So it appears that the built-in tagging and field enrichment for the Splunk App for Enterprise Security is poorly configured.
For the Change Analysis CIM, I was pleased to see Windows events being tagged in ES.
However, the field enrichment is totally off.
Pay particular attention to:
- user - The user or entity performing the change (can be UID or PID).
- object - Name of the affected object on the resource (such as a router interface, user account, or server volume).
- object_category - Generic name for the class of the updated resource object. Expected values may be specific to an App.
- src_user - The resource where the change was originated. May be aliased from more specific fields, such as src_host, src_ip, or src_name.
When this Windows event arrives where:
- ad_jus = the admin user creating the user
- JSMITH = the user being created
09/10/2015 12:09:45 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4720 EventType=0 Type=Information ComputerName=ADSVR1.production.prod TaskCategory=User Account Management OpCode=Info RecordNumber=2472352 Keywords=Audit Success Message=A user account was created. Subject: Security ID: PROD\ad_jus Account Name: ad_jus Account Domain: PRODUCTION Logon ID: 0x3ff7132B5B New Account: Security ID: PROD\JSMITH Account Name: JSMITH Account Domain: PRODUCTION Attributes: SAM Account Name: JSMITH Display Name: John Smith User Principal Name: JSMITH@production.prod Home Directory: \\production.prod\fsroot\UserData\JSMITH Home Drive: H: Script Path: - Profile Path: - User Workstations: - Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 Allowed To Delegate To: - Old UAC Value: 0x0 New UAC Value: 0x11 User Account Control: Account Disabled 'Normal Account' - Enabled User Parameters: - SID History: - Logon Hours: <value not set> Additional Information: Privileges
In Enterprise Security the fields are extracted as follows:
- user = JSMITH
- object = WinEventLog:Security
- object_category = user
- src_user = ad_jus
Seems to me, based on the CIM, it should be:
- user = ad_jus
- object = JSMITH
- object_category = user
- src_user = ad_jus
Ideally I could try having custom local props and transforms in Splunk_TA_windows to fix this issue, but seeing as Splunk ES is a paid product, I would have thought it should probably be fixed for all customers. I am not sure if this affects other EventCodes related to Windows user management, but it likely does.
I am posting this here so support can have a reference to the issue.
If anyone knows of a good quick solution please let me know.
Also it appears that the field 'result' from the CIM should be aliased to Message.
'result' is absent in the field extractions.
Enterprise Security deployments always need tuning and tweaking. This tuning is usually a major portion of a professional services engagement when they are deploying the Enterprise Security app. Most of the technology add-ons that are put out by Splunk are pretty good, but they all usually require some customization at deployment time. I would validate that the version of the TA that you are using is the most recent. Sometimes the version that is bundled with Enterprise Security isn't the latest and greatest, and you will find an updated version out on Splunkbase. Other times, you may have to add a local/props.conf with an alias or an extract statement, etc.
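As an added illustration of the local/props.conf approach suggested in the answer (this is example code, not part of the original thread, the Splunk TA, or Enterprise Security), the following Python script holds the regular expressions that would go into `EXTRACT-` settings, runs them against a constructed copy of the 4720 event quoted in the question, and renders a hypothetical props.conf stanza. It follows the field mapping the poster expects (user = the Subject account, object = the created account, src_user aliased from user) and generalizes to other user-management EventCodes by also accepting the `Target Account:` block; the sourcetype name `WinEventLog:Security`, the stanza names, and the 4726 sample event are assumptions, and `result` is taken from the summary sentence of Message only.

```python
import re

# Constructed sample, copied from the 4720 event quoted in the question (single-line form).
SAMPLE_EVENT_4720 = (
    "09/10/2015 12:09:45 PM LogName=Security SourceName=Microsoft Windows security auditing. "
    "EventCode=4720 EventType=0 Type=Information ComputerName=ADSVR1.production.prod "
    "TaskCategory=User Account Management OpCode=Info RecordNumber=2472352 Keywords=Audit Success "
    "Message=A user account was created. Subject: Security ID: PROD\\ad_jus Account Name: ad_jus "
    "Account Domain: PRODUCTION Logon ID: 0x3ff7132B5B New Account: Security ID: PROD\\JSMITH "
    "Account Name: JSMITH Account Domain: PRODUCTION Attributes: SAM Account Name: JSMITH "
    "Display Name: John Smith User Principal Name: JSMITH@production.prod"
)

# Constructed (assumed) 4726 "account deleted" sample; it uses a "Target Account:" block instead
# of "New Account:", which is why the object regex below accepts either block name.
SAMPLE_EVENT_4726 = (
    "09/10/2015 12:15:01 PM LogName=Security SourceName=Microsoft Windows security auditing. "
    "EventCode=4726 EventType=0 Type=Information ComputerName=ADSVR1.production.prod "
    "TaskCategory=User Account Management OpCode=Info RecordNumber=2472400 Keywords=Audit Success "
    "Message=A user account was deleted. Subject: Security ID: PROD\\ad_jus Account Name: ad_jus "
    "Account Domain: PRODUCTION Logon ID: 0x3ff7132B5B Target Account: Security ID: PROD\\JSMITH "
    "Account Name: JSMITH Account Domain: PRODUCTION Additional Information: Privileges -"
)

# Regexes written so the same string works as a Splunk EXTRACT- setting (named groups become
# field names) and under Python's re module. Each captures exactly one CIM field.
CIM_EXTRACTIONS = {
    # Who performed the change: the Account Name inside the Subject block.
    "user": r"Subject:\s+Security ID:\s+\S+\s+Account Name:\s+(?P<user>\S+)",
    # What was changed: the Account Name inside the New Account / Target Account block.
    "object": r"(?:New|Target) Account:\s+Security ID:\s+\S+\s+Account Name:\s+(?P<object>\S+)",
    # Outcome text: the summary sentence at the start of Message (assumed simplification).
    "result": r"Message=(?P<result>.+?)\s+Subject:",
}

# EventCode -> CIM object_category; 4720 is from the question, 4726 is an assumed extension.
OBJECT_CATEGORY = {"4720": "user", "4726": "user"}


def extract_cim_fields(event: str) -> dict:
    """Apply the extractions to one raw event and return the Change Analysis fields."""
    fields = {}
    for name, pattern in CIM_EXTRACTIONS.items():
        match = re.search(pattern, event)
        if match:
            fields[name] = match.group(name)
    code = re.search(r"EventCode=(\d+)", event)
    fields["object_category"] = OBJECT_CATEGORY.get(code.group(1)) if code else None
    # The CIM allows src_user to be aliased from a more specific field; here it mirrors user,
    # which is what the poster expects for this event.
    if "user" in fields:
        fields["src_user"] = fields["user"]
    return fields


def render_props_conf(sourcetype: str = "WinEventLog:Security") -> str:
    """Render a hypothetical local/props.conf stanza carrying the same extractions."""
    lines = [f"[{sourcetype}]"]
    for name, pattern in CIM_EXTRACTIONS.items():
        lines.append(f"EXTRACT-cim_{name} = {pattern}")
    lines.append("FIELDALIAS-cim_src_user = user AS src_user")
    cases = ", ".join(f'EventCode=="{code}", "{cat}"' for code, cat in OBJECT_CATEGORY.items())
    lines.append(f"EVAL-object_category = case({cases})")
    return "\n".join(lines)


if __name__ == "__main__":
    for sample in (SAMPLE_EVENT_4720, SAMPLE_EVENT_4726):
        print(extract_cim_fields(sample))
    print(render_props_conf())
```

The rendered stanza is a starting point rather than a drop-in: the TA's own `user` extraction for this sourcetype still fires, so after adding the local stanza, verify with a search over real 4720 events that `user` now carries the Subject account and not the created one, and check `object_category` against the CIM data model before relying on it in ES correlation searches.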