Splunk Enterprise

None Authentication in Default Authentication

StehS
New Member
Hi,

 

have you noticed that FortiGate authentication events are tagged with "default" by the Fortinet FortiGate Add-on for Splunk, even when they represent non-default user authentications?

 

The Authentication data model expects the tags "authentication" and "default". According to the current tagging in the TA, all authentication-related event types receive the "default" tag:

 

default:
    eventtype=ftnt_fortigate_auth
    eventtype=ftnt_fortigate_vpn_auth
    eventtype=ftnt_fortigate_wireless_client_authentication

 

My understanding is that the "default" tag should only be applied when the authenticating account is a built-in or default account, such as "admin", "root", or similar.

 

Is this the behavior you are seeing as well, or am I misunderstanding the intended CIM mapping?

 

Thanks.

 

Labels (1)
0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Get Agentic with Splunk Lantern: Connect to Cisco Cloud Control, Transform ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

July Community Events: Master ITSI 5.0 & Automate Splunk

Struggling with alert fatigue or feeling like you're spending more time on infrastructure maintenance than ...

New Release of Federated Search: Bringing Splunk Analytics to More of Your Data

Organizations today are generating more data than ever and storing it across cloud object stores, data lakes, ...