Splunk IT Service Intelligence

ITSI - Exchange - Dashboard - External Logins Map - wrong extraction of source IP (c_ip)

corti77
Communicator

Hi,

recently we deployed IT Essential Works with latest Exchange Content Pack. we also deployed the three addons for the Exchange  in the exchange nodes (including IIS and OWA logs).


Now we are in the process of validation of the ITSI dashboards, External Logins Map is one of them, and we realized that the extracted source IP (c_ip field) corresponds to our load balancer (XXX.XXX.XXX.XXX) instead of the remote host (IP shown at the end of the event).

below an example of exchange event that reach our splunk infra.

 

 

2021-10-08 12:22:31 XXX.XXX.XXX.XXX POST /Microsoft-Server-ActiveSync/default.eas Cmd=Ping&User=---%5n---&DeviceId=-------&DeviceType=Outlook&CorrelationID=<empty>;&cafeReqId=c586f22d-14cd-4449-be95-fe666b30c92e; 443 -------\----- 192.168.X.X Outlook-iOS-Android/1.0 - 200 0 0 181382 52.98.193.109

 

 

we use the official TA-Exchange-2013-Mailbox, TA-Exchange-ClientAccess and Ta-Windows-Exchange-IIS addons.

I found the definition of c_ip field in the transform.conf and props.conf in  the TA-Windows-Exchange-IIS, but I dont see any specific regex for its correct extraction. 

could someone tell me how to proceed to fix this parsing issue so the dashboards can show correct information?

many thanks

Labels (4)
Tags (1)
0 Karma

corti77
Communicator

I created a extracted field called c_ip2 containing the last IP shown in the event and I changed the query on the map. That approach worked but this solution is not valid for other built-in dashboards that use a macros such as Outlook Web Access dashboard which uses the macro `client-ews-events`.

Also, I would like to dont change much the ITSI internals so I can easily upgrade it whenever needed. 

So, my goal would be to fix the issue completely by keeping only the original c_ip field but with the correct external IP.

any suggestion?

many thanks

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) v3.54.0

The Splunk Threat Research Team (STRT) recently released Enterprise Security Content Update (ESCU) v3.54.0 and ...

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

New Learning Videos on Topics Most Requested by You! Plus This Month’s New Splunk ...

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...