Splunk Search

Actions in regards to events coming in

domino30
Path Finder

We have searches for 4740 account lockouts not showing as action=lockout but instead as action=modified.

This is important to us as we are trying to configure ES but that's one dashboard where we aren't getting any results.

Where do we go to fix this?

Also, whenever you get a source or field that shows as "unknown", what's the best way to go about fixing these?


gcusello
SplunkTrust

Hi @domino30,

This job is called "normalization"; in other words, you have to create some rules (using rename and calculated fields) to align your values with the expected ones.

In your case, you have to add to your Add-On a custom calculated field like the following (it maps the 4740 events that arrive with action="modified" onto the expected action="lockout"):

| eval action=if(EventCode=4740 AND action="modified","lockout",action)

You can find more info at https://lantern.splunk.com/Splunk_Platform/Product_Tips/Data_Management/Normalizing_values_to_a_comm... and at https://docs.splunk.com/Documentation/CIM/5.1.1/User/Overview

Ciao.

Giuseppe

domino30
Path Finder

Like this? (attached screenshot: 444.PNG)


gcusello
SplunkTrust

Hi @domino30,

No, that is the option for adding fields to a Data Model.

You have to create (usually in an Add-On) a calculated field [Settings > Fields > Calculated Fields] that makes the transformation BEFORE an event is added to a Data Model.

In other words, the process is the following:

  • events are tagged using eventtypes in the Add-Ons (for this reason, before using an Add-On check its CIM compliance or create a CIM-compliant Add-On),
  • fields are renamed in the Add-Ons to have the field names predefined for that Data Model,
  • values are normalized using calculated fields in the Add-Ons,
  • the scheduled searches populate the Data Model, adding all the fields already normalized.

For more info see https://docs.splunk.com/Documentation/CIM/5.1.1/User/Overview

Ciao.

Giuseppe

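To make the four-step process above (eventtype, field rename, calculated field, data model population) and the single eval from the earlier reply concrete, here is an added example of what the three .conf files of a small custom Add-On could contain for Windows 4740 lockout events. This is not code from the thread or from Giuseppe; the sourcetype name (WinEventLog:Security), the raw field names (EventCode, Account_Name, Caller_Computer_Name) and the eventtype name are assumptions about the input data and may differ in your environment.

```ini
# Added example, not part of the original thread.
# Assumed sourcetype and raw field names; adjust to your own data.

# --- default/props.conf ---
[WinEventLog:Security]
# Step 2 of the process: alias the raw field names onto the CIM field names
# that the Change data model (Account_Management dataset) expects.
# Account_Name and Caller_Computer_Name are assumed extraction names.
FIELDALIAS-cim_user_4740 = Account_Name AS user
FIELDALIAS-cim_src_4740  = Caller_Computer_Name AS src

# Step 3: normalize the value. Calculated fields are evaluated after field
# extraction and aliasing but before tagging and data model acceleration,
# so the data model stores action="lockout" instead of "modified".
# Matching on EventCode alone also covers events where action is missing.
EVAL-action          = if(EventCode=4740, "lockout", action)
EVAL-result          = if(EventCode=4740, "success", result)
EVAL-object_category = if(EventCode=4740, "user", object_category)

# --- default/eventtypes.conf ---
# Step 1: an eventtype that selects the lockout events for tagging.
[windows_account_lockout]
search = sourcetype="WinEventLog:Security" EventCode=4740

# --- default/tags.conf ---
# The tags that route the eventtype into the Change data model
# (tag=change) and its Account_Management dataset (tag=account).
[eventtype=windows_account_lockout]
change  = enabled
account = enabled
```

After deploying the Add-On to the search head (and restarting or reloading the configuration), a raw search such as `sourcetype="WinEventLog:Security" EventCode=4740 | stats count by action` should report only `lockout`; once the Change data model has been re-accelerated, the ES account lockout panel reads the normalized value from the data model rather than the raw field.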

domino30
Path Finder

Like this? BTW, it's working now; just confirming something.

(attached screenshot: solved.PNG)


gcusello
SplunkTrust

Hi @domino30,

yes, calculated fields (like the one you shared) are one of the methods to normalize data.

Let me know if you solved your issue.

Ciao.

Giuseppe
