Okay, I'm pulling my hair out here. I'm playing around with Windows Defender events, trying to capture them and get them in with CIM compliance. I've looked at the TA on Splunkbase but it's not working, so I started extracting pieces to see what is going on. I have the event log (WinEventLog://Microsoft-Windows-Windows Defender/Operational) events being ingested and identified, but my EVALs in the props.conf aren't getting through to search.
Here is a list of things I've looked at:
- btool check: syntax is correct
- btool props list "WinEventLog:Microsoft-Windows-Windows Defender/Operational" --debug: this shows all the EVALs that I'm expecting, including some static values I put in for testing
So a static EVAL (not a calculated one from a potentially missing field) shows in props, shows in the Calculated Fields list, but DOES NOT show up in a search. I feel like I'm missing something obvious and it's going to be a duh moment, but I can't determine what I'm missing.
And I found the answer, I needed to change the props.conf entry for that source from
[WinEventLog:Microsoft-Windows-Windows Defender/Operational]
to
[source::WinEventLog:Microsoft-Windows-Windows Defender/Operational]
Now everything is working. I knew it was a "duh" issue.
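To show why the prefix mattered, here is an added Python model of how Splunk decides which props.conf stanza applies to an event; it is not the TA's or Splunk's own code. It assumes, as the "rename = wineventlog" line in the btool output below suggests, that the events' search-time sourcetype is wineventlog while the source field keeps the full channel name, so a bare stanza (read as a sourcetype) never matches and only the source:: stanza does.

```python
import configparser
import fnmatch

# Constructed props.conf snippets (not the poster's exact files): the stanza as
# first written, and the corrected one carrying the "source::" prefix.
BROKEN_PROPS = """
[WinEventLog:Microsoft-Windows-Windows Defender/Operational]
EVAL-brenden = "brenden"
"""
FIXED_PROPS = """
[source::WinEventLog:Microsoft-Windows-Windows Defender/Operational]
EVAL-brenden = "brenden"
"""

# Constructed event metadata, assumed to match the poster's setup: the Windows TA
# renames the sourcetype to "wineventlog" (the "rename = wineventlog" line in the
# btool output), while the source field keeps the full channel name.
EVENT = {
    "host": "win-host",
    "source": "WinEventLog:Microsoft-Windows-Windows Defender/Operational",
    "sourcetype": "wineventlog",
}


def parse_props(text):
    """Yield (kind, pattern, {field: expression}) for each stanza's EVAL-* settings.

    Splunk reads a bare stanza name as a sourcetype; only the "source::" or
    "host::" prefix makes the stanza match on the source or host field.
    """
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str  # keep "EVAL-brenden" exactly as written
    cp.read_string(text)
    for name in cp.sections():
        kind, pattern = "sourcetype", name
        for prefix in ("source::", "host::"):
            if name.startswith(prefix):
                kind, pattern = prefix[:-2], name[len(prefix):]
        yield kind, pattern, {k[5:]: v for k, v in cp.items(name) if k.startswith("EVAL-")}


def calculated_fields(props_text, event):
    """Collect the EVAL fields whose stanza matches the event's host, source or sourcetype."""
    fields = {}
    for kind, pattern, evals in parse_props(props_text):
        # Simplified: "*" wildcards behave like Splunk's, regex-style stanzas are not modelled.
        if fnmatch.fnmatchcase(event[kind], pattern):
            fields.update(evals)
    return fields
```

Running calculated_fields(BROKEN_PROPS, EVENT) returns an empty dict, while the FIXED_PROPS version returns the brenden field, which is exactly the symptom seen in search.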
@martynoconnor So I've removed most of the EVALs and have a single static value one configured. Here is the btool props list for the sourcetype; notice the single eval (EVAL-brenden) from TA-windefender/local/props.conf.
/opt/splunk/bin$ ./splunk btool props list "WinEventLog:Microsoft-Windows-Windows Defender/Operational" --debug
/opt/splunk/etc/apps/TA-windefender/local/props.conf [WinEventLog:Microsoft-Windows-Windows Defender/Operational]
/opt/splunk/etc/system/default/props.conf ADD_EXTRA_TIME_FIELDS = True
/opt/splunk/etc/system/default/props.conf ANNOTATE_PUNCT = True
/opt/splunk/etc/system/default/props.conf AUTO_KV_JSON = true
/opt/splunk/etc/system/default/props.conf BREAK_ONLY_BEFORE =
/opt/splunk/etc/system/default/props.conf BREAK_ONLY_BEFORE_DATE = True
/opt/splunk/etc/system/default/props.conf CHARSET = UTF-8
/opt/splunk/etc/system/default/props.conf DATETIME_CONFIG = /etc/datetime.xml
/opt/splunk/etc/system/default/props.conf DEPTH_LIMIT = 1000
/opt/splunk/etc/apps/TA-windefender/local/props.conf EVAL-brenden = "brenden"
/opt/splunk/etc/system/default/props.conf HEADER_MODE =
/opt/splunk/etc/system/default/props.conf LEARN_MODEL = true
/opt/splunk/etc/system/default/props.conf LEARN_SOURCETYPE = true
/opt/splunk/etc/system/default/props.conf LINE_BREAKER_LOOKBEHIND = 100
/opt/splunk/etc/system/default/props.conf MATCH_LIMIT = 100000
/opt/splunk/etc/system/default/props.conf MAX_DAYS_AGO = 2000
/opt/splunk/etc/system/default/props.conf MAX_DAYS_HENCE = 2
/opt/splunk/etc/system/default/props.conf MAX_DIFF_SECS_AGO = 3600
/opt/splunk/etc/system/default/props.conf MAX_DIFF_SECS_HENCE = 604800
/opt/splunk/etc/system/default/props.conf MAX_EVENTS = 256
/opt/splunk/etc/system/default/props.conf MAX_TIMESTAMP_LOOKAHEAD = 128
/opt/splunk/etc/system/default/props.conf MUST_BREAK_AFTER =
/opt/splunk/etc/system/default/props.conf MUST_NOT_BREAK_AFTER =
/opt/splunk/etc/system/default/props.conf MUST_NOT_BREAK_BEFORE =
/opt/splunk/etc/system/default/props.conf SEGMENTATION = indexing
/opt/splunk/etc/system/default/props.conf SEGMENTATION-all = full
/opt/splunk/etc/system/default/props.conf SEGMENTATION-inner = inner
/opt/splunk/etc/system/default/props.conf SEGMENTATION-outer = outer
/opt/splunk/etc/system/default/props.conf SEGMENTATION-raw = none
/opt/splunk/etc/system/default/props.conf SEGMENTATION-standard = standard
/opt/splunk/etc/system/default/props.conf SHOULD_LINEMERGE = True
/opt/splunk/etc/system/default/props.conf TRANSFORMS =
/opt/splunk/etc/system/default/props.conf TRUNCATE = 10000
/opt/splunk/etc/system/default/props.conf detect_trailing_nulls = false
/opt/splunk/etc/system/default/props.conf maxDist = 100
/opt/splunk/etc/system/default/props.conf priority =
/opt/splunk/etc/apps/Splunk_TA_windows/default/props.conf rename = wineventlog
/opt/splunk/etc/system/default/props.conf sourcetype =
My props.conf looks like so:
[WinEventLog:Microsoft-Windows-Windows Defender/Operational]
EVAL-brenden = "brenden"
Do you have the actual EVAL statement? If an EVAL is applied but doesn't actually evaluate out, because of a no match or the logic not functioning as expected, then you wouldn't see anything in your results.
If the EVAL is sensitive, can you post a sanitised version of it?
That would be helpful now wouldn't it.