Splunk Enterprise Security

Adding an Azure sign in field to Splunk ES authentication data model


We recently started to ingest Microsoft's Azure sign-in events and one thing I've noticed are some values from the clientAppUsed field throws off the Geographically Improbable Access Detected alert.

I stopped the acceleration on the Authentication data model so I could go in and see if I could add the field clientAppUsed, but it's not coming up a field to be added (using the 'Add Auto-Extracted Field' option).

If I run a search on index=azuread the clientAppUsed field is parsed automatically, but it seems to not present itself within the Authentication data model.

How can I add the clientAppUsed field in the Authentication data model so I can then work to filter some values out to fix the false positives in the Geographically Improbable Access Detected alert?


0 Karma
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!


Or Learn More in Our Blog >>