Hello Splunkers,
Not sure if "enriching" is the right term to use but I'm hoping someone can point me in the direction of some documentation that will help me get more information into, and out of, a dashboard panel.
The "Infosec app for Splunk" has an "All Authentications" dashboard. (Infosec app>Continuous Monitoring>All Authentications) On that dashboard there is a panel that is titled "Authentication Attempts by Application"
The search powering the panel is:

```
| tstats summariesonly=true allow_old_summaries=true count from datamodel=Authentication.Authentication where Authentication.app="*" Authentication.action=* by Authentication.app
| rename "Authentication.*" as "*"
```
The results I get look like this:

```
app          count
win:local      690
win:remote    8328
win:unknown   8784
```
**Is there any way I can get this to identify the actual app?**
Looking through the settings I see that the "Authentication.app" field is calculated by the Authentication data model using an eval expression (below).

```
if(isnull(app) OR app="",sourcetype,app)
```

I'm not sure if this is what needs to be adjusted, and I'm terrible with eval expressions and regex, so rather than mess something up I thought I would ask here first. Any help is greatly appreciated.
System details:
Stand-alone Splunk Enterprise
Version: 7.3.0
Build: 657388c7a488
CIM: 4.14.0
Some of the installed Add-ons/Apps:
Microsoft Sysmon Add-on
Microsoft Windows DHCP add-on for Splunk
Splunk Add-on for Microsoft Windows
Splunk Add-on for Microsoft Windows DNS
Splunk Add-on for PowerShell
Splunk App for Windows Infrastructure
Splunk Supporting Add-on for Active Directory
Sysmon App for Splunk
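An added example, not part of the original post and not the Infosec app's own search. The data model eval quoted above only falls back to `sourcetype` when `app` is null or empty; since the events already arrive with `app` set to `win:local`, `win:remote` or `win:unknown`, that value is being assigned upstream by the field extractions of the Windows add-on, so editing the data model eval will not change it. The quickest way to see what those three buckets actually contain is to keep the same `tstats` search but split by more fields. The first search below stays on the accelerated data model and adds `sourcetype`, `Authentication.signature_id` and `Authentication.action` to the `by` clause (all standard CIM Authentication fields). The second drops to raw events and assumes, as a guess about this environment, that the Windows security events carry the sourcetype `WinEventLog:Security` and the `EventCode` and `Logon_Type` fields extracted by the Splunk Add-on for Microsoft Windows; adjust those names if your sourcetype differs (for example `XmlWinEventLog:Security`).

```spl
| tstats summariesonly=true allow_old_summaries=true count
    from datamodel=Authentication.Authentication
    where Authentication.app="win:*"
    by sourcetype Authentication.app Authentication.signature_id Authentication.action
| rename "Authentication.*" as "*"
| sort - count

index=* sourcetype="WinEventLog:Security" app="win:*"
| stats count by app EventCode Logon_Type
| sort app - count
```

Run the two searches separately. The first tells you which sourcetypes and event IDs feed each `win:*` value without leaving the summaries; the second shows the raw `EventCode`/`Logon_Type` combinations behind each bucket, which is what you would key on if you decide to override `app` with your own eval in a local props.conf rather than in the data model.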