Splunk Enterprise Security

CIM: About the flexibility of the action field

3DGjos
Communicator

Hello again,

I'm developing a compliance app, the intention is to make it the more CIM compliant as possible, but here is the problem, no CIM fields cover windows sessions for example (which starts with event 4264 and finish with 4647). I can make my sessions panel out of the accelerated datamodel, but I think the best idea is to accomodate a few fields to respect the cim and don't interfere with the Authentication datamodel, even if I use the 4624 in another panels of my dashboards.

So, i'm planning of doing it with Change, for example:

change_type=session
result_id would be a fieldalias of logonID
and action would be action=session_started for 4624, action=session_finished for 4647

after that I would make transactions with the result_id's inside my dashbord's panel search. Before doing that, I would like to know
A. If you have a better Idea for doing this respecting the CIM
B. how flexible is the "action" field? I mean, it's valid to Eval session_started and session_finished?

I mean, the action field in Change table is restricted to only 9 options (acl_,modified, cleared, created, deleted, modified, read, stopped, updated), can I make extra actions? My objective is to isolate the actions and the panels the more I can, I mean, I have no other use to these sessions other than that panel.

Thanks!

0 Karma
1 Solution

woodcock
Esteemed Legend

You could use the Network Sessions datamodel.

View solution in original post

0 Karma

marycordova
SplunkTrust
SplunkTrust

I do not think the Change data model sounds like an appropriate match based on the "action" field value listing you provided. It might be that the Network Session model is more appropriate, but I haven't looked at it closely.

The Authentication data model seems the most appropriate. Here is what I would alias to:

action = "success" or "failure"
signature_id = 4624, etc
signature = "An account was successfully logged on", etc

The only thing you really need to perform the transaction is the signature_id. The "session_started" and "finished" that you want to use in the action field you don't really need. If you want those values you can just add them as evals for each event/EventCode and place them into any field you want like "description" or "message".

You may not even need to worry about the data model. If you are only using this in a single dashboard panel and not building an entire app or data model on that work then you could just alias the fields to the most appropriate CIM field and use those fields to build your panel. If you need the acceleration, you could use an accelerated report just for this panel without a data model, or you could build to an existing model, or create your own data model as mentioned previously.

I suspect, because of the sheer volume of 4624 log events, that acceleration is a significant consideration.

@marycordova
0 Karma

woodcock
Esteemed Legend

You could use the Network Sessions datamodel.

0 Karma

3DGjos
Communicator

Thanks for your answer, if I go for Network Sessions, my actions should be added / blocked? or can I use started / stopped? or added/blocked apply?

Should I use Session_Start / Session_End datasets?

I think ill go for that approach. Thanks!

0 Karma

woodcock
Esteemed Legend

I would use allowed and blocked but you can do whatever you like. If this works, please do click Accept to close the question.

chrisyounger
SplunkTrust
SplunkTrust

Hi @3DGjos

Others might have more to add, but yes you can add new fields to the action field if you like. However there will be no search that uses the DMA that will know what to do with your field.

I think what you are doing overall sounds OK to me. You could also consider using a new data model that you create yourself for the data if it isn't a good fit for an existing one. If you are planning to release this app on Splunkbase then you should be extra careful that its a good fit for the data model.

All the best,

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...