Release history for the Splunk Add-on for Windows
The latest version of the Splunk Add-on for Windows is version 8.8.0. See Release notes for the Splunk Add-on for Windows.
Version 8.7.0
Version 8.7.0 of the Splunk Add-on for Windows was released on April 21, 2023.
The Splunk Add-on for Windows DNS version 1.0.1 and the Splunk Add-on for Windows Active Directory version 1.0.0 are not supported when installed alongside the Splunk Add-on for Windows versions 6.0.0 and higher. The Splunk Add-on for Windows versions 6.0.0 and higher includes the Splunk Add-on for Windows DNS and the Splunk Add-on for Microsoft Active Directory.
Compatibility
Version 8.7.0 of the Splunk Add-on for Windows is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 8.1.x, 8.2.x, 9.0.x |
CIM | 4.15 and later |
Platform | Windows |
Vendor Products | Windows Server 2022, Windows 11, Windows Server 2019, Windows 8.1, Windows 10, Windows Server 2012/2012 R2, Windows Server 2016, Microsoft Active Directory, Microsoft Windows DNS Server |
New or changed features
Version 8.7.0 of the Splunk Add-on for Windows has the following new or changed features:
- Tagged Windows DNS logs collected in MSAD:NT6:DNS sourcetype with NetworkResolution:DNS data model and mapped the relevant CIM fields.
See CIM model and Field Mapping changes for MSAD:NT6:DNS for more details on the Event Code changes.
Fixed Issues
Version 8.7.0 of the Splunk Add-on for Windows fixes the following issues:
Date resolved | Issue number | Description |
---|---|---|
2023-05-03 | ADDON-61555 | src_nt_domain field extracting value from next line when "Security_ID" field is missing for source WinEventLog:Security |
Known Issues
Version 8.7.0 of the Splunk Add-on for Windows contains the following known issues. If no issues appear below, no issues have yet been reported:
Date filed | Issue number | Description |
---|---|---|
2022-07-21 | ADDON-54050 | Parsing does not work properly when a nested XML event is encoded. |
2018-09-06 | ADDON-19338 | Data duplication issue in WindowsUpdate.Log |
Version 8.6.0
Version 8.6.0 of the Splunk Add-on for Windows was released on January 23, 2023.
The Splunk Add-on for Windows DNS version 1.0.1 and the Splunk Add-on for Windows Active Directory version 1.0.0 are not supported when installed alongside the Splunk Add-on for Windows versions 6.0.0 and higher. The Splunk Add-on for Windows versions 6.0.0 and higher includes the Splunk Add-on for Windows DNS and the Splunk Add-on for Microsoft Active Directory.
Compatibility
Version 8.6.0 of the Splunk Add-on for Windows is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 8.1.x, 8.2.x, 9.0.x |
CIM | 4.15 and later |
Platform | Windows |
Vendor Products | Windows Server 2022, Windows 11, Windows Server 2019, Windows 8.1, Windows 10, Windows Server 2012/2012 R2, Windows Server 2016, Microsoft Active Directory, Microsoft Windows DNS Server |
New or changed features
Version 8.6.0 of the Splunk Add-on for Windows has the following new or changed features:
- CIM enhancements for the following Event Codes: 4727, 4728, 4729, 4730, 4731, 4733, 4734, 4735, 4737, 4754, 4755, 4756, 4757, 4758, 4799, 4764. See the Field Changes section below for details on the field extraction changes for these Event Codes.
- For EventCodes: 4727, 4730, 4731, 4734, 4735, 4737, 4754, 4755, 4758, 4764 the user field has been removed as these events belong to object_category=group.
- Mapped the 4799 Event Code of the Windows Security to the Change:All_Changes data model.
Fixes
- Fixed the signature field extraction issue for source WinEventLog:System.
Notes:
- If the configured input has evt_resolve_ad_obj = 1, then the value for Member:Security_ID, Group:Security_ID and Subject:Security_ID will be in the enriched "DOMAIN\UserName" format.
- If the configured input has evt_resolve_ad_obj = 0, then the value for Member:Security_ID, Group:Security_ID and Subject:Security_ID will be in the traditional Windows SID format, i.e. S-1-1234-etc.
Field Changes
Source - WinEventLog:Security field mapping changes
Source-type | EventCode | Fields added | Fields removed |
---|---|---|---|
WinEventLog | 4727 | src_user, src_user_name, object_id, object, src | user |
WinEventLog | 4728 | src_user_name, object_id, object, user_name, src | |
WinEventLog | 4729 | src_user_name, object_id, object, user_name, src | |
WinEventLog | 4730 | src_user, src_user_name, object_id, object, src | user |
WinEventLog | 4731 | src_user, src_user_name, object_id, object, src | user |
WinEventLog | 4733 | src_user_name, object_id, src | user |
WinEventLog | 4734 | src_user, src_user_name, object_id, object, src | user |
WinEventLog | 4735 | src_user, src_user_name, object_id, object, src | user |
WinEventLog | 4737 | src_user, src_user_name, object_id, object, src | user |
WinEventLog | 4754 | src_user, src_user_name, object_id, object, src | user |
WinEventLog | 4755 | src_user, src_user_name, object_id, object, src | user |
WinEventLog | 4756 | object_attrs, Group_Name, src_user_name, user_group, object_id, object, user_name, Group_Domain, src | |
WinEventLog | 4757 | src_user_name, object_id, object, user_name, src | |
WinEventLog | 4758 | src_user, src_user_name, object_id, object, src | user |
WinEventLog | 4764 | src_user, src_user_name, object_id, object, src | user, object_attrs |
WinEventLog | 4799 | object_category, result, change_type, subject, signature, object_id, object, user_name, src, name | |
Source - XmlWinEventLog:Security field mapping changes
Source-type | EventCode | Fields added | Fields removed |
---|---|---|---|
XmlWinEventLog | 4727 | src_user_name, src, object_id, object | user |
XmlWinEventLog | 4728 | src_user_name, object_id, user_name, object_attrs, src, object | |
XmlWinEventLog | 4729 | src_user_name, object_id, user_name, object_attrs, src, object | |
XmlWinEventLog | 4730 | src_user_name, object_id, object_attrs, src, object | user |
XmlWinEventLog | 4731 | src_user_name, src, object_id, object | user |
XmlWinEventLog | 4733 | object_attrs, src_user_name, src, object_id | user |
XmlWinEventLog | 4734 | src_user_name, object_id, object_attrs, src, object | user |
XmlWinEventLog | 4735 | src_user_name, src, object_id, object | user |
XmlWinEventLog | 4737 | src_user_name, src, object_id, object | user |
XmlWinEventLog | 4754 | src_user_name, src, object_id, object | user |
XmlWinEventLog | 4755 | src_user_name, src, object_id, object | user |
XmlWinEventLog | 4756 | src_user_name, object_id, user_name, object_attrs, src, object | |
XmlWinEventLog | 4757 | src_user_name, object_id, user_name, object_attrs, src, object | |
XmlWinEventLog | 4758 | src_user_name, object_id, object_attrs, src, object | user |
XmlWinEventLog | 4764 | src_user_name, src, object_id, object | user |
XmlWinEventLog | 4799 | result, object_id, user_name, object_attrs, change_type, name, src, subject, object, signature, object_category | |
Fixed Issues
Version 8.6.0 of the Splunk Add-on for Windows fixes the following issues:
Known Issues
Version 8.6.0 of the Splunk Add-on for Windows contains the following known issues. If no issues appear below, no issues have yet been reported:
Date filed | Issue number | Description |
---|---|---|
2022-07-21 | ADDON-54050 | Parsing does not work properly when a nested XML event is encoded. |
2018-09-06 | ADDON-19338 | Data duplication issue in WindowsUpdate.Log |
Version 8.5.0
Version 8.5.0 of the Splunk Add-on for Windows was released on April 21, 2022.
The Splunk Add-on for Windows DNS version 1.0.1 and the Splunk Add-on for Windows Active Directory version 1.0.0 are not supported when installed alongside the Splunk Add-on for Windows versions 6.0.0 and higher. The Splunk Add-on for Windows versions 6.0.0 and higher includes the Splunk Add-on for Windows DNS and the Splunk Add-on for Microsoft Active Directory.
Compatibility
Version 8.5.0 of the Splunk Add-on for Windows is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 8.1.x, 8.2.x |
CIM | 4.15 and later |
Platform | Windows |
Vendor Products | Windows Server 2022, Windows 11, Windows Server 2019, Windows 8.1, Windows 10, Windows Server 2012/2012 R2, Windows Server 2016, Microsoft Active Directory, Microsoft Windows DNS Server |
New or changed features
Version 8.5.0 of the Splunk Add-on for Windows has the following new or changed features:
- CIM enhancements for these Event Codes: 104, 1102, 4624, 4625, 4634, 4698, 4700, 4701, 4702, 4719, 4720, 4732, 4740, 4800, 4801. See the Field Changes section below for the field extraction changes.
- Removed the incorrect Endpoint:Filesystem CIM tags from the wineventlog_windows event type.
- Removed the fs_notification event type and the fs_notification source type extractions, as Splunk no longer supports this source type.
Fixes
- Fixed the user field extraction issue for Event Codes 4728, 4729, 4732 when the distinguished name (DN) contains "Lastname, Firstname".
Notes:
- If the Member:Security_ID value uses the enriched "DOMAIN\UserName" format, then the user field is extracted as UserName.
- If the Member:Security_ID value uses the traditional Windows SID (S-1234-etc) format, then the user field is extracted from the first RDN section of the Member:Account Name string (which is logged in LDAP DN format).
- If the Member:Security_ID value uses the traditional Windows SID (S-1234-etc) format and the first RDN section of Member:Account Name is of the form CN=Lastname\, Firstname,OU=Users,DC=CONTOSO,DC=com, then the RDN can be in the lastname,firstname format, in which case the user field is not extracted.
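The following Python function, added here as an illustration and not the add-on's own extraction logic, applies the three rules above to a Member:Security_ID / Member:Account Name pair. The sample values are constructed; reading the user name as the value after "=" in the first RDN is an interpretation of the second rule.

```python
import re

# Enriched form produced with evt_resolve_ad_obj = 1: "DOMAIN\UserName"
ENRICHED_RE = re.compile(r"^(?P<domain>[^\\]+)\\(?P<user>[^\\]+)$")
# Traditional SID form produced with evt_resolve_ad_obj = 0, e.g. S-1-5-21-...-1104
SID_RE = re.compile(r"^S-\d+(?:-\d+)+$")


def first_rdn(dn):
    """Return the first RDN of an LDAP DN, keeping backslash escapes intact.

    Splitting naively on ',' would cut 'CN=Lastname\\, Firstname' in half,
    which is exactly the case the release notes call out.
    """
    out = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            out.append(dn[i:i + 2])  # escaped character, e.g. "\,"
            i += 2
            continue
        if ch == ",":
            break
        out.append(ch)
        i += 1
    return "".join(out)


def extract_user(member_security_id, member_account_name):
    """Derive the CIM `user` value from Member:Security_ID and Member:Account Name.

    Returns None when the release-note rules say the field is not extracted.
    """
    m = ENRICHED_RE.match(member_security_id)
    if m:
        # Rule 1: enriched "DOMAIN\UserName" -> UserName
        return m.group("user")
    if not SID_RE.match(member_security_id):
        return None
    rdn = first_rdn(member_account_name)
    if "\\," in rdn:
        # Rule 3: "CN=Lastname\, Firstname" (comma inside the RDN) -> not extracted
        return None
    # Rule 2 (interpretation): value of the first RDN, e.g. CN=jdoe -> jdoe
    _, sep, value = rdn.partition("=")
    return value if sep and value else None
```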
Field Changes
Source - WinEventLog:System field mapping changes
Source-type | EventCode | Fields added | Fields removed |
---|---|---|---|
WinEventLog | 104 | object, user_name, object_category, action, result, status, change_type | |
Source - XmlWinEventLog:System field mapping changes
Source-type | EventCode | Fields added | Fields removed |
---|---|---|---|
WinEventLog | 104 | user, object, user_name, object_category, user_data_channel, action, result, status, change_type | |
Source - WinEventLog:Security field mapping changes
Source-type | EventCode | Fields added | Fields removed |
---|---|---|---|
WinEventLog | 1102 | result, object, user_name | |
WinEventLog | 4624 | authentication_method | |
WinEventLog | 4625 | authentication_method | |
WinEventLog | 4634 | object_id, change_type, object, user_name, object_category, object_attrs, result, src_user, src_user_name | |
WinEventLog | 4698 | object, user_name, TaskContent, object_category, object_attrs, result, change_type | |
WinEventLog | 4700 | object, user_name, TaskContent, object_category, object_attrs, result, change_type | |
WinEventLog | 4701 | object, user_name, TaskContent, object_category, object_attrs, result, change_type | |
WinEventLog | 4702 | object, user_name, TaskNewContent, object_category, object_attrs, result, change_type | |
WinEventLog | 4719 | result, object, user_name | |
WinEventLog | 4720 | src_user_name, object_id, object, user_name, object_attrs, New_Account_Account_Name, New_Account_Domain, New_Account_Security_ID | |
WinEventLog | 4732 | src_user_name, object_id, Member_Security_ID, object, user_name, Member_Account_Name | |
WinEventLog | 4740 | src_user_name, object_id, Account_Locked_Out_Security_ID, Account_Locked_Out_Name, object, user_name, object_attrs | |
WinEventLog | 4800 | change_type, object, user_name, object_category, object_attrs, result, src_user, src_user_name | |
WinEventLog | 4801 | change_type, object, user_name, object_category, object_attrs, result, src_user, src_user_name | |
Source - XmlWinEventLog:Security field mapping changes
Source-type | EventCode | Fields added | Fields removed |
---|---|---|---|
XmlWinEventLog | 1102 | result, object, user, user_name | |
XmlWinEventLog | 4624 | authentication_method | |
XmlWinEventLog | 4625 | authentication_method | |
XmlWinEventLog | 4634 | object_id, change_type, object, user_name, object_category, object_attrs, result, src_user, src_user_name, src_nt_domain | |
XmlWinEventLog | 4698 | user, object, user_name, object_category, object_attrs, result, change_type | |
XmlWinEventLog | 4700 | user, object, user_name, object_category, object_attrs, result, change_type | |
XmlWinEventLog | 4701 | user, object, user_name, object_category, object_attrs, result, change_type | |
XmlWinEventLog | 4702 | user, object, user_name, object_category, object_attrs, result, change_type | |
XmlWinEventLog | 4719 | result, object, user, user_name | |
XmlWinEventLog | 4720 | src_user_name, object_id, object, user_name, object_attrs | |
XmlWinEventLog | 4732 | src_user_name, object_id, object, user_name, object_attrs | |
XmlWinEventLog | 4740 | src_user_name, object, user_name, object_attrs | |
XmlWinEventLog | 4800 | change_type, object, user_name, object_category, object_attrs, result, src_user, src_user_name, src_nt_domain | |
XmlWinEventLog | 4801 | change_type, object, user_name, object_category, object_attrs, result, src_user, src_user_name, src_nt_domain | |
Fixed Issues
Version 8.5.0 of the Splunk Add-on for Windows fixes the following issues:
Known Issues
Version 8.5.0 of the Splunk Add-on for Windows contains the following known issues. If no issues appear below, no issues have yet been reported:
Date filed | Issue number | Description |
---|---|---|
2023-04-26 | ADDON-61962 | Group_Name field extraction of windows security classic event for EventCode 4756 |
2023-03-28 | ADDON-61555 | src_nt_domain field extracting value from next line when "Security_ID" field is missing for source WinEventLog:Security |
2022-07-21 | ADDON-54050 | Parsing does not work properly when a nested XML event is encoded. |
2018-09-06 | ADDON-19338 | Data duplication issue in WindowsUpdate.Log |
Version 8.4.0
Version 8.4.0 of the Splunk Add-on for Windows was released on February 1, 2022.
The Splunk Add-on for Windows DNS version 1.0.1 and the Splunk Add-on for Windows Active Directory version 1.0.0 are not supported when installed alongside the Splunk Add-on for Windows versions 6.0.0 and higher. The Splunk Add-on for Windows versions 6.0.0 and higher includes the Splunk Add-on for Windows DNS and the Splunk Add-on for Microsoft Active Directory.
Compatibility
Version 8.4.0 of the Splunk Add-on for Windows is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 8.1.x, 8.2.x |
CIM | 4.15 and later |
Platform | Windows |
Vendor Products | Windows Server 2022, Windows 11, Windows Server 2019, Windows 8.1, Windows 10, Windows Server 2012/2012 R2, Windows Server 2016, Microsoft Active Directory, Microsoft Windows DNS Server |
New or changed features
Version 8.4.0 of the Splunk Add-on for Windows has the following new or changed features:
Features
- Enhanced "win_listening_ports.bat" input to get the process name associated with the listening port.
- Added 'storage_free', 'storage', 'storage_used', and 'storage_used_percent' field extractions for "PerfmonMk:LogicalDisk" sourcetype.
- Added 'user_type'=computer field extraction for the EventCodes 4741, 4742, and 4743.
- Added 'dest' and 'resource_type' field extractions for the "Script:TimesyncStatus" sourcetype.
- Introduced a new eventtype 'windows_security_change_account' (with tags: 'account', 'change' and CIM datamodel: Change:Account_Management) which will only apply to Windows Event Codes: 4703, 4704, 4705, 4722, 4723, 4724, 4725, 4726, 4738, 4767, and 4781 falling under source="WinEventLog:Security" OR source="XmlWinEventLog:Security". Also enhanced the CIM mappings for these Event Codes. (To review field extraction changes, please refer to "Field Changes" Section)
- Excluded Event Codes: 4703, 4704, 4705, 4722, 4723, 4724, 4725, 4726, 4738, 4767, 4781 from 'wineventlog_windows' eventtype to remove the incorrect Endpoint:Filesystem CIM tag.
- Added support of the latest DHCP event format and enhanced the CIM mapping of the "DhcpSrvLog" sourcetype.
CIM Data Model | DHCP Event IDs before v8.4.0 | DHCP Event IDs after v8.4.0 |
---|---|---|
Network Sessions:DHCP | All the DHCP events (sourcetype=DhcpSrvLog) | 10,11,12,13,14,15,16,17,18 |
Network Sessions:Session_Start | 10,11,13 | 10,11 |
Network Sessions:Session_End | 12,16,17 | 12,16,17,18 |
Notes:
- Removed the tags (dhcp network session) from 'DhcpSrvLog' eventtype and created new 'DhcpSrvLog_dhcp' eventtype which covers Event Codes mapped with NetworkSession:dhcp DM.
- The header for latest supported event format is [ ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name, TransactionID, QResult,Probationtime, CorrelationID,Dhcid,VendorClass(Hex),VendorClass(ASCII),UserClass(Hex),UserClass(ASCII),RelayAgentInformation,DnsRegError ]
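An added example, not part of the add-on, that parses DhcpSrvLog lines against the header listed above and reports which CIM data models an event ID maps to before and after v8.4.0, using the table above. The two log lines are constructed for the example.

```python
import csv
from io import StringIO

# Header of the latest supported DhcpSrvLog event format, as listed in the notes above.
DHCP_HEADER = [
    "ID", "Date", "Time", "Description", "IP Address", "Host Name", "MAC Address",
    "User Name", "TransactionID", "QResult", "Probationtime", "CorrelationID", "Dhcid",
    "VendorClass(Hex)", "VendorClass(ASCII)", "UserClass(Hex)", "UserClass(ASCII)",
    "RelayAgentInformation", "DnsRegError",
]

# Event ID -> CIM data model mapping from the table above. None means "all DhcpSrvLog events".
CIM_MAPPING = {
    "before_8.4.0": {
        "Network Sessions:DHCP": None,
        "Network Sessions:Session_Start": {10, 11, 13},
        "Network Sessions:Session_End": {12, 16, 17},
    },
    "after_8.4.0": {
        "Network Sessions:DHCP": set(range(10, 19)),
        "Network Sessions:Session_Start": {10, 11},
        "Network Sessions:Session_End": {12, 16, 17, 18},
    },
}

# Constructed sample lines (not real server output) in the header's column order.
SAMPLE_LINES = [
    "10,04/13/22,09:15:02,Assign,192.0.2.25,host1.contoso.com,001122334455,,1234567,0,,,,,,,,,0",
    "18,04/13/22,09:20:00,Expired,192.0.2.25,host1.contoso.com,001122334455,,,,,,,,,,,,0",
]


def parse_dhcp_line(line):
    """Parse one DhcpSrvLog line into a dict keyed by the header names.

    A line whose column count does not match the header is rejected rather than
    silently mis-aligned, so a format change shows up as an error, not bad fields.
    """
    row = next(csv.reader(StringIO(line)))
    if len(row) != len(DHCP_HEADER):
        raise ValueError(f"expected {len(DHCP_HEADER)} columns, got {len(row)}")
    record = dict(zip(DHCP_HEADER, row))
    record["ID"] = int(record["ID"])
    return record


def cim_models(event_id, version="after_8.4.0"):
    """Return the sorted CIM data models an event ID maps to in the given add-on version."""
    return sorted(model for model, ids in CIM_MAPPING[version].items()
                  if ids is None or event_id in ids)


def classify(line, version="after_8.4.0"):
    """Parse a line and return (event ID, leased IP, CIM data models)."""
    record = parse_dhcp_line(line)
    return record["ID"], record["IP Address"], cim_models(record["ID"], version)
```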
Fixes
- Removed invalid 'object' field extraction (sourcetype AS object) from all security events. (Note: Existing users relying on the 'object' field can directly use the 'sourcetype' field.)
- Fixed the 'Name' field extraction issue for "WMI:LocalProcesses" sourcetype when Name contains the space character.
Field Changes
Source - WinEventLog:Security field mapping changes
Source-type | EventCode | Fields added | Fields removed |
---|---|---|---|
WinEventLog | 4703 | change_type, Subject_Security_ID, Subject_Account_Domain, src_user_name, Subject_Logon_ID, Target_Security_ID, Subject_Account_Name, object_category, Target_Logon_ID, object_attrs, Target_Account_Name, user_name, user_group, Target_Account_Domain, result, object_id | |
WinEventLog | 4704 | change_type, Subject_Security_ID, Subject_Account_Domain, src_user_name, Subject_Logon_ID, Subject_Account_Name, object_category, Target_Account_Name, object_attrs, user_name, user_group, result | |
WinEventLog | 4705 | change_type, Subject_Security_ID, Subject_Account_Domain, src_user_name, Subject_Logon_ID, Subject_Account_Name, object_category, Target_Account_Name, object_attrs, user_name, user_group, result | |
WinEventLog | 4722 | Subject_Account_Domain, src_user_name, Subject_Logon_ID, Target_Security_ID, Subject_Account_Name, Target_Account_Name, user_name, object_attrs, Target_Account_Domain, user_group, Subject_Security_ID, object_id | |
WinEventLog | 4723 | Subject_Security_ID, Subject_Account_Domain, src_user_name, Subject_Logon_ID, Target_Security_ID, Subject_Account_Name, Target_Account_Name, user_name, Target_Account_Domain, user_group, result, object_id | |
WinEventLog | 4724 | Subject_Security_ID, Subject_Account_Domain, src_user_name, Subject_Logon_ID, Target_Security_ID, Subject_Account_Name, Target_Account_Name, user_name, Target_Account_Domain, user_group, result, object_id | |
WinEventLog | 4725 | Subject_Account_Domain, src_user_name, Subject_Logon_ID, Target_Security_ID, Subject_Account_Name, Target_Account_Name, user_name, object_attrs, Target_Account_Domain, user_group, Subject_Security_ID, object_id | |
WinEventLog | 4726 | Subject_Account_Domain, src_user_name, Subject_Logon_ID, Target_Security_ID, Subject_Account_Name, Target_Account_Name, user_name, object_attrs, Target_Account_Domain, user_group, Subject_Security_ID, object_id | |
WinEventLog | 4738 | Subject_Account_Domain, src_user_name, Subject_Logon_ID, Target_Security_ID, Subject_Account_Name, Target_Account_Name, user_name, object_attrs, Target_Account_Domain, user_group, Subject_Security_ID, object_id | |
WinEventLog | 4767 | Subject_Account_Domain, src_user_name, Subject_Logon_ID, Target_Security_ID, Subject_Account_Name, Target_Account_Name, user_name, object_attrs, Target_Account_Domain, user_group, Subject_Security_ID, object_id | |
WinEventLog | 4781 | Target_Old_Account_Name, src_user, Target_New_Account_Name, Subject_Account_Domain, src_user_name, Subject_Logon_ID, Target_Security_ID, Subject_Account_Name, user_name, Target_Account_Domain, Subject_Security_ID, object_id | |
Source - XmlWinEventLog:Security field mapping changes
Source-type | EventCode | Fields added | Fields removed |
---|---|---|---|
XmlWinEventLog | 4703 | result, user_name, object_attrs, object_category, object_id, src_user_name, change_type | |
XmlWinEventLog | 4704 | result, object_attrs, object_id, object_category, src_user_name, change_type | |
XmlWinEventLog | 4705 | result, object_attrs, object_id, object_category, src_user_name, change_type | |
XmlWinEventLog | 4722 | user_name, object_attrs, src_user_name, object_id | |
XmlWinEventLog | 4723 | result, user_name, src_user_name, object_id | |
XmlWinEventLog | 4724 | result, user_name, src_user_name, object_id | |
XmlWinEventLog | 4725 | user_name, object_attrs, src_user_name, object_id | |
XmlWinEventLog | 4726 | user_name, object_attrs, src_user_name, object_id | |
XmlWinEventLog | 4738 | user_name, object_attrs, src_user_name, object_id | |
XmlWinEventLog | 4767 | user_name, object_attrs, src_user_name, object_id | |
XmlWinEventLog | 4781 | user, user_name, src_user_name, object_id | |
Fixed Issues
Version 8.4.0 of the Splunk Add-on for Windows fixes the following issues:
Known Issues
Version 8.4.0 of the Splunk Add-on for Windows contains the following known issues. If no issues appear below, no issues have yet been reported:
Date filed | Issue number | Description |
---|---|---|
2018-09-06 | ADDON-19338 | Data duplication issue in WindowsUpdate.Log |
Version 8.3.0
Version 8.3.0 of the Splunk Add-on for Windows was released on December 8, 2021.
The Splunk Add-on for Windows 5.0.0 introduced breaking changes. If you are upgrading from a version of the Splunk Add-on for Windows that is lower than 5.0.0, you must follow the steps outlined in Upgrade the Splunk Add-on for Windows. Failure to do so can result in data loss.
The Splunk Add-on for Windows DNS version 1.0.1 and the Splunk Add-on for Windows Active Directory version 1.0.0 are not supported when installed alongside the Splunk Add-on for Windows versions 6.0.0 and higher. The Splunk Add-on for Windows versions 6.0.0 and higher includes the Splunk Add-on for Windows DNS and the Splunk Add-on for Microsoft Active Directory.
Compatibility
Version 8.3.0 of the Splunk Add-on for Windows is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 8.1.x, 8.2.x |
CIM | 4.15 and later |
Platform | Windows |
Vendor Products | Windows Server 2022, Windows 11, Windows Server 2019, Windows 8.1, Windows 10, Windows Server 2012/2012 R2, Windows Server 2016, Microsoft Active Directory, Microsoft Windows DNS Server |
New or changed features
Version 8.3.0 of the Splunk Add-on for Windows has the following new or changed features:
Features
- Support for Windows Server 2022 and Windows 11
Fixed Issues
Version 8.3.0 of the Splunk Add-on for Windows fixes the following issues:
Known Issues
Version 8.3.0 of the Splunk Add-on for Windows contains the following known issues. If no issues appear below, no issues have yet been reported:
Date filed | Issue number | Description |
---|---|---|
2018-09-06 | ADDON-19338 | Data duplication issue in WindowsUpdate.Log |
Version 8.2.0
Version 8.2.0 of the Splunk Add-on for Windows was released on April 18, 2021.
The Splunk Add-on for Windows 5.0.0 introduced breaking changes. If you are upgrading from a version of the Splunk Add-on for Windows that is earlier than 5.0.0, you must follow the steps outlined in Upgrade the Splunk Add-on for Windows. Failure to do so can result in data loss.
The Splunk Add-on for Windows DNS version 1.0.1 and the Splunk Add-on for Windows Active Directory version 1.0.0 are not supported when installed alongside the Splunk Add-on for Windows versions 6.0.0 and above. The Splunk Add-on for Windows versions 6.0.0 and above includes the Splunk Add-on for Windows DNS and the Splunk Add-on for Microsoft Active Directory.
Compatibility
Version 8.2.0 of the Splunk Add-on for Windows is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 8.0.x, 8.1.x, 8.2.x |
CIM | 4.15 and later |
Platform | Windows |
Vendor Products | Windows Server 2019, Windows 8.1, Windows 10, Windows Server 2012/2012 R2, Windows Server 2016, Microsoft Active Directory, Microsoft Windows DNS Server |
New or changed features
Version 8.2.0 of the Splunk Add-on for Windows has the following new or changed features:
Features
- Introduced new event type windows_endpoint_processes (tags: "report" and "process") which will only apply to Windows Event Codes: 4688, 4689, 4696, 4674, 4673 falling under source="WinEventLog:Security" OR source="XmlWinEventLog:Security" and therefore mapped to Endpoint:Processes CIM Data Model.
- Introduced new event type windows_endpoint_services (tags: "report" and "service") which will only apply to Windows Event Codes: 1100, 5024, 5025, 5030, 5033, 5034, 5035, 5478, 7036, 7040, 7045 falling under source="WinEventLog:Security" OR source="XmlWinEventLog:Security" OR source="WinEventLog:System" OR source="XmlWinEventLog:System" and therefore mapped to the Endpoint:Services CIM Data Model.
- Updated Common Information Model (CIM) field mapping for Windows Event Codes: 4688, 4689, 4696, 4674, 4673, 1100, 5024, 5025, 5033, 5034, 5478, 7036, 7040, 7045 falling under source="WinEventLog:Security" OR source="XmlWinEventLog:Security" OR source="WinEventLog:System" OR source="XmlWinEventLog:System".
- Removed tags ("report", "service", "process") from the event type endpoint_services_processes. Earlier all events falling in source="WMI:WinEventLog:Security" OR sourcetype="WinEventLog" OR sourcetype="XmlWinEventLog" were mapped to both Endpoint:Processes and Endpoint:Services CIM Data Model. This has been removed and only specific events mentioned in above points are mapped now.
- Minor regex optimizations.
- Updated extraction for process_id field for all events falling in the source=XmlWinEventLog:Security. The field would now only be extracted for event codes where relevant information is present.
- Updated extraction for parent_process_id field for all events falling in the source=XmlWinEventLog:Security. It will now be extracted for only two Event Codes: 4688 and 4696.
See the following example:
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}' />
    <EventID>4689</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13313</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime='2021-07-26T08:13:24.962474100Z' />
    <EventRecordID>55551</EventRecordID>
    <Correlation />
    <Execution ProcessID='4' ThreadID='1488' />
    <Channel>Security</Channel>
    <Computer>IP-0ACA15D4</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name='SubjectUserSid'>NT AUTHORITY\SYSTEM</Data>
    <Data Name='SubjectUserName'>IP-0ACA15D4$</Data>
    <Data Name='SubjectDomainName'>WORKGROUP</Data>
    <Data Name='SubjectLogonId'>0x3e7</Data>
    <Data Name='Status'>0x1</Data>
    <Data Name='ProcessId'>0x908</Data>
    <Data Name='ProcessName'>C:\opt\splunk\bin\splunk-MonitorNoHandle.exe</Data>
  </EventData>
</Event>
In the above event, v8.1.2 of the add-on extracted process_id as 4 from the tag <Execution ProcessID='4' ThreadID='1488' /> and parent_process_id as 0x908 from the tag <Data Name='ProcessId'>0x908</Data>. This has been corrected: with v8.2.0, process_id is extracted as 0x908, and parent_process_id is not extracted because this event does not carry that information.
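An added example (not the add-on's own transforms) that reproduces the v8.1.2 and v8.2.0 behaviour described above on the quoted 4689 event. The 4688 sample is constructed, the NewProcessId/ProcessId layout assumed for 4688 comes from the Windows event schema rather than this page, and 4696's own field layout is not modeled.

```python
import xml.etree.ElementTree as ET

# Event codes for which v8.2.0 still extracts parent_process_id (from the release notes above).
PARENT_PID_EVENT_CODES = {"4688", "4696"}

# The 4689 event quoted in the release notes above.
SAMPLE_4689 = r"""<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
<System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}' />
<EventID>4689</EventID><Version>0</Version><Level>0</Level><Task>13313</Task><Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2021-07-26T08:13:24.962474100Z' />
<EventRecordID>55551</EventRecordID><Correlation /><Execution ProcessID='4' ThreadID='1488' />
<Channel>Security</Channel><Computer>IP-0ACA15D4</Computer><Security /></System>
<EventData><Data Name='SubjectUserSid'>NT AUTHORITY\SYSTEM</Data>
<Data Name='SubjectUserName'>IP-0ACA15D4$</Data><Data Name='SubjectDomainName'>WORKGROUP</Data>
<Data Name='SubjectLogonId'>0x3e7</Data><Data Name='Status'>0x1</Data><Data Name='ProcessId'>0x908</Data>
<Data Name='ProcessName'>C:\opt\splunk\bin\splunk-MonitorNoHandle.exe</Data></EventData></Event>"""

# Constructed 4688 sample (not from the page); only the fields this example reads are included.
SAMPLE_4688 = r"""<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
<System><EventID>4688</EventID><Execution ProcessID='4' ThreadID='1488' /></System>
<EventData><Data Name='NewProcessId'>0x1a2c</Data><Data Name='NewProcessName'>C:\Windows\System32\cmd.exe</Data>
<Data Name='ProcessId'>0x908</Data></EventData></Event>"""


def event_data(root):
    """Map EventData/Data@Name -> text, ignoring the default XML namespace."""
    return {d.get("Name"): (d.text or "") for d in root.iterfind(".//{*}Data")}


def extract_process_fields(xml_text, legacy=False):
    """Return EventCode, process_id and parent_process_id for one XmlWinEventLog event."""
    root = ET.fromstring(xml_text)
    code = root.findtext("./{*}System/{*}EventID")
    data = event_data(root)
    if legacy:
        # v8.1.2 behaviour described above: process_id came from <Execution ProcessID=...>
        # (the process that wrote the event) and parent_process_id from EventData ProcessId.
        execution = root.find("./{*}System/{*}Execution")
        return {"EventCode": code,
                "process_id": execution.get("ProcessID") if execution is not None else None,
                "parent_process_id": data.get("ProcessId")}
    # v8.2.0 behaviour: process_id comes from EventData ProcessId when present,
    # and parent_process_id only for the event codes that actually carry it.
    fields = {"EventCode": code, "process_id": data.get("ProcessId"), "parent_process_id": None}
    if code in PARENT_PID_EVENT_CODES and "NewProcessId" in data:
        # Assumption (Windows 4688 schema, not the add-on's transforms): NewProcessId is the
        # created process and ProcessId is its creator.
        fields["process_id"] = data["NewProcessId"]
        fields["parent_process_id"] = data.get("ProcessId")
    return fields
```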
Bug Fixes
- Fixed issue with timestamp parsing which was conflicting with MAC address for the sourcetype DhcpSrvLog.
- Fixed issue with src_port field not extracted for Windows Event ID 5156 XML events.
- Fixed issue with Error_Code field not extracted due to Splunk field alias behavior change for multiple source types.
- Fixed issue with SubjectDomainName field not extracted for Windows Event ID 1102 XML events.
- Fixed issue with src_domain field extraction not working correctly if containing a '-' character for the sourcetype MSAD:NT6:DNS.
Field Mapping Changes
Version 8.2.0 of the Splunk Add-on for Windows introduces field changes to the WinEventLog:Security, XmlWinEventLog:Security, WinEventLog:System and XmlWinEventLog:System sourcetypes. See the following tables for information on the field changes.
The details below cover only those event codes for which the mapping has been corrected: 4688, 4689, 4696, 4674, 4673, 1100, 5024, 5025, 5033, 5034, 5478, 7036, 7040, 7045. In addition to these fields, process_id and parent_process_id are affected for all event codes falling in source=XmlWinEventLog:Security.
Source - WinEventLog:Security field mapping changes
Source-type | EventCode | Fields added | Fields removed |
---|---|---|---|
WinEventLog | 1100 | service, service_name | |
WinEventLog | 4689, 4673 | process_exec, process_path, process_id | |
WinEventLog | 4674 | process_exec, process_path | |
WinEventLog | 4696 | process_path, target_process_name, process_name, process_exec, parent_process_id, process | |
Source - XmlWinEventLog:Security field mapping changes
Source-type | EventCode | Fields added | Fields removed |
---|---|---|---|
XmlWinEventLog | 1100 | service, service_name | process_id |
XmlWinEventLog | 4689, 4673, 4674 | process_exec, user | parent_process_id |
XmlWinEventLog | 4696 | process_path, target_process_name, process, process_exec, process_name | |
XmlWinEventLog | 4697 | user | process_id |
XmlWinEventLog | 5033, 5034, 5478, 5024, 5025 | | process_id |
Source - WinEventLog:System field mapping changes
Source-type | EventCode | Fields added | Fields removed |
---|---|---|---|
WinEventLog | 7036 | service, service_name, Service_Name, status | |
WinEventLog | 7040 | service, Service_Name, start_mode, start_type2, service_name | |
WinEventLog | 7045 | start_mode | |
Source - XmlWinEventLog:System field mapping changes
Source-type | EventCode | Fields added | Fields removed |
---|---|---|---|
XmlWinEventLog | 7036 | service, service_name, ServiceName, status | |
XmlWinEventLog | 7040 | service, service_name, start_mode, ServiceName | |
XmlWinEventLog | 7045 | start_mode | |
Sample values for modified sourcetypes
The following tables display the field changes for the WinEventLog:Security and XmlWinEventLog:Security sourcetypes.
WinEventLog:Security sourcetype field mapping changes
Field mapping changes for the WinEventLog:Security sourcetype.
EventCode | Field modified | Sample Value for Modified fields in 8.1.2 | Sample Value for Modified fields in 8.2.0 |
---|---|---|---|
1100 | status | success | stopped |
4673 | process_name | C:\Windows\System32\lsass.exe | lsass.exe |
4674 | process_name | C:\Windows\System32\wininit.exe | wininit.exe |
4689 | process_name | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | splunk-powershell.exe |
4696 | process_id | 0x4 | 0x54 |
5033, 5024, 5478, 4697 | status | success | started |
5034, 5025 | status | success | started |
XmlWinEventLog:Security sourcetype field changes
Field mapping changes for the XmlWinEventLog:Security sourcetype.
EventCode | Field modified | Sample Value for Modified fields in 8.1.2 | Sample Value for Modified fields in 8.2.0 |
---|---|---|---|
1100 | status | success | stopped |
4673 | process_name | C:\Windows\explorer.exe | explorer.exe |
4673 | process_id | 4 | 0xa20 |
4674 | process_name | C:\Windows\System32\wbem\WmiPrvSE.exe | WmiPrvSE.exe |
4674 | process_id | 4 | 0x1494 |
4689 | process_name | C:\opt\splunk\bin\splunk-MonitorNoHandle.exe | splunk-MonitorNoHandle.exe |
4689 | process_id | 4 | 0x908 |
4696 | process_id | 4 | 0x54 |
5033, 5024, 5478, 4697 | status | success | started |
5034, 5025 | status | success | started |
The values of the tag and eventtype fields have also changed for the sources and event codes listed in the features section above on this page; those changes are not shown in the tables above.
Fixed Issues
Version 8.2.0 of the Splunk Add-on for Windows fixes the following issues:
Known Issues
Version 8.2.0 of the Splunk Add-on for Windows contains the following known issues. If no issues appear below, no issues have yet been reported:
Version 8.1.2
Version 8.1.2 of the Splunk Add-on for Windows was released on April 18, 2021.
The Splunk Add-on for Windows 5.0.0 introduced breaking changes. If you are upgrading from a version of the Splunk Add-on for Windows that is earlier than 5.0.0, you must follow the steps outlined in Upgrade the Splunk Add-on for Windows. Failure to do so can result in data loss.
The Splunk Add-on for Windows DNS version 1.0.1 and the Splunk Add-on for Windows Active Directory version 1.0.0 are not supported when installed alongside the Splunk Add-on for Windows versions 6.0.0 and above. The Splunk Add-on for Windows versions 6.0.0 and above includes the Splunk Add-on for Windows DNS and the Splunk Add-on for Microsoft Active Directory.
Compatibility
Version 8.1.2 of the Splunk Add-on for Windows is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 7.3.x, 8.0.x, 8.1.x |
CIM | 4.15 and later |
Platform | Windows |
Vendor Products | Windows 2019, Windows 8.1, Windows 10, Windows Server 2012/2012 R2, Windows Server 2016, Microsoft Active Directory, Microsoft Windows DNS Server |
New or changed features
Version 8.1.2 of the Splunk Add-on for Windows has the following new or changed features:
- Updated Common Information Model (CIM) field mapping for Windows Event ID 4688
- Fixed the version value in app.conf
The latest version of the Splunk Add-on for Microsoft Windows introduced Common Information Model (CIM) and field mapping changes to its sourcetypes. See the Common Information Model and Field Mapping Changes for the Splunk Add-on for Microsoft Windows topic in the Reference chapter in this manual for information on changes to the mapping of this information.
Field Changes
Version 8.1.2 of the Splunk Add-on for Windows introduces field changes to the WinEventLog:Security and XmlWinEventLog:Security sourcetypes. See the following table for information on the field changes:
Sourcetype | EventCode | Fields added | Fields removed | Fields modified |
---|---|---|---|---|
WinEventLog:Security | 4688 | new_process_name | N/A | action |
XmlWinEventLog:Security | 4688 | Process_Command_Line | N/A | action |
Sample values for modified sourcetypes
The following tables display the field changes for the WinEventLog:Security and XmlWinEventLog:Security sourcetypes.
WinEventLog:Security sourcetype field changes
Field changes for the WinEventLog:Security sourcetype.
Field modified | Sample Value for Modified fields in 8.1.1 | Sample Value for Modified fields in 8.1.2 |
---|---|---|
action | success | allowed |
process | splunk-powershell.exe --ps2 | C:\opt\splunk\bin\splunk-powershell.exe --ps2 |
process_name | C:\opt\splunk\bin\splunk-optimize.exe | splunk-optimize.exe |
user | - | WIN-7K2KTN5JGVD$ |
XmlWinEventLog:Security sourcetype field changes
Field changes for the XmlWinEventLog:Security sourcetype.
Field modified | Sample Value for Modified fields in 8.1.1 | Sample Value for Modified fields in 8.1.2 |
---|---|---|
action | success | allowed |
process | splunk-powershell.exe --ps2 | C:\opt\splunk\bin\splunk-powershell.exe --ps2 |
process_id | - | 0x15b8 |
process_name | C:\opt\splunk\bin\splunk-optimize.exe | splunk-optimize.exe |
user | - | WIN-7K2KTN5JGVD$ |
Fixed Issues
Version 8.1.2 of the Splunk Add-on for Windows fixes the following issues:
Date resolved | Issue number | Description |
---|---|---|
2021-04-12 | ADDON-33024 | Version 8.1.1 of the Splunk Add-on for Windows bad version value in app.conf |
2021-03-23 | ADDON-34637 | Fix Common Information Model (CIM) field mapping for Windows Event ID 4688 |
Known Issues
Version 8.1.2 of the Splunk Add-on for Windows contains the following known issues. If no issues appear below, no issues have yet been reported:
Date filed | Issue number | Description |
---|---|---|
2021-08-23 | ADDON-40890 | 'KV_for_Domain' transforms regex in "Splunk Add-on for Microsoft Windows" is incorrect |
2021-08-16 | ADDON-40674 | SubjectDomainName is not extracted from windows events |
2021-03-04 | ADDON-34640 | Windows TA: eventtype endpoint_services_processes is too broad. |