Splunk® Supported Add-ons

Splunk Add-on for Microsoft Windows


Release history for the Splunk Add-on for Windows

The latest version of the Splunk Add-on for Windows is version 8.8.0. See Release notes for the Splunk Add-on for Windows.

Version 8.7.0

Version 8.7.0 of the Splunk Add-on for Windows was released on April 21, 2023.

The Splunk Add-on for Windows DNS version 1.0.1 and the Splunk Add-on for Windows Active Directory version 1.0.0 are not supported when installed alongside the Splunk Add-on for Windows versions 6.0.0 and higher. The Splunk Add-on for Windows versions 6.0.0 and higher includes the Splunk Add-on for Windows DNS and the Splunk Add-on for Microsoft Active Directory.


Compatibility

Version 8.7.0 of the Splunk Add-on for Windows is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 8.1.x, 8.2.x, 9.0.x
CIM 4.15 and later
Platform Windows
Vendor Products Windows Server 2022, Windows 11, Windows Server 2019, Windows 8.1, Windows 10, Windows Server 2012/2012 R2, Windows Server 2016, Microsoft Active Directory, Microsoft Windows DNS Server

New or changed features

Version 8.7.0 of the Splunk Add-on for Windows has the following new or changed features:

  • Tagged Windows DNS logs collected in the MSAD:NT6:DNS sourcetype with the NetworkResolution:DNS data model and mapped the relevant CIM fields.

See CIM model and Field Mapping changes for MSAD:NT6:DNS for details on these changes.

Fixed Issues

Version 8.7.0 of the Splunk Add-on for Windows fixes the following issues:


Date resolved Issue number Description
2023-05-03 ADDON-61555 src_nt_domain field extracting value from next line when "Security_ID" field is missing for source WinEventLog:Security

Known Issues

Version 8.7.0 of the Splunk Add-on for Windows contains the following known issues. If no issues appear below, no issues have yet been reported:


Date filed Issue number Description
2022-07-21 ADDON-54050 Parsing does not work properly when a nested XML event is encoded.
2018-09-06 ADDON-19338 Data duplication issue in WindowsUpdate.Log


Version 8.6.0

Version 8.6.0 of the Splunk Add-on for Windows was released on January 23, 2023.

The Splunk Add-on for Windows DNS version 1.0.1 and the Splunk Add-on for Windows Active Directory version 1.0.0 are not supported when installed alongside the Splunk Add-on for Windows versions 6.0.0 and higher. The Splunk Add-on for Windows versions 6.0.0 and higher includes the Splunk Add-on for Windows DNS and the Splunk Add-on for Microsoft Active Directory.


Compatibility

Version 8.6.0 of the Splunk Add-on for Windows is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 8.1.x, 8.2.x, 9.0.x
CIM 4.15 and later
Platform Windows
Vendor Products Windows Server 2022, Windows 11, Windows Server 2019, Windows 8.1, Windows 10, Windows Server 2012/2012 R2, Windows Server 2016, Microsoft Active Directory, Microsoft Windows DNS Server

New or changed features

Version 8.6.0 of the Splunk Add-on for Windows has the following new or changed features:

  • CIM enhancements for the following Event Codes: 4727, 4728, 4729, 4730, 4731, 4733, 4734, 4735, 4737, 4754, 4755, 4756, 4757, 4758, 4799, 4764. See Field Changes for more details on the Event Code changes.

(To review the field extraction changes, see the Field Changes section below.)

  • For EventCodes: 4727, 4730, 4731, 4734, 4735, 4737, 4754, 4755, 4758, 4764 the user field has been removed as these events belong to object_category=group.
  • Mapped the 4799 Event Code of the Windows Security to the Change:All_Changes data model.



Fixes

  • Fixed the signature field extraction issue for source WinEventLog:System.

Notes:

  • If the configured input has evt_resolve_ad_obj = 1, the values of Member:Security_ID, Group:Security_ID and Subject:Security_ID are in the enriched "DOMAIN\UserName" format.
  • If the configured input has evt_resolve_ad_obj = 0, the values of Member:Security_ID, Group:Security_ID and Subject:Security_ID are in the traditional Windows SID format, for example S-1-1234-etc.


Field Changes

Source - WinEventLog:Security field mapping changes

Source-type | EventCode | Fields added | Fields removed

['WinEventLog'] | 4727 | added: src_user, src_user_name, object_id, object, src | removed: user
['WinEventLog'] | 4728 | added: src_user_name, object_id, object, user_name, src | removed: (none)
['WinEventLog'] | 4729 | added: src_user_name, object_id, object, user_name, src | removed: (none)
['WinEventLog'] | 4730 | added: src_user, src_user_name, object_id, object, src | removed: user
['WinEventLog'] | 4731 | added: src_user, src_user_name, object_id, object, src | removed: user
['WinEventLog'] | 4733 | added: src_user_name, object_id, src | removed: user
['WinEventLog'] | 4734 | added: src_user, src_user_name, object_id, object, src | removed: user
['WinEventLog'] | 4735 | added: src_user, src_user_name, object_id, object, src | removed: user
['WinEventLog'] | 4737 | added: src_user, src_user_name, object_id, object, src | removed: user
['WinEventLog'] | 4754 | added: src_user, src_user_name, object_id, object, src | removed: user
['WinEventLog'] | 4755 | added: src_user, src_user_name, object_id, object, src | removed: user
['WinEventLog'] | 4756 | added: object_attrs, Group_Name, src_user_name, user_group, object_id, object, user_name, Group_Domain, src | removed: (none)
['WinEventLog'] | 4757 | added: src_user_name, object_id, object, user_name, src | removed: (none)
['WinEventLog'] | 4758 | added: src_user, src_user_name, object_id, object, src | removed: user
['WinEventLog'] | 4764 | added: src_user, src_user_name, object_id, object, src | removed: user, object_attrs
['WinEventLog'] | 4799 | added: object_category, result, change_type, subject, signature, object_id, object, user_name, src, name | removed: (none)


Source - XmlWinEventLog:Security field mapping changes

Source-type | EventCode | Fields added | Fields removed
['XmlWinEventLog'] | 4727 | added: src_user_name, src, object_id, object | removed: user
['XmlWinEventLog'] | 4728 | added: src_user_name, object_id, user_name, object_attrs, src, object | removed: (none)
['XmlWinEventLog'] | 4729 | added: src_user_name, object_id, user_name, object_attrs, src, object | removed: (none)
['XmlWinEventLog'] | 4730 | added: src_user_name, object_id, object_attrs, src, object | removed: user
['XmlWinEventLog'] | 4731 | added: src_user_name, src, object_id, object | removed: user
['XmlWinEventLog'] | 4733 | added: object_attrs, src_user_name, src, object_id | removed: user
['XmlWinEventLog'] | 4734 | added: src_user_name, object_id, object_attrs, src, object | removed: user
['XmlWinEventLog'] | 4735 | added: src_user_name, src, object_id, object | removed: user
['XmlWinEventLog'] | 4737 | added: src_user_name, src, object_id, object | removed: user
['XmlWinEventLog'] | 4754 | added: src_user_name, src, object_id, object | removed: user
['XmlWinEventLog'] | 4755 | added: src_user_name, src, object_id, object | removed: user
['XmlWinEventLog'] | 4756 | added: src_user_name, object_id, user_name, object_attrs, src, object | removed: (none)
['XmlWinEventLog'] | 4757 | added: src_user_name, object_id, user_name, object_attrs, src, object | removed: (none)
['XmlWinEventLog'] | 4758 | added: src_user_name, object_id, object_attrs, src, object | removed: user
['XmlWinEventLog'] | 4764 | added: src_user_name, src, object_id, object | removed: user
['XmlWinEventLog'] | 4799 | added: result, object_id, user_name, object_attrs, change_type, name, src, subject, object, signature, object_category | removed: (none)


Fixed Issues

Version 8.6.0 of the Splunk Add-on for Windows fixes the following issues:

Known Issues

Version 8.6.0 of the Splunk Add-on for Windows contains the following known issues. If no issues appear below, no issues have yet been reported:


Date filed Issue number Description
2022-07-21 ADDON-54050 Parsing does not work properly when a nested XML event is encoded.
2018-09-06 ADDON-19338 Data duplication issue in WindowsUpdate.Log


Version 8.5.0

Version 8.5.0 of the Splunk Add-on for Windows was released on April 21, 2022.

The Splunk Add-on for Windows DNS version 1.0.1 and the Splunk Add-on for Windows Active Directory version 1.0.0 are not supported when installed alongside the Splunk Add-on for Windows versions 6.0.0 and higher. The Splunk Add-on for Windows versions 6.0.0 and higher includes the Splunk Add-on for Windows DNS and the Splunk Add-on for Microsoft Active Directory.


Compatibility

Version 8.5.0 of the Splunk Add-on for Windows is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 8.1.x, 8.2.x
CIM 4.15 and later
Platform Windows
Vendor Products Windows Server 2022, Windows 11, Windows Server 2019, Windows 8.1, Windows 10, Windows Server 2012/2012 R2, Windows Server 2016, Microsoft Active Directory, Microsoft Windows DNS Server

New or changed features

Version 8.5.0 of the Splunk Add-on for Windows has the following new or changed features:

  • CIM enhancements for these Event Codes: 104, 1102, 4624, 4625, 4634, 4698, 4700, 4701, 4702, 4719, 4720, 4732, 4740, 4800, 4801

(To review the field extraction changes, see the Field Changes section below.)

  • Removed the incorrect Endpoint:Filesystem CIM tags from the wineventlog_windows event type.
  • Removed the fs_notification event type and fs_notification source type extractions as Splunk no longer supports this source type.


Fixes

  • Fixed the user field extraction issue for Event Codes 4728, 4729, 4732 when the distinguished name (DN) contains "Lastname, Firstname".

Notes:

  • If the Member:Security_ID value uses the enriched "DOMAIN\UserName" format, the user field is extracted as UserName.
  • If the Member:Security_ID value uses the traditional Windows SID (S-1234-etc) format, the user field is extracted from the first RDN of the Member:Account Name string (which is logged in LDAP DN format).
  • If the Member:Security_ID value uses the traditional Windows SID (S-1234-etc) format and the first RDN of Member:Account Name contains an escaped comma, as in CN=Lastname\, Firstname, OU=Users, DC=CONTOSO, DC=com, the name is in lastname,firstname format, and in that case the user field is not extracted.
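The two Member:Security_ID formats described in the notes above (and in the evt_resolve_ad_obj notes in the version 8.6.0 section) can be handled by a small extraction routine. The following Python is an added example and not code from the add-on: it applies the rules from the notes and, for the SID case, splits the Member:Account Name DN with an RFC 4514-aware RDN splitter, so an escaped comma in CN=Lastname\, Firstname stays inside the first RDN instead of breaking the extraction, which is the case the third note says the add-on does not extract. The helper names, the SID regular expression and the sample values are assumptions constructed for the example.

```python
import re

# Loose shape of a Windows SID such as S-1-5-21-...-1001 (assumption: sufficient for this example).
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def split_rdns(dn):
    """Split an LDAP DN into its RDN strings, honouring backslash escapes (RFC 4514).

    A comma preceded by a backslash is part of the attribute value, not an RDN separator.
    """
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])          # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf).strip())
    return rdns


def first_rdn_value(dn):
    """Value of the first RDN, e.g. 'jdoe' for 'CN=jdoe,OU=Users,DC=CONTOSO,DC=com'."""
    attr, sep, value = split_rdns(dn)[0].partition("=")
    return value if sep else attr


def naive_first_rdn_value(dn):
    """Split on the first bare comma: the behaviour the release note warns about."""
    return dn.split(",")[0].partition("=")[2]


def extract_user(member_security_id, member_account_name):
    """Apply the release-note rules to produce the CIM user field (None if not extractable)."""
    if SID_RE.match(member_security_id):
        # Traditional SID: fall back to the first RDN of the Account Name DN.
        return first_rdn_value(member_account_name) or None
    if "\\" in member_security_id:
        # Enriched DOMAIN\UserName form: take the part after the backslash.
        return member_security_id.split("\\", 1)[1] or None
    return None


if __name__ == "__main__":
    # Constructed sample values, not taken from real events.
    print(extract_user("CONTOSO\\jdoe", "CN=John Doe,OU=Users,DC=CONTOSO,DC=com"))
    print(extract_user("S-1-5-21-1111111111-2222222222-3333333333-1001",
                       "CN=Lastname\\, Firstname,OU=Users,DC=CONTOSO,DC=com"))
    print(naive_first_rdn_value("CN=Lastname\\, Firstname,OU=Users,DC=CONTOSO,DC=com"))
```

The naive split returns "Lastname\" for the escaped-comma DN, which is why a detection keyed on the user field would silently miss such group-membership changes; the escape-aware splitter returns "Lastname, Firstname" instead.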


Field Changes

Source - WinEventLog:System field mapping changes

Source-type EventCode Fields added Fields removed
['WinEventLog'] 104 object, user_name, object_category, action, result, status, change_type

Source - XmlWinEventLog:System field mapping changes

Source-type EventCode Fields added Fields removed
['WinEventLog'] 104 user, object, user_name, object_category, user_data_channel, action, result, status, change_type

Source - WinEventLog:Security field mapping changes

Source-type EventCode Fields added Fields removed


['WinEventLog'] 1102 result, object, user_name
['WinEventLog'] 4624 authentication_method
['WinEventLog'] 4625 authentication_method
['WinEventLog'] 4634 object_id, change_type, object, user_name, object_category, object_attrs, result, src_user, src_user_name
['WinEventLog'] 4698 object, user_name, TaskContent, object_category, object_attrs, result, change_type
['WinEventLog'] 4700 object, user_name, TaskContent, object_category, object_attrs, result, change_type
['WinEventLog'] 4701 object, user_name, TaskContent, object_category, object_attrs, result, change_type
['WinEventLog'] 4702 object, user_name, TaskNewContent, object_category, object_attrs, result, change_type
['WinEventLog'] 4719 result, object, user_name
['WinEventLog'] 4720 src_user_name, object_id, object, user_name, object_attrs, New_Account_Account_Name, New_Account_Domain, New_Account_Security_ID
['WinEventLog'] 4732 src_user_name, object_id, Member_Security_ID, object, user_name, Member_Account_Name
['WinEventLog'] 4740 src_user_name, object_id, Account_Locked_Out_Security_ID, Account_Locked_Out_Name, object, user_name, object_attrs
['WinEventLog'] 4800 change_type, object, user_name, object_category, object_attrs, result, src_user, src_user_name
['WinEventLog'] 4801 change_type, object, user_name, object_category, object_attrs, result, src_user, src_user_name

Source - XmlWinEventLog:Security field mapping changes

Source-type EventCode Fields added Fields removed
['XmlWinEventLog'] 1102 result, object, user, user_name
['XmlWinEventLog'] 4624 authentication_method
['XmlWinEventLog'] 4625 authentication_method
['XmlWinEventLog'] 4634 object_id, change_type, object, user_name, object_category, object_attrs, result, src_user, src_user_name, src_nt_domain
['XmlWinEventLog'] 4698 user, object, user_name, object_category, object_attrs, result, change_type
['XmlWinEventLog'] 4700 user, object, user_name, object_category, object_attrs, result, change_type
['XmlWinEventLog'] 4701 user, object, user_name, object_category, object_attrs, result, change_type
['XmlWinEventLog'] 4702 user, object, user_name, object_category, object_attrs, result, change_type
['XmlWinEventLog'] 4719 result, object, user, user_name
['XmlWinEventLog'] 4720 src_user_name, object_id, object, user_name, object_attrs
['XmlWinEventLog'] 4732 src_user_name, object_id, object, user_name, object_attrs
['XmlWinEventLog'] 4740 src_user_name, object, user_name, object_attrs
['XmlWinEventLog'] 4800 change_type, object, user_name, object_category, object_attrs, result, src_user, src_user_name, src_nt_domain
['XmlWinEventLog'] 4801 change_type, object, user_name, object_category, object_attrs, result, src_user, src_user_name, src_nt_domain

Fixed Issues

Version 8.5.0 of the Splunk Add-on for Windows fixes the following issues:


Known Issues

Version 8.5.0 of the Splunk Add-on for Windows contains the following known issues. If no issues appear below, no issues have yet been reported:


Date filed Issue number Description
2023-04-26 ADDON-61962 Group_Name field extraction of windows security classic event for EventCode 4756
2023-03-28 ADDON-61555 src_nt_domain field extracting value from next line when "Security_ID" field is missing for source WinEventLog:Security
2022-07-21 ADDON-54050 Parsing does not work properly when a nested XML event is encoded.
2018-09-06 ADDON-19338 Data duplication issue in WindowsUpdate.Log


Version 8.4.0

Version 8.4.0 of the Splunk Add-on for Windows was released on February 1, 2022.

The Splunk Add-on for Windows DNS version 1.0.1 and the Splunk Add-on for Windows Active Directory version 1.0.0 are not supported when installed alongside the Splunk Add-on for Windows versions 6.0.0 and higher. The Splunk Add-on for Windows versions 6.0.0 and higher includes the Splunk Add-on for Windows DNS and the Splunk Add-on for Microsoft Active Directory.


Compatibility

Version 8.4.0 of the Splunk Add-on for Windows is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 8.1.x, 8.2.x
CIM 4.15 and later
Platform Windows
Vendor Products Windows Server 2022, Windows 11, Windows Server 2019, Windows 8.1, Windows 10, Windows Server 2012/2012 R2, Windows Server 2016, Microsoft Active Directory, Microsoft Windows DNS Server

New or changed features

Version 8.4.0 of the Splunk Add-on for Windows has the following new or changed features:

Features

  • Enhanced "win_listening_ports.bat" input to get the process name associated with the listening port.
  • Added 'storage_free', 'storage', 'storage_used', and 'storage_used_percent' field extractions for "PerfmonMk:LogicalDisk" sourcetype.
  • Added 'user_type'=computer field extraction for the EventCodes 4741, 4742, and 4743.
  • Added 'dest' and 'resource_type' field extractions for the "Script:TimesyncStatus" sourcetype.
  • Introduced a new eventtype 'windows_security_change_account' (with tags 'account' and 'change' and CIM data model Change:Account_Management) that applies only to Windows Event Codes 4703, 4704, 4705, 4722, 4723, 4724, 4725, 4726, 4738, 4767 and 4781 falling under source="WinEventLog:Security" OR source="XmlWinEventLog:Security". Also enhanced the CIM mappings for these Event Codes. (To review the field extraction changes, see the Field Changes section below.)
  • Excluded Event Codes: 4703, 4704, 4705, 4722, 4723, 4724, 4725, 4726, 4738, 4767, 4781 from 'wineventlog_windows' eventtype to remove the incorrect Endpoint:Filesystem CIM tag.
  • Added support of the latest DHCP event format and enhanced the CIM mapping of the "DhcpSrvLog" sourcetype.
CIM Data Model | DHCP Event IDs before v8.4.0 | DHCP Event IDs after v8.4.0
['Network Sessions:DHCP'] | all DHCP events (sourcetype=DhcpSrvLog) | 10,11,12,13,14,15,16,17,18
['Network Sessions:Session_Start'] | 10,11,13 | 10,11
['Network Sessions:Session_End'] | 12,16,17 | 12,16,17,18

Notes:

  • Removed the tags (dhcp, network, session) from the 'DhcpSrvLog' eventtype and created a new 'DhcpSrvLog_dhcp' eventtype that covers the Event Codes mapped to the Network Sessions:DHCP data model.
  • The header of the latest supported event format is [ ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name, TransactionID, QResult,Probationtime, CorrelationID,Dhcid,VendorClass(Hex),VendorClass(ASCII),UserClass(Hex),UserClass(ASCII),RelayAgentInformation,DnsRegError ]
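As an added example (not the add-on's own props or transforms), the following Python reads DhcpSrvLog lines in the header layout quoted above and tags each event with the data models from the v8.4.0 table: Network Sessions:DHCP for IDs 10 to 18, Session_Start for 10 and 11, Session_End for 12, 16, 17 and 18. The sample log lines are constructed for the example, and the few CIM-style output field names (dest_ip, dest_mac, dest_nt_host) are an assumed mapping chosen for illustration.

```python
import csv

# Column order of the latest supported DhcpSrvLog format, as quoted in the release note.
DHCP_HEADER = [
    "ID", "Date", "Time", "Description", "IP Address", "Host Name", "MAC Address",
    "User Name", "TransactionID", "QResult", "Probationtime", "CorrelationID", "Dhcid",
    "VendorClass(Hex)", "VendorClass(ASCII)", "UserClass(Hex)", "UserClass(ASCII)",
    "RelayAgentInformation", "DnsRegError",
]

# Event ID to data model mapping from the v8.4.0 table.
DM_DHCP = {10, 11, 12, 13, 14, 15, 16, 17, 18}
DM_SESSION_START = {10, 11}
DM_SESSION_END = {12, 16, 17, 18}

# Constructed sample lines (19 comma-separated columns each), not real server output.
SAMPLE_LOG = """\
10,04/20/22,09:12:33,Assign,10.0.0.25,host25.contoso.com,001122334455,,1234567,0,0,,,,,,,,0
30,04/20/22,09:12:34,DNS Update Request,10.0.0.25,host25.contoso.com,,,0,0,0,,,,,,,,0
12,04/20/22,11:40:01,Release,10.0.0.25,host25.contoso.com,001122334455,,1234568,0,0,,,,,,,,0
"""


def parse_dhcp_line(line):
    """Turn one DhcpSrvLog line into a dict keyed by the header names.

    Returns None for lines that do not have the expected column count (preamble or header lines).
    """
    cols = next(csv.reader([line]))
    if len(cols) != len(DHCP_HEADER):
        return None
    return dict(zip(DHCP_HEADER, cols))


def data_models(event_id):
    """Data models an event ID is tagged with after v8.4.0 (empty for IDs outside the mapping)."""
    models = []
    if event_id in DM_DHCP:
        models.append("Network Sessions:DHCP")
    if event_id in DM_SESSION_START:
        models.append("Network Sessions:Session_Start")
    if event_id in DM_SESSION_END:
        models.append("Network Sessions:Session_End")
    return models


def normalize(record):
    """Map a parsed record to a few CIM-style fields plus the data models it belongs to."""
    event_id = int(record["ID"])
    return {
        "event_id": event_id,
        "description": record["Description"],
        "dest_ip": record["IP Address"],
        "dest_mac": record["MAC Address"],
        "dest_nt_host": record["Host Name"],
        "data_models": data_models(event_id),
    }


def process_log(text):
    """Parse every well-formed line of a DhcpSrvLog chunk, skipping the rest."""
    out = []
    for line in text.splitlines():
        record = parse_dhcp_line(line)
        if record is not None:
            out.append(normalize(record))
    return out


if __name__ == "__main__":
    for ev in process_log(SAMPLE_LOG):
        print(ev["event_id"], ev["description"], ev["dest_ip"], ev["data_models"])
```

The column-count check matters in practice: the DHCP server writes several explanatory preamble lines before the header, and a parser that does not reject them produces records with misaligned fields.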


Fixes

  • Removed invalid 'object' field extraction (sourcetype AS object) from all security events. (Note: Existing users relying on the 'object' field can directly use the 'sourcetype' field.)
  • Fixed the 'Name' field extraction issue for "WMI:LocalProcesses" sourcetype when Name contains the space character.

Field Changes

Source - WinEventLog:Security field mapping changes

Source-type EventCode Fields added Fields removed
['WinEventLog'] 4703 change_type, Subject_Security_ID, Subject_Account_Domain, src_user_name, Subject_Logon_ID, Target_Security_ID, Subject_Account_Name, object_category, Target_Logon_ID, object_attrs, Target_Account_Name, user_name, user_group, Target_Account_Domain, result, object_id
['WinEventLog'] 4704 change_type, Subject_Security_ID, Subject_Account_Domain, src_user_name, Subject_Logon_ID, Subject_Account_Name, object_category, Target_Account_Name, object_attrs, user_name, user_group, result
['WinEventLog'] 4705 change_type, Subject_Security_ID, Subject_Account_Domain, src_user_name, Subject_Logon_ID, Subject_Account_Name, object_category, Target_Account_Name, object_attrs, user_name, user_group, result
['WinEventLog'] 4722 Subject_Account_Domain, src_user_name, Subject_Logon_ID, Target_Security_ID, Subject_Account_Name, Target_Account_Name, user_name, object_attrs, Target_Account_Domain, user_group, Subject_Security_ID, object_id
['WinEventLog'] 4723 Subject_Security_ID, Subject_Account_Domain, src_user_name, Subject_Logon_ID, Target_Security_ID, Subject_Account_Name, Target_Account_Name, user_name, Target_Account_Domain, user_group, result, object_id
['WinEventLog'] 4724 Subject_Security_ID, Subject_Account_Domain, src_user_name, Subject_Logon_ID, Target_Security_ID, Subject_Account_Name, Target_Account_Name, user_name, Target_Account_Domain, user_group, result, object_id
['WinEventLog'] 4725 Subject_Account_Domain, src_user_name, Subject_Logon_ID, Target_Security_ID, Subject_Account_Name, Target_Account_Name, user_name, object_attrs, Target_Account_Domain, user_group, Subject_Security_ID, object_id
['WinEventLog'] 4726 Subject_Account_Domain, src_user_name, Subject_Logon_ID, Target_Security_ID, Subject_Account_Name, Target_Account_Name, user_name, object_attrs, Target_Account_Domain, user_group, Subject_Security_ID, object_id
['WinEventLog'] 4738 Subject_Account_Domain, src_user_name, Subject_Logon_ID, Target_Security_ID, Subject_Account_Name, Target_Account_Name, user_name, object_attrs, Target_Account_Domain, user_group, Subject_Security_ID, object_id
['WinEventLog'] 4767 Subject_Account_Domain, src_user_name, Subject_Logon_ID, Target_Security_ID, Subject_Account_Name, Target_Account_Name, user_name, object_attrs, Target_Account_Domain, user_group, Subject_Security_ID, object_id
['WinEventLog'] 4781 Target_Old_Account_Name, src_user, Target_New_Account_Name, Subject_Account_Domain, src_user_name, Subject_Logon_ID, Target_Security_ID, Subject_Account_Name, user_name, Target_Account_Domain, Subject_Security_ID, object_id

Source - XmlWinEventLog:Security field mapping changes

Source-type EventCode Fields added Fields removed
['XmlWinEventLog'] 4703 result, user_name, object_attrs, object_category, object_id, src_user_name, change_type
['XmlWinEventLog'] 4704 result, object_attrs, object_id, object_category, src_user_name, change_type
['XmlWinEventLog'] 4705 result, object_attrs, object_id, object_category, src_user_name, change_type
['XmlWinEventLog'] 4722 user_name, object_attrs, src_user_name, object_id
['XmlWinEventLog'] 4723 result, user_name, src_user_name, object_id
['XmlWinEventLog'] 4724 result, user_name, src_user_name, object_id
['XmlWinEventLog'] 4725 user_name, object_attrs, src_user_name, object_id
['XmlWinEventLog'] 4726 user_name, object_attrs, src_user_name, object_id
['XmlWinEventLog'] 4738 user_name, object_attrs, src_user_name, object_id
['XmlWinEventLog'] 4767 user_name, object_attrs, src_user_name, object_id
['XmlWinEventLog'] 4781 user, user_name, src_user_name, object_id


Fixed Issues

Version 8.4.0 of the Splunk Add-on for Windows fixes the following issues:


Known Issues

Version 8.4.0 of the Splunk Add-on for Windows contains the following known issues. If no issues appear below, no issues have yet been reported:


Date filed Issue number Description
2018-09-06 ADDON-19338 Data duplication issue in WindowsUpdate.Log


Version 8.3.0

Version 8.3.0 of the Splunk Add-on for Windows was released on December 8, 2021.

The Splunk Add-on for Windows 5.0.0 introduced breaking changes. If you are upgrading from a version of the Splunk Add-on for Windows that is lower than 5.0.0, you must follow the steps outlined in Upgrade the Splunk Add-on for Windows. Failure to do so can result in data loss.

The Splunk Add-on for Windows DNS version 1.0.1 and the Splunk Add-on for Windows Active Directory version 1.0.0 are not supported when installed alongside the Splunk Add-on for Windows versions 6.0.0 and higher. The Splunk Add-on for Windows versions 6.0.0 and higher includes the Splunk Add-on for Windows DNS and the Splunk Add-on for Microsoft Active Directory.


Compatibility

Version 8.3.0 of the Splunk Add-on for Windows is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 8.1.x, 8.2.x
CIM 4.15 and later
Platform Windows
Vendor Products Windows Server 2022, Windows 11, Windows Server 2019, Windows 8.1, Windows 10, Windows Server 2012/2012 R2, Windows Server 2016, Microsoft Active Directory, Microsoft Windows DNS Server

New or changed features

Version 8.3.0 of the Splunk Add-on for Windows has the following new or changed features:

Features

  • Support for Windows Server 2022 and Windows 11

Fixed Issues

Version 8.3.0 of the Splunk Add-on for Windows fixes the following issues:

Known Issues

Version 8.3.0 of the Splunk Add-on for Windows contains the following known issues. If no issues appear below, no issues have yet been reported:


Date filed Issue number Description
2018-09-06 ADDON-19338 Data duplication issue in WindowsUpdate.Log


Version 8.2.0

Version 8.2.0 of the Splunk Add-on for Windows was released on April 18, 2021. 

The Splunk Add-on for Windows 5.0.0 introduced breaking changes. If you are upgrading from a version of the Splunk Add-on for Windows that is earlier than 5.0.0, you must follow the steps outlined in Upgrade the Splunk Add-on for Windows. Failure to do so can result in data loss.

 

The Splunk Add-on for Windows DNS version 1.0.1 and the Splunk Add-on for Windows Active Directory version 1.0.0 are not supported when installed alongside the Splunk Add-on for Windows versions 6.0.0 and above. The Splunk Add-on for Windows versions 6.0.0 and above includes the Splunk Add-on for Windows DNS and the Splunk Add-on for Microsoft Active Directory.

Compatibility

Version 8.2.0 of the Splunk Add-on for Windows is compatible with the following software, CIM versions, and platforms:

Splunk platform versions   8.0.x, 8.1.x, 8.2.x
CIM 4.15 and later
Platform Windows
Vendor Products Windows Server 2019, Windows 8.1, Windows 10, Windows Server 2012/2012 R2, Windows Server 2016, Microsoft Active Directory, Microsoft Windows DNS Server

New or changed features

Version 8.2.0 of the Splunk Add-on for Windows has the following new or changed features:

Features

  • Introduced new event type windows_endpoint_processes (tags: "report" and "process") which will only apply to Windows Event Codes: 4688, 4689, 4696, 4674, 4673 falling under source="WinEventLog:Security" OR source="XmlWinEventLog:Security" and therefore mapped to Endpoint:Processes CIM Data Model.
  • Introduced new event type windows_endpoint_services (tags: "report" and "service") which will only apply to Windows Event Codes: 1100, 5024, 5025, 5030, 5033, 5034, 5035, 5478, 7036, 7040, 7045 falling under source="WinEventLog:Security" OR source="XmlWinEventLog:Security" OR source="WinEventLog:System" OR source="XmlWinEventLog:System" and therefore mapped to Endpoint:Services CIM Data Model.
  • Updated Common Information Model (CIM) field mapping for Windows Event Codes: 4688, 4689, 4696, 4674, 4673, 1100, 5024, 5025, 5033, 5034, 5478, 7036, 7040, 7045 falling under source="WinEventLog:Security" OR source="XmlWinEventLog:Security" OR source="WinEventLog:System" OR source="XmlWinEventLog:System".
  • Removed the tags ("report", "service", "process") from the event type endpoint_services_processes. Previously, all events falling under source="WMI:WinEventLog:Security" OR sourcetype="WinEventLog" OR sourcetype="XmlWinEventLog" were mapped to both the Endpoint:Processes and Endpoint:Services CIM Data Models. That mapping has been removed; only the specific events listed in the points above are mapped now.
  • Minor regex optimizations.
  • Updated extraction for process_id field for all events falling in the source=XmlWinEventLog:Security. The field would now only be extracted for event codes where relevant information is present.
  • Updated extraction for parent_process_id field for all events falling in the source=XmlWinEventLog:Security. It will now be extracted for only two Event Codes: 4688 and 4696.

See the following example:

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
    <System>
        <Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}' />
        <EventID>4689</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>13313</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8020000000000000</Keywords>
        <TimeCreated SystemTime='2021-07-26T08:13:24.962474100Z' />
        <EventRecordID>55551</EventRecordID>
        <Correlation />
        <Execution ProcessID='4' ThreadID='1488' />
        <Channel>Security</Channel>
        <Computer>IP-0ACA15D4</Computer>
        <Security />
    </System>
    <EventData>
        <Data Name='SubjectUserSid'>NT AUTHORITY\SYSTEM</Data>
        <Data Name='SubjectUserName'>IP-0ACA15D4$</Data>
        <Data Name='SubjectDomainName'>WORKGROUP</Data>
        <Data Name='SubjectLogonId'>0x3e7</Data>
        <Data Name='Status'>0x1</Data>
        <Data Name='ProcessId'>0x908</Data>
        <Data Name='ProcessName'>C:\opt\splunk\bin\splunk-MonitorNoHandle.exe</Data>
    </EventData>
</Event>

In the above event, v8.1.2 of the add-on extracted process_id as 4 from the tag

<Execution ProcessID='4' ThreadID='1488' />

and parent_process_id as 0x908 from the tag

<Data Name='ProcessId'>0x908</Data>

This has been corrected: with v8.2.0, process_id is extracted as 0x908, and parent_process_id is not extracted because this event does not carry that information.
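The correction described above can be checked outside Splunk. The following Python is an added example and not the add-on's extraction logic: it parses the 4689 event from this page (trimmed to the elements used) and shows the v8.1.2 reading, which took process_id from the System/Execution element, beside the v8.2.0 reading, which takes it from the EventData ProcessId value and sets parent_process_id only for 4688 and 4696. The 4688 event is constructed; for it the example assumes the Windows 4688 schema names NewProcessId (the created process) and ProcessId (the creator), and it assumes the same pair of names for 4696.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Event codes for which v8.2.0 still extracts parent_process_id (from the release note).
PARENT_CODES = {"4688", "4696"}

# The 4689 event shown on this page, trimmed to the elements used here.
EVENT_4689 = """<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <EventID>4689</EventID>
    <Execution ProcessID='4' ThreadID='1488' />
    <Channel>Security</Channel>
  </System>
  <EventData>
    <Data Name='SubjectUserName'>IP-0ACA15D4$</Data>
    <Data Name='Status'>0x1</Data>
    <Data Name='ProcessId'>0x908</Data>
    <Data Name='ProcessName'>C:\\opt\\splunk\\bin\\splunk-MonitorNoHandle.exe</Data>
  </EventData>
</Event>"""

# Constructed 4688 event (not from the page); values are made up, names follow the 4688 schema.
EVENT_4688 = """<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <EventID>4688</EventID>
    <Execution ProcessID='4' ThreadID='1488' />
    <Channel>Security</Channel>
  </System>
  <EventData>
    <Data Name='SubjectUserName'>jdoe</Data>
    <Data Name='NewProcessId'>0x1a2c</Data>
    <Data Name='NewProcessName'>C:\\Windows\\System32\\cmd.exe</Data>
    <Data Name='ProcessId'>0x1f4</Data>
    <Data Name='ParentProcessName'>C:\\Windows\\explorer.exe</Data>
  </EventData>
</Event>"""


def event_data(root):
    """EventData/Data elements as a {Name: text} dict."""
    return {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}


def extract_v812(xml_text):
    """v8.1.2 reading: process_id from System/Execution, parent_process_id from EventData ProcessId."""
    root = ET.fromstring(xml_text)
    fields = {"process_id": root.find("e:System/e:Execution", NS).get("ProcessID")}
    data = event_data(root)
    if "ProcessId" in data:
        fields["parent_process_id"] = data["ProcessId"]
    return fields


def extract_v820(xml_text):
    """v8.2.0 reading: process_id from EventData; parent_process_id only for 4688 and 4696."""
    root = ET.fromstring(xml_text)
    code = root.findtext("e:System/e:EventID", namespaces=NS)
    data = event_data(root)
    fields = {"EventCode": code}
    if code in PARENT_CODES and "NewProcessId" in data:
        fields["process_id"] = data["NewProcessId"]          # the process that was created
        fields["parent_process_id"] = data.get("ProcessId")  # the creator (assumed name for 4696)
    elif "ProcessId" in data:
        fields["process_id"] = data["ProcessId"]             # the process the event is about
    return fields


if __name__ == "__main__":
    print("v8.1.2:", extract_v812(EVENT_4689))
    print("v8.2.0:", extract_v820(EVENT_4689))
    print("v8.2.0:", extract_v820(EVENT_4688))
```

The Execution element's ProcessID is the PID of the process that logged the event (the System process, PID 4, for Security auditing), not the process the event describes; any detection that joined process_id across 4688 and 4689 on v8.1.2 data saw that constant 4 rather than the real PID.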


Bug Fixes

  • Fixed issue with timestamp parsing which was conflicting with MAC address for the sourcetype DhcpSrvLog.
  • Fixed issue with src_port field not extracted for Windows Event ID 5156 XML events.
  • Fixed issue with Error_Code field not extracted due to Splunk field alias behavior change for multiple source types.
  • Fixed issue with SubjectDomainName field not extracted for Windows Event ID 1102 XML events.
  • Fixed issue with src_domain field extraction not working correctly if containing a '-' character for the sourcetype MSAD:NT6:DNS.


Field Mapping Changes

Version 8.2.0 of the Splunk Add-on for Windows introduces field changes to the WinEventLog:Security, XmlWinEventLog:Security, WinEventLog:System and XmlWinEventLog:System sourcetypes. See the following tables for information on the field changes.

The details below cover only the event codes whose mappings have been corrected: 4688, 4689, 4696, 4674, 4673, 1100, 5024, 5025, 5033, 5034, 5478, 7036, 7040, 7045. Apart from these fields, process_id and parent_process_id are affected for all event codes falling under source=XmlWinEventLog:Security.

Source - WinEventLog:Security field mapping changes

Source-type | EventCode | Fields added | Fields removed
['WinEventLog'] | 1100 | added: service, service_name | removed: (none)
['WinEventLog'] | 4689, 4673 | added: process_exec, process_path, process_id | removed: (none)
['WinEventLog'] | 4674 | added: process_exec, process_path | removed: (none)
['WinEventLog'] | 4696 | added: process_path, target_process_name, process_name, process_exec, parent_process_id, process | removed: (none)


Source - XmlWinEventLog:Security field mapping changes

Source-type | EventCode | Fields added | Fields removed
['XmlWinEventLog'] | 1100 | added: service, service_name | removed: process_id
['XmlWinEventLog'] | 4689, 4673, 4674 | added: process_exec, user | removed: parent_process_id
['XmlWinEventLog'] | 4696 | added: process_path, target_process_name, process, process_exec, process_name | removed: (none)
['XmlWinEventLog'] | 4697 | added: user | removed: process_id
['XmlWinEventLog'] | 5033, 5034, 5478, 5024, 5025 | added: (none) | removed: process_id

Source - WinEventLog:System field mapping changes

Source-type | EventCode | Fields added | Fields removed
['WinEventLog'] | 7036 | added: service, service_name, Service_Name, status | removed: (none)
['WinEventLog'] | 7040 | added: service, Service_Name, start_mode, start_type2, service_name | removed: (none)
['WinEventLog'] | 7045 | added: start_mode | removed: (none)

Source - XmlWinEventLog:System field mapping changes

Source-type | EventCode | Fields added | Fields removed
['XmlWinEventLog'] | 7036 | added: service, service_name, ServiceName, status | removed: (none)
['XmlWinEventLog'] | 7040 | added: service, service_name, start_mode, ServiceName | removed: (none)
['XmlWinEventLog'] | 7045 | added: start_mode | removed: (none)


Sample values for modified sourcetypes

The following tables display the field changes for the WinEventLog:Security and XmlWinEventLog:Security sourcetypes.


WinEventLog:Security sourcetype field mapping changes

Field mapping changes for the WinEventLog:Security sourcetype.

EventCode | Field modified | Sample value in 8.1.2 | Sample value in 8.2.0
1100 | status | success | stopped
4673 | process_name | C:\Windows\System32\lsass.exe | lsass.exe
4674 | process_name | C:\Windows\System32\wininit.exe | wininit.exe
4689 | process_name | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | splunk-powershell.exe
4696 | process_id | 0x4 | 0x54
5033, 5024, 5478, 4697 | status | success | started
5034, 5025 | status | success | started


XmlWinEventLog:Security sourcetype field changes

Field mapping changes for the XmlWinEventLog:Security sourcetype.

EventCode | Field modified | Sample value in 8.1.2 | Sample value in 8.2.0
1100 | status | success | stopped
4673 | process_name | C:\Windows\explorer.exe | explorer.exe
4673 | process_id | 4 | 0xa20
4674 | process_name | C:\Windows\System32\wbem\WmiPrvSE.exe | WmiPrvSE.exe
4674 | process_id | 4 | 0x1494
4689 | process_name | C:\opt\splunk\bin\splunk-MonitorNoHandle.exe | splunk-MonitorNoHandle.exe
4689 | process_id | 4 | 0x908
4696 | process_id | 4 | 0x54
5033, 5024, 5478, 4697 | status | success | started
5034, 5025 | status | success | started

The values of the tag and eventtype fields are also affected for the sources and event codes listed in the Features section above; those changes are not shown in the tables.

Fixed Issues

Version 8.2.0 of the Splunk Add-on for Windows fixes the following issues:

Known Issues

Version 8.2.0 of the Splunk Add-on for Windows contains the following known issues. If no issues appear below, no issues have yet been reported:

 


Version 8.1.2

Version 8.1.2 of the Splunk Add-on for Windows was released on April 18, 2021. 

The Splunk Add-on for Windows 5.0.0 introduced breaking changes. If you are upgrading from a version of the Splunk Add-on for Windows that is earlier than 5.0.0, you must follow the steps outlined in Upgrade the Splunk Add-on for Windows. Failure to do so can result in data loss.

 

The Splunk Add-on for Windows DNS version 1.0.1 and the Splunk Add-on for Windows Active Directory version 1.0.0 are not supported when installed alongside the Splunk Add-on for Windows versions 6.0.0 and above. The Splunk Add-on for Windows versions 6.0.0 and above includes the Splunk Add-on for Windows DNS and the Splunk Add-on for Microsoft Active Directory.

Compatibility

Version 8.1.2 of the Splunk Add-on for Windows is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 7.3.x, 8.0.x, 8.1.x
CIM 4.15 and later
Platform Windows
Vendor Products Windows 2019, Windows 8.1, Windows 10, Windows Server 2012/2012 R2, Windows Server 2016, Microsoft Active Directory, Microsoft Windows DNS Server

New or changed features

Version 8.1.2 of the Splunk Add-on for Windows has the following new or changed features:

  • Updated Common Information Model (CIM) field mapping for Windows Event ID 4688
  • Fixed the version value in app.conf

The latest version of the Splunk Add-on for Microsoft Windows introduced Common Information Model (CIM) and field mapping changes to its sourcetypes. See the Common Information Model and Field Mapping Changes for the Splunk Add-on for Microsoft Windows topic in the Reference chapter in this manual for information on changes to the mapping of this information.

Field Changes

Version 8.1.2 of the Splunk Add-on for Windows introduces field changes to the WinEventLog:Security and XmlWinEventLog:Security sourcetypes. See the following table for information on the field changes:

Sourcetype | EventCode | Fields added | Fields removed | Fields modified
WinEventLog:Security | 4688 | new_process_name, parent_process_id, parent_process_path, process_command_line_arguments, process_command_line_process, process_exec, process_path | N/A | action, process, process_name, user
XmlWinEventLog:Security | 4688 | Process_Command_Line, new_process, new_process_id, new_process_name, parent_process_id, parent_process_path, process_command_line_arguments, process_command_line_process, process_exec, process_path | N/A | action, process, process_id, process_name, user


Sample values for modified sourcetypes

The following tables display the field changes for the WinEventLog:Security and XmlWinEventLog:Security sourcetypes.


WinEventLog:Security sourcetype field changes

Field changes for the WinEventLog:Security sourcetype.

Field modified | Sample Value for Modified fields in 8.1.1 | Sample Value for Modified fields in 8.1.2
action | success | allowed
process | splunk-powershell.exe --ps2 | C:\opt\splunk\bin\splunk-powershell.exe --ps2
process_name | C:\opt\splunk\bin\splunk-optimize.exe | splunk-optimize.exe
user | - | WIN-7K2KTN5JGVD$

XmlWinEventLog:Security sourcetype field changes

Field changes for the XmlWinEventLog:Security sourcetype.


Field modified | Sample Value for Modified fields in 8.1.1 | Sample Value for Modified fields in 8.1.2
action | success | allowed
process | splunk-powershell.exe --ps2 | C:\opt\splunk\bin\splunk-powershell.exe --ps2
process_id | - | 0x15b8
process_name | C:\opt\splunk\bin\splunk-optimize.exe | splunk-optimize.exe
user | - | WIN-7K2KTN5JGVD$
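As an added illustration (our own Python, not the add-on's transforms), the following derives the 4688 fields under the 8.1.1 and 8.1.2 mappings from a constructed event and lists which fields a saved search or correlation rule written for 8.1.1 must be reviewed for; the same basename normalization of process_name appears in the 8.2.0 XmlWinEventLog:Security table above. The 8.1.2 derivation rules (basename for process_name, full path plus arguments for process, Account Name for user) are inferred from the sample values and are assumptions.

```python
import ntpath

# Constructed WinEventLog:Security 4688 event text (not a real capture); values mirror the samples above.
SAMPLE_4688 = """EventCode=4688
Message=A new process has been created.
Subject:
    Account Name:         WIN-7K2KTN5JGVD$
Process Information:
    New Process ID:       0x15b8
    New Process Name:     C:\\opt\\splunk\\bin\\splunk-powershell.exe
    Creator Process ID:   0x908
    Creator Process Name: C:\\opt\\splunk\\bin\\splunkd.exe
    Process Command Line: splunk-powershell.exe --ps2
"""


def parse_kv(event):
    """Collect the 'Label: value' lines of the event text into a dict."""
    kv = {}
    for line in event.splitlines():
        if ":" in line:
            label, _, value = line.partition(":")  # split at the label colon only
            kv[label.strip()] = value.strip()
    return kv


def map_4688(event, version="8.1.2"):
    """Derive the 4688 fields the tables list as modified. The 8.1.1 branch
    reproduces the older sample values; the 8.1.2 branch is our reading of the
    new samples (assumption), not the add-on's own transforms."""
    kv = parse_kv(event)
    path, cmdline = kv["New Process Name"], kv["Process Command Line"]
    if version == "8.1.1":
        return {"action": "success", "process": cmdline,
                "process_name": path, "user": "-"}
    args = cmdline.partition(" ")[2]  # everything after the executable token
    return {
        "action": "allowed",
        "process": (path + " " + args).strip(),
        "process_name": ntpath.basename(path),
        "process_id": kv["New Process ID"],
        "parent_process_id": kv["Creator Process ID"],
        "parent_process_path": kv["Creator Process Name"],
        "user": kv["Account Name"],
    }


def fields_changed(event):
    """Fields whose value differs between the two mappings: review searches that depend on them."""
    old, new = map_4688(event, "8.1.1"), map_4688(event, "8.1.2")
    return sorted(k for k in old if old[k] != new[k])
```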

Fixed Issues

Version 8.1.2 of the Splunk Add-on for Windows fixes the following issues:


Date resolved Issue number Description
2021-04-12 ADDON-33024 Version 8.1.1 of the Splunk Add-on for Windows has a bad version value in app.conf
2021-03-23 ADDON-34637 Fix Common Information Model (CIM) field mapping for Windows Event ID 4688

Known Issues

Version 8.1.2 of the Splunk Add-on for Windows contains the following known issues. If no issues appear below, no issues have yet been reported:


Date filed Issue number Description
2021-08-23 ADDON-40890 'KV_for_Domain' transforms regex in "Splunk Add-on for Microsoft Windows" is incorrect
2021-08-16 ADDON-40674 SubjectDomainName is not extracted from windows events
2021-03-04 ADDON-34640 Windows TA: eventtype endpoint_services_processes is too broad.
Last modified on 22 April, 2024
This documentation applies to the following versions of Splunk® Supported Add-ons: released