Splunk® Supported Add-ons

Splunk Add-on for Microsoft Windows


Release notes for the Splunk Add-on for Windows

Version 8.2.0 of the Splunk Add-on for Windows was released on October 8, 2021.

The Splunk Add-on for Windows 5.0.0 introduced breaking changes. If you are upgrading from a version of the Splunk Add-on for Windows that is lower than 5.0.0, you must follow the steps outlined in Upgrade the Splunk Add-on for Windows. Failure to do so can result in data loss.

The Splunk Add-on for Windows DNS version 1.0.1 and the Splunk Add-on for Windows Active Directory version 1.0.0 are not supported when installed alongside the Splunk Add-on for Windows version 6.0.0 or higher, because versions 6.0.0 and higher of the Splunk Add-on for Windows already include the Splunk Add-on for Windows DNS and the Splunk Add-on for Microsoft Active Directory.


Compatibility

Version 8.2.0 of the Splunk Add-on for Windows is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 8.0.x, 8.1.x, 8.2.x
CIM 4.15 and later
Platform Windows
Vendor Products Windows Server 2019, Windows 8.1, Windows 10, Windows Server 2012/2012 R2, Windows Server 2016, Microsoft Active Directory, Microsoft Windows DNS Server

New or changed features

Version 8.2.0 of the Splunk Add-on for Windows has the following new or changed features:

Features

  • Introduced a new event type windows_endpoint_processes (tags: "report" and "process"), which applies only to these Windows Event Codes:
    • 4688
    • 4689
    • 4696
    • 4674
    • 4673

These fall under source="WinEventLog:Security" OR source="XmlWinEventLog:Security" and are therefore mapped to the Endpoint:Processes CIM data model.

  • Introduced a new event type windows_endpoint_services (tags: "report" and "service"), which applies only to these Windows Event Codes:
    • 1100
    • 5024
    • 5025
    • 5030
    • 5033
    • 5034
    • 5035
    • 5478
    • 7036
    • 7040
    • 7045

These fall under source="WinEventLog:Security" OR source="XmlWinEventLog:Security" OR source="WinEventLog:System" OR source="XmlWinEventLog:System" and are therefore mapped to the Endpoint:Services CIM data model.

  • Updated Common Information Model (CIM) field mapping for these Windows Event Codes:
    • 4688
    • 4689
    • 4696
    • 4674
    • 4673
    • 1100
    • 5024
    • 5025
    • 5033
    • 5034
    • 5478
    • 7036
    • 7040
    • 7045

These fall under source="WinEventLog:Security" OR source="XmlWinEventLog:Security" OR source="WinEventLog:System" OR source="XmlWinEventLog:System".

  • Removed tags ("report", "service", "process") from the event type endpoint_services_processes.

Previously, all events with source="WMI:WinEventLog:Security" OR sourcetype="WinEventLog" OR sourcetype="XmlWinEventLog" were mapped to both the Endpoint:Processes and Endpoint:Services CIM data models. That broad mapping has been removed; only the specific event codes listed in the points above are mapped now.
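To make the event-type and tag changes above concrete, here is an illustrative eventtypes.conf and tags.conf reconstruction written for these notes. It is an added example, not the add-on's shipped configuration: the stanza names, event codes and sources are those listed on this page, while the exact search syntax and the use of "disabled" (rather than deleting the tag lines) for the old endpoint_services_processes event type are this example's own choices.

```ini
# eventtypes.conf (illustrative reconstruction, not the add-on's own file)
[windows_endpoint_processes]
search = (source="WinEventLog:Security" OR source="XmlWinEventLog:Security") EventCode IN (4688, 4689, 4696, 4674, 4673)

[windows_endpoint_services]
search = (source="WinEventLog:Security" OR source="XmlWinEventLog:Security" OR source="WinEventLog:System" OR source="XmlWinEventLog:System") EventCode IN (1100, 5024, 5025, 5030, 5033, 5034, 5035, 5478, 7036, 7040, 7045)

# tags.conf
# "report" plus "process" feeds Endpoint:Processes; "report" plus "service"
# feeds Endpoint:Services.
[eventtype=windows_endpoint_processes]
report = enabled
process = enabled

[eventtype=windows_endpoint_services]
report = enabled
service = enabled

# The older, overly broad event type no longer carries the tags that mapped
# it into both data models (shown here as explicit disables; assumption).
[eventtype=endpoint_services_processes]
report = disabled
service = disabled
process = disabled
```

After an upgrade, a quick sanity check is a search such as `eventtype=windows_endpoint_processes | stats count by EventCode`: only the five listed codes should appear, and the same check against `eventtype=windows_endpoint_services` should return only the eleven service-related codes.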

  • Minor regex optimizations.
  • Updated extraction of the process_id field for all events falling under source=XmlWinEventLog:Security. The field is now extracted only for event codes where the relevant information is present.
  • Updated extraction of the parent_process_id field for all events falling under source=XmlWinEventLog:Security. It is now extracted for only two Event Codes: 4688 and 4696.

See the example below:

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
    <System>
        <Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}' />
        <EventID>4689</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>13313</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8020000000000000</Keywords>
        <TimeCreated SystemTime='2021-07-26T08:13:24.962474100Z' />
        <EventRecordID>55551</EventRecordID>
        <Correlation />
        <Execution ProcessID='4' ThreadID='1488' />
        <Channel>Security</Channel>
        <Computer>IP-0ACA15D4</Computer>
        <Security />
    </System>
    <EventData>
        <Data Name='SubjectUserSid'>NT AUTHORITY\SYSTEM</Data>
        <Data Name='SubjectUserName'>IP-0ACA15D4$</Data>
        <Data Name='SubjectDomainName'>WORKGROUP</Data>
        <Data Name='SubjectLogonId'>0x3e7</Data>
        <Data Name='Status'>0x1</Data>
        <Data Name='ProcessId'>0x908</Data>
        <Data Name='ProcessName'>C:\opt\splunk\bin\splunk-MonitorNoHandle.exe</Data>
    </EventData>
</Event>

In the above event, v8.1.2 of the Add-on extracted process_id as 4 from the tag

<Execution ProcessID='4' ThreadID='1488' />

and parent_process_id as 0x908 from the tag

<Data Name='ProcessId'>0x908</Data>

This has been corrected: with v8.2.0, process_id is extracted as 0x908 and parent_process_id is not extracted, because this event does not carry that information.
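The following Python script is an added example for these notes (not code from the Splunk Add-on for Windows) that reproduces the two extraction behaviours described above over the sample event: the pre-8.2.0 logic that read process_id from the Execution ProcessID attribute, and the 8.2.0 logic that reads it from EventData and emits parent_process_id only for 4688 and 4696. The 4688 and 1100 events are constructed for the example, and the choice of which EventData field becomes process_id versus parent_process_id for 4688 and 4696 is this example's assumption, not a statement about the add-on.

```python
"""Illustrative process_id / parent_process_id extraction for XML Windows
Security events, following the v8.2.0 rules described in these release
notes. Added example; not code from the Splunk Add-on for Windows."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Per the notes, only these event codes get a parent_process_id in 8.2.0.
PARENT_PID_CODES = {"4688", "4696"}

# Sample 4689 event, abridged from the one shown on this page.
SAMPLE_4689 = r"""<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <Provider Name='Microsoft-Windows-Security-Auditing' />
    <EventID>4689</EventID>
    <Execution ProcessID='4' ThreadID='1488' />
    <Channel>Security</Channel>
  </System>
  <EventData>
    <Data Name='SubjectUserSid'>NT AUTHORITY\SYSTEM</Data>
    <Data Name='Status'>0x1</Data>
    <Data Name='ProcessId'>0x908</Data>
    <Data Name='ProcessName'>C:\opt\splunk\bin\splunk-MonitorNoHandle.exe</Data>
  </EventData>
</Event>"""

# Constructed 4688 event (process creation). In the Windows schema,
# ProcessId is the creator and NewProcessId the newly created process.
SAMPLE_4688 = r"""<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <EventID>4688</EventID>
    <Execution ProcessID='4' ThreadID='1488' />
  </System>
  <EventData>
    <Data Name='ProcessId'>0x908</Data>
    <Data Name='NewProcessId'>0x1a2c</Data>
    <Data Name='NewProcessName'>C:\Windows\System32\cmd.exe</Data>
  </EventData>
</Event>"""

# Constructed 1100 event (event logging service shut down): no process data.
SAMPLE_1100 = r"""<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System><EventID>1100</EventID><Execution ProcessID='4' ThreadID='8' /></System>
  <UserData />
</Event>"""


def parse_event(xml_text):
    """Return (event_code, Execution ProcessID attribute, {Data Name: value})."""
    root = ET.fromstring(xml_text)
    code = root.findtext("e:System/e:EventID", namespaces=NS)
    execution = root.find("e:System/e:Execution", NS)
    exec_pid = execution.get("ProcessID") if execution is not None else None
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", NS)}
    return code, exec_pid, data


def extract_v812(xml_text):
    """Pre-8.2.0 behaviour as the notes describe it: process_id taken from
    the <Execution ProcessID=...> attribute (the logging service's own pid)
    and parent_process_id from EventData ProcessId, for every event."""
    _, exec_pid, data = parse_event(xml_text)
    return {"process_id": exec_pid, "parent_process_id": data.get("ProcessId")}


def extract_v820(xml_text):
    """8.2.0 behaviour: ids come only from EventData, and parent_process_id
    is emitted only for 4688/4696. Which EventData field plays which role
    for those two codes is an assumption of this example."""
    code, _, data = parse_event(xml_text)
    if code == "4688":
        # Creator is the parent; the newly created process is the subject.
        return {"process_id": data.get("NewProcessId"),
                "parent_process_id": data.get("ProcessId")}
    if code == "4696":
        # Assumed: the process receiving the token is the subject and the
        # assigning process is its parent.
        return {"process_id": data.get("TargetProcessId"),
                "parent_process_id": data.get("ProcessId")}
    # Every other code: process_id only if EventData carries it, no parent.
    return {"process_id": data.get("ProcessId"), "parent_process_id": None}


if __name__ == "__main__":
    for name, ev in (("4689", SAMPLE_4689), ("4688", SAMPLE_4688), ("1100", SAMPLE_1100)):
        print(name, "v8.1.2:", extract_v812(ev), "v8.2.0:", extract_v820(ev))
```

Running the script shows the regression the notes describe: for the 4689 sample, the old logic reports process_id "4" (the Execution attribute) and a spurious parent_process_id "0x908", while the 8.2.0 logic reports process_id "0x908" and no parent_process_id; for the 1100 event the old logic still emits "4", whereas the new logic emits nothing.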

Field Mapping Changes

Version 8.2.0 of the Splunk Add-on for Windows introduces field changes to the WinEventLog:Security, XmlWinEventLog:Security, WinEventLog:System and XmlWinEventLog:System sourcetypes. See the following tables for information on the field changes.

The details below cover only those event codes for which the mapping has been corrected: 4688, 4689, 4696, 4674, 4673, 1100, 5024, 5025, 5033, 5034, 5478, 7036, 7040, 7045. Apart from these fields, process_id and parent_process_id are affected for all event codes falling under source=XmlWinEventLog:Security.

Source - WinEventLog:Security field mapping changes

Sourcetype     | EventCode  | Fields added / fields removed
WinEventLog    | 1100       | service, service_name
WinEventLog    | 4689, 4673 | process_exec, process_path, process_id
WinEventLog    | 4674       | process_exec, process_path
WinEventLog    | 4696       | process_path, target_process_name, process_name, process_exec, parent_process_id, process


Source - XmlWinEventLog:Security field mapping changes

Sourcetype     | EventCode                    | Fields added                                                          | Fields removed
XmlWinEventLog | 1100                         | service, service_name                                                 | process_id
XmlWinEventLog | 4689, 4673, 4674             | process_exec, user                                                    | parent_process_id
XmlWinEventLog | 4696                         | process_path, target_process_name, process, process_exec, process_name |
XmlWinEventLog | 4697                         | user                                                                  | process_id
XmlWinEventLog | 5033, 5034, 5478, 5024, 5025 |                                                                       | process_id

Source - WinEventLog:System field mapping changes

Sourcetype     | EventCode | Fields added / fields removed
WinEventLog    | 7036      | service, service_name, Service_Name, status
WinEventLog    | 7040      | service, Service_Name, start_mode, start_type2, service_name
WinEventLog    | 7045      | start_mode

Source - XmlWinEventLog:System field mapping changes

Sourcetype     | EventCode | Fields added / fields removed
XmlWinEventLog | 7036      | service, service_name, ServiceName, status
XmlWinEventLog | 7040      | service, service_name, start_mode, ServiceName
XmlWinEventLog | 7045      | start_mode


Sample values for modified sourcetypes

The following tables display the field changes for the WinEventLog:Security and XmlWinEventLog:Security sourcetypes.


WinEventLog:Security sourcetype field mapping changes

Field mapping changes for the WinEventLog:Security sourcetype.

EventCode              | Field modified | Sample value in 8.1.2                                                | Sample value in 8.2.0
1100                   | status         | success                                                              | stopped
4673                   | process_name   | C:\Windows\System32\lsass.exe                                        | lsass.exe
4674                   | process_name   | C:\Windows\System32\wininit.exe                                      | wininit.exe
4689                   | process_name   | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe  | splunk-powershell.exe
4696                   | process_id     | 0x4                                                                  | 0x54
5033, 5024, 5478, 4697 | status         | success                                                              | started
5034, 5025             | status         | success                                                              | started


XmlWinEventLog:Security sourcetype field changes

Field mapping changes for the XmlWinEventLog:Security sourcetype.

EventCode              | Field modified | Sample value in 8.1.2                        | Sample value in 8.2.0
1100                   | status         | success                                      | stopped
4673                   | process_name   | C:\Windows\explorer.exe                      | explorer.exe
4673                   | process_id     | 4                                            | 0xa20
4674                   | process_name   | C:\Windows\System32\wbem\WmiPrvSE.exe        | WmiPrvSE.exe
4674                   | process_id     | 4                                            | 0x1494
4689                   | process_name   | C:\opt\splunk\bin\splunk-MonitorNoHandle.exe | splunk-MonitorNoHandle.exe
4689                   | process_id     | 4                                            | 0x908
4696                   | process_id     | 4                                            | 0x54
5033, 5024, 5478, 4697 | status         | success                                      | started
5034, 5025             | status         | success                                      | started

The values of the tag and eventtype fields are also affected for the sources and event codes described in the features section above; those changes are not shown explicitly in the tables.


Bug Fixes

  • Fixed issue with timestamp parsing which was conflicting with MAC address for the sourcetype DhcpSrvLog.
  • Fixed issue with src_port field not extracted for Windows Event ID 5156 XML events.
  • Fixed issue with Error_Code field not extracted due to Splunk field alias behavior change for multiple source types.
  • Fixed issue with SubjectDomainName field not extracted for Windows Event ID 1102 XML events.
  • Fixed issue with src_domain field extraction not working correctly if containing a '-' character for the sourcetype MSAD:NT6:DNS.

Fixed Issues

Version 8.2.0 of the Splunk Add-on for Windows fixes the following issues:


Date resolved | Issue number | Description
2021-09-23    | ADDON-34640  | Windows TA: eventtype endpoint_services_processes is too broad.
2021-09-01    | ADDON-40674  | SubjectDomainName is not extracted from windows events
2021-08-31    | ADDON-40890  | 'KV_for_Domain' transforms regex in "Splunk Add-on for Microsoft Windows" is incorrect

Known Issues

Version 8.2.0 of the Splunk Add-on for Windows contains the following known issues. If no issues appear below, no issues have yet been reported.

Last modified on 13 October, 2021