Splunk® Supported Add-ons

Splunk Add-on for Microsoft Windows


Release notes for the Splunk Add-on for Windows

Version 8.5.0 of the Splunk Add-on for Windows was released on April 21, 2022.

The Splunk Add-on for Windows DNS version 1.0.1 and the Splunk Add-on for Windows Active Directory version 1.0.0 are not supported when installed alongside the Splunk Add-on for Windows version 6.0.0 or higher, because Splunk Add-on for Windows versions 6.0.0 and higher already include the Splunk Add-on for Windows DNS and the Splunk Add-on for Microsoft Active Directory.


Compatibility

Version 8.5.0 of the Splunk Add-on for Windows is compatible with the following software, CIM versions, and platforms:

Splunk platform versions: 8.1.x, 8.2.x
CIM: 4.15 and later
Platform: Windows
Vendor products: Windows Server 2022, Windows 11, Windows Server 2019, Windows 8.1, Windows 10, Windows Server 2012/2012 R2, Windows Server 2016, Microsoft Active Directory, Microsoft Windows DNS Server

New or changed features

Version 8.5.0 of the Splunk Add-on for Windows has the following new or changed features:

  • CIM enhancements for these Event Codes: 104, 1102, 4624, 4625, 4634, 4698, 4700, 4701, 4702, 4719, 4720, 4732, 4740, 4800, 4801 (for the resulting field extraction changes, see the Field Changes section below)

  • Removed the incorrect Endpoint:Filesystem CIM tags from the wineventlog_windows event type.
  • Removed the fs_notification event type and fs_notification source type extractions as Splunk no longer supports this source type.


Fixes

  • Fixed the user field extraction issue for Event Codes 4728, 4729, 4732 when the distinguished name (DN) contains "Lastname, Firstname".

Notes:

  • If the Member:Security_ID value uses the enriched "DOMAIN\UserName" format, the user field is extracted as UserName.
  • If the Member:Security_ID value uses the traditional Windows SID format (S-1234-etc), the user field is extracted from the first RDN of the Member:Account Name string, which is logged as an LDAP distinguished name.
  • If the Member:Security_ID value uses the traditional Windows SID format and the first RDN of Member:Account Name has the form CN=Lastname\, Firstname, OU=Users, DC=CONTOSO, DC=com, that RDN is in the "Lastname, Firstname" format, and the user field is not extracted.
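The three extraction cases in the notes above, modelled as an added Python example; this is not the add-on's own props/transforms logic, and the sample events, the SID and DOMAIN\UserName patterns, and the function names are constructed here for illustration.

```python
import re

# Constructed sample events (not from the add-on) covering the three
# Member:Security_ID / Member:Account Name cases in the release notes.
SAMPLE_EVENTS = [
    {"Member:Security_ID": "CONTOSO\\jdoe",
     "Member:Account Name": "CN=John Doe,OU=Users,DC=CONTOSO,DC=com"},
    {"Member:Security_ID": "S-1-5-21-1111-2222-3333-1105",
     "Member:Account Name": "CN=jdoe,OU=Users,DC=CONTOSO,DC=com"},
    {"Member:Security_ID": "S-1-5-21-1111-2222-3333-1105",
     "Member:Account Name": "CN=Doe\\, John,OU=Users,DC=CONTOSO,DC=com"},
]

# Approximations (assumed here) of the two Security_ID forms the notes mention.
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")            # traditional Windows SID
DOMAIN_USER_RE = re.compile(r"^[^\\]+\\([^\\]+)$")   # enriched DOMAIN\UserName

def split_rdns(dn):
    """Split an LDAP DN on unescaped commas; an escaped '\\,' inside a value stays literal."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep the escape pair together
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    rdns.append("".join(buf).strip())
    return rdns

def extract_user(event):
    """Return the user value as the release notes describe it, or None if it is not extracted."""
    sid = event.get("Member:Security_ID", "")
    m = DOMAIN_USER_RE.match(sid)
    if m:                                  # case 1: enriched DOMAIN\UserName
        return m.group(1)
    if SID_RE.match(sid):                  # cases 2 and 3: look at the DN's first RDN
        first = split_rdns(event.get("Member:Account Name", ""))[0]
        value = first.split("=", 1)[1] if "=" in first else first
        if "\\," in value:                 # case 3: "Lastname\, Firstname" is not extracted
            return None
        return value
    return None
```

Because case 3 leaves user empty, detections for these group-membership events that key on user should fall back to the raw Member:Account Name value rather than silently dropping the event.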


Field Changes

Source - WinEventLog:System field mapping changes

Source type | EventCode | Fields added | Fields removed
WinEventLog | 104 | object, user_name, object_category, action, result, status, change_type | none

Source - XmlWinEventLog:System field mapping changes

Source type | EventCode | Fields added | Fields removed
WinEventLog | 104 | user, object, user_name, object_category, user_data_channel, action, result, status, change_type | none

Source - WinEventLog:Security field mapping changes

Source type | EventCode | Fields added | Fields removed
WinEventLog | 1102 | result, object, user_name | none
WinEventLog | 4624 | authentication_method | none
WinEventLog | 4625 | authentication_method | none
WinEventLog | 4634 | object_id, change_type, object, user_name, object_category, object_attrs, result, src_user, src_user_name | none
WinEventLog | 4698 | object, user_name, TaskContent, object_category, object_attrs, result, change_type | none
WinEventLog | 4700 | object, user_name, TaskContent, object_category, object_attrs, result, change_type | none
WinEventLog | 4701 | object, user_name, TaskContent, object_category, object_attrs, result, change_type | none
WinEventLog | 4702 | object, user_name, TaskNewContent, object_category, object_attrs, result, change_type | none
WinEventLog | 4719 | result, object, user_name | none
WinEventLog | 4720 | src_user_name, object_id, object, user_name, object_attrs, New_Account_Account_Name, New_Account_Domain, New_Account_Security_ID | none
WinEventLog | 4732 | src_user_name, object_id, Member_Security_ID, object, user_name, Member_Account_Name | none
WinEventLog | 4740 | src_user_name, object_id, Account_Locked_Out_Security_ID, Account_Locked_Out_Name, object, user_name, object_attrs | none
WinEventLog | 4800 | change_type, object, user_name, object_category, object_attrs, result, src_user, src_user_name | none
WinEventLog | 4801 | change_type, object, user_name, object_category, object_attrs, result, src_user, src_user_name | none

Source - XmlWinEventLog:Security field mapping changes

Source type | EventCode | Fields added | Fields removed
XmlWinEventLog | 1102 | result, object, user, user_name | none
XmlWinEventLog | 4624 | authentication_method | none
XmlWinEventLog | 4625 | authentication_method | none
XmlWinEventLog | 4634 | object_id, change_type, object, user_name, object_category, object_attrs, result, src_user, src_user_name, src_nt_domain | none
XmlWinEventLog | 4698 | user, object, user_name, object_category, object_attrs, result, change_type | none
XmlWinEventLog | 4700 | user, object, user_name, object_category, object_attrs, result, change_type | none
XmlWinEventLog | 4701 | user, object, user_name, object_category, object_attrs, result, change_type | none
XmlWinEventLog | 4702 | user, object, user_name, object_category, object_attrs, result, change_type | none
XmlWinEventLog | 4719 | result, object, user, user_name | none
XmlWinEventLog | 4720 | src_user_name, object_id, object, user_name, object_attrs | none
XmlWinEventLog | 4732 | src_user_name, object_id, object, user_name, object_attrs | none
XmlWinEventLog | 4740 | src_user_name, object, user_name, object_attrs | none
XmlWinEventLog | 4800 | change_type, object, user_name, object_category, object_attrs, result, src_user, src_user_name, src_nt_domain | none
XmlWinEventLog | 4801 | change_type, object, user_name, object_category, object_attrs, result, src_user, src_user_name, src_nt_domain | none

Fixed Issues

Version 8.5.0 of the Splunk Add-on for Windows fixes the following issues:


Known Issues

Version 8.5.0 of the Splunk Add-on for Windows contains the following known issues. If no issues appear below, no issues have yet been reported:

Last modified on 26 April, 2022