Splunk® Enterprise Security

Administer Splunk Enterprise Security

The documentation for Splunk Enterprise Security versions 8.0 and higher has been rearchitected from previous versions, so some links may produce redirect errors. For documentation on version 8.0, see the Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Supported data sources in behavioral analytics service

Behavioral analytics service uses data sources to generate anomalies.

The following table identifies the source types supported by universal forwarders:

| Data source | Sourcetype for universal forwarder |
| --- | --- |
| Windows security logs | XmlWinEventLog:Security |
See Windows event IDs supported in behavioral analytics service.

Windows event IDs supported in Splunk Behavioral Analytics

The following table summarizes the Microsoft Windows event IDs used by behavioral analytics service. For instructions on logging Microsoft Windows events correctly, see Configure Windows event logging to ensure the proper events are logged.

| Event ID | Description | Supported for XmlWinEventLog |
| --- | --- | --- |
| 4103 | Windows license activation failed | Yes |
| 4104 | PowerShell script block logging | Yes |
| 4624 | An account was successfully logged on | Yes |
| 4625 | An account failed to log on | Yes |
| 4648 | A log on was attempted using explicit credentials | Yes |
| 4661 | A handle to an object was requested | Yes |
| 4662 | An operation was performed on an object | Yes |
| 4663 | An attempt was made to access an object | Yes |
| 4672 | Special privileges assigned to new logon | No |
| 4673 | A privileged service was called | Yes |
| 4688 | A new process has been created | Yes |
| 4689 | A process has exited | Yes |
| 4768 | A Kerberos authentication ticket (TGT) was requested | Yes |
| 4769 | A Kerberos service ticket was requested | Yes |
| 4771 | Kerberos pre-authentication failed | Yes |
| 4776 | The domain controller attempted to validate the credentials for an account | No |
| 5140 | A network share object was accessed | Yes |
| 5145 | A network share object was checked to see whether client can be granted desired access | Yes |

Data source sample events and fields mappings

Behavioral analytics service extracts the values of specific fields from each data source and maps them to the field names its models use. Expand each Fields and Mapping section to see how the fields in raw events are mapped. The tables in each Fields and Mapping section contain the following information:

| Table column | Description |
| --- | --- |
| Raw event field name | The original name of the field in the raw event. |
| Behavioral analytics service token name | What the field in the raw event is mapped to in behavioral analytics service. For example, the raw event may contain a field named threatURL, but the models in behavioral analytics service require a field named threat_url. |
| Behavioral analytics service entity/field type | The field used to enrich entities with assets and identities data. For example, a local_ip field in the raw event marked as dest_user/DNS in the table defines the database table used to perform the lookup, so DNS addresses are searched when performing the lookup instead of IP tables. |
| Behavioral analytics service data model | Data models in behavioral analytics service normalize data into specific categories like Authorization or Endpoint. The detections in the system run queries against this normalized data instead of running vendor-specific queries. |

XmlWinEventLog logs

Sample Event

Sample XmlWinEventLog events

4689

<?xml version="1.0" encoding="UTF-8"?>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
   <System>
      <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
      <EventID>4689</EventID>
      <Version>0</Version>
      <Level>0</Level>
      <Task>13313</Task>
      <Opcode>0</Opcode>
      <Keywords>0x8020000000000000</Keywords>
      <TimeCreated SystemTime="2015-08-27T17:13:01.826339500Z" />
      <EventRecordID>187030</EventRecordID>
      <Correlation />
      <Execution ProcessID="4" ThreadID="144" />
      <Channel>Security</Channel>
      <Computer>DC01.contoso.local</Computer>
      <Security />
   </System>
   <EventData>
      <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
      <Data Name="SubjectUserName">dadmin</Data>
      <Data Name="SubjectDomainName">CONTOSO</Data>
      <Data Name="SubjectLogonId">0x31365</Data>
      <Data Name="Status">0x0</Data>
      <Data Name="ProcessId">0xfb0</Data>
      <Data Name="ProcessName">C:\Windows\System32\notepad.exe</Data>
   </EventData>
</Event>

5140

<?xml version="1.0" encoding="UTF-8"?>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
   <System>
      <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
      <EventID>4689</EventID>
      <Version>0</Version>
      <Level>0</Level>
      <Task>13313</Task>
      <Opcode>0</Opcode>
      <Keywords>0x8020000000000000</Keywords>
      <TimeCreated SystemTime="2015-08-27T17:13:01.826339500Z" />
      <EventRecordID>187030</EventRecordID>
      <Correlation />
      <Execution ProcessID="4" ThreadID="144" />
      <Channel>Security</Channel>
      <Computer>DC01.contoso.local</Computer>
      <Security />
   </System>
   <EventData>
      <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
      <Data Name="SubjectUserName">dadmin</Data>
      <Data Name="SubjectDomainName">CONTOSO</Data>
      <Data Name="SubjectLogonId">0x31365</Data>
      <Data Name="Status">0x0</Data>
      <Data Name="ProcessId">0xfb0</Data>
      <Data Name="ProcessName">C:\Windows\System32\notepad.exe</Data>
   </EventData>
</Event>

5145

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
   <System>
      <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
      <EventID>5145</EventID>
      <Version>0</Version>
      <Level>0</Level>
      <Task>12811</Task>
      <Opcode>0</Opcode>
      <Keywords>0x8020000000000000</Keywords>
      <TimeCreated SystemTime="2015-09-17T23:54:48.941761700Z" />
      <EventRecordID>267092</EventRecordID>
      <Correlation />
      <Execution ProcessID="516" ThreadID="524" />
      <Channel>Security</Channel>
      <Computer>DC01.contoso.local</Computer>
      <Security />
   </System>
   <EventData>
      <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
      <Data Name="SubjectUserName">dadmin</Data>
      <Data Name="SubjectDomainName">CONTOSO</Data>
      <Data Name="SubjectLogonId">0x38d34</Data>
      <Data Name="ObjectType">File</Data>
      <Data Name="IpAddress">fe80::31ea:6c3c:f40d:1973</Data>
      <Data Name="IpPort">56926</Data>
      <Data Name="ShareName">\\*\Documents</Data>
      <Data Name="ShareLocalPath">\??\C:\Documents</Data>
      <Data Name="RelativeTargetName">Bginfo.exe</Data>
      <Data Name="AccessMask">0x100081</Data>
      <Data Name="AccessList">%%1541 %%4416 %%4423</Data>
      <Data Name="AccessReason">%%1541: %%1801 D:(A;;FA;;;WD) %%4416: %%1801 D:(A;;FA;;;WD) %%4423: %%1801 D:(A;;FA;;;WD)</Data>
   </EventData>
</Event>

Fields and Mapping


4103

| Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
| --- | --- | --- | --- |
| Provider | source_name | | Endpoint_Processes |
| Computer | | dest_device/DNS, endpoint_device/DNS | Endpoint_Processes |
| UserID | | dest_user/WINDOWS_ACCOUNT_NAME, endpoint_user/WINDOWS_ACCOUNT_NAME | Endpoint_Processes |
| Payload | process | | Endpoint_Processes |
| Use constant value of "powershell.exe" | parent_process_name, process_name | | Endpoint_Processes |
| Task | task_category (extended) | | |
| Channel | log_name (extended) | | |
| EventID | signature_id (extended) | | |

4104

| Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
| --- | --- | --- | --- |
| Provider (Name attribute) | source_name | | Endpoint_Processes |
| Computer | | dest_device/DNS, endpoint_device/DNS | Endpoint_Processes |
| Path | process_path (extracted from script path), process_name (extracted from script path) | | Endpoint_Processes |
| Use constant value of "powershell.exe" | parent_process_name | | Endpoint_Processes |
| Task | task_category (extended) | | |
| Channel | log_name (extended) | | |
| EventID | signature_id (extended) | | |

4624

| Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
| --- | --- | --- | --- |
| Keywords | action (calculated field) | | Authentication |
| Static value: "An account was successfully logged on" | signature | | Authentication |
| EventID | signature_id | | Authentication |
| Computer | origin_device_domain | src_device/DNS | Authentication |
| FailureReason | reason | | Authentication |
| SubjectUserName | | src_user/WINDOWS_ACCOUNT_NAME | Authentication |
| TargetUserName | | src_user/WINDOWS_ACCOUNT_NAME | Authentication |
| TargetDomainName | dest_nt_domain | | Authentication |
| AuthenticationPackageName | auth_pkg | | Authentication |
| LogonType | authentication_type, authentication_type_name (calculated field) | | Authentication |
| LoginProcessName | authentication_method | | Authentication |
| ProcessName | app | | Authentication |
| WorkstationName | | src_device/DNS | Authentication |
| ipAddress | | dest_device/IP, src_device/IP | Authentication |
| Keywords | action (calculated field) | | Endpoint_Processes |
| Static value: "Microsoft Windows" | vendor_product, os | | Endpoint_Processes |
| Computer | | dest_device/DNS, endpoint_device/DNS | Endpoint_Processes |
| SubjectUserName | | endpoint_user/WINDOWS_ACCOUNT_NAME | Endpoint_Processes |
| TargetUserName | | endpoint_user/WINDOWS_ACCOUNT_NAME | Endpoint_Processes |
| ProcessId | process_id | | Endpoint_Processes |
| ProcessName | process_name, process_exec, process_current_directory, process_path, process (if ProcessName is empty, the values of process_name and process_exec are extracted from Login Process) | | Endpoint_Processes |
| WorkstationName | | dest_device/DNS, endpoint_device/DNS | Endpoint_Processes |
| ipAddress | | dest_device/IP, endpoint_device/DNS | Endpoint_Processes |
| Task | task_category (extended) | | |
| Provider (name attribute) | source_name (extended) | | |
| Channel | log_name (extended) | | |
| SubjectDomainName | account_domain (extended) | | |

4625

| Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
| --- | --- | --- | --- |
| Keywords | action (calculated field) | | Authentication |
| Static value: "An account failed to log on" | signature | | Authentication |
| EventID | signature_id | | Authentication |
| Computer | origin_device_domain | src_device/DNS | Authentication |
| FailureReason | reason | | Authentication |
| SubjectUserName | | src_user/WINDOWS_ACCOUNT_NAME | Authentication |
| TargetUserName | | src_user/WINDOWS_ACCOUNT_NAME | Authentication |
| TargetDomainName | dest_nt_domain | | Authentication |
| AuthenticationPackageName | auth_pkg | | Authentication |
| LogonType | authentication_type, authentication_type_name (calculated field) | | Authentication |
| LoginProcessName | authentication_method | | Authentication |
| ProcessName | app | | Authentication |
| WorkstationName | | src_device/DNS | Authentication |
| ipAddress | | dest_device/IP, src_device/IP | Authentication |
| Status | event_return_code (calculated field) | | Authentication |
| ActiveDirectory (static value) | authentication_service | | Authentication |
| Keywords | action (calculated field) | | Endpoint_Processes |
| Static value: "Microsoft Windows" | vendor_product, os | | Endpoint_Processes |
| Computer | | dest_device/DNS, endpoint_device/DNS | Endpoint_Processes |
| SubjectUserName | | endpoint_user/WINDOWS_ACCOUNT_NAME | Endpoint_Processes |
| TargetUserName | | endpoint_user/WINDOWS_ACCOUNT_NAME | Endpoint_Processes |
| ProcessId | process_id | | Endpoint_Processes |
| ProcessName | process_name, process_exec, process_current_directory, process_path, process (if ProcessName is empty, the values of process_name and process_exec are extracted from Login Process) | | Endpoint_Processes |
| WorkstationName | | dest_device/DNS, endpoint_device/DNS | Endpoint_Processes |
| ipAddress | | dest_device/IP, endpoint_device/DNS | Endpoint_Processes |
| Task | task_category (extended) | | |
| Provider (name attribute) | source_name (extended) | | |
| Channel | log_name (extended) | | |
| SubjectDomainName | account_domain (extended) | | |

4661

| Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
| --- | --- | --- | --- |
| ObjectName | resource_handle | | Endpoint_ResourceAccess |
| ObjectType | resource_type | | Endpoint_ResourceAccess |
| HandleId | resource_handle_id | | Endpoint_ResourceAccess |
| AccessMask | resource_operation_access_mask | | Endpoint_ResourceAccess |
| PrivilegeList | resource_operation_privileges | | Endpoint_ResourceAccess |
| Properties | resource_operation_properties | | Endpoint_ResourceAccess |
| RestrictedSidCount | resource_operation_restricted_sid_count | | Endpoint_ResourceAccess |
| AccessList | resource_operation_access | | Endpoint_ResourceAccess |
| ProcessId | process_id | | Endpoint_Process |
| ProcessName | process_name, process_path | | Endpoint_Process |
| | event_description (calculated field) | | Endpoint_ResourceAccess |
| Computer | | dest_device/DNS, endpoint_device/DNS | Endpoint_ResourceAccess, Endpoint_Processes |
| SubjectUserName | | dest_user/WINDOWS_ACCOUNT_NAME, endpoint_user/WINDOWS_ACCOUNT_NAME | Endpoint_ResourceAccess, Endpoint_Processes |
| SubjectLogonId | logon_id | | Endpoint_ResourceAccess |
| TransactionId | resource_operation_transaction_id | | Endpoint_ResourceAccess |
| Keywords | event_status | | Endpoint_ResourceAccess |
| Computer | dest_nt_domain (extended) | | Endpoint_ResourceAccess (v2) |
| ObjectName | resource_handle_name (extended) | | Endpoint_ResourceAccess (v2) |
| Task | task_category (extended) | | |
| Provider (name attribute) | source_name (extended) | | |
| Channel | log_name (extended) | | |
| SubjectDomainName | account_domain (extended) | | |
| EventID | signature_id (extended) | | |

4662

| Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
| --- | --- | --- | --- |
| ObjectName | resource_handle | | Endpoint_ResourceAccess |
| ObjectType | resource_type | | Endpoint_ResourceAccess |
| HandleId | resource_handle_id | | Endpoint_ResourceAccess |
| AccessMask | resource_operation_access_mask | | Endpoint_ResourceAccess |
| Properties | resource_operation_properties | | Endpoint_ResourceAccess |
| RestrictedSidCount | resource_operation_restricted_sid_count | | Endpoint_ResourceAccess |
| AccessList | resource_operation_access | | Endpoint_ResourceAccess |
| OperationType | resource_operation_type | | Endpoint_ResourceAccess |
| | event_description (calculated field) | | Endpoint_ResourceAccess |
| Computer | | dest_device/DNS | Endpoint_ResourceAccess, Endpoint_Processes |
| SubjectUserName | | dest_user/WINDOWS_ACCOUNT_NAME | Endpoint_ResourceAccess |
| SubjectLogonId | logon_id | | Endpoint_ResourceAccess |
| Keywords | event_status | | Endpoint_ResourceAccess |
| Computer | dest_nt_domain (extended) | | Endpoint_ResourceAccess (v2) |
| Task | task_category (extended) | | |
| Provider (name attribute) | source_name (extended) | | |
| Channel | log_name (extended) | | |
| SubjectDomainName | account_domain (extended) | | |
| EventID | signature_id (extended) | | |

4663

| Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
| --- | --- | --- | --- |
| ObjectName | resource_handle | | Endpoint_ResourceAccess |
| ObjectType | resource_type | | Endpoint_ResourceAccess |
| HandleId | resource_handle_id | | Endpoint_ResourceAccess |
| AccessList | resource_operation_access | | Endpoint_ResourceAccess |
| AccessMask | resource_operation_access_mask | | Endpoint_ResourceAccess |
| ProcessId | process_id | | Endpoint_Process |
| ProcessName | process_name, process_path | | Endpoint_Process |
| | event_description (calculated field) | | Endpoint_ResourceAccess |
| Computer | | dest_device/DNS, endpoint_device/DNS | Endpoint_ResourceAccess, Endpoint_Processes |
| SubjectUserName | | dest_user/WINDOWS_ACCOUNT_NAME, endpoint_user/WINDOWS_ACCOUNT_NAME | Endpoint_ResourceAccess, Endpoint_Processes |
| SubjectLogonId | logon_id | | Endpoint_ResourceAccess |
| Keywords | event_status | | Endpoint_ResourceAccess |
| Computer | dest_nt_domain (extended) | | Endpoint_ResourceAccess (v2) |
| ObjectName | resource_handle_name (extended) | | Endpoint_ResourceAccess (v2) |
| Task | task_category (extended) | | |
| Provider (name attribute) | source_name (extended) | | |
| Channel | log_name (extended) | | |
| SubjectDomainName | account_domain (extended) | | |
| EventID | signature_id (extended) | | |

4688

| Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
| --- | --- | --- | --- |
| CommandLine | process | | Endpoint_Process |
| Keywords | action (calculated field) | | Endpoint_Processes |
| NewProcessId | process_id | | Endpoint_Processes |
| NewProcessName | process_name, process_exec, process_current_directory, process_path | | Endpoint_Processes |
| Microsoft Windows (static value) | vendor_product, os | | Endpoint_Processes |
| ParentProcessName | parent_process_name | | Endpoint_Processes |
| ProcessId | parent_process_id | | Endpoint_Processes |
| TargetUserName | | dest_user/WINDOWS_ACCOUNT_NAME, endpoint_user/WINDOWS_ACCOUNT_NAME | Endpoint_Processes |
| Computer | | dest_device/DNS, endpoint_device/DNS | Endpoint_Processes |
| Task | task_category (extended) | | |
| Provider (name attribute) | source_name (extended) | | |
| Channel | log_name (extended) | | |
| SubjectDomainName | account_domain (extended) | | |
| EventID | signature_id (extended) | | |

4689

| Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
| --- | --- | --- | --- |
| Keywords | action (calculated field) | | Endpoint_Processes |
| Microsoft Windows (static value) | vendor_product, os | | Endpoint_Processes |
| Computer | | dest_device/DNS | Endpoint_Processes |
| SubjectUserName | | dest_user/WINDOWS_ACCOUNT_NAME (if SubjectUserName does not end with $, then dest_user is populated) | Endpoint_Processes |
| ProcessId | process_id | | Endpoint_Processes |
| ProcessName | process_name, process_exec, process_current_directory, process_path, process | | Endpoint_Processes |
| Task | task_category (extended) | | |
| Provider (name attribute) | source_name (extended) | | |
| Channel | log_name (extended) | | |
| SubjectDomainName | account_domain (extended) | | |
| EventID | signature_id (extended) | | |

4768

| Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
| --- | --- | --- | --- |
| Status | action (if Status is 0x0, then the action is Successful; otherwise, the action is Failed) | | Authentication |
| Use the static value "Kerberos" | authentication_method | | Authentication |
| Use the static value "ActiveDirectory" | authentication_service | | Authentication |
| Use the static value "Network" | authentication_type_name | | Authentication |
| TargetUserName | | dest_user/WINDOWS_ACCOUNT_NAME or dest_device/DNS (if TargetUserName contains a user, then dest_user is populated; if TargetUserName contains a device name, then dest_device is populated) | Authentication |
| Status | reason: if Status = 0x0, then reason is "Success"; if Status = 0x18, 0xc0000064, or 0xc000006e, then reason is "Invalid Password"; if Status = 0x1, 0x2, 0x17, 0xc0000071, or 0xc0000193, then reason is "ExpiredPassword"; if Status = 0x18, 0xc0000064, or 0xc000006e, then reason is "RevokedCredentials" | | Authentication |
| Status | event_return_code | | Authentication |
| Use the static value "A Kerberos authentication ticket (TGT) was requested." | signature | | Authentication |
| EventID | signature_id | | Authentication |
| Use the static value "ActiveDirectory" | app | | Authentication |
| IpPort | dest_port | | Certificates |
| CertThumbprint | ssl_hash | | Certificates |
| CertIssuerName | ssl_issuer | | Certificates |
| CertIssuerName | ssl_issuer_common_name | | Certificates |
| CertSerialNumber | ssl_serial | | Certificates |
| Status | ssl_is_valid: if Status = 0x3E or 0x3F, then ssl_is_valid is "false"; otherwise, ssl_is_valid is "true" | | Certificates |
| TicketEncryptionType | ssl_signature_algorithm: 0x1 is "DES-CBC-CRC"; 0x3 is "DES-CBC-MD5"; 0x11 is "AES128-CTS-HMAC-SHA1-96"; 0x12 is "AES256-CTS-HMAC-SHA1-96"; 0x17 is "RC4-HMAC"; 0x18 is "RC4-HMAC-EXP" | | Certificates |
| Task | task_category (extended) | | |
| Provider (name attribute) | source_name (extended) | | |
| Channel | log_name (extended) | | |
| TargetDomainName | account_domain (extended) | | |

4769

| Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
| --- | --- | --- | --- |
| Keywords | action (if Keywords is 0x8020000000000000, then the action is Successful; otherwise, the action is Failed) | | Authentication |
| Use the static value "Kerberos" | authentication_method | | Authentication |
| Use the static value "ActiveDirectory" | authentication_service | | Authentication |
| Use the static value "Network" | authentication_type_name | | Authentication |
| Computer | origin_device_domain | origin_device/DNS | Authentication |
| Use the static value "A Kerberos service ticket was requested." | signature | | Authentication |
| EventID | signature_id | | Authentication |
| TargetUserName | | dest_user/WINDOWS_ACCOUNT_NAME or dest_device/DNS (if TargetUserName contains a user, then dest_user is populated; if TargetUserName contains a device name, then dest_device is populated) | Authentication |
| TargetDomainName | dest_nt_domain | | Authentication |
| IpAddress | | dest_device/IP | Authentication |
| Status | event_return_code, reason: if Result Code = 0x0, then reason is "Success"; if Result Code = 0x18, 0xc0000064, or 0xc000006e, then reason is "Invalid Password"; if Result Code = 0x1, 0x2, 0x17, 0xc0000071, or 0xc0000193, then reason is "ExpiredPassword"; if Result Code = 0x18, 0xc0000064, or 0xc000006e, then reason is "RevokedCredentials" | | Authentication |
| Use the static value "ActiveDirectory" | app | | Authentication |
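The calculated fields in the 4768 and 4769 tables are rules over Status, Result Code, Keywords and TicketEncryptionType. The following is an added example, not code from the documentation or from Splunk, that transcribes those rules so they can be checked against real values. It assumes that hex codes are compared as integers (so upper- and lower-case hex match), that the first matching reason rule in table order wins where the tables list a code twice, and that a TargetUserName ending in "$" is a device name (the convention the 4689 table uses); the tables themselves do not settle those points.

```python
# Calculated-field rules transcribed from the 4768 and 4769 mapping tables.

# (codes, reason) in the order the tables list them. 0x18, 0xc0000064 and
# 0xc000006e appear under both "Invalid Password" and "RevokedCredentials";
# taking the first match in table order is this example's assumption.
REASON_RULES = (
    ({0x0}, "Success"),
    ({0x18, 0xc0000064, 0xc000006e}, "Invalid Password"),
    ({0x1, 0x2, 0x17, 0xc0000071, 0xc0000193}, "ExpiredPassword"),
    ({0x18, 0xc0000064, 0xc000006e}, "RevokedCredentials"),
)

# TicketEncryptionType -> ssl_signature_algorithm (4768 table).
TICKET_ENCRYPTION = {
    0x1: "DES-CBC-CRC",
    0x3: "DES-CBC-MD5",
    0x11: "AES128-CTS-HMAC-SHA1-96",
    0x12: "AES256-CTS-HMAC-SHA1-96",
    0x17: "RC4-HMAC",
    0x18: "RC4-HMAC-EXP",
}

SUCCESS_KEYWORDS = 0x8020000000000000  # Keywords value the 4769 table treats as Successful

# Static values both tables assign.
KERBEROS_STATICS = {
    "authentication_method": "Kerberos",
    "authentication_service": "ActiveDirectory",
    "authentication_type_name": "Network",
    "app": "ActiveDirectory",
}


def _code(value):
    """Parse a hex string such as '0xC0000064' (or pass an int through)."""
    return value if isinstance(value, int) else int(value, 16)


def action_from_status(status):
    """4768: Status 0x0 is Successful, anything else is Failed."""
    return "Successful" if _code(status) == 0x0 else "Failed"


def action_from_keywords(keywords):
    """4769: Keywords 0x8020000000000000 is Successful, anything else is Failed."""
    return "Successful" if _code(keywords) == SUCCESS_KEYWORDS else "Failed"


def reason(status):
    """Status / Result Code -> reason; None when no rule matches (no default is given)."""
    code = _code(status)
    for codes, name in REASON_RULES:
        if code in codes:
            return name
    return None


def ssl_is_valid(status):
    return "false" if _code(status) in (0x3E, 0x3F) else "true"


def ssl_signature_algorithm(ticket_encryption_type):
    return TICKET_ENCRYPTION.get(_code(ticket_encryption_type))  # None if unlisted


def target_entity(target_user_name):
    """dest_user or dest_device from TargetUserName; trailing '$' = device (assumption)."""
    key = "dest_device" if target_user_name.endswith("$") else "dest_user"
    return {key: target_user_name}


def derive_4768(raw):
    """raw: {raw field name: value} for one 4768 event."""
    out = dict(KERBEROS_STATICS)
    out["signature"] = "A Kerberos authentication ticket (TGT) was requested."
    out["action"] = action_from_status(raw["Status"])
    out["event_return_code"] = raw["Status"]
    if reason(raw["Status"]) is not None:
        out["reason"] = reason(raw["Status"])
    out["ssl_is_valid"] = ssl_is_valid(raw["Status"])
    if "TicketEncryptionType" in raw and ssl_signature_algorithm(raw["TicketEncryptionType"]):
        out["ssl_signature_algorithm"] = ssl_signature_algorithm(raw["TicketEncryptionType"])
    out.update(target_entity(raw["TargetUserName"]))
    return out


def derive_4769(raw):
    """raw: {raw field name: value} for one 4769 event (Keywords from <System>)."""
    out = dict(KERBEROS_STATICS)
    out["signature"] = "A Kerberos service ticket was requested."
    out["action"] = action_from_keywords(raw["Keywords"])
    out["event_return_code"] = raw["Status"]
    if reason(raw["Status"]) is not None:
        out["reason"] = reason(raw["Status"])
    out.update(target_entity(raw["TargetUserName"]))
    return out


if __name__ == "__main__":
    # Constructed sample values, not taken from a real domain controller.
    print(derive_4768({"Status": "0x0", "TicketEncryptionType": "0x12", "TargetUserName": "dadmin"}))
    print(derive_4769({"Keywords": "0x8010000000000000", "Status": "0x18", "TargetUserName": "DC01$"}))
```

Running a rule table like this over a day of 4768 and 4769 events is a quick way to confirm that the reason and ssl_signature_algorithm tokens a detection relies on are actually populated, and to spot codes that fall through every rule and therefore reach the models with no reason at all.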

5140

| Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
| --- | --- | --- | --- |
| | event_description (calculated field) | | Endpoint_ResourceAccess |
| Task | task_category | | Endpoint_ResourceAccess |
| Provider (name attribute) | source_name | | Endpoint_ResourceAccess |
| AccessMask | resource_operation_access_mask | | Endpoint_ResourceAccess |
| AccessList | resource_operation_accesses | | Endpoint_ResourceAccess |
| ObjectType | resource_type | | Endpoint_ResourceAccess |
| Channel | log_name | | Endpoint_ResourceAccess |
| ShareName | resource_handle | | Endpoint_ResourceAccess |
| SubjectDomainName | account_domain | | Endpoint_ResourceAccess |
| Keywords | event_status | | Endpoint_ResourceAccess |
| ShareLocalPath | resource_handle_path (extended) | | Endpoint_ResourceAccess (v2) |
| EventID | signature_id (extended) | | Endpoint_ResourceAccess (v2) |
| IpAddress | source_address (extended) | | Endpoint_ResourceAccess (v2) |
| Computer | dest_nt_domain | | Endpoint_ResourceAccess (v2) |
| IpPort | source_port (extended) | | Endpoint_ResourceAccess (v2) |
| Computer | | dest_device/DNS | Endpoint_ResourceAccess |
| SubjectUserName | | dest_user/WINDOWS_ACCOUNT_NAME or dest_device/DNS (if SubjectUserName contains a user name, then dest_user is populated; if SubjectUserName contains a device, then dest_device is populated) | Endpoint_ResourceAccess |

5145

| Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
| --- | --- | --- | --- |
| | event_description (calculated field) | | Endpoint_ResourceAccess |
| Task | task_category | | Endpoint_ResourceAccess |
| Provider (name attribute) | source_name | | Endpoint_ResourceAccess |
| AccessMask | resource_operation_access_mask | | Endpoint_ResourceAccess |
| AccessList | resource_operation_accesses | | Endpoint_ResourceAccess |
| ObjectType | resource_type | | Endpoint_ResourceAccess |
| Channel | log_name | | Endpoint_ResourceAccess |
| ShareName | resource_handle | | Endpoint_ResourceAccess |
| SubjectDomainName | account_domain | | Endpoint_ResourceAccess |
| Keywords | event_status | | Endpoint_ResourceAccess |
| RelativeTargetName | resource_handle_name (extended) | | Endpoint_ResourceAccess (v2) |
| ShareLocalPath | resource_handle_path (extended) | | Endpoint_ResourceAccess (v2) |
| EventID | signature_id (extended) | | Endpoint_ResourceAccess (v2) |
| IpAddress | source_address (extended) | | Endpoint_ResourceAccess (v2) |
| Computer | dest_nt_domain | | Endpoint_ResourceAccess (v2) |
| IpPort | source_port (extended) | | Endpoint_ResourceAccess (v2) |
| Computer | | dest_device/DNS | Endpoint_ResourceAccess |
| SubjectUserName | | dest_user/WINDOWS_ACCOUNT_NAME | Endpoint_ResourceAccess |
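To see how a raw XmlWinEventLog event turns into the token names above, the following added example (not code from the documentation or from Splunk) parses the 5145 sample event from the Sample Event section and applies the 5145 mapping table to it. The sample is embedded as a constructed copy of that event with the doubled backslashes and viewer residue removed and AccessReason omitted; the entity/field-type lookups and the data-model assignment are outside its scope, and the flattening of <System> children and <Data Name="..."> elements into one dictionary is this example's own convention.

```python
import xml.etree.ElementTree as ET

# Namespace carried by every XmlWinEventLog event.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Field mapping for event 5145, transcribed from the 5145 table. Key: raw field
# name (a <System> child, the Provider Name attribute, or the Name attribute of
# an <EventData><Data> element). Value: the token name(s) that field populates.
MAPPING_5145 = {
    "Task": ("task_category",),
    "Provider": ("source_name",),
    "AccessMask": ("resource_operation_access_mask",),
    "AccessList": ("resource_operation_accesses",),
    "ObjectType": ("resource_type",),
    "Channel": ("log_name",),
    "ShareName": ("resource_handle",),
    "SubjectDomainName": ("account_domain",),
    "Keywords": ("event_status",),
    "RelativeTargetName": ("resource_handle_name",),
    "ShareLocalPath": ("resource_handle_path",),
    "EventID": ("signature_id",),
    "IpAddress": ("source_address",),
    "Computer": ("dest_nt_domain", "dest_device"),
    "IpPort": ("source_port",),
    "SubjectUserName": ("dest_user",),
}

# Constructed sample: the 5145 event from the Sample Event section (AccessReason
# omitted). A raw string keeps the single backslashes of the share paths intact.
SAMPLE_5145 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
   <System>
      <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
      <EventID>5145</EventID>
      <Version>0</Version>
      <Level>0</Level>
      <Task>12811</Task>
      <Opcode>0</Opcode>
      <Keywords>0x8020000000000000</Keywords>
      <TimeCreated SystemTime="2015-09-17T23:54:48.941761700Z" />
      <EventRecordID>267092</EventRecordID>
      <Correlation />
      <Execution ProcessID="516" ThreadID="524" />
      <Channel>Security</Channel>
      <Computer>DC01.contoso.local</Computer>
      <Security />
   </System>
   <EventData>
      <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
      <Data Name="SubjectUserName">dadmin</Data>
      <Data Name="SubjectDomainName">CONTOSO</Data>
      <Data Name="SubjectLogonId">0x38d34</Data>
      <Data Name="ObjectType">File</Data>
      <Data Name="IpAddress">fe80::31ea:6c3c:f40d:1973</Data>
      <Data Name="IpPort">56926</Data>
      <Data Name="ShareName">\\*\Documents</Data>
      <Data Name="ShareLocalPath">\??\C:\Documents</Data>
      <Data Name="RelativeTargetName">Bginfo.exe</Data>
      <Data Name="AccessMask">0x100081</Data>
      <Data Name="AccessList">%%1541 %%4416 %%4423</Data>
   </EventData>
</Event>"""


def raw_fields(xml_text):
    """Flatten one event into {raw field name: value}. <System> children that
    carry only attributes (Correlation, Execution, TimeCreated, Security) have
    no text and are skipped; Provider is special-cased to its Name attribute."""
    root = ET.fromstring(xml_text)
    fields = {}
    for child in root.find("e:System", NS):
        tag = child.tag.split("}", 1)[1]  # strip the namespace prefix
        if tag == "Provider":
            fields["Provider"] = child.get("Name")
        elif child.text and child.text.strip():
            fields[tag] = child.text.strip()
    for data in root.find("e:EventData", NS).findall("e:Data", NS):
        if data.get("Name") and data.text:
            fields[data.get("Name")] = data.text
    return fields


def map_event(xml_text, mapping):
    """Apply a mapping table: each raw field present in the event populates all
    of its token names; raw fields the event lacks simply produce no token."""
    fields = raw_fields(xml_text)
    tokens = {}
    for raw_name, token_names in mapping.items():
        if raw_name in fields:
            for token in token_names:
                tokens[token] = fields[raw_name]
    return tokens


if __name__ == "__main__":
    for token, value in sorted(map_event(SAMPLE_5145, MAPPING_5145).items()):
        print(f"{token:32} {value}")
```

Fields with no row in the table (SubjectUserSid, SubjectLogonId, Version, Opcode) are parsed but never become tokens, which is the behaviour to expect when a detection built on Endpoint_ResourceAccess cannot see a field that is clearly present in the raw event.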
Last modified on 12 June, 2023

This documentation applies to the following versions of Splunk® Enterprise Security: 7.1.0

