Supported data sources in behavioral analytics service
This topic applies only to customers on the Splunk Cloud platform.
Behavioral analytics service uses data sources to generate anomalies.
The following table identifies the source types supported by universal forwarders:
Data source | Sourcetype for universal forwarder |
---|---|
Windows security logs | XmlWinEventLog:Security
|
Windows event IDs supported in Splunk Behavioral Analytics
The following table summarizes the Microsoft Windows event IDs used by behavioral analytics service. See Configure Windows event logging to ensure the proper events are logged for instructions to properly log Microsoft Windows events.
Event ID | Description | Supported for XmlWinEventLog |
---|---|---|
4103 | Windows license activation failed | Yes |
4104 | PowerShell script block logging | Yes |
4624 | An account was successfully logged on | Yes |
4625 | An account failed to log on | Yes |
4661 | A handle to an object was requested | Yes |
4662 | An operation was performed on an object | Yes |
4663 | An attempt was made to access an object | Yes |
4673 | A privileged service was called | Yes |
4688 | A new process has been created | Yes |
4689 | A process has exited | Yes |
5145 | A network share object was checked to see whether client can be granted desired access | Yes |
Data source sample events and fields mappings
Behavioral analytics service extracts and maps the values from specific fields in each data source to be used by its models. Expand each Fields and Mapping section to see how fields in raw events are mapped. The tables in the Field and Mapping section contain the following information:
Table column | Description |
---|---|
Raw event field name | The original value of the field in the raw event. |
Behavioral analytics service token name | What the field in the raw event is mapped to in behavioral analytics service. For example, the raw event may contain a field named threatURL, but the models in behavioral analytics service require a field named threat_url. |
Behavioral analytics service entity/field type | The field used to enrich entities with assets and identities data. For example, a local_ip field in the raw event marked as dest_user/DNS in the table defines the database table used to perform the lookup, so DNS addresses are searched when performing the lookup instead of IP tables. |
Behavioral analytics service data model | Data models in behavioral analytics service normalize data into specific categories like Authorization or Endpoint. The detections in the system run queries against this normalized data instead of running vendor-specific queries. |
XmlWinEventLog logs
Sample Event
Sample XmlWinEventLog events
4689
<?xml version="1.0" encoding="UTF-8"?> <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> <EventID>4689</EventID> <Version>0</Version> <Level>0</Level> <Task>13313</Task> <Opcode>0</Opcode> <Keywords>0x8020000000000000</Keywords> <TimeCreated SystemTime="2015-08-27T17:13:01.826339500Z" /> <EventRecordID>187030</EventRecordID> <Correlation /> <Execution ProcessID="4" ThreadID="144" /> <Channel>Security</Channel> <Computer>DC01.contoso.local</Computer> <Security /> </System> <EventData> <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> <Data Name="SubjectUserName">dadmin</Data> <Data Name="SubjectDomainName">CONTOSO</Data> <Data Name="SubjectLogonId">0x31365</Data> <Data Name="Status">0x0</Data> <Data Name="ProcessId">0xfb0</Data> <Data Name="ProcessName">C:\Windows\System32\notepad.exe</Data> </EventData> </Event>
5140
<?xml version="1.0" encoding="UTF-8"?> <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> <EventID>4689</EventID> <Version>0</Version> <Level>0</Level> <Task>13313</Task> <Opcode>0</Opcode> <Keywords>0x8020000000000000</Keywords> <TimeCreated SystemTime="2015-08-27T17:13:01.826339500Z" /> <EventRecordID>187030</EventRecordID> <Correlation /> <Execution ProcessID="4" ThreadID="144" /> <Channel>Security</Channel> <Computer>DC01.contoso.local</Computer> <Security /> </System> <EventData> <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> <Data Name="SubjectUserName">dadmin</Data> <Data Name="SubjectDomainName">CONTOSO</Data> <Data Name="SubjectLogonId">0x31365</Data> <Data Name="Status">0x0</Data> <Data Name="ProcessId">0xfb0</Data> <Data Name="ProcessName">C:\Windows\System32\notepad.exe</Data> </EventData> </Event>
5145
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> <EventID>5145</EventID> <Version>0</Version> <Level>0</Level> <Task>12811</Task> <Opcode>0</Opcode> <Keywords>0x8020000000000000</Keywords> <TimeCreated SystemTime="2015-09-17T23:54:48.941761700Z" /> <EventRecordID>267092</EventRecordID> <Correlation /> <Execution ProcessID="516" ThreadID="524" /> <Channel>Security</Channel> <Computer>DC01.contoso.local</Computer> <Security /> </System> - <EventData> <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> <Data Name="SubjectUserName">dadmin</Data> <Data Name="SubjectDomainName">CONTOSO</Data> <Data Name="SubjectLogonId">0x38d34</Data> <Data Name="ObjectType">File</Data> <Data Name="IpAddress">fe80::31ea:6c3c:f40d:1973</Data> <Data Name="IpPort">56926</Data> <Data Name="ShareName">\\\\\*\\Documents</Data> <Data Name="ShareLocalPath">\\??\\C:\\Documents</Data> <Data Name="RelativeTargetName">Bginfo.exe</Data> <Data Name="AccessMask">0x100081</Data> <Data Name="AccessList">%%1541 %%4416 %%4423</Data> <Data Name="AccessReason">%%1541: %%1801 D:(A;;FA;;;WD) %%4416: %%1801 D:(A;;FA;;;WD) %%4423: %%1801 D:(A;;FA;;;WD)</Data> </EventData> </Event>
Fields and Mapping
Fields and mapping
4103
Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
---|---|---|---|
Provider | source_name | Endpoint_Processes | |
Computer | dest_device/DNS endpoint_device/DNS |
Endpoint_Processes | |
UserID | dest_user/WINDOWS_ACCOUNT_NAME endpoint_user/WINDOWS_ACCOUNT_NAME |
Endpoint_Processes | |
Payload | process | Endpoint_Processes | |
Use constant value of "powershell.exe" | parent_process_name process_name |
Endpoint_Processes | |
Task | task_category (extended) | ||
Channel | log_name (extended) | ||
EventID | signature_id (extended) |
4104
Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
---|---|---|---|
Provider (Name attribute) | source_name | Endpoint_Processes | |
Computer | dest_device/DNS endpoint_device/DNS |
Endpoint_Processes | |
Path | process_path extracted from script path process_name exgracted from script path |
Endpoint_Processes | |
Use constant value of "powershell.exe" | parent_process_name | Endpoint_Processes | |
Task | task_category (extended) | ||
Channel | log_name (extended) | ||
EventID | signature_id (extended) |
4624
Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
---|---|---|---|
Keywords | action This is a calculated field. |
Authentication | |
Static value: "An account was successfully logged on" |
signature | Authentication | |
EventID | signature_id | Authentication | |
Computer | origin_device_domain | src_device/DNS | Authentication |
FailureReason | reason | Authentication | |
SubjectUserName | src_user/WINDOWS_ACCOUNT_NAME |
Authentication | |
TargetUserName | src_user/WINDOWS_ACCOUNT_NAME |
Authentication | |
TargetDomainName | dest_nt_domain | Authentication | |
AuthenticationPackageName | auth_pkg | Authentication | |
LogonType | authentication_type, authentication_type_name (calculated field) | Authentication | |
LoginProcessName | authentication_method | Authentication | |
ProcessName | app | Authentication | |
WorkstationName | src_device/DNS | Authentication | |
ipAddress | dest_device/IP, src_device/IP | Authentication | |
Keywords | action This is a calculated field. |
Endpoint_Processes | |
Static value: "Microsoft WIndows" |
vendor_product, os | Endpoint_Processes | |
Computer | dest_devince/DNS endpoint_device/DNS |
Endpoint_Processes | |
SubjectUserName | endpoint_user/WINDOWS_ACCOUNT_NAME |
Endpoint_Processes | |
TargetUserName | endpoint_user/WINDOWS_ACCOUNT_NAME |
Endpoint_Processes | |
ProcessId | process_id | Endpoint_Processes | |
ProcessName | process_name, process_exec, process_current_directory, process_path, process If ProcessName is empty, the values of process_name and process_exec are extracted from Login Process |
Endpoint_Processes | |
WorkstationName | dest_device/DNS, endpoint_device/DNS | Endpoint_Processes | |
ipAddress | dest_device/IP, endpoint_device/DNS | Endpoint_Processes | |
Task | task_category (extended) | ||
Provider (name attribute) | aosurce_name (extended) | ||
Channel | log_name (extended) | ||
SubjectDomainName | account_domain (extended) |
4625
Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
---|---|---|---|
Keywords | action This is a calculated field. |
Authentication | |
Static value: "An account failed to log on" |
signature | Authentication | |
EventID | signature_id | Authentication | |
Computer | origin_device_domain | src_device/DNS | Authentication |
FailureReason | reason | Authentication | |
SubjectUserName | src_user/WINDOWS_ACCOUNT_NAME |
Authentication | |
TargetUserName | src_user/WINDOWS_ACCOUNT_NAME |
Authentication | |
TargetDomainName | dest_nt_domain | Authentication | |
AuthenticationPackageName | auth_pkg | Authentication | |
LogonType | authentication_type, authentication_type_name (calculated field) | Authentication | |
LoginProcessName | authentication_method | Authentication | |
ProcessName | app | Authentication | |
WorkstationName | src_device/DNS | Authentication | |
ipAddress | dest_device/IP, src_device/IP | Authentication | |
Status | event_return_code This is a alculated field. |
Authentication | |
ActiveDirectory (static value) | authentication_service | Authentication | |
Keywords | action This is a calculated field. |
Endpoint_Processes | |
Static value: "Microsoft WIndows" |
vendor_product, os | Endpoint_Processes | |
Computer | dest_devince/DNS endpoint_device/DNS |
Endpoint_Processes | |
SubjectUserName | endpoint_user/WINDOWS_ACCOUNT_NAME |
Endpoint_Processes | |
TargetUserName | endpoint_user/WINDOWS_ACCOUNT_NAME |
Endpoint_Processes | |
ProcessId | process_id | Endpoint_Processes | |
ProcessName | process_name, process_exec, process_current_directory, process_path, process If ProcessName is empty, the values of process_name and process_exec are extracted from Login Process |
Endpoint_Processes | |
WorkstationName | dest_device/DNS, endpoint_device/DNS | Endpoint_Processes | |
ipAddress | dest_device/IP, endpoint_device/DNS | Endpoint_Processes | |
Task | task_category (extended) | ||
Provider (name attribute) | aosurce_name (extended) | ||
Channel | log_name (extended) | ||
SubjectDomainName | account_domain (extended) |
4661
Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
---|---|---|---|
ObjectName | resource_handle | Endpoint_ResourceAccess | |
ObjectType | resource_type | Endpoint_ResourceAccess | |
HandleId | resource_handle_id | Endpoint_ResourceAccess | |
AccessMask | resource_operation_access_mask | Endpoint_ResourceAccess | |
PrivilegeList | resource_operation_privileges | Endpoint_ResourceAccess | |
Properties | resource_operation_properties | Endpoint_ResourceAccess | |
RestrictedSidCount | resource_operation_restricted_sid_count | Endpoint_ResourceAccess | |
AccessList | resource_operation_access | Endpoint_ResourceAccess | |
ProcessId | process_id | Endpoint_Process | |
ProcessName | process_name process_path |
Endpoint_Process | |
event_description (calculated field) | Endpoint_ResourceAccess | ||
Computer | dest_device/DNS endpoint_device/DNS |
Endpoint_ResourceAccess, Endpoint_Processes | |
SubjectUserName | dest_user/WINDOWS_ACCOUNT_NAME endpoint_user/WINDOWS_ACCOUNT_NAME |
Endpoint_ResourceAccess, Endpoint_Processes | |
SubjectLogonId | logon_id | Endpoint_ResourceAccess | |
TransactionId | resource_operation_transaction_id | Endpoint_ResourceAccess | |
Keywords | event_status | Endpoint_ResourceAccess | |
Computer | dest_nt_domain (extended) | Endpoint_ResourceAccess (v2) | |
ObjectName | resource_handle_name (extended) | Endpoint_ResourceAccess (v2) | |
Task | task_category (extended) | ||
Provider (name attribute) | source_name (extended) | ||
Channel | log_name (extended) | ||
SubjectDomainName | account_domain (extended) | ||
EventID | signature_id (extended) |
4662
Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
---|---|---|---|
ObjectName | resource_handle | Endpoint_ResourceAccess | |
ObjectType | resource_type | Endpoint_ResourceAccess | |
HandleId | resource_handle_id | Endpoint_ResourceAccess | |
AccessMask | resource_operation_access_mask | Endpoint_ResourceAccess | |
Properties | resource_operation_properties | Endpoint_ResourceAccess | |
RestrictedSidCount | resource_operation_restricted_sid_count | Endpoint_ResourceAccess | |
AccessList | resource_operation_access | Endpoint_ResourceAccess | |
OperationType | resource_operation_type | Endpoint_ResourceAccess | |
event_description (calculated field) | Endpoint_ResourceAccess | ||
Computer | dest_device/DNS | Endpoint_ResourceAccess, Endpoint_Processes | |
SubjectUserName | dest_user/WINDOWS_ACCOUNT_NAME | Endpoint_ResourceAccess | |
SubjectLogonId | logon_id | Endpoint_ResourceAccess | |
Keywords | event_status | Endpoint_ResourceAccess | |
Computer | dest_nt_domain (extended) | Endpoint_ResourceAccess (v2) | |
Task | task_category (extended) | ||
Provider (name attribute) | source_name (extended) | ||
Channel | log_name (extended) | ||
SubjectDomainName | account_domain (extended) | ||
EventID | signature_id (extended) |
4663
Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
---|---|---|---|
ObjectName | resource_handle | Endpoint_ResourceAccess | |
ObjectType | resource_type | Endpoint_ResourceAccess | |
HandleId | resource_handle_id | Endpoint_ResourceAccess | |
AccessList | resource_operation_access | Endpoint_ResourceAccess | |
AccessMask | resource_operation_access_mask | Endpoint_ResourceAccess | |
ProcessId | process_id | Endpoint_Process | |
ProcessName | process_name process_path |
Endpoint_Process | |
event_description (calculated field) | Endpoint_ResourceAccess | ||
Computer | dest_device/DNS endpoint_device/DNS |
Endpoint_ResourceAccess, Endpoint_Processes | |
SubjectUserName | dest_user/WINDOWS_ACCOUNT_NAME endpoint_user/WINDOWS_ACCOUNT_NAME |
Endpoint_ResourceAccess, Endpoint_Processes | |
SubjectLogonId | logon_id | Endpoint_ResourceAccess | |
Keywords | event_status | Endpoint_ResourceAccess | |
Computer | dest_nt_domain (extended) | Endpoint_ResourceAccess (v2) | |
ObjectName | resource_handle_name (extended) | Endpoint_ResourceAccess (v2) | |
Task | task_category (extended) | ||
Provider (name attribute) | source_name (extended) | ||
Channel | log_name (extended) | ||
SubjectDomainName | account_domain (extended) | ||
EventID | signature_id (extended) |
4688
Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
---|---|---|---|
CommandLine | process | Endpoint_Process | |
Keywords | action This is a calculated field. |
Endpoint_Processes | |
NewProcessId | process_id | Endpoint_Processes | |
NewProcessName | process_name process_exec process_current_directory process_path |
Endpoint_Processes | |
Microsoft Windows (static value) | vendor_product, os | Endpoint_Processes | |
ParentProcessName | parent_process_name | Endpoint_Processes | |
ProcessId | parent_process_id | Endpoint_Processes | |
TargetUserName | dest_user/WINDOWS_ACCOUNT_NAME endpoint_user/WINDOWS_ACCOUNT_NAME |
Endpoint_Processes | |
Computer | dest_device/DNS endpoint_device/DNS |
Endpoint_Processes | |
Task | task_category (extended) | ||
Provider (name attribute) | source_name (extended) | ||
Channel | log_name (extended) | ||
SubjectDomainName | account_domain (extended) | ||
EventID | signature_id (extended) |
4689
Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
---|---|---|---|
Keywords | action This is a calculated field. |
Endpoint_Processes | |
Microsoft Windows (static value) | vendor_product, os | Endpoint_Processes | |
Computer | dest_device/DNS | Endpoint_Processes | |
SubjectUserName | dest_user/WINDOWS_ACCOUNT_NAME If SubjectUserName does not contain $ at the end, then dest_user is populated. |
Endpoint_Processes | |
ProcessId | process_id | Endpoint_Processes | |
ProcessName | process_name process_exec process_current_directory process_path process |
Endpoint_Processes | |
Task | task_category (extended) | ||
Provider (name attribute) | source_name (extended) | ||
Channel | log_name (extended) | ||
SubjectDomainName | account_domain (extended) | ||
EventID | signature_id (extended) |
4768
Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
---|---|---|---|
Status | action If the Status is 0x0, then the action is Successful. Otherwise, the action is Failed. |
Authentication | |
Use the static value "Kerberos" | authentication_method | Authentication | |
Use the static value "ActiveDirectory" | authentication_service | Authentication | |
Use the static value "Network" | authentication_type_name | Authentication | |
TargetUserName | dest_user/WINDOWS_ACCOUNT_NAME or dest_device/DNS If TargetUserName contains a user, then dest_user is populated. If TargetUserName contains a device name, then dest_device is populated. |
Authentication | |
Status | reason
I If Status = 0x18, 0xc0000064, or 0xc000006e, then reason is "Invalid Password"
|
Authentication | |
Status | event_return_code | Authentication | |
Use the static value "A Kerberos authentication ticket (TGT) was requested." | signature | Authentication | |
EventID | signature_id | Authentication | |
Use the static value "ActiveDirectory". | app | Authentication | |
IpPort | dest_port | Certificates | |
CertThumbprint | ssl_hash | Certificates | |
CertIssuerName | ssl_issuer | Certificates | |
CertIssuerName | ssl_issuer_common_name | Certificates | |
CertSerialNumber | ssl_serial | Certificates | |
Status | ssl_is_valid
|
Certificates | |
TicketEncryptionType | ssl_signature_algorithm
| ||
Task | task_category (extended) | ||
Provider (name attribute) | source_name (extended) | ||
Channel | log_name (extended) | ||
TargetDomainName | account_domain (extended) |
4769
Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
---|---|---|---|
Keywords | action If the Keywords is 0x8020000000000000, then the action is Successful. Otherwise, the action is Failed. |
Authentication | |
Use the static value "Kerberos" | authentication_method | Authentication | |
Use the static value "ActiveDirectory" | authentication_service | Authentication | |
Use the static value "Network" | authentication_type_name | Authentication | |
Computer | origin_device_domain | origin_device/DNS | Authentication |
Use the static value "A Kerberos service ticket was requested." | signature | Authentication | |
EventID | signature_id | Authentication | |
TargetUserName | dest_user/WINDOWS_ACCOUNT_NAME or dest_device/DNS If TargetUserName contains a user, then dest_user is populated. If TargetUserName contains a device name, then dest_device is populated. |
Authentication | |
TargetDomainName | dest_nt_domain | Authentication | |
IpAddress | dest_device/IP | Authentication | |
Status | event_return_code, reason
I If Result Code = 0x18, 0xc0000064, or 0xc000006e, then reason is "Invalid Password"
|
Authentication | |
Use the static value "ActiveDirectory". | app | Authentication |
5140
Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
---|---|---|---|
event_description (calculated field) | Endpoint_ResourceAccess | ||
Task | task_category | Endpoint_ResourceAccess | |
Provider (name attribute) | source_name | Endpoint_ResourceAccess | |
AccessMask | resource_operation_access_mask | Endpoint_ResourceAccess | |
AccessList | resource_operation_accesses | Endpoint_ResourceAccess | |
ObjectType | resource_type | Endpoint_ResourceAccess | |
Channel | log_name | Endpoint_ResourceAccess | |
ShareName | resource_handle | Endpoint_ResourceAccess | |
SubjectDomainName | account_domain | Endpoint_ResourceAccess | |
Keywords | event_status | Endpoint_ResourceAccess | |
ShareLocalPath | resource_handle_path (extended) | Endpoint_ResourceAccess (v2) | |
EventID | signature_id (extended) | Endpoint_ResourceAccess (v2) | |
IpAddress | source_address (extended) | Endpoint_ResourceAccess (v2) | |
Computer | dest_nt_domain | Endpoint_ResourceAccess (v2) | |
IpPort | source_port (extended) | Endpoint_ResourceAccess (v2) | |
Computer | dest_device/DNS | Endpoint_ResourceAccess | |
SubjectUserName | dest_user/WINDOWS_ACCOUNT_NAME or dest_device/DNS If SubjectUserName contains a user name then dest_user is populated. If SubjectUserName contains a device then dest_device is populated. |
Endpoint_ResourceAccess |
5145
Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
---|---|---|---|
event_description (calculated field) | Endpoint_ResourceAccess | ||
Task | task_category | Endpoint_ResourceAccess | |
Provider (name attribute) | source_name | Endpoint_ResourceAccess | |
AccessMask | resource_operation_access_mask | Endpoint_ResourceAccess | |
AccessList | resource_operation_accesses | Endpoint_ResourceAccess | |
ObjectType | resource_type | Endpoint_ResourceAccess | |
Channel | log_name | Endpoint_ResourceAccess | |
ShareName | resource_handle | Endpoint_ResourceAccess | |
SubjectDomainName | account_domain | Endpoint_ResourceAccess | |
Keywords | event_status | Endpoint_ResourceAccess | |
RelativeTargetName | resource_handle_name (extended) | Endpoint_ResourceAccess (v2) | |
ShareLocalPath | resource_handle_path (extended) | Endpoint_ResourceAccess (v2) | |
EventID | signature_id (extended) | Endpoint_ResourceAccess (v2) | |
IpAddress | source_address (extended) | Endpoint_ResourceAccess (v2) | |
Computer | dest_nt_domain | Endpoint_ResourceAccess (v2) | |
IpPort | source_port (extended) | Endpoint_ResourceAccess (v2) | |
Computer | dest_device/DNS | Endpoint_ResourceAccess | |
SubjectUserName | dest_user/WINDOWS_ACCOUNT_NAME | Endpoint_ResourceAccess |
Create an identity lookup from your cloud service provider data in Splunk Enterprise Security | Configure Windows event logging to ensure the proper events are logged |
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1
Feedback submitted, thanks!