Request for feedback: Should we support the Authentication CIM Datamodel?
We could support Authentication CIM Datamodel to some extent with USERID type logs from the firewall, but the Authentication CIM is not a great fit because it's geared more toward the logs from the actual point of authentication, which the firewall typically is not in enterprise environments. This would usually be logs from your RADIUS, LDAP, or AD server.
Interested in customer feedback if supporting the Authentication datamodel as best we can would be useful.
Thanks!
I don't think this is a great idea because, as you mentioned, this is mostly already collected as part of the WinEventLogs; it could however (based on volume) push the size of the accelerated models right up and create retention issues there.
Perhaps using an inputlookup we could look to either opt-in/opt-out items, would need to give this a little more thought.
Is this also somewhat linked to https://github.com/PaloAltoNetworks/Splunk_TA_paloalto/issues/42?
Yes, you should. Depending on the infrastructure, things may not show up in wineventlogs. For example, someone brute forcing the admin login. Here are some configs:
props.conf
[pan:system]
# Search-time field extractions for auth-related system log messages.
# user and src each get two patterns because the message text differs
# between event types; all patterns run against _raw.
EXTRACT-pan_sys_user1 = for\s+user\s+'(?<user>[^']+)
EXTRACT-pan_sys_user2 = \"When\s+authenticating\s+user\s+'(?<user>[^']+)
EXTRACT-pan_sys_src1 = [Ff]rom:?\s+'?(?<src>\S+(?=\.[\"']))
EXTRACT-pan_sys_src2 = from\s+'(?<src>[^']+)
EXTRACT-os_version = Client\sOS\sversion:\s(?<os_version>.*-bit)
EXTRACT-auth_type = Auth\stype:\s(?<auth_type>[^,|^\.]+)[\,|\.]
EXTRACT-src_region = Source\sregion:\s(?<src_region>\w+)\,
# The Authentication datamodel wants app and action; action is mapped
# from event_id through the lookup defined in transforms.conf.
EVAL-app = "pan"
LOOKUP-pan_sys_auth_action = pan_sys_auth_action event_id OUTPUT action
transforms.conf
# Lookup definition referenced by the LOOKUP- stanza above; the CSV lives
# in the app's lookups/ directory.
[pan_sys_auth_action]
filename = pan_sys_auth_action.csv
eventtypes.conf
# Only auth-subtype system events are tagged for the datamodel.
[pan_sys_auth]
search = sourcetype=pan:system log_subtype=auth
tags.conf
[eventtype=pan_sys_auth]
authentication = enabled
pan_sys_auth_action.csv
event_id,action
auth-success,success
auth-fail,failure
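To sanity-check the extractions, EVAL, LOOKUP, eventtype and tag above without a Splunk instance, here is an added Python example; it is not part of the original issue, the TA, or the config posted above. It replays the same logic over a few constructed pan:system-style events. The sample message texts, the assumption that the TA has already extracted sourcetype, log_subtype and event_id, the first-match-wins handling of the duplicate user/src extractions (Splunk would produce a multivalue field instead), and the cim_ready helper are all assumptions made for illustration.

```python
import csv
import io
import re

# Regexes copied verbatim from the props.conf above. Splunk uses PCRE-style
# (?<name>...) groups; Python's re needs (?P<name>...), so convert on load.
EXTRACTS = {
    "user": [
        r"for\s+user\s+'(?<user>[^']+)",
        r"\"When\s+authenticating\s+user\s+'(?<user>[^']+)",
    ],
    "src": [
        r"[Ff]rom:?\s+'?(?<src>\S+(?=\.[\"']))",
        r"from\s+'(?<src>[^']+)",
    ],
    "os_version": [r"Client\sOS\sversion:\s(?<os_version>.*-bit)"],
    "auth_type": [r"Auth\stype:\s(?<auth_type>[^,|^\.]+)[\,|\.]"],
    "src_region": [r"Source\sregion:\s(?<src_region>\w+)\,"],
}

# The pan_sys_auth_action.csv contents from above, embedded inline.
PAN_SYS_AUTH_ACTION_CSV = """event_id,action
auth-success,success
auth-fail,failure
"""
ACTION_LOOKUP = {
    row["event_id"]: row["action"]
    for row in csv.DictReader(io.StringIO(PAN_SYS_AUTH_ACTION_CSV))
}

# Constructed sample events (not real PAN-OS output). The TA is assumed to have
# already produced sourcetype, log_subtype and event_id; _raw is the message
# text including the surrounding CSV quotes, which src1's lookahead relies on.
SAMPLE_EVENTS = [
    {"sourcetype": "pan:system", "log_subtype": "auth", "event_id": "auth-fail",
     "_raw": "\"failed authentication for user 'admin'. Reason: Invalid "
             "username/password From: 203.0.113.7.\""},
    {"sourcetype": "pan:system", "log_subtype": "auth", "event_id": "auth-success",
     "_raw": "\"When authenticating user 'alice' from '198.51.100.23', auth "
             "succeeded. Auth type: LDAP, Source region: US, "
             "Client OS version: Windows 10 64-bit.\""},
    {"sourcetype": "pan:system", "log_subtype": "general", "event_id": "general",
     "_raw": "\"Configuration committed by admin.\""},
]


def pcre_to_python(pattern):
    """Rewrite (?<name>...) to (?P<name>...) without touching lookbehinds."""
    return re.sub(r"\(\?<(?![=!])", "(?P<", pattern)


def extract_fields(raw):
    """Apply the EXTRACT-* regexes; first matching pattern per field wins (assumption)."""
    out = {}
    for field, patterns in EXTRACTS.items():
        for pat in patterns:
            m = re.search(pcre_to_python(pat), raw)
            if m:
                out[field] = m.group(field)
                break
    return out


def normalize(event):
    """Replay EXTRACT, EVAL-app, LOOKUP, eventtype and tags.conf for one event."""
    fields = dict(event)
    fields.update(extract_fields(event["_raw"]))
    fields["app"] = "pan"  # EVAL-app = "pan"
    action = ACTION_LOOKUP.get(event.get("event_id"))  # LOOKUP-pan_sys_auth_action
    if action is not None:
        fields["action"] = action
    # eventtype pan_sys_auth: sourcetype=pan:system log_subtype=auth -> authentication tag
    is_auth = event.get("sourcetype") == "pan:system" and event.get("log_subtype") == "auth"
    fields["tags"] = ["authentication"] if is_auth else []
    return fields


def cim_ready(fields):
    """Hypothetical check: tagged and carrying the fields this config populates."""
    required = ("action", "app", "src", "user")
    return "authentication" in fields["tags"] and all(fields.get(f) for f in required)


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        n = normalize(ev)
        print(n["event_id"], {k: n.get(k) for k in ("user", "src", "action", "tags")},
              "cim_ready=%s" % cim_ready(n))
```

Running this shows which of the posted regexes fire on which message shape: the failure message is served by user1 and src1, the success message by user2 and src2, and the general event is neither tagged nor given an action, so it would stay out of the datamodel.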