For the Windows Event Log Cleared detection, some of the fields won't be available, and some results will be missed.
I'm referring to:
- app
- name
- object_attrs
- signature
- src_user
- subject
which don't appear when source=XmlWinEventLog:System EventCode=104.
I've checked the Splunk_TA_windows add-on, and at least for name, signature and subject these come from windows_signatures_910.csv, which doesn't have the 104 signature_id in it.
The app field comes from windows_apps.csv as an enrichment, and there is no association for it to be populated since neither EventCode=104 nor source=XmlWinEventLog:System are present.
I'm not an expert in attack_data but I believe tests passed because the data has both XmlWinEventLog:System and XmlWinEventLog:Security events in it, and it gives a result for the XmlWinEventLog:Security, which the tests consider sufficient.
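The gap described in this issue, as an added example that is not part of the original post or of the splunk/security_content project: a small per-source coverage check that runs sample events through stand-in lookup enrichment and reports which required fields a detection would be missing for each (source, EventCode) pair, so a test that only requires "some result" does not hide a channel that never matches. The lookup contents, the raw-attribute-to-field mapping and the sample events are all constructed; the real Splunk_TA_windows lookups may use different columns.

```python
# Added example (not from the original issue or from splunk/security_content):
# check that every (source, EventCode) pair the attack data contains would
# yield all fields a detection needs. Lookup tables and events are constructed.
from typing import Dict, List, Tuple

# Constructed stand-in for a signature lookup keyed on signature_id.
# It deliberately lacks an entry for 104, mirroring the gap in the issue.
SIGNATURE_LOOKUP: Dict[str, Dict[str, str]] = {
    "1102": {
        "name": "The audit log was cleared",
        "signature": "The audit log was cleared",
        "subject": "Audit log cleared",
    },
}

# Constructed stand-in for an application lookup keyed on (source, EventCode).
APP_LOOKUP: Dict[Tuple[str, str], str] = {
    ("XmlWinEventLog:Security", "1102"): "win:security",
}

# Fields the detection expects, as listed in the issue.
REQUIRED_FIELDS = ["app", "name", "object_attrs", "signature", "src_user", "subject"]


def enrich(event: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of the event with lookup-derived fields added where a match exists."""
    out = dict(event)
    sig = SIGNATURE_LOOKUP.get(event["EventCode"])
    if sig:
        out.update(sig)
    app = APP_LOOKUP.get((event["source"], event["EventCode"]))
    if app:
        out["app"] = app
    # Constructed mapping of raw XML attributes to CIM-style field names.
    if "SubjectUserName" in event:
        out["src_user"] = event["SubjectUserName"]
    if "Channel" in event:
        out["object_attrs"] = event["Channel"]
    return out


def missing_fields(event: Dict[str, str]) -> List[str]:
    """Required fields that would still be absent after enrichment."""
    enriched = enrich(event)
    return [f for f in REQUIRED_FIELDS if f not in enriched]


def coverage_report(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map 'source EventCode=N' to the required fields that would be missing."""
    return {
        f"{e['source']} EventCode={e['EventCode']}": missing_fields(e)
        for e in events
    }


def fully_covered(events: List[Dict[str, str]]) -> bool:
    """True only if every event in the sample set has all required fields."""
    return all(not missing for missing in coverage_report(events).values())


# Constructed sample events: one from each channel the attack data contains.
SAMPLE_EVENTS = [
    {"source": "XmlWinEventLog:Security", "EventCode": "1102",
     "SubjectUserName": "jdoe", "Channel": "Security"},
    {"source": "XmlWinEventLog:System", "EventCode": "104",
     "SubjectUserName": "jdoe", "Channel": "System"},
]

if __name__ == "__main__":
    for key, missing in coverage_report(SAMPLE_EVENTS).items():
        status = "ok" if not missing else "missing " + ", ".join(missing)
        print(f"{key}: {status}")
```

Run as a script it prints one line per channel; the System line shows app, name, signature and subject missing, which is the condition a detection test should fail on rather than pass because the Security event alone produced a result.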