bawood / TA-DUOSecurity2FA

Splunk TA for indexing DUO 2 factor activity logs

Add CIM compliance for the Authentication datamodel #1

Closed cschmidt0121 closed 7 years ago

cschmidt0121 commented 8 years ago

These changes make the duo:authentication sourcetype CIM compliant so that it can be easily ingested by Enterprise Security (and other CIM-dependent Splunk apps). (https://docs.splunk.com/Documentation/CIM/4.5.0/User/Authentication)

alexhauber commented 8 years ago

Installed the App and it is not pulling Data. Looking for some input on how to get it to work. We installed it on a forwarder and are doing an index=duo. Data shows but not Data pulled from the API.

bawood commented 8 years ago

@alexhauber please try the latest version. Thanks.

cschmidt0121 commented 8 years ago

Is the lookup necessary? It seems like an eval might be more efficient.

Yeah, in this case an eval might be more efficient. It's common for apps to have a wide variety of vendor actions, and then a lookup is better. Since Duo only has SUCCESS and FAILURE an eval would be fine.

Also from Splunk's docs, it sounds like they recommend creating eventtypes to map the cim fields to.

A lot of times a single sourcetype will have data that goes into multiple datamodels. In this case since the entire sourcetype is auth, I think just a tag is fine. An eventtype wouldn't hurt though.

inspired commented 8 years ago

Would be great if this could get merged :-)

bawood commented 7 years ago

I've added CIM compliance but in a somewhat different way. It seemed like integration made more sense to be mapped as app, for example in our environment integration doesn't necessarily map to the destination endpoint (e.g. our SSO server is an integration but we can't say that's the destination based solely on that). We also occasionally get events marked with result=FRAUD and I wanted to gracefully handle the possibility there might be other results we just haven't seen. So I handled that with an if statement in an eval. CIM compliance now checks out ok against the app builder verification process.
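A configuration sketch of the approach discussed in this thread (an eval with a catch-all instead of a lookup, integration mapped to app rather than dest, and the sourcetype tagged for the Authentication datamodel), added here as an example and not taken from the TA itself; the eventtype name duo_authentication, the FIELDALIAS stanza name and the "unknown" catch-all value are assumptions.

```ini
# props.conf -- added example, not the TA's own configuration.
# Field names assumed from the thread: result (SUCCESS / FAILURE / FRAUD / ...) and integration.
[duo:authentication]
# Derive the CIM action field from the raw Duo result. The true() branch is the
# catch-all, so an unexpected value such as FRAUD still produces a non-null action
# ("unknown" is an assumed placeholder) instead of silently dropping out of the datamodel.
EVAL-action = case(result=="SUCCESS", "success", result=="FAILURE", "failure", true(), "unknown")
# Map the Duo integration to the CIM app field; it is not reliably the destination.
FIELDALIAS-duo_app = integration AS app

# eventtypes.conf -- the eventtype name is an assumption.
[duo_authentication]
search = sourcetype="duo:authentication"

# tags.conf -- tag the eventtype so the Authentication datamodel picks these events up.
[eventtype=duo_authentication]
authentication = enabled
```

A quick check after deploying is `sourcetype="duo:authentication" | stats count by result, action` to confirm every observed result value lands on one of the three action values.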

cschmidt0121 commented 7 years ago

Nicely done! Thank you.