<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: CIM: About the flexibility of the action field in Splunk Enterprise Security</title>
    <link>https://community.splunk.com/t5/Splunk-Enterprise-Security/CIM-About-the-flexibility-of-the-action-field/m-p/400873#M4541</link>
    <description>&lt;P&gt;I would use &lt;CODE&gt;allowed&lt;/CODE&gt; and &lt;CODE&gt;blocked&lt;/CODE&gt; but you can do whatever you like.  If this works, please do click &lt;CODE&gt;Accept&lt;/CODE&gt; to close the question.&lt;/P&gt;</description>
    <pubDate>Wed, 06 Mar 2019 08:56:04 GMT</pubDate>
    <dc:creator>woodcock</dc:creator>
    <dc:date>2019-03-06T08:56:04Z</dc:date>
    <item>
      <title>CIM: About the flexibility of the action field</title>
      <link>https://community.splunk.com/t5/Splunk-Enterprise-Security/CIM-About-the-flexibility-of-the-action-field/m-p/400868#M4536</link>
      <description>&lt;P&gt;Hello again,&lt;/P&gt;

&lt;P&gt;I'm developing a compliance app. The intention is to make it as CIM compliant as possible, but here is the problem: no CIM fields cover Windows sessions, for example (which start with event 4264 and finish with 4647). I can make my sessions panel out of the accelerated datamodel, but I think the best idea is to accommodate a few fields to respect the CIM and not interfere with the Authentication datamodel, even if I use the 4624 in other panels of my dashboards.&lt;/P&gt;

&lt;P&gt;So, I'm planning on doing it with Change, for example:&lt;/P&gt;

&lt;P&gt;change_type=session&lt;BR /&gt;
result_id would be a field alias of logonID&lt;BR /&gt;
and action would be action=session_started for 4624, action=session_finished for 4647&lt;/P&gt;

&lt;P&gt;After that I would make transactions with the result_id's inside my dashboard's panel search. Before doing that, I would like to know:&lt;BR /&gt;
A. If you have a better idea for doing this while respecting the CIM&lt;BR /&gt;
B. How flexible is the "action" field? I mean, is it valid to eval session_started and session_finished?&lt;/P&gt;

&lt;P&gt;I mean, the action field in the Change table is restricted to only 9 options (acl_modified, cleared, created, deleted, modified, read, stopped, updated); can I make extra actions? My objective is to isolate the actions and the panels as much as I can. I mean, I have no other use for these sessions other than that panel.&lt;/P&gt;

&lt;P&gt;Thanks!&lt;/P&gt;</description>
      <pubDate>Tue, 29 Sep 2020 23:22:16 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Enterprise-Security/CIM-About-the-flexibility-of-the-action-field/m-p/400868#M4536</guid>
      <dc:creator>3DGjos</dc:creator>
      <dc:date>2020-09-29T23:22:16Z</dc:date>
    </item>
    <item>
      <title>Re: CIM: About the flexibility of the action field</title>
      <link>https://community.splunk.com/t5/Splunk-Enterprise-Security/CIM-About-the-flexibility-of-the-action-field/m-p/400869#M4537</link>
      <description>&lt;P&gt;Hi @3DGjos &lt;/P&gt;

&lt;P&gt;Others might have more to add, but yes you can add new fields to the action field if you like. However there will be no search that uses the DMA that will know what to do with your field.  &lt;/P&gt;

&lt;P&gt;I think what you are doing overall sounds OK to me. You could also consider using a new data model that you create yourself for the data if it isn't a good fit for an existing one.   If you are planning to release this app on Splunkbase then you should be extra careful that its a good fit for the data model.&lt;/P&gt;

&lt;P&gt;All the best,&lt;/P&gt;</description>
      <pubDate>Mon, 18 Feb 2019 19:41:34 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Enterprise-Security/CIM-About-the-flexibility-of-the-action-field/m-p/400869#M4537</guid>
      <dc:creator>chrisyounger</dc:creator>
      <dc:date>2019-02-18T19:41:34Z</dc:date>
    </item>
    <item>
      <title>Re: CIM: About the flexibility of the action field</title>
      <link>https://community.splunk.com/t5/Splunk-Enterprise-Security/CIM-About-the-flexibility-of-the-action-field/m-p/400870#M4538</link>
      <description>&lt;P&gt;You could use the &lt;CODE&gt;Network Sessions&lt;/CODE&gt; datamodel.&lt;/P&gt;</description>
      <pubDate>Tue, 19 Feb 2019 07:30:52 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Enterprise-Security/CIM-About-the-flexibility-of-the-action-field/m-p/400870#M4538</guid>
      <dc:creator>woodcock</dc:creator>
      <dc:date>2019-02-19T07:30:52Z</dc:date>
    </item>
    <item>
      <title>Re: CIM: About the flexibility of the action field</title>
      <link>https://community.splunk.com/t5/Splunk-Enterprise-Security/CIM-About-the-flexibility-of-the-action-field/m-p/400871#M4539</link>
      <description>&lt;P&gt;I do not think the Change data model sounds like an appropriate match based on the "action" field value listing you provided.  It might be that the Network Session model is more appropriate, but I haven't looked at it closely.  &lt;/P&gt;

&lt;P&gt;The Authentication data model seems the most appropriate.  Here is what I would alias to:&lt;/P&gt;

&lt;P&gt;action = "success" or "failure"&lt;BR /&gt;
signature_id = 4624, etc&lt;BR /&gt;
signature = "An account was successfully logged on", etc&lt;/P&gt;

&lt;P&gt;The only thing you really need to perform the transaction is the signature_id. You don't really need the "session_started" and "finished" values that you want to use in the action field. If you want those values you can just add them as evals for each event/EventCode and place them into any field you want, like "description" or "message".&lt;/P&gt;

&lt;P&gt;You may not even need to worry about the data model. If you are only using this in a single dashboard panel and not building an entire app or data model on that work, then you could just alias the fields to the most appropriate CIM field and use those fields to build your panel. If you need the acceleration, you could use an accelerated report just for this panel without a data model, or you could build to an existing model, or create your own data model as mentioned previously.&lt;/P&gt;

&lt;P&gt;I suspect, because of the sheer volume of 4624 log events, that acceleration is a significant consideration.&lt;/P&gt;</description>
      <pubDate>Tue, 29 Sep 2020 23:18:18 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Enterprise-Security/CIM-About-the-flexibility-of-the-action-field/m-p/400871#M4539</guid>
      <dc:creator>marycordova</dc:creator>
      <dc:date>2020-09-29T23:18:18Z</dc:date>
    </item>
    <item>
      <title>Re: CIM: About the flexibility of the action field</title>
      <link>https://community.splunk.com/t5/Splunk-Enterprise-Security/CIM-About-the-flexibility-of-the-action-field/m-p/400872#M4540</link>
      <description>&lt;P&gt;Thanks for your answer, if I go for Network Sessions, my actions should be  added / blocked?  or can I use started / stopped? or added/blocked apply?&lt;/P&gt;

&lt;P&gt;Should I use Session_Start / Session_End datasets?&lt;/P&gt;

&lt;P&gt;I think ill go for that approach. Thanks!&lt;/P&gt;</description>
      <pubDate>Tue, 29 Sep 2020 23:18:39 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Enterprise-Security/CIM-About-the-flexibility-of-the-action-field/m-p/400872#M4540</guid>
      <dc:creator>3DGjos</dc:creator>
      <dc:date>2020-09-29T23:18:39Z</dc:date>
    </item>
    <item>
      <title>Re: CIM: About the flexibility of the action field</title>
      <link>https://community.splunk.com/t5/Splunk-Enterprise-Security/CIM-About-the-flexibility-of-the-action-field/m-p/400873#M4541</link>
      <description>&lt;P&gt;I would use &lt;CODE&gt;allowed&lt;/CODE&gt; and &lt;CODE&gt;blocked&lt;/CODE&gt; but you can do whatever you like.  If this works, please do click &lt;CODE&gt;Accept&lt;/CODE&gt; to close the question.&lt;/P&gt;</description>
      <pubDate>Wed, 06 Mar 2019 08:56:04 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Enterprise-Security/CIM-About-the-flexibility-of-the-action-field/m-p/400873#M4541</guid>
      <dc:creator>woodcock</dc:creator>
      <dc:date>2019-03-06T08:56:04Z</dc:date>
    </item>
  </channel>
</rss>