topic Re: Datamodel not showing all actions in Splunk Enterprise Security

Datamodel not showing all actions

wgawhh5hbnht — Wed, 30 Sep 2020 01:34:28 GMT

Network_Traffic Traffic_By_Action isn't showing allowed or deferred.
In the data model, here is the constraints:

(`cim_Network_Traffic_indexes`) tag=network tag=communicate
action=*

The CIM setup for Network Traffic includes the indexes: check_point network lb
There is an eventtype for check_point that has the search

index=check_point action=*

and it has the tags: communicate & network

When I search index=check_point action=* | dedup action | table action, I get the following:

action
allowed
blocked
deferred
dropped

But when I search |tstats count from datamodel=Network_Traffic by All_Traffic.action I only get:

All_Traffic.action  count
blocked 88
deferred    126
dropped 118

Does anyone have any idea as to why the actions allowed or deferred aren't showing up?
I've checked the macro cim_traffic_actions & it has action

allowed
blocked
teardown

Re: Datamodel not showing all actions

lakshman239 — Thu, 01 Aug 2019 15:44:47 GMT

what values do you see for 'action' when you run |from datamodel:"Network_Traffic | stats count by action ? Also, on your TA, check if there is any props/transforms for actions. Also, generally, if its possible to avoid using index= in eventtypes.conf, its better [ as you are restricting the indexes for a datamodel via CIM config]

Re: Datamodel not showing all actions

wgawhh5hbnht — Wed, 30 Sep 2020 01:34:31 GMT

For |from datamodel:"Network_Traffic" | stats count by action here are the results:

action  count
blocked 82
deferred    270
dropped 108

The TA is Splunk_TA_checkpoint-opseclea, no local transform & for props there is only this that deals with action:

FIELDALIAS-protocol_for_opsec = proto AS protocol
FIELDALIAS-opsec_action = te_action AS action vendor_action AS action

For default/props.conf here is everything with action:
Splunk_TA_checkpoint-opseclea]$ grep 'action' default/props.conf

REPORT-checkpoint_action_for_checkpoint = action_as_checkpoint_action
REPORT-action_as_threat_emulation_action = action_as_threat_emulation_action
FIELDALIAS-vendor_action = action as vendor_action
LOOKUP-action_for_opsec = checkpoint_opsec_action_lookup vendor_action OUTPUT action
REPORT-action_as_ips_action = action_as_threat_emulation_action
LOOKUP-action_for_av = te_action_lookup te_action OUTPUT action
REPORT-action_as_threat_emulation_action = action_as_threat_emulation_action
REPORT-opsec_vendor_action_field = opsec_vendor_action_field
FIELDALIAS-vendor_action = action as vendor_action
LOOKUP-action_for_opsec = checkpoint_opsec_action_lookup vendor_action OUTPUT action
REPORT-checkpoint_action_for_checkpoint = vendor_action_for_opsec
EVAL-look_up_key = case((Subject="File Operation"),"filesystem",(Operation="Create Object" OR Operation="Modify Object" OR Operation="Delete Object"),Operation,(Operation="Log In" OR Operation="Log Out" OR Operation="Force Log Out"),if(isnull(status),"Success",status),1==1,action)
LOOKUP-checkpoint_audit_action_lookup = checkpoint_audit_action_lookup look_up_key OUTPUT action,app
REPORT-action_as_threat_emulation_action = action_as_threat_emulation_action
FIELDALIAS-category_for_threat_emulation = malware_action as category
LOOKUP-action_for_te = te_action_lookup te_action OUTPUT action
REPORT-action_as_anti_bot_action = action_as_threat_emulation_action
LOOKUP-action_for_te = te_action_lookup te_action OUTPUT action
REPORT-action_as_anti_virus_action = action_as_threat_emulation_action
LOOKUP-action_for_av = te_action_lookup te_action OUTPUT action

Re: Datamodel not showing all actions

kchamplin_splun — Wed, 30 Sep 2020 01:33:25 GMT

You may want to ensure that the tags.conf for checkpoint also is pointing to that eventtype you mention (check_point) for:
tag=network tag=communicate. As an example tags.conf:
[eventtype=check_point]
network = enabled
communicate = enabled

A quick litmus test would be to just run a search with something like:
"tag=network OR tag=communicate | stats values(action) by sourcetype"

Re: Datamodel not showing all actions

wgawhh5hbnht — Wed, 30 Sep 2020 01:34:34 GMT

In local/tags.conf both are enabled:

[eventtype=check_point_action]
communicate = enabled
network = enabled

Checked splunk cmd to confirm the tags are being used & they are:

Splunk_TA_checkpoint-opseclea]$ splunk cmd btool tags list --debug | grep 'Splunk_TA_checkpoint-opseclea' | egrep 'communicate|network' | sort | uniq
/opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/local/tags.conf communicate = enabled
/opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/local/tags.conf [eventtype=opsec_communicate]
/opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/local/tags.conf network = enabled

Here is the output for tag=network OR tag=communicate action=* | stats values(action) by sourcetype :
sourcetype values(action)
linux_secure success
opendns:dnslogs
Allowed
Blocked
Proxied
opsec:anti_malware

blocked
deferred
opsec:anti_virus deferred
opsec:smartdefense

blocked
deferred
opsec:threat_emulation deferred
opsec:vpn

blocked
dropped

Re: Datamodel not showing all actions

kchamplin_splun — Wed, 30 Sep 2020 01:33:28 GMT

It's a bit hard to make out based on the formatting, but it looks to me like whatever sources or sourcetypes that are in in the eventtype search "opsec_communicate" is what's missing here...that said it looks like your local overrides for check_point_action eventtype should work, but in any case, if you can get tag=network or tag=communicate to actually return results for action=allowed, that will fix the DM problem.

Re: Datamodel not showing all actions

wgawhh5hbnht — Thu, 01 Aug 2019 17:40:30 GMT

Ya, formatting is terrible, I can't upload a picture...
Here is another crack at it with the action values below the sourcetype:
sourcetype values(action)
linux_secure
success

opendns:dnslogs 
Allowed
Blocked
Proxied

opsec:anti_malware  
blocked
deferred

opsec:anti_virus
deferred

opsec:smartdefense  
blocked
deferred

opsec:threat_emulation
deferred

opsec:vpn   
blocked
dropped

Re: Datamodel not showing all actions

lakshman239 — Wed, 30 Sep 2020 01:34:41 GMT

I believe the TA is overriding the action and missing the 'allowed. You can comment out FIELDALIAS-opsec_action = te_action AS action vendor_action AS action any any other related ones and see which one is causing the issue.