https://community.splunk.com/t5/Splunk-Enterprise-Security/CIM-malware-actions/m-p/454927#M6404 <P>Greetings...<BR /> We are currently using ES and ingesting data from our IDS and AV to populate the Malware DataModel.</P> <P>According to the documentation:<BR /> <A href="https://docs.splunk.com/Documentation/CIM/4.13.0/User/Malware">https://docs.splunk.com/Documentation/CIM/4.13.0/User/Malware</A></P> <BLOCKQUOTE> <P><STRONG>Dataset name:</STRONG> Malware_Attacks Field<BR /> <STRONG>name:</STRONG> action<BR /><BR /> <STRONG>Data type:</STRONG> string<BR /><BR /> <STRONG>Description:</STRONG> The action taken by the reporting device. <BR /> <STRONG>Abbreviated list of example values:</STRONG> <BR /> <EM>ES expects:</EM> allowed<BR /> <EM>Other:</EM> blocked, deferred</P> </BLOCKQUOTE> <P>In our DataModel, we have an Eval Expression that uses a CSV inputlookup:<BR /> <CODE>| inputlookup actions_te.csv</CODE></P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/7538i6C077DDDBCB38A0A/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span><BR /> Which is not always helpful as there are a LOT of events being picked up by "deferred"</P> <P>Would it still be CIM compliant if we evaled <EM>Redirect</EM> and <EM>Detect</EM> events as their own actions?<BR /> Would this break anything in ES?</P> <P>Thanks in advance.</P> Tue, 20 Aug 2019 18:50:54 GMT richardphung 2019-08-20T18:50:54Z https://community.splunk.com/t5/Splunk-Enterprise-Security/CIM-malware-actions/m-p/454927#M6404 <P>Greetings...<BR /> We are currently using ES and ingesting data from our IDS and AV to populate the Malware DataModel.</P> <P>According to the documentation:<BR /> <A href="https://docs.splunk.com/Documentation/CIM/4.13.0/User/Malware">https://docs.splunk.com/Documentation/CIM/4.13.0/User/Malware</A></P> <BLOCKQUOTE> <P><STRONG>Dataset name:</STRONG> Malware_Attacks Field<BR /> <STRONG>name:</STRONG> action<BR /><BR /> <STRONG>Data type:</STRONG> string<BR /><BR /> <STRONG>Description:</STRONG> The action taken by the reporting device. <BR /> <STRONG>Abbreviated list of example values:</STRONG> <BR /> <EM>ES expects:</EM> allowed<BR /> <EM>Other:</EM> blocked, deferred</P> </BLOCKQUOTE> <P>In our DataModel, we have an Eval Expression that uses a CSV inputlookup:<BR /> <CODE>| inputlookup actions_te.csv</CODE></P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/7538i6C077DDDBCB38A0A/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span><BR /> Which is not always helpful as there are a LOT of events being picked up by "deferred"</P> <P>Would it still be CIM compliant if we evaled <EM>Redirect</EM> and <EM>Detect</EM> events as their own actions?<BR /> Would this break anything in ES?</P> <P>Thanks in advance.</P> Tue, 20 Aug 2019 18:50:54 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/CIM-malware-actions/m-p/454927#M6404 richardphung 2019-08-20T18:50:54Z https://community.splunk.com/t5/Splunk-Enterprise-Security/CIM-malware-actions/m-p/454928#M6405 <P>My suggestion is that you map your field values to one of - allowed/blocked/deferred for CIM complaince. this way the Security Domain -&gt; Malware Center/Search/Operations dashboard will all be fine. </P> <P>Any searches using datamodel/tstats should also be fine.</P> Thu, 22 Aug 2019 09:17:50 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/CIM-malware-actions/m-p/454928#M6405 lakshman239 2019-08-22T09:17:50Z