We are reviewing the Fireeye app v3 for Splunk CIM compliance; the eventtype configuration that exists in the Splunk FireEye app currently applies all tags all to events, meaning for example the email tag is applied to HX events, resulting in them populating in the Email data model in splunk, which does not seem correct.
We are trying to understand if there is a reason for this, or if there is a reason multiple eventtypes can't be defined to apply the tags a bit more selectively, so that the event types from the various FireEye appliance end up on only the relevant data models.
i.e. Events from HX only end up in the 'Malware' & 'Intrusion Detection' data model and not the 'Email' data model.
The defined eventtype search string in the fireeye app:
search = sourcetype=fe_* OR sourcetype=hx_*
That search results in every fireeye event we have getting tagged with these:
alert, attack, dhcp, email, ids, malware, operations, proxy & web
Could someone familiar with this app and CIM compliance explain the logic of this setup?