How can I check if the DM configuration is set properly to read data from tags?

adol83 (Explorer)

Hello everyone.

I am executing the following search:
| from datamodel:Malware | search sourcetype=sentinel*

to retrieve data from ST sentinelone. However, changing the standard search in this way:

| from datamodel:Malware | search tag=attack tag=malware

results in no data output.

I tried to change the search, but every test I have done led to the same result: the Malware DM seems unable to find data for those two tags.

However, if I run the standard search

(`cim_Malware_indexes`) tag=malware tag=attack

data is found, but from a different ST (cp_log instead of sentinelone).

How can I check if the DM configuration is set properly to read data from tags?
Is there any way to avoid tag whitelisting in the Splunk ES CIM?

Please note that whitelisting the attack and malware tags makes them readable from the Malware datamodel. I am not very keen on changing standard setups to make things work.

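The following two searches are an added diagnostic for the question above; they are not part of the original post and not Splunk or CIM code. They assume the stock Splunk_SA_CIM Malware data model, whose Malware_Attacks dataset is constrained by `tag=malware tag=attack` on the indexes returned by the `cim_Malware_indexes` macro. Run each search on its own over the same time range. The first compares, per sourcetype, what the raw tag search returns against what the data model constraint returns (`| datamodel ... search`, no acceleration) and against what the accelerated summary returns (`tstats summariesonly=true`); the second lists the eventtypes that actually carry both tags, with the eventtype search string, so you can see which sourcetypes they can ever match.

```spl
`cim_Malware_indexes` tag=malware tag=attack
| stats count by sourcetype
| eval check="1 raw search: CIM indexes + tag=malware tag=attack"
| append
    [| datamodel Malware Malware_Attacks search
     | stats count by sourcetype
     | eval check="2 data model constraint search (no acceleration)"]
| append
    [| tstats summariesonly=true count from datamodel=Malware.Malware_Attacks by sourcetype
     | eval check="3 accelerated summary only (tstats summariesonly=true)"]
| table check sourcetype count
| sort check sourcetype

| rest /servicesNS/-/-/configs/conf-tags splunk_server=local
| search title="eventtype=*" malware=enabled attack=enabled
| rex field=title "^eventtype=(?<eventtype>.+)$"
| join type=left eventtype
    [| rest /servicesNS/-/-/saved/eventtypes splunk_server=local
     | rename title AS eventtype
     | table eventtype search]
| table eventtype search eai:acl.app
```

Reading the first search: a sourcetype present in check 1 but missing from check 2 means the events carry the tags, yet the data model's own definition (its constraint and any tag whitelist applied in CIM setup) filters them out, so the fix is on the data model side rather than in tags.conf. A sourcetype present in check 2 but missing from check 3 means the constraint matches but the acceleration summary has not been built or backfilled for that period. The second search tells you whether any eventtype that is tagged with both malware and attack has a search string that can match sentinelone data at all; if none does, the sourcetype was never going to reach the data model regardless of the whitelist.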