Hello everyone.
I am executing the following search:
`| from datamodel:Malware | search sourcetype=sentinel*`
to retrieve data from ST sentinelone. However, changing the standard search in this way:
`| from datamodel:Malware | search tag=attack tag=malware`
results in no data output.
I tried changing the search, but every test I have done led to the same result: the Malware DM seems unable to find data for those two attacks.
However, if I run the standard search
`(`cim_Malware_indexes`) tag=malware tag=attack`
data is found, but from a different ST (cp_log instead of sentinelone).
How can I check if the DM configuration is set properly to read data from tags?
Is there any way to avoid tag whitelisting in the Splunk ES CIM?
Please note that whitelisting the attack and malware tags makes them readable from the Malware datamodel. I am not very keen on changing standard setups to make things work.
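One way to trace where the tagging breaks, as an added example that is not part of the original post: three separate SPL searches that check, in turn, whether the SentinelOne events receive the tags at search time, which eventtypes the tags are bound to, and which sourcetypes the Malware datamodel actually returns. They assume the `sentinel*` sourcetype prefix from the post, a 24-hour window and `index=*` (adjust to the indexes in `cim_Malware_indexes`); `Malware_Attacks` is the root dataset of the CIM Malware datamodel, whose constraint is `tag=malware tag=attack`.

```spl
index=* sourcetype=sentinel* earliest=-24h
| rename comment AS "Search 1: do SentinelOne events carry the malware and attack tags at search time? If tag is empty or lacks malware/attack, no eventtype matched them."
| stats count BY sourcetype eventtype tag

| rest /servicesNS/-/-/configs/conf-tags count=0
| rename comment AS "Search 2: which eventtype stanzas in tags.conf enable the malware and attack tags, and from which app? The SentinelOne eventtype must appear here with both tags enabled."
| search title="eventtype=*"
| table eai:acl.app title malware attack

| tstats summariesonly=false count FROM datamodel=Malware.Malware_Attacks BY sourcetype
| rename comment AS "Search 3: which sourcetypes does the Malware datamodel itself return? If sentinelone is missing here but present in Search 1, the gap is the index allowlist in cim_Malware_indexes rather than the tags."
```

Run the three searches one at a time; the `| rename comment AS ...` lines are inert and only document each step.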