All Apps and Add-ons

Splunk Add-on for CrowdStrike: Why is the Action field not evaluated correctly?

brandonf
Path Finder

Hi

The action field result do not evaluate properly as the field alias (EVAL-action) in the props.conf doesn't have all the correct values for the event.DetectName field. For example I am getting "Activity Prevented", which is not specified in the eval function.

I would recommend rather using a lookup table (vendor action list) like some of the other vendors do.
http://docs.splunk.com/Documentation/AddOns/released/McAfeeEPO/ConfigureLookups

Regards
Brandon

simonsigre
Path Finder

This appears to still be the case for the latest version... tags are applied correctly but the action field is not populated from the CIM list.

0 Karma
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...