All Apps and Add-ons

Splunk Add-on for CrowdStrike: Why is the Action field not evaluated correctly?

brandonf
Path Finder

Hi

The action field result do not evaluate properly as the field alias (EVAL-action) in the props.conf doesn't have all the correct values for the event.DetectName field. For example I am getting "Activity Prevented", which is not specified in the eval function.

I would recommend rather using a lookup table (vendor action list) like some of the other vendors do.
http://docs.splunk.com/Documentation/AddOns/released/McAfeeEPO/ConfigureLookups

Regards
Brandon

simonsigre
Path Finder

This appears to still be the case for the latest version... tags are applied correctly but the action field is not populated from the CIM list.

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!