All Apps and Add-ons

Splunk Common Information Model: If my data source can generate multiple user names related to an intrusion detection event, how do I handle this?

vvajdic
Splunk Employee
Splunk Employee

The current definition for this field is this:
IDS_Attacks| user | string | The user involved with the intrusion detection event.

My data source can generate multiple user names related to an intrusion detection event.
How would be best to handle this?

Thanks.

0 Karma

esix_splunk
Splunk Employee
Splunk Employee

Without seeing your data source, most like you need to multikv these events in order to report on them individually.

Thinking of some common HIDS types logs such as McAffeeEPO, typically destination user events are individual and not reported in the same log..

0 Karma

Richfez
SplunkTrust
SplunkTrust

"How" does it generate multiple user names? Can you paste an example of the raw log? Are you already ingesting it into Splunk? If so can you paste an example of the event from Splunk?

0 Karma

vvajdic
Splunk Employee
Splunk Employee

Here is a part of a log event:

deviceSeverity=value act=value rt=value shost=value src=value sourceZoneURI=value sproc=value dhost=value dst=value destinationZoneURI=value dntdom=value dpt=value duser=value1, value2, value3, value4 fname=value cs1= value cs2=value cs3=value cs4=value

duser should map to Intrusion Detection/User and the question is what to do with multiple values of duser.

a More generally what are the options if data source generates more fields then what exists is in the data model?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...