Hi Team,
in the Splunk Add-on for McAfee you have a query option in the inputs (template\example) configuration: [EPOEvents].[ThreatActionTaken] as [vendor_action].
Then we have 2 neighbours in props.conf:
FIELDALIAS-vendor_action_for_mcafee_epo=action AS vendor_action
LOOKUP-action_for_mcafee_epo=epo_action_lookup vendor_action OUTPUT action
According to the sequence of operations, the value of vendor_action obtains the value of action, which is obviously NULL. As a result, both action and vendor_action return NULL.
Could you please correct this, or correct me if I'm wrong 🙂
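A small Python model of the search-time ordering the post is about, added here as an illustration; it is not code from the Splunk Add-on for McAfee or from anyone in the thread. The lookup table is a constructed stand-in for epo_action_lookup, and the FIELDALIAS semantics are modelled as the poster describes them (an alias whose source field is absent still writes its target). It shows why an input-supplied vendor_action ends up NULL together with action, and what the same event yields once the alias stanza is commented out, as suggested later in the thread.

```python
# Toy model of Splunk's search-time field processing order (aliases, then lookups).
# Added example for this thread, not the add-on's own code. The alias behaviour
# follows the original poster's description, which is exactly what the thread debates.
from typing import Optional, Tuple


# Constructed stand-in for epo_action_lookup: a few ThreatActionTaken values and
# the action each should map to. Not the add-on's real lookup file.
EPO_ACTION_LOOKUP = {
    "deleted": "blocked",
    "cleaned": "blocked",
    "blocked": "blocked",
    "none": "allowed",
}


def field_alias(event: dict, orig: str, new: str) -> dict:
    """FIELDALIAS-<class> = <orig> AS <new>: copy <orig> into <new>.

    Modelled as the poster describes: the target is written even when <orig>
    is missing, so an absent source clobbers an existing target with NULL.
    """
    out = dict(event)
    out[new] = event.get(orig)
    return out


def lookup(event: dict, table: dict, input_field: str, output_field: str) -> dict:
    """LOOKUP-<class> = <table> <input_field> OUTPUT <output_field>.

    Writes <output_field> only when the input value matches a table row;
    a NULL input matches nothing, so <output_field> is never populated.
    """
    out = dict(event)
    key = event.get(input_field)
    if key is not None and key.lower() in table:
        out[output_field] = table[key.lower()]
    return out


def search_time_fields(event: dict, alias_pair: Optional[Tuple[str, str]] = None) -> dict:
    """Run the two props.conf stanzas in search-time order: field aliases
    first, then the automatic lookup keyed on vendor_action."""
    out = dict(event)
    if alias_pair is not None:
        out = field_alias(out, *alias_pair)
    return lookup(out, EPO_ACTION_LOOKUP, "vendor_action", "action")


def as_shipped(event: dict) -> dict:
    """The quoted configuration: 'action AS vendor_action', then the lookup."""
    return search_time_fields(event, ("action", "vendor_action"))


def alias_removed(event: dict) -> dict:
    """Same event with the FIELDALIAS stanza commented out; only the lookup runs."""
    return search_time_fields(event, None)


if __name__ == "__main__":
    # Constructed event: the DB input already supplied vendor_action via
    # [EPOEvents].[ThreatActionTaken] as [vendor_action].
    event = {"vendor_action": "Deleted", "ThreatName": "EICAR test file"}
    print("as shipped:   ", as_shipped(event))
    print("alias removed:", alias_removed(event))
```

Running it prints the first event with vendor_action and action both absent or NULL, and the second with vendor_action preserved and action resolved through the lookup; that is the difference the poster is pointing at.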
Here is the props.conf statement I used to cobble together a decent "action" field:
| eval action=replace((replace((replace((case(
'ProductFamily'=="UDLP" OR
match(lower('event_description'),"on-") OR
match(lower('event_description'),"dll") OR
match(lower('event_description'),"oss") OR
match(lower('event_description'),"svm") OR
match(lower('event_description'),"^scan") OR
match(lower('event_description'),"policy") OR
match(lower('event_description'),"service") OR
match(lower('event_description'),"deferred") OR
match(lower('event_description'),"update") OR
match(lower('event_description'),"mcafee security") OR
match(lower('event_description'),"protection \w+abled") OR
(match(lower('event_description'),"move") AND 'threat_handled'=="0"),lower('event_description'),
match(lower('event_description'),"pending") OR
match(lower('event_description'),"unable to") OR
match(lower('event_description'),"not blocked") OR
match(lower('event_description'),"would delete") OR
match(lower('event_description'),"delete on reboot") OR
(match(lower('event_description'),"handled") AND 'threat_handled'=="0") OR
(match(lower('event_description'),"spam") AND match(lower('vendor_action'),"clean")) OR
(match(lower('event_description'),"failed") AND NOT match(lower('event_description'),"deleted")) OR
(match(lower('event_description'),"browser") AND NOT match(lower('ThreatName'),"web control violation")),"allowed",
match(lower('event_description'),"spam") OR
match(lower('event_description'),"denied") OR
match(lower('event_description'),"blocked") OR
match(lower('event_description'),"handled") OR
match(lower('event_description'),"deleted") OR
match(lower('event_description'),"cleaned") OR
match(lower('event_description'),"browser") OR
match(lower('event_description'),"quarantine") OR
(match(lower('event_description'),"detected") AND 'threat_handled'=="1"),"blocked",
isnotnull('event_description'),lower('event_description'),
isnull('event_description'),"none")),",","")),"\.","")),";","")
Well, this was the GUI-based statement I was building off of... tweak the prepended syntax to make it a props.conf config:
EVAL-action = ...
Hi Mary,
thank you, that's a great example.
What I'm trying to say is that with the described add-on configuration you should not get any value for the fields vendor_action and action on the Search Head, even if you have vendor_action in events.
I see you use the condition AND match(lower('vendor_action') - is your 'vendor_action' field filled with values?
Yeah... it does. Unfortunately, at this current job I no longer have access to the config files... I believe our admins at least start with stock TA/app deployments and customize to hell 😛
But I would say, if you have a stock TA/app and it's weird, you could comment out the problem statements in the stock version, then just make a quick custom app with only the things you need in it.
For example, you could make an app directory custom_$tech$, e.g. custom_mcafee_epo, and then drop local and metadata directories in with just the *.conf files you need in each, plus the local.meta file.
I could have sworn I had a post about making an IR app that gives you a nice little app shell... can't find it now, sorry!
Here it is: https://answers.splunk.com/answers/741035/how-to-index-evtx-files-exported-from-a-windows-sy.html
Needs updating already, too...