
Wrong assignment for field 'action' in ePO sourcetype?

evelenke
Contributor

Hi Team,

In the Splunk Add-on for McAfee you have a query option in the inputs (template\example) configuration: [EPOEvents].[ThreatActionTaken] as [vendor_action].
Then we have 2 neighbours in props.conf:
FIELDALIAS-vendor_action_for_mcafee_epo=action AS vendor_action
LOOKUP-action_for_mcafee_epo=epo_action_lookup vendor_action OUTPUT action

According to the sequence of operations, the value of vendor_action obtains the value of action, which is obviously NULL. As a result both action and vendor_action return NULL.

Could you please correct this, or correct me if I'm wrong 🙂

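Added example (not code from the thread or from the add-on): a small Python model of the search-time order behind the question, FIELDALIAS before LOOKUP, run over one constructed ePO event. The lookup rows are constructed stand-ins for epo_action_lookup, and the alias semantics follow the post's description (the alias takes the original field's value even when that field is absent), which is an assumption here.

```python
# Added example, not from the Splunk Add-on for McAfee or the thread.
# Models Splunk's search-time order (FIELDALIAS runs before LOOKUP) for the
# two props.conf lines in the question. Assumption: "action AS vendor_action"
# copies the (missing) action field into vendor_action, as the post describes.

# Constructed stand-in for epo_action_lookup: vendor_action -> action
EPO_ACTION_LOOKUP = {
    "Deleted": "blocked",
    "Cleaned": "blocked",
    "Denied": "blocked",
    "None": "allowed",
}


def field_alias(event, orig, new):
    """FIELDALIAS <orig> AS <new>: as modelled here the alias is set from the
    original field's value, which is None when <orig> is not in the event."""
    out = dict(event)
    out[new] = event.get(orig)
    return out


def lookup(event, table, input_field, output_field):
    """LOOKUP ... <input_field> OUTPUT <output_field>: a None or unknown input
    value produces no match, so the output field is left unset."""
    out = dict(event)
    key = event.get(input_field)
    if key is not None and key in table:
        out[output_field] = table[key]
    return out


def search_time_fields(event, alias_enabled=True):
    """Apply the add-on's two operations in Splunk's order and return the
    resulting (vendor_action, action) pair."""
    ev = dict(event)
    if alias_enabled:  # FIELDALIAS-vendor_action_for_mcafee_epo
        ev = field_alias(ev, "action", "vendor_action")
    # LOOKUP-action_for_mcafee_epo
    ev = lookup(ev, EPO_ACTION_LOOKUP, "vendor_action", "action")
    return ev.get("vendor_action"), ev.get("action")


# Constructed event: the input query already wrote ThreatActionTaken as vendor_action
SAMPLE_EVENT = {"ThreatName": "EICAR test file", "vendor_action": "Deleted"}

if __name__ == "__main__":
    print(search_time_fields(SAMPLE_EVENT))                      # -> (None, None)
    print(search_time_fields(SAMPLE_EVENT, alias_enabled=False))  # -> ('Deleted', 'blocked')
```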

marycordova
SplunkTrust

here is the props.conf statement I used to cobble together a decent "action" field:

| eval action=replace((replace((replace((case(
'ProductFamily'=="UDLP" OR 
match(lower('event_description'),"on-") OR 
match(lower('event_description'),"dll") OR 
match(lower('event_description'),"oss") OR 
match(lower('event_description'),"svm") OR 
match(lower('event_description'),"^scan") OR 
match(lower('event_description'),"policy") OR 
match(lower('event_description'),"service") OR 
match(lower('event_description'),"deferred") OR 
match(lower('event_description'),"update") OR 
match(lower('event_description'),"mcafee security") OR 
match(lower('event_description'),"protection \w+abled") OR
(match(lower('event_description'),"move") AND 'threat_handled'=="0"),lower('event_description'),

match(lower('event_description'),"pending") OR 
match(lower('event_description'),"unable to") OR
match(lower('event_description'),"not blocked") OR 
match(lower('event_description'),"would delete") OR 
match(lower('event_description'),"delete on reboot") OR 
(match(lower('event_description'),"handled") AND 'threat_handled'=="0") OR 
(match(lower('event_description'),"spam") AND match(lower('vendor_action'),"clean")) OR 
(match(lower('event_description'),"failed") AND NOT match(lower('event_description'),"deleted")) OR 
(match(lower('event_description'),"browser") AND NOT match(lower('ThreatName'),"web control violation")),"allowed",

match(lower('event_description'),"spam") OR 
match(lower('event_description'),"denied") OR 
match(lower('event_description'),"blocked") OR 
match(lower('event_description'),"handled") OR 
match(lower('event_description'),"deleted") OR 
match(lower('event_description'),"cleaned") OR 
match(lower('event_description'),"browser") OR
match(lower('event_description'),"quarantine") OR 
(match(lower('event_description'),"detected") AND 'threat_handled'=="1"),"blocked",

isnotnull('event_description'),lower('event_description'),
isnull('event_description'),"none")),",","")),"\.","")),";","")
@marycordova

marycordova
SplunkTrust

well, this was the GUI-based statement I was building off of... tweak the prepended syntax to make it a props.conf config:

EVAL-action = ...

@marycordova

evelenke
Contributor

Hi Mary,

thank you, that's a great example.
What I'm trying to say is: with the described add-on configuration you should not get any value for the fields vendor_action and action on the search head, even if you have vendor_action in events.
I see you use the condition AND match(lower('vendor_action') - is your 'vendor_action' field filled with values?


marycordova
SplunkTrust

yeah... it does, unfortunately at this current job I no longer have access to the config files... I believe our admins at least start with stock TA/app deployments and customize to hell 😛

but I would say, if you have a stock TA/app and it's weird, you could comment out the problem statements in the stock version, then just make a quick custom app with only the things you need in it

for example you could make an app directory custom_$tech$, such as custom_mcafee_epo, and then drop local and metadata directories in, with just the *.conf files you need in each plus the local.meta file

I could have sworn I had a post about making an IR app that gives you a nice little app shell... can't find it now, sorry!

@marycordova