Archive

Splunk Add-on for CrowdStrike: Why is the Action field not evaluated correctly?

Path Finder

Hi

The action field result do not evaluate properly as the field alias (EVAL-action) in the props.conf doesn't have all the correct values for the event.DetectName field. For example I am getting "Activity Prevented", which is not specified in the eval function.

I would recommend rather using a lookup table (vendor action list) like some of the other vendors do.
http://docs.splunk.com/Documentation/AddOns/released/McAfeeEPO/ConfigureLookups

Regards
Brandon

Path Finder

This appears to still be the case for the latest version... tags are applied correctly but the action field is not populated from the CIM list.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!