Knowledge Management

Make logs CIM compatible - Malware in Splunk ES

Path Finder

Hi All,

I am using Sophos AV in my environment and it produces the logs in JSON format.

I want to see them in malware center in Splunk ES.

But some of the fields are not present in the logs, specially action field for which I am preparing one CSV (combination of event name and action). I will arrange auto-lookup then which should populate action field.

I don't have much idea on how to make them CIM compatible.

If I go by logic which I follow:
1. Trying to check whether all the required fields are being populated.
2. AV logs are properly tagged and relevant event types are created.

I have zero knowledge on pivot and data set creation.

Considering the required data sets are already created in data model.

Do I need to use pivot (mandatory)? Is my above understanding correct?

Regards,
Tejas

0 Karma
1 Solution

Hi Tejas,

It's not clear from your question, actually what help you need.

To make the data CIM compatible means, identify the fields from the data and name them as per the CIM rules.
Example,
- For IP address extraction, usually we the filed name ip_add, ip_location, etc...
- But to make it CIM compatible, the filed name should be src_ip or dest_ip.

Similarly eventtype or tag should be defined as per the naming convention of CIM rules.

In your case for MALWARE dashboard,
- check the datamodel or dataset being used in Malware dashboard
- identify the sourcetype/eventtype/tag for mail search query (means your data should be ingesting in splunk with this sourcetype/eventtype/tag value)
- identify the required fields and rename your extracted fields as per the fields in datamodel/dataset

Pivot is just a data visualization feature, the same thing you do with stats or other chart commands.

The below Splunk App may help to understand CIM compliance better.
https://splunkbase.splunk.com/app/1621/

Let me know if any other details are required.

Accept and upvote the answer if it helps.

Happy splunking........!!!!!!

View solution in original post

Hi Tejas,

It's not clear from your question, actually what help you need.

To make the data CIM compatible means, identify the fields from the data and name them as per the CIM rules.
Example,
- For IP address extraction, usually we the filed name ip_add, ip_location, etc...
- But to make it CIM compatible, the filed name should be src_ip or dest_ip.

Similarly eventtype or tag should be defined as per the naming convention of CIM rules.

In your case for MALWARE dashboard,
- check the datamodel or dataset being used in Malware dashboard
- identify the sourcetype/eventtype/tag for mail search query (means your data should be ingesting in splunk with this sourcetype/eventtype/tag value)
- identify the required fields and rename your extracted fields as per the fields in datamodel/dataset

Pivot is just a data visualization feature, the same thing you do with stats or other chart commands.

The below Splunk App may help to understand CIM compliance better.
https://splunkbase.splunk.com/app/1621/

Let me know if any other details are required.

Accept and upvote the answer if it helps.

Happy splunking........!!!!!!

View solution in original post