
Make logs CIM compatible - Malware in Splunk ES

tbavarva
Path Finder

Hi All,

I am using Sophos AV in my environment, and it produces logs in JSON format.

I want to see them in the Malware Center in Splunk ES.

But some of the fields are not present in the logs, especially the action field, for which I am preparing a CSV (a combination of event name and action). I will then set up an auto-lookup, which should populate the action field.

I don't have much idea of how to make them CIM compatible.

The logic I follow is:
1. Check whether all the required fields are being populated.
2. Make sure the AV logs are properly tagged and the relevant event types are created.

I have zero knowledge on pivot and data set creation.

Consider that the required data sets are already created in the data model.

Do I need to use pivot (is it mandatory)? Is my above understanding correct?

Regards,
Tejas

1 Solution

gaurav_maniar
Builder

Hi Tejas,

It's not clear from your question what help you actually need.

Making the data CIM compatible means identifying the fields in the data and naming them as per the CIM rules.
Example:
- For IP address extraction, we usually use field names like ip_add, ip_location, etc.
- But to make it CIM compatible, the field name should be src_ip or dest_ip.

Similarly, eventtypes or tags should be defined as per the naming conventions of the CIM rules.

In your case, for the Malware dashboard:
- check the data model or dataset being used in the Malware dashboard
- identify the sourcetype/eventtype/tag used by its main search query (meaning your data should be ingested into Splunk with this sourcetype/eventtype/tag value)
- identify the required fields and rename your extracted fields as per the fields in the data model/dataset

Pivot is just a data visualization feature; it does the same thing you do with stats or other chart commands.

The Splunk App below may help you understand CIM compliance better.
https://splunkbase.splunk.com/app/1621/

Let me know if any other details are required.

Accept and upvote the answer if it helps.

Happy splunking!

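As an added illustration of the steps in the answer above (this is not configuration from the thread, from Sophos, or from Splunk), the snippet below shows what the field renaming, the CSV auto-lookup for action, and the eventtype/tag pair for the Malware_Attacks dataset look like in .conf files. The sourcetype name sophos:av:json, the Sophos JSON field names, and the CSV rows are assumptions; the CIM field names (signature, dest, user, file_path, vendor_product, action) and the allowed/blocked/deferred action values are the Malware data model's.

```ini
# props.conf
# Assumed sourcetype name; the raw JSON field names on the left of each
# alias (threat_name, computer_name, user_name, path, event_name) are
# placeholders for whatever the Sophos events actually carry.
[sophos:av:json]
KV_MODE = json
# Step 3 of the answer: rename extracted fields to the CIM names the
# Malware data model expects.
FIELDALIAS-sophos_cim = threat_name AS signature computer_name AS dest user_name AS user path AS file_path
EVAL-vendor_product = "Sophos AV"
# Auto-lookup that fills the missing CIM "action" field from the event name.
LOOKUP-sophos_action = sophos_action_lookup event_name OUTPUTNEW action

# transforms.conf
[sophos_action_lookup]
filename = sophos_action.csv
case_sensitive_match = false
# Constructed sample contents of lookups/sophos_action.csv; the event names
# are invented, the action values are the CIM-prescribed ones:
#   event_name,action
#   threat_cleaned_up,blocked
#   threat_blocked,blocked
#   threat_detected_quarantine_pending,deferred
#   threat_allowed_by_policy,allowed

# eventtypes.conf
# Step 2 of the answer: an eventtype that selects the normalised events.
[sophos_av_malware]
search = sourcetype="sophos:av:json" action=*

# tags.conf
# Malware_Attacks is populated by events tagged both "malware" and "attack".
[eventtype=sophos_av_malware]
malware = enabled
attack = enabled

# Check (run in Search after the knowledge objects are deployed):
#   | from datamodel:Malware.Malware_Attacks | stats count by action signature dest
# Events whose event_name is not in the CSV will show up with an empty
# action, which is the quickest way to spot rows the lookup still lacks.
```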

