Reporting
Highlighted

What's the best datamodel to audit processes ran by users? and filesystem changes?

Communicator

Hello Again, I'm developing a compliance app (CIM, with tstats), now is the turn to write a search to monitor processes ran by users on the domain (windows and linux, maybe some other source of interest)

My doubt is, what datamodel should I use? I'm between Endpoint and Change. But endpoint does not have a user field, I don't understand why ¿What would be the right approarch?

For filesystem changes, I personally like Change but the SA-Cim definition, on the constraint part worries me, it litterally says:

(`cim_Change_indexes`) tag=change NOT (object_category=file OR object_category=directory OR object_category=registry)

I could just not parse the events with objectcategory=file, but I would like to know why is this, I mean, the endpoint datamodel does not have an objectcategory field, for example. Why I can't use it?

Thanks!

0 Karma
Highlighted

Re: What's the best datamodel to audit processes ran by users? and filesystem changes?

SplunkTrust
SplunkTrust
0 Karma
Highlighted

Re: What's the best datamodel to audit processes ran by users? and filesystem changes?

SplunkTrust
SplunkTrust

Pls accept if this helped to resolve your query, to help tracking

0 Karma