Malware Operations CIM, catering for multiple engines and pattern types

stephanbuys
Path Finder

Hi,

I am currently adapting sourcetypes for Trend Micro products to the CIM, in order to use them with ES and the CIM app.

The CIM caters for:

  • product
  • vendor
  • product_version
  • signature_version

However, the products I deal with have multiple scanning engines as well as multiple pattern file types. I thus propose some new fields:

  • engine
  • engine_version
  • signature_type
  • signature_version

Perhaps signature_version can then be created using an eval of the specified fields.

Regards,
Stephan

0 Karma
1 Solution

jcoates_splunk
Splunk Employee

Hi Stephan,

Good suggestions; we'll look into this for the future. In the meantime, you're probably best off treating each engine version as a different product type for simplicity's sake.

0 Karma
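Both approaches in the thread (Stephan's proposal to derive `signature_version` with an eval over engine and pattern fields, and jcoates_splunk's interim advice to treat each engine as its own product) can be expressed as search-time knowledge objects in props.conf. The stanza below is an added example, not configuration from the thread or from Trend Micro; the sourcetype name `trendmicro:example` and the raw extracted field names `scan_engine`, `scan_engine_ver`, `pattern_type` and `pattern_ver` are assumptions standing in for whatever a given product's logs actually contain.

```ini
# Added example, not from the original thread. Assumes a sourcetype
# "trendmicro:example" whose extractions already yield the (hypothetical)
# fields scan_engine, scan_engine_ver, pattern_type and pattern_ver.
[trendmicro:example]

# Existing CIM Malware fields.
EVAL-vendor = "Trend Micro"

# Interim approach from the accepted answer: make each engine look like a
# distinct product so the existing model can tell them apart. Falls back to
# the bare product name when no engine field was extracted, so the field is
# never left null.
EVAL-product = "Example Product".if(isnull(scan_engine), "", "/".scan_engine)

# Proposed additional fields, exposed as aliases of the raw extractions.
# Calculated fields in props.conf cannot reference each other, so the
# aliases and the eval below all read from the raw fields directly.
FIELDALIAS-engine         = scan_engine     AS engine
FIELDALIAS-engine_version = scan_engine_ver AS engine_version
FIELDALIAS-signature_type = pattern_type    AS signature_type

# Proposed eval for signature_version: prefix the pattern version with its
# type when a type is present (e.g. "virus:17.123.00"), otherwise pass the
# version through unchanged.
EVAL-signature_version = if(isnull(pattern_type), pattern_ver, pattern_type.":".pattern_ver)
```

To confirm the mapping behaves as intended before pointing the data model at it, a search such as `sourcetype=trendmicro:example | stats count by vendor product engine engine_version signature_type signature_version` should show one row per engine/pattern combination with no null `product` or `signature_version` values; events that do produce nulls indicate extractions the stanza's assumed field names do not cover.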
