I am currently adapting sourcetypes for Trend Micro products to the CIM, in order to use them with ES and the CIM app.
The CIM caters for:
However, the products I deal with have multiple scanning engines as well as multiple pattern file types. I thus propose some new fields:
Perhaps signature_version can then be created using an eval of the specified fields.
Good suggestions, we'll look into this for the future. In the meantime, you're probably best off treating each engine version as a different product type for simplicity's sake.
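An added illustration of both ideas in props.conf (not from the original thread, Trend Micro or Splunk): the accepted answer's approach of giving each engine its own vendor_product, and the poster's idea of deriving the CIM Malware field signature_version with an eval. The sourcetype name and the fields engine_name, engine_version and pattern_version are hypothetical stand-ins for whatever the Trend Micro extractions actually produce.

```ini
# props.conf -- added example; sourcetype and source field names are hypothetical.
[trendmicro:example]

# Per the accepted answer: make each scanning engine look like a distinct
# product, so the Malware data model's vendor_product tells them apart.
EVAL-vendor_product = "Trend Micro " . coalesce(engine_name, "Unknown Engine")

# Per the poster's suggestion: build signature_version from the engine and
# pattern fields. Events that carry only one of the two still get a value;
# events with neither are left without signature_version rather than "null".
EVAL-signature_version = case(isnotnull(engine_version) AND isnotnull(pattern_version), engine_version . "/" . pattern_version, isnotnull(pattern_version), pattern_version, isnotnull(engine_version), engine_version, true(), null())
```

Check the result with a search such as `index=<your_index> sourcetype=trendmicro:example | stats count by vendor_product signature_version` before pointing the CIM Malware data model at the sourcetype.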