Security

Malware Operations CIM, catering for multiple engines and pattern types

Path Finder

Hi,

I am currently adapting sourcetypes for Trend Micro Products to the the CIM, in order to use them with ES and the CIM app.

The CIM caters for:

  • product
  • vendor
  • product_version
  • signature_version

However, the products I deal with have multiple scanning engines as well as multiple pattern file types. I thus propose some new fields:

  • engine
  • engine_version
  • signature_type
  • signature_version

Perhaps signature_version can then be created using an eval of the specified fields.

Regards,
Stephan

0 Karma
1 Solution

Splunk Employee
Splunk Employee

Hi Stephan,

good suggestions, we'll look into this for the future. In the meantime, you're probably best off treating each engine version as a different product type for simplicity's sake.

View solution in original post

0 Karma

Splunk Employee
Splunk Employee

Hi Stephan,

good suggestions, we'll look into this for the future. In the meantime, you're probably best off treating each engine version as a different product type for simplicity's sake.

View solution in original post

0 Karma