Solved: CIM Field Values- Do field values have to be consi...

R00ster · ‎09-21-2022

Hello

Do field values have to be consistent for ES or doesn't it matter? So in the wineventlog if src is sometimes the IP and other times the fqdn does ES care? Same with the user field, if sometimes the field value is bob@domain or domain-bob or bob$ does it matter?

Thanks

R00ster

richgalloway · ‎09-21-2022

CIM focuses on field names and completely ignores the values.

As for whether or not ES cares, that depends on how the field is used. Attempting to correlate source addresses in events will be a challenge if some events contain IP addresses and others contain FQDNs, for example.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎09-21-2022

CIM focuses on field names and completely ignores the values.

As for whether or not ES cares, that depends on how the field is used. Attempting to correlate source addresses in events will be a challenge if some events contain IP addresses and others contain FQDNs, for example.

---
If this reply helps you, Karma would be appreciated.

R00ster · ‎10-10-2022

Fab thanks very much for confirming, very helpful indeed.

CIM Field Values- Do field values have to be consistent for ES or doesn't it matter?

using Enterprise Security

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

Improve Data Pipelines Using Splunk Data Management

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?