Solved: CIM malware actions

richardphung · ‎08-20-2019

Greetings...
We are currently using ES and ingesting data from our IDS and AV to populate the Malware DataModel.

According to the documentation:
https://docs.splunk.com/Documentation/CIM/4.13.0/User/Malware

Dataset name: Malware_Attacks Field
name: action

Data type: string

Description: The action taken by the reporting device.
Abbreviated list of example values:
ES expects: allowed
Other: blocked, deferred

In our DataModel, we have an Eval Expression that uses a CSV inputlookup:
| inputlookup actions_te.csv

Which is not always helpful as there are a LOT of events being picked up by "deferred"

Would it still be CIM compliant if we evaled Redirect and Detect events as their own actions?
Would this break anything in ES?

Thanks in advance.

lakshman239 · ‎08-22-2019

My suggestion is that you map your field values to one of - allowed/blocked/deferred for CIM complaince. this way the Security Domain -> Malware Center/Search/Operations dashboard will all be fine.

Any searches using datamodel/tstats should also be fine.

View solution in original post

lakshman239 · ‎08-22-2019

My suggestion is that you map your field values to one of - allowed/blocked/deferred for CIM complaince. this way the Security Domain -> Malware Center/Search/Operations dashboard will all be fine.

Any searches using datamodel/tstats should also be fine.

CIM malware actions

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector

Adoption of Infrastructure Monitoring at Splunk