Splunk Enterprise Security

CIM malware actions

richardphung
Communicator

Greetings...
We are currently using ES and ingesting data from our IDS and AV to populate the Malware DataModel.

According to the documentation:
https://docs.splunk.com/Documentation/CIM/4.13.0/User/Malware

Dataset name: Malware_Attacks Field
name: action

Data type: string

Description: The action taken by the reporting device.
Abbreviated list of example values:
ES expects: allowed
Other: blocked, deferred

In our DataModel, we have an Eval Expression that uses a CSV inputlookup:
| inputlookup actions_te.csv

alt text
Which is not always helpful as there are a LOT of events being picked up by "deferred"

Would it still be CIM compliant if we evaled Redirect and Detect events as their own actions?
Would this break anything in ES?

Thanks in advance.

0 Karma
1 Solution

lakshman239
SplunkTrust
SplunkTrust

My suggestion is that you map your field values to one of - allowed/blocked/deferred for CIM complaince. this way the Security Domain -> Malware Center/Search/Operations dashboard will all be fine.

Any searches using datamodel/tstats should also be fine.

View solution in original post

0 Karma

lakshman239
SplunkTrust
SplunkTrust

My suggestion is that you map your field values to one of - allowed/blocked/deferred for CIM complaince. this way the Security Domain -> Malware Center/Search/Operations dashboard will all be fine.

Any searches using datamodel/tstats should also be fine.

0 Karma
Get Updates on the Splunk Community!

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! 🌈 In the United States, as well as many countries around the ...

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...

Admin Your Splunk Cloud, Your Way

Join us to maximize different techniques to best tune Splunk Cloud. In this Tech Enablement, you will get ...