Splunk Enterprise Security

ES search head notable events for zscaler have signature "None"

ravikiranradhak
New Member

Hi All,

We're getting a number of notable events coming through, originating from zscaler, that have a signature of "None". From looking at the props.conf, I see there are two aliases resulting in signature.

FIELDALIAS-aob_gen_zscalernss_web_alias_4 = threatname AS signature
FIELDALIAS-dlpdictionaries_as_signature = dlpdictionaries AS signature

If 100% of events have signature="None" then can FIELDALIAS-dlpdictionaries_as_signature be disabled?

Looks like there are two aliases for category field as well:
FIELDALIAS-threatcategory_as_category = threatcategory AS category
FIELDALIAS-urlcategory_as_category = urlcategory AS category

0 Karma

jawaharas
Motivator

Based on your response (the threatname field has non-NONE values, but all the values in dlpdictionaries are NONE), it makes sense now.

FIELDALIAS-aob_gen_zscalernss_web_alias_4 = threatname AS signature
FIELDALIAS-dlpdictionaries_as_signature = dlpdictionaries AS signature

As per the above sequence in your props.conf, the NONE value of 'dlpdictionaries' overwrites the non-NONE values of the 'threatname' field.

Based on your use-case, you can either reverse the order of the FIELDALIAS configuration as below or you can use a different FIELDALIAS name (as you figured out).

FIELDALIAS-dlpdictionaries_as_signature = dlpdictionaries AS signature
FIELDALIAS-aob_gen_zscalernss_web_alias_4 = threatname AS signature

0 Karma
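The problem jawaharas describes is a general one: two FIELDALIAS entries in the same stanza writing the same destination field, where the one evaluated later clobbers the other. The following is an added example (not code from the thread or from the Zscaler Splunk App) that reads a props.conf excerpt, reports every destination field that has more than one alias writing to it, and models the "later alias overwrites" behaviour described above on a constructed event. The stanza name `zscalernss-web`, the extra `fileclass AS file_type` line and the event values are assumptions made for the example; the simple last-wins model is an illustration of the behaviour the thread reports, not a reproduction of Splunk's exact evaluation order.

```python
import re
from collections import defaultdict

# Constructed props.conf excerpt modelled on the thread; the stanza name and
# the file_type alias are assumptions, not the real app's file.
SAMPLE_PROPS = """
[zscalernss-web]
FIELDALIAS-aob_gen_zscalernss_web_alias_4 = threatname AS signature
FIELDALIAS-dlpdictionaries_as_signature = dlpdictionaries AS signature
FIELDALIAS-threatcategory_as_category = threatcategory AS category
FIELDALIAS-urlcategory_as_category = urlcategory AS category
FIELDALIAS-fileclass_as_file_type = fileclass AS file_type
"""

ALIAS_RE = re.compile(r"^(FIELDALIAS-[^\s=]+)\s*=\s*(.+)$")
# A single FIELDALIAS line may carry several "<src> AS <dst>" pairs.
PAIR_RE = re.compile(r"(\S+)\s+AS\s+(\S+)", re.IGNORECASE)


def parse_field_aliases(props_text):
    """Return {stanza: [(alias_name, src, dst), ...]} in file order."""
    aliases = defaultdict(list)
    stanza = None
    for raw in props_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            continue
        m = ALIAS_RE.match(line)
        if not m or stanza is None:
            continue
        name, spec = m.groups()
        for src, dst in PAIR_RE.findall(spec):
            aliases[stanza].append((name, src, dst))
    return dict(aliases)


def find_conflicting_aliases(props_text):
    """Return {(stanza, dst): [(alias_name, src), ...]} for every destination
    field that more than one FIELDALIAS in the same stanza writes to."""
    conflicts = {}
    for stanza, entries in parse_field_aliases(props_text).items():
        by_dst = defaultdict(list)
        for name, src, dst in entries:
            by_dst[dst].append((name, src))
        for dst, writers in by_dst.items():
            if len(writers) > 1:
                conflicts[(stanza, dst)] = writers
    return conflicts


def apply_aliases_last_wins(event, entries):
    """Model of the behaviour reported in the thread: each alias copies its
    source value (when the source exists) onto the destination, so an alias
    applied later overwrites an earlier one. Illustrative only; Splunk's real
    evaluation order is not reproduced here."""
    out = dict(event)
    for _name, src, dst in entries:
        if src in out:
            out[dst] = out[src]
    return out


if __name__ == "__main__":
    for (stanza, dst), writers in find_conflicting_aliases(SAMPLE_PROPS).items():
        print(f"[{stanza}] field '{dst}' is written by {len(writers)} aliases:")
        for name, src in writers:
            print(f"    {name}: {src} -> {dst}")

    # Constructed event: a real threat name, but no DLP dictionary matched.
    event = {"threatname": "Malware.Generic", "dlpdictionaries": "None"}
    entries = parse_field_aliases(SAMPLE_PROPS)["zscalernss-web"]
    print("signature as configured:", apply_aliases_last_wins(event, entries)["signature"])
    print("signature with order reversed:", apply_aliases_last_wins(event, entries[::-1])["signature"])
```

Running the check over the excerpt flags both `signature` and `category` as doubly written, which matches the two pairs quoted in the question; the `category` pair deserves the same review as `signature`, since a notable event's category drives correlation searches in the same way. Whichever fix is chosen (reordering, a differently named alias, or an eval-based coalesce of the two source fields), re-run the check afterwards so the conflict list is empty.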

jawaharas
Motivator

Does the log event have values for the dlpdictionaries and threatname fields? Or can you post a sample log event and your props.conf file for the 'Zscaler Splunk App'?

0 Karma

ravikiranradhak
New Member

@jawaharas : The threatname field has non-NONE values, but all the values in dlpdictionaries are NONE. We are using the default props.conf from the app itself. Though after renaming the alias for dlpdictionaries to some other name, we can see the signature field populated with non-None values from the threatname field.

0 Karma