Mapping field values to allowed valued for Enterpr...

shayhibah · ‎01-12-2020

Hi,

in my logs I have field named 'action' with the following possible values: detect, prevent, redirect.
In order to integrate with Enterprise Security, the allowed values for this field are: allowed or blocked.

I edited my props.conf and added new EVAL command with the same field name 'action' (EVAL-action = ...).

This change affect the way my app users will need to look for their data.
In past, they used to search for "action=prevent" while after this change, this query has no results at all since the value has changed to "blocked".
Moreover, in the raw events, action field contains my own values (detect, prevent, redirect) and not the new ones so its a bit confusing.

Is this how I need to map my field values into ES values?

lakshman239 · ‎02-24-2020

As the raw values contain (detect, prevent, re-direct), do you have TA/code that extracts these field values to a field called 'action'?. If so, your EVAL-action is overriding it.

My suggestion would be to have 2 fields, say 'vendor_action' and let it extract and have values like detect, prevent, re-direct. Then have another field extraction, say EVAL-action=.... map your logic to get 'allowed' and 'blocked'

The users can use vendor_action, if they want it specifically and CIM will have happy with 'action'.

Mapping field values to allowed valued for Enterprise Security (CIM Data Models)

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?