Mapping field values to allowed valued for Enterpr...

shayhibah · ‎01-12-2020

Hi,

in my logs I have field named 'action' with the following possible values: detect, prevent, redirect.
In order to integrate with Enterprise Security, the allowed values for this field are: allowed or blocked.

I edited my props.conf and added new EVAL command with the same field name 'action' (EVAL-action = ...).

This change affect the way my app users will need to look for their data.
In past, they used to search for "action=prevent" while after this change, this query has no results at all since the value has changed to "blocked".
Moreover, in the raw events, action field contains my own values (detect, prevent, redirect) and not the new ones so its a bit confusing.

Is this how I need to map my field values into ES values?

lakshman239 · ‎02-24-2020

As the raw values contain (detect, prevent, re-direct), do you have TA/code that extracts these field values to a field called 'action'?. If so, your EVAL-action is overriding it.

My suggestion would be to have 2 fields, say 'vendor_action' and let it extract and have values like detect, prevent, re-direct. Then have another field extraction, say EVAL-action=.... map your logic to get 'allowed' and 'blocked'

The users can use vendor_action, if they want it specifically and CIM will have happy with 'action'.

Mapping field values to allowed valued for Enterprise Security (CIM Data Models)

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!