Splunk Enterprise Security

Mapping field values to allowed valued for Enterprise Security (CIM Data Models)

Path Finder


in my logs I have field named 'action' with the following possible values: detect, prevent, redirect.
In order to integrate with Enterprise Security, the allowed values for this field are: allowed or blocked.

I edited my props.conf and added new EVAL command with the same field name 'action' (EVAL-action = ...).

This change affect the way my app users will need to look for their data.
In past, they used to search for "action=prevent" while after this change, this query has no results at all since the value has changed to "blocked".
Moreover, in the raw events, action field contains my own values (detect, prevent, redirect) and not the new ones so its a bit confusing.

Is this how I need to map my field values into ES values?

0 Karma


As the raw values contain (detect, prevent, re-direct), do you have TA/code that extracts these field values to a field called 'action'?. If so, your EVAL-action is overriding it.

My suggestion would be to have 2 fields, say 'vendor_action' and let it extract and have values like detect, prevent, re-direct. Then have another field extraction, say EVAL-action=.... map your logic to get 'allowed' and 'blocked'

The users can use vendor_action, if they want it specifically and CIM will have happy with 'action'.

0 Karma