Splunk Enterprise Security

inclusion in Datamodel

N92
Path Finder

If there is any source type which has hash values but not action fields like allowed or blocked then it can consider as in malware datamodel.

If not then what would be ideal way to cover the souretype in different usecases.

0 Karma
1 Solution

lakshman239
Influencer

if you have a datasource which can be mapped to Malware datamodel, https://docs.splunk.com/Documentation/CIM/4.12.0/User/Malware, yes, it can be mapped, but you would need to ensure required fields are derived from your data. If you don't have action - allowed/blocked readily available, can that be derived based on other fields/data in your events? If yes, that can be used to calculate a suitable value for action field.

what's your data source.

View solution in original post

0 Karma

lakshman239
Influencer

if you have a datasource which can be mapped to Malware datamodel, https://docs.splunk.com/Documentation/CIM/4.12.0/User/Malware, yes, it can be mapped, but you would need to ensure required fields are derived from your data. If you don't have action - allowed/blocked readily available, can that be derived based on other fields/data in your events? If yes, that can be used to calculate a suitable value for action field.

what's your data source.

0 Karma

N92
Path Finder

My datasource is kind of analytics where multiple values are available like (Hash, URL etc). Ideally they are not part of malware because they doesn't have the alarm values which indicate it's malware.

But I have to use this data with other indexs for the correlation so adding in malware datamodel is good or not. If not then what would be the ideal way?

0 Karma

lakshman239
Influencer

If its not related to malware data, you don't have to add them to datamodel. You can still correlate with you other data(from another index/sourcetype) and join both the data based on common fields.

0 Karma
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...