Splunk Enterprise

How to make action field CIM compliant

Haleb
Path Finder

I need to bring events related to creating and changing a user in the application into this CIM data model (Change -> Account Management). To do this, I need the action field to contain one of the following values: acl_modified, cleared, created, deleted, modified, stopped, lockout, read, logoff, updated, started, restarted, unlocked, according to this documentation. The problem is that the action field already exists in the events with the values create and delete, and it is used to describe not only actions on users but also actions on other objects. What method can you recommend to make the field CIM compliant?
Event example:

{
   "action": "delete",
   "actor_details": { ... },
   "actor_uuid": 11111111,
   "location": { ... },
   "object_details": { ... },
   "object_type": "user",   # can also be item, vault, etc.
   "object_uuid": 333333333,
   "session": { ... },
   "timestamp": 33213123,
   "uuid": 4444444
}


marnall
Motivator

Assuming you are only CIM-normalizing Change -> Account Management, you could filter the logs to object_type=user.

Make an eventtype with search string:

<yoursearch>
| search object_type=user
```Or put the above search filter in the first line of your search```

And set the tags to "change,account"

Then you can make the action field cim-compliant by making a calculated field:

Name: action
Eval expression: case(action="create","created",action="delete","deleted",1=1,action)

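The same eventtype, tags and calculated field expressed as conf-file stanzas, as an added example rather than the poster's own configuration. The sourcetype name my_app:json and the eventtype name are assumptions; the object_type="user" guards inside case() are an addition so that create/delete on items, vaults and other objects keep their original values instead of being rewritten.

```ini
# props.conf  (constructed example; sourcetype name is an assumption)
# Calculated fields run at search time after the JSON fields are extracted,
# so the EVAL can read the raw "action" and replace it with the CIM value.
# Only user events are remapped; everything else falls through to 1=1 and
# keeps the original action, so other object types are not disturbed.
[my_app:json]
KV_MODE = json
EVAL-action = case(object_type="user" AND action="create", "created", object_type="user" AND action="delete", "deleted", 1=1, action)

# eventtypes.conf  (eventtype name is an assumption)
# Restrict the Account Management dataset to user objects only.
[my_app_account_management]
search = sourcetype=my_app:json object_type=user

# tags.conf
# The CIM Change data model selects Account_Management events with
# tag=change AND tag=account, so both tags are attached to the eventtype.
[eventtype=my_app_account_management]
change = enabled
account = enabled
```

After reloading the configuration, `| datamodel Change Account_Management search` (or `| tstats` once the model is accelerated) should return the user events with action=created or action=deleted, which is a quick check that the tags and the field remapping both took effect.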