Below is the CIM compliance mapping I have done for the Bit9 security platform. This should cover about 90 % of it; if anyone can find more, please post it here.
props.conf
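[bit9]
# props.conf — search-time CIM field mappings for sourcetype=bit9
# (Bit9 / Carbon Black). Comments use "#" (the only comment marker the Splunk
# .conf parser recognises). Long values below are split with a trailing
# backslash, which the Splunk .conf parser treats as line continuation; keep
# the backslash as the last character of every continued line.

# HostName looks like DOMAIN\host: keep the part before the backslash.
# In eval syntax "\\" is one literal backslash.
EVAL-dest_nt_domain = mvindex(split(HostName, "\\"),0)
# Human-readable copy of the indexed timestamp (_time).
EVAL-date = strftime(_time,"%Y-%m-%d %H:%M:%S")
EVAL-vendor_product = "bit9 carbon black"
# CIM action. case() returns the FIRST matching branch, so order matters:
# EventSubType keyword patterns are tried first, then the numeric OpType.
# Fixes against the earlier version of this stanza:
#  - "%uninstall%" is tested before "%nstall%"; previously "%nstall%" came
#    first and silently mapped every uninstall to "created".
#  - "%,modif%" (stray comma, could never match "modified") is now "%modif%".
#  - the final default is the quoted string "success"; an unquoted success is
#    a field reference, which yields a null action when no such field exists.
#  - the duplicate "%logout%" branch and the "%New unapproved%" branch (already
#    shadowed by "%New%" with the same value) are dropped.
# like() patterns are copied from the original; note "%New%" is capitalised
# while the others are lowercase. The catch-all "success" is the author's
# choice — it presumes an unclassified event is benign, so review it before
# relying on action for alerting (CIM also allows "unknown").
# The OpType code meanings cannot be confirmed from this file — verify against
# the vendor documentation for the installed version.
EVAL-action = case( \
    like(EventSubType,"%change%"),"modified", \
    like(EventSubType,"%delet%"),"deleted", \
    like(EventSubType,"%modif%"),"modified", \
    like(EventSubType,"%create%"),"created", \
    like(EventSubType,"%fail%"),"failure", \
    like(EventSubType,"%succe%"),"success", \
    like(EventSubType,"%rest%"),"restarted", \
    like(EventSubType,"%shutdown%"),"shutdown", \
    like(EventSubType,"%start%"),"started", \
    like(EventSubType,"%reset%"),"modified", \
    like(EventSubType,"%login%"),"success", \
    like(EventSubType,"%logout%"),"logoff", \
    like(EventSubType,"%attach%"),"created", \
    like(EventSubType,"%detach%"),"deleted", \
    like(EventSubType,"%upgrade%"),"upgraded", \
    like(EventSubType,"%uninstall%"),"deleted", \
    like(EventSubType,"%nstall%"),"created", \
    like(EventSubType,"%finish%"),"success", \
    like(EventSubType,"%close%"),"success", \
    like(EventSubType,"%set%"),"modified", \
    like(EventSubType,"%allow%"),"allowed", \
    like(EventSubType,"%block%"),"blocked", \
    like(EventSubType,"%download%"),"created", \
    like(EventSubType,"%detect%"),"allowed", \
    like(EventSubType,"%found%"),"allowed", \
    like(EventSubType,"%discover%"),"created", \
    like(EventSubType,"%error%"),"error", \
    like(EventSubType,"%writ%"),"allowed", \
    like(EventSubType,"%execut%"),"success", \
    like(EventSubType,"%lost%"),"failure", \
    like(EventSubType,"%add%"),"created", \
    like(EventSubType,"%approve%"),"success", \
    like(EventSubType,"%New%"),"allowed", \
    like(EventSubType,"%update%"),"updated", \
    like(EventSubType,"%upload%"),"created", \
    like(EventSubType,"%clone%"),"created", \
    like(EventSubType,"%regis%"),"created", \
    OpType=="0","created", \
    OpType=="1","deleted", \
    OpType=="9","created", \
    OpType=="6","started", \
    OpType=="5","modified", \
    OpType=="2","modified", \
    OpType=="12","deleted", \
    OpType=="7","success", \
    OpType=="11","modified", \
    1==1,"success")

# Field aliases: vendor field -> CIM field. Splunk field names are
# case-sensitive, so the CIM names on the right are all lowercase
# (the earlier "Category" alias did not populate the CIM field category).
FIELDALIAS-filepathname = PathName as file_path
FIELDALIAS-severity = priority as severity
FIELDALIAS-signature = EventSubType as signature
FIELDALIAS-signature_id = EventSubTypeId as signature_id
# src_ip and dvc_ip are not produced anywhere in this stanza — they must come
# from the extraction/lookup that feeds this sourcetype; confirm they exist.
FIELDALIAS-src = src_ip as src
FIELDALIAS-dvc = dvc_ip as dvc
FIELDALIAS-src_user = UserName as src_user
FIELDALIAS-user = UserName as user
FIELDALIAS-category = EventType as category
FIELDALIAS-description = OpDescription as description
FIELDALIAS-originalfilname = FileName as original_file_name
FIELDALIAS-process = ProcessPath as process
FIELDALIAS-process_path = ProcessPath as process_path
FIELDALIAS-process_hash = ProcessHash as process_hash
FIELDALIAS-process_name = ProcessFileName as process_name
# ProcessKey is aliased to process_id; whether it is a real PID is not
# determinable from this file — verify before joining on it.
FIELDALIAS-process_id = ProcessKey as process_id
FIELDALIAS-command = CommandLine as command
FIELDALIAS-object = Policy as object
FIELDALIAS-object_id = PolicyId as object_id
FIELDALIAS-object_category = Platform as object_category
FIELDALIAS-result = EventSubType as result
# NOTE(review): no dest mapping is defined; the Endpoint/Change models expect
# one. HostName looks like the candidate source — confirm before adding.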
#####tags.conf
# tags.conf — Malware data model (CIM constraint tag=malware tag=attack).
[eventtype=bit9_malware]
attack = enabled
malware = enabled
# Endpoint.Filesystem data model (tag=endpoint tag=filesystem) for all
# *Event* sources.
[eventtype=bit9_event]
endpoint = enabled
filesystem = enabled
# Endpoint.Filesystem data model for the *NetTrace* file inventory source.
# (bit9_fileCatalog from eventtypes.conf has no tag stanza here — intended?)
[eventtype=bit9_filesOnComputers]
endpoint = enabled
filesystem = enabled
# Change data model (tag=change); the eventtype is meant to exclude
# allow/block and login/logout events.
[eventtype=bit9_event_change]
change = enabled
endpoint = enabled
# Authentication data model (tag=authentication). The data model selects
# successful vs failed logins by the action field (success/failure from the
# props.conf EVAL), not by a "success" tag; the tag below is kept as the
# author had it but is likely unnecessary — confirm against the CIM version
# in use.
[eventtype=bit9_event_authentication]
authentication = enabled
success = enabled
#### eventtypes.conf
# eventtypes.conf — file catalog export. $index_name$ appears to be a
# placeholder used throughout this post; eventtypes.conf does not expand it,
# so substitute the real index name.
[bit9_fileCatalog]
search = sourcetype=bit9 index=$index_name$ source=*Metadata*
# File inventory per host (NetTrace source). Replace $index_name$ with the
# real index; it is not expanded by eventtypes.conf.
[bit9_filesOnComputers]
search = sourcetype=bit9 index=$index_name$ source=*NetTrace*
# All Bit9 events; the narrower eventtypes below are subsets of this one.
# Replace $index_name$ with the real index; it is not expanded by eventtypes.conf.
[bit9_event]
search = sourcetype=bit9 index=$index_name$ source=*Event*
# Malware detections. Both EventSubType values contain "detect", so the
# props.conf EVAL-action gives them action=allowed — confirm that is the
# intended CIM action for a detection that was not blocked.
# Replace $index_name$ with the real index; it is not expanded by eventtypes.conf.
[bit9_malware]
search = sourcetype=bit9 index=$index_name$ source=*Event* (EventSubType="Malicious file detected" OR EventSubType="Potential risk file detected")
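# Change events: everything that is neither an allow/block decision nor a
# login/logout. The earlier search used (action!=allowed OR action!=blocked)
# and (EventSubType!="*login*" OR EventSubType!="*logout*"); each of those is
# true for every event (a value can never equal both), so the eventtype
# matched all *Event* data. NOT (... OR ...) expresses the intended exclusion.
# action is the search-time EVAL from props.conf, so it is usable here.
# Leading-wildcard terms are not index-accelerated; acceptable for an
# eventtype but worth knowing on large indexes.
# Replace $index_name$ with the real index; it is not expanded by eventtypes.conf.
[bit9_event_change]
search = index=$index_name$ sourcetype=bit9 source=*Event* NOT (action=allowed OR action=blocked) NOT (EventSubType="*login*" OR EventSubType="*logout*")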
# Login/logout events. With the props.conf EVAL-action, "%fail%" is tested
# before "%login%", so a failed login yields action=failure, a plain login
# action=success and a logout action=logoff.
# Replace $index_name$ with the real index; it is not expanded by eventtypes.conf.
[bit9_event_authentication]
search = sourcetype=bit9 index=$index_name$ source=*Event* (EventSubType="*logout*" OR EventSubType="*login*")