Please find below I have done cim compliance for the Bit9 security Platform. This will 90 % will be covering if any one can find more post on this. props.conf [bit9] EVAL-dest_nt_domain = mvindex(split(HostName, "\\"),0) EVAL-date = strftime(_time,"%Y-%m-%d %H:%M:%S") EVAL-vendor_product="bit9 carbon black" EVAL-action=case(like(EventSubType,"%change%"),"modified",like(EventSubType,"%delet%"),"deleted",like(EventSubType,"%,modif%"),"modified",like(EventSubType,"%create%"),"created",like(EventSubType,"%fail%"),"failure",like(EventSubType,"%succe%"),"success",like(EventSubType,"%rest%"),"restarted",like(EventSubType,"%shutdown%"),"shutdown",like(EventSubType,"%start%"),"started",like(EventSubType,"%reset%"),"modified",like(EventSubType,"%login%"),"success",like(EventSubType,"%logout%"),"logoff",like(EventSubType,"%attach%"),"created",like(EventSubType,"%detach%"),"deleted",like(EventSubType,"%upgrade%"),"upgraded",like(EventSubType,"%nstall%"),"created",like(EventSubType,"%uninstall%"),"deleted",like(EventSubType,"%finish%"),"success",like(EventSubType,"%close%"),"success",like(EventSubType,"%logout%"),"logoff",like(EventSubType,"%set%"),"modified",like(EventSubType,"%allow%"),"allowed",like(EventSubType,"%block%"),"blocked",like(EventSubType,"%download%"),"created",like(EventSubType,"%detect%"),"allowed",like(EventSubType,"%found%"),"allowed",like(EventSubType,"%discover%"),"created",like(EventSubType,"%error%"),"error",like(EventSubType,"%writ%"),"allowed",like(EventSubType,"%execut%"),"success",like(EventSubType,"%lost%"),"failure",like(EventSubType,"%add%"),"created",like(EventSubType,"%approve%"),"success",like(EventSubType,"%New%"),"allowed",like(EventSubType,"%update%"),"updated",like(EventSubType,"%upload%"),"created",like(EventSubType,"%clone%"),"created",like(EventSubType,"%regis%"),"created",like(EventSubType,"%New unapproved%"),"allowed",OpType=="0","created",OpType=="1","deleted",OpType=="9","created", OpType=="6","started",OpType=="5","modified",OpType=="2","modified",OpType=="12","deleted",OpType=="7","success",OpType=="11","modified",1==1,success) FIELDALIAS-filepathname =PathName as file_path FIELDALIAS-severity=priority as severity FIELDALIAS-signature=EventSubType as signature FIELDALIAS-signature_id=EventSubTypeId as signature_id FIELDALIAS-src=src_ip as src FIELDALIAS-src_user= UserName as src_user FIELDALIAS-user= UserName as user FIELDALIAS-category=EventType as Category FIELDALIAS-description=OpDescription as description FIELDALIAS-originalfilname=FileName as original_file_name FIELDALIAS-process=ProcessPath as process FIELDALIAS-process_path=ProcessPath as process_path FIELDALIAS-Process_hash=ProcessHash as process_hash FIELDALIAS-process_name=ProcessFileName as process_name FIELDALIAS-process_id=ProcessKey as process_id FIELDALIAS-command=CommandLine as command FIELDALIAS-object=Policy as object FIELDALIAS-object_id=PolicyId as object_id FIELDALIAS-object_category=Platform as object_category FIELDALIAS-result=EventSubType as result FIELDALIAS-dvc=dvc_ip as dvc #####tags.conf [eventtype=bit9_malware] malware = enabled attack = enabled [eventtype=bit9_event] endpoint = enabled filesystem = enabled [eventtype=bit9_filesOnComputers] endpoint = enabled filesystem = enabled [eventtype=bit9_event_change] endpoint = enabled change = enabled [eventtype=bit9_event_authentication] authentication = enabled success = enabled #### eventtypes.conf [bit9_fileCatalog] search = index=$index_name$ sourcetype=bit9 source=*Metadata* [bit9_filesOnComputers] search = index=$index_name$ sourcetype=bit9 source=*NetTrace* [bit9_event] search = index=$index_name$ sourcetype=bit9 source=*Event* [bit9_malware] search= index=$index_name$ sourcetype=bit9 source=*Event* (EventSubType="Potential risk file detected" OR EventSubType="Malicious file detected") [bit9_event_change] search = index=$index_name$ sourcetype=bit9 source=*Event* (action!=allowed OR action!=blocked) OR (EventSubType!="*login*" OR EventSubType!="*logout*") [bit9_event_authentication] search = index=$index_name$ sourcetype=bit9 source=*Event* (EventSubType="*login*" OR EventSubType="*logout*")   ... View more

Hello Please give me suggestion to resolve this  ... View more

same problem your issues is resolved with that or not, Please provide steps to troubleshoot that problem ... View more