cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Erendouille
Engager
Member since: ‎10-16-2024
‎10-17-2024
Community Statistics
Posts 2
Solutions 0
Karma Given 2
Karma Received 0
Member Since ‎10-16-2024
Activity Feed
View All

Re: Endpoint data model not filling itself

by in Getting Data In
‎10-17-2024 12:02 AM
‎10-17-2024 12:02 AM
Thanks for your answer @gcusello ! Yes, I'm aware that some of our searches appear multiple times because of the "trigger configuration" but this wasn't really the question, sorry if i misled you. My question was really about why the datas coming from the Endpoint data model are not all filled (for example, 99% of the parent_process_name field are "unknown", 97 % of the process_path fields are "null"), and how can I "repair" the data model so every field has a value, which would mean no more false positives and a less crowded ESS dashboard. But thanks anyway for your reactivity ! 🙂 ... View more

Endpoint data model not filling itself

by in Getting Data In
‎10-16-2024 11:48 PM
‎10-16-2024 11:48 PM
Hello ! I'm using Splunk_SA_CIM with ESS and I'm currently studying most of the ESCU correlation search for my own purposes. Problem : I discovered that most of my ESCU rules are creating a lot of notable events, which after investigation, were all false positives. All these rules are based on fields coming from Endpoint Data Model (for exemple, Processes.process_path), and because most of the process.path values are equal to "null", it triggers the search and create a notable event. I've already updated every app I use, and to gather Windows data, I'm using Splunk_TA_Windows add-on. Do you have any clue on how I can find where the problem is and solve it ?     ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎10-17-2024 03:56 AM
Karma given to
View All