The Template app is able to do this, provided you create your own TA using it as a base (hence the template part). Can you post some sample data?
Edit: Updated with info from the sample data
Looks like you found a bug in the template!
Here is what I have done to get the onboarding and extractions working correctly, using the CEF template add-on as a base:
Prepare your new add-on
I downloaded a copy of the add-on from splunkbase, then I renamed it to TA-kasperskylab_securitycenter.
Then I opened default/props.conf and changed the stanza from my_sourcetype to kasperskylab:securitycenter. Additionally, I renamed the REPORT extractions as such:
REPORT-cefLabelFirst = kasperskylab_cefLabelFirst
REPORT-cefLabelSecond = kasperskylab_cefLabelSecond
REPORT-builtInCefFields = kasperskylab_builtInCefFields
and opened the transforms.conf to match for those.
Configure onboarding
I configured the sourcetype for onboarding as such:
[kasperskylab:securitycenter:cef]
MAX_TIMESTAMP_LOOKAHEAD = 10
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TIME_FORMAT = %s
TIME_PREFIX = \|rt=
TRUNCATE = 999999
Fix that extraction
I've uploaded a new version (1.2) to Splunkbase, but it may not be published yet. In the meantime, you can change the following line for the initial extractions from:
\sCEF:\d\|(?<vendor>[^\|]+)\|(?<product>[^\|]+)\|(?<product_version>[^\|]+)\|(?<signature_id>[^\|]+)\|(?<signature>[^\|]+)\|(?<vendor_severity>[^\|]+)\|(?<cef_message>.*)
to
^CEF:\d\|(?<vendor>[^\|]+)\|(?<product>[^\|]+)\|(?<product_version>[^\|]+)\|(?<signature_id>[^\|]+)\|(?<signature>[^\|]+)\|(?<vendor_severity>[^\|]+)\|(?<cef_message>.*)
CIM compliance
This fix should get the extractions going as you would like. Note that while this will get you a good start on the CIM fields, it isn't a silver bullet. You will still need to add eventtypes and tags, and may need to add some field aliases or extractions to round out the model with which you decide to work.
HTH,
Dave
Edit: Here's a screenshot of the results:
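To see why the one-character change to the header extraction matters, here is an added Python example (not part of Dave's post or of the CEF template add-on) that runs both the original `\sCEF:` pattern and the fixed `^CEF:` pattern over constructed sample events, and also pulls the event time the way the `TIME_PREFIX = \|rt=` / `TIME_FORMAT = %s` / `MAX_TIMESTAMP_LOOKAHEAD = 10` settings above would. The named groups are written in Python's `(?P<name>...)` form instead of Splunk's `(?<name>...)`; the sample events and the hostnames, signature id and message text in them are made up for the demonstration, and the third `either` pattern is my own suggestion for data that arrives both with and without a syslog prefix.

```python
import re
from datetime import datetime, timezone

# CEF header body shared by all three patterns: the seven pipe-delimited
# header fields, then everything after the last pipe as cef_message.
# Same regex as in the post, with (?<name>...) rewritten as (?P<name>...)
# because Python's re module does not accept the PCRE spelling.
CEF_BODY = (
    r"CEF:\d\|(?P<vendor>[^\|]+)\|(?P<product>[^\|]+)\|(?P<product_version>[^\|]+)"
    r"\|(?P<signature_id>[^\|]+)\|(?P<signature>[^\|]+)\|(?P<vendor_severity>[^\|]+)"
    r"\|(?P<cef_message>.*)"
)

PATTERNS = {
    # As shipped in the template: needs a whitespace character right before
    # "CEF:", so an event that starts with "CEF:" never matches.
    "original": re.compile(r"\s" + CEF_BODY),
    # The fix from the post (template v1.2): anchor at start of event.
    "fixed": re.compile(r"^" + CEF_BODY),
    # Assumption (my addition, not from the post): accept either form, for
    # feeds where some events still carry a syslog header in front of "CEF:".
    "either": re.compile(r"(?:^|\s)" + CEF_BODY),
}

# Mirrors TIME_PREFIX = \|rt=  with TIME_FORMAT = %s (epoch seconds) and
# MAX_TIMESTAMP_LOOKAHEAD = 10 (at most ten characters read after the prefix).
RT_TIMESTAMP = re.compile(r"\|rt=(\d{1,10})")


def extract_cef_header(event, pattern="fixed"):
    """Return the header fields as a dict, or None if the pattern does not match."""
    m = PATTERNS[pattern].search(event)
    return m.groupdict() if m else None


def extract_event_time(event):
    """Return the rt= extension value as an aware UTC datetime, or None."""
    m = RT_TIMESTAMP.search(event)
    if not m:
        return None
    return datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)


# Constructed sample events (not real Kaspersky Security Center output).
SAMPLE_BARE = (
    "CEF:0|KasperskyLab|SecurityCenter|10.2.434|EXAMPLE_SIG_001|"
    "Example detection|4|rt=1425000000 dhost=ws01 msg=Example message"
)
# The same event with a syslog priority/timestamp/host prefix still attached.
SAMPLE_SYSLOG = "<14>Mar  1 10:00:00 kscserver " + SAMPLE_BARE


if __name__ == "__main__":
    for name in PATTERNS:
        for label, event in (("bare", SAMPLE_BARE), ("syslog", SAMPLE_SYSLOG)):
            fields = extract_cef_header(event, name)
            status = fields["signature_id"] if fields else "NO MATCH"
            print(f"{name:8s} {label:6s} -> {status}")
    print("event time:", extract_event_time(SAMPLE_BARE))
```

Running it shows the template's `original` pattern failing on the bare event and the `fixed` pattern succeeding, but also the reverse on the syslog-prefixed event; which anchor is right depends on what your inputs deliver to Splunk, so check a real sample before settling on one of the two.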