Hi,
I am currently adapting sourcetypes for Trend Micro Products to the the CIM, in order to use them with ES and the CIM app.
The CIM caters for:
- product
- vendor
- product_version
- signature_version
However, the products I deal with have multiple scanning engines as well as multiple pattern file types. I thus propose some new fields:
- engine
- engine_version
- signature_type
- signature_version
Perhaps signature_version can then be created using an eval of the specified fields.
Regards,
Stephan
