All Apps and Add-ons

Splunk Common Information Model: If my data source can generate multiple user names related to an intrusion detection event, how do I handle this?

vvajdic
Splunk Employee
Splunk Employee

The current definition for this field is this:
IDS_Attacks| user | string | The user involved with the intrusion detection event.

My data source can generate multiple user names related to an intrusion detection event.
How would be best to handle this?

Thanks.

0 Karma

esix_splunk
Splunk Employee
Splunk Employee

Without seeing your data source, most like you need to multikv these events in order to report on them individually.

Thinking of some common HIDS types logs such as McAffeeEPO, typically destination user events are individual and not reported in the same log..

0 Karma

Richfez
SplunkTrust
SplunkTrust

"How" does it generate multiple user names? Can you paste an example of the raw log? Are you already ingesting it into Splunk? If so can you paste an example of the event from Splunk?

0 Karma

vvajdic
Splunk Employee
Splunk Employee

Here is a part of a log event:

deviceSeverity=value act=value rt=value shost=value src=value sourceZoneURI=value sproc=value dhost=value dst=value destinationZoneURI=value dntdom=value dpt=value duser=value1, value2, value3, value4 fname=value cs1= value cs2=value cs3=value cs4=value

duser should map to Intrusion Detection/User and the question is what to do with multiple values of duser.

a More generally what are the options if data source generates more fields then what exists is in the data model?

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...