Reporting

What's the best datamodel to audit processes ran by users? and filesystem changes?

3DGjos
Communicator

Hello Again, I'm developing a compliance app (CIM, with tstats), now is the turn to write a search to monitor processes ran by users on the domain (windows and linux, maybe some other source of interest)

My doubt is, what datamodel should I use? I'm between Endpoint and Change. But endpoint does not have a user field, I don't understand why ¿What would be the right approarch?

For filesystem changes, I personally like Change but the SA-Cim definition, on the constraint part worries me, it litterally says:

(`cim_Change_indexes`) tag=change NOT (object_category=file OR object_category=directory OR object_category=registry)

I could just not parse the events with object_category=file, but I would like to know why is this, I mean, the endpoint datamodel does not have an object_category field, for example. Why I can't use it?

Thanks!

0 Karma
1 Solution

lakshman239
SplunkTrust
SplunkTrust
0 Karma

lakshman239
SplunkTrust
SplunkTrust

Pls accept if this helped to resolve your query, to help tracking

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...