Splunk Enterprise Security

Datamodel not showing all actions

wgawhh5hbnht
Communicator

Network_Traffic Traffic_By_Action isn't showing allowed or deferred.
In the data model, here are the constraints:

(`cim_Network_Traffic_indexes`) tag=network tag=communicate
action=*

The CIM setup for Network Traffic includes the indexes: check_point network lb
There is an eventtype for check_point that has the search

index=check_point action=*

and it has the tags: communicate & network

When I search index=check_point action=* | dedup action | table action, I get the following:

action
allowed
blocked
deferred
dropped

But when I search |tstats count from datamodel=Network_Traffic by All_Traffic.action I only get:

All_Traffic.action    count
blocked               88
deferred              126
dropped               118

Does anyone have any idea as to why the actions allowed or deferred aren't showing up?
I've checked the macro cim_traffic_actions & it has action

allowed
blocked
teardown
0 Karma

kchamplin_splun
Splunk Employee

You may want to ensure that the tags.conf for checkpoint also is pointing to that eventtype you mention (check_point) for:
tag=network tag=communicate. As an example tags.conf:
[eventtype=check_point]
network = enabled
communicate = enabled

A quick litmus test would be to just run a search with something like:
"tag=network OR tag=communicate | stats values(action) by sourcetype"

0 Karma

wgawhh5hbnht
Communicator

In local/tags.conf both are enabled:

[eventtype=check_point_action]
communicate = enabled
network = enabled

Checked splunk cmd to confirm the tags are being used & they are:

Splunk_TA_checkpoint-opseclea]$ splunk cmd btool tags list --debug | grep 'Splunk_TA_checkpoint-opseclea' | egrep 'communicate|network' | sort | uniq
/opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/local/tags.conf communicate = enabled
/opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/local/tags.conf [eventtype=opsec_communicate]
/opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/local/tags.conf network = enabled

Here is the output for tag=network OR tag=communicate action=* | stats values(action) by sourcetype :
sourcetype               values(action)
linux_secure             success
opendns:dnslogs          Allowed, Blocked, Proxied
opsec:anti_malware       blocked, deferred
opsec:anti_virus         deferred
opsec:smartdefense       blocked, deferred
opsec:threat_emulation   deferred
opsec:vpn                blocked, dropped

0 Karma

kchamplin_splun
Splunk Employee

It's a bit hard to make out based on the formatting, but it looks to me like whatever sources or sourcetypes are in the eventtype search "opsec_communicate" is what's missing here... that said, it looks like your local overrides for the check_point_action eventtype should work, but in any case, if you can get tag=network or tag=communicate to actually return results for action=allowed, that will fix the DM problem.

0 Karma

wgawhh5hbnht
Communicator

Ya, formatting is terrible, I can't upload a picture...
Here is another crack at it with the action values below the sourcetype:
sourcetype               values(action)

linux_secure
    success

opendns:dnslogs
    Allowed
    Blocked
    Proxied

opsec:anti_malware
    blocked
    deferred

opsec:anti_virus
    deferred

opsec:smartdefense
    blocked
    deferred

opsec:threat_emulation
    deferred

opsec:vpn
    blocked
    dropped
0 Karma

lakshman239
SplunkTrust

What values do you see for 'action' when you run |from datamodel:"Network_Traffic" | stats count by action ? Also, on your TA, check if there are any props/transforms for actions. Also, generally, if it's possible to avoid using index= in eventtypes.conf, it's better [as you are restricting the indexes for a datamodel via CIM config].

0 Karma

wgawhh5hbnht
Communicator

For |from datamodel:"Network_Traffic" | stats count by action here are the results:

action      count
blocked     82
deferred    270
dropped     108

The TA is Splunk_TA_checkpoint-opseclea, no local transform & for props there is only this that deals with action:

FIELDALIAS-protocol_for_opsec = proto AS protocol
FIELDALIAS-opsec_action = te_action AS action vendor_action AS action

For default/props.conf here is everything with action:
Splunk_TA_checkpoint-opseclea]$ grep 'action' default/props.conf

REPORT-checkpoint_action_for_checkpoint = action_as_checkpoint_action
REPORT-action_as_threat_emulation_action = action_as_threat_emulation_action
FIELDALIAS-vendor_action = action as vendor_action
LOOKUP-action_for_opsec = checkpoint_opsec_action_lookup vendor_action OUTPUT action
REPORT-action_as_ips_action = action_as_threat_emulation_action
LOOKUP-action_for_av = te_action_lookup te_action OUTPUT action
REPORT-action_as_threat_emulation_action = action_as_threat_emulation_action
REPORT-opsec_vendor_action_field = opsec_vendor_action_field
FIELDALIAS-vendor_action = action as vendor_action
LOOKUP-action_for_opsec = checkpoint_opsec_action_lookup vendor_action OUTPUT action
REPORT-checkpoint_action_for_checkpoint = vendor_action_for_opsec
EVAL-look_up_key = case((Subject="File Operation"),"filesystem",(Operation="Create Object" OR Operation="Modify Object" OR Operation="Delete Object"),Operation,(Operation="Log In" OR Operation="Log Out" OR Operation="Force Log Out"),if(isnull(status),"Success",status),1==1,action)
LOOKUP-checkpoint_audit_action_lookup = checkpoint_audit_action_lookup look_up_key OUTPUT action,app
REPORT-action_as_threat_emulation_action = action_as_threat_emulation_action
FIELDALIAS-category_for_threat_emulation = malware_action as category
LOOKUP-action_for_te = te_action_lookup te_action OUTPUT action
REPORT-action_as_anti_bot_action = action_as_threat_emulation_action
LOOKUP-action_for_te = te_action_lookup te_action OUTPUT action
REPORT-action_as_anti_virus_action = action_as_threat_emulation_action
LOOKUP-action_for_av = te_action_lookup te_action OUTPUT action

0 Karma

lakshman239
SplunkTrust

I believe the TA is overriding the action and missing the 'allowed'. You can comment out FIELDALIAS-opsec_action = te_action AS action vendor_action AS action and any other related ones and see which one is causing the issue.

0 Karma
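To narrow down which props.conf setting rewrites the `action` field before commenting settings out one at a time, here is an added helper (not from the thread or the TA) that parses a props.conf fragment and lists every FIELDALIAS/EVAL/LOOKUP setting that writes a given field, in Splunk's documented search-time operation order (EXTRACT, REPORT, FIELDALIAS, EVAL, LOOKUP). The stanza names in the sample are constructed; REPORT/EXTRACT targets are reported as unknown because they live in transforms.conf or the regex.

```python
import re

# Splunk search-time operation order for the steps that can write a field
# (from the documented "search-time operations order"; eventtypes and tags come later).
ORDER = {"EXTRACT": 1, "REPORT": 2, "FIELDALIAS": 3, "EVAL": 4, "LOOKUP": 5}

# Constructed props.conf fragment reusing the settings quoted in the thread;
# the stanza names are assumptions, not the TA's real stanzas.
SAMPLE_PROPS = """
[opsec]
FIELDALIAS-vendor_action = action as vendor_action
LOOKUP-action_for_opsec = checkpoint_opsec_action_lookup vendor_action OUTPUT action
REPORT-checkpoint_action_for_checkpoint = vendor_action_for_opsec

[opsec:anti_virus]
FIELDALIAS-opsec_action = te_action AS action vendor_action AS action
LOOKUP-action_for_av = te_action_lookup te_action OUTPUT action
"""

def parse_props(text):
    """Yield (stanza, key, value) for every setting in a props.conf-style text."""
    stanza = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
        elif "=" in line and stanza is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            yield stanza, key, value

def written_fields(key, value):
    """Return the set of event field names a single setting can write."""
    kind = key.split("-", 1)[0].upper()
    if kind == "FIELDALIAS":  # "orig AS|ASNEW new" pairs; the new name is written
        return set(re.findall(r"\bAS(?:NEW)?\s+(\S+)", value, flags=re.I))
    if kind == "EVAL":        # EVAL-<field> writes <field>
        return {key.split("-", 1)[1]}
    if kind == "LOOKUP":      # "... OUTPUT[NEW] f1, f2 AS g2" writes f1 and g2
        m = re.search(r"\bOUTPUT(?:NEW)?\s+(.*)$", value, flags=re.I)
        return {f.strip().split()[-1] for f in m.group(1).split(",")} if m else set()
    return set()  # REPORT/EXTRACT: target fields are defined elsewhere, unknown here

def writers_of(field, text):
    """List (stanza, key, value) settings that write `field`, in search-time order."""
    hits = []
    for stanza, key, value in parse_props(text):
        kind = key.split("-", 1)[0].upper()
        if kind in ORDER and field in written_fields(key, value):
            hits.append((ORDER[kind], stanza, key, value))
    return [(s, k, v) for _, s, k, v in sorted(hits)]

if __name__ == "__main__":
    for stanza, key, value in writers_of("action", SAMPLE_PROPS):
        print(f"[{stanza}] {key} = {value}")
```

Run it against the TA's real default/props.conf and local/props.conf to see, per sourcetype, the order in which `action` is rewritten; the last writer listed is the one whose output the data model sees.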