
Wrong assignment for field 'action' in ePO sourcetype?

evelenke
Contributor

Hi Team,

in the Splunk Add-on for McAfee you have a query option in the inputs (template\example) configuration: [EPOEvents].[ThreatActionTaken] as [vendor_action].
Then we have 2 neighbours in props.conf:
FIELDALIAS-vendor_action_for_mcafee_epo=action AS vendor_action
LOOKUP-action_for_mcafee_epo=epo_action_lookup vendor_action OUTPUT action

According to the sequence of operations, the value of vendor_action obtains the value of action, which is obviously NULL. As a result, both action and vendor_action return NULL.

Could you please correct this, or correct me if I'm wrong 🙂

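To make the ordering concrete, here is a small Python model (an added example, not part of the thread or of the Splunk add-on) that applies the two props.conf lines in Splunk's documented search-time order, field aliases before lookups. The lookup table contents and the event row are constructed, and the alias is modelled as the question describes it: the target field takes whatever the source holds, so a missing `action` leaves `vendor_action` empty.

```python
import re

# Constructed stand-in for epo_action_lookup (vendor_action -> CIM action);
# the real add-on's CSV is not on the page.
EPO_ACTION_LOOKUP = {"deleted": "blocked", "none": "allowed"}

# The two props.conf lines quoted in the question.
PROPS = [
    "FIELDALIAS-vendor_action_for_mcafee_epo=action AS vendor_action",
    "LOOKUP-action_for_mcafee_epo=epo_action_lookup vendor_action OUTPUT action",
]

def field_alias(fields, src, dst):
    """FIELDALIAS src AS dst, modelled as the question describes: dst takes
    the value of src, so a missing src leaves dst without a value (assumption)."""
    out = dict(fields)
    if src in out:
        out[dst] = out[src]
    else:
        out.pop(dst, None)
    return out

def lookup(fields, table, input_field, output_field):
    """LOOKUP <table> <input> OUTPUT <output>: only matches when the input field exists."""
    out = dict(fields)
    key = out.get(input_field)
    if key in table:
        out[output_field] = table[key]
    return out

def apply_props(fields, props):
    """Apply FIELDALIAS lines first, then LOOKUP lines (Splunk's search-time order)."""
    for line in (p for p in props if p.startswith("FIELDALIAS-")):
        src, dst = re.match(r"[^=]+=(\S+) AS (\S+)$", line).groups()
        fields = field_alias(fields, src, dst)
    for line in (p for p in props if p.startswith("LOOKUP-")):
        _table, inp, outp = re.match(r"[^=]+=(\S+) (\S+) OUTPUT (\S+)$", line).groups()
        fields = lookup(fields, EPO_ACTION_LOOKUP, inp, outp)
    return fields

def resolve(with_alias=True):
    """Constructed DB-input row: the query already emitted ThreatActionTaken AS vendor_action."""
    event = {"ThreatActionTaken": "deleted", "vendor_action": "deleted"}
    props = PROPS if with_alias else [p for p in PROPS if not p.startswith("FIELDALIAS-")]
    return apply_props(event, props)

if __name__ == "__main__":
    print("as shipped:", resolve(True))   # {'ThreatActionTaken': 'deleted'}
    print("alias off :", resolve(False))  # {'ThreatActionTaken': 'deleted', 'vendor_action': 'deleted', 'action': 'blocked'}
```

With the alias in place the lookup never sees a vendor_action value, so neither field reaches the search head; without it, the value the DB query already provides is what the lookup maps to action.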

marycordova
SplunkTrust

here is the props.conf statement I used to cobble together a decent "action" field:

| eval action=replace((replace((replace((case(
'ProductFamily'=="UDLP" OR 
match(lower('event_description'),"on-") OR 
match(lower('event_description'),"dll") OR 
match(lower('event_description'),"oss") OR 
match(lower('event_description'),"svm") OR 
match(lower('event_description'),"^scan") OR 
match(lower('event_description'),"policy") OR 
match(lower('event_description'),"service") OR 
match(lower('event_description'),"deferred") OR 
match(lower('event_description'),"update") OR 
match(lower('event_description'),"mcafee security") OR 
match(lower('event_description'),"protection \w+abled") OR
(match(lower('event_description'),"move") AND 'threat_handled'=="0"),lower('event_description'),

match(lower('event_description'),"pending") OR 
match(lower('event_description'),"unable to") OR
match(lower('event_description'),"not blocked") OR 
match(lower('event_description'),"would delete") OR 
match(lower('event_description'),"delete on reboot") OR 
(match(lower('event_description'),"handled") AND 'threat_handled'=="0") OR 
(match(lower('event_description'),"spam") AND match(lower('vendor_action'),"clean")) OR 
(match(lower('event_description'),"failed") AND NOT match(lower('event_description'),"deleted")) OR 
(match(lower('event_description'),"browser") AND NOT match(lower('ThreatName'),"web control violation")),"allowed",

match(lower('event_description'),"spam") OR 
match(lower('event_description'),"denied") OR 
match(lower('event_description'),"blocked") OR 
match(lower('event_description'),"handled") OR 
match(lower('event_description'),"deleted") OR 
match(lower('event_description'),"cleaned") OR 
match(lower('event_description'),"browser") OR
match(lower('event_description'),"quarantine") OR 
(match(lower('event_description'),"detected") AND 'threat_handled'=="1"),"blocked",

isnotnull('event_description'),lower('event_description'),
isnull('event_description'),"none")),",","")),"\.","")),";","")
@marycordova

marycordova
SplunkTrust

well, this was the GUI-based statement I was building off of... tweak the prepended syntax to make it a props.conf config:

EVAL-action = ...

@marycordova

evelenke
Contributor

Hi Mary,

thank you, that's a great example.
What I'm trying to say is that with the described add-on configuration you should not get any value for the fields vendor_action and action on the search head, even if you have vendor_action in events.
I see you use the condition AND match(lower('vendor_action') - is your 'vendor_action' field populated with values?


marycordova
SplunkTrust

yeah... it does. Unfortunately, at this current job I no longer have access to the config files... I believe our admins at least start with stock TA/app deployments and customize to hell 😛

but I would say, if you have a stock TA/app and it's weird, you could comment out the problem statements in the stock version, then just make a quick custom app with only the things you need in it

for example, you could make an app directory custom_$tech$, custom_mcafee_epo, and then drop local and metadata directories in, and just the *.conf files you need in each plus the local.meta file

I could have sworn I had a post about making an IR app that gives you a nice little app shell... can't find it now, sorry!

@marycordova