Splunk Enterprise

How to make action field CIM compliant

Haleb
Explorer

I need to bring events related to creating and changing a user in the application into this CIM data model (Change -> Account Management). To do this, the action field has to carry one of the following values: acl_modified, cleared, created, deleted, modified, stopped, lockout, read, logoff, updated, started, restarted, unlocked, according to this documentation. The problem is that the action field already exists in the events with the values create and delete, and it is used not only to describe actions on users but also on other objects. What method can you recommend to make the field CIM compliant?
Event example:

{
   action: delete
   actor_details: { ... }
   actor_uuid: 11111111
   location: { ... }
   object_details: { ... }
   object_type: user        # can also be item, vault, etc.
   object_uuid: 333333333
   session: { ... }
   timestamp: 33213123
   uuid: 4444444
}


marnall
Builder

Assuming you are only CIM-normalizing Change -> Account Management, you could filter the logs to object_type=user.

Make an eventtype with search string:

<yoursearch>
| search object_type=user
```Or put the above search filter in the first line of your search```

And set the tags to "change,account"

Then you can make the action field CIM-compliant by making a calculated field:

Name: action
Eval expression: case(action="create","created",action="delete","deleted",1=1,action)

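As an added example that is not part of marnall's answer or of any Splunk add-on, here is the same normalization expressed in the .conf files you would deploy on the search head instead of clicking through Settings. The sourcetype name my_app:audit and the eventtype name my_app_account_change are assumptions; the two FIELDALIAS lines map this event's object_uuid and object_type onto Change data-model fields the answer does not cover and are likewise assumptions about what those fields mean in the application.

```ini
# props.conf  (search-time knowledge objects; deploy to the search head)
# my_app:audit is an assumed sourcetype name - replace it with the real one.
[my_app:audit]
# Calculated field with the same name as the extracted field: the extracted
# value is read on the right-hand side, the result replaces it. Vendor verbs
# that are not listed fall through the 1=1 branch unchanged.
EVAL-action = case(action="create","created", action="delete","deleted", 1=1, action)
# Assumed mappings onto other Change data-model fields (not in the original answer):
# the changed object's identifier and its class.
FIELDALIAS-object_id       = object_uuid AS object_id
FIELDALIAS-object_category = object_type AS object_category

# eventtypes.conf
# Only user objects belong to Account Management, so the eventtype narrows the scope.
[my_app_account_change]
search = sourcetype="my_app:audit" object_type=user

# tags.conf
# Change -> Account Management is selected by tag=change AND tag=account.
[eventtype=my_app_account_change]
change  = enabled
account = enabled
```

Note that EVAL-action is scoped to the whole sourcetype, so item and vault events also get created/deleted, which is fine for the Change data model in general; the eventtype and tags are what restrict Account Management to object_type=user. After deploying, run a quick `sourcetype="my_app:audit" | stats count by object_type action` and check that every action value for user objects is in the CIM list, since anything the case() does not map still arrives as the raw vendor verb.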