Closed ThomasMethlie closed 7 years ago
Hi @ThomasMethlie ,
are you able to provide more details? Specifically:
- Symptoms observed in Splunk
- Steps to reproduce
- Expectations
Hi @samsonnguyen , I seem to have made some sort of mistake, but I'm now able to see the events in Splunk with "unknown" action status, which seems to be correct according to the CIM model. Sorry for troubling you. (The malware had status "quarantine:failed" in the AMP dashboard, not blocked as I originally thought.)
Is it possible to add event_type_id 1090519054 to the .csv file mapping? Right now a lot of searches in ES return empty results.