Hello team: I am working on the Splunk Endpoint Data Model and I have Windows audit logs in Splunk.
My concern is, if I were to use the Splunk Endpoint Data Model with Windows logs, how do I properly map the Windows
Process_Name vs New_Process_Name vs Object_Name vs Caller_Process_Name vs Target_Process_Name fields to what the Endpoint Data Model is expecting, like
parent_process_exec, parent_process_path, process_current_directory, process_exec, process_path. Apart from these there are eval-expressed fields like process and process_name by default from the CIM app.
My understanding is that Endpoint is expecting Sysmon fields to be matched. However, I am trying to see how I can map my default Windows fields to the Endpoint Data Model expected fields. If so, how do I map parent_process and child_process? Is there any mapping that I can rely on, or is there any standard that someone else is following?
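As an added illustration (not part of the original post), this is the shape of a props.conf stanza that maps the Windows Security EventCode 4688 ("A new process has been created") fields to the CIM Endpoint.Processes fields asked about above. The sourcetype name and the assumption that Creator_Process_Name is present (it is only logged on Windows 10 / Server 2016 and later) are mine; check the fields actually extracted in your environment, and note that the Splunk Add-on for Microsoft Windows already ships CIM mappings of this kind.

```ini
# Added example, not from the original post: props.conf EVALs for EventCode 4688.
# Sourcetype name is an assumption; adjust if you index XmlWinEventLog:Security.
[WinEventLog:Security]

# New_Process_Name is the full path of the started (child) process.
EVAL-process_path = if(EventCode=4688, New_Process_Name, null())
# process_exec is the file name only: strip everything up to the last backslash.
EVAL-process_exec = if(EventCode=4688, replace(New_Process_Name, "^.*\\\\", ""), null())
# 4688 logs PIDs as hex strings (e.g. 0x1a4); convert to decimal for the data model.
EVAL-process_id = if(EventCode=4688, tonumber(replace(New_Process_ID, "^0x", ""), 16), null())

# Creator_Process_Name (Win10 / Server 2016+) is the full path of the parent process.
EVAL-parent_process_path = if(EventCode=4688, Creator_Process_Name, null())
EVAL-parent_process_exec = if(EventCode=4688, replace(Creator_Process_Name, "^.*\\\\", ""), null())
EVAL-parent_process_id = if(EventCode=4688, tonumber(replace(Creator_Process_ID, "^0x", ""), 16), null())

# "process" should carry the full command line when command-line auditing is enabled,
# otherwise fall back to the path so the field is never empty.
EVAL-process = if(EventCode=4688, coalesce(Process_Command_Line, New_Process_Name), null())
```

Caller_Process_Name (logon events) and Object_Name (object access events) describe different activity and belong to other data models, so they are deliberately not mapped here.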