Conversation

stream_events.log

Adding the dataset via this PR, could you tweak the test dataset link to point to the new file?
|
For whatever reason, it looks like the datasets/suspicious_behaviour/crowdstrike_stream/event_stream_events/stream_events_2.log that got merged is not correct. It should have valid events, but what was merged looks to just have some metadata info.
|
@bpluta-splunk is this not the 76kb file you linked above?
|
|
That is correct. When I looked at the files changed for the attack_data MR https://github.com/splunk/attack_data/pull/1132/changes#diff-c724781f62e3c0105e4ae872cfe484d22f10d4a964c1d136839cdc69915ccd23 it was not showing that content for the file.
|
That's because of git-lfs which stores the files separately, the way every single log in attack_data is stored. |
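The confusion in this thread comes from the GitHub diff showing the git-lfs pointer (a few lines of metadata) instead of the log itself. The script below is an added example, not part of the PR or either repository; it distinguishes a git-lfs pointer file from real log content so a reviewer can tell which one they are looking at before judging the dataset. The pointer header line comes from the git-lfs spec; both sample files and the oid value are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the PR): tell a git-lfs pointer file apart from the
# real log content. The pointer is the small text git keeps in the repository
# in place of the LFS-stored object; its first line is the LFS spec header.
set -eu

is_lfs_pointer() {
    # Returns 0 (true) when the file's first line is the git-lfs pointer header.
    head -n 1 "$1" | grep -q '^version https://git-lfs.github.com/spec/v1$'
}

check_dataset() {
    # Prints what the file is; returns 1 for a pointer so CI or a reviewer
    # notices that the object still has to be fetched with 'git lfs pull'.
    if is_lfs_pointer "$1"; then
        echo "$1: git-lfs pointer only (object not checked out); run 'git lfs pull'"
        return 1
    fi
    echo "$1: real content, $(wc -l < "$1" | tr -d ' ') line(s)"
}

# Constructed sample pointer file (oid and size are placeholders, not real values).
workdir=$(mktemp -d)
cat > "$workdir/pointer.log" <<'EOF'
version https://git-lfs.github.com/spec/v1
oid sha256:0000000000000000000000000000000000000000000000000000000000000000
size 77824
EOF

# Constructed sample of real content: one JSON event per line, as a streamed log would have.
cat > "$workdir/events.log" <<'EOF'
{"metadata":{"eventType":"DetectionSummaryEvent","offset":1},"event":{"Severity":5}}
{"metadata":{"eventType":"DetectionSummaryEvent","offset":2},"event":{"Severity":3}}
EOF

# Usage: check both samples; the pointer check is expected to fail.
check_dataset "$workdir/events.log"
check_dataset "$workdir/pointer.log" || true
```

Run it against a checked-out dataset path instead of the constructed samples; if the file reports as a pointer, the content in the PR is the LFS stub, not the events, which is exactly what the diff view above displayed.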

Details
New search to leverage changes crowdstrike made to the raw events being sent.
Checklist
<platform>_<mitre att&ck technique>_<short description> nomenclature

Notes For Submitters and Reviewers
The build CI job, when it fails, will likely show an error about what is failing. You may have a very descriptive error of the specific field(s) in the specific file(s) that is causing an issue. In some cases, it's also possible there is an issue with the YAML. Many of these can be caught with the pre-commit hooks if you set them up. These errors will be less descriptive as to what exactly is wrong, but will give you a column and row position in a specific file where the YAML processing breaks. If you're having trouble with this, feel free to add a comment to your PR tagging one of the maintainers and we'll be happy to help troubleshoot it.