I’ve created a custom TA in order to make it work with Enterprise Security and packaged it with 'TA_foo' deploying it on my Splunk instance.
The eventtypes worked fine on Search & Report app, showing every field mapped with CIM attack and ids but when I change the App context to Enterprise Security it doesn’t seem to show up properly.
All permissions are set to global.
↧