
Splunk Add-on for Cyberark XSL file is faulty?

Can someone explain to me what the idea is behind some of the choices made in the XSL file that is bundled with the Splunk TA for Cyberark? It places the Cyberark "Reason" field in both the cn2 part of the CEF message and the msg part, even though cn2 is actually labeled "Ticket ID". Also: in the msg part, the Reason value is passed through a replacer that escapes any '=' signs, to prevent issues with Splunk's field extractions, while in the cn2 part the Reason field is dumped without escaping. So if the Reason field from Cyberark contains key-value pairs, this completely messes up the field extractions. Why duplicate data, and moreover, why do it in an inconsistent way?

Relevant snippet from the XSL:

cn2Label="Ticket Id" cn2="" msg="Failure: "

Also, this final bit with the severity choice: does this print the text "Failure:" after the content of the msg field? What is the point of that? Shouldn't that be printed at the start of the msg field?

The original arcsight.sample.xsl bundled with Cyberark (which probably was the inspiration for the file bundled with the Splunk TA) does not use the cn2 field, and populates the msg field in a more sensible way: "Reason, ExtraDetails, Failure: Message" (with Failure printed only based on severity):

msg=, , Failure:
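As an added illustration, not part of the original question and not the Splunk TA's or CyberArk's own code, the following Python models the extension-building behaviour the question describes (Reason copied into both cn2 and msg, with only the msg copy escaped) and runs a CEF-style key=value parser over both the inconsistent and the consistently escaped output. The sample Reason value, the severity check and all function names are constructed for this example; the escaping rule itself (a backslash before '=' and before '\' inside extension values) is the one the CEF format defines.

```python
import re

# Constructed sample: a CyberArk "Reason" that happens to contain key=value text.
REASON = "user=alice ticket=4711"


def cef_escape(value: str) -> str:
    """Escape a value for a CEF extension field: backslash and '=' get a
    backslash prefix, CR/LF become \\r and \\n (the CEF extension rules)."""
    return (value.replace("\\", "\\\\")
                 .replace("=", "\\=")
                 .replace("\r", "\\r")
                 .replace("\n", "\\n"))


def cef_unescape(value: str) -> str:
    """Reverse cef_escape: '\\x' -> 'x', with \\n and \\r restored."""
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                  value, flags=re.S)


def build_extension(reason: str, severity: str, escape_cn2: bool) -> str:
    """Build the CEF extension the way the question describes: Reason goes into
    cn2 (labelled 'Ticket Id') and into msg. escape_cn2=False reproduces the
    inconsistency (cn2 unescaped, msg escaped); True escapes both copies.
    The severity test and the 'Failure: ' prefix are hypothetical."""
    cn2_value = cef_escape(reason) if escape_cn2 else reason
    msg_value = cef_escape(reason)
    if severity.lower() == "failure":
        msg_value = "Failure: " + msg_value
    return f"cn2Label=Ticket Id cn2={cn2_value} msg={msg_value}"


# A key is a run of word characters at the start or after whitespace, directly
# followed by an unescaped '='. An escaped '\=' cannot match because the
# backslash is not a word character.
KEY_RE = re.compile(r"(?:^|(?<=\s))(\w+)=")


def parse_extension(ext: str) -> dict:
    """Parse a CEF extension string into {key: unescaped value}, the way a
    generic key=value extractor would see it."""
    fields = {}
    matches = list(KEY_RE.finditer(ext))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(ext)
        raw = ext[m.end():end].rstrip()
        fields[m.group(1)] = cef_unescape(raw)
    return fields


if __name__ == "__main__":
    for escape_cn2 in (False, True):
        ext = build_extension(REASON, "Failure", escape_cn2)
        print(f"escape_cn2={escape_cn2}: {ext}")
        print("  parsed:", parse_extension(ext))
```

With the unescaped cn2 copy, the parser sees cn2 as just "user=alice" and invents a bogus "ticket" field; with both copies escaped, cn2 and msg both round-trip to the full Reason text and no spurious field appears.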
