Connectra CIM field extraction

[simonsigre]

Historically under LEA the following;

sourcetype=opsec product="connectra"

Where not CIM compatible, we have noted many missing fields, the most important are those required to complete the Authentication datamodel. https://docs.splunk.com/Documentation/CIM/4.12.0/User/Authentication

These can be seen when running the following index=* (sourcetype=opsec product="connectra") | table action app dest duration signature signature_id src user (under LEA)

The following fields are required at a minimum

action
app
dest
duration
signature
src
user

hi @simonsigre,
Thank you for your feedback.

Authentication datamodel is not part of our current mapping.
It may be added in the future.

However, all fields you mentioned before are exported by default and the new name "connectra" was replaced with "Mobile Access".
Therefore, I would suggest you to look for product="mobile access" in order to get connectra logs.

Regards