
Fields are not renamed to follow CIM #12

Open
balajifunny opened this issue Sep 2, 2021 · 4 comments
Comments

@balajifunny

I see many of the fields are not mapped with Malware Datamodel.

@diogofgm
Owner

diogofgm commented Sep 2, 2021

Which fields are you missing? For almost all the Splunk apps and add-ons I develop I try to extract the fields used by Enterprise Security as much as is available in the data I have access to. If you do have some data that could be mapped to the Malware CIM datamodel, can you post it here so I can have a look?
From my experience several apps do not contain fields available in the data to be mapped against all the available fields in the CIM datamodels. Some have more, others have really few.

@balajifunny
Author

(screenshot attached)
filepath is the field available in events, but that doesn't match the field file_path in the Malware datamodel. The hash field is not extracted.
Hash: 1da542bbc1b14ec2bb2b03096b8b3a7e9247ddbf98db81cfb4283d8c4ecbefdc
I am talking about sourcetype: sourcetype="kaspersky:gnrl"

@balajifunny
Author

The username field is not aliased to user, which is used in the datamodel.

@diogofgm
Owner

The file path is extracted as file_path in the add-on. So that extraction you're seeing is not coming from the add-on. Can you share some sample events where you are seeing this happening?
Regarding the hash, the sample data I had access to when building the add-on did not include a file hash. Can you share some sample events where you see those?
Regarding the user name, again I don't have extractions with "username", just user. These cases might be related to the auto KV Splunk does.
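The thread turns on three CIM Malware datamodel fields (file_path, file_hash, user) and the raw field names the reporter sees (filepath, a "Hash:" token, username). The props.conf fragment below is an added example of how a local override for this sourcetype would normalise those names; it is not the add-on's own configuration. It assumes the raw event carries the hash as a literal "Hash: <64 hex characters>" token, as in the comment above, and that filepath and username only appear when Splunk's automatic key=value extraction produces them; both of those are assumptions about data the thread does not show.

```ini
# Added example: local search-time overrides for the kaspersky:gnrl sourcetype.
# Place in $SPLUNK_HOME/etc/apps/<your_local_app>/local/props.conf (path is illustrative).
[kaspersky:gnrl]

# Hypothetical extraction: pulls a SHA-256-sized value that follows "Hash:" into
# file_hash, the field the CIM Malware datamodel expects. The 64-hex-digit width
# and the "Hash:" prefix are assumptions based on the value quoted in the issue.
EXTRACT-file_hash = (?i)\bHash:\s*(?<file_hash>[0-9a-fA-F]{64})\b

# Aliases fire only when the source field exists, so they are harmless if the
# add-on already produces file_path and user directly and filepath/username
# come only from automatic KV extraction on some events.
FIELDALIAS-cim_file_path = filepath AS file_path
FIELDALIAS-cim_user      = username AS user
```

To check the effect rather than assume it, run a search such as `sourcetype="kaspersky:gnrl" | table filepath file_path username user file_hash` before and after deploying the override: if filepath or username are populated only on a subset of events, that supports the owner's point that they come from automatic key=value extraction rather than the add-on's configured extractions. Keeping overrides in a separate local app, rather than editing the add-on, preserves them across add-on upgrades.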
