https://community.splunk.com/t5/All-Apps-and-Add-ons/Cannot-get-Infosec-App-to-work/m-p/473424#M58183 <P>Hi @wbueno2, as others pointed out, CIM compliant data is a must for the InfoSec app to work. Here is what you may want to do: </P> <OL> <LI>Review the <A href="https://splunkbase.splunk.com/app/4240/#/details">installation instructions</A> for the InfoSec app <UL> <LI>Check whether you have the <A href="https://splunkbase.splunk.com/app/1621/">CIM add-on</A> installed </LI> <LI>Accelerate the data models (Settings&gt;Data Models) listed in the instructions</LI> </UL></LI> <LI>Check whether you use CIM-compliant add-ons for your data. In your case, for example, you should have <A href="https://splunkbase.splunk.com/app/1620/">Cisco ASA</A> and <A href="https://splunkbase.splunk.com/app/742/">Windows</A> add-ons installed on your Splunk server (or Search Heads in distributed environment). Check installation instructions for the add-ons. </LI> <LI>Go to InfoSec app &gt; Health and Stats and check the following two tables: <UL> <LI>"Data Models Used by the InfoSec App: Events in Past 24 Hours"</LI> <LI>"All Data Models: Status" (You may need to wait from 5 minutes to an hour or more depending how much data you are sending to Splunk and how behind data models are on acceleration) </LI> </UL></LI> <LI>If you see only red in the tables above, your data is not CIM compliant and/or data models are not accelerated. This is where you may want to look at these two resources: <UL> <LI><A href="https://youtu.be/QTklD7OiN74">Overview of Splunk CIM</A></LI> <LI><A href="https://docs.splunk.com/Documentation/CIM/4.14.0/User/Overview">Official Splunk CIM doc</A></LI> </UL></LI> </OL> Fri, 03 Jan 2020 17:26:00 GMT igifrin_splunk 2020-01-03T17:26:00Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Cannot-get-Infosec-App-to-work/m-p/473419#M58178 <P>Hello there,</P> <P>I would like to know what I´m doing wrong? I´m sending all logs sugested by the app but it seems something is wrong. Can anyone please help me to get this sorted?</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/8138iDD7428A1047E0FB7/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Mon, 30 Dec 2019 13:29:53 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Cannot-get-Infosec-App-to-work/m-p/473419#M58178 wbueno2 2019-12-30T13:29:53Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Cannot-get-Infosec-App-to-work/m-p/473420#M58179 <P>What are you expecting to see?</P> Mon, 30 Dec 2019 14:14:58 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Cannot-get-Infosec-App-to-work/m-p/473420#M58179 richgalloway 2019-12-30T14:14:58Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Cannot-get-Infosec-App-to-work/m-p/473421#M58180 <P>There´s no data coming to infosec.</P> Mon, 30 Dec 2019 15:12:40 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Cannot-get-Infosec-App-to-work/m-p/473421#M58180 wbueno2 2019-12-30T15:12:40Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Cannot-get-Infosec-App-to-work/m-p/473422#M58181 <P>Have you reviewed the setup requirements? Must be CIM compliant data with acceleration on required data models...<BR /> <A href="https://splunkbase.splunk.com/app/4240/#/details">https://splunkbase.splunk.com/app/4240/#/details</A></P> Mon, 30 Dec 2019 15:26:56 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Cannot-get-Infosec-App-to-work/m-p/473422#M58181 mydog8it 2019-12-30T15:26:56Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Cannot-get-Infosec-App-to-work/m-p/473423#M58182 <P>How can I make sure the data is coming is CIM compliant? Apart from that I followed all the steps.</P> Mon, 30 Dec 2019 17:10:02 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Cannot-get-Infosec-App-to-work/m-p/473423#M58182 wbueno2 2019-12-30T17:10:02Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Cannot-get-Infosec-App-to-work/m-p/473424#M58183 <P>Hi @wbueno2, as others pointed out, CIM compliant data is a must for the InfoSec app to work. Here is what you may want to do: </P> <OL> <LI>Review the <A href="https://splunkbase.splunk.com/app/4240/#/details">installation instructions</A> for the InfoSec app <UL> <LI>Check whether you have the <A href="https://splunkbase.splunk.com/app/1621/">CIM add-on</A> installed </LI> <LI>Accelerate the data models (Settings&gt;Data Models) listed in the instructions</LI> </UL></LI> <LI>Check whether you use CIM-compliant add-ons for your data. In your case, for example, you should have <A href="https://splunkbase.splunk.com/app/1620/">Cisco ASA</A> and <A href="https://splunkbase.splunk.com/app/742/">Windows</A> add-ons installed on your Splunk server (or Search Heads in distributed environment). Check installation instructions for the add-ons. </LI> <LI>Go to InfoSec app &gt; Health and Stats and check the following two tables: <UL> <LI>"Data Models Used by the InfoSec App: Events in Past 24 Hours"</LI> <LI>"All Data Models: Status" (You may need to wait from 5 minutes to an hour or more depending how much data you are sending to Splunk and how behind data models are on acceleration) </LI> </UL></LI> <LI>If you see only red in the tables above, your data is not CIM compliant and/or data models are not accelerated. This is where you may want to look at these two resources: <UL> <LI><A href="https://youtu.be/QTklD7OiN74">Overview of Splunk CIM</A></LI> <LI><A href="https://docs.splunk.com/Documentation/CIM/4.14.0/User/Overview">Official Splunk CIM doc</A></LI> </UL></LI> </OL> Fri, 03 Jan 2020 17:26:00 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Cannot-get-Infosec-App-to-work/m-p/473424#M58183 igifrin_splunk 2020-01-03T17:26:00Z