topic Re: How to make a CIM compliant data in splunk ES. in All Apps and Add-ons

How to make a CIM compliant data in Splunk ES?

AL3Z — Wed, 26 Apr 2023 12:48:16 GMT

Hi,

I have a existing dlp data model, Can we add the indexed dlp data to exisiting one to make a cim compliant OR
we need to create a new datamodel to add the data ?

Re: How to make a CIM compliant data in splunk ES.

richgalloway — Thu, 20 Apr 2023 17:45:01 GMT

Every time the datamodel runs (every 5 minutes, by default), it automatically adds indexed data to the model. The indexed data should be CIM-compliant and be tagged as expected by the DM. There is no need to create a new DM.

Re: How to make a CIM compliant data in splunk ES.

woodcock — Fri, 21 Apr 2023 14:29:11 GMT

Add the tags, fields, and field values that the CIM's DLP datamodel uses. Don't start from scratch. If there is not an existing TA on Splunkbase, you will have to do this yourself or hire somebody (we do this all the time for clients).

Re: How to make a CIM compliant data in splunk ES.

AL3Z — Fri, 21 Apr 2023 08:27:08 GMT

@richgalloway ,
How we can make the indexed data to CIM-compliant ?
We have Splunk Common Information Model (Splunk_SA_CIM) in our environment.

Re: How to make a CIM compliant data in splunk ES.

gcusello — Fri, 21 Apr 2023 08:42:49 GMT

Hi @AL3Z,

CIM compliance is usually granted by the Add-On you're using, for this reason, when you have to use a data flow in ES it's a best practice to check the CIM compliance of the used Add-On and you can find this information in Splunk baseline.

If you don't have a CIM Compliant Add_On (because your data flow hasn't an Add-On in Splunk baseline or because you created your own Add-On), you have to manually modify your Add-On.

You can do this with the support of some app like Add-On Builder or CIM_Validator.

In very (and not exhaustive) words you have to:

create eventtypes to tag your data,
create field aliases to normalize your field names,
create some calculated field to normalize values of some fields (e.g. action).

Ciao.

Giuseppe

Re: How to make a CIM compliant data in splunk ES.

AL3Z — Fri, 21 Apr 2023 13:55:55 GMT

Do we need to make the data CIM compliant before adding it to the datasets ?

Re: How to make a CIM compliant data in splunk ES.

gcusello — Fri, 21 Apr 2023 14:12:49 GMT

Hi @AL3Z ,

data are added to Datamodel based on tags generated by eventtypes.

you can also rebuild the Data Model to add past logs, but this operation requires some time.

Ciao.

Giuseppe

Re: How to make a CIM compliant data in splunk ES.

richgalloway — Fri, 21 Apr 2023 16:53:45 GMT

Data models look for events with specific tags. Therefore, your data must have those tags for the DMs to find it.

Additionally, DMs look for specific fields in the events they find. Your data must have those fields (not necessarily all of them - see the CIM docs at https://docs.splunk.com/Documentation/CIM/5.1.1/User/Overview). Use TAs, field aliases, and evals as necessary to incorporate the needed fields into your data.

Re: How to make a CIM compliant data in splunk ES.

AL3Z — Sun, 23 Apr 2023 18:51:29 GMT

@woodcock

I have added the tag field for the respective logs and matched the index inline with the tag fields,

How do we confirm the data is cim compliant?

Using search ?

Thanks

Re: How to make a CIM compliant data in splunk ES.

richgalloway — Sun, 23 Apr 2023 20:10:18 GMT

Use the CIM Validator app (https://splunkbase.splunk.com/app/2968)

Re: How to make a CIM compliant data in splunk ES.

AL3Z — Mon, 24 Apr 2023 05:54:39 GMT

@richgalloway

Is there any other alternate to validated with out using App.

Re: How to make a CIM compliant data in splunk ES?

AL3Z — Mon, 24 Apr 2023 06:39:20 GMT

Hi all,

why the data is not feeding in dlp data model, what could be the cause, how to trouble shoot this issue.

Thanks

Re: How to make a CIM compliant data in splunk ES?

gcusello — Mon, 24 Apr 2023 07:36:41 GMT

Hi @AL3Z,

if you don't have data in DLP data Model, check the tags.

You can easily run a search like the one contained in the Data Model constrains:

(`cim_DLP_indexes`) tag=dlp tag=incident

where the macro contains the list of indexes to check for data and tags are the ones specific of the Data Model.

In this way you have all the events that could be inserted in that Data Model.

If you don't find the data you want, check the eventtypes and tags of your data: probably thet aren't correctly normalized in the Add-On.

Ciao.

Giuseppe

Re: How to make a CIM compliant data in splunk ES.

richgalloway — Mon, 24 Apr 2023 12:19:07 GMT

You could manually perform the same operations the app does.

1) Search your indexes for the tags used in the DM.

2) Compare the field names returned to the list of field names in the CIM manual (https://docs.splunk.com/Documentation/CIM/5.1.1/User/DataLossPrevention)

Re: How to make a CIM compliant data in splunk ES.

AL3Z — Mon, 24 Apr 2023 13:11:17 GMT

Hi,

@richgalloway
I can see data is not fed in data model.

ACCELERATION
Status
100.00% Completed
Access Count
0. Last Access: -
Size on Disk
0 B
Summary Range
604800 second(s)
Buckets
30

Re: How to make a CIM compliant data in splunk ES.

richgalloway — Mon, 24 Apr 2023 13:54:31 GMT

See the response from @gcusello earlier today.

if you don't have data in DLP data Model, check the tags.

You can easily run a search like the one contained in the Data Model constrains:

(`cim_DLP_indexes`) tag=dlp tag=incident

where the macro contains the list of indexes to check for data and tags are the ones specific of the Data Model.

In this way you have all the events that could be inserted in that Data Model.

If you don't find the data you want, check the eventtypes and tags of your data: probably thet aren't correctly normalized in the Add-On.

Re: How to make a CIM compliant data in splunk ES?

AL3Z — Mon, 24 Apr 2023 19:03:09 GMT

I want to check the netscope addon in props.conf and transforms.conf all the respective fields are available in the logs or not so that I can map them. But i am on splunk cloud how do I look for the app props and transform conf files from GUI ?
Thanks..

Re: How to make a CIM compliant data in splunk ES?

gcusello — Tue, 25 Apr 2023 09:11:08 GMT

Hi @AL3Z,

you can install in Splunk Cloud (or in your on-premise test instance) one of this apps:

SA-cim_vladiator (https://splunkbase.splunk.com/app/2968) I used it many times!

CIM_Buddy (https://splunkbase.splunk.com/app/6259) I used sometimes.

CIM Toolkit for Splunk Supporting Common Information Model Add-on (https://splunkbase.splunk.com/app/6243) I neved used it, but I'll try it.

Ciao.

Giuseppe

Re: How to make a CIM compliant data in splunk ES.

AL3Z — Tue, 25 Apr 2023 10:55:44 GMT

@richgalloway @gcusello ,@woodcock

I am unable to see any data on how we can normalize event types in the Add-On. Additionally, there doesn't seem to be a designated column for event types, with only a column available for tags.

Re: How to make a CIM compliant data in splunk ES?

AL3Z — Tue, 25 Apr 2023 12:18:11 GMT

Hi,
@gcusello
@richgalloway
Even after dlp data is added to the dlp datamodel, I didnt see any dlp incidents in the datamodel, what could be the problem here ?

Thanks