topic Re: Splunk CIM and Datamodels and or Macros in Splunk Enterprise

Splunk CIM and Datamodels and or Macros

domino30 — Wed, 12 Apr 2023 22:00:43 GMT

There a re many good Apps in Splunk Base and if your asking for compliance some APPS will ask you too make sure your data is "CIM compliant"

Mainly the infosec apps and the compliance essentials for splunk

I have done more searching on this than literally anything for Splunk "So Far"

and one thin I can find is a example where they have all details laid out and obvious as to what that looks like.

I guess I figured most of the communities looked the same because the data looks the same going in but it feels like rocket Science.

I tried to follow things like https://www.deductiv.net/blog/splunk-cim-performance/ but even that has had some fields not show up where I know they should in Infosec App especially.

That has me ultimately editing the macro for Authentication but I have also read don't edit this so what gives?

Maybe I am going about this the wrong way.

So if you can either show me what you env looks like----- OR point me to a place that does splunk CIM compliance fomr a-z in all relevant fields for dummies I would be very interested thanks.

Re: Splunk CIM and Datamodels and or Macros

richgalloway — Thu, 13 Apr 2023 12:29:33 GMT

There is no such thing as 100% CIM compliance. Each data source contains certain fields, which most likely will not be all of the fields in any given CIM data model. Such is life. We work with what we have.

The goal of CIM is to use a s common set of field names to make it easier to write searches. CIM is not about forcing data to conform to certain models.

Re: Splunk CIM and Datamodels and or Macros

woodcock — Thu, 13 Apr 2023 15:44:39 GMT

There are several parts as follows:
1: Get new data in.
2: Do the CIM mapping.
2a: Usually there is an app in splunkbase that does this but is it doing it's job well enough? Check with this: https://docs.splunk.com/Documentation/CIM/latest/User/UsetheCIMtovalidateyourdata
2a1: Sometimes the app does a good job.
2a2: Sometimes the app needs to be fixed.
2a2a: Sometimes the author can be found and cares and will update the app if you send him your fix.
2a2b: Most of the time, your fix is for you alone.
2b: Sometimes there is no app and you have to do ALL of the work yourself.
3: Set your "cim_*_index" macros. You can use a scheduled search in the "CIM Toolkit" app to do this. This search can also be scheduled to let you know when your macro needs to be updated:
https://classic.splunkbase.splunk.com/app/6243

The CIM Toolkit is a treasure trove of useful macros, searches, and ideas on how best to leverage the CIM in a SIEM.