https://community.splunk.com/t5/Splunk-Enterprise-Security/Can-splunk-be-100-CIM-Compliance/m-p/483157#M7830 <P>I doubt you will ever see 100% CIM compliance. That would require every event to contain every CIM field for a given datamodel and that just doesn't happen, IME. I'm not saying it isn't possible, but it's probably impractical. I'd be very happy with 80% compliance, TBH.</P> Tue, 14 Jan 2020 21:40:53 GMT richgalloway 2020-01-14T21:40:53Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Can-splunk-be-100-CIM-Compliance/m-p/483156#M7829 <P>My team is always complainin that splunk is not cim compliance. Most of data sources in splunk such as symantec endpoint and bluecoat logs are not completely cim compliance. They are 80% cim compliance. My question is can splunk ever be 100%cim compliance or am I trying to do something that cant be achieved.</P> Tue, 14 Jan 2020 20:17:41 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Can-splunk-be-100-CIM-Compliance/m-p/483156#M7829 ujuka 2020-01-14T20:17:41Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Can-splunk-be-100-CIM-Compliance/m-p/483157#M7830 <P>I doubt you will ever see 100% CIM compliance. That would require every event to contain every CIM field for a given datamodel and that just doesn't happen, IME. I'm not saying it isn't possible, but it's probably impractical. I'd be very happy with 80% compliance, TBH.</P> Tue, 14 Jan 2020 21:40:53 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Can-splunk-be-100-CIM-Compliance/m-p/483157#M7830 richgalloway 2020-01-14T21:40:53Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Can-splunk-be-100-CIM-Compliance/m-p/483158#M7831 <P>I'm one of the founders of Enterprise Security (which was a big driver in the CIM, which I also helped develop) and I completely agree that CIM compliance in the way that your coworkers are describing is flawed.</P> <P>Here are some observations:</P> <OL> <LI>The main point of CIM compliance is to enable use-cases and help you solve problems. The question ought to be less "what is the rate of CIM compliance?", <STRONG>the question should rather be "what use-cases can I <EM>not</EM> do as a result of logs that don't match the CIM?"</STRONG>. Conversely, you could even have high compliance while missing key use-cases (e.g. "I have 99% compliance but I just so happen to ignore those log messages that say my firewall is failing").</LI> <LI><STRONG>The CIM doesn't have models for every conceivable type of data, it was never meant to cover absolutely everything.</STRONG> This is why the CIM is updated with new models every once in a while.</LI> <LI><STRONG>Some logs are extremely complicated to parse consistently because they include several formats.</STRONG> Consider Unix logs which may have many, many sources and several formats. 100% coverage would be unrealistic.</LI> <LI>CIM compliance often follows the Pareto Principle in that the first 80% of the data takes 20% of the effort. The last 20% will likely be as hard if not harder than the first 80%. <STRONG>One needs to consider the real value of that 20% before determining if it is worth spending the time to get them compliant. It likely isn't worth the effort</STRONG> (assuming it can even be done).</LI> </OL> Tue, 14 Jan 2020 22:48:35 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Can-splunk-be-100-CIM-Compliance/m-p/483158#M7831 LukeMurphey 2020-01-14T22:48:35Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Can-splunk-be-100-CIM-Compliance/m-p/483159#M7832 <P>Hi Luke,<BR /> Thanks for answering the question. Hope this would explain the team to drive the percentage of CIM Compliance with use cases. </P> <P>Thank You,<BR /> Ujuka</P> Wed, 15 Jan 2020 13:52:10 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Can-splunk-be-100-CIM-Compliance/m-p/483159#M7832 ujuka 2020-01-15T13:52:10Z