Hi all,
I have to create a Technical Add-On to integrate Qumulo Audit logs in Enterprise Security.
I found that there's an archived app but it didn't contain any useful props.
So I tried to do the CIM 4.x normalization by myself.
Is there anyone who has encountered and solved this problem or can give me a hint?
Ciao.
Giuseppe
Hi @gcusello,
I hope you are well. If you have to create a new add-on for Qumulo Audit logs, please check whether your data are compliant with the Authentication data model.
Please check your field naming convention in the documentation.
https://docs.splunk.com/Documentation/CIM/5.0.0/User/Authentication
Another app that can help you is the Splunk CIM vladiator:
splunkbase.splunk.com/app/2968/
With this app you can check the compliance percentage of your data.
You can also use the Add-on Builder:
splunkbase.splunk.com/app/2962/
I hope this information can help you.
Hi @aasabatini,
it's a pleasure to speak with you!
I'm already following the steps you hinted at for the Authentication Data Model.
I was hoping that someone already encountered this kind of log!
Thank you and have a Merry Christmas.
Ciao.
Giuseppe
Hello @gcusello, were you ever able to come up with custom Qumulo CIM compliance configurations? If so, is that something you'd be willing to share? My company just started ingesting a tremendous amount of Qumulo syslog events. Thank you - Bill