How do I create a TA CIM compliant for Qumulo?

gcusello · ‎12-17-2021

Hi at all,

I have to create a Technical Add-On to integrate Qumulo Audit logs in Enterprise Security.

I found that there's an archived app but it didn't contain any useful props.

So I tried to make by myself the CIM 4.x normalization.

Is there anyone that encountered and solved this problem or can give me some hint?

Ciao.

Giuseppe

aasabatini · ‎12-17-2021

Hi @gcusello

I hope you are well, if you have to create a new add-on for Qumulo Audit logs, please check if your data are compliant with the data model authentication.

please check your your fields naming convention on the documentation.

https://docs.splunk.com/Documentation/CIM/5.0.0/User/Authentication

another app can help you is the splunk cim vladiator

splunkbase.splunk.com/app/2968/

with this app you can check the percentage compliant on your data.

also you can use the add-on builder

splunkbase.splunk.com/app/2962/

I hope this information can help you.

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

gcusello · ‎12-17-2021

Hi @aasabatini,

it's a pleasure to speak with you!

I'm already making the steps you hinted for the Authentication Data Model.

I was hoping that someone already encountered this kind of log!

Thank you and have a Merry Christmas.

Ciao.

Giuseppe

bill_king · ‎03-10-2022

Hello @gcusello were you ever able to come up with custom qumulo CIM compliance configurations? If so, is that something you'd be willing to share? My company just started injesting a tremendous amount of qumulo syslog events. Thank you - Bill

How do I create a TA CIM compliant for Qumulo?

props.conf

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!