CIM compliance add-on normalizes data to which dat...

kannu · ‎03-05-2024

Hello All ,

Just wanted to know is there any way , in which we can identify that available CIM compliance add on on Splunk base normalizes to which data model of CIM Splunk ,

One way i know is to check tags .conf and eventype.conf , where they mentioned the data model name in form of tag ,

but if tags.conf and eventype.conf is not there then how to identify which data model is being used in addon .

If anybody has also faced the same issue , like me , or knows how to deal with it , please let me know .

gcusello · ‎03-05-2024

Hi @kannu,

there isn't a pre-defined way to associate an Ad-On to a Data Model.

You should see the tags (defined in tags.conf), and map them to the Data Models Constraints that you can find in the pages of these URL: https://docs.splunk.com/Documentation/CIM/5.3.1/User/Howtousethesereferencetables .

Some Add-Ons could also be associated to more than one Data Model.

Ciao.

Giuseppe

kannu · ‎03-06-2024

@gcusello .

I am using tags.conf way only , but in few apps its not there , not even eventype.conf , so for those apps its become very difficult .

Few of them are:

proofpoint-decoder-add-on-for-splunk_100
qintel-pmi-add-on-for-splunk_100
technical-add-on-for-honeypy_10

gcusello · ‎03-06-2024

Hi @kannu,

I understand: there aren't eventtypes.conf and tags.conf, (I don't understand how it was declared CIM compliant!).

The only way is consider them as custom and follow the normalization process using the Add-On builder or the SA-CIM Vlaidator.

Ciao.

Giuseppe

CIM compliance add-on normalizes data to which data model

data model

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?