
Enterprise Security: how does the TA determine that a certain index/event-set is CIM compliant?


How does the TA determine that a certain index/event-set is CIM compliant? Does it require all the fields to match or only a certain subset?


Re: Enterprise Security: how does the TA determine that a certain index/event-set is cim compliant?


AFAIK, TAs don't validate an index for CIM compliance. It has to be done manually by the user. In most cases, only key fields (which are CIM compliant) are needed for a Splunk app to work properly.

CIM Validator is a great Splunk app for CIM validation.


Re: Enterprise Security: how does the TA determine that a certain index/event-set is cim compliant?


@danielbb

Please accept the answer if it significantly helped resolve your query for the benefit of other forum members, who might run into a similar issue.


Re: Enterprise Security: how does the TA determine that a certain index/event-set is cim compliant?


Sure thing.

You said - In most cases, only key fields (which are CIM compliant) are needed for a TA to work properly.

How can I find out which ones are needed?


Re: Enterprise Security: how does the TA determine that a certain index/event-set is cim compliant?


During indexing or at search time, the fields are extracted by add-ons (CIM compliant if configured properly), and the fields are used by Splunk apps/dashboards/data models.

The Splunk Enterprise Security Suite app utilizes a bunch of data models, as mentioned here. The list of fields used by each data model is also provided.


Re: Enterprise Security: how does the TA determine that a certain index/event-set is cim compliant?


Makes perfect sense, but which fields are needed in order to certify a certain event as CIM compliant?


Re: Enterprise Security: how does the TA determine that a certain index/event-set is cim compliant?


It depends on the use case and the app that you use. You can get the list of required fields either from the Splunk query used in the dashboards/reports/data models or from the app's documentation.

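A manual coverage check of the kind described above, as an added example that is not part of this thread: the search takes a data model's required fields (here the Authentication data model's action, app, dest, src and user) and reports, per field, how many events in the chosen sourcetype actually have it populated, which is the practical test of whether the add-on's extractions are working. The index and sourcetype names are placeholders to replace with your own.

```spl
index=<your_index> sourcetype=<your_sourcetype> earliest=-24h
| stats count AS total_events,
        count(action) AS action, count(app) AS app,
        count(dest) AS dest, count(src) AS src, count(user) AS user
| transpose column_name=field
| rename "row 1" AS events_with_field
| eventstats max(eval(if(field=="total_events", events_with_field, null()))) AS total_events
| where field!="total_events"
| eval coverage_pct=round(100*events_with_field/total_events, 1)
| eval status=if(coverage_pct==100, "ok", "check extractions")
| sort coverage_pct
```

A field at 0% usually means the add-on never extracts it for this sourcetype; a field at a partial percentage usually points to an extraction that only matches some event formats.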

Re: Enterprise Security: how does the TA determine that a certain index/event-set is cim compliant?


The CIM Validator seems like a great app - thank you.


Re: Enterprise Security: how does the TA determine that a certain index/event-set is cim compliant?


I'm glad it helped.


Re: Enterprise Security: how does the TA determine that a certain index/event-set is cim compliant?


The screenshots at SA-cim_vladiator are really impressive.
