
How to make DLP data to CIM compliant?

AL3Z
Builder

Hello,


How could I figure out whether my indexed DLP data is CIM compliant or not in my Splunk ES?


woodcock
Esteemed Legend

It is suggesting that you configure this:

https://YourSplunkHere/en-US/manager/Splunk_SA_CIM/data/macros?ns=Splunk_SA_CIM&pwnr=-&app_only=1&se...

But that is only half of the problem; what do you set it to?  You can use my app to tell you:

https://classic.splunkbase.splunk.com/app/6243/

AL3Z
Builder

Hi All,
@woodcock @gcusello 

I'm seeing the message "This object has no explicit index constraint. Consider adding one for better performance." for the DLP data model.
How could we add the dlp index to this data model?

Thanks.

AL3Z
Builder

Hi,
@woodcock @gcusello 
What do we need to fill in here for DLP data?

Thanks

AL3Z
Builder

@woodcock 
@gcusello 

In general for DLP, what should the Dataset ID and Constraints be?

gcusello
SplunkTrust

Hi @AL3Z,

In CIM, there's a Data Model called "Data Loss Prevention" for this scope.

Ciao.

Giuseppe


AL3Z
Builder

@gcusello 
@woodcock 

In the Add Auto-Extracted Field window for a dataset, what field name and display name have to be entered for the DLP data?

It is showing an error like this: "Field Name can not contain whitespace, double quotes, single quotes, curly braces or asterisks."

Thanks

gcusello
SplunkTrust

Hi @AL3Z,

CIM field names are predefined (for more info see https://docs.splunk.com/Documentation/CIM/5.1.1/User/Overview).

But it's possible to add custom fields.

Obviously custom fields must follow some rules, e.g. field names cannot contain spaces or special chars.

So which field do you want to add?

Ciao.

Giuseppe


AL3Z
Builder

I'm trying to add the domain_shared_with field but it's not allowing me to add it; even after removing the curly braces it is still showing the error "Field Name can not contain whitespace, double quotes, single quotes, curly braces or asterisks."

And one more thing: while adding the auto-extracted fields, what duration of events do we need to select in the below snapshot?

Thanks.

gcusello
SplunkTrust

Hi @AL3Z,

Create an alias and add it to your Data Model; as I said, it isn't a best practice to have spaces or special chars in field names.

You should have the same issue using this field (with {}) in some commands such as eval.

Ciao.

Giuseppe


woodcock
Esteemed Legend

There are several parts as follows:
1: Get new data in.
2: Do the CIM mapping.
2a: Usually there is an app in Splunkbase that does this, but is it doing its job well enough?  Check with this: https://docs.splunk.com/Documentation/CIM/latest/User/UsetheCIMtovalidateyourdata
2a1: Sometimes the app does a good job.
2a2: Sometimes the app needs to be fixed.
2a2a: Sometimes the author can be found and cares and will update the app if you send him your fix.
2a2b: Most of the time, your fix is for you alone.
2b: Sometimes there is no app and you have to do ALL of the work yourself.
3: Set your "cim_*_index" macros.  You can use a scheduled search in the "CIM Toolkit" app to do this.  This search can also be scheduled to let you know when your macro needs to be updated:
https://classic.splunkbase.splunk.com/app/6243

The CIM Toolkit is a treasure trove of useful macros, searches, and ideas on how best to leverage the CIM in a SIEM.

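As an added illustration (not configuration from this thread or from either app linked above), here are the alias that gcusello recommends for the braced field, plus the eventtype, tags and index macro that steps 2 and 3 of woodcock's list refer to, written as Splunk .conf stanzas in a local add-on. The sourcetype name, the vendor field names on the right-hand side of the aliases, and the index name "dlp" are all assumptions.

```ini
# props.conf  (e.g. TA-my-dlp/local/props.conf)
# Assumed sourcetype; substitute the one your DLP feed actually uses.
[my:dlp:json]
# JSON multivalue fields are auto-extracted with a trailing {}, which the
# data model editor rejects. Single quotes let eval reference such a name,
# so copy it into a brace-free field and add THAT to the data model.
EVAL-domain_shared_with = 'domain_shared_with{}'

# CIM "Data Loss Prevention" model fields (user, src, object, action,
# dlp_type, vendor_product). Left-hand vendor field names are assumed.
FIELDALIAS-dlp_user   = actor_email AS user
FIELDALIAS-dlp_src    = client_ip AS src
FIELDALIAS-dlp_object = file_name AS object
EVAL-action  = case(match(disposition, "(?i)block"), "blocked", match(disposition, "(?i)allow"), "allowed", true(), "unknown")
EVAL-dlp_type = coalesce(policy_name, "unknown")
EVAL-vendor_product = "ExampleVendor DLP"

# eventtypes.conf -- scope the tagging to this feed only
[my_dlp_incident]
search = sourcetype=my:dlp:json

# tags.conf -- the DLP_Incidents root dataset is constrained to
# tag=dlp tag=incident, so both tags are needed for events to appear
[eventtype=my_dlp_incident]
dlp = enabled
incident = enabled

# Splunk_SA_CIM/local/macros.conf -- step 3 above: constrain the data
# model to the index holding DLP events (assumed index name "dlp")
[cim_DLP_indexes]
definition = (index=dlp)
```

After deploying, `| datamodel DLP DLP_Incidents search` (or the CIM validation search linked in step 2a) should return the tagged events with the CIM field names populated; empty `user`/`src`/`object` columns point at a wrong vendor field name on the alias side.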

AL3Z
Builder

@gcusello 
Do we have any option in the Splunk Security Essentials app to check whether the data is CIM compliant or not?

gcusello
SplunkTrust

Hi @AL3Z,

The easiest way is to understand which Add-on you are using for ingestion and parsing, and check on Splunkbase whether it's CIM compliant or not.

Usually the problem is only with custom or old Add-ons, or if you don't use an Add-on at all.

Ciao.

Giuseppe


gcusello
SplunkTrust

Hi @AL3Z,

You don't make an index CIM compliant, but rather the Add-on that ingests the data.

Anyway, using an app like Add-On Builder (https://splunkbase.splunk.com/app/2962) or CIM-Validator (https://splunkbase.splunk.com/app/2968), you get help identifying the changes needed to make your add-on CIM compliant.

Ciao.

Giuseppe
