Solved: CIM help

splunkcol · ‎09-14-2020

I'm reviewing the logs to make sure the fields match the Splunk Enterprise Security CIM and datamodels.

The query shows me this percentage, understanding that they are the fields that are required versus the fields that it is finding, in this order of ideas, to adjust these fields I must create an alias or I must perform an "extract" either by regular expressions or tabs?

rajashekar_s · ‎01-07-2021

Per documentation, for example the action field in network traffic datamodel, prescribed values are allowed, blocked and teardown. But you have many values under action field. As suggested above, you can create a calculated field like

| eval action=case((action="xxx" OR action="yyy"),"allowed",1=1,"blocked")

Doing this on all recommended fields will increase you compliance %

View solution in original post

rajashekar_s · ‎01-07-2021

Per documentation, for example the action field in network traffic datamodel, prescribed values are allowed, blocked and teardown. But you have many values under action field. As suggested above, you can create a calculated field like

| eval action=case((action="xxx" OR action="yyy"),"allowed",1=1,"blocked")

Doing this on all recommended fields will increase you compliance %

richgalloway · ‎09-14-2020

Yes, you need to extract fields or create aliases to increase your CIM compliance.

---
If this reply helps you, Karma would be appreciated.

CIM help

configuration

correlation search

other

using Enterprise Security

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...