Solved: Re: CIM help

splunkcol · ‎09-14-2020

I'm reviewing the logs to make sure the fields match the Splunk Enterprise Security CIM and datamodels.

The query shows me this percentage, understanding that they are the fields that are required versus the fields that it is finding, in this order of ideas, to adjust these fields I must create an alias or I must perform an "extract" either by regular expressions or tabs?

rajashekar_s · ‎01-07-2021

Per documentation, for example the action field in network traffic datamodel, prescribed values are allowed, blocked and teardown. But you have many values under action field. As suggested above, you can create a calculated field like

| eval action=case((action="xxx" OR action="yyy"),"allowed",1=1,"blocked")

Doing this on all recommended fields will increase you compliance %

View solution in original post

rajashekar_s · ‎01-07-2021

Per documentation, for example the action field in network traffic datamodel, prescribed values are allowed, blocked and teardown. But you have many values under action field. As suggested above, you can create a calculated field like

| eval action=case((action="xxx" OR action="yyy"),"allowed",1=1,"blocked")

Doing this on all recommended fields will increase you compliance %

richgalloway · ‎09-14-2020

Yes, you need to extract fields or create aliases to increase your CIM compliance.

---
If this reply helps you, Karma would be appreciated.

CIM help

configuration

correlation search

other

using Enterprise Security

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability