Splunk Enterprise Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

CIM help

splunkcol
Builder
‎09-14-2020 11:17 AM

I'm reviewing the logs to make sure the fields match the Splunk Enterprise Security CIM and datamodels.

The query shows me this percentage, understanding that they are the fields that are required versus the fields that it is finding, in this order of ideas, to adjust these fields I must create an alias or I must perform an "extract" either by regular expressions or tabs?

cp_log.png

cp_log2.png

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rajashekar_s
Path Finder
‎01-07-2021 08:31 AM

Per documentation, for example the action field in network traffic datamodel, prescribed values are allowed, blocked and teardown. But you have many values under action field. As suggested above, you can create a calculated field like

| eval action=case((action="xxx" OR action="yyy"),"allowed",1=1,"blocked")

Doing this on all recommended fields will increase you compliance %

View solution in original post

Reply
Solved! Jump to solution
Solution

rajashekar_s
Path Finder
‎01-07-2021 08:31 AM

Per documentation, for example the action field in network traffic datamodel, prescribed values are allowed, blocked and teardown. But you have many values under action field. As suggested above, you can create a calculated field like

| eval action=case((action="xxx" OR action="yyy"),"allowed",1=1,"blocked")

Doing this on all recommended fields will increase you compliance %

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-14-2020 12:26 PM

Yes, you need to extract fields or create aliases to increase your CIM compliance.

---
If this reply helps you, Karma would be appreciated.
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Splunk Observability Metrics Cost Optimization

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...