Splunk Enterprise Security

Can I inherit from the CIM Model?

beano501
Explorer

We have lots of firewalls (both internal and internet facing) feeding into our CIM Network_Traffic Model within Enterprise Security. I would like to be able to distinguish the traffic that comes from the internet with other traffic.

One way that occurred to me is to modify the CIM Network_Traffic model to have an extra "inheritance" (alongside Allowed_Traffic and Blocked_Traffic). Something like Internet_Traffic with the constraint specifying the appropriate dvc and src_interface values.

Is this a good idea? Would it break anything? How would it work w.r.t. update/upgrades to the CIM model?

0 Karma

lakshman239
Influencer

@beano501 My recommendation would be not to update the datamodel as much as possible. One way to achieve what you are looking for is to use the 'src_interface' and 'dest_interface' fields in https://docs.splunk.com/Documentation/CIM/5.0.0/User/NetworkTraffic . Populate these fields with your values from the firewall logs, which can then be used in your searches. Additionally, the mapping can also be used via a lookup table to enrich data as necessary.

Additionally, I would also suggest you capture all your firewalls in a lookup within the ES Assets, using appropriate values in 'category' (e.g. internal_fw, external_fw, dmzfw etc..). This would then be available both in your searches and in your datam

0 Karma
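The approach in this answer, as an added example (not from the reply author or from Splunk): a tstats search over the accelerated Network_Traffic model that classifies traffic by firewall device and ingress interface through a lookup. The lookup name fw_interfaces.csv and its columns (dvc, src_interface, fw_zone with values such as internet, internal, dmz) are assumed; rows that match no lookup entry are kept as "unclassified" so gaps in the mapping stay visible instead of silently disappearing.

```spl
| tstats summariesonly=true count sum(All_Traffic.bytes) as bytes
    from datamodel=Network_Traffic.All_Traffic
    by All_Traffic.dvc All_Traffic.src_interface All_Traffic.action All_Traffic.dest_port
| rename All_Traffic.* as *
| lookup fw_interfaces.csv dvc src_interface OUTPUT fw_zone
| eval fw_zone=coalesce(fw_zone, "unclassified")
| stats sum(count) as count sum(bytes) as bytes by fw_zone dvc action dest_port
| sort fw_zone - bytes
```

Filtering with `| where fw_zone="internet"` after the eval gives just the internet-facing slice; leaving the `unclassified` rows in the first run is a quick check that every firewall and interface is present in the lookup.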

richgalloway
SplunkTrust

Yes, you can modify a datamodel, but I don't advise it. Just like a local modification of a dashboard overrides all future delivered versions of that dashboard, a locally modified datamodel will never see updates from future CIM releases.

You can do it, but you're committing yourself to having to update your version whenever the delivered version changes.

I'd consider cloning the Network_Traffic DM and modifying the clone to contain only your dataset.  Accelerating that DM will mean running extra searches, but it will be easier to maintain.

---
If this reply helps you, Karma would be appreciated.
0 Karma