Splunk Enterprise Security

Can Splunk be 100% CIM compliant?

ujuka
New Member

My team is always complaining that Splunk is not CIM compliant. Most data sources in Splunk, such as Symantec Endpoint and Bluecoat logs, are not completely CIM compliant; they are 80% CIM compliant. My question is: can Splunk ever be 100% CIM compliant, or am I trying to do something that can't be achieved?


LukeMurphey
Champion

I'm one of the founders of Enterprise Security (which was a big driver in the CIM, which I also helped develop) and I completely agree that CIM compliance in the way that your coworkers are describing is flawed.

Here are some observations:

  1. The main point of CIM compliance is to enable use-cases and help you solve problems. The question ought to be less "what is the rate of CIM compliance?" and rather "what use-cases can I not do as a result of logs that don't match the CIM?". Conversely, you could even have high compliance while missing key use-cases (e.g. "I have 99% compliance but I just so happen to ignore those log messages that say my firewall is failing").
  2. The CIM doesn't have models for every conceivable type of data; it was never meant to cover absolutely everything. This is why the CIM is updated with new models every once in a while.
  3. Some logs are extremely complicated to parse consistently because they include several formats. Consider Unix logs which may have many, many sources and several formats. 100% coverage would be unrealistic.
  4. CIM compliance often follows the Pareto Principle in that the first 80% of the data takes 20% of the effort. The last 20% will likely be as hard if not harder than the first 80%. One needs to consider the real value of that 20% before determining if it is worth spending the time to get them compliant. It likely isn't worth the effort (assuming it can even be done).
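The contrast in point 1 can be made measurable. The following is an added example, not code from the thread or from Splunk: it scores a constructed batch of events two ways, as "percent of CIM fields populated" and as "events usable by each use case", using hypothetical use-case definitions and field names to show how the first number can look healthy while a critical use case has nothing to work with.

```python
"""Contrast "percent of CIM fields populated" with per-use-case coverage.

Added example, not from the original thread. Events, field list and use
cases are constructed; a Splunk deployment would compute the equivalent
numbers from its own indexes and data models.
"""
from fractions import Fraction

# Constructed subset of Network_Traffic-style field names used for the
# naive "compliance rate" metric.
CIM_FIELDS = ("action", "src", "dest", "dest_port", "transport", "vendor_product")

# Hypothetical use cases and the fields each one needs populated.
USE_CASES = {
    "blocked_outbound_review": {"action", "src", "dest", "dest_port"},
    # Needs a 'status' field that the parser never extracts from health messages.
    "firewall_health_alert": {"vendor_product", "status"},
}


def populated(event):
    """Set of field names in an event that carry a non-empty value."""
    return {k for k, v in event.items() if v not in (None, "")}


def field_compliance(events, fields=CIM_FIELDS):
    """Fraction of (event, field) pairs where the field is populated."""
    total = len(events) * len(fields)
    present = sum(1 for ev in events for f in fields if f in populated(ev))
    return Fraction(present, total) if total else Fraction(0)


def use_case_coverage(events, use_cases=USE_CASES):
    """Per use case: how many events carry every field that use case needs."""
    return {name: sum(1 for ev in events if required <= populated(ev))
            for name, required in use_cases.items()}


def build_sample_events():
    """Constructed events: nine well-parsed flows and one unparsed health message."""
    flows = [{"action": "blocked", "src": f"10.0.0.{i}", "dest": "203.0.113.9",
              "dest_port": 443, "transport": "tcp", "vendor_product": "ExampleFW"}
             for i in range(1, 10)]
    # The message that matters most arrives with only the vendor name extracted.
    health = {"vendor_product": "ExampleFW",
              "_raw": "FW01 HA peer lost, failover pending"}
    return flows + [health]


if __name__ == "__main__":
    sample = build_sample_events()
    print(f"field compliance: {float(field_compliance(sample)):.1%}")  # about 91.7%
    print(use_case_coverage(sample))  # firewall_health_alert: 0 usable events
```

The compliance rate reports roughly 92%, yet the one event that describes the firewall failing is unusable by the use case that needs it, which is the gap the percentage hides.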

ujuka
New Member

Hi Luke,
Thanks for answering the question. Hope this will help explain to the team how to drive the percentage of CIM compliance with use cases.

Thank You,
Ujuka


richgalloway
SplunkTrust

I doubt you will ever see 100% CIM compliance. That would require every event to contain every CIM field for a given datamodel and that just doesn't happen, IME. I'm not saying it isn't possible, but it's probably impractical. I'd be very happy with 80% compliance, TBH.

---
If this reply helps you, Karma would be appreciated.