Splunk Enterprise Security

Is there some sort of list of which CIM area common sourcetypes fit in?


Hello everyone,

There is extensive documentation on what fields need to exist in order for a data source to fit into a certain CIM data model, but as far as I know everyone is reinventing the wheel in terms of finding which common sources/apps can fit the data model but do not because of some reason.

For example, I am ingesting Windows logs and I'm running ES. I open up the "Alerts" data model and go to the pivot, split rows by sourcetype. Choose a good, representative range (7 days for me) and I get a nice list of all my sourcetypes that are working with this data model. That are CIM compliant for this data model.

I do not, however, have any easy method of looking at what sources could work with it, but do not.

I was wondering if anyone knew if some sort of list existed that did so? Or perhaps an efficient way of finding it? Alerts was just an example, ideally it'd be for every data model.

If not, I plan to put together a google doc that does just this and will happily share it once it becomes something worth looking at.


I think the big issue is you can call sourcetypes anything you want. Even if you abstract that a level up though I don't think there is a list of which technologies map, or can map, to specific CIM data model simply because the number of technologies is essentially infinite not to mention fluid. The way I tried to address that in my deployment is look at the fields for each of the DMs and then see how closely each of my sourcetypes (I have ~600+ in my environment) map to any particular one DM. This allowed me to make some changes for CIM compliant fields based on knowledge of the sourcetype and volume of that particular data source. I've also kicked the tires on creating a data taxonomy for my sourcetypes. This is similar to and has overlap with the CIM but is useful in its own right and to some different ends. I didn't capture using the taxonomy in my Splunk answers writeup or blog post but it helped in the overall effort.

At any rate my experience with the field mapping is captured in this Splunk answers post which you might have already run across.


I like this question, poking it up on some Splunk forums and whatnot to see if I can get it a little more traction.

0 Karma