Splunk Enterprise Security

Splunk Add-on for Microsoft Active Directory: Is this add-on compliant with Common Information Model (CIM)?

guarisma
Contributor

Splunkbase says Splunk Add-on for Microsoft Active Directory is complaint with CIM VERSIONS 4.0, 3.0 ( https://splunkbase.splunk.com/app/3207/ ), but I cannot find the documentation like other Splunk built Add-ons about what Data sets from the Common Information Model (CIM) Data Model matches each of the sourcetypes

Does anyone know?

This are the sourcetypes included in the Splunk Add-on for Microsoft Active Directory

MSAD:NT6:Health
MSAD:NT6:SiteInfo
MSAD:NT6:Replication
MSAD:NT6:Netlogon
MSAD:SubnetAffinity

I'm looking for sources that can be ingested by Splunk Enterprise Security

1 Solution

mglauser_splunk
Splunk Employee
Splunk Employee

Hello,

After verifying with the development team, the Splunk Add-on for Microsoft Active Directory is not CIM compliant. Cim compliance has now been removed from the add-on's Splunkbase page to reflect this information.

View solution in original post

mglauser_splunk
Splunk Employee
Splunk Employee

Hello,

After verifying with the development team, the Splunk Add-on for Microsoft Active Directory is not CIM compliant. Cim compliance has now been removed from the add-on's Splunkbase page to reflect this information.

guarisma
Contributor

Is there a replacement for this Add-on?

0 Karma

niemesrw
Path Finder

Hi guarisma - you can see what's CIM compatible by looking at the tags.conf and probably eventtypes.conf files in the TA - usually eventtypes have been tagged with CIM-compatible tags as a sort-of best practice. If something has a tag that matches a CIM tag then that's where you're going to see it map into the CIM.

At first glance, I don't see any tags in the TA, so I don't believe any work has been done to that TA.

0 Karma
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...