Splunk Enterprise Security

Splunk Add-on for Microsoft Active Directory: Is this add-on compliant with Common Information Model (CIM)?

guarisma
Contributor

Splunkbase says Splunk Add-on for Microsoft Active Directory is compliant with CIM VERSIONS 4.0, 3.0 ( https://splunkbase.splunk.com/app/3207/ ), but I cannot find the documentation, like for other Splunk-built add-ons, about which data sets from the Common Information Model (CIM) data model match each of the sourcetypes.

Does anyone know?

These are the sourcetypes included in the Splunk Add-on for Microsoft Active Directory:

MSAD:NT6:Health
MSAD:NT6:SiteInfo
MSAD:NT6:Replication
MSAD:NT6:Netlogon
MSAD:SubnetAffinity

I'm looking for sources that can be ingested by Splunk Enterprise Security.

1 Solution

mglauser_splunk
Splunk Employee

Hello,

After verifying with the development team, the Splunk Add-on for Microsoft Active Directory is not CIM compliant. CIM compliance has now been removed from the add-on's Splunkbase page to reflect this information.


guarisma
Contributor

Is there a replacement for this Add-on?

0 Karma

niemesrw
Path Finder

Hi guarisma - you can see what's CIM compatible by looking at the tags.conf and probably eventtypes.conf files in the TA - usually eventtypes have been tagged with CIM-compatible tags as a sort-of best practice. If something has a tag that matches a CIM tag then that's where you're going to see it map into the CIM.

At first glance, I don't see any tags in the TA, so I don't believe any work has been done to that TA.

0 Karma
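
The check niemesrw describes can be scripted. This is an added example, not part of the original thread or the add-on's code: it reads a TA's eventtypes.conf and tags.conf and lists which CIM data models each eventtype's enabled tags satisfy. The sample files and the partial tag-to-data-model table are constructed assumptions.

```python
from urllib.parse import unquote

# Partial, assumed map of CIM data models to the tags their constraints
# require; verify against the CIM version you have installed.
CIM_TAGS = {
    "Authentication": {"authentication"},
    "Change": {"change"},
    "Network_Traffic": {"network", "communicate"},
}

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def cim_report(eventtypes_text, tags_text):
    """Return {eventtype: sorted CIM data models its enabled tags satisfy}."""
    enabled = {}
    for stanza, kv in parse_conf(tags_text).items():
        field, _, value = stanza.partition("=")
        if field.strip() == "eventtype":  # stanza values may be URL-encoded
            enabled[unquote(value.strip())] = {
                tag for tag, state in kv.items() if state.lower() == "enabled"}
    return {name: sorted(m for m, need in CIM_TAGS.items()
                         if need <= enabled.get(name, set()))
            for name in parse_conf(eventtypes_text)}

# Constructed sample files for a hypothetical TA (not the add-on's real config).
EVENTTYPES = """
[example_logon]
search = sourcetype=example:auth action=*
[example_health]
search = sourcetype=example:health
"""
TAGS = """
[eventtype=example_logon]
authentication = enabled
network = enabled
communicate = disabled
"""
print(cim_report(EVENTTYPES, TAGS))
```

An empty list for an eventtype is the "no tags in the TA" case described above. Matching tags only bring events into a data model's search scope; the field extractions and aliases still decide whether the CIM fields are populated.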