Splunk Enterprise Security
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Add-on for Microsoft Cloud Services CIM mapping not enabled for all Sourcetypes

becksyboy
Contributor
‎02-10-2025 07:24 AM

Hi,

We noticed for the Splunk Add-on for Microsoft Cloud Services that CIM mapping is not enabled for all the Sourcetypes.

https://splunk.github.io/splunk-add-on-for-microsoft-cloud-services/Sourcetypes/

In particular for the mscs:kql sourcetype we are ingesting Azure Network logs via sourcetype="mscs:kql" Type=AZFWNetworkRule.

I would have expected this Add On to have Network Datamodel CIM mapping included without having to do this ourselves (which we can if required). 

Is this the best Add On to use (or is there a better option) if you want more CIM mapping coverage by default or have you had to do manual CIM mapping when using this TA?

thanks

Labels (1)
Labels
0 Karma
Reply

becksyboy
Contributor
‎02-10-2025 11:53 AM

I agree! 🙃 Oh well self service CIM it is.

0 Karma
Reply

marycordova
SplunkTrust
SplunkTrust
‎02-10-2025 10:06 AM

LOL/SOB

I really wish there was more compliance around CIM, especially for these TAs built by big industry types...

but yes...self-CIM

giphy.gif

@marycordova
Reply

kiran_panchavat
Influencer
‎02-10-2025 08:25 AM

@becksyboy 

For more comprehensive CIM mapping coverage, you might need to perform manual CIM mapping. The Splunk Add-on Builder can help you map fields from your data events to the fields in any data model, including CIM data models.

Check this https://community.splunk.com/t5/Splunk-Enterprise/Azure-Firewall-Logs-Issue/m-p/703787 

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
Reply
Get Updates on the Splunk Community!

Announcing the Expansion of the Splunk Academic Alliance Program

The Splunk Community is more than just an online forum — it’s a network of passionate users, administrators, ...

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top