Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Add-on for Microsoft Cloud Services CIM mapping not enabled for all Sourcetypes

becksyboy
Contributor
‎02-10-2025 07:24 AM

Hi,

We noticed for the Splunk Add-on for Microsoft Cloud Services that CIM mapping is not enabled for all the Sourcetypes.

https://splunk.github.io/splunk-add-on-for-microsoft-cloud-services/Sourcetypes/

In particular for the mscs:kql sourcetype we are ingesting Azure Network logs via sourcetype="mscs:kql" Type=AZFWNetworkRule.

I would have expected this Add On to have Network Datamodel CIM mapping included without having to do this ourselves (which we can if required). 

Is this the best Add On to use (or is there a better option) if you want more CIM mapping coverage by default or have you had to do manual CIM mapping when using this TA?

thanks

Labels (1)
Labels
0 Karma
Reply

becksyboy
Contributor
‎02-10-2025 11:53 AM

I agree! 🙃 Oh well self service CIM it is.

0 Karma
Reply

marycordova
SplunkTrust
SplunkTrust
‎02-10-2025 10:06 AM

LOL/SOB

I really wish there was more compliance around CIM, especially for these TAs built by big industry types...

but yes...self-CIM

giphy.gif

@marycordova
Reply

kiran_panchavat
Champion
‎02-10-2025 08:25 AM

@becksyboy 

For more comprehensive CIM mapping coverage, you might need to perform manual CIM mapping. The Splunk Add-on Builder can help you map fields from your data events to the fields in any data model, including CIM data models.

Check this https://community.splunk.com/t5/Splunk-Enterprise/Azure-Firewall-Logs-Issue/m-p/703787 

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...