Hello,
How could I figure out whether my indexed DLP data is CIM compliant or not in my Splunk ES?
It is suggesting that you configure this:
But that is only half of the problem; what do you set it to? You can use my app to tell you:
Hi @AL3Z,
CIM field names are predefined (for more info see https://docs.splunk.com/Documentation/CIM/5.1.1/User/Overview),
but it's possible to add custom fields.
Obviously custom fields must follow some rules, e.g. field names cannot contain spaces or special chars.
So which field do you want to add?
Ciao.
Giuseppe
I'm trying to add the domain_shared_with field but it's not allowing me to add it, even after removing the curly braces; it is showing an error "Field Name can not contain whitespace, double quotes, single quotes, curly braces or asterisks."
And one more thing: while adding the auto-extracted fields, we need to select what duration of events from the below snapshot.
Thanks.
Hi @AL3Z,
Create an alias and add it to your Data Model; as I said, it isn't a best practice to have spaces or special chars in field names.
You should have the same issue also using this field (with {}) in some commands such as eval.
Ciao.
Giuseppe
There are several parts as follows:
1: Get new data in.
2: Do the CIM mapping.
2a: Usually there is an app in Splunkbase that does this, but is it doing its job well enough? Check with this: https://docs.splunk.com/Documentation/CIM/latest/User/UsetheCIMtovalidateyourdata
2a1: Sometimes the app does a good job.
2a2: Sometimes the app needs to be fixed.
2a2a: Sometimes the author can be found and cares and will update the app if you send him your fix.
2a2b: Most of the time, your fix is for you alone.
2b: Sometimes there is no app and you have to do ALL of the work yourself.
3: Set your "cim_*_index" macros. You can use a scheduled search in the "CIM Toolkit" app to do this. This search can also be scheduled to let you know when your macro needs to be updated:
https://classic.splunkbase.splunk.com/app/6243
The CIM Toolkit is a treasure trove of useful macros, searches, and ideas on how best to leverage the CIM in a SIEM.
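The check in step 2a can be done with a plain search before the cim_*_indexes macro is set, which is the situation in the question. The search below is an added example, not part of this thread or of the CIM Toolkit. It reports, per expected CIM field, the percentage of DLP events in which the field is populated, so a field at 0% is either not extracted or extracted under a non-CIM name. The index and sourcetype placeholders are assumptions; the field list is taken from the CIM Data Loss Prevention model's DLP_Incidents dataset and should be checked against the CIM version you run. The eval on the second line is the alias approach from the earlier reply, applied in-search: single quotes let eval reference the `domain_shared_with{}` field that the data model UI rejects because of the braces.

```spl
index=<your_dlp_index> sourcetype=<your_dlp_sourcetype> earliest=-24h
| eval domain_shared_with='domain_shared_with{}'
| stats count AS total_events,
        count(action) AS action, count(app) AS app, count(category) AS category,
        count(dest) AS dest, count(dlp_type) AS dlp_type, count(object) AS object,
        count(object_category) AS object_category, count(object_path) AS object_path,
        count(severity) AS severity, count(signature) AS signature, count(src) AS src,
        count(src_user) AS src_user, count(user) AS user,
        count(vendor_product) AS vendor_product,
        count(domain_shared_with) AS domain_shared_with
| foreach action app category dest dlp_type object object_category object_path severity signature src src_user user vendor_product domain_shared_with
    [ eval <<FIELD>>=round(100 * '<<FIELD>>' / total_events, 1) ]
| transpose 0 column_name=cim_field
| rename "row 1" AS pct_populated
| where cim_field!="total_events"
| sort pct_populated
```

Fields at the top of the result (lowest coverage) are the ones the add-on or your own props.conf needs to map. To make the alias permanent rather than per-search, the same expression goes into props.conf for that sourcetype as `EVAL-domain_shared_with = 'domain_shared_with{}'`. Once the data model's cim_*_indexes macro points at the index, the same coverage check can be repeated against the mapped view with `| datamodel Data_Loss_Prevention DLP_Incidents search | fieldsummary`, which confirms that the events actually land in the dataset the ES correlation searches read.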
@gcusello
Do we have any option in the Splunk Security Essentials app to check whether the data is CIM compliant or not?
Hi @AL3Z,
The easiest way is to understand which Add-on you are using for ingestion and parsing and check in Splunkbase whether it's CIM compliant or not.
Usually the problem is only with custom or old Add-ons, or if you don't use an Add-on.
Ciao.
Giuseppe
Hi @AL3Z,
You don't make an Index CIM compliant but the Add-on that ingests the data.
Anyway, using an app like Add-on Builder (https://splunkbase.splunk.com/app/2962) or CIM Validator (https://splunkbase.splunk.com/app/2968), you get help in identifying the interventions needed to make your add-on CIM compliant.
Ciao.
Giuseppe