Splunk Enterprise Security

Cisco ACI Add-on for Splunk Enterprise: What CIM Module data sets does are in compliance for each sourcetype?

guarisma
Contributor

The Cisco ACI Add-on for Splunk Enterprise provides these source types:

cisco:apic:health
cisco:apic:stats
cisco:apic:class
cisco:apic:authentication

And is Common Information Model (CIM) 4.5, 4.4, 4.3, 4.2, 4.1 compliant.

I would like to know what CIM Datasets are in compliant for each source type?

I'm working with Splunk Enterprise Security and which to know what value can Cisco ACI Add-on for Splunk Enterprise can bring to it.

0 Karma
1 Solution

guarisma
Contributor

From: "Nilay Shah -X (nilaysh - MBO PARTNERS INC at Cisco)"
Date: Thursday, January 26, 2017 at 11:32 AM
To: Igor Guarisma
Cc: "aci-splunk-app(mailer list)"
Subject: Re: What CIM Data Model data sets does each source type of the Cisco ACI Add-on compliant?

Hi Igor,

What you mentioned is correct! The sourcetype cisco:apic:authentication is compliant with CIM data models you listed out. All other sourcetypes/data models are custom built but follow the CIM guidelines for field names, field extractions, aliases, etc.

Additionally,

Source type | Description | CIM data model(s)
cisco:apic:health | Health scores of all entities in the fabric | Custom
cisco:apic:stats | Statistical data on packet flows, network communication, etc | Custom
cisco:apic:class | Class info such as Tenants, EPGs, BD's etc. | Custom
cisco:apic:authentication | Audit & access logs | Authentication, Network Session

I hope this information helps you decide on using Cisco ACI add-on for Enterprise Security app.
Let me know if you have any further questions.

Best Regards,
Nilay Shah.

View solution in original post

guarisma
Contributor

From: "Nilay Shah -X (nilaysh - MBO PARTNERS INC at Cisco)"
Date: Thursday, January 26, 2017 at 11:32 AM
To: Igor Guarisma
Cc: "aci-splunk-app(mailer list)"
Subject: Re: What CIM Data Model data sets does each source type of the Cisco ACI Add-on compliant?

Hi Igor,

What you mentioned is correct! The sourcetype cisco:apic:authentication is compliant with CIM data models you listed out. All other sourcetypes/data models are custom built but follow the CIM guidelines for field names, field extractions, aliases, etc.

Additionally,

Source type | Description | CIM data model(s)
cisco:apic:health | Health scores of all entities in the fabric | Custom
cisco:apic:stats | Statistical data on packet flows, network communication, etc | Custom
cisco:apic:class | Class info such as Tenants, EPGs, BD's etc. | Custom
cisco:apic:authentication | Audit & access logs | Authentication, Network Session

I hope this information helps you decide on using Cisco ACI add-on for Enterprise Security app.
Let me know if you have any further questions.

Best Regards,
Nilay Shah.

rpille_splunk
Splunk Employee
Splunk Employee

Hi Guarisma,

That add-on is provided by Cisco, so they're the ones providing the docs for it. The contact information for questions and support is in the Splunkbase details tab, at the bottom: https://splunkbase.splunk.com/app/1897/#/details

You can also probably infer the model mapping my examining the add-on's tags.conf and eventtypes.conf files and comparing the tags you see there to the CIM documentation.

Hope that helps!

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...