Splunk Enterprise Security

Cisco ACI Add-on for Splunk Enterprise: What CIM Module data sets does are in compliance for each sourcetype?

guarisma
Contributor

The Cisco ACI Add-on for Splunk Enterprise provides these source types:

cisco:apic:health
cisco:apic:stats
cisco:apic:class
cisco:apic:authentication

And is Common Information Model (CIM) 4.5, 4.4, 4.3, 4.2, 4.1 compliant.

I would like to know what CIM Datasets are in compliant for each source type?

I'm working with Splunk Enterprise Security and which to know what value can Cisco ACI Add-on for Splunk Enterprise can bring to it.

0 Karma
1 Solution

guarisma
Contributor

From: "Nilay Shah -X (nilaysh - MBO PARTNERS INC at Cisco)"
Date: Thursday, January 26, 2017 at 11:32 AM
To: Igor Guarisma
Cc: "aci-splunk-app(mailer list)"
Subject: Re: What CIM Data Model data sets does each source type of the Cisco ACI Add-on compliant?

Hi Igor,

What you mentioned is correct! The sourcetype cisco:apic:authentication is compliant with CIM data models you listed out. All other sourcetypes/data models are custom built but follow the CIM guidelines for field names, field extractions, aliases, etc.

Additionally,

Source type | Description | CIM data model(s)
cisco:apic:health | Health scores of all entities in the fabric | Custom
cisco:apic:stats | Statistical data on packet flows, network communication, etc | Custom
cisco:apic:class | Class info such as Tenants, EPGs, BD's etc. | Custom
cisco:apic:authentication | Audit & access logs | Authentication, Network Session

I hope this information helps you decide on using Cisco ACI add-on for Enterprise Security app.
Let me know if you have any further questions.

Best Regards,
Nilay Shah.

View solution in original post

guarisma
Contributor

From: "Nilay Shah -X (nilaysh - MBO PARTNERS INC at Cisco)"
Date: Thursday, January 26, 2017 at 11:32 AM
To: Igor Guarisma
Cc: "aci-splunk-app(mailer list)"
Subject: Re: What CIM Data Model data sets does each source type of the Cisco ACI Add-on compliant?

Hi Igor,

What you mentioned is correct! The sourcetype cisco:apic:authentication is compliant with CIM data models you listed out. All other sourcetypes/data models are custom built but follow the CIM guidelines for field names, field extractions, aliases, etc.

Additionally,

Source type | Description | CIM data model(s)
cisco:apic:health | Health scores of all entities in the fabric | Custom
cisco:apic:stats | Statistical data on packet flows, network communication, etc | Custom
cisco:apic:class | Class info such as Tenants, EPGs, BD's etc. | Custom
cisco:apic:authentication | Audit & access logs | Authentication, Network Session

I hope this information helps you decide on using Cisco ACI add-on for Enterprise Security app.
Let me know if you have any further questions.

Best Regards,
Nilay Shah.

rpille_splunk
Splunk Employee
Splunk Employee

Hi Guarisma,

That add-on is provided by Cisco, so they're the ones providing the docs for it. The contact information for questions and support is in the Splunkbase details tab, at the bottom: https://splunkbase.splunk.com/app/1897/#/details

You can also probably infer the model mapping my examining the add-on's tags.conf and eventtypes.conf files and comparing the tags you see there to the CIM documentation.

Hope that helps!

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...