Splunk Enterprise Security

Splunk Enterprise Security: How to exclude indexes from Authentication Data Model

lucas4394
Path Finder

How to exclude some indexes from authentication data model?

We have some indexes such as lastchanceindex, but eventtype was defined within Splunk_TA_nix.

Any clues?

Thanks.

0 Karma
1 Solution

memarshall63
Communicator

The indexes to include in each data model are defined within the CIM app (Splunk_SA_CIM).

As an administrator, you can access the Common Information Model app under "Manage Apps" and then select "Setup" -- this takes you to a page that shows the data models configuration. The page address is:

https: //(URL of your Splunk deployment)/en-US/app/Splunk_SA_CIM/cim_setup?action=edit.

Each data model has an "Index Whitelist". By default, this whitelist is set to "All Indexes". You can restrict the data model in that field to only examine your desired indexes.

These whitelisted indexes are then referenced in the macros like cim_Authentication_indexes in the dataset definitions.

You can find more documentation on this here: https://docs.splunk.com/Documentation/CIM/latest/User/Setup

View solution in original post

memarshall63
Communicator

The indexes to include in each data model are defined within the CIM app (Splunk_SA_CIM).

As an administrator, you can access the Common Information Model app under "Manage Apps" and then select "Setup" -- this takes you to a page that shows the data models configuration. The page address is:

https: //(URL of your Splunk deployment)/en-US/app/Splunk_SA_CIM/cim_setup?action=edit.

Each data model has an "Index Whitelist". By default, this whitelist is set to "All Indexes". You can restrict the data model in that field to only examine your desired indexes.

These whitelisted indexes are then referenced in the macros like cim_Authentication_indexes in the dataset definitions.

You can find more documentation on this here: https://docs.splunk.com/Documentation/CIM/latest/User/Setup

lucas4394
Path Finder

Do you recommend to exclude the indexes from the the macro or other workarounds?

0 Karma

memarshall63
Communicator

I really don't have a recommendation on 'exclusions'.

I don't know where those macros are referenced, but I would assume they're at the basis of the data model.
Definitely the datasets are established from them. Possibly, acceleration jobs leverage them, too.. Can't say for sure.

Unless you've got a solid reason to the contrary. I'd use the whitelist.

0 Karma

solarboyz1
Builder

Each of the data models is created using a search string. The default for the Authentication DM is based on the macro cim_Authentication_indexes

Find the macro cim_Authentication_indexes, and modify it to include or exclude specific indexes.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...