Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk CIM and Datamodels and or Macros

domino30
Path Finder
‎04-12-2023 03:00 PM

There a re many good Apps in Splunk Base and if your asking for compliance some APPS will ask you too make sure your data is "CIM compliant"

Mainly the infosec apps and the compliance essentials for splunk

I have done more searching on this than literally anything for Splunk "So Far"

and one thin I can find is a example where they have all details laid out and obvious as to what that looks like.

I guess I figured most of the communities looked the same because the data looks the same going in but it feels like rocket Science.

I tried to follow things like https://www.deductiv.net/blog/splunk-cim-performance/  but even that has had some fields not show up where I know they should in Infosec App especially.

That has me ultimately editing the macro for Authentication but I have also read don't edit this so what gives?

Maybe I am going about this the wrong way.

So if you can either show me what you env looks like----- OR point me to a place that does splunk CIM compliance fomr a-z in all relevant fields for dummies I would be very interested thanks.

0 Karma
Reply

woodcock
Esteemed Legend
‎04-13-2023 08:44 AM

There are several parts as follows:
1: Get new data in.
2: Do the CIM mapping.
2a: Usually there is an app in splunkbase that does this but is it doing it's job well enough?  Check with this: https://docs.splunk.com/Documentation/CIM/latest/User/UsetheCIMtovalidateyourdata
2a1: Sometimes the app does a good job.
2a2: Sometimes the app needs to be fixed.
2a2a: Sometimes the author can be found and cares and will update the app if you send him your fix.
2a2b: Most of the time, your fix is for you alone.
2b: Sometimes there is no app and you have to do ALL of the work yourself.
3: Set your "cim_*_index" macros.  You can use a scheduled search in the "CIM Toolkit" app to do this.  This search can also be scheduled to let you know when your macro needs to be updated: 
https://classic.splunkbase.splunk.com/app/6243

The CIM Toolkit is a treasure trove of useful macros, searches, and ideas on how best to leverage the CIM in a SIEM.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-13-2023 05:29 AM

There is no such thing as 100% CIM compliance.  Each data source contains certain fields, which most likely will not be all of the fields in any given CIM data model.  Such is life.  We work with what we have.

The goal of CIM is to use a s common set of field names to make it easier to write searches.  CIM is not about forcing data to conform to certain models.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Enhance Your Splunk App Development: New Tools & Support

UCC FrameworkAdd-on Builder has been around for quite some time. It helps build Splunk apps faster, but it ...

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...