Splunk Enterprise

Splunk CIM and Datamodels and or Macros

domino30
Path Finder

There are many good apps in Splunkbase, and if you're asking for compliance, some apps will ask you to make sure your data is "CIM compliant".

Mainly the InfoSec apps and Compliance Essentials for Splunk.

I have done more searching on this than literally anything else for Splunk "so far",

and one thing I can't find is an example where they have all the details laid out and obvious as to what that looks like.

I guess I figured most of the communities looked the same, because the data looks the same going in, but it feels like rocket science.

I tried to follow things like https://www.deductiv.net/blog/splunk-cim-performance/ but even that has had some fields not show up where I know they should, in the InfoSec App especially.

That has me ultimately editing the macro for Authentication, but I have also read "don't edit this", so what gives?

Maybe I am going about this the wrong way.

So if you can either show me what your env looks like, OR point me to a place that does Splunk CIM compliance from A-Z in all relevant fields for dummies, I would be very interested. Thanks.

0 Karma

woodcock
Esteemed Legend

There are several parts as follows:
1: Get new data in.
2: Do the CIM mapping.
2a: Usually there is an app in Splunkbase that does this, but is it doing its job well enough? Check with this: https://docs.splunk.com/Documentation/CIM/latest/User/UsetheCIMtovalidateyourdata
2a1: Sometimes the app does a good job.
2a2: Sometimes the app needs to be fixed.
2a2a: Sometimes the author can be found and cares and will update the app if you send him your fix.
2a2b: Most of the time, your fix is for you alone.
2b: Sometimes there is no app and you have to do ALL of the work yourself.
3: Set your "cim_*_index" macros. You can use a scheduled search in the "CIM Toolkit" app to do this. This search can also be scheduled to let you know when your macro needs to be updated:
https://classic.splunkbase.splunk.com/app/6243

The CIM Toolkit is a treasure trove of useful macros, searches, and ideas on how best to leverage the CIM in a SIEM.

0 Karma
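As an added illustration of steps 2b and 3 above (example configuration written for this page, not taken from the thread or from any Splunkbase app), here is a hypothetical set of stanzas that map a custom sourcetype `myapp:auth` to the CIM Authentication data model and point the `cim_Authentication_indexes` macro at the index holding it. The sourcetype, the raw field names `username`, `client_ip`, `server` and `result`, and the index name `myapp` are all assumptions.

```ini
# props.conf  (hypothetical sourcetype "myapp:auth"; its raw events carry
# the fields username, client_ip, server and result = ok|fail)
[myapp:auth]
# Alias the vendor field names to the CIM Authentication field names
FIELDALIAS-cim_auth = username AS user client_ip AS src server AS dest
# Normalise the vendor result code into the CIM "action" values
EVAL-action = case(result=="ok", "success", result=="fail", "failure", true(), "unknown")
# The data model also expects "app"; this source only ever has one
EVAL-app = "myapp"

# eventtypes.conf  (an eventtype that selects exactly these events)
[myapp_authentication]
search = sourcetype="myapp:auth" action=*

# tags.conf  (the "authentication" tag is what the data model constraint matches)
[eventtype=myapp_authentication]
authentication = enabled

# macros.conf  (goes in the CIM app's local/ directory, never in default/,
# so the override survives app upgrades; the CIM docs' own advice)
# Restricts the data model search to the index that actually holds the events
[cim_Authentication_indexes]
definition = (index="myapp")
```

After deployment, `| datamodel Authentication Authentication search` (or the validation page linked in step 2a) confirms whether the events are picked up with `user`, `src`, `dest`, `app` and `action` populated.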

richgalloway
SplunkTrust

There is no such thing as 100% CIM compliance.  Each data source contains certain fields, which most likely will not be all of the fields in any given CIM data model.  Such is life.  We work with what we have.

The goal of CIM is to use a common set of field names to make it easier to write searches. CIM is not about forcing data to conform to certain models.

---
If this reply helps you, Karma would be appreciated.