Analyze CIM Compliance


Splunk’s Common Information Model (CIM) prescribes a common set of fields, and sometimes specific values, allowing products to easily speak the same language and allowing your users to more quickly adopt content written to expect CIM. This guide will help you track the CIM compliance of your security products.


Data Inventory

Data Source Categories use standardized searches to find data configured with the tags that are used in Splunk’s Common Information Model. You can also add custom products that don’t match the Common Information Model, or mark products that you expect to add in the future.

  1. The Data Inventory dashboard allows you to configure what products you have in your environment. Products have a variety of metadata (sourcetypes, event volume, CIM compliance) and are connected with data source categories, allowing the app to show you what content can be turned on with your present data.

  2. Here’s an example of several data source categories, under the EDR data source. DSCs are detailed categories that have been proven out through thousands of professional services engagements.

  3. When you first open this page, it will prompt you to use the automated scans. If you install SSE on your production search head, most of the work from this page is automated!

  4. There are four automated introspection steps that pull a variety of data.

  5. For any sources or sourcetypes that are uncommon, you can tell the app what product it is.

  6. If you have a product that wasn’t detected, or you aren’t installing this app on your production search head, you can always manually add products by clicking Add Product. If you don’t have data for a DSC, you can say No Data Present.


CIM Compliance Check

As a part of Data Inventory introspection, Splunk Security Essentials runs a series of Common Information Model checks against your data. This dashboard will show you the results.

  1. The Common Information Model (CIM) Compliance Check dashboard checks whether your data aligns to Splunk’s CIM. This is a common set of fields that can be shared across products, allowing you to know that a field like src_ip will bring back results regardless of what the original data looks like.

  2. You will see a list of the products that you’ve configured in Splunk Security Essentials broken out by data source category (e.g., Successful Authentication), and the CIM compliance status of each key field for that DSC.

  3. If you expand the row, you’ll also be able to see the actual values returned when searching that data.

  4. This dashboard builds on the Data Inventory introspection, so if you haven’t configured that yet, make sure to visit that page.
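
To spot-check one data source category by hand, the search below measures how often key CIM fields are populated in Successful Authentication events, per sourcetype. It is an added example, not the search Splunk Security Essentials runs; the field list (src, dest, user, app) is taken from the CIM Authentication data model, and the 24-hour window and 90% threshold are assumptions to adjust.

```spl
tag=authentication action=success earliest=-24h
| stats count AS total
        count(src) AS src
        count(dest) AS dest
        count(user) AS user
        count(app) AS app
        BY index, sourcetype
| foreach src dest user app
    [ eval <<FIELD>>_pct = round('<<FIELD>>' / total * 100, 1) ]
| eval low_coverage = ""
| foreach *_pct
    [ eval low_coverage = if('<<FIELD>>' < 90, low_coverage . " <<MATCHSTR>>", low_coverage) ]
| table index sourcetype total *_pct low_coverage
```

A sourcetype whose events are not tagged authentication, or whose action field is not normalized to success, will not appear in the results at all, so compare the output against the products listed in Data Inventory.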