"Visibility with CIM" SplunkersDC Meetup - June 28th, 2023 By: Matt Feeley

1. CIM compliance
By Matt Feeley

2. Copyright ©2023 | guidepointsecurity.com
How to see it
Practice of normalizing fields to a common
standard like,
• source_host, source_ip, source -> src
• vendor_action, measure, result -> action
• known_auth, etc.. -> signature
across data sources like,
• Windows
• Linux
• Palo, etc..
within events of matching domains (23)
• Authentication
• Malware
• Intrusion detection, etc..

3. Copyright ©2023 | guidepointsecurity.com
How do you say it?
Toe·ma·tow
Tuh·may·tow
Tomato

4. Copyright ©2023 | guidepointsecurity.com

5. Copyright ©2023 | guidepointsecurity.com

6. Copyright ©2023 | guidepointsecurity.com
• Searches Itself
• Syntax change datamodels, tstats, etc..
• No (index=*) OR (index=win AND index=o365)
• Faster results (saved different on backend)
• Search returns all events per datamodel (regardless of data source)
Why Do CIM?

7. Copyright ©2023 | guidepointsecurity.com
End Result

8. Copyright ©2023 | guidepointsecurity.com
Steps Involved
D E F I N I N G
1. Pre-requistes
1. Install CIM app
2. Identify & Define
1. Identify events to a domain
2. Define eventtypes & tags for event
3. Normalize
1. Review fields
2. Standardize the fields
4. Validate & Complete
1. Validate Check for adverse affects (like
overwriting, existing fields)
2. Setup Common Information Model app
3. Rebuild/Update Datamodel

9. Copyright ©2023 | guidepointsecurity.com
Install CIM App
• You can find the free app on
splunkbase
• The CIM app provides the framework
of datamodels.

10. Copyright ©2023 | guidepointsecurity.com
I D E N T I F Y E V E N T S T O A D O M A I N
• Domains have a constraint
events must meet
• No “tag” field exists

11. Copyright ©2023 | guidepointsecurity.com
D E F I N E E V E N T T Y P E S A N D T A G S
• Search string should be as restrictive
as possible to only show events of
interest
• Tag(s) should contain the required
constraint for datamodel of intersest

12. Copyright ©2023 | guidepointsecurity.com

13. Copyright ©2023 | guidepointsecurity.com
Review Fields
• Use best judgement
• Don’t be afraid to ask Admins of data source to validate
• Every field does NOT need to exist within an event
• Some events might just not contain a field

14. Copyright ©2023 | guidepointsecurity.com
• Ways to Standardize
1. rename
2. extract
3. report
4. KV_MODE
5. fieldalias
6. eval (also known as fields)
7. lookup
Standardize Fields & Values

15. Copyright ©2023 | guidepointsecurity.com
• Order of Precedence
1. rename
2. extract
3. report (usually extractions that involve both props.conf
and transforms.conf)
4. KV_MODE
5. fieldalias
6. eval (also known as fields)
7. lookup
Validate and Check
• Eval method overwriting lookup method for the
field’s value
• You’ll need to validate on Large Volumes of Data

16. Copyright ©2023 | guidepointsecurity.com
Setup
Common
Information
Model app

17. Copyright ©2023 | guidepointsecurity.com
Rebuild/Update Datamodel
• Rebuild Could impact existing dashboard(s). Results zero out,
and will re-populate as new events come in.
• Update Won’t impact existing dashboard(s)

18. Copyright ©2023 | guidepointsecurity.com
Things to watch out for
• Set Global Permission on all Knowledge Objects
• Evals, Extractions, Eventtypes, Tags, etc..
• Always validate pre-existing fields/events work
as expected.
• Knowledge object order of precedence can over
wright other knowledge objects.
1. rename
2. extract
3. report (usually extractions that involve both
props.conf and transforms.conf)
4. KV_MODE
5. fieldalias
6. eval (also known as fields)
7. calculated
8. lookup
PAY ATTENTION!!!
• Attempt to use add-ons from splunkbase.
• Potentially already CIM comply
• The better quality the add-on the less you’ll need to
do that’s custom.
• You should always review and CIM even if add-on
parses accurate
• Rebuild/Update datamodels at any point additional
CIM compliance is done
• Every event will NOT contain every field to
standardize
• Some fields require certain values for output