
Understanding Splunk CIM :-


By default, Splunk provides powerful search capabilities for generic IT data. However, more advanced reporting and correlation require that the data be normalized, categorized, and parsed. The Common Information Model (CIM) lets you normalise your data to a common standard: it provides a standard method of parsing, categorizing, and normalizing data. Imported data must conform to the CIM in order for it to be properly reported and correlated.


To understand Splunk CIM, consider the simple example below:

Suppose you are forwarding logs from different technologies to Splunk, such as logs from Windows servers, Linux servers, Cisco routers, VMware, etc. All of these technologies have different log formats and use different terminologies/keywords in their logs. Now consider that you want to produce a single report showing user login details across all of the technologies mentioned above. Because the keywords/codes used for login events differ in each technology, it is not possible to combine them directly into a single report and format. This can be achieved with the Splunk CIM model: the CIM maps all of these different logs to standard keywords/formats, which can then be used to generate generic reports.
-Splunk CIM is the backbone of the Enterprise Security app
-CIM allows tagging/aliasing of data to enrich the schema on the fly - no modification of the original logs is required

What is Splunk CIM :-

Splunk CIM example :-

Below is a step-by-step procedure for creating a custom search that leverages the CIM data model.
 
Example Use Case: Monitor all Windows user/computer account creation.
 
Step 1: Make sure Windows data is coming into Splunk according to best practices. This means the data should be properly indexed, sourcetyped, etc.
 
Step 2: Search Splunkbase for any existing Windows TAs. For this example, the Splunk Add-on for Microsoft Windows will work for Windows data.
 
Step 3: Download the TA.
 
Step 4: Open the TA. In the default folder, open the eventtypes.conf. Search the eventtypes.conf for any event types that may be useful to search for events involving user/computer account creation.  For this example, the event type below will fulfill our use case.
 
[windows_account_created]
search = sourcetype=*:Security (signature_id=4720 OR signature_id=4741 OR signature_id=624 OR signature_id=645)
#tags = add
 
Pay particular attention to how these event types are tagged.
 
Step 5: Through the Splunk GUI, go to Settings > Data models. Search through the CIM data models to find the data model that best matches the use case. For this example, the Change Analysis data model can be used to fulfill our use case.
 
Step 6: Identify the appropriate child object(s) within the selected data model. For this example, we will utilize the Created Accounts child object. Take notice of the constraints for the child object, specifically the tags (tag = change, tag = account). The tag(s) are what connect the event type to the data model. This means that the event type tag(s) must match the data model child object tag(s) in order to leverage the data model. For this example, the tag(s) do not match. We will have to edit the default setting in a local folder.
 
Step 7: Create a local folder. Within the local folder, create an eventtypes.conf and a tags.conf file.
 
Step 8: In the eventtypes.conf file, copy the windows_account_created event type from the default eventtypes.conf file to the local eventtypes.conf file. When copying the event type over, be sure to customize the event type. I usually add the organization name to the beginning of the event type name.
 
[<organization name>_windows_account_created]
search = sourcetype=*:Security (signature_id=4720 OR signature_id=4741 OR signature_id=624 OR signature_id=645)
#tags = change account
 
Notice that the commented tags match the tags in the Created Accounts child object.
 
Step 9: Add the event type to the tags.conf.
 
[eventtype = <organization name>_windows_account_created]
change = enabled
account = enabled
 
Step 10: Debug/refresh Splunk through the GUI to allow the configuration changes to take effect.
 
Step 11: We are now ready to create the accelerated data model search using the tstats command.
 
| tstats summariesonly=true count
FROM datamodel=Change_Analysis
WHERE nodename=All_Changes.Account_Management.Accounts_Created
GROUPBY _time span=1s index sourcetype host All_Changes.user
 
For additional guidance on creating accelerated data model searches, reference the Splunk doc link below.
http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Tstats
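The event type -> tags -> data model chain from Steps 4 to 9, as an added example that is not part of the original page or of Splunk: a small Python model that reads the two local stanzas, evaluates the event type's search constraint against a sample event, collects the tags enabled in tags.conf, and checks whether they satisfy the Created Accounts child object constraint. The search evaluator handles only the syntax these stanzas use (field=value with * wildcards, parentheses, OR, implicit AND), not general SPL, and the "acme_" prefix is a placeholder for the organization name.

```python
import configparser
import fnmatch
import re

# Constructed local/eventtypes.conf; "acme_" stands in for the organization name.
EVENTTYPES_CONF = """
[acme_windows_account_created]
search = sourcetype=*:Security (signature_id=4720 OR signature_id=4741 OR signature_id=624 OR signature_id=645)
#tags = change account
"""
# Constructed local/tags.conf attaching the CIM tags to that event type.
TAGS_CONF = """
[eventtype = acme_windows_account_created]
change = enabled
account = enabled
"""
# Constraint of the Change_Analysis "Created Accounts" child object (Step 6).
ACCOUNTS_CREATED_TAGS = {"change", "account"}

def load_conf(text):
    cp = configparser.ConfigParser(interpolation=None)  # '#tags' lines are comments
    cp.optionxform = str  # keep tag names case-sensitive
    cp.read_string(text)
    return cp
def _term_matches(term, event):  # field=value with shell-style wildcards
    field, _, pattern = term.partition("=")
    return fnmatch.fnmatchcase(str(event.get(field, "")), pattern)
def matches_search(search, event):
    # Top-level terms are ANDed; a parenthesised group is an OR of its terms.
    for group, term in re.findall(r"\(([^)]*)\)|(\S+)", search):
        if term and not _term_matches(term, event):
            return False
        if group and not any(_term_matches(t, event)
                             for t in group.split() if t.upper() != "OR"):
            return False
    return True
def tags_for(eventtype_names, tags):
    found = set()  # tags enabled for any matching [eventtype = ...] stanza
    for stanza in tags.sections():
        key, _, value = stanza.partition("=")
        if key.strip() == "eventtype" and value.strip() in eventtype_names:
            found |= {t for t, state in tags[stanza].items() if state == "enabled"}
    return found
def in_accounts_created(event):
    # True when the event would populate Change_Analysis > Accounts Created.
    ets = load_conf(EVENTTYPES_CONF)
    names = [n for n in ets.sections() if matches_search(ets[n]["search"], event)]
    return ACCOUNTS_CREATED_TAGS <= tags_for(names, load_conf(TAGS_CONF))
```

An event with a different signature_id or a non-Security sourcetype fails the constraint and therefore never receives the tags, which is why the tstats search in Step 11 would not count it.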
 
