The OCSF-CIM Add-On for Splunk provides a set of knowledge objects to use Open Cybersecurity Schema Framework (OCSF) formatted data with the Splunk Common Information Model (CIM). It is compatible with CIM 5.X.

The following event classes are supported today:

* 1001 - File System Activity -> Change
* 1007 - Process Activity -> Endpoint.Processes
* 2001 - Security Finding -> Alerts
* 2002 - Vulnerability Finding -> Vulnerabilities
* 3001 - Account Change -> All_Changes.Account_Management
* 3002 - Authentication -> Authentication
* 3003 - Authorization -> Authentication
* 3004 - Entity Management -> Change
* 3005 - User Access Management -> All_Changes.Account_Management
* 4001 - Network Activity -> Network Traffic
* 4002 - HTTP Activity -> Web
* 4003 - DNS Activity -> Network Resolution
* 4014 - Tunnel Activity -> All_Sessions.VPN
* 5001 - Cloud API -> Change
* 6001 - Web Resources Activity -> All_Changes.Network_Changes
* 6003 - API Activity -> Change
* 6004 - Web Resources Access Activity -> Data Access
* 6005 - Datastore Activity -> Change
* 6006 - File Hosting Activity -> Data Access

Currently, the add-on only maps events from the core OCSF schema hosted at https://schema.ocsf.io, not vendor-specific extensions.

For the full documentation, navigate to the Details tab. For feedback and questions, message the team in #ocsf-cim-addon-for-splunk in the Splunk usergroups Slack (https://splk.it/slack).

This is not a Splunk-supported application and is provided as-is.