OCSF-CIM Add-On for Splunk

The OCSF-CIM Add-On for Splunk provides a set of knowledge objects to use Open Cybersecurity Schema Framework (OCSF) formatted data with the Splunk Common Information Model (CIM). It is compatible with CIM 5.X The following event classes are supported today: * 1001 - File System Activity -> Change * 1007 - Process Activity -> Endpoint.Processes * 2001 - Security Finding -> Alerts * 2002 - Vilnerability Finding -> Vulnerabilities * 3001 - Account Change -> All_Changes.Account_Management * 3002 - Authentication -> Authentication * 3003 - Authorization -> Authentication * 3004 - Entity Management -> Change * 3005 - User Access Management -> All_Changes.Account_Management * 4001 - Network Activity -> Network Traffic * 4002 - HTTP Activity -> Web * 4003 - DNS Activity -> Network Resolution * 4014 - Tunnel Activity -> All_Sessions.VPN * 5001 - Cloud API -> Change * 6001 - Web Resources Activity -> All_Changes.Network_Changes * 6003 - API Activity -> Change * 6004 - Web Resources Access Activity -> Data Access * 6005 - Datastore Activity -> Change * 6006 - File Hosting Activity -> Data Access Currently, it does only map events from the core OCSF schema hosted at https://schema.ocsf.io and not vendor-specific extensions. For the full documentation, navigate to the Details tab. For feedback and questions, message the team in #ocsf-cim-addon-for-splunk in the Splunk usergroups Slack - (https://splk.it/slack)