splunk
OCSF-CIM Add-On for Splunk
Splunk Cloud
Splunk Labs
This app is NOT supported by Splunk. Please read about what that means for you here.
Overview
Details
The OCSF-CIM Add-On for Splunk provides a set of knowledge objects to use Open Cybersecurity Schema Framework (OCSF) formatted data with the Splunk Common Information Model (CIM). It is compatible with CIM 5.X
The following event classes are supported today:
* 1001 - File System Activity -> Change
* 1007 - Process Activity -> Endpoint.Processes
* 2001 - Security Finding -> Alerts
* 2002 - Vilnerability Finding -> Vulnerabilities
* 3001 - Account Change -> All_Changes.Account_Management
* 3002 - Authentication -> Authentication
* 3003 - Authorization -> Authentication
* 3004 - Entity Management -> Change
* 3005 - User Access Management -> All_Changes.Account_Management
* 4001 - Network Activity -> Network Traffic
* 4002 - HTTP Activity -> Web
* 4003 - DNS Activity -> Network Resolution
* 4014 - Tunnel Activity -> All_Sessions.VPN
* 5001 - Cloud API -> Change
* 6001 - Web Resources Activity -> All_Changes.Network_Changes
* 6003 - API Activity -> Change
* 6004 - Web Resources Access Activity -> Data Access
* 6005 - Datastore Activity -> Change
* 6006 - File Hosting Activity -> Data Access
Currently, it does only map events from the core OCSF schema hosted at https://schema.ocsf.io and not vendor-specific extensions.
For the full documentation, navigate to the Details tab.
For feedback and questions, message the team in #ocsf-cim-addon-for-splunk in the Splunk usergroups Slack - (https://splk.it/slack)
This is not a Splunk-supported application and is provided as-is.
The following event classes are supported today:
* 1001 - File System Activity -> Change
* 1007 - Process Activity -> Endpoint.Processes
* 2001 - Security Finding -> Alerts
* 2002 - Vilnerability Finding -> Vulnerabilities
* 3001 - Account Change -> All_Changes.Account_Management
* 3002 - Authentication -> Authentication
* 3003 - Authorization -> Authentication
* 3004 - Entity Management -> Change
* 3005 - User Access Management -> All_Changes.Account_Management
* 4001 - Network Activity -> Network Traffic
* 4002 - HTTP Activity -> Web
* 4003 - DNS Activity -> Network Resolution
* 4014 - Tunnel Activity -> All_Sessions.VPN
* 5001 - Cloud API -> Change
* 6001 - Web Resources Activity -> All_Changes.Network_Changes
* 6003 - API Activity -> Change
* 6004 - Web Resources Access Activity -> Data Access
* 6005 - Datastore Activity -> Change
* 6006 - File Hosting Activity -> Data Access
Currently, it does only map events from the core OCSF schema hosted at https://schema.ocsf.io and not vendor-specific extensions.
For the full documentation, navigate to the Details tab.
For feedback and questions, message the team in #ocsf-cim-addon-for-splunk in the Splunk usergroups Slack - (https://splk.it/slack)
This is not a Splunk-supported application and is provided as-is.
Find the full documentation here
Usage
After installation, navigate to the Apps Setup page. On this page, configure the sourcetypes in your environment that contain OCSF events. After saving, the following actions will be taken:
- The ocsf_sourcetypes macro will be updated to include the updated set of sourcetypes
- For every configured sourcetype, a props.conf stanza will be generated that contains the relevant field mappings to provide CIM compatibility to the sourcetype
Detection of OCSF sourcetypes is not automatic. If you're onboarding new OCSF data sources in your environment, this Add-On will need to be reconfigured to include the new sourcetype.
Release Notes
Version 0.5.0
April 29, 2024
- Support for OCSF 1.2.0 for existing event classes
- Added mappings for Vulnerability Finding (2002), File Hosting (6006), Datastore Activity (6005), Tunnel Activity (4014)
- Bugfixes and improvements
Version 0.4.1
March 1, 2024
- Initial Adaptions to support OCSF 1.1.0
Version 0.4.0
Sept. 19, 2023
- Adds initial support for OCSF Event Classes 3006, 6001, 6004 - Thanks to Mateusz Macalik!
Version 0.3.15
June 28, 2023
Version 0.1.1
April 4, 2023
- Initial Release