SIEM Operations • Room 2
The CIM Check
In Splunk Enterprise Security, correlation searches do not look for specific sourcetypes such as "cisco:asa". Instead, they query the Common Information Model (CIM) datamodels, which expect normalized field names.
If your data is not mapped to the CIM (mapping means, for example, aliasing a vendor field such as `src_ip` to the CIM field `src`), ES correlation searches will be blind to it, no matter how much of it you ingest.
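As an added example that is not part of the original room, here is a `props.conf` stanza for a hypothetical sourcetype `acme:fw` whose vendor field names (`src_ip`, `dst_ip`, `username`, `result`) are assumed; it aliases them onto the CIM Authentication fields and normalizes `action` to the values the datamodel expects:

```ini
# Added example, not from the original page.
# Sourcetype name and vendor field names are constructed for illustration.
[acme:fw]

# Vendor field -> CIM field. Syntax: FIELDALIAS-<class> = <orig> AS <alias>
# The original field stays searchable; the alias is what the datamodel reads.
FIELDALIAS-cim_src  = src_ip AS src
FIELDALIAS-cim_dest = dst_ip AS dest
FIELDALIAS-cim_user = username AS user

# CIM Authentication expects action to be "success" or "failure".
# A calculated field maps the vendor's own result codes onto those values;
# anything unknown is left null so it is visible as a mapping gap.
EVAL-action = case(result=="OK", "success", result=="FAIL", "failure")

# Stable value so the datamodel's app field is populated for every event.
EVAL-app = "acme_fw"
```

The events also need `tag=authentication` (set through `eventtypes.conf` and `tags.conf`) before the Authentication datamodel's constraint will include them; once that is in place, `| tstats count from datamodel=Authentication by Authentication.action` should return success and failure counts for the new sourcetype.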
Knowledge Check
Prove your understanding to clear the room (Rewards XP)
Verify that data is correctly accelerated in the "Authentication" datamodel by writing a `tstats` count grouped by the `Authentication.action` field.