Data Engineering • Room 2

The CIM & Normalization

Splunk Enterprise Security relies entirely on the Common Information Model (CIM). If data isn't mapped to CIM fields (e.g., `src_ip`, `dest_ip`, `action`), correlation searches won't see it.

Engineers use Field Aliases (`FIELDALIAS`), Event Types, and Tags to normalize disparate vendor logs into a unified format.
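The three mechanisms named above, as an added example that is not part of this page: a search-time `props.conf` stanza, an event type, and the tags the CIM Network Traffic data model looks for. The sourcetype `acme:fw` and the vendor fields `fw_src_addr`, `fw_dst_addr`, `fw_dst_port` and `fw_verdict` are constructed for illustration.

```ini
# props.conf -- search-time normalization for a hypothetical sourcetype.
# Constructed example: sourcetype and vendor field names are assumptions.
[acme:fw]
# Field aliases expose vendor fields under CIM names; the raw event and the
# original field are left untouched, so nothing is rewritten at index time.
FIELDALIAS-cim_src  = fw_src_addr AS src_ip
FIELDALIAS-cim_dest = fw_dst_addr AS dest_ip
FIELDALIAS-cim_dest_port = fw_dst_port AS dest_port
# Calculated field folds the vendor verdict vocabulary into CIM "action" values.
EVAL-action = case(fw_verdict=="ALLOW", "allowed", fw_verdict=="DENY" OR fw_verdict=="DROP", "blocked", true(), "unknown")

# eventtypes.conf -- names the population of events the normalization covers.
[acme_fw_traffic]
search = sourcetype="acme:fw" fw_dst_addr=*

# tags.conf -- the CIM Network Traffic data model selects events by these tags,
# so without them the aliased fields above never reach a correlation search.
[eventtype=acme_fw_traffic]
network = enabled
communicate = enabled
```

Because the alias is search-time, `fw_dst_addr` stays searchable alongside `dest_ip`; to confirm the mapping landed in the data model, run `| tstats count from datamodel=Network_Traffic where sourcetype="acme:fw" by All_Traffic.dest_ip All_Traffic.action` and check that the counts are non-zero.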

Knowledge Check

Question 1 of 1
A firewall log contains the proprietary field `fw_destination_address`. Which configuration is best to map this to the CIM?
A. Create an index-time field extraction to permanently rewrite the raw log.
B. Use `props.conf` to create a search-time Field Alias mapping `fw_destination_address` to the CIM field `dest_ip`.
C. Require the firewall vendor to change their logging format.
D. Write a custom Python script to parse the logs before they hit Splunk.