Splunk® Common Information Model Add-on

Common Information Model Add-on Manual

This documentation does not apply to the most recent version of Splunk® Common Information Model Add-on. For documentation on the most recent version, go to the latest release.

Release notes for the Splunk Common Information Model Add-on

Version 4.18.0 of the Splunk Common Information Model Add-on was released on November 19, 2020.

New features

Version 4.18.x of the Splunk Common Information Model Add-on includes the following new features.

Enhancement Description
The severity_id field is included in additional data models for consistency across data models with severity. See Alerts, Data Loss Prevention, Intrusion Detection, Malware, TicketManagement, Updates,Vulnerabilities.
The signature_id field is included in additional data models for consistency across data models with signature. See Alerts, Data Loss Prevention, Intrusion Detection, Malware, Network Sessions, Performance, Vulnerabilities.
The src_user field is included in the Malware data model. See Malware.
The Change data model is updated with Instance_Changes data set. New fields in the data model include image_id, instance_type, and vendor_region. See Change.
The Change data model is updated with Network data set. New fields in the data model include dest_ip_range, dest_port_range, direction, protocol, rule_action, src_ip_range, and src_port_range. See Change.
Domain can be extracted from Certificates, Email, and Web data models.
  • New fields in the Certificates data model include ssl_issuer_email_domain and ssl_subject_email_domain. See Certificates.
  • New fields in the Email data model include recipient_domain and src_user_domain. See Email.
  • New fields in the Web data model include http_referrer_domain and url_domain. See Web.
The Alerts data model has a variety of updates. New fields in the data model include description, dest_type, mitre_technique_id, signature, signature_id, src_type, user, user_bunit, user_category, user_priority, vendor_account, and vendor_region. Deprecated fields include body and subject. See Alerts.
Behavior change for consistency in case-sensitive matching Reverse lookups are now case insensitive, so that the behavior is consistent with | search logic in the search bar. The lookup stanzas in transforms.conf are revised to include the flag for reverse_lookup_honor_case_sensitive_match = false.

Upgrade requirements

Splunk platform version Upgrade activity
8.0.x or later If you apply custom tags to data mapped to CIM data models and you use these tags in searches and search filters, add these tags to the whitelists for those models. See Set up the Splunk Common Information Model Add-on for details about the tags whitelist field.

Compatibility

Version 4.18.x of the Splunk Common Information Model Add-on requires Splunk platform version 8.0.x or later. Some workarounds, such as the datamodels spec workaround for tags_whitelist and poll_buckets, are no longer available in version 7.0.x and later. This might lead to btool check warnings at startup.

Fixed issues

This version of the Splunk Common Information Model Add-on fixes the following issues.


Date resolved Issue number Description
2020-09-04 CIM-958, SOLNESS-23805, SOLNPCI-1796 CIM: Ship explicit configuration for reverse_lookup_honor_case_sensitive_match

Known issues

This version of the Splunk Common Information Model Add-on has the following reported known issues. If this section is empty, this release has no reported known issues.

Date filed Issue number Description
2021-01-04 CIM-978, CIM-1033 CIM Setup: "An error occurred fetching assets"

Workaround:
You can update datamodels.conf directly but this is not convenient and not all users have access to the .conf files.

Deprecated or removed features

As of version 4.18.0:

  • The body field is deprecated in favor of the description field in the Alerts data model and will be removed in a future version.
  • The subject field is deprecated in favor of the signature field in the Alerts data model and will be removed in a future version.

As of version 4.15.0:

  • The Predictive Analytics dashboard is removed in favor of Machine Learning Toolkit functionality.

As of version 4.14.0:

  • The Predictive Analytics dashboard is deprecated in favor of Machine Learning Toolkit functionality and will be removed in a future version.

As of version 4.13.0:

  • N/A

As of version 4.12.0:

  • The modaction_invocations_rest_handler.py (alerts/modaction_invocations) is deprecated and will be removed in a future version.
  • The following previously deprecated configurations are removed.
    • `search_activity` macro
    • `search_typer` macro
  • Deprecated data models: Application State and Change Analysis

As of version 4.11.0:

  • The index definition cim_summary is removed.
  • Several configurations are deprecated and will be removed in a future release.
    • datamodel_for_audittrail transform
    • savedsearch_name_for_audittrail transform
    • user_for_audittrail transform

Third-party software attributions

The Splunk Common Information Model Add-on does not incorporate any third-party software or libraries.

Last modified on 21 June, 2021
Set up the Splunk Common Information Model Add-on   Support and resource links for the Splunk Common Information Model Add-on

This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.18.0

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters