Splunk® Common Information Model Add-on

Common Information Model Add-on Manual

Release notes for the Splunk Common Information Model Add-on

Version 6.0.0 of the Splunk Common Information Model Add-on was released on November 1, 2024 and contains only backend improvements for cross-platform synchronization.

New features or enhancements

Version 6.0.0 of the Splunk Common Information Model Add-on includes no new features.


Upgrade requirements

Splunk platform version Upgrade activity
8.0.x or later If you apply custom tags to data mapped to CIM data models and you use these tags in searches and search filters, add these tags to the allowlists for those models. See Set up the Splunk Common Information Model Add-on for details about the tags allow list field.

Compatibility

Version 5.0.x of the Splunk Common Information Model Add-on requires Splunk platform version 8.0.x or later. Some workarounds, such as the datamodels spec workaround for tags_allowlist and poll_buckets, are no longer available in version 7.0.x and later. This might lead to btool check warnings at startup.

Fixed issues

This version of the Splunk Common Information Model Add-on fixes the following issues. If this section is empty, this release has no reported fixed issues.

Date resolved Issue number Description
2024-10-31 CIM-1264, CIM-1258 Vulnerability fix: Session Key stored cam_queue lookup in clear text
2024-09-03 CIM-1269 Biased language fixed within CIM Setup UI Labels
2024-09-03 CIM-1275 CIM Setup - Improve UI message for DMA index filtering
2024-08-20 CIM-1253 "action" field is updated unexpectedly in audit events when search string contains specified strings
2024-07-11 CIM-1225 The Auth DM needs a Session ID to enable ES usecases
2024-07-08 CIM-1224 CIM field "protocol_version" should have description saying that it should be in lower case
2024-07-08 CIM-1156 Description of the cim field "power" needs correction in the Performance.json
2024-07-03 CIM-1177 Correct the description of the signature cim field in the Intrusion Detection DM .json
2024-06-10 CIM-1069 Network sessions actions field prescribed values don't cleanly match the traffic
2024-05-14 CIM-1100 "Launch Home" hyperlink from Splunk SA_CIM incorrectly opens other random apps.

Limitations

If you are in a search head cluster environment on Splunk Cloud Platform, you might see error messages related to adaptive response actions. To troubleshoot these issues, see Troubleshoot adaptive response actions in search head cluster deployments on Splunk Cloud Platform.


Known issues

This version of the Splunk Common Information Model Add-on has the following reported known issues. If this section is empty, this release has no reported known issues.

Date filed Issue number Description
2024-11-15 CIM-1300 CIM Setup - Broken link to edit index filtering macros after upgrading to CIM 6.0.0

Workaround:
The CIM App needs to be set to the "configured" state via the CIM Setup page before access to other App related pages is allowed.
  • Navigate to the CIM Setup page
  • Click the Save button
  • User can access the edit index allowlist macro link within CIM Setup
  • User can access the index allowlist macros via Splunk manager pages
2024-11-05 CIM-1295 Unable to render CIM Setup (setup.xml) on Cloud search head cluster deployments

Workaround:
As per the comment in [1],

Navigated through the below URL

<Stack URL>/en-US/app/search/cim_setup

Which took us to the setup page.

The app has a broken navigation system which needs to be fixed.

2024-08-29 CIM-1272 DLP Data Model - Incidents category field evaluates incorrectly
2024-02-15 CIM-1212, CIM-1193 "Update" datamodel: add prescribed value "failure" to the cim field "status"
2023-04-03 CIM-1278 Entity Zones are rarely available in ESS and ESCU's default correlation search.

Workaround:
Clone the correlation search that has a tstats or stats command, provided by the ESCU or ESS you wish to enable and edit the search so that the zone information (e.g., cim_entity_zone field) remains in the search results.
2022-11-28 CIM-1128, SOLNESS-33830 The parent_process_name field is not extracted correctly when events with data model are searched.

Deprecated or removed features

The following are deprecated or removed features:

As of version 6.0.0:

  • N/A

As of version 5.3.3:

  • N/A

As of version 5.3.2:

  • N/A

As of version 5.3.1:

  • N/A

As of version 5.2.0:

  • N/A

As of version 5.1.1:

  • N/A

As of version 5.1.0:

  • N/A

As of version 5.0.1:

  • N/A

As of version 5.0.0:

  • N/A

As of version 4.20.2:

  • N/A

As of version 4.20.0:

  • N/A

As of version 4.19.0:

  • N/A

As of version 4.18.0:

  • The body field is deprecated in favor of the description field in the Alerts data model and will be removed in a future version.
  • The subject field is deprecated in favor of the signature field in the Alerts data model and will be removed in a future version.

As of version 4.15.0:

  • The Predictive Analytics dashboard is removed in favor of Machine Learning Toolkit functionality.

As of version 4.14.0:

  • The Predictive Analytics dashboard is deprecated in favor of Machine Learning Toolkit functionality and will be removed in a future version.

As of version 4.13.0:

  • N/A

Third-party software attributions

The Splunk Common Information Model Add-on does not incorporate any third-party software or libraries.

Last modified on 22 November, 2024
Set up the Splunk Common Information Model Add-on   Support and resource links for the Splunk Common Information Model Add-on

This documentation applies to the following versions of Splunk® Common Information Model Add-on: 6.0.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters