Splunk® Common Information Model Add-on

Common Information Model Add-on Manual

Use the CIM Filters to exclude data

The CIM Filter macros are available to help exclude data from your search results. The macros are a way to reduce false positives by whitelisting categories from lookups, data model objects, event severities, or extracted fields. They are available by default and located in the CIM Filters section of the $SPLUNK_HOME/etc/apps/Splunk_SA_CIM/default/macros.conf file for reference. There is no need to modify the stanzas in this section.

Usage

To use the cim_filter_known_scanners macro, for example, the most common use case is with Splunk Enterprise Security.

In this case, a known scanner is a device on your network that is purposely doing active or passive vulnerability scans. You might get a lot of false positive alerts about this device because the scanning activity is generating a lot of notable events. You know that these events can be ignored because it's your own scanner. You can categorize this device as a known_scanner in the assets and identities system. Then you can use the macro to filter out that category, so you no longer see the device in the search results.

See the "Asset lookup header" section of Format an asset or identity list as a lookup in Splunk Enterprise Security in the Administer Splunk Enterprise Security manual for more information about where to add known_scanner as a category and how to maintain the asset and identity categories list, which is customized to your environment.

Example

The macros are for use with piped searches or where clauses. For the example of cim_filter_known_scanners, you can see in the macros.conf file that you can use it in two ways.

One way to use the macro is with search:

... | search `cim_filter_known_scanners` | ...

The other way to use the macro allows you to pass the DataModel.DataSet object lineage with tstats:

| tstats count from datamodel="Intrusion_Detection.IDS_Attacks" where `cim_filter_known_scanners(IDS_Attacks)`


See Define search macros in Settings in the Splunk Enterprise Knowledge Manager Manual for further information on how to navigate to and edit the macro definition in Splunk Web.

Last modified on 24 October, 2023
Accelerate CIM data models   Use the common action model to build custom alert actions

This documentation applies to the following versions of Splunk® Common Information Model Add-on: 5.0.1, 5.0.2, 5.1.0, 5.1.1, 5.1.2, 5.2.0, 5.3.1, 5.3.2, 6.0.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters