
Overview

The OCSF-CIM Add-On provides a set of knowledge objects that make OCSF events compatible with the Splunk Common Information Model (CIM).

Why the OCSF-CIM Add-On exists

A lot of Splunk content (dashboards, correlation searches) uses the data models provided by the Common Information Model as a normalization layer. This includes Splunk premium solutions such as Enterprise Security or ITSI and content repositories like research.splunk.com or Splunk Security Essentials. Popular Splunkbase apps such as the Infosec App make use of the CIM data models as well.

With OCSF (Open Cybersecurity Schema Framework) emerging as a new effort around data normalization in cybersecurity, there is a need to be able to use OCSF-formatted data with content developed against the CIM. This capability is provided by this Add-On: it provides search-time knowledge objects that map OCSF events to the CIM and make them CIM-compliant.
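To illustrate what a search-time mapping of this kind looks like, here is an added `props.conf` fragment. It is not taken from the OCSF-CIM Add-On and does not reflect its actual knowledge objects; the source type name `ocsf:network_activity` and the choice of fields are assumptions for illustration. It aliases a few OCSF Network Activity fields to their CIM Network Traffic counterparts and derives the CIM `action` field from the OCSF `activity_name`, all at search time, so the raw events are not modified.

```ini
# Added illustration, not the add-on's own configuration.
# Assumed source type for OCSF Network Activity (class_uid 4001) events.
[ocsf:network_activity]

# OCSF source/destination endpoint fields -> CIM Network Traffic fields.
# FIELDALIAS keeps the original OCSF field and adds the CIM name alongside it.
FIELDALIAS-ocsf_src       = src_endpoint.ip AS src
FIELDALIAS-ocsf_dest      = dst_endpoint.ip AS dest
FIELDALIAS-ocsf_dest_port = dst_endpoint.port AS dest_port
FIELDALIAS-ocsf_src_port  = src_endpoint.port AS src_port

# CIM expects a lower-case action such as "allowed" or "blocked".
# OCSF carries the verb in activity_name; normalize it with an EVAL.
EVAL-action = case(lower(activity_name)=="allow", "allowed",
                   lower(activity_name)=="deny",  "blocked",
                   true(), "unknown")

# Tags drive data model membership; CIM Network Traffic looks for
# tag=network and tag=communicate on the event type.
EVAL-transport = lower('connection_info.protocol_name')
```

With a fragment like this in place, an existing correlation search written against `Network_Traffic.All_Traffic` sees `src`, `dest`, `dest_port` and `action` on OCSF events without any change to the search itself. When adapting this for real data, verify the field names with a search such as `index=<your index> sourcetype=ocsf:network_activity | fieldsummary` and confirm the resulting events actually land in the data model, for example via `| datamodel Network_Traffic All_Traffic search`, before relying on them in detections.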

To get started with installing the OCSF-CIM Add-On for Splunk, start with Installation.