Hi Team,
Recently started ingesting 1password telemetry into Splunk and I noticed that the fields are not CIM compliant and therefor can't be easily accelerated into their respective datamodels i.e. authentication, change.
This means that bespoke custom detection code is required to alert on this data source. Are there any plans to normalise this data in compliance with Splunk CIM so that it is eligible for datamodel acceleration?
Kind regards,
Kyle.
Hi Team,
Recently started ingesting 1password telemetry into Splunk and I noticed that the fields are not CIM compliant and therefor can't be easily accelerated into their respective datamodels i.e. authentication, change.
This means that bespoke custom detection code is required to alert on this data source. Are there any plans to normalise this data in compliance with Splunk CIM so that it is eligible for datamodel acceleration?
Kind regards,
Kyle.