Release notes for the Splunk Common Information Model Add-on

Version 5.3.1 of the Splunk Common Information Model Add-on was released on December 19, 2023 and contains only backend improvements for cross-platform synchronization.

Version 5.3.2 of the Splunk Common Information Model Add-on was released on March 27, 2024 and contains only backend improvements for cross-platform synchronization.

Version 5.3.3 of the Splunk Common Information Model Add-on was released on February 12, 2025 and contains only backend improvements for cross-platform synchronization.

New features or enhancements

Version 5.3.1 of the Splunk Common Information Model Add-on includes no new features.

Version 5.3.2 of the Splunk Common Information Model Add-on includes no new features.

Version 5.3.3 of the Splunk Common Information Model Add-on includes no new features.

Upgrade requirements

Splunk platform version Upgrade activity
8.0.x or later If you apply custom tags to data mapped to CIM data models and you use these tags in searches and search filters, add these tags to the allowlists for those models. See Set up the Splunk Common Information Model Add-on for details about the tags allow list field.

Compatibility

Version 5.0.x and higher of the Splunk Common Information Model Add-on requires Splunk platform version 8.0.x or higher. Some workarounds, such as the data models spec workaround for tags_allowlist and poll_buckets, are no longer available in version 7.0.x and higher. This might lead to btool check warnings at startup.

Fixed issues

Version 5.3.1

This version of the Splunk Common Information Model Add-on fixes the following issues. If this section is empty, this release has no reported fixed issues.
Date resolved Issue number Description
2023-12-20 CIM-1198 The ESCU detections based on the Changes data model might not work correctly due to the constraint search of the Change data model.
2023-12-18 CIM-1153 The modular_actions_invocations -- comprehensive fixed for search performance
2023-11-30 CIM-1186 Tags are not saved as expected in the "Tags allow list" parameter in Splunk Common Information Model (v5.2.0).
2023-11-07 CIM-1081 Update "recommended" field for Change.user_name, Change.src_user_name, and Alerts.user_name.

Version 5.3.2

This version of the Splunk Common Information Model Add-on fixes the following issues. If this section is empty, this release has no reported fixed issues.
Date resolved Issue number Description
2024-03-06 CIM-1211 CIM Setup View shows page not found from Manage Apps Set up Link.

Version 5.3.3

This version of the Splunk Common Information Model Add-on fixes the following issues. If this section is empty, this release has no reported fixed issues.

Date resolved Issue number Description
2025-01-16 CIM-1305, CIM-1296 CIM 5.3.3 - Fix check_for_search_v1_endpoint
2025-01-13 CIM-1316, CIM-1264 CIM 5.3.3 - Vulnerability fix: Session Key stored cam_queue lookup in clear text

Known issues

Version 5.3.1

This version of the Splunk Common Information Model Add-on has the following reported known issues. If this section is empty, this release has no reported known issues.

Date filed Issue number Description
2024-09-03 CIM-1275 CIM Setup - Improve UI message for DMA index filtering.
2024-08-29 CIM-1272 DLP Data Model - Incidents category field evaluates incorrectly.
2024-08-27 CIM-1269 Biased language fixed within CIM Setup UI Labels.
2024-08-26 CIM-1265 Vulnerability fix validation/testing: Session Key stored cam_queue lookup in clear text.
2024-08-08 CIM-1264, CIM-1258, CIM-1316 Vulnerability fix: Session Key stored cam_queue lookup in clear text.
2024-03-28 CIM-1225 The Authentication data model requires a Session ID to turn on ES use cases.
2024-02-15 CIM-1212, CIM-1193 "Update" datamodel: add prescribed value "failure" to the cim field "status".
2024-02-07 CIM-1211 CIM Setup View shows page not found from Manage Apps Set up Link.
2023-04-03 CIM-1278 Entity Zones are rarely available in ESS and ESCU's default correlation search. Workaround: Clone the correlation search that has a tstats or stats command, provided by the ESCU or ESS you wish to enable and edit the search so that the zone information (e.g., cim_entity_zone field) remains in the search results.
2022-11-28 CIM-1128, SOLNESS-33830 The parent_process_name field is not extracted correctly when events with data model are searched.
2021-11-09 CIM-1069 The prescribed values for the Network sessions actions field don't cleanly match the traffic.

Version 5.3.2

This version of the Splunk Common Information Model Add-on has the following reported known issues. If this section is empty, this release has no reported known issues.

Date filed Issue number Description
2024-12-09 CIM-1305, CIM-1296 CIM 5.3.3 - Fix check_for_search_v1_endpoint
2024-11-05 CIM-1295 CIM configuration issue: Unable to render CIM Setup (setup.xml) on Cloud search head cluster deployments. Workaround: Users can manually navigate to the CIM set up page using the following link: {{http://<splunk-host>/en-US/app/Splunk_SA_CIM/cim_setup}}
2024-09-03 CIM-1275 CIM Setup: Improve UI message for DMA index filtering.
2024-08-29 CIM-1272 DLP Data Model: Incidents category field evaluates incorrectly.
2024-08-27 CIM-1269 Biased language fixed within CIM Setup UI labels.
2024-08-26 CIM-1265 Vulnerability fix validation or testing: Session Key stored cam_queue lookup in clear text.
2024-08-08 CIM-1264, CIM-1258, CIM-1316 Vulnerability fix: Session Key stored cam_queue lookup in clear text.
2024-06-25 CIM-1253 The "action" field is updated unexpectedly in audit events when search string contains specified strings. Workaround:Update EVAL-action to: <search>{noformat}EVAL-action = case(match(_raw,"action\=search"),"search",match(_raw,"action\=login\sattempt") AND match(_raw,"info\=succeeded"),"success",match(_raw,"action\=login\sattempt") AND match(_raw,"info\=failed"),"failure",match(_raw,"action\=add"),"created",match(_raw,"action\=delete"),"deleted",match(_raw,"action\=update"),"modified",1=1,action){noformat}</search> so that it populates the "search" action to "search" and won't overwrite it to "modified".
2024-05-13 CIM-1240 Network Resolution DM: Correct the list of prescribed values for the record_type field.
2024-03-28 CIM-1225 The Authentication DM needs a Session ID to enable ES use cases.
2024-02-15 CIM-1212, CIM-1193 In the "Update" datamodel, add prescribed value "failure" to the cim field "status".
2023-04-03 CIM-1278 Entity Zones are rarely available in ESS and ESCU's default correlation search. Workaround: Clone the correlation search that has a tstats or stats command, provided by the ESCU or ESS you wish to turn on and edit the search so that the zone information (such as cim_entity_zone field) remains in the search results.
2022-11-28 CIM-1128, SOLNESS-33830 The parent_process_name field is not extracted correctly when events with data model are searched.
2021-11-09 CIM-1069 The prescribed values for the Network sessions actions field don't cleanly match the traffic.

Version 5.3.3

This version of the Splunk Common Information Model Add-on has the following reported known issues. If this section is empty, this release has no reported known issues.

Date filed Issue number Description
2024-11-05 CIM-1295 CIM configuration issue: Unable to render CIM Setup (setup.xml) on Cloud search head cluster deployments
Workaround:
Users can manually navigate to the CIM set up page using the following link:

{{http://<splunk-host>/en-US/app/Splunk_SA_CIM/cim_setup}}
2024-06-25 CIM-1253 "action" field is updated unexpectedly in audit events when search string contains specified strings
Workaround:
Update EVAL-action to:

{noformat}EVAL-action = case(match(_raw,"action\=search"),"search",match(_raw,"action\=login\sattempt") AND match(_raw,"info\=succeeded"),"success",match(_raw,"action\=login\sattempt") AND match(_raw,"info\=failed"),"failure",match(_raw,"action\=add"),"created",match(_raw,"action\=delete"),"deleted",match(_raw,"action\=update"),"modified",1=1,action){noformat}

so that it populate "search" action to "search" and won't overwrite it to "modified"
2024-02-15 CIM-1212, CIM-1193 "Update" datamodel: add prescribed value "failure" to the cim field "status"
2023-04-03 CIM-1278 Entity Zones are rarely available in ESS and ESCU's default correlation search.
Workaround:
Clone the correlation search that has a tstats or stats command, provided by the ESCU or ESS you wish to enable and edit the search so that the zone information (e.g., cim_entity_zone field) remains in the search results.
2022-11-28 CIM-1128, SOLNESS-33830 The parent_process_name field is not extracted correctly when events with data model are searched.
2021-11-09 CIM-1069 Network sessions actions field prescribed values don't cleanly match the traffic

Deprecated or removed features

The following are deprecated or removed features:

As of version 5.3.3:

  • N/A

As of version 5.3.2:

  • N/A

As of version 5.3.1:

  • N/A

As of version 5.2.0:

  • N/A

As of version 5.1.1:

  • N/A

As of version 5.1.0:

  • N/A

As of version 5.0.1:

  • N/A

As of version 5.0.0:

  • N/A

As of version 4.20.2:

  • N/A

As of version 4.20.0:

  • N/A

As of version 4.19.0:

  • N/A

As of version 4.18.0:

  • The body field is deprecated in favor of the description field in the Alerts data model and will be removed in a future version.
  • The subject field is deprecated in favor of the signature field in the Alerts data model and will be removed in a future version.

As of version 4.15.0:

  • The Predictive Analytics dashboard is removed in favor of Machine Learning Toolkit functionality.

As of version 4.14.0:

  • The Predictive Analytics dashboard is deprecated in favor of Machine Learning Toolkit functionality and will be removed in a future version.

As of version 4.13.0:

  • N/A

Third-party software attributions

The Splunk Common Information Model Add-on does not incorporate any third-party software or libraries.