Collect Splunk CIM logs
This document describes how you can collect Splunk Common Information Model (CIM) logs by configuring Splunk and a Chronicle forwarder. This document also lists the supported log types and supported Splunk versions.
For more information, see Data ingestion to Chronicle.
Overview
The following deployment architecture diagram shows how Splunk agents are configured to send logs to Chronicle. Each customer deployment might differ from this representation and might be more complex.
The architecture diagram shows the following components:
Data source: The system to be monitored in which Splunk is installed.
Splunk: Collects information from the data source and forwards the information to Chronicle forwarder.
Chronicle forwarder: A lightweight software component, deployed in the customer's network to forward the logs to Chronicle.
Chronicle: Retains and analyzes the logs from the Fleet server.
An ingestion label identifies the parser which normalizes raw log data
to structured UDM format. The information in this document applies to the parser
with SPLUNK ingestion label.
Before you begin
Use Splunk version 5.0 that Chronicle parser supports.
Ensure that all systems in the deployment architecture are configured in the UTC time zone.
Configure a Splunk agent and a Chronicle forwarder
Install a CIM compliant agent from Splunkbase.
Configure Chronicle forwarder to push the logs into the Chronicle system. The following is an example of a Chronicle forwarder configuration:
- splunk: common: enabled: true data_type: SPLUNK batch_n_seconds: 10 batch_n_bytes: 819200 url: <SPLUNK_URL> query_cim: true is_ignore_cert: true query_string: datamodel Network_Traffic All_Traffic flat
Considerations for writing Splunk search queries
Splunk has its own search language, which is similar to SQL. Make sure you use the correct syntax for your search query. Consider the following search characteristics when you create a query:
Escape character
If a string value contains a double quotation mark ", use backslash characters to escape the quotation mark. Otherwise, the search misinterprets the end of the string value.
For example: To search a string WHERE _raw="The user "vpatel" isn't authenticated.",
you must use the sequence \" to search for a literal double quotation mark.
Write the search string in the following format:
WHERE _raw="The user \"vpatel\" isn't authenticated."
To escape a backslash character \ , use the sequence \\ to search for a backslash.
For example, if there is a string like C:\user\abc then this must be written as C:\\user\\abc.
Syntactically incorrect search
If a section of the query is invalid, the entire query is not evaluated and an error message appears.
Consider the following example in which the search mode option is missing in the query:
multisearch [|datamodel Network_Traffic All_Traffic] [|datamodel Network_Sessions All_Sessions flat]
In this example, the search mode option is missing in the query. This results in the following error:
Error in 'multisearch' command: Multisearch sub searches might only contain purely streaming operations. The search job has failed due to an error.
Support for multiple data models
Splunk supports a single large query that spans data models. The following search query extracts data from multiple data models:
multisearch [|datamodel Network_Traffic All_Traffic flat] [|datamodel Network_Sessions All_Sessions flat]
Here are the components of this query that spans data models:
Multisearch: The query must start with the word multisearch. A query for a data model must be enclosed within square brackets [ ] and start with a pipe | character.
Network_Traffic: The name of the data model.
All_Traffic: Dataset of Network_Traffic data model.
flat: Search mode. The other options are search and acceleration_search.
We recommend using the following Splunk query for multiple data model search:
multisearch [|datamodel Network_Traffic All_Traffic flat] [|datamodel Network_Sessions All_Sessions flat]
Supported log types and data models
| Splunk data model | Supported |
|---|---|
| Alerts | Yes |
| Application State (deprecated) | No |
| Authentication | Yes |
| Certificates | Yes |
| Change | Yes |
| Change Analysis (deprecated) | No |
| Data Access | Yes |
| Databases | Yes |
| Data Loss Prevention | Yes |
| Yes | |
| Endpoint | Yes |
| Event Signatures | Yes |
| Interprocess Messaging | Yes |
| Intrusion Detection | Yes |
| Inventory | Yes |
| Java Virtual Machines (JVM) | Yes |
| Malware | Yes |
| Network Resolution (DNS) | Yes |
| Network Sessions | Yes |
| Network Traffic | Yes |
| Performance | Yes |
| Splunk Audit Logs | Yes |
| Ticket Management | Yes |
| Updates | Yes |
| Vulnerabilities | Yes |
| Web | Yes |
Field mapping reference
This section explains how the Chronicle parser maps Splunk log fields to Chronicle Unified Data Model (UDM) fields for the data sets. For more information, see Splunk document for version 5.0.1.
Alerts
The following table lists the log fields and corresponding UDM mappings for the Splunk data set Alerts:
| Log field | UDM mapping |
|---|---|
| app | observer.application |
| description | security_result.description |
| dest | target.ip, target.hostname, target.labels.key/value |
| dest_bunit | target.labels.key/value |
| dest_category | target.labels.key/value |
| dest_priority | target.labels.key/value |
| dest_type | target.resource.resource_type |
| id | metadata.product_log_id |
| mitre_technique_id | security_result.detection_fields.labels.key/value |
| severity | security_result.severity |
| severity_id | about.labels.key/value |
| signature | metadata.description |
| signature_id | security_result.rule_name |
| src | principal.ip, principal.hostname, principal.labels.key/value |
| src_bunit | principal.labels.key/value |
| src_category | principal.labels.key/value |
| src_priority | principal.labels.key/value |
| src_type | principal.resource.resource_type |
| tag | about.labels.key/value |
| type | security_result.alert_state |
| user | principal.user.user_display_name |
| user_bunit | about.labels.key/value |
| user_category | principal.user.attribute.labels.key/value |
| user_name | principal.user.userid |
| user_priority | principal.user.attribute.label.key/value |
| vendor_account | about.labels.key/value |
| vendor_region | about.location.country_or_region |
Authentication
The following table lists the log fields and corresponding UDM mappings for the Splunk data set Authentication:
| Log field | UDM mapping |
|---|---|
| action | security_result.action_details security_result.action |
| app | target.application |
| authentication_method | about.labels.key/value |
| authentication_service | extension.auth.auth_details |
| dest | target.ip, target.hostname, target.labels.key/value |
| dest_bunit | target.labels.key/value |
| dest_category | target.labels.key/value |
| dest_nt_domain | target.labels.key/value |
| dest_priority | target.labels.key/value |
| duration | network.session_duration |
| reason | security_result.summary |
| response_time | about.labels.key/value |
| signature | metadata.description |
| signature_id | metadata.product_event_type |
| src | principal.ip, principal.hostname, principal.labels.key/value |
| src_bunit | principal.labels.key/value |
| src_category | principal.labels.key/value |
| src_nt_domain | principal.labels.key/value |
| src_priority | principal.labels.key/value |
| src_user | principal.user.user_display_name |
| src_user_bunit | principal.labels.key/value |
| src_user_category | principal.labels.key/value |
| src_user_id | principal.user.userid |
| src_user_priority | principal.labels.key/value |
| src_user_role | principal.user.attribute.roles.name (repeated) |
| src_user_type | principal.user.attribute.roles.type |
| tag | about.labels.key/value |
| user | principal.user.user_display_name |
| user_agent | network.http.user_agent |
| user_bunit | about.labels.key/value |
| user_category | principal.user.attribute.labels.key/value |
| user_id | principal.user.userid |
| user_priority | principal.user.attribute.label.key/value |
| user_role | principal.user.attribute.roles.name (repeated) |
| user_type | principal.user.attribute.roles.type |
| vendor_account | about.labels.key/value |
All_Certificates
The following table lists the log fields and corresponding UDM mappings for the Splunk data set All_Certificates:
| Log field | UDM mapping |
|---|---|
| dest | target.ip, target.hostname, target.labels.key/value |
| dest_bunit | target.labels.key/value |
| dest_category | target.labels.key/value |
| dest_port | target.port |
| dest_priority | target.labels.key/value |
| duration | network.session_duration |
| response_time | about.labels.key/value |
| src | principal.ip, principal.hostname, principal.labels.key/value |
| src_bunit | principal.labels.key/value |
| src_category | principal.labels.key/value |
| src_port | principal.port |
| src_priority | principal.labels.key/value |
| tag | about.labels.key/value |
| transport | network.ip_protocol |
SSL
The following table lists the log fields and corresponding UDM mappings for the Splunk data set SSL:
| Log field | UDM mapping |
|---|---|
| ssl_end_time | network.tls.server.certificate.not_after |
| ssl_engine | about.labels.key/value |
| ssl_hash | about.labels.key/value |
| ssl_is_valid | about.labels.key/value |
| ssl_issuer | network.tls.server.certificate.issuer |
| ssl_issuer_common_name | about.labels.key/value |
| ssl_issuer_email | about.labels.key/value |
| ssl_issuer_email_domain | about.labels.key/value |
| ssl_issuer_locality | about.labels.key/value |
| ssl_issuer_organization | about.labels.key/value |
| ssl_issuer_state | about.labels.key/value |
| ssl_issuer_street | about.labels.key/value |
| ssl_issuer_unit | about.labels.key/value |
| ssl_name | about.labels.key/value |
| ssl_policies | about.labels.key/value |
| ssl_publickey | about.labels.key/value |
| ssl_publickey_algorithm | about.labels.key/value |
| ssl_serial | network.tls.server.certificate.serial |
| ssl_session_id | network.session_id |
| ssl_signature_algorithm | about.labels.key/value |
| ssl_start_time | network.tls.server.certificate.not_before |
| ssl_subject | network.tls.server.certificate.subject |
| ssl_subject_common_name | about.labels.key/value |
| ssl_subject_email | about.labels.key/value |
| ssl_subject_email_domain | about.labels.key/value |
| ssl_subject_locality | about.labels.key/value |
| ssl_subject_organization | about.labels.key/value |
| ssl_subject_state | about.labels.key/value |
| ssl_subject_street | about.labels.key/value |
| ssl_subject_unit | about.labels.key/value |
| ssl_validity_window | about.labels.key/value |
| ssl_version | network.tls.server.certificate.version |
All_Changes
The following table lists the log fields and corresponding UDM mappings for the Splunk data set All_Changes:
| Log field | UDM mapping |
|---|---|
| action | security_result.action_details security_result.action |
| change_type | security_result.category_details |
| command | principal.process.command_line |
| dest | target.ip, target.hostname, target.labels.key/value |
| dest_bunit | target.labels.key/value |
| dest_category | target.labels.key/value |
| dest_priority | target.labels.key/value |
| dvc | principal.asset.hostname, principal.asset.ip |
| object | target.resource.name |
| object_attrs | about.labels.key/value |
| object_category | about.labels.key/value |
| object_id | target.user.product_object_id |
| object_path | target.file.full_path |
| result | metadata.description |
| result_id | metadata.product_event_type |
| src | principal.ip, principal.hostname, principal.labels.key/value |
| src_bunit | principal.labels.key/value |
| src_category | principal.labels.key/value |
| src_priority | principal.labels.key/value |
| status | security_result.summary |
| tag | about.labels.key/value |
| user | target.user.userid |
| user_agent | network.http.user_agent |
| user_name | principal.user.user_display_name, target.labels.key/value |
| user_type | principal.user.attribute.roles.type, target.user.attribute.roles.type |
| vendor_account | about.labels.key/value |
| vendor_product | about.labels.key/value |
| vendor_region | about.location.country_or_region |
Account_Management
The following table lists the log fields and corresponding UDM mappings for the Splunk data set Account_Management:
| Log field | UDM mapping |
|---|---|
| dest_nt_domain | target.administrative_domain |
| src_nt_domain | principal.administrative_domain |
| src_user | principal.user.userid |
| src_user_bunit | principal.labels.key/value |
| src_user_category | principal.labels.key/value |
| src_user_priority | principal.labels.key/value |
| src_user_name | principal.labels.key/value |
| src_user_type | principal.user.attribute.roles.type |
Instance_Changes
The following table lists the log fields and corresponding UDM mappings for the Splunk data set Instance_Changes:
| Log field | UDM mapping |
|---|---|
| image_id | principal.asset_id |
| instance_type | about.labels.key/value |
network_Changes
The following table lists the log fields and corresponding UDM mappings for the Splunk data set network_Changes:
| Log field | UDM mapping |
|---|---|
| dest_ip_range | target.labels.key/value |
| dest_port_range | target.labels.key/value |
| direction | network.direction |
| protocol | network.ip_protocol |
| rule_action | security_result.action_details security_result.action |
| src_ip_range | principal.labels.key/value |
| src_port_range | principal.labels.key/value |
Data_Access
The following table lists the log fields and corresponding UDM mappings for the Splunk data set Data_Access:
| Log field | UDM mapping |
|---|---|
| action | security_result.action_details security_result.action |
| app | target.application |
| app_id | metadata.product_log_id |
| dest | target.ip, target.hostname, target.labels.key/value |
| dest_name | target.administrative_domain |
| dest_url | target.url |
| dvc | principal.asset.hostname, principal.asset.ip |
| principal.user.email_addresses | |
| object | target.resource.name |
| object_category | about.labels.key/value |
| object_id | target.user.product_object_id |
| object_path | target.file.full_path |
| object_size | target.file.size |
| owner | about.labels.key/value |
| owner_email | about.labels.key/value |
| owner_id | principal.user.userid |
| parent_object | target.resource.parent |
| parent_object_id | about.labels.key/value |
| parent_object_category | about.labels.key/value |
| src | principal.ip, principal.hostname, principal.labels.key/value |
| tenant_id | about.labels.key/value |
| user | principal.user.user_display_name |
| user_agent | network.http.user_agent |
| user_group | principal.user.group_identifiers(repeated) |
| user_role | principal.user.attribute.roles.name (repeated) |
| vendor_product | about.labels.key/value |
| vendor_product_id | about.labels.key/value |
All_Databases
The following table lists the log fields and corresponding UDM mappings for the Splunk data set All_Databases:
| Log field | UDM mapping |
|---|---|
| dest | target.ip, target.hostname, target.labels.key/value |
| dest_bunit | target.labels.key/value |
| dest_category | target.labels.key/value |
| dest_priority | target.labels.key/value |
| duration | network.session_duration |
| object | target.resource.name |
| response_time | about.labels.key/value |
| src | principal.ip, principal.hostname, principal.labels.key/value |
| src_bunit | principal.labels.key/value |
| src_category | principal.labels.key/value |
| src_priority | principal.labels.key/value |
| tag | about.labels.key/value |
| user | principal.user.user_display_name |
| user_bunit | about.labels.key/value |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value |
Database_Instance
The following table lists the log fields and corresponding UDM mappings for the Splunk data set Database_Instance:
| Log field | UDM mapping |
|---|---|
| instance_name | target.resource.attributes.key/value |
| instance_version | target.resource.attributes.key/value |
| process_limit | about.labels.key/value |
| session_limit | about.labels.key/value |
Database_Query
The following table lists the log fields and corresponding UDM mappings for the Splunk data set Database_Query:
| Log field | UDM mapping |
|---|---|
| query | about.labels.key/value |
| query_id | about.labels.key/value |
| query_time | about.labels.key/value |
| records_affected | about.labels.key/value |
Instance_Stats
The following table lists the log fields and corresponding UDM mappings for the Splunk data set Instance_Stats:
| Log field | UDM mapping |
|---|---|
| availability | about.labels.key/value |
| avg_executions | about.labels.key/value |
| dump_area_used | about.labels.key/value |
| instance_reads | about.labels.key/value |
| instance_writes | about.labels.key/value |
| number_of_users | about.labels.key/value |
| processes | about.labels.key/value |
| sessions | about.labels.key/value |
| sga_buffer_cache_size | about.labels.key/value |
| sga_buffer_hit_limit | about.labels.key/value |
| sga_data_dict_hit_ratio | about.labels.key/value |
| sga_fixed_area_size | about.labels.key/value |
| sga_free_memory | about.labels.key/value |
| sga_library_cache_size | about.labels.key/value |
| sga_redo_log_buffer_size | about.labels.key/value |
| sga_shared_pool_size | about.labels.key/value |
| sga_sql_area_size | about.labels.key/value |
| start_time | about.labels.key/value |
| tablespace_used | about.labels.key/value |
Session_Info
The following table lists the log fields and corresponding UDM mappings for the Splunk data set Session_Info:
| Log field | UDM mapping |
|---|---|
| buffer_cache_hit_ratio | about.labels.key/value |
| commits | about.labels.key/value |
| cpu_used | about.labels.key/value |
| cursor | about.labels.key/value |
| elapsed_time | about.labels.key/value |
| logical_reads | about.labels.key/value |
| machine | about.hostname |
| memory_sorts | about.labels.key/value |
| physical_reads | about.labels.key/value |
| seconds_in_wait | about.labels.key/value |
| session_id | network.session_id |
| session_status | about.labels.key/value |
| table_scans | about.labels.key/value |
| wait_state | about.labels.key/value |
| wait_time | about.labels.key/value |
Lock_Info
The following table lists the log fields and corresponding UDM mappings for the Splunk data set Lock_Info:
| Log field | UDM mapping |
|---|---|
| last_call_minute | about.labels.key/value |
| lock_mode | about.labels.key/value |
| lock_session_id | about.labels.key/value |
| logon_time | about.labels.key/value |
| obj_name | about.labels.key/value |
| os_pid | target.process.pid |
| serial_num | target.resource.product_object_id |
Tablespace
The following table lists the log fields and corresponding UDM mappings for the Splunk data set Tablespace:
| Log field | UDM mapping |
|---|---|
| free_bytes | about.file.size |
| tablespace_name | about.resource.name |
| tablespace_reads | about.labels.key/value |
| tablespace_status | about.labels.key/value |
| tablespace_writes | about.labels.key/value |
Query_Stats
The following table lists the log fields and corresponding UDM mappings for the Splunk data set Query_Stats:
| Log field | UDM mapping |
|---|---|
| indexes_hit | about.labels.key/value |
| query_plan_hit | about.labels.key/value |
| stored_procedures_called | about.labels.key/value |
| tables_hit | about.labels.key/value |
DLP_Incidents
The following table lists the log fields and corresponding UDM mappings for the Splunk data set DLP_Incidents:
| Log field | UDM mapping |
|---|---|
| action | security_result.action_details security_result.action |
| app | target.application |
| category | security_result.category_details |
| dest | target.ip, target.hostname, target.labels.key/value |
| dest_bunit | target.labels.key/value |
| dest_category | target.labels.key/value |
| dest_priority | target.labels.key/value |
| dest_zone | target.location.country_or_origin |
| dlp_type | about.labels.key/value |
| dvc | principal.asset.hostname, principal.asset.ip |
| dvc_bunit | about.labels.key/value |
| dvc_category | about.labels.key/value |
| dvc_priority | about.labels.key/value |
| dvc_zone | principal.asset.location.country_or_region |
| object | target.resource.name |
| object_category | about.labels.key/value |
| object_path | target.file.full_path |
| severity | security_result.severity |
| severity_id | about.labels.key/value |
| signature | metadata.description |
| signature_id | metadata.product_event_type |
| src | principal.ip, principal.hostname, principal.labels.key/value |
| src_bunit | principal.labels.key/value |
| src_category | principal.labels.key/value |
| src_priority | principal.labels.key/value |
| src_user | principal.user.user_display_name |
| src_user_bunit | principal.labels.key/value |
| src_user_category | principal.labels.key/value |
| src_user_priority | principal.labels.key/value |
| src_zone | principal.location.country_or_origin |
| tag | about.labels.key/value |
| user | principal.user.user_display_name |
| user_bunit | about.labels.key/value |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value |
All_Email
The following table lists the log fields and corresponding UDM mappings for the Splunk data set All_Email:
| Log field | UDM mapping |
|---|---|
| action | security_result.action_details security_result.action |
| delay | about.labels.key/value |
| dest | target.ip, target.hostname, target.labels.key/value |
| dest_bunit | target.labels.key/value |
| dest_category | target.labels.key/value |
| dest_priority | target.labels.key/value |
| duration | network.session_duration |
| file_hash | about.file.sha256, about.file.md5, about.file.sha1 |
| file_name | about.labels.key/value |
| file_size | about.file.size |
| internal_message_id | metadata.product_log_id |
| message_id | network.email.mail_id |
| message_info | about.labels.key/value |
| orig_dest | target.labels.key/value |
| orig_recipient | about.labels.key/value |
| orig_src | network.email.from |
| process | principal.process.command_line |
| process_id | principal.process.pid |
| protocol | network.application_protocol |
| recipient | network.email.to |
| recipient_count | about.labels.key/value |
| recipient_domain | about.labels.key/value |
| recipient_status | about.labels.key/value |
| response_time | about.labels.key/value |
| retries | about.labels.key/value |
| return_addr | about.labels.key/value |
| size | about.labels.key/value |
| src | principal.ip, principal.hostname, principal.labels.key/value |
| src_bunit | principal.labels.key/value |
| src_category | principal.labels.key/value |
| src_priority | principal.labels.key/value |
| src_user | principal.user.email_addresses |
| src_user_bunit | principal.labels.key/value |
| src_user_category | principal.labels.key/value |
| src_user_domain | principal.administrative_domain |
| src_user_priority | principal.labels.key/value |
| status_code | about.labels.key/value |
| subject | network.email.subject(repeated) |
| tag | about.labels.key/value |
| url | about.url |
| user | principal.user.user_display_name |
| user_bunit | about.labels.key/value |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value |
| xdelay | about.labels.key/value |
| xref | about.labels.key/value |
Filtering
The following table lists the log fields and corresponding UDM mappings for the Splunk data set Filtering:
| Log field | UDM mapping |
|---|---|
| filter_action | about.labels.key/value |
| filter_score | about.labels.key/value |
| signature | metadata.description |
| signature_extra | about.labels.key/value |
| signature_id | metadata.product_event_type |
Ports
The following table lists the log fields and corresponding UDM mappings for the Splunk data set Ports:
| Log field | UDM mapping |
|---|---|
| creation_time | about.labels.key/value |
| dest | target.ip, target.hostname, target.labels.key/value |
| dest_bunit | target.labels.key/value |
| dest_category | target.labels.key/value |
| dest_port | target.port |
| dest_priority | target.labels.key/value |
| dest_requires_av | target.labels.key/value |
| dest_should_timesync | target.labels.key/value |
| dest_should_update | target.labels.key/value |
| process_guid | principal.process.product_specific_process_id |
| process_id | principal.process.pid |
| src | principal.ip, principal.hostname, principal.labels.key/value |
| src_category | principal.labels.key/value |
| src_priority | principal.labels.key/value |
| src_port | principal.port |
| src_requires_av | principal.labels.key/value |
| src_should_timesync | principal.labels.key/value |
| src_should_update | principal.labels.key/value |
| state | about.labels.key/value |
| tag | about.labels.key/value |
| transport | network.ip_protocol |
| transport_dest_port | target.labels.key/value |
| user | principal.user.user_display_name |
| user_bunit | about.labels.key/value |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
Processes
The following table lists the log fields and corresponding UDM mappings for the Splunk data set Processes:
| Log field | UDM mapping |
|---|---|
| action | security_result.action_details security_result.action |
| cpu_load_percent | about.labels.key/value |
| dest | target.ip, target.hostname, target.labels.key/value |
| dest_bunit | target.labels.key/value |
| dest_category | target.labels.key/value |
| dest_is_expected | target.labels.key/value |
| dest_priority | target.labels.key/value |
| dest_requires_av | target.labels.key/value |
| dest_should_timesync | target.labels.key/value |
| dest_should_update | target.labels.key/value |
| mem_used | about.labels.key/value |
| original_file_name | src.file.full_path |
| os | principal.asset.platform_software.platform_version |
| parent_process | about.labels.key/value |
| parent_process_exec | about.labels.key/value |
| parent_process_id | principal.process.parent_process.parent_pid |
| parent_process_guid | principal.process.parent_process.product_specific_process_id |
| parent_process_name | about.labels.key/value |
| parent_process_path | principal.process.parent_process.command_line |
| process | about.labels.key/value |
| process_current_directory | about.labels.key/value |
| process_exec | about.labels.key/value |
| process_hash | principal.process.file.sha256/principal.process.file.md5/principal..process.file.sha1 |
| process_guid | principal.process.product_specific_process_id |
| process_id | principal.process.pid |
| process_integrity_level | security_result.severity |
| process_name | principal.process.command_line |
| process_path | principal.process.file.full_path |
| tag | about.labels.key/value |
| user | principal.user.user_display_name |
| user_id | principal.user.userid |
| user_bunit | about.labels.key/value |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value |
Services
The following table lists the log fields and corresponding UDM mappings for the Splunk data set Services:
| Log field | UDM mapping |
|---|---|
| description | security_result.description |
| dest | target.ip, target.hostname, target.labels.key/value |
| dest_bunit | target.labels.key/value |
| dest_category | target.labels.key/value |
| dest_is_expected | target.labels.key/value |
| dest_priority | target.labels.key/value |
| dest_requires_av | target.labels.key/value |
| dest_should_timesync | target.labels.key/value |
| dest_should_update | target.labels.key/value |
| process_guid | principal.process.product_specific_process_id |
| process_id | principal.process.pid |
| service | target.application |
| service_dll | about.labels.key/value |
| service_dll_path | about.file.full_path |
| service_dll_hash | about.labels.key/value |
| service_dll_signature_exists | about.labels.key/value |
| service_dll_signature_verified | about.labels.key/value |
| service_exec | target.process.file.full_path |
| service_hash | about.labels.key/value |
| service_id | about.labels.key/value |
| service_name | about.labels.key/value |
| service_path | about.labels.key/value |
| service_signature_exists | about.labels.key/value |
| service_signature_verified | about.labels.key/value |
| start_mode | about.labels.key/value |
| status | security_result.summary |
| tag | about.labels.key/value |
| user | principal.user.user_display_name |
| user_bunit | about.labels.key/value |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value |
Filesystem
The following table lists the log fields and corresponding UDM mappings for the Splunk data set Filesystem:
| Log field | UDM mapping |
|---|---|
| action | security_result.action_details security_result.action |
| dest | target.ip, target.hostname, target.labels.key/value |
| dest_bunit | target.labels.key/value |
| dest_category | target.labels.key/value |
| dest_priority | target.labels.key/value |
| dest_requires_av | target.labels.key/value |
| dest_should_timesync | target.labels.key/value |
| dest_should_update | target.labels.key/value |
| file_access_time | about.labels.key/value |
| file_create_time | target.asset.attribute.creation_time |
| file_hash | target.file.sha256, target.file.md5, target.file.sha1 |
| file_modify_time | about.labels.key/value |
| file_name | about.labels.key/value |
| file_path | target.file.full_path |
| file_acl | about.labels.key/value |
| file_size | target.file.size |
| process_guid | principal.process.product_specific_process_id |
| process_id | principal.process.pid |
| tag | about.labels.key/value |
| user | principal.user.user_display_name |
| user_bunit | about.labels.key/value |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value |
Registry
The following table lists the log fields and corresponding UDM mappings for the Splunk data set Registry:
| Log field | UDM mapping |
|---|---|
| action | security_result.action_details security_result.action |
| dest | target.ip, target.hostname, target.labels.key/value |
| dest_bunit | target.labels.key/value |
| dest_category | target.labels.key/value |
| dest_priority | target.labels.key/value |
| dest_requires_av | target.labels.key/value |
| dest_should_timesync | target.labels.key/value |
| dest_should_update | target.labels.key/value |
| process_guid | principal.process.product_specific_process_id |
| process_id | principal.process.pid |
| registry_hive | about.labels.key/value |
| registry_path | about.labels.key/value |
| registry_key_name | target.registry.registry_key |
| registry_value_data | target.registry.registry_value_data |
| registry_value_name | target.registry.registry_value_name |
| registry_value_text | about.labels.key/value |
| registry_value_type | about.labels.key/value |
| status | security_result.summary |
| tag | about.labels.key/value |
| user | principal.user.user_display_name |
| user_bunit | about.labels.key/value |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value |
Signatures
The following table lists the log fields and corresponding UDM mappings for the Splunk data set Signatures:
| Log field | UDM mapping |
|---|---|
| dest | target.ip, target.hostname, target.labels.key/value |
| dest_bunit | target.labels.key/value |
| dest_category | target.labels.key/value |
| dest_priority | target.labels.key/value |
| signature | metadata.description |
| signature_id | metadata.product_event_type |
| tag | about.labels.key/value |
Signatures_vendor_product
The following table lists the log fields and corresponding UDM mappings for the Splunk data set Signatures_vendor_product:
| Log field | UDM mapping |
|---|---|
| vendor_product | about.labels.key/value |
All_Interprocess_Messaging
The following table lists the log fields and corresponding UDM mappings for the Splunk data set All_Interprocess_Messaging:
| Log field | UDM mapping |
|---|---|
| dest | target.ip, target.hostname, target.labels.key/value |
| dest_bunit | target.labels.key/value |
| dest_category | target.labels.key/value |
| dest_priority | target.labels.key/value |
| duration | network.session_duration |
| endpoint | about.labels.key/value |
| endpoint_version | about.labels.key/value |
| message | about.labels.key/value |
| message_consumed_time | about.labels.key/value |
| message_correlation_id | about.labels.key/value |
| message_delivered_time | about.labels.key/value |
| message_delivery_mode | about.labels.key/value |
| message_expiration_time | about.labels.key/value |
| message_id | metadata.product.log_id |
| message_priority | about.labels.key/value |
| message_properties | about.labels.key/value |
| message_received_time | about.labels.key/value |
| message_redelivered | about.labels.key/value |
| message_reply_dest | target.labels.key/value |
| message_type | about.labels.key/value |
| parameters | about.labels.key/value |
| payload | about.labels.key/value |
| payload_type | about.labels.key/value |
| request_payload | about.labels.key/value |
| request_payload_type | about.labels.key/value |
| request_sent_time | about.labels.key/value |
| response_code | network.http.response_code |
| response_payload_type | about.labels.key/value |
| response_received_time | about.labels.key/value |
| response_time | about.labels.key/value |
| return_message | about.labels.key/value |
| rpc_protocol | network.application_protocol |
| status | security_result.summary |
| tag | about.labels.key/value |
IDS_Attacks
The following table lists the log fields and corresponding UDM mappings for the Splunk data set IDS_Attacks:
| Log field | UDM mapping |
|---|---|
| action | security_result.action_details security_result.action |
| category | security_result.category_details |
| dest | target.ip, target.hostname, target.labels.key/value |
| dest_bunit | target.labels.key/value |
| dest_category | target.labels.key/value |
| dest_priority | target.labels.key/value |
| dvc | principal.asset.hostname, principal.asset.ip |
| dvc_bunit | about.labels.key/value |
| dvc_category | about.labels.key/value |
| dvc_priority | about.labels.key/value |
| file_hash | target.file.sha256, target.file.md5, target.file.sha1 |
| file_name | about.labels.key/value |
| file_path | target.file.full_path |
| ids_type | about.labels.key/value |
| severity | security_result.severity |
| severity_id | about.labels.key/value |
| signature | metadata.description |
| signature_id | metadata.product_event_type |
| src | principal.ip, principal.hostname, principal.labels.key/value |
| src_bunit | principal.labels.key/value |
| src_category | principal.labels.key/value |
| src_priority | principal.labels.key/value |
| src_port | principal.port |
| tag | about.labels.key/value |
| transport | network.ip_protocol |
| user | principal.user.user_display_name |
| user_bunit | about.labels.key/value |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value |
DS_Attacks
The following table lists the log fields and corresponding UDM mappings for the Splunk data set DS_Attacks:
| Log field | UDM mapping |
|---|---|
| dest_port | target.port |
All_Inventory
The following table lists the log fields and corresponding UDM mappings for the Splunk data set All_Inventory:
| Log field | UDM mapping |
|---|---|
| description | security_result.description |
| dest | target.ip, target.hostname, target.labels.key/value |
| dest_bunit | target.labels.key/value |
| dest_category | target.labels.key/value |
| dest_priority | target.labels.key/value |
| enabled | about.labels.key/value |
| family | about.labels.key/value |
| hypervisor_id | about.labels.key/value |
| serial | principal.asset.hardware.serial_number |
| status | security_result.summary |
| tag | about.labels.key/value |
| vendor_product | about.labels.key/value |
| version | about.labels.key/value |
CPU
The following table lists the log fields and corresponding UDM mappings for the Splunk data set CPU:
| Log field | UDM mapping |
|---|---|
| cpu_cores | principal.asset.hardware.cpu_number_cores |
| cpu_count | about.labels.key/value |
| cpu_mhz | principal.asset.hardware.cpu_clock_speed |
| cpu_load_mhz | principal.asset.hardware.cpu_clock_speed |
| cpu_load_percent | about.labels.key/value |
| cpu_time | about.labels.key/value |
| cpu_user_percent | about.labels.key/value |
Memory
The following table lists the log fields and corresponding UDM mappings for the Splunk data set Memory:
| Log field | UDM mapping |
|---|---|
| mem | principal.asset.hardware.ram |
| heap_committed | about.labels.key/value |
| heap_initial | about.labels.key/value |
| heap_max | about.labels.key/value |
| heap_used | about.labels.key/value |
| non_heap_committed | about.labels.key/value |
| non_heap_initial | about.labels.key/value |
| non_heap_max | about.labels.key/value |
| non_heap_used | about.labels.key/value |
| objects_pending | about.labels.key/value |
| mem | principal.asset.hardware.ram |
| mem_committed | about.labels.key/value |
| mem_free | about.labels.key/value |
| mem_used | about.labels.key/value |
| swap | about.labels.key/value |
| swap_free | about.labels.key/value |
| swap_used | about.labels.key/value |
network
The following table lists the log fields and corresponding UDM mappings for the Splunk data set network:
| Log field | UDM mapping |
|---|---|
| dest_ip | target.ip |
| dns | about.labels.key/value |
| inline_nat | about.labels.key/value |
| interface | about.labels.key/value |
| ip | principal.asset.ip |
| lb_method | about.labels.key/value |
| mac | principal.asset.mac |
| name | principal.resource.name |
| node | about.labels.key/value |
| node_port | target.port |
| src_ip | principal.ip |
| vip_port | about.labels.key/value |
| thruput | about.labels.key/value |
| thruput_max | about.labels.key/value |
OS
The following table lists the log fields and corresponding UDM mappings for the Splunk data set OS:
| Log field | UDM mapping |
|---|---|
| os | principal.asset.platform_software.platform_version |
| committed_memory | about.labels.key/value |
| cpu_time | about.labels.key/value |
| free_physical_memory | about.labels.key/value |
| free_swap | about.labels.key/value |
| max_file_descriptors | about.labels.key/value |
| open_file_descriptors | about.labels.key/value |
| os | principal.asset.platform_software.platform_version |
| os_architecture | about.labels.key/value |
| os_version | about.labels.key/value |
| physical_memory | about.labels.key/value |
| swap_space | about.labels.key/value |
| system_load | about.labels.key/value |
| total_processors | about.labels.key/value |
| signature | metadata.description |
| signature_id | metadata.product_event_type |
Storage
The following table lists the log fields and corresponding UDM mappings for the Splunk data set Storage:
| Log field | UDM mapping |
|---|---|
| array | about.labels.key/value |
| blocksize | about.labels.key/value |
| cluster | about.resource.resource_type = "CLUSTER" |
| fd_max | about.labels.key/value |
| latency | about.labels.key/value |
| mount | principal.resource.attribute.labels.key/value |
| parent | principal.resource.parent |
| read_blocks | about.labels.key/value |
| read_latency | about.labels.key/value |
| read_ops | about.labels.key/value |
| storage | about.labels.key/value |
| write_blocks | about.labels.key/value |
| write_latency | about.labels.key/value |
| write_ops | about.labels.key/value |
| array | about.labels.key/value |
| blocksize | about.labels.key/value |
| cluster | about.resource.resource_type = "CLUSTER" |
| fd_max | about.labels.key/value |
| fd_used | about.labels.key/value |
| latency | about.labels.key/value |
| mount | about.labels.key/value |
| parent | principal.resource.parent |
| read_blocks | about.labels.key/value |
| read_latency | about.labels.key/value |
| read_ops | about.labels.key/value |
| storage | about.labels.key/value |
| storage_free | about.labels.key/value |
| storage_free_percent | about.labels.key/value |
| storage_used | about.labels.key/value |
| storage_used_percent | about.labels.key/value |
| write_blocks | about.labels.key/value |
| write_latency | about.labels.key/value |
| write_ops | about.labels.key/value |
| error_code | security_result.description |
| operation | about.labels.key/value |
| storage_name | about.resource.name |
User
The following table lists the log fields and corresponding UDM mappings for the Splunk data set User:
| Log field | UDM mapping |
|---|---|
| interactive | about.labels.key/value |
| password | about.labels.key/value |
| shell | about.labels.key/value |
| user | principal.user.user_display_name |
| user_bunit | about.labels.key/value |
| user_category | principal.user.attribute.labels.key/value |
| user_id | principal.user.userid |
| user_priority | principal.user.attribute.label.key/value |
Virtual_OS
The following table lists the log fields and corresponding UDM mappings for the Splunk data set Virtual_OS:
| Log field | UDM mapping |
|---|---|
| hypervisor | about.labels.key/value |
Snapshot
The following table lists the log fields and corresponding UDM mappings for the Splunk data set Snapshot:
| Log field | UDM mapping |
|---|---|
| size | about.file.size |
| snapshot | about.labels.key/value |
| time | about.labels.key/value |
JVM
The following table lists the log fields and corresponding UDM mappings for the Splunk data set JVM:
| Log field | UDM mapping |
|---|---|
| jvm_description | security_result.description |
| tag | about.labels.key/value |
Threading
The following table lists the log fields and corresponding UDM mappings for the Splunk data set Threading:
| Log field | UDM mapping |
|---|---|
| cm_enabled | about.labels.key/value |
| cm_supported | about.labels.key/value |
| cpu_time_enabled | about.labels.key/value |
| cpu_time_supported | about.labels.key/value |
| current_cpu_time | about.labels.key/value |
| current_user_time | about.labels.key/value |
| daemon_thread_count | about.labels.key/value |
| omu_supported | about.labels.key/value |
| peak_thread_count | about.labels.key/value |
| synch_supported | about.labels.key/value |
| thread_count | about.labels.key/value |
| threads_started | about.labels.key/value |
Runtime
The following table lists the log fields and corresponding UDM mappings for the Splunk data set Runtime:
| Log field | UDM mapping |
|---|---|
| process_name | principal.process.command_line |
| start_time | about.labels.key/value |
| uptime | about.labels.key/value |
| vendor_product | about.labels.key/value |
| version | about.labels.key/value |
Compilation
The following table lists the log fields and corresponding UDM mappings for the Splunk data set Compilation:
| Log field | UDM mapping |
|---|---|
| compilation_time | about.labels.key/value |
Classloading
The following table lists the log fields and corresponding UDM mappings for the Splunk data set Classloading:
| Log field | UDM mapping |
|---|---|
| current_loaded | about.labels.key/value |
| total_loaded | about.labels.key/value |
| total_unloaded | about.labels.key/value |
Malware_Attacks
The following table lists the log fields and corresponding UDM mappings for the Splunk data set Malware_Attacks:
| Log field | UDM mapping |
|---|---|
| action | security_result.action_details security_result.action |
| category | security_result.category_details |
| date | about.labels.key/value |
| dest | target.ip, target.hostname, target.labels.key/value |
| dest_bunit | target.labels.key/value |
| dest_category | target.labels.key/value |
| dest_nt_domain | target.administrative_domain |
| dest_priority | target.labels.key/value |
| dest_requires_av | target.labels.key/value |
| file_hash | target.file.sha256, target.file.md5, target.file.sha1 |
| file_name | about.labels.key/value |
| file_path | target.file.full_path |
| severity | security_result.severity |
| severity_id | about.labels.key/value |
| signature | metadata.description |
| signature_id | metadata.product_event_type |
| src | principal.ip, principal.hostname, principal.labels.key/value |
| src_bunit | principal.labels.key/value |
| src_category | principal.labels.key/value |
| src_priority | principal.labels.key/value |
| src_user | principal.user.user_display_name |
| tag | about.labels.key/value |
| user | principal.user.user_display_name |
| user_bunit | about.labels.key/value |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| url | about.url |
| vendor_product | about.labels.key/value |
Malware_Operations
The following table lists the log fields and corresponding UDM mappings for the Splunk data set Malware_Operations:
| Log field | UDM mapping |
|---|---|
| dest | target.ip, target.hostname, target.labels.key/value |
| dest_bunit | target.labels.key/value |
| dest_nt_domain | target.labels.key/value |
| dest_nt_domain | target.labels.key/value |
| dest_priority | target.labels.key/value |
| dest_requires_av | target.labels.key/value |
| product_version | about.labels.key/value |
| signature_version | security_result.rule_version |
| tag | about.labels.key/value |
| vendor_product | about.labels.key/value |
Malware_Operations
The following table lists the log fields and corresponding UDM mappings for the Splunk data set Malware_Operations:
| Log field | UDM mapping |
|---|---|
| dest_category | target.labels.key/value |
DNS
The following table lists the log fields and corresponding UDM mappings for the Splunk data set DNS:
| Log field | UDM mapping |
|---|---|
| additional_answer_count | about.labels.key/value |
| answer | network.dns.answer.data |
| answer_count | about.labels.key/value |
| authority_answer_count | about.labels.key/value |
| dest | target.ip, target.hostname, target.labels.key/value |
| dest_bunit | target.labels.key/value |
| dest_category | target.labels.key/value |
| dest_port | target.port |
| dest_priority | target.labels.key/value |
| duration | network.session_duration |
| message_type | about.labels.key/value |
| name | about.labels.key/value |
| query | network.dns.questions.name |
| query_count | about.labels.key/value |
| query_type | network.dns.questions.type |
| record_type | network.dns.answer.type(uint32) |
| reply_code | about.labels.key/value |
| reply_code_id | network.dns.response_code |
| response_time | about.labels.key/value |
| src | principal.ip, principal.hostname, principal.labels.key/value |
| src_bunit | principal.labels.key/value |
| src_category | principal.labels.key/value |
| src_port | principal.port |
| src_priority | principal.labels.key/value |
| tag | about.labels.key/value |
| transaction_id | network.dns.id |
| transport | network.ip_protocol |
| ttl | about.labels.key/value |
| vendor_product | about.labels.key/value |
All_Sessions
The following table lists the log fields and corresponding UDM mappings for the Splunk data set All_Sessions:
| Log field | UDM mapping |
|---|---|
| action | security_result.action_details security_result.action |
| dest_bunit | target.labels.key/value |
| dest_category | target.labels.key/value |
| dest_dns | target.labels.key/value |
| dest_ip | network.dhcp.ciaddr |
| dest_mac | network.dhcp.chaddr |
| dest_nt_host | target.labels.key/value |
| dest_priority | target.labels.key/value |
| duration | network.session_duration |
| response_time | about.labels.key/value |
| signature | metadata.description |
| signature_id | metadata.product_event_type |
| src_bunit | principal.labels.key/value |
| src_category | principal.labels.key/value |
| src_dns | principal.labels.key/value |
| src_ip | principal.ip |
| src_mac | principal.mac |
| src_nt_host | principal.labels.key/value |
| src_priority | principal.labels.key/value |
| tag | about.labels.key/value |
| user | principal.user.user_display_name |
| user_bunit | about.labels.key/value |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value |
DHCP
The following table lists the log fields and corresponding UDM mappings for the Splunk data set DHCP:
| Log field | UDM mapping |
|---|---|
| lease_duration | network.dhcp.lease_time_second |
| lease_scope | about.labels.key/value |
All_Traffic
The following table lists the log fields and corresponding UDM mappings for the Splunk data set All_Traffic:
| Log field | UDM mapping |
|---|---|
| action | security_result.action_details security_result.action |
| app | network.application_protocol |
| bytes | about.labels.key/value |
| bytes_in | network.received_bytes |
| bytes_out | network.sent_bytes |
| channel | about.labels.key/value |
| dest | target.ip, target.hostname, target.labels.key/value |
| dest_bunit | target.labels.key/value |
| dest_category | target.labels.key/value |
| dest_interface | target.labels.key/value |
| dest_ip | target.ip |
| dest_mac | target.mac |
| dest_port | target.port |
| dest_priority | target.labels.key/value |
| dest_translated_ip | target.nat_ip |
| dest_translated_port | target.nat_port |
| dest_zone | target.location.country_or_origin |
| direction | network.direction |
| duration | network.session_duration |
| dvc | principal.asset.hostname, principal.asset.ip |
| dvc_bunit | about.labels.key/value |
| dvc_category | about.labels.key/value |
| dvc_ip | about.labels.key/value |
| dvc_mac | principal.asset.mac |
| dvc_priority | about.labels.key/value |
| dvc_zone | principal.asset.location.country_or_region |
| flow_id | about.labels.key/value |
| icmp_code | about.labels.key/value |
| icmp_type | about.labels.key/value |
| packets | about.labels.key/value |
| packets_in | about.labels.key/value |
| packets_out | about.labels.key/value |
| protocol | about.labels.key/value |
| protocol_version | about.labels.key/value |
| response_time | about.labels.key/value |
| rule | security_result.rule_id |
| session_id | network.session_id |
| src | principal.ip, principal.hostname, principal.labels.key/value |
| src_bunit | principal.labels.key/value |
| src_category | principal.labels.key/value |
| src_interface | principal.labels.key/value |
| src_ip | principal.ip |
| src_mac | principal.mac |
| src_port | principal.port |
| src_priority | principal.labels.key/value |
| src_translated_ip | principal.nat_ip |
| src_translated_port | principal.nat_port |
| src_zone | principal.location.country_or_origin |
| ssid | about.labels.key/value |
| tag | about.labels.key/value |
| tcp_flag | about.labels.key/value |
| transport | network.ip_protocol |
| tos | about.labels.key/value |
| ttl | network.dns.additional.ttl |
| user | principal.user.userid |
| user_bunit | about.labels.key/value |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_account | about.labels.key/value |
| vendor_product | about.labels.key/value |
| vlan | about.labels.key/value |
| wifi | about.labels.key/value |
All_Performance
The following table lists the log fields and corresponding UDM mappings for the Splunk data set All_Performance:
| Log field | UDM mapping |
|---|---|
| dest | target.ip, target.hostname, target.labels.key/value |
| dest_bunit | target.labels.key/value |
| dest_category | target.labels.key/value |
| dest_priority | target.labels.key/value |
| dest_should_timesync | target.labels.key/value |
| dest_should_update | target.labels.key/value |
| hypervisor_id | about.labels.key/value |
| resource_type | about.labels.key/value |
| tag | about.labels.key/value |
Facilities
The following table lists the log fields and corresponding UDM mappings for the Splunk data set Facilities:
| Log field | UDM mapping |
|---|---|
| fan_speed | about.labels.key/value |
| power | about.labels.key/value |
| temperature | about.labels.key/value |
Timesync
The following table lists the log fields and corresponding UDM mappings for the Splunk data set Timesync:
| Log field | UDM mapping |
|---|---|
| action | security_result.action_details security_result.action |
Uptime
The following table lists the log fields and corresponding UDM mappings for the Splunk data set Uptime:
| Log field | UDM mapping |
|---|---|
| uptime | about.labels.key/value |
View_Activity
The following table lists the log fields and corresponding UDM mappings for the Splunk data set View_Activity:
| Log field | UDM mapping |
|---|---|
| app | target.application |
| spent | about.labels.key/value |
| uri | about.labels.key/value |
| user | principal.user.user_display_name |
| view | about.labels.key/value |
Datamodel_Acceleration
The following table lists the log fields and corresponding UDM mappings for the Splunk data set Datamodel_Acceleration:
| Log field | UDM mapping |
|---|---|
| access_count | about.labels.key/value |
| access_time | about.labels.key/value |
| app | target.application |
| buckets | about.labels.key/value |
| buckets_size | about.labels.key/value |
| complete | about.labels.key/value |
| cron | about.labels.key/value |
| datamodel | about.labels.key/value |
| digest | about.labels.key/value |
| earliest | about.labels.key/value |
| is_inprogress | about.labels.key/value |
| last_error | about.labels.key/value |
| last_sid | about.labels.key/value |
| latest | about.labels.key/value |
| mod_time | about.labels.key/value |
| retention | about.labels.key/value |
| size | about.file.size |
| summary_id | about.labels.key/value |
Search_Activity
The following table lists the log fields and corresponding UDM mappings for the Splunk data set Search_Activity:
| Log field | UDM mapping |
|---|---|
| host | about.hostname |
| info | about.labels.key/value |
| search | about.labels.key/value |
| search_et | about.labels.key/value |
| search_lt | about.labels.key/value |
| search_type | about.labels.key/value |
| source | principal.labels.key/value |
| sourcetype | principal.labels.key/value |
| user | principal.user.user_display_name |
| user_bunit | about.labels.key/value |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
Scheduler_Activity
The following table lists the log fields and corresponding UDM mappings for the Splunk data set Scheduler_Activity:
| Log field | UDM mapping |
|---|---|
| app | target.application |
| host | about.hostname |
| savedsearch_name | about.labels.key/value |
| sid | about.labels.key/value |
| source | principal.labels.key/value |
| sourcetype | principal.labels.key/value |
| splunk_server | principal.ip, principal.hostname |
| status | security_result.summary |
| user | principal.user.user_display_name |
Web_Service_Errors
The following table lists the log fields and corresponding UDM mappings for the Splunk data set Web_Service_Errors:
| Log field | UDM mapping |
|---|---|
| host | about.hostname |
| source | principal.labels.key/value |
| sourcetype | principal.labels.key/value |
| event_id | security_result.rule_name |
Modular_Actions
The following table lists the log fields and corresponding UDM mappings for the Splunk data set Modular_Actions:
| Log field | UDM mapping |
|---|---|
| action_mode | about.labels.key/value |
| action_status | about.labels.key/value |
| app | target.application |
| duration | network.session_duration |
| component | about.labels.key/value |
| orig_rid | about.labels.key/value |
| orig_sid | about.labels.key/value |
| rid | about.labels.key/value |
| search_name | about.labels.key/value |
| action_name | security_result.action_details |
| signature | metadata.description |
| sid | about.labels.key/value |
| user | about.labels.key/value |
All_Ticket_Management
The following table lists the log fields and corresponding UDM mappings for the Splunk data set All_Ticket_Management:
| Log field | UDM mapping |
|---|---|
| affect_dest | target.labels.key/value |
| comments | about.labels.key/value |
| description | security_result.description |
| dest | target.ip, target.hostname, target.labels.key/value |
| dest_bunit | target.labels.key/value |
| dest_category | target.labels.key/value |
| dest_priority | target.labels.key/value |
| priority | security_result.priority_details |
| severity | security_result.severity |
| severity_id | about.labels.key/value |
| splunk_id | about.labels.key/value |
| splunk_realm | about.labels.key/value |
| src_user | principal.user.user_display_name |
| src_user_bunit | principal.labels.key/value |
| src_user_category | principal.labels.key/value |
| src_user_priority | principal.labels.key/value |
| status | security_result.summary |
| tag | about.labels.key/value |
| ticket_id | target.user.attribute.label.ley/value |
| time_submitted | principal.user.attribute.creation_time |
| user | principal.user.user_display_name |
| user_bunit | about.labels.key/value |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
Change
The following table lists the log fields and corresponding UDM mappings for the Splunk data set Change:
| Log field | UDM mapping |
|---|---|
| change | about.labels.key/value |
Incident
The following table lists the log fields and corresponding UDM mappings for the Splunk data set Incident:
| Log field | UDM mapping |
|---|---|
| incident | about.labels.key/value |
Problem
The following table lists the log fields and corresponding UDM mappings for the Splunk data set Problem:
| Log field | UDM mapping |
|---|---|
| problem | about.labels.key/value |
Updates
The following table lists the log fields and corresponding UDM mappings for the Splunk data set Updates:
| Log field | UDM mapping |
|---|---|
| dest | target.ip, target.hostname, target.labels.key/value |
| dest_bunit | target.labels.key/value |
| dest_category | target.labels.key/value |
| dest_priority | target.labels.key/value |
| dest_should_update | target.labels.key/value |
| dvc | principal.asset.hostname, principal.asset.ip |
| file_hash | target.file.sha256, target.file.md5, target.file.sha1 |
| file_name | about.labels.key/value |
| severity | security_result.severity |
| severity_id | about.labels.key/value |
| signature | metadata.description |
| signature_id | metadata.product_event_type |
| status | security_result.summary |
| tag | about.labels.key/value |
| vendor_product | about.labels.key/value |
Vulnerabilities
The following table lists the log fields and corresponding UDM mappings for the Splunk data set Vulnerabilities:
| Log field | UDM mapping |
|---|---|
| bugtraq | about.labels.key/value |
| category | security_result.category_details |
| cert | about.labels.key/value |
| cve | vulnerabilites.cve_description |
| cvss | vulnerabilites.cvss_base_score |
| dest | target.ip, target.hostname, target.labels.key/value |
| dest_bunit | target.labels.key/value |
| dest_category | target.labels.key/value |
| dest_priority | target.labels.key/value |
| dvc | principal.asset.hostname, principal.asset.ip |
| dvc_bunit | about.labels.key/value |
| dvc_category | about.labels.key/value |
| dvc_priority | about.labels.key/value |
| msft | about.labels.key/value |
| mskb | about.labels.key/value |
| severity | extensions.vulns.vulnerabilites.severity |
| severity_id | about.labels.key/value |
| signature | metadata.description |
| signature_id | metadata.product_event_type |
| tag | about.labels.key/value |
| url | extensions.vulns.vulnerabilites.about.url |
| user | extensions.vulns.vulnerabilites.about.user.user_display_name |
| user_bunit | about.labels.key/value |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value |
| xref | about.labels.key/value |
Web
The following table lists the log fields and corresponding UDM mappings for the Splunk data set Web:
| Log field | UDM mapping |
|---|---|
| action | security_result.action_details security_result.action |
| app | target.application |
| bytes | about.labels.key/value |
| bytes_in | network.received_bytes |
| bytes_out | network.sent_bytes |
| cached | about.labels.key/value |
| category | security_result.category_details |
| cookie | about.labels.key/value |
| dest | target.ip, target.hostname, target.labels.key/value |
| dest_bunit | target.labels.key/value |
| dest_category | target.labels.key/value |
| dest_priority | target.labels.key/value |
| dest_port | target.port |
| duration | network.session_duration |
| http_content_type | about.labels.key/value |
| http_method | network.http.method |
| http_referrer | network.http.referral_url |
| http_referrer_domain | about.labels.key/value |
| http_user_agent | network.http.user_agent |
| http_user_agent_length | about.labels.key/value |
| response_time | about.labels.key/value |
| site | about.labels.key/value |
| src | principal.ip, principal.hostname, principal.labels.key/value |
| src_bunit | principal.labels.key/value |
| src_category | principal.labels.key/value |
| src_priority | principal.labels.key/value |
| status | network.http.response_code |
| tag | about.labels.key/value |
| uri_path | about.labels.key/value |
| uri_query | about.labels.key/value |
| url | about.url |
| url_domain | about.asset.network_domain |
| url_length | about.labels.key/value |
| user | principal.user.user_display_name |
| user_bunit | about.labels.key/value |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value |
UDM event types
The following table lists the Splunk tags and the corresponding UDM event types:
| Data model | Splunk tags | UDM event type |
|---|---|---|
| Alerts | alert | STATUS_UPDATE |
| Authentication | authentication | USER_UNCATEGORIZED |
| Certificate | certificate | NETWORK_UNCATEGORIZED |
| Change | change | SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Data Access | data, access | USER_RESOURCE_ACCESS |
| Databases | database | USER_RESOURCE_ACCESS |
| Databases | database, instance, stats | STATUS_UPDATE |
| Databases | database, instance, status | STATUS_UPDATE |
| Databases | database, instance, lock | STATUS_UPDATE |
| Databases | database, query | STATUS_UPDATE |
| Databases | database, query, tablespace | STATUS_UPDATE |
| Databases | database, query, stats | STATUS_UPDATE |
| Data Loss Prevention | dlp, incident | SCAN_UNCATEGORIZED |
| EMAIL_UNCATEGORIZED | ||
| email, delivery | EMAIL_TRANSACTION | |
| Endpoint | listening, port | SERVICE_UNSPECIFIED |
| Endpoint | process, report | PROCESS_UNCATEGORIZED |
| Endpoint | service, report | SERVICE_UNSPECIFIED |
| Endpoint | endpoint, filesystem | FILE_UNCATEGORIZED |
| Endpoint | endpoint, registry | REGISTRY_UNCATEGORIZED |
| Event Signature | track_event_signature | STATUS_UPDATE |
| Inter Process Messaging | messaging | STATUS_UPDATE |
| Instrusion Detection | ids, attack | SERVICE_UNSPECIFIED |
| Inventory | inventory | SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Java Virtual Machine (JVM) | jvm | SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Malware | malware | STATUS_UPDATE |
| Network Resolution(DNS) | network, resolution, dns | NETWORK_DNS |
| Network Sessions | network, session | NETWORK_CONNECTION |
| Network Sessions | network, session, dhcp | NETWORK_DHCP |
| Network Traffic | network, communicate | NETWORK_CONNECTION |
| Performance | performance | SERVICE_UNSPECIFIED |
| Splunk Audit Logs | modaction | STATUS_UPDATE |
| Ticket Management | ticketing | STATUS_UPDATE |
| Ticket Management | ticketing, change | STATUS_UPDATE |
| Updates | update | STATUS_UPDATE |
| Vulnerabilities | report, vulnerabilites | SCAN_UNCATEGORIZED |
| Web | web | NETWORK_UNCATEGORIZED |