Stay organized with collections Save and categorize content based on your preferences.

Collect Splunk CIM logs

This document describes how you can collect Splunk Common Information Model (CIM) logs by configuring Splunk and a Chronicle forwarder. This document also lists the supported log types and supported Splunk versions.

For more information, see Data ingestion to Chronicle.

Overview

The following deployment architecture diagram shows how Splunk agents are configured to send logs to Chronicle. Each customer deployment might differ from this representation and might be more complex.

Deployment architecture

The architecture diagram shows the following components:

  • Data source: The system to be monitored in which Splunk is installed.

  • Splunk: Collects information from the data source and forwards the information to Chronicle forwarder.

  • Chronicle forwarder: A lightweight software component, deployed in the customer's network to forward the logs to Chronicle.

  • Chronicle: Retains and analyzes the logs from the Fleet server.

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with SPLUNK ingestion label.

Before you begin

  • Use Splunk version 5.0 that Chronicle parser supports.

  • Ensure that all systems in the deployment architecture are configured in the UTC time zone.

Configure a Splunk agent and a Chronicle forwarder

  1. Set up Splunk Enterprise.

  2. Install a CIM compliant agent from Splunkbase.

  3. Set up a Chronicle forwarder.

  4. Configure Chronicle forwarder to push the logs into the Chronicle system. The following is an example of a Chronicle forwarder configuration:

      - splunk:
          common:
            enabled: true
            data_type: SPLUNK
            batch_n_seconds: 10
            batch_n_bytes: 819200
          url: <SPLUNK_URL>
          query_cim: true
          is_ignore_cert: true
          query_string: | datamodel Network_Traffic All_Traffic
    

Supported Log types and data models

Splunk data model Supported
Alerts Yes
Application State (deprecated) No
Authentication Yes
Certificates Yes
Change Yes
Change Analysis (deprecated) No
Data Access Yes
Databases Yes
Data Loss Prevention Yes
Email Yes
Endpoint Yes
Event Signatures Yes
Interprocess Messaging Yes
Intrusion Detection Yes
Inventory Yes
Java Virtual Machines (JVM) Yes
Malware Yes
Network Resolution (DNS) Yes
Network Sessions Yes
Network Traffic Yes
Performance Yes
Splunk Audit Logs Yes
Ticket Management Yes
Updates Yes
Vulnerabilities Yes
Web Yes

Field mapping reference

This section explains how the Chronicle parser maps Splunk log fields to Chronicle Unified Data Model (UDM) fields for the data sets. For more information, see Splunk document for version 5.0.1.

Alerts

The following table lists the log fields and corresponding UDM mappings for the Splunk data set Alerts:

Log field UDM mapping
app observer.application
description security_result.description
dest target.ip, target.hostname, target.labels.key/value
dest_bunit target.labels.key/value
dest_category target.labels.key/value
dest_priority target.labels.key/value
dest_type target.resource.resource_type
id metadata.product_log_id
mitre_technique_id security_result.detection_fields.labels.key/value
severity security_result.severity
severity_id about.labels.key/value
signature metadata.description
signature_id security_result.rule_name
src principal.ip, principal.hostname, principal.labels.key/value
src_bunit principal.labels.key/value
src_category principal.labels.key/value
src_priority principal.labels.key/value
src_type principal.resource.resource_type
tag about.labels.key/value
type security_result.alert_state
user principal.user.user_display_name
user_bunit about.labels.key/value
user_category principal.user.attribute.labels.key/value
user_name principal.user.userid
user_priority principal.user.attribute.label.key/value
vendor_account about.labels.key/value
vendor_region about.location.country_or_region

Authentication

The following table lists the log fields and corresponding UDM mappings for the Splunk data set Authentication:

Log field UDM mapping
action security_result.action_details
security_result.action
app target.application
authentication_method about.labels.key/value
authentication_service extension.auth.auth_details
dest target.ip, target.hostname, target.labels.key/value
dest_bunit target.labels.key/value
dest_category target.labels.key/value
dest_nt_domain target.labels.key/value
dest_priority target.labels.key/value
duration network.session_duration
reason security_result.summary
response_time about.labels.key/value
signature metadata.description
signature_id metadata.product_event_type
src principal.ip, principal.hostname, principal.labels.key/value
src_bunit principal.labels.key/value
src_category principal.labels.key/value
src_nt_domain principal.labels.key/value
src_priority principal.labels.key/value
src_user principal.user.user_display_name
src_user_bunit principal.labels.key/value
src_user_category principal.labels.key/value
src_user_id principal.user.userid
src_user_priority principal.labels.key/value
src_user_role principal.user.attribute.roles.name (repeated)
src_user_type principal.user.attribute.roles.type
tag about.labels.key/value
user principal.user.user_display_name
user_agent network.http.user_agent
user_bunit about.labels.key/value
user_category principal.user.attribute.labels.key/value
user_id principal.user.userid
user_priority principal.user.attribute.label.key/value
user_role principal.user.attribute.roles.name (repeated)
user_type principal.user.attribute.roles.type
vendor_account about.labels.key/value

All_Certificates

The following table lists the log fields and corresponding UDM mappings for the Splunk data set All_Certificates:

Log field UDM mapping
dest target.ip, target.hostname, target.labels.key/value
dest_bunit target.labels.key/value
dest_category target.labels.key/value
dest_port target.port
dest_priority target.labels.key/value
duration network.session_duration
response_time about.labels.key/value
src principal.ip, principal.hostname, principal.labels.key/value
src_bunit principal.labels.key/value
src_category principal.labels.key/value
src_port principal.port
src_priority principal.labels.key/value
tag about.labels.key/value
transport network.ip_protocol

SSL

The following table lists the log fields and corresponding UDM mappings for the Splunk data set SSL:

Log field UDM mapping
ssl_end_time network.tls.server.certificate.not_after
ssl_engine about.labels.key/value
ssl_hash about.labels.key/value
ssl_is_valid about.labels.key/value
ssl_issuer network.tls.server.certificate.issuer
ssl_issuer_common_name about.labels.key/value
ssl_issuer_email about.labels.key/value
ssl_issuer_email_domain about.labels.key/value
ssl_issuer_locality about.labels.key/value
ssl_issuer_organization about.labels.key/value
ssl_issuer_state about.labels.key/value
ssl_issuer_street about.labels.key/value
ssl_issuer_unit about.labels.key/value
ssl_name about.labels.key/value
ssl_policies about.labels.key/value
ssl_publickey about.labels.key/value
ssl_publickey_algorithm about.labels.key/value
ssl_serial network.tls.server.certificate.serial
ssl_session_id network.session_id
ssl_signature_algorithm about.labels.key/value
ssl_start_time network.tls.server.certificate.not_before
ssl_subject network.tls.server.certificate.subject
ssl_subject_common_name about.labels.key/value
ssl_subject_email about.labels.key/value
ssl_subject_email_domain about.labels.key/value
ssl_subject_locality about.labels.key/value
ssl_subject_organization about.labels.key/value
ssl_subject_state about.labels.key/value
ssl_subject_street about.labels.key/value
ssl_subject_unit about.labels.key/value
ssl_validity_window about.labels.key/value
ssl_version network.tls.server.certificate.version

All_Changes

The following table lists the log fields and corresponding UDM mappings for the Splunk data set All_Changes:

Log field UDM mapping
action security_result.action_details
security_result.action
change_type security_result.category_details
command principal.process.command_line
dest target.ip, target.hostname, target.labels.key/value
dest_bunit target.labels.key/value
dest_category target.labels.key/value
dest_priority target.labels.key/value
dvc principal.asset.hostname, principal.asset.ip
object target.resource.name
object_attrs about.labels.key/value
object_category about.labels.key/value
object_id target.user.product_object_id
object_path target.file.full_path
result security_result.description
result_id about.labels.key/value
src principal.ip, principal.hostname, principal.labels.key/value
src_bunit principal.labels.key/value
src_category principal.labels.key/value
src_priority principal.labels.key/value
status security_result.summary
tag about.labels.key/value
user target.user.user_display_name, principal.user.user_display_name
user_agent network.http.user_agent
user_name principal.user.userid, target.user.userid
user_type principal.user.attribute.roles.type, target.user.attribute.roles.type
vendor_account about.labels.key/value
vendor_product about.labels.key/value
vendor_region about.location.country_or_region

Account_Management

The following table lists the log fields and corresponding UDM mappings for the Splunk data set Account_Management:

Log field UDM mapping
dest_nt_domain target.administrative_domain
src_nt_domain principal.administrative_domain
src_user principal.user.user_display_name
src_user_bunit principal.labels.key/value
src_user_category principal.labels.key/value
src_user_priority principal.labels.key/value
src_user_name principal.labels.key/value
src_user_type principal.user.attribute.roles.type

Instance_Changes

The following table lists the log fields and corresponding UDM mappings for the Splunk data set Instance_Changes:

Log field UDM mapping
image_id principal.asset_id
instance_type about.labels.key/value

network_Changes

The following table lists the log fields and corresponding UDM mappings for the Splunk data set network_Changes:

Log field UDM mapping
dest_ip_range target.labels.key/value
dest_port_range target.labels.key/value
direction network.direction
protocol network.ip_protocol
rule_action security_result.action_details
security_result.action
src_ip_range principal.labels.key/value
src_port_range principal.labels.key/value

Data_Access

The following table lists the log fields and corresponding UDM mappings for the Splunk data set Data_Access:

Log field UDM mapping
action security_result.action_details
security_result.action
app target.application
app_id metadata.product_log_id
dest target.ip, target.hostname, target.labels.key/value
dest_name target.administrative_domain
dest_url target.url
dvc principal.asset.hostname, principal.asset.ip
email principal.user.email_addresses
object target.resource.name
object_category about.labels.key/value
object_id target.user.product_object_id
object_path target.file.full_path
object_size target.file.size
owner about.labels.key/value
owner_email about.labels.key/value
owner_id principal.user.userid
parent_object target.resource.parent
parent_object_id about.labels.key/value
parent_object_category about.labels.key/value
src principal.ip, principal.hostname, principal.labels.key/value
tenant_id about.labels.key/value
user principal.user.user_display_name
user_agent network.http.user_agent
user_group principal.user.group_identifiers(repeated)
user_role principal.user.attribute.roles.name (repeated)
vendor_product about.labels.key/value
vendor_product_id about.labels.key/value

All_Databases

The following table lists the log fields and corresponding UDM mappings for the Splunk data set All_Databases:

Log field UDM mapping
dest target.ip, target.hostname, target.labels.key/value
dest_bunit target.labels.key/value
dest_category target.labels.key/value
dest_priority target.labels.key/value
duration network.session_duration
object target.resource.name
response_time about.labels.key/value
src principal.ip, principal.hostname, principal.labels.key/value
src_bunit principal.labels.key/value
src_category principal.labels.key/value
src_priority principal.labels.key/value
tag about.labels.key/value
user principal.user.user_display_name
user_bunit about.labels.key/value
user_category principal.user.attribute.labels.key/value
user_priority principal.user.attribute.label.key/value
vendor_product about.labels.key/value

Database_Instance

The following table lists the log fields and corresponding UDM mappings for the Splunk data set Database_Instance:

Log field UDM mapping
instance_name target.resource.attributes.key/value
instance_version target.resource.attributes.key/value
process_limit about.labels.key/value
session_limit about.labels.key/value

Database_Query

The following table lists the log fields and corresponding UDM mappings for the Splunk data set Database_Query:

Log field UDM mapping
query about.labels.key/value
query_id about.labels.key/value
query_time about.labels.key/value
records_affected about.labels.key/value

Instance_Stats

The following table lists the log fields and corresponding UDM mappings for the Splunk data set Instance_Stats:

Log field UDM mapping
availability about.labels.key/value
avg_executions about.labels.key/value
dump_area_used about.labels.key/value
instance_reads about.labels.key/value
instance_writes about.labels.key/value
number_of_users about.labels.key/value
processes about.labels.key/value
sessions about.labels.key/value
sga_buffer_cache_size about.labels.key/value
sga_buffer_hit_limit about.labels.key/value
sga_data_dict_hit_ratio about.labels.key/value
sga_fixed_area_size about.labels.key/value
sga_free_memory about.labels.key/value
sga_library_cache_size about.labels.key/value
sga_redo_log_buffer_size about.labels.key/value
sga_shared_pool_size about.labels.key/value
sga_sql_area_size about.labels.key/value
start_time about.labels.key/value
tablespace_used about.labels.key/value

Session_Info

The following table lists the log fields and corresponding UDM mappings for the Splunk data set Session_Info:

Log field UDM mapping
buffer_cache_hit_ratio about.labels.key/value
commits about.labels.key/value
cpu_used about.labels.key/value
cursor about.labels.key/value
elapsed_time about.labels.key/value
logical_reads about.labels.key/value
machine about.hostname
memory_sorts about.labels.key/value
physical_reads about.labels.key/value
seconds_in_wait about.labels.key/value
session_id network.session_id
session_status about.labels.key/value
table_scans about.labels.key/value
wait_state about.labels.key/value
wait_time about.labels.key/value

Lock_Info

The following table lists the log fields and corresponding UDM mappings for the Splunk data set Lock_Info:

Log field UDM mapping
last_call_minute about.labels.key/value
lock_mode about.labels.key/value
lock_session_id about.labels.key/value
logon_time about.labels.key/value
obj_name about.labels.key/value
os_pid target.process.pid
serial_num target.resource.product_object_id

Tablespace

The following table lists the log fields and corresponding UDM mappings for the Splunk data set Tablespace:

Log field UDM mapping
free_bytes about.file.size
tablespace_name about.resource.name
tablespace_reads about.labels.key/value
tablespace_status about.labels.key/value
tablespace_writes about.labels.key/value

Query_Stats

The following table lists the log fields and corresponding UDM mappings for the Splunk data set Query_Stats:

Log field UDM mapping
indexes_hit about.labels.key/value
query_plan_hit about.labels.key/value
stored_procedures_called about.labels.key/value
tables_hit about.labels.key/value

DLP_Incidents

The following table lists the log fields and corresponding UDM mappings for the Splunk data set DLP_Incidents:

Log field UDM mapping
action security_result.action_details
security_result.action
app target.application
category security_result.category_details
dest target.ip, target.hostname, target.labels.key/value
dest_bunit target.labels.key/value
dest_category target.labels.key/value
dest_priority target.labels.key/value
dest_zone target.location.country_or_origin
dlp_type about.labels.key/value
dvc principal.asset.hostname, principal.asset.ip
dvc_bunit about.labels.key/value
dvc_category about.labels.key/value
dvc_priority about.labels.key/value
dvc_zone principal.asset.location.country_or_region
object target.resource.name
object_category about.labels.key/value
object_path target.file.full_path
severity security_result.severity
severity_id about.labels.key/value
signature metadata.description
signature_id metadata.product_event_type
src principal.ip, principal.hostname, principal.labels.key/value
src_bunit principal.labels.key/value
src_category principal.labels.key/value
src_priority principal.labels.key/value
src_user principal.user.user_display_name
src_user_bunit principal.labels.key/value
src_user_category principal.labels.key/value
src_user_priority principal.labels.key/value
src_zone principal.location.country_or_origin
tag about.labels.key/value
user principal.user.user_display_name
user_bunit about.labels.key/value
user_category principal.user.attribute.labels.key/value
user_priority principal.user.attribute.label.key/value
vendor_product about.labels.key/value

All_Email

The following table lists the log fields and corresponding UDM mappings for the Splunk data set All_Email:

Log field UDM mapping
action security_result.action_details
security_result.action
delay about.labels.key/value
dest target.ip, target.hostname, target.labels.key/value
dest_bunit target.labels.key/value
dest_category target.labels.key/value
dest_priority target.labels.key/value
duration network.session_duration
file_hash about.file.sha256, about.file.md5, about.file.sha1
file_name about.labels.key/value
file_size about.file.size
internal_message_id metadata.product_log_id
message_id network.email.mail_id
message_info about.labels.key/value
orig_dest target.labels.key/value
orig_recipient about.labels.key/value
orig_src network.email.from
process principal.process.command_line
process_id principal.process.pid
protocol network.application_protocol
recipient network.email.to
recipient_count about.labels.key/value
recipient_domain about.labels.key/value
recipient_status about.labels.key/value
response_time about.labels.key/value
retries about.labels.key/value
return_addr about.labels.key/value
size about.labels.key/value
src principal.ip, principal.hostname, principal.labels.key/value
src_bunit principal.labels.key/value
src_category principal.labels.key/value
src_priority principal.labels.key/value
src_user principal.user.email_addresses
src_user_bunit principal.labels.key/value
src_user_category principal.labels.key/value
src_user_domain principal.administrative_domain
src_user_priority principal.labels.key/value
status_code about.labels.key/value
subject network.email.subject(repeated)
tag about.labels.key/value
url about.url
user principal.user.user_display_name
user_bunit about.labels.key/value
user_category principal.user.attribute.labels.key/value
user_priority principal.user.attribute.label.key/value
vendor_product about.labels.key/value
xdelay about.labels.key/value
xref about.labels.key/value

Filtering

The following table lists the log fields and corresponding UDM mappings for the Splunk data set Filtering:

Log field UDM mapping
filter_action about.labels.key/value
filter_score about.labels.key/value
signature metadata.description
signature_extra about.labels.key/value
signature_id metadata.product_event_type

Ports

The following table lists the log fields and corresponding UDM mappings for the Splunk data set Ports:

Log field UDM mapping
creation_time about.labels.key/value
dest target.ip, target.hostname, target.labels.key/value
dest_bunit target.labels.key/value
dest_category target.labels.key/value
dest_port target.port
dest_priority target.labels.key/value
dest_requires_av target.labels.key/value
dest_should_timesync target.labels.key/value
dest_should_update target.labels.key/value
process_guid principal.process.product_specific_process_id
process_id principal.process.pid
src principal.ip, principal.hostname, principal.labels.key/value
src_category principal.labels.key/value
src_priority principal.labels.key/value
src_port principal.port
src_requires_av principal.labels.key/value
src_should_timesync principal.labels.key/value
src_should_update principal.labels.key/value
state about.labels.key/value
tag about.labels.key/value
transport network.ip_protocol
transport_dest_port target.labels.key/value
user principal.user.user_display_name
user_bunit about.labels.key/value
user_category principal.user.attribute.labels.key/value
user_priority principal.user.attribute.label.key/value

Processes

The following table lists the log fields and corresponding UDM mappings for the Splunk data set Processes:

Log field UDM mapping
action security_result.action_details
security_result.action
cpu_load_percent about.labels.key/value
dest target.ip, target.hostname, target.labels.key/value
dest_bunit target.labels.key/value
dest_category target.labels.key/value
dest_is_expected target.labels.key/value
dest_priority target.labels.key/value
dest_requires_av target.labels.key/value
dest_should_timesync target.labels.key/value
dest_should_update target.labels.key/value
mem_used about.labels.key/value
original_file_name src.file.full_path
os principal.asset.platform_software.platform_version
parent_process about.labels.key/value
parent_process_exec about.labels.key/value
parent_process_id principal.process.parent_process.parent_pid
parent_process_guid principal.process.parent_process.product_specific_process_id
parent_process_name about.labels.key/value
parent_process_path principal.process.parent_process.command_line
process about.labels.key/value
process_current_directory about.labels.key/value
process_exec about.labels.key/value
process_hash principal.process.file.sha256/principal.process.file.md5/principal..process.file.sha1
process_guid principal.process.product_specific_process_id
process_id principal.process.pid
process_integrity_level security_result.severity
process_name principal.process.command_line
process_path principal.process.file.full_path
tag about.labels.key/value
user principal.user.user_display_name
user_id principal.user.userid
user_bunit about.labels.key/value
user_category principal.user.attribute.labels.key/value
user_priority principal.user.attribute.label.key/value
vendor_product about.labels.key/value

Services

The following table lists the log fields and corresponding UDM mappings for the Splunk data set Services:

Log field UDM mapping
description security_result.description
dest target.ip, target.hostname, target.labels.key/value
dest_bunit target.labels.key/value
dest_category target.labels.key/value
dest_is_expected target.labels.key/value
dest_priority target.labels.key/value
dest_requires_av target.labels.key/value
dest_should_timesync target.labels.key/value
dest_should_update target.labels.key/value
process_guid principal.process.product_specific_process_id
process_id principal.process.pid
service target.application
service_dll about.labels.key/value
service_dll_path about.file.full_path
service_dll_hash about.labels.key/value
service_dll_signature_exists about.labels.key/value
service_dll_signature_verified about.labels.key/value
service_exec target.process.file.full_path
service_hash about.labels.key/value
service_id about.labels.key/value
service_name about.labels.key/value
service_path about.labels.key/value
service_signature_exists about.labels.key/value
service_signature_verified about.labels.key/value
start_mode about.labels.key/value
status security_result.summary
tag about.labels.key/value
user principal.user.user_display_name
user_bunit about.labels.key/value
user_category principal.user.attribute.labels.key/value
user_priority principal.user.attribute.label.key/value
vendor_product about.labels.key/value

Filesystem

The following table lists the log fields and corresponding UDM mappings for the Splunk data set Filesystem:

Log field UDM mapping
action security_result.action_details
security_result.action
dest target.ip, target.hostname, target.labels.key/value
dest_bunit target.labels.key/value
dest_category target.labels.key/value
dest_priority target.labels.key/value
dest_requires_av target.labels.key/value
dest_should_timesync target.labels.key/value
dest_should_update target.labels.key/value
file_access_time about.labels.key/value
file_create_time target.asset.attribute.creation_time
file_hash target.file.sha256, target.file.md5, target.file.sha1
file_modify_time about.labels.key/value
file_name about.labels.key/value
file_path target.file.full_path
file_acl about.labels.key/value
file_size target.file.size
process_guid principal.process.product_specific_process_id
process_id principal.process.pid
tag about.labels.key/value
user principal.user.user_display_name
user_bunit about.labels.key/value
user_category principal.user.attribute.labels.key/value
user_priority principal.user.attribute.label.key/value
vendor_product about.labels.key/value

Registry

The following table lists the log fields and corresponding UDM mappings for the Splunk data set Registry:

Log field UDM mapping
action security_result.action_details
security_result.action
dest target.ip, target.hostname, target.labels.key/value
dest_bunit target.labels.key/value
dest_category target.labels.key/value
dest_priority target.labels.key/value
dest_requires_av target.labels.key/value
dest_should_timesync target.labels.key/value
dest_should_update target.labels.key/value
process_guid principal.process.product_specific_process_id
process_id principal.process.pid
registry_hive about.labels.key/value
registry_path about.labels.key/value
registry_key_name target.registry.registry_key
registry_value_data target.registry.registry_value_data
registry_value_name target.registry.registry_value_name
registry_value_text about.labels.key/value
registry_value_type about.labels.key/value
status security_result.summary
tag about.labels.key/value
user principal.user.user_display_name
user_bunit about.labels.key/value
user_category principal.user.attribute.labels.key/value
user_priority principal.user.attribute.label.key/value
vendor_product about.labels.key/value

Signatures

The following table lists the log fields and corresponding UDM mappings for the Splunk data set Signatures:

Log field UDM mapping
dest target.ip, target.hostname, target.labels.key/value
dest_bunit target.labels.key/value
dest_category target.labels.key/value
dest_priority target.labels.key/value
signature metadata.description
signature_id metadata.product_event_type
tag about.labels.key/value

Signatures_vendor_product

The following table lists the log fields and corresponding UDM mappings for the Splunk data set Signatures_vendor_product:

Log field UDM mapping
vendor_product about.labels.key/value

All_Interprocess_Messaging

The following table lists the log fields and corresponding UDM mappings for the Splunk data set All_Interprocess_Messaging:

Log field UDM mapping
dest target.ip, target.hostname, target.labels.key/value
dest_bunit target.labels.key/value
dest_category target.labels.key/value
dest_priority target.labels.key/value
duration network.session_duration
endpoint about.labels.key/value
endpoint_version about.labels.key/value
message about.labels.key/value
message_consumed_time about.labels.key/value
message_correlation_id about.labels.key/value
message_delivered_time about.labels.key/value
message_delivery_mode about.labels.key/value
message_expiration_time about.labels.key/value
message_id metadata.product.log_id
message_priority about.labels.key/value
message_properties about.labels.key/value
message_received_time about.labels.key/value
message_redelivered about.labels.key/value
message_reply_dest target.labels.key/value
message_type about.labels.key/value
parameters about.labels.key/value
payload about.labels.key/value
payload_type about.labels.key/value
request_payload about.labels.key/value
request_payload_type about.labels.key/value
request_sent_time about.labels.key/value
response_code network.http.response_code
response_payload_type about.labels.key/value
response_received_time about.labels.key/value
response_time about.labels.key/value
return_message about.labels.key/value
rpc_protocol network.application_protocol
status security_result.summary
tag about.labels.key/value

IDS_Attacks

The following table lists the log fields and corresponding UDM mappings for the Splunk data set IDS_Attacks:

Log field UDM mapping
action security_result.action_details
security_result.action
category security_result.category_details
dest target.ip, target.hostname, target.labels.key/value
dest_bunit target.labels.key/value
dest_category target.labels.key/value
dest_priority target.labels.key/value
dvc principal.asset.hostname, principal.asset.ip
dvc_bunit about.labels.key/value
dvc_category about.labels.key/value
dvc_priority about.labels.key/value
file_hash target.file.sha256, target.file.md5, target.file.sha1
file_name about.labels.key/value
file_path target.file.full_path
ids_type about.labels.key/value
severity security_result.severity
severity_id about.labels.key/value
signature metadata.description
signature_id metadata.product_event_type
src principal.ip, principal.hostname, principal.labels.key/value
src_bunit principal.labels.key/value
src_category principal.labels.key/value
src_priority principal.labels.key/value
src_port principal.port
tag about.labels.key/value
transport network.ip_protocol
user principal.user.user_display_name
user_bunit about.labels.key/value
user_category principal.user.attribute.labels.key/value
user_priority principal.user.attribute.label.key/value
vendor_product about.labels.key/value

DS_Attacks

The following table lists the log fields and corresponding UDM mappings for the Splunk data set DS_Attacks:

Log field UDM mapping
dest_port target.port

All_Inventory

The following table lists the log fields and corresponding UDM mappings for the Splunk data set All_Inventory:

Log field UDM mapping
description security_result.description
dest target.ip, target.hostname, target.labels.key/value
dest_bunit target.labels.key/value
dest_category target.labels.key/value
dest_priority target.labels.key/value
enabled about.labels.key/value
family about.labels.key/value
hypervisor_id about.labels.key/value
serial principal.asset.hardware.serial_number
status security_result.summary
tag about.labels.key/value
vendor_product about.labels.key/value
version about.labels.key/value

CPU

The following table lists the log fields and corresponding UDM mappings for the Splunk data set CPU:

Log field UDM mapping
cpu_cores principal.asset.hardware.cpu_number_cores
cpu_count about.labels.key/value
cpu_mhz principal.asset.hardware.cpu_clock_speed
cpu_load_mhz principal.asset.hardware.cpu_clock_speed
cpu_load_percent about.labels.key/value
cpu_time about.labels.key/value
cpu_user_percent about.labels.key/value

Memory

The following table lists the log fields and corresponding UDM mappings for the Splunk data set Memory:

Log field UDM mapping
mem principal.asset.hardware.ram
heap_committed about.labels.key/value
heap_initial about.labels.key/value
heap_max about.labels.key/value
heap_used about.labels.key/value
non_heap_committed about.labels.key/value
non_heap_initial about.labels.key/value
non_heap_max about.labels.key/value
non_heap_used about.labels.key/value
objects_pending about.labels.key/value
mem principal.asset.hardware.ram
mem_committed about.labels.key/value
mem_free about.labels.key/value
mem_used about.labels.key/value
swap about.labels.key/value
swap_free about.labels.key/value
swap_used about.labels.key/value

network

The following table lists the log fields and corresponding UDM mappings for the Splunk data set network:

Log field UDM mapping
dest_ip target.ip
dns about.labels.key/value
inline_nat about.labels.key/value
interface about.labels.key/value
ip principal.asset.ip
lb_method about.labels.key/value
mac principal.asset.mac
name principal.resource.name
node about.labels.key/value
node_port target.port
src_ip principal.ip
vip_port about.labels.key/value
thruput about.labels.key/value
thruput_max about.labels.key/value

OS

The following table lists the log fields and corresponding UDM mappings for the Splunk data set OS:

Log field UDM mapping
os principal.asset.platform_software.platform_version
committed_memory about.labels.key/value
cpu_time about.labels.key/value
free_physical_memory about.labels.key/value
free_swap about.labels.key/value
max_file_descriptors about.labels.key/value
open_file_descriptors about.labels.key/value
os principal.asset.platform_software.platform_version
os_architecture about.labels.key/value
os_version about.labels.key/value
physical_memory about.labels.key/value
swap_space about.labels.key/value
system_load about.labels.key/value
total_processors about.labels.key/value
signature metadata.description
signature_id metadata.product_event_type

Storage

The following table lists the log fields and corresponding UDM mappings for the Splunk data set Storage:

Log field UDM mapping
array about.labels.key/value
blocksize about.labels.key/value
cluster about.resource.resource_type = "CLUSTER"
fd_max about.labels.key/value
latency about.labels.key/value
mount principal.resource.attribute.labels.key/value
parent principal.resource.parent
read_blocks about.labels.key/value
read_latency about.labels.key/value
read_ops about.labels.key/value
storage about.labels.key/value
write_blocks about.labels.key/value
write_latency about.labels.key/value
write_ops about.labels.key/value
array about.labels.key/value
blocksize about.labels.key/value
cluster about.resource.resource_type = "CLUSTER"
fd_max about.labels.key/value
fd_used about.labels.key/value
latency about.labels.key/value
mount about.labels.key/value
parent principal.resource.parent
read_blocks about.labels.key/value
read_latency about.labels.key/value
read_ops about.labels.key/value
storage about.labels.key/value
storage_free about.labels.key/value
storage_free_percent about.labels.key/value
storage_used about.labels.key/value
storage_used_percent about.labels.key/value
write_blocks about.labels.key/value
write_latency about.labels.key/value
write_ops about.labels.key/value
error_code security_result.description
operation about.labels.key/value
storage_name about.resource.name

User

The following table lists the log fields and corresponding UDM mappings for the Splunk data set User:

Log field UDM mapping
interactive about.labels.key/value
password about.labels.key/value
shell about.labels.key/value
user principal.user.user_display_name
user_bunit about.labels.key/value
user_category principal.user.attribute.labels.key/value
user_id principal.user.userid
user_priority principal.user.attribute.label.key/value

Virtual_OS

The following table lists the log fields and corresponding UDM mappings for the Splunk data set Virtual_OS:

Log field UDM mapping
hypervisor about.labels.key/value

Snapshot

The following table lists the log fields and corresponding UDM mappings for the Splunk data set Snapshot:

Log field UDM mapping
size about.file.size
snapshot about.labels.key/value
time about.labels.key/value

JVM

The following table lists the log fields and corresponding UDM mappings for the Splunk data set JVM:

Log field UDM mapping
jvm_description security_result.description
tag about.labels.key/value

Threading

The following table lists the log fields and corresponding UDM mappings for the Splunk data set Threading:

Log field UDM mapping
cm_enabled about.labels.key/value
cm_supported about.labels.key/value
cpu_time_enabled about.labels.key/value
cpu_time_supported about.labels.key/value
current_cpu_time about.labels.key/value
current_user_time about.labels.key/value
daemon_thread_count about.labels.key/value
omu_supported about.labels.key/value
peak_thread_count about.labels.key/value
synch_supported about.labels.key/value
thread_count about.labels.key/value
threads_started about.labels.key/value

Runtime

The following table lists the log fields and corresponding UDM mappings for the Splunk data set Runtime:

Log field UDM mapping
process_name principal.process.command_line
start_time about.labels.key/value
uptime about.labels.key/value
vendor_product about.labels.key/value
version about.labels.key/value

Compilation

The following table lists the log fields and corresponding UDM mappings for the Splunk data set Compilation:

Log field UDM mapping
compilation_time about.labels.key/value

Classloading

The following table lists the log fields and corresponding UDM mappings for the Splunk data set Classloading:

Log field UDM mapping
current_loaded about.labels.key/value
total_loaded about.labels.key/value
total_unloaded about.labels.key/value

Malware_Attacks

The following table lists the log fields and corresponding UDM mappings for the Splunk data set Malware_Attacks:

Log field UDM mapping
action security_result.action_details
security_result.action
category security_result.category_details
date about.labels.key/value
dest target.ip, target.hostname, target.labels.key/value
dest_bunit target.labels.key/value
dest_category target.labels.key/value
dest_nt_domain target.administrative_domain
dest_priority target.labels.key/value
dest_requires_av target.labels.key/value
file_hash target.file.sha256, target.file.md5, target.file.sha1
file_name about.labels.key/value
file_path target.file.full_path
severity security_result.severity
severity_id about.labels.key/value
signature metadata.description
signature_id metadata.product_event_type
src principal.ip, principal.hostname, principal.labels.key/value
src_bunit principal.labels.key/value
src_category principal.labels.key/value
src_priority principal.labels.key/value
src_user principal.user.user_display_name
tag about.labels.key/value
user principal.user.user_display_name
user_bunit about.labels.key/value
user_category principal.user.attribute.labels.key/value
user_priority principal.user.attribute.label.key/value
url about.url
vendor_product about.labels.key/value

Malware_Operations

The following table lists the log fields and corresponding UDM mappings for the Splunk data set Malware_Operations:

Log field UDM mapping
dest target.ip, target.hostname, target.labels.key/value
dest_bunit target.labels.key/value
dest_nt_domain target.labels.key/value
dest_nt_domain target.labels.key/value
dest_priority target.labels.key/value
dest_requires_av target.labels.key/value
product_version about.labels.key/value
signature_version security_result.rule_version
tag about.labels.key/value
vendor_product about.labels.key/value

Malware_Operations

The following table lists the log fields and corresponding UDM mappings for the Splunk data set Malware_Operations:

Log field UDM mapping
dest_category target.labels.key/value

DNS

The following table lists the log fields and corresponding UDM mappings for the Splunk data set DNS:

Log field UDM mapping
additional_answer_count about.labels.key/value
answer network.dns.answer.data
answer_count about.labels.key/value
authority_answer_count about.labels.key/value
dest target.ip, target.hostname, target.labels.key/value
dest_bunit target.labels.key/value
dest_category target.labels.key/value
dest_port target.port
dest_priority target.labels.key/value
duration network.session_duration
message_type about.labels.key/value
name about.labels.key/value
query network.dns.questions.name
query_count about.labels.key/value
query_type network.dns.questions.type
record_type network.dns.answer.type(uint32)
reply_code about.labels.key/value
reply_code_id network.dns.response_code
response_time about.labels.key/value
src principal.ip, principal.hostname, principal.labels.key/value
src_bunit principal.labels.key/value
src_category principal.labels.key/value
src_port principal.port
src_priority principal.labels.key/value
tag about.labels.key/value
transaction_id network.dns.id
transport network.ip_protocol
ttl about.labels.key/value
vendor_product about.labels.key/value

All_Sessions

The following table lists the log fields and corresponding UDM mappings for the Splunk data set All_Sessions:

Log field UDM mapping
action security_result.action_details
security_result.action
dest_bunit target.labels.key/value
dest_category target.labels.key/value
dest_dns target.labels.key/value
dest_ip network.dhcp.ciaddr
dest_mac network.dhcp.chaddr
dest_nt_host target.labels.key/value
dest_priority target.labels.key/value
duration network.session_duration
response_time about.labels.key/value
signature metadata.description
signature_id metadata.product_event_type
src_bunit principal.labels.key/value
src_category principal.labels.key/value
src_dns principal.labels.key/value
src_ip principal.ip
src_mac principal.mac
src_nt_host principal.labels.key/value
src_priority principal.labels.key/value
tag about.labels.key/value
user principal.user.user_display_name
user_bunit about.labels.key/value
user_category principal.user.attribute.labels.key/value
user_priority principal.user.attribute.label.key/value
vendor_product about.labels.key/value

DHCP

The following table lists the log fields and corresponding UDM mappings for the Splunk data set DHCP:

Log field UDM mapping
lease_duration network.dhcp.lease_time_second
lease_scope about.labels.key/value

All_Traffic

The following table lists the log fields and corresponding UDM mappings for the Splunk data set All_Traffic:

Log field UDM mapping
action security_result.action_details
security_result.action
app network.application_protocol
bytes about.labels.key/value
bytes_in network.received_bytes
bytes_out network.sent_bytes
channel about.labels.key/value
dest target.ip, target.hostname, target.labels.key/value
dest_bunit target.labels.key/value
dest_category target.labels.key/value
dest_interface target.labels.key/value
dest_ip target.ip
dest_mac target.mac
dest_port target.port
dest_priority target.labels.key/value
dest_translated_ip target.nat_ip
dest_translated_port target.nat_port
dest_zone target.location.country_or_origin
direction network.direction
duration network.session_duration
dvc principal.asset.hostname, principal.asset.ip
dvc_bunit about.labels.key/value
dvc_category about.labels.key/value
dvc_ip about.labels.key/value
dvc_mac principal.asset.mac
dvc_priority about.labels.key/value
dvc_zone principal.asset.location.country_or_region
flow_id about.labels.key/value
icmp_code about.labels.key/value
icmp_type about.labels.key/value
packets about.labels.key/value
packets_in about.labels.key/value
packets_out about.labels.key/value
protocol about.labels.key/value
protocol_version about.labels.key/value
response_time about.labels.key/value
rule security_result.rule_id
session_id network.session_id
src principal.ip, principal.hostname, principal.labels.key/value
src_bunit principal.labels.key/value
src_category principal.labels.key/value
src_interface principal.labels.key/value
src_ip principal.ip
src_mac principal.mac
src_port principal.port
src_priority principal.labels.key/value
src_translated_ip principal.nat_ip
src_translated_port principal.nat_port
src_zone principal.location.country_or_origin
ssid about.labels.key/value
tag about.labels.key/value
tcp_flag about.labels.key/value
transport network.ip_protocol
tos about.labels.key/value
ttl network.dns.additional.ttl
user about.labels.key/value
user_bunit about.labels.key/value
user_category principal.user.attribute.labels.key/value
user_priority principal.user.attribute.label.key/value
vendor_account about.labels.key/value
vendor_product about.labels.key/value
vlan about.labels.key/value
wifi about.labels.key/value

All_Performance

The following table lists the log fields and corresponding UDM mappings for the Splunk data set All_Performance:

Log field UDM mapping
dest target.ip, target.hostname, target.labels.key/value
dest_bunit target.labels.key/value
dest_category target.labels.key/value
dest_priority target.labels.key/value
dest_should_timesync target.labels.key/value
dest_should_update target.labels.key/value
hypervisor_id about.labels.key/value
resource_type about.labels.key/value
tag about.labels.key/value

Facilities

The following table lists the log fields and corresponding UDM mappings for the Splunk data set Facilities:

Log field UDM mapping
fan_speed about.labels.key/value
power about.labels.key/value
temperature about.labels.key/value

Timesync

The following table lists the log fields and corresponding UDM mappings for the Splunk data set Timesync:

Log field UDM mapping
action security_result.action_details
security_result.action

Uptime

The following table lists the log fields and corresponding UDM mappings for the Splunk data set Uptime:

Log field UDM mapping
uptime about.labels.key/value

View_Activity

The following table lists the log fields and corresponding UDM mappings for the Splunk data set View_Activity:

Log field UDM mapping
app target.application
spent about.labels.key/value
uri about.labels.key/value
user principal.user.user_display_name
view about.labels.key/value

Datamodel_Acceleration

The following table lists the log fields and corresponding UDM mappings for the Splunk data set Datamodel_Acceleration:

Log field UDM mapping
access_count about.labels.key/value
access_time about.labels.key/value
app target.application
buckets about.labels.key/value
buckets_size about.labels.key/value
complete about.labels.key/value
cron about.labels.key/value
datamodel about.labels.key/value
digest about.labels.key/value
earliest about.labels.key/value
is_inprogress about.labels.key/value
last_error about.labels.key/value
last_sid about.labels.key/value
latest about.labels.key/value
mod_time about.labels.key/value
retention about.labels.key/value
size about.file.size
summary_id about.labels.key/value

Search_Activity

The following table lists the log fields and corresponding UDM mappings for the Splunk data set Search_Activity:

Log field UDM mapping
host about.hostname
info about.labels.key/value
search about.labels.key/value
search_et about.labels.key/value
search_lt about.labels.key/value
search_type about.labels.key/value
source principal.labels.key/value
sourcetype principal.labels.key/value
user principal.user.user_display_name
user_bunit about.labels.key/value
user_category principal.user.attribute.labels.key/value
user_priority principal.user.attribute.label.key/value

Scheduler_Activity

The following table lists the log fields and corresponding UDM mappings for the Splunk data set Scheduler_Activity:

Log field UDM mapping
app target.application
host about.hostname
savedsearch_name about.labels.key/value
sid about.labels.key/value
source principal.labels.key/value
sourcetype principal.labels.key/value
splunk_server principal.ip, principal.hostname
status security_result.summary
user principal.user.user_display_name

Web_Service_Errors

The following table lists the log fields and corresponding UDM mappings for the Splunk data set Web_Service_Errors:

Log field UDM mapping
host about.hostname
source principal.labels.key/value
sourcetype principal.labels.key/value
event_id security_result.rule_name

Modular_Actions

The following table lists the log fields and corresponding UDM mappings for the Splunk data set Modular_Actions:

Log field UDM mapping
action_mode about.labels.key/value
action_status about.labels.key/value
app target.application
duration network.session_duration
component about.labels.key/value
orig_rid about.labels.key/value
orig_sid about.labels.key/value
rid about.labels.key/value
search_name about.labels.key/value
action_name security_result.action_details
signature metadata.description
sid about.labels.key/value
user about.labels.key/value

All_Ticket_Management

The following table lists the log fields and corresponding UDM mappings for the Splunk data set All_Ticket_Management:

Log field UDM mapping
affect_dest target.labels.key/value
comments about.labels.key/value
description security_result.description
dest target.ip, target.hostname, target.labels.key/value
dest_bunit target.labels.key/value
dest_category target.labels.key/value
dest_priority target.labels.key/value
priority security_result.priority_details
severity security_result.severity
severity_id about.labels.key/value
splunk_id about.labels.key/value
splunk_realm about.labels.key/value
src_user principal.user.user_display_name
src_user_bunit principal.labels.key/value
src_user_category principal.labels.key/value
src_user_priority principal.labels.key/value
status security_result.summary
tag about.labels.key/value
ticket_id target.user.attribute.label.ley/value
time_submitted principal.user.attribute.creation_time
user principal.user.user_display_name
user_bunit about.labels.key/value
user_category principal.user.attribute.labels.key/value
user_priority principal.user.attribute.label.key/value

Change

The following table lists the log fields and corresponding UDM mappings for the Splunk data set Change:

Log field UDM mapping
change about.labels.key/value

Incident

The following table lists the log fields and corresponding UDM mappings for the Splunk data set Incident:

Log field UDM mapping
incident about.labels.key/value

Problem

The following table lists the log fields and corresponding UDM mappings for the Splunk data set Problem:

Log field UDM mapping
problem about.labels.key/value

Updates

The following table lists the log fields and corresponding UDM mappings for the Splunk data set Updates:

Log field UDM mapping
dest target.ip, target.hostname, target.labels.key/value
dest_bunit target.labels.key/value
dest_category target.labels.key/value
dest_priority target.labels.key/value
dest_should_update target.labels.key/value
dvc principal.asset.hostname, principal.asset.ip
file_hash target.file.sha256, target.file.md5, target.file.sha1
file_name about.labels.key/value
severity security_result.severity
severity_id about.labels.key/value
signature metadata.description
signature_id metadata.product_event_type
status security_result.summary
tag about.labels.key/value
vendor_product about.labels.key/value

Vulnerabilities

The following table lists the log fields and corresponding UDM mappings for the Splunk data set Vulnerabilities:

Log field UDM mapping
bugtraq about.labels.key/value
category security_result.category_details
cert about.labels.key/value
cve vulnerabilites.cve_description
cvss vulnerabilites.cvss_base_score
dest target.ip, target.hostname, target.labels.key/value
dest_bunit target.labels.key/value
dest_category target.labels.key/value
dest_priority target.labels.key/value
dvc principal.asset.hostname, principal.asset.ip
dvc_bunit about.labels.key/value
dvc_category about.labels.key/value
dvc_priority about.labels.key/value
msft about.labels.key/value
mskb about.labels.key/value
severity extensions.vulns.vulnerabilites.severity
severity_id about.labels.key/value
signature metadata.description
signature_id metadata.product_event_type
tag about.labels.key/value
url extensions.vulns.vulnerabilites.about.url
user extensions.vulns.vulnerabilites.about.user.user_display_name
user_bunit about.labels.key/value
user_category principal.user.attribute.labels.key/value
user_priority principal.user.attribute.label.key/value
vendor_product about.labels.key/value
xref about.labels.key/value

Web

The following table lists the log fields and corresponding UDM mappings for the Splunk data set Web:

Log field UDM mapping
action security_result.action_details
security_result.action
app target.application
bytes about.labels.key/value
bytes_in network.received_bytes
bytes_out network.sent_bytes
cached about.labels.key/value
category security_result.category_details
cookie about.labels.key/value
dest target.ip, target.hostname, target.labels.key/value
dest_bunit target.labels.key/value
dest_category target.labels.key/value
dest_priority target.labels.key/value
dest_port target.port
duration network.session_duration
http_content_type about.labels.key/value
http_method network.http.method
http_referrer network.http.referral_url
http_referrer_domain about.labels.key/value
http_user_agent network.http.user_agent
http_user_agent_length about.labels.key/value
response_time about.labels.key/value
site about.labels.key/value
src principal.ip, principal.hostname, principal.labels.key/value
src_bunit principal.labels.key/value
src_category principal.labels.key/value
src_priority principal.labels.key/value
status network.http.response_code
tag about.labels.key/value
uri_path about.labels.key/value
uri_query about.labels.key/value
url about.url
url_domain about.asset.network_domain
url_length about.labels.key/value
user principal.user.user_display_name
user_bunit about.labels.key/value
user_category principal.user.attribute.labels.key/value
user_priority principal.user.attribute.label.key/value
vendor_product about.labels.key/value

UDM event types

The following table lists the Splunk tags and the corresponding UDM event types:

Data model Splunk tags UDM event type
Alerts alert STATUS_UPDATE
Authentication authentication USER_UNCATEGORIZED
Certificate certificate NETWORK_UNCATEGORIZED
Change change SYSTEM_AUDIT_LOG_UNCATEGORIZED
Data Access data, access USER_RESOURCE_ACCESS
Databases database USER_RESOURCE_ACCESS
Databases database, instance, stats STATUS_UPDATE
Databases database, instance, status STATUS_UPDATE
Databases database, instance, lock STATUS_UPDATE
Databases database, query STATUS_UPDATE
Databases database, query, tablespace STATUS_UPDATE
Databases database, query, stats STATUS_UPDATE
Data Loss Prevention dlp, incident SCAN_UNCATEGORIZED
Email email EMAIL_UNCATEGORIZED
Email email, delivery EMAIL_TRANSACTION
Endpoint listening, port SERVICE_UNSPECIFIED
Endpoint process, report PROCESS_UNCATEGORIZED
Endpoint service, report SERVICE_UNSPECIFIED
Endpoint endpoint, filesystem FILE_UNCATEGORIZED
Endpoint endpoint, registry REGISTRY_UNCATEGORIZED
Event Signature track_event_signature STATUS_UPDATE
Inter Process Messaging messaging STATUS_UPDATE
Instrusion Detection ids, attack SERVICE_UNSPECIFIED
Inventory inventory SYSTEM_AUDIT_LOG_UNCATEGORIZED
Java Virtual Machine (JVM) jvm SYSTEM_AUDIT_LOG_UNCATEGORIZED
Malware malware STATUS_UPDATE
Network Resolution(DNS) network, resolution, dns NETWORK_DNS
Network Sessions network, session NETWORK_CONNECTION
Network Sessions network, session, dhcp NETWORK_DHCP
Network Traffic network, communicate NETWORK_CONNECTION
Performance performance SERVICE_UNSPECIFIED
Splunk Audit Logs modaction STATUS_UPDATE
Ticket Management ticketing STATUS_UPDATE
Ticket Management ticketing, change STATUS_UPDATE
Updates update STATUS_UPDATE
Vulnerabilities report, vulnerabilites SCAN_UNCATEGORIZED
Web web NETWORK_UNCATEGORIZED

What's next