收集 Splunk CIM 日志
本文档介绍了如何通过配置 Splunk 来收集 Splunk 通用信息模型 (CIM) 日志 和 Google Security Operations 转发器。本文档还列出了支持的日志类型 和受支持的 Splunk 版本
如需了解详情,请参阅将数据注入到 Google Security Operations 中。
概览
以下部署架构图显示了如何将 Splunk 代理配置为向 Google Security Operations 发送日志。每个客户部署都可能 与此表示不同,并且可能更复杂。
架构图显示了以下组件:
数据源:要监控的安装 Splunk 的系统。
Splunk:从数据源收集信息,并将信息转发给 Google Security Operations 转发器。
Google Security Operations 转发器:一个轻量级 软件组件部署在客户的网络中,用于将日志转发到 Google Security Operations。
Google Security Operations:保留和分析来自 舰队服务器
提取标签用于标识将原始日志数据标准化的解析器
结构化 UDM 格式本文档中的信息适用于解析器
提取标签为 SPLUNK。
准备工作
使用 Google Security Operations 解析器支持的 Splunk 5.0 版。
确保已配置部署架构中的所有系统 (采用世界协调时间 [UTC] 时区)。
配置 Splunk 代理和 Google Security Operations 转发器
从 Splunkbase 安装符合 CIM 标准的代理。
配置 Google Security Operations 转发器,以将日志推送到 Google Security Operations 系统。以下是 Google Security Operations 转发器配置的示例:
- splunk: common: enabled: true data_type: SPLUNK batch_n_seconds: 10 batch_n_bytes: 819200 url: <SPLUNK_URL> query_cim: true is_ignore_cert: true query_string: datamodel Network_Traffic All_Traffic flat
编写 Splunk 搜索查询时的注意事项
Splunk 有自己的搜索语言,类似于 SQL。请确保使用正确的搜索查询语法。创建查询时,请考虑以下搜索特征:
转义字符
如果字符串值包含英文双引号 ",请使用反斜杠字符对引号进行转义。否则,搜索会错误解读字符串值的末尾。
例如:如需搜索字符串 WHERE _raw="The user "vpatel" isn't authenticated.",请执行以下操作:
您必须使用序列 \" 来搜索字面量双引号。
按以下格式编写搜索字符串:
WHERE _raw="The user \"vpatel\" isn't authenticated."
若要对反斜杠字符 \ 进行转义,请使用序列 \\ 搜索反斜杠。
例如,如果存在类似 C:\user\abc 的字符串,则必须将其写成 C:\\user\\abc。
搜索存在语法问题
如果查询的部分内容无效,则系统不会对整个查询求值,并显示错误消息。
在下面的示例中,查询中缺少搜索模式选项:
multisearch [|datamodel Network_Traffic All_Traffic] [|datamodel Network_Sessions All_Sessions flat]
在此示例中,查询中缺少搜索模式选项。这会导致以下错误:
Error in 'multisearch' command: Multisearch sub searches might only contain purely streaming operations. The search job has failed due to an error.
支持多个数据模型
Splunk 支持跨数据模型的单个大型查询。以下搜索查询从多个数据模型中提取数据:
multisearch [|datamodel Network_Traffic All_Traffic flat] [|datamodel Network_Sessions All_Sessions flat]
以下是此查询跨数据模型的部分组件:
Multisearch:查询必须以 multisearch 一词开头。数据模型查询必须用方括号 [ ] 括起来,并以竖线 | 字符开头。
Network_Traffic:数据模型的名称。
All_Traffic:Network_Traffic 数据模型的数据集。
flat:搜索模式。其他选项包括 search 和 acceleration_search。
我们建议使用以下 Splunk 查询搜索多数据模型:
multisearch [|datamodel Network_Traffic All_Traffic flat] [|datamodel Network_Sessions All_Sessions flat]
支持的日志类型和数据模型
| Splunk 数据模型 | 支持 |
|---|---|
| 提醒 | 是 |
| 应用状态(已废弃) | 否 |
| 身份验证 | 是 |
| 证书 | 是 |
| 更改 | 是 |
| 变更分析(已弃用) | 否 |
| 数据访问 | 是 |
| 数据库 | 是 |
| 数据泄露防护 | 是 |
| 电子邮件 | 是 |
| 端点 | 是 |
| 事件签名 | 是 |
| 进程间消息传递 | 是 |
| 入侵检测 | 是 |
| 广告资源 | 是 |
| Java 虚拟机 (JVM) | 是 |
| 恶意软件 | 是 |
| 网络解析 (DNS) | 是 |
| 网络会话 | 是 |
| 网络流量 | 是 |
| 性能 | 是 |
| Splunk 审核日志 | 是 |
| 票务管理 | 是 |
| 更新 | 是 |
| 漏洞 | 是 |
| 网站 | 是 |
字段映射参考文档
本部分介绍 Google Security Operations 解析器如何将 Splunk 日志字段映射到数据集的 Google Security Operations 统一数据模型 (UDM) 字段。如需了解详情,请参阅版本 5.0.1 的 Splunk 文档。
提醒
下表列出了 Splunk 数据集提醒的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| 应用 | observer.application |
| 说明 | security_result.description |
| dest | target.ip target.hostname target.labels.key/value(已弃用) |
| dest_bunit | target.labels.key/value(已弃用) additional.fields |
| dest_category | target.labels.key/value(已弃用) additional.fields |
| dest_priority | target.labels.key/value(已弃用) additional.fields |
| dest_type | target.resource.resource_type |
| id | metadata.product_log_id |
| mitre_technique_id | security_result.detection_fields.labels.key/value |
| 和程度上减少 | security_result.severity |
| severity_id | about.labels.key/value(已弃用) additional.fields |
| signature | metadata.description |
| signature_id | security_result.rule_name |
| src | principal.ip principal.hostname principal.labels.key/value(已弃用) |
| src_bunit | principal.labels.key/value(已弃用) additional.fields |
| src_category | principal.labels.key/value(已弃用) additional.fields |
| src_priority | principal.labels.key/value(已弃用) additional.fields |
| src_type | principal.resource.resource_type |
| 标记 | about.labels.key/value(已弃用) additional.fields |
| 类型 | security_result.alert_state |
| 用户 | principal.user.user_display_name |
| user_bunit | about.labels.key/value(已弃用) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_name | principal.user.userid |
| user_priority | principal.user.attribute.label.key/value |
| vendor_account | about.labels.key/value(已弃用) additional.fields |
| vendor_region | about.location.country_or_region |
身份验证
下表列出了 Splunk 数据集 Authentication 的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| 操作 | security_result.action_details security_result.action |
| 应用 | target.application |
| authentication_method | about.labels.key/value(已弃用) additional.fields |
| authentication_service | extension.auth.auth_details |
| dest | target.ip target.hostname target.labels.key/value(已弃用) |
| dest_bunit | target.labels.key/value(已弃用) additional.fields |
| dest_category | target.labels.key/value(已弃用) additional.fields |
| dest_nt_domain | target.labels.key/value(已弃用) additional.fields |
| dest_priority | target.labels.key/value(已弃用) additional.fields |
| 时长 | network.session_duration |
| 原因 | security_result.summary |
| response_time | about.labels.key/value(已弃用) additional.fields |
| signature | metadata.description |
| signature_id | metadata.product_event_type |
| src | principal.ip principal.hostname principal.labels.key/value(已弃用) |
| src_bunit | principal.labels.key/value(已弃用) additional.fields |
| src_category | principal.labels.key/value(已弃用) additional.fields |
| src_nt_domain | principal.labels.key/value(已弃用) additional.fields |
| src_priority | principal.labels.key/value(已弃用) additional.fields |
| src_user | principal.user.user_display_name |
| src_user_bunit | principal.labels.key/value(已弃用) additional.fields |
| src_user_category | principal.labels.key/value(已弃用) additional.fields |
| src_user_id | principal.user.userid |
| src_user_priority | principal.labels.key/value(已弃用) additional.fields |
| src_user_role | principal.user.attribute.roles.name(重复) |
| src_user_type | principal.user.attribute.roles.type |
| 标记 | about.labels.key/value(已弃用) additional.fields |
| 用户 | principal.user.user_display_name |
| user_agent | network.http.user_agent |
| user_bunit | about.labels.key/value(已弃用) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_id | principal.user.userid |
| user_priority | principal.user.attribute.label.key/value |
| user_role | principal.user.attribute.roles.name(重复) |
| user_type | principal.user.attribute.roles.type |
| vendor_account | about.labels.key/value(已弃用) additional.fields |
All_Certificates
下表列出了 Splunk 数据集 All_Certificates 的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| dest | target.ip target.hostname target.labels.key/value(已弃用) |
| dest_bunit | target.labels.key/value(已弃用) additional.fields |
| dest_category | target.labels.key/value(已弃用) additional.fields |
| dest_port | target.port |
| dest_priority | target.labels.key/value(已弃用) additional.fields |
| 时长 | network.session_duration |
| response_time | about.labels.key/value(已弃用) additional.fields |
| src | principal.ip principal.hostname principal.labels.key/value(已弃用) |
| src_bunit | principal.labels.key/value(已弃用) additional.fields |
| src_category | principal.labels.key/value(已弃用) additional.fields |
| src_port | principal.port |
| src_priority | principal.labels.key/value(已弃用) additional.fields |
| 标记 | about.labels.key/value(已弃用) additional.fields |
| transport | network.ip_protocol |
SSL
下表列出了 Splunk 数据集 SSL 的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| ssl_end_time | network.tls.server.certificate.not_after |
| ssl_engine | about.labels.key/value(已弃用) additional.fields |
| ssl_hash | about.labels.key/value(已弃用) additional.fields |
| ssl_is_valid | about.labels.key/value(已弃用) additional.fields |
| ssl_issuer | network.tls.server.certificate.issuer |
| ssl_issuer_common_name | about.labels.key/value(已弃用) additional.fields |
| ssl_issuer_email | about.labels.key/value(已弃用) additional.fields |
| ssl_issuer_email_domain | about.labels.key/value(已弃用) additional.fields |
| ssl_issuer_locality | about.labels.key/value(已弃用) additional.fields |
| ssl_issuer_organization | about.labels.key/value(已弃用) additional.fields |
| ssl_issuer_state | about.labels.key/value(已弃用) additional.fields |
| ssl_issuer_street | about.labels.key/value(已弃用) additional.fields |
| ssl_issuer_unit | about.labels.key/value(已弃用) additional.fields |
| ssl_name | about.labels.key/value(已弃用) additional.fields |
| ssl_policies | about.labels.key/value(已弃用) additional.fields |
| ssl_publickey | about.labels.key/value(已弃用) additional.fields |
| ssl_publickey_algorithm | about.labels.key/value(已弃用) additional.fields |
| ssl_serial | network.tls.server.certificate.serial |
| ssl_session_id | network.session_id |
| ssl_signature_algorithm | about.labels.key/value(已弃用) additional.fields |
| ssl_start_time | network.tls.server.certificate.not_before |
| ssl_subject | network.tls.server.certificate.subject |
| ssl_subject_common_name | about.labels.key/value(已弃用) additional.fields |
| ssl_subject_email | about.labels.key/value(已弃用) additional.fields |
| ssl_subject_email_domain | about.labels.key/value(已弃用) additional.fields |
| ssl_subject_locality | about.labels.key/value(已弃用) additional.fields |
| ssl_subject_organization | about.labels.key/value(已弃用) additional.fields |
| ssl_subject_state | about.labels.key/value(已弃用) additional.fields |
| ssl_subject_street | about.labels.key/value(已弃用) additional.fields |
| ssl_subject_unit | about.labels.key/value(已弃用) additional.fields |
| ssl_validity_window | about.labels.key/value(已弃用) additional.fields |
| ssl_version | network.tls.server.certificate.version |
All_Changes
下表列出了 Splunk 数据集 All_Changes 的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| 操作 | security_result.action_details security_result.action |
| change_type | security_result.category_details |
| command | principal.process.command_line |
| dest | target.ip target.hostname target.labels.key/value(已弃用) |
| dest_bunit | target.labels.key/value(已弃用) additional.fields |
| dest_category | target.labels.key/value(已弃用) additional.fields |
| dest_priority | target.labels.key/value(已弃用) additional.fields |
| dvc | principal.asset.hostname、principal.asset.ip |
| 对象 | target.resource.name |
| object_attrs | about.labels.key/value(已弃用) additional.fields |
| object_category | about.labels.key/value(已弃用) additional.fields |
| object_id | target.user.product_object_id |
| object_path | target.file.full_path |
| 结果 | metadata.description |
| result_id | metadata.product_event_type |
| src | principal.ip principal.hostname principal.labels.key/value(已弃用) |
| src_bunit | principal.labels.key/value(已弃用) additional.fields |
| src_category | principal.labels.key/value(已弃用) additional.fields |
| src_priority | principal.labels.key/value(已弃用) additional.fields |
| 状态 | security_result.summary |
| 标记 | about.labels.key/value(已弃用) additional.fields |
| 用户 | target.user.userid |
| user_agent | network.http.user_agent |
| user_name | principal.user.user_display_name、target.labels.key/value |
| user_type | principal.user.attribute.roles.type、target.user.attribute.roles.type |
| vendor_account | about.labels.key/value(已弃用) additional.fields |
| vendor_product | about.labels.key/value(已弃用) additional.fields |
| vendor_region | about.location.country_or_region |
Account_Management
下表列出了 Splunk 数据集 Account_Management 的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| dest_nt_domain | target.administrative_domain |
| src_nt_domain | principal.administrative_domain |
| src_user | principal.user.userid |
| src_user_bunit | principal.labels.key/value(已弃用) additional.fields |
| src_user_category | principal.labels.key/value(已弃用) additional.fields |
| src_user_priority | principal.labels.key/value(已弃用) additional.fields |
| src_user_name | principal.labels.key/value(已弃用) additional.fields |
| src_user_type | principal.user.attribute.roles.type |
Instance_Changes
下表列出了 Splunk 数据集 Instance_Changes 的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| image_id | principal.asset_id |
| instance_type | about.labels.key/value(已弃用) additional.fields |
network_Changes
下表列出了 Splunk 数据集 network_Changes 的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| dest_ip_range | target.labels.key/value(已弃用) additional.fields |
| dest_port_range | target.labels.key/value(已弃用) additional.fields |
| 方向 | network.direction |
| 协议 | network.ip_protocol |
| rule_action | security_result.action_details security_result.action |
| src_ip_range | principal.labels.key/value(已弃用) additional.fields |
| src_port_range | principal.labels.key/value(已弃用) additional.fields |
Data_Access
下表列出了 Splunk 数据集 Data_Access 的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| 操作 | security_result.action_details security_result.action |
| 应用 | target.application |
| app_id | metadata.product_log_id |
| dest | target.ip target.hostname target.labels.key/value(已弃用) |
| dest_name | target.administrative_domain |
| dest_url | target.url |
| dvc | principal.asset.hostname、principal.asset.ip |
| 电子邮件 | principal.user.email_addresses |
| 对象 | target.resource.name |
| object_category | about.labels.key/value(已弃用) additional.fields |
| object_id | target.user.product_object_id |
| object_path | target.file.full_path |
| object_size | target.file.size |
| 所有者 | about.labels.key/value(已弃用) additional.fields |
| owner_email | about.labels.key/value(已弃用) additional.fields |
| owner_id | principal.user.userid |
| parent_object | target.resource.parent |
| parent_object_id | about.labels.key/value(已弃用) additional.fields |
| parent_object_category | about.labels.key/value(已弃用) additional.fields |
| src | principal.ip principal.hostname principal.labels.key/value(已弃用) |
| tenant_id | about.labels.key/value(已弃用) additional.fields |
| 用户 | principal.user.user_display_name |
| user_agent | network.http.user_agent |
| user_group | principal.user.group_identifiers(repeated) |
| user_role | principal.user.attribute.roles.name(重复) |
| vendor_product | about.labels.key/value(已弃用) additional.fields |
| vendor_product_id | about.labels.key/value(已弃用) additional.fields |
All_Databases
下表列出了 Splunk 数据集 All_Databases 的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| dest | target.ip target.hostname target.labels.key/value(已弃用) |
| dest_bunit | target.labels.key/value(已弃用) additional.fields |
| dest_category | target.labels.key/value(已弃用) additional.fields |
| dest_priority | target.labels.key/value(已弃用) additional.fields |
| 时长 | network.session_duration |
| 对象 | target.resource.name |
| response_time | about.labels.key/value(已弃用) additional.fields |
| src | principal.ip principal.hostname principal.labels.key/value(已弃用) |
| src_bunit | principal.labels.key/value(已弃用) additional.fields |
| src_category | principal.labels.key/value(已弃用) additional.fields |
| src_priority | principal.labels.key/value(已弃用) additional.fields |
| 标记 | about.labels.key/value(已弃用) additional.fields |
| 用户 | principal.user.user_display_name |
| user_bunit | about.labels.key/value(已弃用) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value(已弃用) additional.fields |
Database_Instance
下表列出了 Splunk 数据集 Database_Instance 的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| instance_name | target.resource.attributes.key/value |
| instance_version | target.resource.attributes.key/value |
| process_limit | about.labels.key/value(已弃用) additional.fields |
| session_limit | about.labels.key/value(已弃用) additional.fields |
Database_Query
下表列出了 Splunk 数据集 Database_Query 的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| 查询 | about.labels.key/value(已弃用) additional.fields |
| query_id | about.labels.key/value(已弃用) additional.fields |
| query_time | about.labels.key/value(已弃用) additional.fields |
| records_affected | about.labels.key/value(已弃用) additional.fields |
Instance_Stats
下表列出了 Splunk 数据集 Instance_Stats 的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| 库存状况 | about.labels.key/value(已弃用) additional.fields |
| avg_executions | about.labels.key/value(已弃用) additional.fields |
| dump_area_used | about.labels.key/value(已弃用) additional.fields |
| instance_reads | about.labels.key/value(已弃用) additional.fields |
| instance_writes | about.labels.key/value(已弃用) additional.fields |
| number_of_users | about.labels.key/value(已弃用) additional.fields |
| 进程 | about.labels.key/value(已弃用) additional.fields |
| 专题演讲 | about.labels.key/value(已弃用) additional.fields |
| sga_buffer_cache_size | about.labels.key/value(已弃用) additional.fields |
| sga_buffer_hit_limit | about.labels.key/value(已弃用) additional.fields |
| sga_data_dict_hit_ratio | about.labels.key/value(已弃用) additional.fields |
| sga_fixed_area_size | about.labels.key/value(已弃用) additional.fields |
| sga_free_memory | about.labels.key/value(已弃用) additional.fields |
| sga_library_cache_size | about.labels.key/value(已弃用) additional.fields |
| sga_redo_log_buffer_size | about.labels.key/value(已弃用) additional.fields |
| sga_shared_pool_size | about.labels.key/value(已弃用) additional.fields |
| sga_sql_area_size | about.labels.key/value(已弃用) additional.fields |
| start_time | about.labels.key/value(已弃用) additional.fields |
| tablespace_used | about.labels.key/value(已弃用) additional.fields |
Session_Info
下表列出了 Splunk 数据集 Session_Info 的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| buffer_cache_hit_ratio | about.labels.key/value(已弃用) additional.fields |
| 项提交 | about.labels.key/value(已弃用) additional.fields |
| cpu_used | about.labels.key/value(已弃用) additional.fields |
| cursor | about.labels.key/value(已弃用) additional.fields |
| elapsed_time | about.labels.key/value(已弃用) additional.fields |
| logical_reads | about.labels.key/value(已弃用) additional.fields |
| 机器 | about.hostname |
| memory_sorts | about.labels.key/value(已弃用) additional.fields |
| physical_reads | about.labels.key/value(已弃用) additional.fields |
| seconds_in_wait | about.labels.key/value(已弃用) additional.fields |
| session_id | network.session_id |
| session_status | about.labels.key/value(已弃用) additional.fields |
| table_scans | about.labels.key/value(已弃用) additional.fields |
| wait_state | about.labels.key/value(已弃用) additional.fields |
| wait_time | about.labels.key/value(已弃用) additional.fields |
Lock_Info
下表列出了 Splunk 数据集 Lock_Info 的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| last_call_minute | about.labels.key/value(已弃用) additional.fields |
| lock_mode | about.labels.key/value(已弃用) additional.fields |
| lock_session_id | about.labels.key/value(已弃用) additional.fields |
| logon_time | about.labels.key/value(已弃用) additional.fields |
| obj_name | about.labels.key/value(已弃用) additional.fields |
| os_pid | target.process.pid |
| serial_num | target.resource.product_object_id |
表空间
下表列出了 Splunk 数据集表空间的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| free_bytes | about.file.size |
| tablespace_name | about.resource.name |
| tablespace_reads | about.labels.key/value(已弃用) additional.fields |
| tablespace_status | about.labels.key/value(已弃用) additional.fields |
| tablespace_writes | about.labels.key/value(已弃用) additional.fields |
Query_Stats
下表列出了 Splunk 数据集 Query_Stats 的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| indexes_hit | about.labels.key/value(已弃用) additional.fields |
| query_plan_hit | about.labels.key/value(已弃用) additional.fields |
| stored_procedures_called | about.labels.key/value(已弃用) additional.fields |
| tables_hit | about.labels.key/value(已弃用) additional.fields |
DLP_Incidents
下表列出了 Splunk 数据集 DLP_Incidents 的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| 操作 | security_result.action_details security_result.action |
| 应用 | target.application |
| category | security_result.category_details |
| dest | target.ip target.hostname target.labels.key/value(已弃用) |
| dest_bunit | target.labels.key/value(已弃用) additional.fields |
| dest_category | target.labels.key/value(已弃用) additional.fields |
| dest_priority | target.labels.key/value(已弃用) additional.fields |
| dest_zone | target.location.country_or_origin |
| dlp_type | about.labels.key/value(已弃用) additional.fields |
| dvc | principal.asset.hostname、principal.asset.ip |
| dvc_bunit | about.labels.key/value(已弃用) additional.fields |
| dvc_category | about.labels.key/value(已弃用) additional.fields |
| dvc_priority | about.labels.key/value(已弃用) additional.fields |
| dvc_zone | principal.asset.location.country_or_region |
| 对象 | target.resource.name |
| object_category | about.labels.key/value(已弃用) additional.fields |
| object_path | target.file.full_path |
| 和程度上减少 | security_result.severity |
| severity_id | about.labels.key/value(已弃用) additional.fields |
| signature | metadata.description |
| signature_id | metadata.product_event_type |
| src | principal.ip principal.hostname principal.labels.key/value(已弃用) |
| src_bunit | principal.labels.key/value(已弃用) additional.fields |
| src_category | principal.labels.key/value(已弃用) additional.fields |
| src_priority | principal.labels.key/value(已弃用) additional.fields |
| src_user | principal.user.user_display_name |
| src_user_bunit | principal.labels.key/value(已弃用) additional.fields |
| src_user_category | principal.labels.key/value(已弃用) additional.fields |
| src_user_priority | principal.labels.key/value(已弃用) additional.fields |
| src_zone | principal.location.country_or_origin |
| 标记 | about.labels.key/value(已弃用) additional.fields |
| 用户 | principal.user.user_display_name |
| user_bunit | about.labels.key/value(已弃用) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value(已弃用) additional.fields |
All_Email
下表列出了 Splunk 数据集 All_Email 的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| 操作 | security_result.action_details security_result.action |
| delay | about.labels.key/value(已弃用) additional.fields |
| dest | target.ip target.hostname target.labels.key/value(已弃用) |
| dest_bunit | target.labels.key/value(已弃用) additional.fields |
| dest_category | target.labels.key/value(已弃用) additional.fields |
| dest_priority | target.labels.key/value(已弃用) additional.fields |
| 时长 | network.session_duration |
| file_hash | about.file.sha256、about.file.md5、about.file.sha1 |
| file_name | about.labels.key/value(已弃用) additional.fields |
| file_size | about.file.size |
| internal_message_id | metadata.product_log_id |
| message_id | network.email.mail_id |
| message_info | about.labels.key/value(已弃用) additional.fields |
| orig_dest | target.labels.key/value(已弃用) additional.fields |
| orig_recipient | about.labels.key/value(已弃用) additional.fields |
| orig_src | network.email.from |
| 原始事件 | principal.process.command_line |
| process_id | principal.process.pid |
| 协议 | network.application_protocol |
| 收件人 | network.email.to |
| recipient_count | about.labels.key/value(已弃用) additional.fields |
| recipient_domain | about.labels.key/value(已弃用) additional.fields |
| recipient_status | about.labels.key/value(已弃用) additional.fields |
| response_time | about.labels.key/value(已弃用) additional.fields |
| retries | about.labels.key/value(已弃用) additional.fields |
| return_addr | about.labels.key/value(已弃用) additional.fields |
| 大小 | about.labels.key/value(已弃用) additional.fields |
| src | principal.ip principal.hostname principal.labels.key/value(已弃用) |
| src_bunit | principal.labels.key/value(已弃用) additional.fields |
| src_category | principal.labels.key/value(已弃用) additional.fields |
| src_priority | principal.labels.key/value(已弃用) additional.fields |
| src_user | principal.user.email_addresses |
| src_user_bunit | principal.labels.key/value(已弃用) additional.fields |
| src_user_category | principal.labels.key/value(已弃用) additional.fields |
| src_user_domain | principal.administrative_domain |
| src_user_priority | principal.labels.key/value(已弃用) additional.fields |
| status_code | about.labels.key/value(已弃用) additional.fields |
| subject | network.email.subject(repeated) |
| 标记 | about.labels.key/value(已弃用) additional.fields |
| 网址 | about.url |
| 用户 | principal.user.user_display_name |
| user_bunit | about.labels.key/value(已弃用) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value(已弃用) additional.fields |
| Xdelay | about.labels.key/value(已弃用) additional.fields |
| xref | about.labels.key/value(已弃用) additional.fields |
过滤
下表列出了 Splunk 数据集过滤的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| filter_action | about.labels.key/value(已弃用) additional.fields |
| filter_score | about.labels.key/value(已弃用) additional.fields |
| signature | metadata.description |
| signature_extra | about.labels.key/value(已弃用) additional.fields |
| signature_id | metadata.product_event_type |
端口
下表列出了 Splunk 数据集端口的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| creation_time | about.labels.key/value(已弃用) additional.fields |
| dest | target.ip target.hostname target.labels.key/value(已弃用) |
| dest_bunit | target.labels.key/value(已弃用) additional.fields |
| dest_category | target.labels.key/value(已弃用) additional.fields |
| dest_port | target.port |
| dest_priority | target.labels.key/value(已弃用) additional.fields |
| dest_requires_av | target.labels.key/value(已弃用) additional.fields |
| dest_should_timesync | target.labels.key/value(已弃用) additional.fields |
| dest_should_update | target.labels.key/value(已弃用) additional.fields |
| process_guid | principal.process.product_specific_process_id |
| process_id | principal.process.pid |
| src | principal.ip principal.hostname principal.labels.key/value(已弃用) |
| src_category | principal.labels.key/value(已弃用) additional.fields |
| src_priority | principal.labels.key/value(已弃用) additional.fields |
| src_port | principal.port |
| src_requires_av | principal.labels.key/value(已弃用) additional.fields |
| src_should_timesync | principal.labels.key/value(已弃用) additional.fields |
| src_should_update | principal.labels.key/value(已弃用) additional.fields |
| state | about.labels.key/value(已弃用) additional.fields |
| 标记 | about.labels.key/value(已弃用) additional.fields |
| transport | network.ip_protocol |
| transport_dest_port | target.labels.key/value(已弃用) additional.fields |
| 用户 | principal.user.user_display_name |
| user_bunit | about.labels.key/value(已弃用) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
进程
下表列出了 Splunk 数据集“Processes”的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| 操作 | security_result.action_details security_result.action |
| cpu_load_percent | about.labels.key/value(已弃用) additional.fields |
| dest | target.ip target.hostname target.labels.key/value(已弃用) |
| dest_bunit | target.labels.key/value(已弃用) additional.fields |
| dest_category | target.labels.key/value(已弃用) additional.fields |
| dest_is_expected | target.labels.key/value(已弃用) additional.fields |
| dest_priority | target.labels.key/value(已弃用) additional.fields |
| dest_requires_av | target.labels.key/value(已弃用) additional.fields |
| dest_should_timesync | target.labels.key/value(已弃用) additional.fields |
| dest_should_update | target.labels.key/value(已弃用) additional.fields |
| mem_used | about.labels.key/value(已弃用) additional.fields |
| original_file_name | src.file.full_path |
| os | principal.asset.platform_software.platform_version |
| parent_process | about.labels.key/value(已弃用) additional.fields |
| parent_process_exec | about.labels.key/value(已弃用) additional.fields |
| parent_process_id | principal.process.parent_process.parent_pid |
| parent_process_guid | principal.process.parent_process.product_specific_process_id |
| parent_process_name | about.labels.key/value(已弃用) additional.fields |
| parent_process_path | principal.process.parent_process.command_line |
| 原始事件 | about.labels.key/value(已弃用) additional.fields |
| process_current_directory | about.labels.key/value(已弃用) additional.fields |
| process_exec | about.labels.key/value(已弃用) additional.fields |
| process_hash | principal.process.file.sha256/principal.process.file.md5/principal..process.file.sha1 |
| process_guid | principal.process.product_specific_process_id |
| process_id | principal.process.pid |
| process_integrity_level | security_result.severity |
| process_name | principal.process.command_line |
| process_path | principal.process.file.full_path |
| 标记 | about.labels.key/value(已弃用) additional.fields |
| 用户 | principal.user.user_display_name |
| user_id | principal.user.userid |
| user_bunit | about.labels.key/value(已弃用) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value(已弃用) additional.fields |
服务
下表列出了 Splunk 数据集 Service 的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| 说明 | security_result.description |
| dest | target.ip target.hostname target.labels.key/value(已弃用) |
| dest_bunit | target.labels.key/value(已弃用) additional.fields |
| dest_category | target.labels.key/value(已弃用) additional.fields |
| dest_is_expected | target.labels.key/value(已弃用) additional.fields |
| dest_priority | target.labels.key/value(已弃用) additional.fields |
| dest_requires_av | target.labels.key/value(已弃用) additional.fields |
| dest_should_timesync | target.labels.key/value(已弃用) additional.fields |
| dest_should_update | target.labels.key/value(已弃用) additional.fields |
| process_guid | principal.process.product_specific_process_id |
| process_id | principal.process.pid |
| 服务 | target.application |
| service_dll | about.labels.key/value(已弃用) additional.fields |
| service_dll_path | about.file.full_path |
| service_dll_hash | about.labels.key/value(已弃用) additional.fields |
| service_dll_signature_exists | about.labels.key/value(已弃用) additional.fields |
| service_dll_signature_verified | about.labels.key/value(已弃用) additional.fields |
| service_exec | target.process.file.full_path |
| service_hash | about.labels.key/value(已弃用) additional.fields |
| service_id | about.labels.key/value(已弃用) additional.fields |
| service_name | about.labels.key/value(已弃用) additional.fields |
| service_path | about.labels.key/value(已弃用) additional.fields |
| service_signature_exists | about.labels.key/value(已弃用) additional.fields |
| service_signature_verified | about.labels.key/value(已弃用) additional.fields |
| start_mode | about.labels.key/value(已弃用) additional.fields |
| 状态 | security_result.summary |
| 标记 | about.labels.key/value(已弃用) additional.fields |
| 用户 | principal.user.user_display_name |
| user_bunit | about.labels.key/value(已弃用) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value(已弃用) additional.fields |
文件系统
下表列出了 Splunk 数据集文件系统的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| 操作 | security_result.action_details security_result.action |
| dest | target.ip target.hostname target.labels.key/value(已弃用) |
| dest_bunit | target.labels.key/value(已弃用) additional.fields |
| dest_category | target.labels.key/value(已弃用) additional.fields |
| dest_priority | target.labels.key/value(已弃用) additional.fields |
| dest_requires_av | target.labels.key/value(已弃用) additional.fields |
| dest_should_timesync | target.labels.key/value(已弃用) additional.fields |
| dest_should_update | target.labels.key/value(已弃用) additional.fields |
| file_access_time | about.labels.key/value(已弃用) additional.fields |
| file_create_time | target.asset.attribute.creation_time |
| file_hash | target.file.sha256、target.file.md5、target.file.sha1 |
| file_modify_time | about.labels.key/value(已弃用) additional.fields |
| file_name | about.labels.key/value(已弃用) additional.fields |
| file_path | target.file.full_path |
| file_acl | about.labels.key/value(已弃用) additional.fields |
| file_size | target.file.size |
| process_guid | principal.process.product_specific_process_id |
| process_id | principal.process.pid |
| 标记 | about.labels.key/value(已弃用) additional.fields |
| 用户 | principal.user.user_display_name |
| user_bunit | about.labels.key/value(已弃用) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value(已弃用) additional.fields |
Registry
下表列出了 Splunk 数据集注册表的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| 操作 | security_result.action_details security_result.action |
| dest | target.ip target.hostname target.labels.key/value(已弃用) |
| dest_bunit | target.labels.key/value(已弃用) additional.fields |
| dest_category | target.labels.key/value(已弃用) additional.fields |
| dest_priority | target.labels.key/value(已弃用) additional.fields |
| dest_requires_av | target.labels.key/value(已弃用) additional.fields |
| dest_should_timesync | target.labels.key/value(已弃用) additional.fields |
| dest_should_update | target.labels.key/value(已弃用) additional.fields |
| process_guid | principal.process.product_specific_process_id |
| process_id | principal.process.pid |
| registry_hive | about.labels.key/value(已弃用) additional.fields |
| registry_path | about.labels.key/value(已弃用) additional.fields |
| registry_key_name | target.registry.registry_key |
| registry_value_data | target.registry.registry_value_data |
| registry_value_name | target.registry.registry_value_name |
| registry_value_text | about.labels.key/value(已弃用) additional.fields |
| registry_value_type | about.labels.key/value(已弃用) additional.fields |
| 状态 | security_result.summary |
| 标记 | about.labels.key/value(已弃用) additional.fields |
| 用户 | principal.user.user_display_name |
| user_bunit | about.labels.key/value(已弃用) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value(已弃用) additional.fields |
签名
下表列出了 Splunk 数据集签名的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| dest | target.ip target.hostname target.labels.key/value(已弃用) |
| dest_bunit | target.labels.key/value(已弃用) additional.fields |
| dest_category | target.labels.key/value(已弃用) additional.fields |
| dest_priority | target.labels.key/value(已弃用) additional.fields |
| signature | metadata.description |
| signature_id | metadata.product_event_type |
| 标记 | about.labels.key/value(已弃用) additional.fields |
Signatures_vendor_product
下表列出了 Splunk 数据集 Signatures_vendor_product 的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| vendor_product | about.labels.key/value(已弃用) additional.fields |
All_Interprocess_Messaging
下表列出了 Splunk 数据集 All_Interprocess_Messaging 的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| dest | target.ip target.hostname target.labels.key/value(已弃用) |
| dest_bunit | target.labels.key/value(已弃用) additional.fields |
| dest_category | target.labels.key/value(已弃用) additional.fields |
| dest_priority | target.labels.key/value(已弃用) additional.fields |
| 时长 | network.session_duration |
| 端点 | about.labels.key/value(已弃用) additional.fields |
| endpoint_version | about.labels.key/value(已弃用) additional.fields |
| 消息 | about.labels.key/value(已弃用) additional.fields |
| message_consumed_time | about.labels.key/value(已弃用) additional.fields |
| message_correlation_id | about.labels.key/value(已弃用) additional.fields |
| message_delivered_time | about.labels.key/value(已弃用) additional.fields |
| message_delivery_mode | about.labels.key/value(已弃用) additional.fields |
| message_expiration_time | about.labels.key/value(已弃用) additional.fields |
| message_id | metadata.product.log_id |
| message_priority | about.labels.key/value(已弃用) additional.fields |
| message_properties | about.labels.key/value(已弃用) additional.fields |
| message_received_time | about.labels.key/value(已弃用) additional.fields |
| message_redelivered | about.labels.key/value(已弃用) additional.fields |
| message_reply_dest | target.labels.key/value(已弃用) additional.fields |
| message_type | about.labels.key/value(已弃用) additional.fields |
| 参数 | about.labels.key/value(已弃用) additional.fields |
| payload | about.labels.key/value(已弃用) additional.fields |
| payload_type | about.labels.key/value(已弃用) additional.fields |
| request_payload | about.labels.key/value(已弃用) additional.fields |
| request_payload_type | about.labels.key/value(已弃用) additional.fields |
| request_sent_time | about.labels.key/value(已弃用) additional.fields |
| response_code | network.http.response_code |
| response_payload_type | about.labels.key/value(已弃用) additional.fields |
| response_received_time | about.labels.key/value(已弃用) additional.fields |
| response_time | about.labels.key/value(已弃用) additional.fields |
| return_message | about.labels.key/value(已弃用) additional.fields |
| rpc_protocol | network.application_protocol |
| 状态 | security_result.summary |
| 标记 | about.labels.key/value(已弃用) additional.fields |
IDS_Attacks
下表列出了 Splunk 数据集 IDS_Attacks 的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| 操作 | security_result.action_details security_result.action |
| category | security_result.category_details |
| dest | target.ip target.hostname target.labels.key/value(已弃用) |
| dest_bunit | target.labels.key/value(已弃用) additional.fields |
| dest_category | target.labels.key/value(已弃用) additional.fields |
| dest_priority | target.labels.key/value(已弃用) additional.fields |
| dvc | principal.asset.hostname、principal.asset.ip |
| dvc_bunit | about.labels.key/value(已弃用) additional.fields |
| dvc_category | about.labels.key/value(已弃用) additional.fields |
| dvc_priority | about.labels.key/value(已弃用) additional.fields |
| file_hash | target.file.sha256、target.file.md5、target.file.sha1 |
| file_name | about.labels.key/value(已弃用) additional.fields |
| file_path | target.file.full_path |
| ids_type | about.labels.key/value(已弃用) additional.fields |
| 和程度上减少 | security_result.severity |
| severity_id | about.labels.key/value(已弃用) additional.fields |
| signature | metadata.description |
| signature_id | metadata.product_event_type |
| src | principal.ip principal.hostname principal.labels.key/value(已弃用) |
| src_bunit | principal.labels.key/value(已弃用) additional.fields |
| src_category | principal.labels.key/value(已弃用) additional.fields |
| src_priority | principal.labels.key/value(已弃用) additional.fields |
| src_port | principal.port |
| 标记 | about.labels.key/value(已弃用) additional.fields |
| transport | network.ip_protocol |
| 用户 | principal.user.user_display_name |
| user_bunit | about.labels.key/value(已弃用) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value(已弃用) additional.fields |
DS_Attacks
下表列出了 Splunk 数据集 DS_Attacks 的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| dest_port | target.port |
All_Inventory
下表列出了 Splunk 数据集 All_Inventory 的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| 说明 | security_result.description |
| dest | target.ip target.hostname target.labels.key/value(已弃用) |
| dest_bunit | target.labels.key/value(已弃用) additional.fields |
| dest_category | target.labels.key/value(已弃用) additional.fields |
| dest_priority | target.labels.key/value(已弃用) additional.fields |
| 已启用 | about.labels.key/value(已弃用) additional.fields |
| 系列 | about.labels.key/value(已弃用) additional.fields |
| hypervisor_id | about.labels.key/value(已弃用) additional.fields |
| serial | principal.asset.hardware.serial_number |
| 状态 | security_result.summary |
| 标记 | about.labels.key/value(已弃用) additional.fields |
| vendor_product | about.labels.key/value(已弃用) additional.fields |
| version | about.labels.key/value(已弃用) additional.fields |
CPU
下表列出了 Splunk 数据集 CPU 的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| cpu_cores | principal.asset.hardware.cpu_number_cores |
| cpu_count | about.labels.key/value(已弃用) additional.fields |
| cpu_mhz | principal.asset.hardware.cpu_clock_speed |
| cpu_load_mhz | principal.asset.hardware.cpu_clock_speed |
| cpu_load_percent | about.labels.key/value(已弃用) additional.fields |
| cpu_time | about.labels.key/value(已弃用) additional.fields |
| cpu_user_percent | about.labels.key/value(已弃用) additional.fields |
内存
下表列出了 Splunk 数据集 Memory 的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| 内存 | principal.asset.hardware.ram |
| heap_committed | about.labels.key/value(已弃用) additional.fields |
| heap_initial | about.labels.key/value(已弃用) additional.fields |
| heap_max | about.labels.key/value(已弃用) additional.fields |
| heap_used | about.labels.key/value(已弃用) additional.fields |
| non_heap_committed | about.labels.key/value(已弃用) additional.fields |
| non_heap_initial | about.labels.key/value(已弃用) additional.fields |
| non_heap_max | about.labels.key/value(已弃用) additional.fields |
| non_heap_used | about.labels.key/value(已弃用) additional.fields |
| objects_pending | about.labels.key/value(已弃用) additional.fields |
| 内存 | principal.asset.hardware.ram |
| mem_committed | about.labels.key/value(已弃用) additional.fields |
| mem_free | about.labels.key/value(已弃用) additional.fields |
| mem_used | about.labels.key/value(已弃用) additional.fields |
| 交换空间 | about.labels.key/value(已弃用) additional.fields |
| swap_free | about.labels.key/value(已弃用) additional.fields |
| swap_used | about.labels.key/value(已弃用) additional.fields |
network
下表列出了 Splunk 数据集网络的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| dest_ip | target.ip |
| dns | about.labels.key/value(已弃用) additional.fields |
| inline_nat | about.labels.key/value(已弃用) additional.fields |
| 接口 | about.labels.key/value(已弃用) additional.fields |
| ip | principal.asset.ip |
| lb_method | about.labels.key/value(已弃用) additional.fields |
| Mac | principal.asset.mac |
| name | principal.resource.name |
| 节点 | about.labels.key/value(已弃用) additional.fields |
| node_port | target.port |
| src_ip | principal.ip |
| vip_port | about.labels.key/value(已弃用) additional.fields |
| thruput | about.labels.key/value(已弃用) additional.fields |
| thruput_max | about.labels.key/value(已弃用) additional.fields |
操作系统
下表列出了 Splunk 数据集操作系统的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| os | principal.asset.platform_software.platform_version |
| committed_memory | about.labels.key/value(已弃用) additional.fields |
| cpu_time | about.labels.key/value(已弃用) additional.fields |
| free_physical_memory | about.labels.key/value(已弃用) additional.fields |
| free_swap | about.labels.key/value(已弃用) additional.fields |
| max_file_descriptors | about.labels.key/value(已弃用) additional.fields |
| open_file_descriptors | about.labels.key/value(已弃用) additional.fields |
| os | principal.asset.platform_software.platform_version |
| os_architecture | about.labels.key/value(已弃用) additional.fields |
| os_version | about.labels.key/value(已弃用) additional.fields |
| physical_memory | about.labels.key/value(已弃用) additional.fields |
| swap_space | about.labels.key/value(已弃用) additional.fields |
| system_load | about.labels.key/value(已弃用) additional.fields |
| total_processors | about.labels.key/value(已弃用) additional.fields |
| signature | metadata.description |
| signature_id | metadata.product_event_type |
存储
下表列出了 Splunk 数据集 Storage 的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| 数组 | about.labels.key/value(已弃用) additional.fields |
| 块规模 | about.labels.key/value(已弃用) additional.fields |
| 集群 | about.resource.resource_type = "集群" |
| fd_max | about.labels.key/value(已弃用) additional.fields |
| 延时 | about.labels.key/value(已弃用) additional.fields |
| mount | principal.resource.attribute.labels.key/value |
| 父级 | principal.resource.parent |
| read_blocks | about.labels.key/value(已弃用) additional.fields |
| read_latency | about.labels.key/value(已弃用) additional.fields |
| read_ops | about.labels.key/value(已弃用) additional.fields |
| 存储 | about.labels.key/value(已弃用) additional.fields |
| write_blocks | about.labels.key/value(已弃用) additional.fields |
| write_latency | about.labels.key/value(已弃用) additional.fields |
| write_ops | about.labels.key/value(已弃用) additional.fields |
| 数组 | about.labels.key/value(已弃用) additional.fields |
| 块规模 | about.labels.key/value(已弃用) additional.fields |
| 集群 | about.resource.resource_type = "集群" |
| fd_max | about.labels.key/value(已弃用) additional.fields |
| fd_used | about.labels.key/value(已弃用) additional.fields |
| 延时 | about.labels.key/value(已弃用) additional.fields |
| mount | about.labels.key/value(已弃用) additional.fields |
| 父级 | principal.resource.parent |
| read_blocks | about.labels.key/value(已弃用) additional.fields |
| read_latency | about.labels.key/value(已弃用) additional.fields |
| read_ops | about.labels.key/value(已弃用) additional.fields |
| 存储 | about.labels.key/value(已弃用) additional.fields |
| storage_free | about.labels.key/value(已弃用) additional.fields |
| storage_free_percent | about.labels.key/value(已弃用) additional.fields |
| storage_used | about.labels.key/value(已弃用) additional.fields |
| storage_used_percent | about.labels.key/value(已弃用) additional.fields |
| write_blocks | about.labels.key/value(已弃用) additional.fields |
| write_latency | about.labels.key/value(已弃用) additional.fields |
| write_ops | about.labels.key/value(已弃用) additional.fields |
| error_code | security_result.description |
| 操作 | about.labels.key/value(已弃用) additional.fields |
| storage_name | about.resource.name |
用户
下表列出了 Splunk 数据集用户的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| interactive | about.labels.key/value(已弃用) additional.fields |
| 密码 | about.labels.key/value(已弃用) additional.fields |
| shell | about.labels.key/value(已弃用) additional.fields |
| 用户 | principal.user.user_display_name |
| user_bunit | about.labels.key/value(已弃用) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_id | principal.user.userid |
| user_priority | principal.user.attribute.label.key/value |
Virtual_OS
下表列出了 Splunk 数据集 Virtual_OS 的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| 管理程序 | about.labels.key/value(已弃用) additional.fields |
快照
下表列出了 Splunk 数据集快照的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| 大小 | about.file.size |
| 快照 | about.labels.key/value(已弃用) additional.fields |
| 时间 | about.labels.key/value(已弃用) additional.fields |
JVM
下表列出了 Splunk 数据集 JVM 的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| jvm_description | security_result.description |
| 标记 | about.labels.key/value(已弃用) additional.fields |
线程处理
下表列出了 Splunk 数据集 Threading 的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| cm_enabled | about.labels.key/value(已弃用) additional.fields |
| cm_supported | about.labels.key/value(已弃用) additional.fields |
| cpu_time_enabled | about.labels.key/value(已弃用) additional.fields |
| cpu_time_supported | about.labels.key/value(已弃用) additional.fields |
| current_cpu_time | about.labels.key/value(已弃用) additional.fields |
| current_user_time | about.labels.key/value(已弃用) additional.fields |
| daemon_thread_count | about.labels.key/value(已弃用) additional.fields |
| omu_supported | about.labels.key/value(已弃用) additional.fields |
| peak_thread_count | about.labels.key/value(已弃用) additional.fields |
| synch_supported | about.labels.key/value(已弃用) additional.fields |
| thread_count | about.labels.key/value(已弃用) additional.fields |
| threads_started | about.labels.key/value(已弃用) additional.fields |
运行时
下表列出了 Splunk 数据集运行时的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| process_name | principal.process.command_line |
| start_time | about.labels.key/value(已弃用) additional.fields |
| uptime | about.labels.key/value(已弃用) additional.fields |
| vendor_product | about.labels.key/value(已弃用) additional.fields |
| version | about.labels.key/value(已弃用) additional.fields |
编译
下表列出了 Splunk 数据集编译的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| compilation_time | about.labels.key/value(已弃用) additional.fields |
类加载
下表列出了 Splunk 数据集 Classloading 的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| current_loaded | about.labels.key/value(已弃用) additional.fields |
| total_loaded | about.labels.key/value(已弃用) additional.fields |
| total_unloaded | about.labels.key/value(已弃用) additional.fields |
Malware_Attacks
下表列出了 Splunk 数据集 Malware_Attacks 的日志字段和相应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| 操作 | security_result.action_details security_result.action |
| category | security_result.category_details |
| 日期 | about.labels.key/value(已弃用) additional.fields |
| dest | target.ip target.hostname target.labels.key/value(已弃用) |
| dest_bunit | target.labels.key/value(已弃用) additional.fields |
| dest_category | target.labels.key/value(已弃用) additional.fields |
| dest_nt_domain | target.administrative_domain |
| dest_priority | target.labels.key/value(已弃用) additional.fields |
| dest_requires_av | target.labels.key/value(已弃用) additional.fields |
| file_hash | target.file.sha256、target.file.md5、target.file.sha1 |
| file_name | about.labels.key/value(已弃用) additional.fields |
| file_path | target.file.full_path |
| 和程度上减少 | security_result.severity |
| severity_id | about.labels.key/value(已弃用) additional.fields |
| signature | metadata.description |
| signature_id | metadata.product_event_type |
| src | principal.ip principal.hostname principal.labels.key/value(已弃用) |
| src_bunit | principal.labels.key/value(已弃用) additional.fields |
| src_category | principal.labels.key/value(已弃用) additional.fields |
| src_priority | principal.labels.key/value(已弃用) additional.fields |
| src_user | principal.user.user_display_name |
| 标记 | about.labels.key/value(已弃用) additional.fields |
| 用户 | principal.user.user_display_name |
| user_bunit | about.labels.key/value(已弃用) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| 网址 | about.url |
| vendor_product | about.labels.key/value(已弃用) additional.fields |
Malware_Operations
下表列出了 Splunk 数据集 Malware_Operations 的日志字段和相应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| dest | target.ip target.hostname target.labels.key/value(已弃用) |
| dest_bunit | target.labels.key/value(已弃用) additional.fields |
| dest_nt_domain | target.labels.key/value(已弃用) additional.fields |
| dest_nt_domain | target.labels.key/value(已弃用) additional.fields |
| dest_priority | target.labels.key/value(已弃用) additional.fields |
| dest_requires_av | target.labels.key/value(已弃用) additional.fields |
| product_version | about.labels.key/value(已弃用) additional.fields |
| signature_version | security_result.rule_version |
| 标记 | about.labels.key/value(已弃用) additional.fields |
| vendor_product | about.labels.key/value(已弃用) additional.fields |
Malware_Operations
下表列出了 Splunk 数据集 Malware_Operations 的日志字段和相应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| dest_category | target.labels.key/value(已弃用) additional.fields |
DNS
下表列出了 Splunk 数据集 DNS 的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| additional_answer_count | about.labels.key/value(已弃用) additional.fields |
| 答案 | network.dns.answer.data |
| answer_count | about.labels.key/value(已弃用) additional.fields |
| authority_answer_count | about.labels.key/value(已弃用) additional.fields |
| dest | target.ip target.hostname target.labels.key/value(已弃用) |
| dest_bunit | target.labels.key/value(已弃用) additional.fields |
| dest_category | target.labels.key/value(已弃用) additional.fields |
| dest_port | target.port |
| dest_priority | target.labels.key/value(已弃用) additional.fields |
| 时长 | network.session_duration |
| message_type | about.labels.key/value(已弃用) additional.fields |
| name | about.labels.key/value(已弃用) additional.fields |
| 查询 | network.dns.questions.name |
| query_count | about.labels.key/value(已弃用) additional.fields |
| query_type | network.dns.questions.type |
| record_type | network.dns.answer.type(uint32) |
| reply_code | about.labels.key/value(已弃用) additional.fields |
| reply_code_id | network.dns.response_code |
| response_time | about.labels.key/value(已弃用) additional.fields |
| src | principal.ip principal.hostname principal.labels.key/value(已弃用) |
| src_bunit | principal.labels.key/value(已弃用) additional.fields |
| src_category | principal.labels.key/value(已弃用) additional.fields |
| src_port | principal.port |
| src_priority | principal.labels.key/value(已弃用) additional.fields |
| 标记 | about.labels.key/value(已弃用) additional.fields |
| transaction_id | network.dns.id |
| transport | network.ip_protocol |
| ttl | about.labels.key/value(已弃用) additional.fields |
| vendor_product | about.labels.key/value(已弃用) additional.fields |
All_Sessions
下表列出了 Splunk 数据集 All_Sessions 的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| 操作 | security_result.action_details security_result.action |
| dest_bunit | target.labels.key/value(已弃用) additional.fields |
| dest_category | target.labels.key/value(已弃用) additional.fields |
| dest_dns | target.labels.key/value(已弃用) additional.fields |
| dest_ip | network.dhcp.ciaddr |
| dest_mac | network.dhcp.chaddr |
| dest_nt_host | target.labels.key/value(已弃用) additional.fields |
| dest_priority | target.labels.key/value(已弃用) additional.fields |
| 时长 | network.session_duration |
| response_time | about.labels.key/value(已弃用) additional.fields |
| signature | metadata.description |
| signature_id | metadata.product_event_type |
| src_bunit | principal.labels.key/value(已弃用) additional.fields |
| src_category | principal.labels.key/value(已弃用) additional.fields |
| src_dns | principal.labels.key/value(已弃用) additional.fields |
| src_ip | principal.ip |
| src_mac | principal.mac |
| src_nt_host | principal.labels.key/value(已弃用) additional.fields |
| src_priority | principal.labels.key/value(已弃用) additional.fields |
| 标记 | about.labels.key/value(已弃用) additional.fields |
| 用户 | principal.user.user_display_name |
| user_bunit | about.labels.key/value(已弃用) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value(已弃用) additional.fields |
DHCP
下表列出了 Splunk 数据集 DHCP 的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| lease_duration | network.dhcp.lease_time_second |
| lease_scope | about.labels.key/value(已弃用) additional.fields |
All_Traffic
下表列出了 Splunk 数据集 All_Traffic 的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| 操作 | security_result.action_details security_result.action |
| 应用 | network.application_protocol |
| 字节 | about.labels.key/value(已弃用) additional.fields |
| bytes_in | network.received_bytes |
| bytes_out | network.sent_bytes |
| channel | about.labels.key/value(已弃用) additional.fields |
| dest | target.ip target.hostname target.labels.key/value(已弃用) |
| dest_bunit | target.labels.key/value(已弃用) additional.fields |
| dest_category | target.labels.key/value(已弃用) additional.fields |
| dest_interface | target.labels.key/value(已弃用) additional.fields |
| dest_ip | target.ip |
| dest_mac | target.mac |
| dest_port | target.port |
| dest_priority | target.labels.key/value(已弃用) additional.fields |
| dest_translated_ip | target.nat_ip |
| dest_translated_port | target.nat_port |
| dest_zone | target.location.country_or_origin |
| 方向 | network.direction |
| 时长 | network.session_duration |
| dvc | principal.asset.hostname、principal.asset.ip |
| dvc_bunit | about.labels.key/value(已弃用) additional.fields |
| dvc_category | about.labels.key/value(已弃用) additional.fields |
| dvc_ip | about.labels.key/value(已弃用) additional.fields |
| dvc_mac | principal.asset.mac |
| dvc_priority | about.labels.key/value(已弃用) additional.fields |
| dvc_zone | principal.asset.location.country_or_region |
| flow_id | about.labels.key/value(已弃用) additional.fields |
| icmp_code | about.labels.key/value(已弃用) additional.fields |
| icmp_type | about.labels.key/value(已弃用) additional.fields |
| 数据包 | about.labels.key/value(已弃用) additional.fields |
| packets_in | about.labels.key/value(已弃用) additional.fields |
| packets_out | about.labels.key/value(已弃用) additional.fields |
| 协议 | about.labels.key/value(已弃用) additional.fields |
| protocol_version | about.labels.key/value(已弃用) additional.fields |
| response_time | about.labels.key/value(已弃用) additional.fields |
| 规则 | security_result.rule_id |
| session_id | network.session_id |
| src | principal.ip principal.hostname principal.labels.key/value(已弃用) |
| src_bunit | principal.labels.key/value(已弃用) additional.fields |
| src_category | principal.labels.key/value(已弃用) additional.fields |
| src_interface | principal.labels.key/value(已弃用) additional.fields |
| src_ip | principal.ip |
| src_mac | principal.mac |
| src_port | principal.port |
| src_priority | principal.labels.key/value(已弃用) additional.fields |
| src_translated_ip | principal.nat_ip |
| src_translated_port | principal.nat_port |
| src_zone | principal.location.country_or_origin |
| ssid | about.labels.key/value(已弃用) additional.fields |
| 标记 | about.labels.key/value(已弃用) additional.fields |
| tcp_flag | about.labels.key/value(已弃用) additional.fields |
| transport | network.ip_protocol |
| 投注 | about.labels.key/value(已弃用) additional.fields |
| ttl | network.dns.additional.ttl |
| 用户 | principal.user.userid |
| user_bunit | about.labels.key/value(已弃用) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_account | about.labels.key/value(已弃用) additional.fields |
| vendor_product | about.labels.key/value(已弃用) additional.fields |
| vlan | about.labels.key/value(已弃用) additional.fields |
| Wi-Fi | about.labels.key/value(已弃用) additional.fields |
All_Performance
下表列出了 Splunk 数据集 All_Performance 的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| dest | target.ip target.hostname target.labels.key/value(已弃用) |
| dest_bunit | target.labels.key/value(已弃用) additional.fields |
| dest_category | target.labels.key/value(已弃用) additional.fields |
| dest_priority | target.labels.key/value(已弃用) additional.fields |
| dest_should_timesync | target.labels.key/value(已弃用) additional.fields |
| dest_should_update | target.labels.key/value(已弃用) additional.fields |
| hypervisor_id | about.labels.key/value(已弃用) additional.fields |
| resource_type | about.labels.key/value(已弃用) additional.fields |
| 标记 | about.labels.key/value(已弃用) additional.fields |
设施
下表列出了 Splunk 数据集设施的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| fan_speed | about.labels.key/value(已弃用) additional.fields |
| power | about.labels.key/value(已弃用) additional.fields |
| temperature | about.labels.key/value(已弃用) additional.fields |
Timesync
下表列出了 Splunk 数据集 Timesync 的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| 操作 | security_result.action_details security_result.action |
正常运行时间
下表列出了 Splunk 数据集拨测的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| uptime | about.labels.key/value(已弃用) additional.fields |
View_Activity
下表列出了 Splunk 数据集 View_Activity 的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| 应用 | target.application |
| 支出 | about.labels.key/value(已弃用) additional.fields |
| uri | about.labels.key/value(已弃用) additional.fields |
| 用户 | principal.user.user_display_name |
| 查看 | about.labels.key/value(已弃用) additional.fields |
Datamodel_Acceleration
下表列出了 Splunk 数据集 Datamodel_Acceleration 的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| access_count | about.labels.key/value(已弃用) additional.fields |
| access_time | about.labels.key/value(已弃用) additional.fields |
| 应用 | target.application |
| 存储桶 | about.labels.key/value(已弃用) additional.fields |
| buckets_size | about.labels.key/value(已弃用) additional.fields |
| 完成 | about.labels.key/value(已弃用) additional.fields |
| cron | about.labels.key/value(已弃用) additional.fields |
| datamodel | about.labels.key/value(已弃用) additional.fields |
| 摘要 | about.labels.key/value(已弃用) additional.fields |
| 最早 | about.labels.key/value(已弃用) additional.fields |
| is_inprogress | about.labels.key/value(已弃用) additional.fields |
| last_error | about.labels.key/value(已弃用) additional.fields |
| last_sid | about.labels.key/value(已弃用) additional.fields |
| 最新 | about.labels.key/value(已弃用) additional.fields |
| mod_time | about.labels.key/value(已弃用) additional.fields |
| 保留 | about.labels.key/value(已弃用) additional.fields |
| 大小 | about.file.size |
| summary_id | about.labels.key/value(已弃用) additional.fields |
Search_Activity
下表列出了 Splunk 数据集 Search_Activity 的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| 主机 | about.hostname |
| 信息 | about.labels.key/value(已弃用) additional.fields |
| search | about.labels.key/value(已弃用) additional.fields |
| search_et | about.labels.key/value(已弃用) additional.fields |
| search_lt | about.labels.key/value(已弃用) additional.fields |
| search_type | about.labels.key/value(已弃用) additional.fields |
| 来源 | principal.labels.key/value(已弃用) additional.fields |
| sourcetype | principal.labels.key/value(已弃用) additional.fields |
| 用户 | principal.user.user_display_name |
| user_bunit | about.labels.key/value(已弃用) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
Scheduler_Activity
下表列出了 Splunk 数据集 Scheduler_Activity 的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| 应用 | target.application |
| 主机 | about.hostname |
| savedsearch_name | about.labels.key/value(已弃用) additional.fields |
| SID | about.labels.key/value(已弃用) additional.fields |
| 来源 | principal.labels.key/value(已弃用) additional.fields |
| sourcetype | principal.labels.key/value(已弃用) additional.fields |
| splunk_server | principal.ip、principal.hostname |
| 状态 | security_result.summary |
| 用户 | principal.user.user_display_name |
Web_Service_Errors
下表列出了 Splunk 数据集 Web_Service_Errors 的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| 主机 | about.hostname |
| 来源 | principal.labels.key/value(已弃用) additional.fields |
| sourcetype | principal.labels.key/value(已弃用) additional.fields |
| event_id | security_result.rule_name |
Modular_Actions
下表列出了 Splunk 数据集 Modular_Actions 的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| action_mode | about.labels.key/value(已弃用) additional.fields |
| action_status | about.labels.key/value(已弃用) additional.fields |
| 应用 | target.application |
| 时长 | network.session_duration |
| 组件 | about.labels.key/value(已弃用) additional.fields |
| orig_rid | about.labels.key/value(已弃用) additional.fields |
| orig_sid | about.labels.key/value(已弃用) additional.fields |
| 摆脱 | about.labels.key/value(已弃用) additional.fields |
| search_name | about.labels.key/value(已弃用) additional.fields |
| action_name | security_result.action_details |
| signature | metadata.description |
| SID | about.labels.key/value(已弃用) additional.fields |
| 用户 | about.labels.key/value(已弃用) additional.fields |
All_Ticket_Management
下表列出了 Splunk 数据集 All_Ticket_Management 的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| affect_dest | target.labels.key/value(已弃用) additional.fields |
| 备注 | about.labels.key/value(已弃用) additional.fields |
| 说明 | security_result.description |
| dest | target.ip target.hostname target.labels.key/value(已弃用) |
| dest_bunit | target.labels.key/value(已弃用) additional.fields |
| dest_category | target.labels.key/value(已弃用) additional.fields |
| dest_priority | target.labels.key/value(已弃用) additional.fields |
| 优先级 | security_result.priority_details |
| 和程度上减少 | security_result.severity |
| severity_id | about.labels.key/value(已弃用) additional.fields |
| splunk_id | about.labels.key/value(已弃用) additional.fields |
| splunk_realm | about.labels.key/value(已弃用) additional.fields |
| src_user | principal.user.user_display_name |
| src_user_bunit | principal.labels.key/value(已弃用) additional.fields |
| src_user_category | principal.labels.key/value(已弃用) additional.fields |
| src_user_priority | principal.labels.key/value(已弃用) additional.fields |
| 状态 | security_result.summary |
| 标记 | about.labels.key/value(已弃用) additional.fields |
| ticket_id | target.user.attribute.label.ley/value |
| time_submitted | principal.user.attribute.creation_time |
| 用户 | principal.user.user_display_name |
| user_bunit | about.labels.key/value(已弃用) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
更改
下表列出了 Splunk 数据集 Change 的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| 更改 | about.labels.key/value(已弃用) additional.fields |
突发事件
下表列出了 Splunk 数据集突发事件的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| 事件 | about.labels.key/value(已弃用) additional.fields |
问题
下表列出了 Splunk 数据集问题的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| 题目 | about.labels.key/value(已弃用) additional.fields |
更新
下表列出了 Splunk 数据集更新的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| dest | target.ip target.hostname target.labels.key/value(已弃用) |
| dest_bunit | target.labels.key/value(已弃用) additional.fields |
| dest_category | target.labels.key/value(已弃用) additional.fields |
| dest_priority | target.labels.key/value(已弃用) additional.fields |
| dest_should_update | target.labels.key/value(已弃用) additional.fields |
| dvc | principal.asset.hostname、principal.asset.ip |
| file_hash | target.file.sha256、target.file.md5、target.file.sha1 |
| file_name | about.labels.key/value(已弃用) additional.fields |
| 和程度上减少 | security_result.severity |
| severity_id | about.labels.key/value(已弃用) additional.fields |
| signature | metadata.description |
| signature_id | metadata.product_event_type |
| 状态 | security_result.summary |
| 标记 | about.labels.key/value(已弃用) additional.fields |
| vendor_product | about.labels.key/value(已弃用) additional.fields |
漏洞
下表列出了 Splunk 数据集漏洞的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| bugtraq | about.labels.key/value(已弃用) additional.fields |
| category | security_result.category_details |
| cert | about.labels.key/value(已弃用) additional.fields |
| Cve | vulnerabilites.cve_description |
| CVS | vulnerabilites.cvss_base_score |
| dest | target.ip target.hostname target.labels.key/value(已弃用) |
| dest_bunit | target.labels.key/value(已弃用) additional.fields |
| dest_category | target.labels.key/value(已弃用) additional.fields |
| dest_priority | target.labels.key/value(已弃用) additional.fields |
| dvc | principal.asset.hostname、principal.asset.ip |
| dvc_bunit | about.labels.key/value(已弃用) additional.fields |
| dvc_category | about.labels.key/value(已弃用) additional.fields |
| dvc_priority | about.labels.key/value(已弃用) additional.fields |
| MSF | about.labels.key/value(已弃用) additional.fields |
| MSKB | about.labels.key/value(已弃用) additional.fields |
| 和程度上减少 | extensions.vulns.vulnerabilites.severity |
| severity_id | about.labels.key/value(已弃用) additional.fields |
| signature | metadata.description |
| signature_id | metadata.product_event_type |
| 标记 | about.labels.key/value(已弃用) additional.fields |
| 网址 | extensions.vulns.vulnerabilites.about.url |
| 用户 | extensions.vulns.vulnerabilites.about.user.user_display_name |
| user_bunit | about.labels.key/value(已弃用) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value(已弃用) additional.fields |
| xref | about.labels.key/value(已弃用) additional.fields |
Web
下表列出了 Splunk 数据集 Web 的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| 操作 | security_result.action_details security_result.action |
| 应用 | target.application |
| 字节 | about.labels.key/value(已弃用) additional.fields |
| bytes_in | network.received_bytes |
| bytes_out | network.sent_bytes |
| 已缓存 | about.labels.key/value(已弃用) additional.fields |
| category | security_result.category_details |
| 饼干 | about.labels.key/value(已弃用) additional.fields |
| dest | target.ip target.hostname target.labels.key/value(已弃用) |
| dest_bunit | target.labels.key/value(已弃用) additional.fields |
| dest_category | target.labels.key/value(已弃用) additional.fields |
| dest_priority | target.labels.key/value(已弃用) additional.fields |
| dest_port | target.port |
| 时长 | network.session_duration |
| http_content_type | about.labels.key/value(已弃用) additional.fields |
| http_method | network.http.method |
| http_referrer | network.http.referral_url |
| http_referrer_domain | about.labels.key/value(已弃用) additional.fields |
| http_user_agent | network.http.user_agent |
| http_user_agent_length | about.labels.key/value(已弃用) additional.fields |
| response_time | about.labels.key/value(已弃用) additional.fields |
| 网站 | about.labels.key/value(已弃用) additional.fields |
| src | principal.ip principal.hostname principal.labels.key/value(已弃用) |
| src_bunit | principal.labels.key/value(已弃用) additional.fields |
| src_category | principal.labels.key/value(已弃用) additional.fields |
| src_priority | principal.labels.key/value(已弃用) additional.fields |
| 状态 | network.http.response_code |
| 标记 | about.labels.key/value(已弃用) additional.fields |
| uri_path | about.labels.key/value(已弃用) additional.fields |
| uri_query | about.labels.key/value(已弃用) additional.fields |
| 网址 | about.url |
| url_domain | about.asset.network_domain |
| url_length | about.labels.key/value(已弃用) additional.fields |
| 用户 | principal.user.user_display_name |
| user_bunit | about.labels.key/value(已弃用) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value(已弃用) additional.fields |
UDM 事件类型
下表列出了 Splunk 标记和对应的 UDM 事件类型:
| 数据模型 | Splunk 标记 | UDM 事件类型 |
|---|---|---|
| 提醒 | 提醒 | STATUS_UPDATE |
| 身份验证 | 身份验证 | USER_UNCATEGORIZED |
| 证书 | 证书 | NETWORK_UNCATEGORIZED |
| 更改 | 更改 | SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| 数据访问 | 数据, 访问权限, data, access | USER_RESOURCE_ACCESS |
| 数据库 | 数据库 | USER_RESOURCE_ACCESS |
| 数据库 | 数据库、实例、统计信息 | STATUS_UPDATE |
| 数据库 | 数据库、实例、状态 | STATUS_UPDATE |
| 数据库 | 数据库、实例、锁定 | STATUS_UPDATE |
| 数据库 | 数据库, 查询, database, query | STATUS_UPDATE |
| 数据库 | 数据库、查询、表空间 | STATUS_UPDATE |
| 数据库 | 数据库, 查询, 统计信息, database, query, stats | STATUS_UPDATE |
| 数据泄露防护 | DLP, 突发事件 | SCAN_UNCATEGORIZED |
| 电子邮件 | 电子邮件 | EMAIL_UNCATEGORIZED |
| 电子邮件 | 电子邮件, 传送 | EMAIL_TRANSACTION |
| 端点 | 监听, 端口 | SERVICE_UNSPECIFIED |
| 端点 | 流程, 报告, process, report | PROCESS_UNCATEGORIZED |
| 端点 | 服务, 报告, service, report | SERVICE_UNSPECIFIED |
| 端点 | 端点、文件系统 | FILE_UNCATEGORIZED |
| 端点 | 端点、注册表 | REGISTRY_UNCATEGORIZED |
| 事件签名 | track_event_signature | STATUS_UPDATE |
| 进程间消息传递 | 消息 | STATUS_UPDATE |
| 入侵检测 | 攻击 | SERVICE_UNSPECIFIED |
| 广告资源 | 广告资源 | SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Java 虚拟机 (JVM) | jvm | SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| 恶意软件 | 恶意软件 | STATUS_UPDATE |
| 网络解析(DNS) | 网络, 分辨率, dns | NETWORK_DNS |
| 网络会话 | 网络、会话 | NETWORK_CONNECTION |
| 网络会话 | 网络, 会话, dhcp | NETWORK_DHCP |
| 网络流量 | 网络, 通信 | NETWORK_CONNECTION |
| 性能 | 性能 | SERVICE_UNSPECIFIED |
| Splunk 审核日志 | 修改 | STATUS_UPDATE |
| 票务管理 | 票务 | STATUS_UPDATE |
| 票务管理 | 票务, 更改 | STATUS_UPDATE |
| 更新 | 更新 | STATUS_UPDATE |
| 漏洞 | 报告, 漏洞, report, vulnerabilites | SCAN_UNCATEGORIZED |
| 网站 | 网页 | NETWORK_UNCATEGORIZED |