Collect Splunk CIM logs
This document describes how to collect Splunk Common Information Model (CIM) logs by configuring Splunk and the Google Security Operations forwarder. It also lists the supported log types and the supported Splunk versions.
For more information, see Data ingestion to Google Security Operations.
Overview
The following deployment architecture diagram shows how the Splunk agent is configured to send logs to Google Security Operations. Each customer deployment might differ from this representation and might be more complex.
The architecture diagram shows the following components:
Data source: the system with Splunk installed that you want to monitor.
Splunk: collects information from the data source and forwards it to the Google Security Operations forwarder.
Google Security Operations forwarder: a lightweight software component deployed in the customer's network that forwards logs to Google Security Operations.
Google Security Operations: retains and analyzes the logs from the fleet of servers.
An ingestion label identifies the parser that normalizes raw log data into the structured UDM format. The information in this document applies to the parser with the ingestion label SPLUNK.
Before you begin
Use Splunk version 5.0, which is supported by the Google Security Operations parser.
Ensure that all systems in the deployment architecture are configured to use the Coordinated Universal Time (UTC) time zone.
Configure the Splunk agent and the Google Security Operations forwarder
Install a CIM-compliant agent from Splunkbase.
Configure the Google Security Operations forwarder to push logs to the Google Security Operations system. The following is a sample Google Security Operations forwarder configuration:
- splunk:
    common:
      enabled: true
      data_type: SPLUNK
      batch_n_seconds: 10
      batch_n_bytes: 819200
    url: <SPLUNK_URL>
    query_cim: true
    is_ignore_cert: true
    query_string: datamodel Network_Traffic All_Traffic flat
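Before relying on a collector block like the one above, a defender would check a few of its settings. The following Python script is an added example and is not part of the Google Security Operations forwarder or its documentation. It parses the block and flags `is_ignore_cert: true` (judging by the key name, this disables verification of the Splunk server certificate, which is treated here as an assumption), a `url` that is not HTTPS, a `query_string` without a search mode, and a collector that is not enabled. The small YAML-subset parser and the sample host `splunk.example.internal` are hypothetical helpers so that the script runs without a YAML library.

```python
# Added example: audits a Google Security Operations forwarder "splunk"
# collector block. Not the forwarder's own code; key semantics are assumed
# from the key names in the sample configuration.

SEARCH_MODES = ("flat", "search", "acceleration_search")


def _scalar(value: str):
    """Convert a YAML scalar from the config subset into a Python value."""
    if value == "true":
        return True
    if value == "false":
        return False
    if value.isdigit():
        return int(value)
    return value


def parse_simple_yaml(text: str) -> dict:
    """Hypothetical helper: parse indentation-based 'key: value' mappings
    (with an optional leading '- ' list marker) into nested dicts."""
    root: dict = {}
    stack = [(-1, root)]  # (indent level, mapping open at that level)
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if line.startswith("- "):  # '- splunk:' opens the collector block
            line = line[2:]
            indent += 2
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        while stack[-1][0] >= indent:  # close deeper or sibling mappings
            stack.pop()
        parent = stack[-1][1]
        if value == "":  # a key with no value starts a nested mapping
            child: dict = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = _scalar(value)
    return root


def audit_splunk_collector(cfg: dict) -> list[str]:
    """Return human-readable findings for the collector block; empty if clean."""
    findings = []
    splunk = cfg.get("splunk", {})
    url = str(splunk.get("url", ""))
    if splunk.get("is_ignore_cert") is True:
        findings.append("is_ignore_cert is true: the Splunk server certificate is not verified")
    if url and not url.startswith("https://"):
        findings.append(f"url {url!r} does not use https")
    query = str(splunk.get("query_string", ""))
    if query.startswith("datamodel") and query.split()[-1] not in SEARCH_MODES:
        findings.append("query_string lacks a search mode (flat, search or acceleration_search)")
    if not splunk.get("common", {}).get("enabled", False):
        findings.append("collector is not enabled")
    return findings


def audit_text(text: str) -> list[str]:
    """Parse a config snippet and audit its splunk collector."""
    return audit_splunk_collector(parse_simple_yaml(text))


# Constructed sample configs. WEAK_CONFIG mirrors the settings shown above
# with a placeholder host; HARDENED_CONFIG verifies the certificate, uses
# HTTPS and gives the query a search mode.
WEAK_CONFIG = """\
- splunk:
    common:
      enabled: true
      data_type: SPLUNK
      batch_n_seconds: 10
      batch_n_bytes: 819200
    url: http://splunk.example.internal:8089
    query_cim: true
    is_ignore_cert: true
    query_string: datamodel Network_Traffic All_Traffic
"""

HARDENED_CONFIG = (
    WEAK_CONFIG.replace("http://", "https://")
    .replace("is_ignore_cert: true", "is_ignore_cert: false")
    .replace("All_Traffic\n", "All_Traffic flat\n")
)

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_text(text) or ["no findings"])
```

The parser deliberately handles only the flat key/value shape used by the forwarder file; anything more elaborate belongs to a real YAML library, and the audit logic can be pointed at its output unchanged.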
Considerations when writing Splunk search queries
Splunk has its own search language, which is similar to SQL. Make sure that you use the correct search query syntax. When you create queries, consider the following search characteristics:
Escape characters
If a string value contains a double quotation mark ", escape the quotation mark with a backslash character. Otherwise, the search misreads where the string value ends.
For example, to search for the string WHERE _raw="The user "vpatel" isn't authenticated.", do the following:
You must use the sequence \" to search for a literal double quotation mark.
Write the search string in the following format:
WHERE _raw="The user \"vpatel\" isn't authenticated."
To escape the backslash character \, use the sequence \\ to search for a backslash.
For example, a string such as C:\user\abc must be written as C:\\user\\abc.
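The two escaping rules above can be applied mechanically before a value is embedded in a search, which is how a value taken from user input or from another system should always be handled. The following Python functions are an added example and are not part of the Splunk or Google Security Operations documentation: `escape_spl_string` escapes backslashes first and then double quotation marks (the order matters, otherwise the backslashes that escape the quotes would be doubled again), `raw_equals_clause` builds the WHERE _raw="..." clause, and `unescape_spl_string` reverses the escaping and rejects a dangling backslash.

```python
# Added example: escaping values for SPL double-quoted string literals.
# Not code from Splunk or Google; the function names are this example's own.


def escape_spl_string(value: str) -> str:
    """Escape a value for use inside an SPL double-quoted string literal.

    Backslashes are doubled before quotes are escaped, so the backslash
    inserted in front of a quote is not itself doubled afterwards.
    """
    return value.replace("\\", "\\\\").replace('"', '\\"')


def unescape_spl_string(literal: str) -> str:
    """Inverse of escape_spl_string: interpret \\" and \\\\ sequences.

    Raises ValueError on a trailing lone backslash, the situation in which a
    search would otherwise read past the intended end of the value.
    """
    out = []
    i = 0
    while i < len(literal):
        ch = literal[i]
        if ch == "\\":
            if i + 1 >= len(literal):
                raise ValueError("dangling backslash at end of literal")
            out.append(literal[i + 1])  # the escaped character, taken literally
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def raw_equals_clause(value: str) -> str:
    """Build a WHERE _raw="..." clause with the value safely escaped."""
    return f'WHERE _raw="{escape_spl_string(value)}"'


if __name__ == "__main__":
    # Constructed sample values: the two cases from the text above.
    print(raw_equals_clause('The user "vpatel" isn\'t authenticated.'))
    print(escape_spl_string("C:\\user\\abc"))
```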
Searches with syntax issues
If any part of a query is invalid, the entire query is not evaluated and an error message is displayed.
In the following example, the search mode option is missing from the query:
multisearch [|datamodel Network_Traffic All_Traffic] [|datamodel Network_Sessions All_Sessions flat]
The missing search mode option causes the following error:
Error in 'multisearch' command: Multisearch sub searches might only contain purely streaming operations. The search job has failed due to an error.
Support for multiple data models
Splunk supports a single large query that spans data models. The following search query extracts data from multiple data models:
multisearch [|datamodel Network_Traffic All_Traffic flat] [|datamodel Network_Sessions All_Sessions flat]
The following are the components of this cross-data-model query:
Multisearch: the query must begin with the word multisearch. Each data model query must be enclosed in square brackets [ ] and begin with a pipe | character.
Network_Traffic: the name of the data model.
All_Traffic: the dataset of the Network_Traffic data model.
flat: the search mode. Other options are search and acceleration_search.
We recommend the following Splunk query for searching multiple data models:
multisearch [|datamodel Network_Traffic All_Traffic flat] [|datamodel Network_Sessions All_Sessions flat]
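The following Python helpers are an added example, not code from Splunk or Google. They build the recommended multisearch query from a list of (data model, dataset) pairs so that every sub search carries a search mode, and they check an existing query for the error discussed in the previous section: a sub search without a search mode, a mode other than flat, search or acceleration_search, or a query that does not begin with multisearch. The regular expression is an assumption about the [|datamodel ...] form shown on this page, not a full SPL parser.

```python
# Added example: build and validate cross-data-model multisearch queries.
# Not Splunk's or Google's code; the regular expression only understands the
# [|datamodel <model> <dataset> [<mode>]] sub search form shown on this page.
import re

SEARCH_MODES = ("flat", "search", "acceleration_search")


def datamodel_subsearch(datamodel: str, dataset: str, mode: str = "flat") -> str:
    """Render one bracketed data model sub search, always with a search mode."""
    if mode not in SEARCH_MODES:
        raise ValueError(f"unknown search mode {mode!r}; expected one of {SEARCH_MODES}")
    return f"[|datamodel {datamodel} {dataset} {mode}]"


def build_multisearch(models: list[tuple[str, str]], mode: str = "flat") -> str:
    """Join (datamodel, dataset) pairs into a multisearch query."""
    if len(models) < 2:
        raise ValueError("multisearch needs at least two sub searches")
    return "multisearch " + " ".join(datamodel_subsearch(dm, ds, mode) for dm, ds in models)


# One sub search: "[|datamodel <model> <dataset>" followed by an optional mode.
_SUBSEARCH = re.compile(r"\[\s*\|\s*datamodel\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*\]")


def validate_multisearch(query: str) -> list[str]:
    """Return a list of problems with a multisearch query; empty if it is well formed."""
    problems = []
    if not query.lstrip().startswith("multisearch"):
        problems.append("query must begin with 'multisearch'")
    subsearches = _SUBSEARCH.findall(query)
    if not subsearches:
        problems.append("no [|datamodel ...] sub searches found")
    for datamodel, dataset, mode in subsearches:
        if mode == "":
            problems.append(
                f"{datamodel} {dataset}: search mode missing (add flat, search or acceleration_search)"
            )
        elif mode not in SEARCH_MODES:
            problems.append(f"{datamodel} {dataset}: unknown search mode {mode!r}")
    return problems


if __name__ == "__main__":
    models = [("Network_Traffic", "All_Traffic"), ("Network_Sessions", "All_Sessions")]
    query = build_multisearch(models)
    print(query)
    print(validate_multisearch(query))
    # The broken query from the "Searches with syntax issues" section:
    print(validate_multisearch(
        "multisearch [|datamodel Network_Traffic All_Traffic] "
        "[|datamodel Network_Sessions All_Sessions flat]"
    ))
```

Running the validator on a query before it is placed in the forwarder's query_string catches the missing-mode mistake locally, instead of discovering it from the multisearch error message after the forwarder has already been deployed.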
Supported log types and data models
Splunk data model | Supported |
---|---|
Alerts | Yes |
Application State (deprecated) | No |
Authentication | Yes |
Certificates | Yes |
Change | Yes |
Change Analysis (deprecated) | No |
Data Access | Yes |
Databases | Yes |
Data Loss Prevention | Yes |
Email | Yes |
Endpoint | Yes |
Event Signatures | Yes |
Interprocess Messaging | Yes |
Intrusion Detection | Yes |
Inventory | Yes |
Java Virtual Machines (JVM) | Yes |
Malware | Yes |
Network Resolution (DNS) | Yes |
Network Sessions | Yes |
Network Traffic | Yes |
Performance | Yes |
Splunk Audit Logs | Yes |
Ticket Management | Yes |
Updates | Yes |
Vulnerabilities | Yes |
Web | Yes |
Field mapping reference
This section describes how the Google Security Operations parser maps Splunk log fields to Google Security Operations Unified Data Model (UDM) fields for each dataset. For more information, see the Splunk documentation for version 5.0.1.
Alerts
The following table lists the log fields of the Splunk dataset Alerts and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
app | observer.application |
description | security_result.description |
dest | target.ip, target.hostname, target.labels.key/value (deprecated) |
dest_bunit | target.labels.key/value (deprecated), additional.fields |
dest_category | target.labels.key/value (deprecated), additional.fields |
dest_priority | target.labels.key/value (deprecated), additional.fields |
dest_type | target.resource.resource_type |
id | metadata.product_log_id |
mitre_technique_id | security_result.detection_fields.labels.key/value |
severity | security_result.severity |
severity_id | about.labels.key/value (deprecated), additional.fields |
signature | metadata.description |
signature_id | security_result.rule_name |
src | principal.ip, principal.hostname, principal.labels.key/value (deprecated) |
src_bunit | principal.labels.key/value (deprecated), additional.fields |
src_category | principal.labels.key/value (deprecated), additional.fields |
src_priority | principal.labels.key/value (deprecated), additional.fields |
src_type | principal.resource.resource_type |
tag | about.labels.key/value (deprecated), additional.fields |
type | security_result.alert_state |
user | principal.user.user_display_name |
user_bunit | about.labels.key/value (deprecated), additional.fields |
user_category | principal.user.attribute.labels.key/value |
user_name | principal.user.userid |
user_priority | principal.user.attribute.label.key/value |
vendor_account | about.labels.key/value (deprecated), additional.fields |
vendor_region | about.location.country_or_region |
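To see how one record lands in UDM under this table, the following Python example (added here; not the Google Security Operations parser's own code) normalizes a constructed Alerts event using a subset of the rows above. It assumes that for rows listing both an IP and a hostname target (dest, src) the value goes to the ip field when it parses as an IP address and to the hostname field otherwise, and it writes fields whose row points to the deprecated labels into additional.fields. Fields outside the mapping subset are reported rather than guessed.

```python
# Added example: normalize a CIM Alerts record into nested UDM fields.
# Not the Google Security Operations parser; the IP-versus-hostname choice
# and the handling of unmapped fields are this example's assumptions.
import ipaddress

# Subset of the Alerts mapping table. Rows that name both an IP and a
# hostname target are kept as a tuple; rows whose remaining (non-deprecated)
# target is additional.fields map to that.
ALERTS_MAPPING = {
    "app": "observer.application",
    "description": "security_result.description",
    "dest": ("target.ip", "target.hostname"),
    "dest_bunit": "additional.fields",
    "dest_type": "target.resource.resource_type",
    "id": "metadata.product_log_id",
    "severity": "security_result.severity",
    "signature": "metadata.description",
    "signature_id": "security_result.rule_name",
    "src": ("principal.ip", "principal.hostname"),
    "src_type": "principal.resource.resource_type",
    "type": "security_result.alert_state",
    "user_name": "principal.user.userid",
    "vendor_region": "about.location.country_or_region",
}


def _set_path(obj: dict, path: str, value) -> None:
    """Assign value at a dotted path, creating intermediate dicts."""
    parts = path.split(".")
    for part in parts[:-1]:
        obj = obj.setdefault(part, {})
    obj[parts[-1]] = value


def _is_ip(value: str) -> bool:
    """True if value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def cim_alert_to_udm(event: dict) -> tuple[dict, list[str]]:
    """Return (udm_event, unmapped_fields) for one CIM Alerts record."""
    udm: dict = {}
    unmapped: list[str] = []
    for field, value in event.items():
        target = ALERTS_MAPPING.get(field)
        if target is None:
            unmapped.append(field)  # not in the mapping subset: report, do not guess
        elif isinstance(target, tuple):
            # Assumption: IP-looking values go to the ip field, others to hostname.
            ip_path, host_path = target
            _set_path(udm, ip_path if _is_ip(value) else host_path, value)
        elif target == "additional.fields":
            _set_path(udm, f"additional.fields.{field}", value)
        else:
            _set_path(udm, target, value)
    return udm, unmapped


# Constructed sample Alerts record; vendor_custom_score is deliberately
# outside the mapping subset.
SAMPLE_ALERT = {
    "app": "ids-sensor",
    "dest": "10.0.0.5",
    "src": "workstation-17",
    "dest_bunit": "payments",
    "severity": "high",
    "signature": "Suspicious outbound connection",
    "signature_id": "SIG-4711",
    "type": "alert",
    "user_name": "vpatel",
    "vendor_custom_score": "87",
}

if __name__ == "__main__":
    udm_event, dropped = cim_alert_to_udm(SAMPLE_ALERT)
    print(udm_event)
    print("unmapped:", dropped)
```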
Authentication
The following table lists the log fields of the Splunk dataset Authentication and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
action | security_result.action_details, security_result.action |
app | target.application |
authentication_method | about.labels.key/value (deprecated), additional.fields |
authentication_service | extension.auth.auth_details |
dest | target.ip, target.hostname, target.labels.key/value (deprecated) |
dest_bunit | target.labels.key/value (deprecated), additional.fields |
dest_category | target.labels.key/value (deprecated), additional.fields |
dest_nt_domain | target.labels.key/value (deprecated), additional.fields |
dest_priority | target.labels.key/value (deprecated), additional.fields |
duration | network.session_duration |
reason | security_result.summary |
response_time | about.labels.key/value (deprecated), additional.fields |
signature | metadata.description |
signature_id | metadata.product_event_type |
src | principal.ip, principal.hostname, principal.labels.key/value (deprecated) |
src_bunit | principal.labels.key/value (deprecated), additional.fields |
src_category | principal.labels.key/value (deprecated), additional.fields |
src_nt_domain | principal.labels.key/value (deprecated), additional.fields |
src_priority | principal.labels.key/value (deprecated), additional.fields |
src_user | principal.user.user_display_name |
src_user_bunit | principal.labels.key/value (deprecated), additional.fields |
src_user_category | principal.labels.key/value (deprecated), additional.fields |
src_user_id | principal.user.userid |
src_user_priority | principal.labels.key/value (deprecated), additional.fields |
src_user_role | principal.user.attribute.roles.name (repeated) |
src_user_type | principal.user.attribute.roles.type |
tag | about.labels.key/value (deprecated), additional.fields |
user | principal.user.user_display_name |
user_agent | network.http.user_agent |
user_bunit | about.labels.key/value (deprecated), additional.fields |
user_category | principal.user.attribute.labels.key/value |
user_id | principal.user.userid |
user_priority | principal.user.attribute.label.key/value |
user_role | principal.user.attribute.roles.name (repeated) |
user_type | principal.user.attribute.roles.type |
vendor_account | about.labels.key/value (deprecated), additional.fields |
All_Certificates
The following table lists the log fields of the Splunk dataset All_Certificates and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
dest | target.ip, target.hostname, target.labels.key/value (deprecated) |
dest_bunit | target.labels.key/value (deprecated), additional.fields |
dest_category | target.labels.key/value (deprecated), additional.fields |
dest_port | target.port |
dest_priority | target.labels.key/value (deprecated), additional.fields |
duration | network.session_duration |
response_time | about.labels.key/value (deprecated), additional.fields |
src | principal.ip, principal.hostname, principal.labels.key/value (deprecated) |
src_bunit | principal.labels.key/value (deprecated), additional.fields |
src_category | principal.labels.key/value (deprecated), additional.fields |
src_port | principal.port |
src_priority | principal.labels.key/value (deprecated), additional.fields |
tag | about.labels.key/value (deprecated), additional.fields |
transport | network.ip_protocol |
SSL
The following table lists the log fields of the Splunk dataset SSL and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
ssl_end_time | network.tls.server.certificate.not_after |
ssl_engine | about.labels.key/value (deprecated), additional.fields |
ssl_hash | about.labels.key/value (deprecated), additional.fields |
ssl_is_valid | about.labels.key/value (deprecated), additional.fields |
ssl_issuer | network.tls.server.certificate.issuer |
ssl_issuer_common_name | about.labels.key/value (deprecated), additional.fields |
ssl_issuer_email | about.labels.key/value (deprecated), additional.fields |
ssl_issuer_email_domain | about.labels.key/value (deprecated), additional.fields |
ssl_issuer_locality | about.labels.key/value (deprecated), additional.fields |
ssl_issuer_organization | about.labels.key/value (deprecated), additional.fields |
ssl_issuer_state | about.labels.key/value (deprecated), additional.fields |
ssl_issuer_street | about.labels.key/value (deprecated), additional.fields |
ssl_issuer_unit | about.labels.key/value (deprecated), additional.fields |
ssl_name | about.labels.key/value (deprecated), additional.fields |
ssl_policies | about.labels.key/value (deprecated), additional.fields |
ssl_publickey | about.labels.key/value (deprecated), additional.fields |
ssl_publickey_algorithm | about.labels.key/value (deprecated), additional.fields |
ssl_serial | network.tls.server.certificate.serial |
ssl_session_id | network.session_id |
ssl_signature_algorithm | about.labels.key/value (deprecated), additional.fields |
ssl_start_time | network.tls.server.certificate.not_before |
ssl_subject | network.tls.server.certificate.subject |
ssl_subject_common_name | about.labels.key/value (deprecated), additional.fields |
ssl_subject_email | about.labels.key/value (deprecated), additional.fields |
ssl_subject_email_domain | about.labels.key/value (deprecated), additional.fields |
ssl_subject_locality | about.labels.key/value (deprecated), additional.fields |
ssl_subject_organization | about.labels.key/value (deprecated), additional.fields |
ssl_subject_state | about.labels.key/value (deprecated), additional.fields |
ssl_subject_street | about.labels.key/value (deprecated), additional.fields |
ssl_subject_unit | about.labels.key/value (deprecated), additional.fields |
ssl_validity_window | about.labels.key/value (deprecated), additional.fields |
ssl_version | network.tls.server.certificate.version |
All_Changes
The following table lists the log fields of the Splunk dataset All_Changes and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
action | security_result.action_details, security_result.action |
change_type | security_result.category_details |
command | principal.process.command_line |
dest | target.ip, target.hostname, target.labels.key/value (deprecated) |
dest_bunit | target.labels.key/value (deprecated), additional.fields |
dest_category | target.labels.key/value (deprecated), additional.fields |
dest_priority | target.labels.key/value (deprecated), additional.fields |
dvc | principal.asset.hostname, principal.asset.ip |
object | target.resource.name |
object_attrs | about.labels.key/value (deprecated), additional.fields |
object_category | about.labels.key/value (deprecated), additional.fields |
object_id | target.user.product_object_id |
object_path | target.file.full_path |
result | metadata.description |
result_id | metadata.product_event_type |
src | principal.ip, principal.hostname, principal.labels.key/value (deprecated) |
src_bunit | principal.labels.key/value (deprecated), additional.fields |
src_category | principal.labels.key/value (deprecated), additional.fields |
src_priority | principal.labels.key/value (deprecated), additional.fields |
status | security_result.summary |
tag | about.labels.key/value (deprecated), additional.fields |
user | target.user.userid |
user_agent | network.http.user_agent |
user_name | principal.user.user_display_name, target.labels.key/value |
user_type | principal.user.attribute.roles.type, target.user.attribute.roles.type |
vendor_account | about.labels.key/value (deprecated), additional.fields |
vendor_product | about.labels.key/value (deprecated), additional.fields |
vendor_region | about.location.country_or_region |
Account_Management
The following table lists the log fields of the Splunk dataset Account_Management and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
dest_nt_domain | target.administrative_domain |
src_nt_domain | principal.administrative_domain |
src_user | principal.user.userid |
src_user_bunit | principal.labels.key/value (deprecated), additional.fields |
src_user_category | principal.labels.key/value (deprecated), additional.fields |
src_user_priority | principal.labels.key/value (deprecated), additional.fields |
src_user_name | principal.labels.key/value (deprecated), additional.fields |
src_user_type | principal.user.attribute.roles.type |
Instance_Changes
The following table lists the log fields of the Splunk dataset Instance_Changes and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
image_id | principal.asset_id |
instance_type | about.labels.key/value (deprecated), additional.fields |
network_Changes
The following table lists the log fields of the Splunk dataset network_Changes and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
dest_ip_range | target.labels.key/value (deprecated), additional.fields |
dest_port_range | target.labels.key/value (deprecated), additional.fields |
direction | network.direction |
protocol | network.ip_protocol |
rule_action | security_result.action_details, security_result.action |
src_ip_range | principal.labels.key/value (deprecated), additional.fields |
src_port_range | principal.labels.key/value (deprecated), additional.fields |
Data_Access
The following table lists the log fields of the Splunk dataset Data_Access and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
action | security_result.action_details, security_result.action |
app | target.application |
app_id | metadata.product_log_id |
dest | target.ip, target.hostname, target.labels.key/value (deprecated) |
dest_name | target.administrative_domain |
dest_url | target.url |
dvc | principal.asset.hostname, principal.asset.ip |
email | principal.user.email_addresses |
object | target.resource.name |
object_category | about.labels.key/value (deprecated), additional.fields |
object_id | target.user.product_object_id |
object_path | target.file.full_path |
object_size | target.file.size |
owner | about.labels.key/value (deprecated), additional.fields |
owner_email | about.labels.key/value (deprecated), additional.fields |
owner_id | principal.user.userid |
parent_object | target.resource.parent |
parent_object_id | about.labels.key/value (deprecated), additional.fields |
parent_object_category | about.labels.key/value (deprecated), additional.fields |
src | principal.ip, principal.hostname, principal.labels.key/value (deprecated) |
tenant_id | about.labels.key/value (deprecated), additional.fields |
user | principal.user.user_display_name |
user_agent | network.http.user_agent |
user_group | principal.user.group_identifiers (repeated) |
user_role | principal.user.attribute.roles.name (repeated) |
vendor_product | about.labels.key/value (deprecated), additional.fields |
vendor_product_id | about.labels.key/value (deprecated), additional.fields |
All_Databases
The following table lists the log fields of the Splunk dataset All_Databases and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
dest | target.ip, target.hostname, target.labels.key/value (deprecated) |
dest_bunit | target.labels.key/value (deprecated), additional.fields |
dest_category | target.labels.key/value (deprecated), additional.fields |
dest_priority | target.labels.key/value (deprecated), additional.fields |
duration | network.session_duration |
object | target.resource.name |
response_time | about.labels.key/value (deprecated), additional.fields |
src | principal.ip, principal.hostname, principal.labels.key/value (deprecated) |
src_bunit | principal.labels.key/value (deprecated), additional.fields |
src_category | principal.labels.key/value (deprecated), additional.fields |
src_priority | principal.labels.key/value (deprecated), additional.fields |
tag | about.labels.key/value (deprecated), additional.fields |
user | principal.user.user_display_name |
user_bunit | about.labels.key/value (deprecated), additional.fields |
user_category | principal.user.attribute.labels.key/value |
user_priority | principal.user.attribute.label.key/value |
vendor_product | about.labels.key/value (deprecated), additional.fields |
Database_Instance
The following table lists the log fields of the Splunk dataset Database_Instance and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
instance_name | target.resource.attributes.key/value |
instance_version | target.resource.attributes.key/value |
process_limit | about.labels.key/value (deprecated), additional.fields |
session_limit | about.labels.key/value (deprecated), additional.fields |
Database_Query
The following table lists the log fields of the Splunk dataset Database_Query and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
query | about.labels.key/value (deprecated), additional.fields |
query_id | about.labels.key/value (deprecated), additional.fields |
query_time | about.labels.key/value (deprecated), additional.fields |
records_affected | about.labels.key/value (deprecated), additional.fields |
Instance_Stats
The following table lists the log fields of the Splunk dataset Instance_Stats and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
availability | about.labels.key/value (deprecated), additional.fields |
avg_executions | about.labels.key/value (deprecated), additional.fields |
dump_area_used | about.labels.key/value (deprecated), additional.fields |
instance_reads | about.labels.key/value (deprecated), additional.fields |
instance_writes | about.labels.key/value (deprecated), additional.fields |
number_of_users | about.labels.key/value (deprecated), additional.fields |
processes | about.labels.key/value (deprecated), additional.fields |
sessions | about.labels.key/value (deprecated), additional.fields |
sga_buffer_cache_size | about.labels.key/value (deprecated), additional.fields |
sga_buffer_hit_limit | about.labels.key/value (deprecated), additional.fields |
sga_data_dict_hit_ratio | about.labels.key/value (deprecated), additional.fields |
sga_fixed_area_size | about.labels.key/value (deprecated), additional.fields |
sga_free_memory | about.labels.key/value (deprecated), additional.fields |
sga_library_cache_size | about.labels.key/value (deprecated), additional.fields |
sga_redo_log_buffer_size | about.labels.key/value (deprecated), additional.fields |
sga_shared_pool_size | about.labels.key/value (deprecated), additional.fields |
sga_sql_area_size | about.labels.key/value (deprecated), additional.fields |
start_time | about.labels.key/value (deprecated), additional.fields |
tablespace_used | about.labels.key/value (deprecated), additional.fields |
Session_Info
The following table lists the log fields of the Splunk dataset Session_Info and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
buffer_cache_hit_ratio | about.labels.key/value (deprecated), additional.fields |
commits | about.labels.key/value (deprecated), additional.fields |
cpu_used | about.labels.key/value (deprecated), additional.fields |
cursor | about.labels.key/value (deprecated), additional.fields |
elapsed_time | about.labels.key/value (deprecated), additional.fields |
logical_reads | about.labels.key/value (deprecated), additional.fields |
machine | about.hostname |
memory_sorts | about.labels.key/value (deprecated), additional.fields |
physical_reads | about.labels.key/value (deprecated), additional.fields |
seconds_in_wait | about.labels.key/value (deprecated), additional.fields |
session_id | network.session_id |
session_status | about.labels.key/value (deprecated), additional.fields |
table_scans | about.labels.key/value (deprecated), additional.fields |
wait_state | about.labels.key/value (deprecated), additional.fields |
wait_time | about.labels.key/value (deprecated), additional.fields |
Lock_Info
The following table lists the log fields of the Splunk dataset Lock_Info and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
last_call_minute | about.labels.key/value (deprecated), additional.fields |
lock_mode | about.labels.key/value (deprecated), additional.fields |
lock_session_id | about.labels.key/value (deprecated), additional.fields |
logon_time | about.labels.key/value (deprecated), additional.fields |
obj_name | about.labels.key/value (deprecated), additional.fields |
os_pid | target.process.pid |
serial_num | target.resource.product_object_id |
Tablespace
The following table lists the log fields of the Splunk dataset Tablespace and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
free_bytes | about.file.size |
tablespace_name | about.resource.name |
tablespace_reads | about.labels.key/value (deprecated), additional.fields |
tablespace_status | about.labels.key/value (deprecated), additional.fields |
tablespace_writes | about.labels.key/value (deprecated), additional.fields |
Query_Stats
The following table lists the log fields of the Splunk dataset Query_Stats and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
indexes_hit | about.labels.key/value (deprecated), additional.fields |
query_plan_hit | about.labels.key/value (deprecated), additional.fields |
stored_procedures_called | about.labels.key/value (deprecated), additional.fields |
tables_hit | about.labels.key/value (deprecated), additional.fields |
DLP_Incidents
The following table lists the log fields of the Splunk dataset DLP_Incidents and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
action | security_result.action_details, security_result.action |
app | target.application |
category | security_result.category_details |
dest | target.ip, target.hostname, target.labels.key/value (deprecated) |
dest_bunit | target.labels.key/value (deprecated), additional.fields |
dest_category | target.labels.key/value (deprecated), additional.fields |
dest_priority | target.labels.key/value (deprecated), additional.fields |
dest_zone | target.location.country_or_region |
dlp_type | about.labels.key/value (deprecated), additional.fields |
dvc | principal.asset.hostname, principal.asset.ip |
dvc_bunit | about.labels.key/value (deprecated), additional.fields |
dvc_category | about.labels.key/value (deprecated), additional.fields |
dvc_priority | about.labels.key/value (deprecated), additional.fields |
dvc_zone | principal.asset.location.country_or_region |
object | target.resource.name |
object_category | about.labels.key/value (deprecated), additional.fields |
object_path | target.file.full_path |
severity | security_result.severity |
severity_id | about.labels.key/value (deprecated), additional.fields |
signature | metadata.description |
signature_id | metadata.product_event_type |
src | principal.ip, principal.hostname, principal.labels.key/value (deprecated) |
src_bunit | principal.labels.key/value (deprecated), additional.fields |
src_category | principal.labels.key/value (deprecated), additional.fields |
src_priority | principal.labels.key/value (deprecated), additional.fields |
src_user | principal.user.user_display_name |
src_user_bunit | principal.labels.key/value (deprecated), additional.fields |
src_user_category | principal.labels.key/value (deprecated), additional.fields |
src_user_priority | principal.labels.key/value (deprecated), additional.fields |
src_zone | principal.location.country_or_region |
tag | about.labels.key/value (deprecated), additional.fields |
user | principal.user.user_display_name |
user_bunit | about.labels.key/value (deprecated), additional.fields |
user_category | principal.user.attribute.labels.key/value |
user_priority | principal.user.attribute.label.key/value |
vendor_product | about.labels.key/value (deprecated), additional.fields |
All_Email
The following table lists the log fields of the Splunk dataset All_Email and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
action | security_result.action_details, security_result.action |
delay | about.labels.key/value (deprecated), additional.fields |
dest | target.ip, target.hostname, target.labels.key/value (deprecated) |
dest_bunit | target.labels.key/value (deprecated), additional.fields |
dest_category | target.labels.key/value (deprecated), additional.fields |
dest_priority | target.labels.key/value (deprecated), additional.fields |
duration | network.session_duration |
file_hash | about.file.sha256, about.file.md5, about.file.sha1 |
file_name | about.labels.key/value (deprecated), additional.fields |
file_size | about.file.size |
internal_message_id | metadata.product_log_id |
message_id | network.email.mail_id |
message_info | about.labels.key/value (deprecated), additional.fields |
orig_dest | target.labels.key/value (deprecated), additional.fields |
orig_recipient | about.labels.key/value (deprecated), additional.fields |
orig_src | network.email.from |
process | principal.process.command_line |
process_id | principal.process.pid |
protocol | network.application_protocol |
recipient | network.email.to |
recipient_count | about.labels.key/value (deprecated), additional.fields |
recipient_domain | about.labels.key/value (deprecated), additional.fields |
recipient_status | about.labels.key/value (deprecated), additional.fields |
response_time | about.labels.key/value (deprecated), additional.fields |
retries | about.labels.key/value (deprecated), additional.fields |
return_addr | about.labels.key/value (deprecated), additional.fields |
size | about.labels.key/value (deprecated), additional.fields |
src | principal.ip, principal.hostname, principal.labels.key/value (deprecated) |
src_bunit | principal.labels.key/value (deprecated), additional.fields |
src_category | principal.labels.key/value (deprecated), additional.fields |
src_priority | principal.labels.key/value (deprecated), additional.fields |
src_user | principal.user.email_addresses |
src_user_bunit | principal.labels.key/value (deprecated), additional.fields |
src_user_category | principal.labels.key/value (deprecated), additional.fields |
src_user_domain | principal.administrative_domain |
src_user_priority | principal.labels.key/value (deprecated), additional.fields |
status_code | about.labels.key/value (deprecated), additional.fields |
subject | network.email.subject (repeated) |
tag | about.labels.key/value (deprecated), additional.fields |
url | about.url |
user | principal.user.user_display_name |
user_bunit | about.labels.key/value (deprecated), additional.fields |
user_category | principal.user.attribute.labels.key/value |
user_priority | principal.user.attribute.label.key/value |
vendor_product | about.labels.key/value (deprecated), additional.fields |
Xdelay | about.labels.key/value (deprecated), additional.fields |
xref | about.labels.key/value (deprecated), additional.fields |
Filtering
The following table lists the log fields of the Splunk dataset Filtering and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
filter_action | about.labels.key/value (deprecated), additional.fields |
filter_score | about.labels.key/value (deprecated), additional.fields |
signature | metadata.description |
signature_extra | about.labels.key/value (deprecated), additional.fields |
signature_id | metadata.product_event_type |
Ports
The following table lists the log fields of the Splunk dataset Ports and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
creation_time | about.labels.key/value (deprecated), additional.fields |
dest | target.ip, target.hostname, target.labels.key/value (deprecated) |
dest_bunit | target.labels.key/value (deprecated), additional.fields |
dest_category | target.labels.key/value (deprecated), additional.fields |
dest_port | target.port |
dest_priority | target.labels.key/value (deprecated), additional.fields |
dest_requires_av | target.labels.key/value (deprecated), additional.fields |
dest_should_timesync | target.labels.key/value (deprecated), additional.fields |
dest_should_update | target.labels.key/value (deprecated), additional.fields |
process_guid | principal.process.product_specific_process_id |
process_id | principal.process.pid |
src | principal.ip, principal.hostname, principal.labels.key/value (deprecated) |
src_category | principal.labels.key/value (deprecated), additional.fields |
src_priority | principal.labels.key/value (deprecated), additional.fields |
src_port | principal.port |
src_requires_av | principal.labels.key/value (deprecated), additional.fields |
src_should_timesync | principal.labels.key/value (deprecated), additional.fields |
src_should_update | principal.labels.key/value (deprecated), additional.fields |
state | about.labels.key/value (deprecated), additional.fields |
tag | about.labels.key/value (deprecated), additional.fields |
transport | network.ip_protocol |
transport_dest_port | target.labels.key/value (deprecated), additional.fields |
user | principal.user.user_display_name |
user_bunit | about.labels.key/value (deprecated), additional.fields |
user_category | principal.user.attribute.labels.key/value |
user_priority | principal.user.attribute.label.key/value |
Processes
The following table lists the log fields of the Splunk dataset Processes and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
action | security_result.action_details, security_result.action |
cpu_load_percent | about.labels.key/value (deprecated), additional.fields |
dest | target.ip, target.hostname, target.labels.key/value (deprecated) |
dest_bunit | target.labels.key/value (deprecated), additional.fields |
dest_category | target.labels.key/value (deprecated), additional.fields |
dest_is_expected | target.labels.key/value (deprecated), additional.fields |
dest_priority | target.labels.key/value (deprecated), additional.fields |
dest_requires_av | target.labels.key/value (deprecated), additional.fields |
dest_should_timesync | target.labels.key/value (deprecated), additional.fields |
dest_should_update | target.labels.key/value (deprecated), additional.fields |
mem_used | about.labels.key/value (deprecated), additional.fields |
original_file_name | src.file.full_path |
os | principal.asset.platform_software.platform_version |
parent_process | about.labels.key/value (deprecated), additional.fields |
parent_process_exec | about.labels.key/value (deprecated), additional.fields |
parent_process_id | principal.process.parent_process.parent_pid |
parent_process_guid | principal.process.parent_process.product_specific_process_id |
parent_process_name | about.labels.key/value (deprecated), additional.fields |
parent_process_path | principal.process.parent_process.command_line |
process | about.labels.key/value (deprecated), additional.fields |
process_current_directory | about.labels.key/value (deprecated), additional.fields |
process_exec | about.labels.key/value (deprecated), additional.fields |
process_hash | principal.process.file.sha256, principal.process.file.md5, principal.process.file.sha1 |
process_guid | principal.process.product_specific_process_id |
process_id | principal.process.pid |
process_integrity_level | security_result.severity |
process_name | principal.process.command_line |
process_path | principal.process.file.full_path |
tag | about.labels.key/value (deprecated), additional.fields |
user | principal.user.user_display_name |
user_id | principal.user.userid |
user_bunit | about.labels.key/value (deprecated), additional.fields |
user_category | principal.user.attribute.labels.key/value |
user_priority | principal.user.attribute.label.key/value |
vendor_product | about.labels.key/value (deprecated), additional.fields |
Service
The following table lists the log fields of the Splunk dataset Service and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
description | security_result.description |
dest | target.ip, target.hostname, target.labels.key/value (deprecated) |
dest_bunit | target.labels.key/value (deprecated), additional.fields |
dest_category | target.labels.key/value (deprecated), additional.fields |
dest_is_expected | target.labels.key/value (deprecated), additional.fields |
dest_priority | target.labels.key/value (deprecated), additional.fields |
dest_requires_av | target.labels.key/value (deprecated), additional.fields |
dest_should_timesync | target.labels.key/value (deprecated), additional.fields |
dest_should_update | target.labels.key/value (deprecated), additional.fields |
process_guid | principal.process.product_specific_process_id |
process_id | principal.process.pid |
service | target.application |
service_dll | about.labels.key/value (deprecated), additional.fields |
service_dll_path | about.file.full_path |
service_dll_hash | about.labels.key/value (deprecated), additional.fields |
service_dll_signature_exists | about.labels.key/value (deprecated), additional.fields |
service_dll_signature_verified | about.labels.key/value (deprecated), additional.fields |
service_exec | target.process.file.full_path |
service_hash | about.labels.key/value (deprecated), additional.fields |
service_id | about.labels.key/value (deprecated), additional.fields |
service_name | about.labels.key/value (deprecated), additional.fields |
service_path | about.labels.key/value (deprecated), additional.fields |
service_signature_exists | about.labels.key/value (deprecated), additional.fields |
service_signature_verified | about.labels.key/value (deprecated), additional.fields |
start_mode | about.labels.key/value (deprecated), additional.fields |
status | security_result.summary |
tag | about.labels.key/value (deprecated), additional.fields |
user | principal.user.user_display_name |
user_bunit | about.labels.key/value (deprecated), additional.fields |
user_category | principal.user.attribute.labels.key/value |
user_priority | principal.user.attribute.label.key/value |
vendor_product | about.labels.key/value (deprecated), additional.fields |
Filesystem
The following table lists the log fields of the Splunk dataset Filesystem and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
action | security_result.action_details, security_result.action |
dest | target.ip, target.hostname, target.labels.key/value (deprecated) |
dest_bunit | target.labels.key/value (deprecated), additional.fields |
dest_category | target.labels.key/value (deprecated), additional.fields |
dest_priority | target.labels.key/value (deprecated), additional.fields |
dest_requires_av | target.labels.key/value (deprecated), additional.fields |
dest_should_timesync | target.labels.key/value (deprecated), additional.fields |
dest_should_update | target.labels.key/value (deprecated), additional.fields |
file_access_time | about.labels.key/value (deprecated), additional.fields |
file_create_time | target.asset.attribute.creation_time |
file_hash | target.file.sha256, target.file.md5, target.file.sha1 |
file_modify_time | about.labels.key/value (deprecated), additional.fields |
file_name | about.labels.key/value (deprecated), additional.fields |
file_path | target.file.full_path |
file_acl | about.labels.key/value (deprecated), additional.fields |
file_size | target.file.size |
process_guid | principal.process.product_specific_process_id |
process_id | principal.process.pid |
tag | about.labels.key/value (deprecated), additional.fields |
user | principal.user.user_display_name |
user_bunit | about.labels.key/value (deprecated), additional.fields |
user_category | principal.user.attribute.labels.key/value |
user_priority | principal.user.attribute.label.key/value |
vendor_product | about.labels.key/value (deprecated), additional.fields |
Registry
The following table lists the log fields of the Splunk dataset Registry and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
action | security_result.action_details, security_result.action |
dest | target.ip, target.hostname, target.labels.key/value (deprecated) |
dest_bunit | target.labels.key/value (deprecated), additional.fields |
dest_category | target.labels.key/value (deprecated), additional.fields |
dest_priority | target.labels.key/value (deprecated), additional.fields |
dest_requires_av | target.labels.key/value (deprecated), additional.fields |
dest_should_timesync | target.labels.key/value (deprecated), additional.fields |
dest_should_update | target.labels.key/value (deprecated), additional.fields |
process_guid | principal.process.product_specific_process_id |
process_id | principal.process.pid |
registry_hive | about.labels.key/value (deprecated), additional.fields |
registry_path | about.labels.key/value (deprecated), additional.fields |
registry_key_name | target.registry.registry_key |
registry_value_data | target.registry.registry_value_data |
registry_value_name | target.registry.registry_value_name |
registry_value_text | about.labels.key/value (deprecated), additional.fields |
registry_value_type | about.labels.key/value (deprecated), additional.fields |
status | security_result.summary |
tag | about.labels.key/value (deprecated), additional.fields |
user | principal.user.user_display_name |
user_bunit | about.labels.key/value (deprecated), additional.fields |
user_category | principal.user.attribute.labels.key/value |
user_priority | principal.user.attribute.label.key/value |
vendor_product | about.labels.key/value (deprecated), additional.fields |
Signatures
The following table lists the log fields of the Splunk dataset Signatures and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
dest | target.ip, target.hostname, target.labels.key/value (deprecated) |
dest_bunit | target.labels.key/value (deprecated), additional.fields |
dest_category | target.labels.key/value (deprecated), additional.fields |
dest_priority | target.labels.key/value (deprecated), additional.fields |
signature | metadata.description |
signature_id | metadata.product_event_type |
tag | about.labels.key/value (deprecated), additional.fields |
Signatures_vendor_product
The following table lists the log fields of the Splunk dataset Signatures_vendor_product and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
vendor_product | about.labels.key/value (deprecated), additional.fields |
All_Interprocess_Messaging
The following table lists the log fields of the Splunk dataset All_Interprocess_Messaging and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
dest | target.ip, target.hostname, target.labels.key/value (deprecated) |
dest_bunit | target.labels.key/value (deprecated), additional.fields |
dest_category | target.labels.key/value (deprecated), additional.fields |
dest_priority | target.labels.key/value (deprecated), additional.fields |
duration | network.session_duration |
endpoint | about.labels.key/value (deprecated), additional.fields |
endpoint_version | about.labels.key/value (deprecated), additional.fields |
message | about.labels.key/value (deprecated), additional.fields |
message_consumed_time | about.labels.key/value (deprecated), additional.fields |
message_correlation_id | about.labels.key/value (deprecated), additional.fields |
message_delivered_time | about.labels.key/value (deprecated), additional.fields |
message_delivery_mode | about.labels.key/value (deprecated), additional.fields |
message_expiration_time | about.labels.key/value (deprecated), additional.fields |
message_id | metadata.product.log_id |
message_priority | about.labels.key/value (deprecated), additional.fields |
message_properties | about.labels.key/value (deprecated), additional.fields |
message_received_time | about.labels.key/value (deprecated), additional.fields |
message_redelivered | about.labels.key/value (deprecated), additional.fields |
message_reply_dest | target.labels.key/value (deprecated), additional.fields |
message_type | about.labels.key/value (deprecated), additional.fields |
parameters | about.labels.key/value (deprecated), additional.fields |
payload | about.labels.key/value (deprecated), additional.fields |
payload_type | about.labels.key/value (deprecated), additional.fields |
request_payload | about.labels.key/value (deprecated), additional.fields |
request_payload_type | about.labels.key/value (deprecated), additional.fields |
request_sent_time | about.labels.key/value (deprecated), additional.fields |
response_code | network.http.response_code |
response_payload_type | about.labels.key/value (deprecated), additional.fields |
response_received_time | about.labels.key/value (deprecated), additional.fields |
response_time | about.labels.key/value (deprecated), additional.fields |
return_message | about.labels.key/value (deprecated), additional.fields |
rpc_protocol | network.application_protocol |
status | security_result.summary |
tag | about.labels.key/value (deprecated), additional.fields |
IDS_Attacks
The following table lists the log fields of the Splunk dataset IDS_Attacks and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
action | security_result.action_details, security_result.action |
category | security_result.category_details |
dest | target.ip, target.hostname, target.labels.key/value (deprecated) |
dest_bunit | target.labels.key/value (deprecated), additional.fields |
dest_category | target.labels.key/value (deprecated), additional.fields |
dest_port | target.port |
dest_priority | target.labels.key/value (deprecated), additional.fields |
dvc | principal.asset.hostname, principal.asset.ip |
dvc_bunit | about.labels.key/value (deprecated), additional.fields |
dvc_category | about.labels.key/value (deprecated), additional.fields |
dvc_priority | about.labels.key/value (deprecated), additional.fields |
file_hash | target.file.sha256, target.file.md5, target.file.sha1 |
file_name | about.labels.key/value (deprecated), additional.fields |
file_path | target.file.full_path |
ids_type | about.labels.key/value (deprecated), additional.fields |
severity | security_result.severity |
severity_id | about.labels.key/value (deprecated), additional.fields |
signature | metadata.description |
signature_id | metadata.product_event_type |
src | principal.ip, principal.hostname, principal.labels.key/value (deprecated) |
src_bunit | principal.labels.key/value (deprecated), additional.fields |
src_category | principal.labels.key/value (deprecated), additional.fields |
src_priority | principal.labels.key/value (deprecated), additional.fields |
src_port | principal.port |
tag | about.labels.key/value (deprecated), additional.fields |
transport | network.ip_protocol |
user | principal.user.user_display_name |
user_bunit | about.labels.key/value (deprecated), additional.fields |
user_category | principal.user.attribute.labels.key/value |
user_priority | principal.user.attribute.labels.key/value |
vendor_product | about.labels.key/value (deprecated), additional.fields |
All_Inventory
The following table lists the log fields of the Splunk dataset All_Inventory and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
description | security_result.description |
dest | target.ip, target.hostname, target.labels.key/value (deprecated) |
dest_bunit | target.labels.key/value (deprecated), additional.fields |
dest_category | target.labels.key/value (deprecated), additional.fields |
dest_priority | target.labels.key/value (deprecated), additional.fields |
enabled | about.labels.key/value (deprecated), additional.fields |
family | about.labels.key/value (deprecated), additional.fields |
hypervisor_id | about.labels.key/value (deprecated), additional.fields |
serial | principal.asset.hardware.serial_number |
status | security_result.summary |
tag | about.labels.key/value (deprecated), additional.fields |
vendor_product | about.labels.key/value (deprecated), additional.fields |
version | about.labels.key/value (deprecated), additional.fields |
CPU
The following table lists the log fields of the Splunk dataset CPU and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
cpu_cores | principal.asset.hardware.cpu_number_cores |
cpu_count | about.labels.key/value (deprecated), additional.fields |
cpu_mhz | principal.asset.hardware.cpu_clock_speed |
cpu_load_mhz | principal.asset.hardware.cpu_clock_speed |
cpu_load_percent | about.labels.key/value (deprecated), additional.fields |
cpu_time | about.labels.key/value (deprecated), additional.fields |
cpu_user_percent | about.labels.key/value (deprecated), additional.fields |
Memory
The following table lists the log fields of the Splunk dataset Memory and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
mem | principal.asset.hardware.ram |
heap_committed | about.labels.key/value (deprecated), additional.fields |
heap_initial | about.labels.key/value (deprecated), additional.fields |
heap_max | about.labels.key/value (deprecated), additional.fields |
heap_used | about.labels.key/value (deprecated), additional.fields |
non_heap_committed | about.labels.key/value (deprecated), additional.fields |
non_heap_initial | about.labels.key/value (deprecated), additional.fields |
non_heap_max | about.labels.key/value (deprecated), additional.fields |
non_heap_used | about.labels.key/value (deprecated), additional.fields |
objects_pending | about.labels.key/value (deprecated), additional.fields |
mem_committed | about.labels.key/value (deprecated), additional.fields |
mem_free | about.labels.key/value (deprecated), additional.fields |
mem_used | about.labels.key/value (deprecated), additional.fields |
swap | about.labels.key/value (deprecated), additional.fields |
swap_free | about.labels.key/value (deprecated), additional.fields |
swap_used | about.labels.key/value (deprecated), additional.fields |
Network
The following table lists the log fields of the Splunk dataset Network and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
dest_ip | target.ip |
dns | about.labels.key/value (deprecated), additional.fields |
inline_nat | about.labels.key/value (deprecated), additional.fields |
interface | about.labels.key/value (deprecated), additional.fields |
ip | principal.asset.ip |
lb_method | about.labels.key/value (deprecated), additional.fields |
mac | principal.asset.mac |
name | principal.resource.name |
node | about.labels.key/value (deprecated), additional.fields |
node_port | target.port |
src_ip | principal.ip |
vip_port | about.labels.key/value (deprecated), additional.fields |
thruput | about.labels.key/value (deprecated), additional.fields |
thruput_max | about.labels.key/value (deprecated), additional.fields |
OS
The following table lists the log fields of the Splunk dataset OS and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
os | principal.asset.platform_software.platform_version |
committed_memory | about.labels.key/value (deprecated), additional.fields |
cpu_time | about.labels.key/value (deprecated), additional.fields |
free_physical_memory | about.labels.key/value (deprecated), additional.fields |
free_swap | about.labels.key/value (deprecated), additional.fields |
max_file_descriptors | about.labels.key/value (deprecated), additional.fields |
open_file_descriptors | about.labels.key/value (deprecated), additional.fields |
os_architecture | about.labels.key/value (deprecated), additional.fields |
os_version | about.labels.key/value (deprecated), additional.fields |
physical_memory | about.labels.key/value (deprecated), additional.fields |
swap_space | about.labels.key/value (deprecated), additional.fields |
system_load | about.labels.key/value (deprecated), additional.fields |
total_processors | about.labels.key/value (deprecated), additional.fields |
signature | metadata.description |
signature_id | metadata.product_event_type |
Storage
The following table lists the log fields of the Splunk dataset Storage and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
array | about.labels.key/value (deprecated), additional.fields |
block_size | about.labels.key/value (deprecated), additional.fields |
cluster | about.resource.resource_type = "CLUSTER" |
fd_max | about.labels.key/value (deprecated), additional.fields |
latency | about.labels.key/value (deprecated), additional.fields |
mount | principal.resource.attribute.labels.key/value |
parent | principal.resource.parent |
read_blocks | about.labels.key/value (deprecated), additional.fields |
read_latency | about.labels.key/value (deprecated), additional.fields |
read_ops | about.labels.key/value (deprecated), additional.fields |
storage | about.labels.key/value (deprecated), additional.fields |
write_blocks | about.labels.key/value (deprecated), additional.fields |
write_latency | about.labels.key/value (deprecated), additional.fields |
write_ops | about.labels.key/value (deprecated), additional.fields |
array | about.labels.key/value (deprecated), additional.fields |
block_size | about.labels.key/value (deprecated), additional.fields |
cluster | about.resource.resource_type = "CLUSTER" |
fd_max | about.labels.key/value (deprecated), additional.fields |
fd_used | about.labels.key/value (deprecated), additional.fields |
latency | about.labels.key/value (deprecated), additional.fields |
mount | about.labels.key/value (deprecated), additional.fields |
parent | principal.resource.parent |
read_blocks | about.labels.key/value (deprecated), additional.fields |
read_latency | about.labels.key/value (deprecated), additional.fields |
read_ops | about.labels.key/value (deprecated), additional.fields |
storage | about.labels.key/value (deprecated), additional.fields |
storage_free | about.labels.key/value (deprecated), additional.fields |
storage_free_percent | about.labels.key/value (deprecated), additional.fields |
storage_used | about.labels.key/value (deprecated), additional.fields |
storage_used_percent | about.labels.key/value (deprecated), additional.fields |
write_blocks | about.labels.key/value (deprecated), additional.fields |
write_latency | about.labels.key/value (deprecated), additional.fields |
write_ops | about.labels.key/value (deprecated), additional.fields |
error_code | security_result.description |
action | about.labels.key/value (deprecated), additional.fields |
storage_name | about.resource.name |
User
The following table lists the log fields of the Splunk dataset User and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
interactive | about.labels.key/value (deprecated), additional.fields |
password | about.labels.key/value (deprecated), additional.fields |
shell | about.labels.key/value (deprecated), additional.fields |
user | principal.user.user_display_name |
user_bunit | about.labels.key/value (deprecated), additional.fields |
user_category | principal.user.attribute.labels.key/value |
user_id | principal.user.userid |
user_priority | principal.user.attribute.labels.key/value |
Virtual_OS
The following table lists the log fields of the Splunk dataset Virtual_OS and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
hypervisor | about.labels.key/value (deprecated), additional.fields |
Snapshot
The following table lists the log fields of the Splunk dataset Snapshot and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
size | about.file.size |
snapshot | about.labels.key/value (deprecated), additional.fields |
time | about.labels.key/value (deprecated), additional.fields |
JVM
The following table lists the log fields of the Splunk dataset JVM and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
jvm_description | security_result.description |
tag | about.labels.key/value (deprecated), additional.fields |
Threading
The following table lists the log fields of the Splunk dataset Threading and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
cm_enabled | about.labels.key/value (deprecated), additional.fields |
cm_supported | about.labels.key/value (deprecated), additional.fields |
cpu_time_enabled | about.labels.key/value (deprecated), additional.fields |
cpu_time_supported | about.labels.key/value (deprecated), additional.fields |
current_cpu_time | about.labels.key/value (deprecated), additional.fields |
current_user_time | about.labels.key/value (deprecated), additional.fields |
daemon_thread_count | about.labels.key/value (deprecated), additional.fields |
omu_supported | about.labels.key/value (deprecated), additional.fields |
peak_thread_count | about.labels.key/value (deprecated), additional.fields |
synch_supported | about.labels.key/value (deprecated), additional.fields |
thread_count | about.labels.key/value (deprecated), additional.fields |
threads_started | about.labels.key/value (deprecated), additional.fields |
Runtime
The following table lists the log fields of the Splunk dataset Runtime and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
process_name | principal.process.command_line |
start_time | about.labels.key/value (deprecated), additional.fields |
uptime | about.labels.key/value (deprecated), additional.fields |
vendor_product | about.labels.key/value (deprecated), additional.fields |
version | about.labels.key/value (deprecated), additional.fields |
Compilation
The following table lists the log fields of the Splunk dataset Compilation and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
compilation_time | about.labels.key/value (deprecated), additional.fields |
Classloading
The following table lists the log fields of the Splunk dataset Classloading and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
current_loaded | about.labels.key/value (deprecated), additional.fields |
total_loaded | about.labels.key/value (deprecated), additional.fields |
total_unloaded | about.labels.key/value (deprecated), additional.fields |
Malware_Attacks
The following table lists the log fields of the Splunk dataset Malware_Attacks and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
action | security_result.action_details, security_result.action |
category | security_result.category_details |
date | about.labels.key/value (deprecated), additional.fields |
dest | target.ip, target.hostname, target.labels.key/value (deprecated) |
dest_bunit | target.labels.key/value (deprecated), additional.fields |
dest_category | target.labels.key/value (deprecated), additional.fields |
dest_nt_domain | target.administrative_domain |
dest_priority | target.labels.key/value (deprecated), additional.fields |
dest_requires_av | target.labels.key/value (deprecated), additional.fields |
file_hash | target.file.sha256, target.file.md5, target.file.sha1 |
file_name | about.labels.key/value (deprecated), additional.fields |
file_path | target.file.full_path |
severity | security_result.severity |
severity_id | about.labels.key/value (deprecated), additional.fields |
signature | metadata.description |
signature_id | metadata.product_event_type |
src | principal.ip, principal.hostname, principal.labels.key/value (deprecated) |
src_bunit | principal.labels.key/value (deprecated), additional.fields |
src_category | principal.labels.key/value (deprecated), additional.fields |
src_priority | principal.labels.key/value (deprecated), additional.fields |
src_user | principal.user.user_display_name |
tag | about.labels.key/value (deprecated), additional.fields |
user | principal.user.user_display_name |
user_bunit | about.labels.key/value (deprecated), additional.fields |
user_category | principal.user.attribute.labels.key/value |
user_priority | principal.user.attribute.labels.key/value |
url | about.url |
vendor_product | about.labels.key/value (deprecated), additional.fields |
Malware_Operations
The following table lists the log fields of the Splunk dataset Malware_Operations and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
dest | target.ip, target.hostname, target.labels.key/value (deprecated) |
dest_bunit | target.labels.key/value (deprecated), additional.fields |
dest_category | target.labels.key/value (deprecated), additional.fields |
dest_nt_domain | target.labels.key/value (deprecated), additional.fields |
dest_priority | target.labels.key/value (deprecated), additional.fields |
dest_requires_av | target.labels.key/value (deprecated), additional.fields |
product_version | about.labels.key/value (deprecated), additional.fields |
signature_version | security_result.rule_version |
tag | about.labels.key/value (deprecated), additional.fields |
vendor_product | about.labels.key/value (deprecated), additional.fields |
DNS
The following table lists the log fields of the Splunk dataset DNS and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
additional_answer_count | about.labels.key/value (deprecated), additional.fields |
answer | network.dns.answers.data |
answer_count | about.labels.key/value (deprecated), additional.fields |
authority_answer_count | about.labels.key/value (deprecated), additional.fields |
dest | target.ip, target.hostname, target.labels.key/value (deprecated) |
dest_bunit | target.labels.key/value (deprecated), additional.fields |
dest_category | target.labels.key/value (deprecated), additional.fields |
dest_port | target.port |
dest_priority | target.labels.key/value (deprecated), additional.fields |
duration | network.session_duration |
message_type | about.labels.key/value (deprecated), additional.fields |
name | about.labels.key/value (deprecated), additional.fields |
query | network.dns.questions.name |
query_count | about.labels.key/value (deprecated), additional.fields |
query_type | network.dns.questions.type |
record_type | network.dns.answers.type (uint32) |
reply_code | about.labels.key/value (deprecated), additional.fields |
reply_code_id | network.dns.response_code |
response_time | about.labels.key/value (deprecated), additional.fields |
src | principal.ip, principal.hostname, principal.labels.key/value (deprecated) |
src_bunit | principal.labels.key/value (deprecated), additional.fields |
src_category | principal.labels.key/value (deprecated), additional.fields |
src_port | principal.port |
src_priority | principal.labels.key/value (deprecated), additional.fields |
tag | about.labels.key/value (deprecated), additional.fields |
transaction_id | network.dns.id |
transport | network.ip_protocol |
ttl | about.labels.key/value (deprecated), additional.fields |
vendor_product | about.labels.key/value (deprecated), additional.fields |
All_Sessions
The following table lists the log fields of the Splunk dataset All_Sessions and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
action | security_result.action_details, security_result.action |
dest_bunit | target.labels.key/value (deprecated), additional.fields |
dest_category | target.labels.key/value (deprecated), additional.fields |
dest_dns | target.labels.key/value (deprecated), additional.fields |
dest_ip | network.dhcp.ciaddr |
dest_mac | network.dhcp.chaddr |
dest_nt_host | target.labels.key/value (deprecated), additional.fields |
dest_priority | target.labels.key/value (deprecated), additional.fields |
duration | network.session_duration |
response_time | about.labels.key/value (deprecated), additional.fields |
signature | metadata.description |
signature_id | metadata.product_event_type |
src_bunit | principal.labels.key/value (deprecated), additional.fields |
src_category | principal.labels.key/value (deprecated), additional.fields |
src_dns | principal.labels.key/value (deprecated), additional.fields |
src_ip | principal.ip |
src_mac | principal.mac |
src_nt_host | principal.labels.key/value (deprecated), additional.fields |
src_priority | principal.labels.key/value (deprecated), additional.fields |
tag | about.labels.key/value (deprecated), additional.fields |
user | principal.user.user_display_name |
user_bunit | about.labels.key/value (deprecated), additional.fields |
user_category | principal.user.attribute.labels.key/value |
user_priority | principal.user.attribute.labels.key/value |
vendor_product | about.labels.key/value (deprecated), additional.fields |
DHCP
The following table lists the log fields of the Splunk dataset DHCP and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
lease_duration | network.dhcp.lease_time_seconds |
lease_scope | about.labels.key/value (deprecated), additional.fields |
All_Traffic
The following table lists the log fields of the Splunk dataset All_Traffic and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
action | security_result.action_details, security_result.action |
app | network.application_protocol |
bytes | about.labels.key/value (deprecated), additional.fields |
bytes_in | network.received_bytes |
bytes_out | network.sent_bytes |
channel | about.labels.key/value (deprecated), additional.fields |
dest | target.ip, target.hostname, target.labels.key/value (deprecated) |
dest_bunit | target.labels.key/value (deprecated), additional.fields |
dest_category | target.labels.key/value (deprecated), additional.fields |
dest_interface | target.labels.key/value (deprecated), additional.fields |
dest_ip | target.ip |
dest_mac | target.mac |
dest_port | target.port |
dest_priority | target.labels.key/value (deprecated), additional.fields |
dest_translated_ip | target.nat_ip |
dest_translated_port | target.nat_port |
dest_zone | target.location.country_or_region |
direction | network.direction |
duration | network.session_duration |
dvc | principal.asset.hostname, principal.asset.ip |
dvc_bunit | about.labels.key/value (deprecated), additional.fields |
dvc_category | about.labels.key/value (deprecated), additional.fields |
dvc_ip | about.labels.key/value (deprecated), additional.fields |
dvc_mac | principal.asset.mac |
dvc_priority | about.labels.key/value (deprecated), additional.fields |
dvc_zone | principal.asset.location.country_or_region |
flow_id | about.labels.key/value (deprecated), additional.fields |
icmp_code | about.labels.key/value (deprecated), additional.fields |
icmp_type | about.labels.key/value (deprecated), additional.fields |
packets | about.labels.key/value (deprecated), additional.fields |
packets_in | about.labels.key/value (deprecated), additional.fields |
packets_out | about.labels.key/value (deprecated), additional.fields |
protocol | about.labels.key/value (deprecated), additional.fields |
protocol_version | about.labels.key/value (deprecated), additional.fields |
response_time | about.labels.key/value (deprecated), additional.fields |
rule | security_result.rule_id |
session_id | network.session_id |
src | principal.ip, principal.hostname, principal.labels.key/value (deprecated) |
src_bunit | principal.labels.key/value (deprecated), additional.fields |
src_category | principal.labels.key/value (deprecated), additional.fields |
src_interface | principal.labels.key/value (deprecated), additional.fields |
src_ip | principal.ip |
src_mac | principal.mac |
src_port | principal.port |
src_priority | principal.labels.key/value (deprecated), additional.fields |
src_translated_ip | principal.nat_ip |
src_translated_port | principal.nat_port |
src_zone | principal.location.country_or_region |
ssid | about.labels.key/value (deprecated), additional.fields |
tag | about.labels.key/value (deprecated), additional.fields |
tcp_flag | about.labels.key/value (deprecated), additional.fields |
transport | network.ip_protocol |
tos | about.labels.key/value (deprecated), additional.fields |
ttl | network.dns.additional.ttl |
user | principal.user.userid |
user_bunit | about.labels.key/value (deprecated), additional.fields |
user_category | principal.user.attribute.labels.key/value |
user_priority | principal.user.attribute.labels.key/value |
vendor_account | about.labels.key/value (deprecated), additional.fields |
vendor_product | about.labels.key/value (deprecated), additional.fields |
vlan | about.labels.key/value (deprecated), additional.fields |
wifi | about.labels.key/value (deprecated), additional.fields |
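Several rows in these tables map one CIM field onto more than one UDM field (dest and src onto .ip or .hostname; file_hash onto sha256, md5 or sha1 in the Malware_Attacks and IDS_Attacks tables; action onto both action_details and the action enum), and the tables do not say how the parser picks one. The example below is added here to show how a practitioner can check a flattened All_Traffic row against the mapping before enabling the forwarder; it is not Google's parser and not part of the original page. The resolution rules (IP literal vs hostname, hash hex length, the CIM action and transport spellings in the lookup tables) are assumptions, and the sample rows are constructed.

```python
import ipaddress
from typing import Any, Dict, Optional

# Constructed sample rows (not real data). Field names are the ones in the
# All_Traffic and Malware_Attacks tables; the values are invented.
SAMPLE_ALL_TRAFFIC: Dict[str, str] = {
    "action": "blocked",
    "src": "10.1.2.3",
    "src_port": "51234",
    "dest": "web01.corp.example",
    "dest_port": "443",
    "transport": "tcp",
    "direction": "outbound",
    "bytes_in": "512",
    "bytes_out": "2048",
    "rule": "deny-egress-42",
    "vendor_product": "Example Firewall",
}

SAMPLE_MALWARE_ATTACK: Dict[str, str] = {
    "action": "quarantined",
    "dest": "192.0.2.10",
    "file_hash": "D41D8CD98F00B204E9800998ECF8427E",
    "file_path": r"C:\Users\vpatel\Downloads\x.exe",
    "signature": "EICAR-Test-File",
}

# Assumed lookup tables: the right-hand side are UDM enum names; the CIM
# spellings on the left are an assumption about what the vendor emits.
ACTION_ENUM = {"allowed": "ALLOW", "blocked": "BLOCK", "quarantined": "QUARANTINE", "failure": "FAIL"}
IP_PROTOCOL_ENUM = {"tcp": "TCP", "udp": "UDP", "icmp": "ICMP"}
DIRECTION_ENUM = {"inbound": "INBOUND", "outbound": "OUTBOUND"}
HASH_FIELD_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}


def _set(udm: Dict[str, Any], path: str, value: Any) -> None:
    """Set a dotted UDM path such as 'target.file.sha256' on a nested dict."""
    node = udm
    *parents, leaf = path.split(".")
    for part in parents:
        node = node.setdefault(part, {})
    node[leaf] = value


def endpoint_field(value: str) -> str:
    """dest/src resolve to .ip when the value parses as an IP, else .hostname (assumed rule)."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        return "hostname"


def hash_field(value: str) -> Optional[str]:
    """file_hash resolves to md5/sha1/sha256 by hex length (assumed rule); None if unrecognised."""
    v = value.strip().lower()
    if v and all(c in "0123456789abcdef" for c in v):
        return HASH_FIELD_BY_LENGTH.get(len(v))
    return None


def cim_to_udm(row: Dict[str, str]) -> Dict[str, Any]:
    """Normalise one flattened CIM row into a UDM-shaped dict following the tables above."""
    udm: Dict[str, Any] = {}
    extra = udm.setdefault("additional", {}).setdefault("fields", {})
    for key, value in row.items():
        if key in ("src", "dest"):
            noun = "principal" if key == "src" else "target"
            kind = endpoint_field(value)
            # UDM .ip is a repeated field, .hostname a single string.
            _set(udm, f"{noun}.{kind}", [value] if kind == "ip" else value)
        elif key in ("src_port", "dest_port"):
            _set(udm, ("principal" if key == "src_port" else "target") + ".port", int(value))
        elif key == "transport":
            _set(udm, "network.ip_protocol", IP_PROTOCOL_ENUM.get(value.lower(), "UNKNOWN_IP_PROTOCOL"))
        elif key == "direction":
            _set(udm, "network.direction", DIRECTION_ENUM.get(value.lower(), "UNKNOWN_DIRECTION"))
        elif key == "bytes_in":
            _set(udm, "network.received_bytes", int(value))
        elif key == "bytes_out":
            _set(udm, "network.sent_bytes", int(value))
        elif key == "rule":
            _set(udm, "security_result.rule_id", value)
        elif key == "action":
            _set(udm, "security_result.action_details", value)
            _set(udm, "security_result.action", ACTION_ENUM.get(value.lower(), "UNKNOWN_ACTION"))
        elif key == "signature":
            _set(udm, "metadata.description", value)
        elif key == "file_path":
            _set(udm, "target.file.full_path", value)
        elif key == "file_hash" and hash_field(value):
            _set(udm, "target.file." + hash_field(value), value.lower())
        else:
            # Every row the tables send to "additional.fields" (and anything unknown) lands here.
            extra[key] = value
    return udm


if __name__ == "__main__":
    import json
    print(json.dumps(cim_to_udm(SAMPLE_ALL_TRAFFIC), indent=2))
```

A CIM value that falls through to additional.fields is not searchable by the typed UDM fields, so running a few representative rows from each data model through a check like this (or comparing the forwarder's output against it) shows early which vendor spellings of action or transport end up as UNKNOWN_* and which hashes are not in a recognised hex length.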
All_Performance
The following table lists the log fields of the Splunk dataset All_Performance and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
dest | target.ip, target.hostname, target.labels.key/value (deprecated) |
dest_bunit | target.labels.key/value (deprecated), additional.fields |
dest_category | target.labels.key/value (deprecated), additional.fields |
dest_priority | target.labels.key/value (deprecated), additional.fields |
dest_should_timesync | target.labels.key/value (deprecated), additional.fields |
dest_should_update | target.labels.key/value (deprecated), additional.fields |
hypervisor_id | about.labels.key/value (deprecated), additional.fields |
resource_type | about.labels.key/value (deprecated), additional.fields |
tag | about.labels.key/value (deprecated), additional.fields |
Facilities
The following table lists the log fields of the Splunk dataset Facilities and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
fan_speed | about.labels.key/value (deprecated), additional.fields |
power | about.labels.key/value (deprecated), additional.fields |
temperature | about.labels.key/value (deprecated), additional.fields |
Timesync
The following table lists the log fields of the Splunk dataset Timesync and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
action | security_result.action_details, security_result.action |
Uptime
The following table lists the log fields of the Splunk dataset Uptime and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
uptime | about.labels.key/value (deprecated), additional.fields |
View_Activity
The following table lists the log fields of the Splunk dataset View_Activity and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
app | target.application |
spent | about.labels.key/value (deprecated), additional.fields |
uri | about.labels.key/value (deprecated), additional.fields |
user | principal.user.user_display_name |
view | about.labels.key/value (deprecated), additional.fields |
Datamodel_Acceleration
The following table lists the log fields of the Splunk dataset Datamodel_Acceleration and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
access_count | about.labels.key/value (deprecated), additional.fields |
access_time | about.labels.key/value (deprecated), additional.fields |
app | target.application |
buckets | about.labels.key/value (deprecated), additional.fields |
buckets_size | about.labels.key/value (deprecated), additional.fields |
complete | about.labels.key/value (deprecated), additional.fields |
cron | about.labels.key/value (deprecated), additional.fields |
datamodel | about.labels.key/value (deprecated), additional.fields |
digest | about.labels.key/value (deprecated), additional.fields |
earliest | about.labels.key/value (deprecated), additional.fields |
is_inprogress | about.labels.key/value (deprecated), additional.fields |
last_error | about.labels.key/value (deprecated), additional.fields |
last_sid | about.labels.key/value (deprecated), additional.fields |
latest | about.labels.key/value (deprecated), additional.fields |
mod_time | about.labels.key/value (deprecated), additional.fields |
retention | about.labels.key/value (deprecated), additional.fields |
size | about.file.size |
summary_id | about.labels.key/value (deprecated), additional.fields |
Search_Activity
The following table lists the log fields of the Splunk dataset Search_Activity and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
host | about.hostname |
info | about.labels.key/value (deprecated), additional.fields |
search | about.labels.key/value (deprecated), additional.fields |
search_et | about.labels.key/value (deprecated), additional.fields |
search_lt | about.labels.key/value (deprecated), additional.fields |
search_type | about.labels.key/value (deprecated), additional.fields |
source | principal.labels.key/value (deprecated), additional.fields |
sourcetype | principal.labels.key/value (deprecated), additional.fields |
user | principal.user.user_display_name |
user_bunit | about.labels.key/value (deprecated), additional.fields |
user_category | principal.user.attribute.labels.key/value |
user_priority | principal.user.attribute.labels.key/value |
Scheduler_Activity
The following table lists the log fields of the Splunk dataset Scheduler_Activity and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
app | target.application |
host | about.hostname |
savedsearch_name | about.labels.key/value (deprecated), additional.fields |
sid | about.labels.key/value (deprecated), additional.fields |
source | principal.labels.key/value (deprecated), additional.fields |
sourcetype | principal.labels.key/value (deprecated), additional.fields |
splunk_server | principal.ip, principal.hostname |
status | security_result.summary |
user | principal.user.user_display_name |
Web_Service_Errors
The following table lists the log fields of the Splunk dataset Web_Service_Errors and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
host | about.hostname |
source | principal.labels.key/value (deprecated), additional.fields |
sourcetype | principal.labels.key/value (deprecated), additional.fields |
event_id | security_result.rule_name |
Modular_Actions
The following table lists the log fields of the Splunk dataset Modular_Actions and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
action_mode | about.labels.key/value (deprecated), additional.fields |
action_status | about.labels.key/value (deprecated), additional.fields |
app | target.application |
duration | network.session_duration |
component | about.labels.key/value (deprecated), additional.fields |
orig_rid | about.labels.key/value (deprecated), additional.fields |
orig_sid | about.labels.key/value (deprecated), additional.fields |
rid | about.labels.key/value (deprecated), additional.fields |
search_name | about.labels.key/value (deprecated), additional.fields |
action_name | security_result.action_details |
signature | metadata.description |
sid | about.labels.key/value (deprecated), additional.fields |
user | about.labels.key/value (deprecated), additional.fields |
All_Ticket_Management
The following table lists the log fields of the Splunk dataset All_Ticket_Management and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
affect_dest | target.labels.key/value (deprecated), additional.fields |
comments | about.labels.key/value (deprecated), additional.fields |
description | security_result.description |
dest | target.ip, target.hostname, target.labels.key/value (deprecated) |
dest_bunit | target.labels.key/value (deprecated), additional.fields |
dest_category | target.labels.key/value (deprecated), additional.fields |
dest_priority | target.labels.key/value (deprecated), additional.fields |
priority | security_result.priority_details |
severity | security_result.severity |
severity_id | about.labels.key/value (deprecated), additional.fields |
splunk_id | about.labels.key/value (deprecated), additional.fields |
splunk_realm | about.labels.key/value (deprecated), additional.fields |
src_user | principal.user.user_display_name |
src_user_bunit | principal.labels.key/value (deprecated), additional.fields |
src_user_category | principal.labels.key/value (deprecated), additional.fields |
src_user_priority | principal.labels.key/value (deprecated), additional.fields |
status | security_result.summary |
tag | about.labels.key/value (deprecated), additional.fields |
ticket_id | target.user.attribute.labels.key/value |
time_submitted | principal.user.attribute.creation_time |
user | principal.user.user_display_name |
user_bunit | about.labels.key/value (deprecated), additional.fields |
user_category | principal.user.attribute.labels.key/value |
user_priority | principal.user.attribute.labels.key/value |
Change
The following table lists the log fields of the Splunk dataset Change and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
change | about.labels.key/value (deprecated), additional.fields |
Incident
The following table lists the log fields of the Splunk dataset Incident and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
incident | about.labels.key/value (deprecated), additional.fields |
Problem
The following table lists the log fields of the Splunk dataset Problem and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
problem | about.labels.key/value (deprecated), additional.fields |
Updates
The following table lists the log fields of the Splunk dataset Updates and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
dest | target.ip, target.hostname, target.labels.key/value (deprecated) |
dest_bunit | target.labels.key/value (deprecated), additional.fields |
dest_category | target.labels.key/value (deprecated), additional.fields |
dest_priority | target.labels.key/value (deprecated), additional.fields |
dest_should_update | target.labels.key/value (deprecated), additional.fields |
dvc | principal.asset.hostname, principal.asset.ip |
file_hash | target.file.sha256, target.file.md5, target.file.sha1 |
file_name | about.labels.key/value (deprecated), additional.fields |
severity | security_result.severity |
severity_id | about.labels.key/value (deprecated), additional.fields |
signature | metadata.description |
signature_id | metadata.product_event_type |
status | security_result.summary |
tag | about.labels.key/value (deprecated), additional.fields |
vendor_product | about.labels.key/value (deprecated), additional.fields |
Vulnerabilities
The following table lists the log fields of the Splunk dataset Vulnerabilities and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
bugtraq | about.labels.key/value (deprecated), additional.fields |
category | security_result.category_details |
cert | about.labels.key/value (deprecated), additional.fields |
cve | extensions.vulns.vulnerabilities.cve_description |
cvss | extensions.vulns.vulnerabilities.cvss_base_score |
dest | target.ip, target.hostname, target.labels.key/value (deprecated) |
dest_bunit | target.labels.key/value (deprecated), additional.fields |
dest_category | target.labels.key/value (deprecated), additional.fields |
dest_priority | target.labels.key/value (deprecated), additional.fields |
dvc | principal.asset.hostname, principal.asset.ip |
dvc_bunit | about.labels.key/value (deprecated), additional.fields |
dvc_category | about.labels.key/value (deprecated), additional.fields |
dvc_priority | about.labels.key/value (deprecated), additional.fields |
msft | about.labels.key/value (deprecated), additional.fields |
mskb | about.labels.key/value (deprecated), additional.fields |
severity | extensions.vulns.vulnerabilities.severity |
severity_id | about.labels.key/value (deprecated), additional.fields |
signature | metadata.description |
signature_id | metadata.product_event_type |
tag | about.labels.key/value (deprecated), additional.fields |
url | extensions.vulns.vulnerabilities.about.url |
user | extensions.vulns.vulnerabilities.about.user.user_display_name |
user_bunit | about.labels.key/value (deprecated), additional.fields |
user_category | principal.user.attribute.labels.key/value |
user_priority | principal.user.attribute.labels.key/value |
vendor_product | about.labels.key/value (deprecated), additional.fields |
xref | about.labels.key/value (deprecated), additional.fields |
Web
The following table lists the log fields of the Splunk Web dataset and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
action | security_result.action_details, security_result.action |
app | target.application |
bytes | about.labels.key/value (deprecated), additional.fields |
bytes_in | network.received_bytes |
bytes_out | network.sent_bytes |
cached | about.labels.key/value (deprecated), additional.fields |
category | security_result.category_details |
cookie | about.labels.key/value (deprecated), additional.fields |
dest | target.ip, target.hostname, target.labels.key/value (deprecated) |
dest_bunit | target.labels.key/value (deprecated), additional.fields |
dest_category | target.labels.key/value (deprecated), additional.fields |
dest_priority | target.labels.key/value (deprecated), additional.fields |
dest_port | target.port |
duration | network.session_duration |
http_content_type | about.labels.key/value (deprecated), additional.fields |
http_method | network.http.method |
http_referrer | network.http.referral_url |
http_referrer_domain | about.labels.key/value (deprecated), additional.fields |
http_user_agent | network.http.user_agent |
http_user_agent_length | about.labels.key/value (deprecated), additional.fields |
response_time | about.labels.key/value (deprecated), additional.fields |
site | about.labels.key/value (deprecated), additional.fields |
src | principal.ip, principal.hostname, principal.labels.key/value (deprecated) |
src_bunit | principal.labels.key/value (deprecated), additional.fields |
src_category | principal.labels.key/value (deprecated), additional.fields |
src_priority | principal.labels.key/value (deprecated), additional.fields |
status | network.http.response_code |
tag | about.labels.key/value (deprecated), additional.fields |
uri_path | about.labels.key/value (deprecated), additional.fields |
uri_query | about.labels.key/value (deprecated), additional.fields |
url | about.url |
url_domain | about.asset.network_domain |
url_length | about.labels.key/value (deprecated), additional.fields |
user | principal.user.user_display_name |
user_bunit | about.labels.key/value (deprecated), additional.fields |
user_category | principal.user.attribute.labels.key/value |
user_priority | principal.user.attribute.labels.key/value |
vendor_product | about.labels.key/value (deprecated), additional.fields |
UDM event types
The following table lists the Splunk tags and their corresponding UDM event types:
Data model | Splunk tag | UDM event type |
---|---|---|
Alerts | alert | STATUS_UPDATE |
Authentication | authentication | USER_UNCATEGORIZED |
Certificates | certificate | NETWORK_UNCATEGORIZED |
Change | change | SYSTEM_AUDIT_LOG_UNCATEGORIZED |
Data Access | data, access | USER_RESOURCE_ACCESS |
Databases | database | USER_RESOURCE_ACCESS |
Databases | database, instance, stats | STATUS_UPDATE |
Databases | database, instance, status | STATUS_UPDATE |
Databases | database, instance, lock | STATUS_UPDATE |
Databases | database, query | STATUS_UPDATE |
Databases | database, query, tablespace | STATUS_UPDATE |
Databases | database, query, stats | STATUS_UPDATE |
Data Loss Prevention | dlp, incident | SCAN_UNCATEGORIZED |
Email | email | EMAIL_UNCATEGORIZED |
Email | email, delivery | EMAIL_TRANSACTION |
Endpoint | listening, port | SERVICE_UNSPECIFIED |
Endpoint | process, report | PROCESS_UNCATEGORIZED |
Endpoint | service, report | SERVICE_UNSPECIFIED |
Endpoint | endpoint, filesystem | FILE_UNCATEGORIZED |
Endpoint | endpoint, registry | REGISTRY_UNCATEGORIZED |
Event Signatures | track_event_signature | STATUS_UPDATE |
Interprocess Messaging | messaging | STATUS_UPDATE |
Intrusion Detection | attack | SERVICE_UNSPECIFIED |
Inventory | inventory | SYSTEM_AUDIT_LOG_UNCATEGORIZED |
Java Virtual Machines (JVM) | jvm | SYSTEM_AUDIT_LOG_UNCATEGORIZED |
Malware | malware | STATUS_UPDATE |
Network Resolution (DNS) | network, resolution, dns | NETWORK_DNS |
Network Sessions | network, session | NETWORK_CONNECTION |
Network Sessions | network, session, dhcp | NETWORK_DHCP |
Network Traffic | network, communicate | NETWORK_CONNECTION |
Performance | performance | SERVICE_UNSPECIFIED |
Splunk Audit Logs | modaction | STATUS_UPDATE |
Ticket Management | ticketing | STATUS_UPDATE |
Ticket Management | ticketing, change | STATUS_UPDATE |
Updates | update | STATUS_UPDATE |
Vulnerabilities | report, vulnerability | SCAN_UNCATEGORIZED |
Web | web | NETWORK_UNCATEGORIZED |
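Several tag sets in the table above overlap (for example, `database` alone maps to USER_RESOURCE_ACCESS while `database, instance, stats` maps to STATUS_UPDATE), and the Web field table sends some fields to first-class UDM paths and others to `additional.fields`. The following Python is an added example, not the Google Security Operations parser and not Splunk code: it reproduces a subset of the Web field table and the tag table so you can check offline which UDM event type and paths a given CIM event would land on before you ship it through the forwarder. The rule that the most specific (largest) matching tag set wins, the GENERIC_EVENT fallback, and the choice between `ip` and `hostname` by value shape are assumptions made here; the page does not state them. The sample event is constructed.

```python
"""Added illustration of the Splunk CIM -> UDM tables above (not Google's parser)."""
import ipaddress
import json

# Subset of the Web field table: CIM field -> UDM path(s). Fields the table
# routes to a deprecated label target are kept as additional.fields (None).
WEB_FIELD_MAP = {
    "action": ("security_result.action_details",),  # page also lists security_result.action
    "app": ("target.application",),
    "bytes_in": ("network.received_bytes",),
    "bytes_out": ("network.sent_bytes",),
    "dest": ("target.ip", "target.hostname"),  # one of the two, chosen below
    "dest_port": ("target.port",),
    "http_method": ("network.http.method",),
    "http_user_agent": ("network.http.user_agent",),
    "src": ("principal.ip", "principal.hostname"),
    "status": ("network.http.response_code",),
    "url": ("about.url",),
    "url_domain": ("about.asset.network_domain",),
    "user": ("principal.user.user_display_name",),
    "uri_path": None,
    "cookie": None,
}

# Subset of the tag -> UDM event type table, including the overlapping rows.
TAG_EVENT_TYPES = [
    ({"web"}, "NETWORK_UNCATEGORIZED"),
    ({"network", "communicate"}, "NETWORK_CONNECTION"),
    ({"network", "session"}, "NETWORK_CONNECTION"),
    ({"network", "session", "dhcp"}, "NETWORK_DHCP"),
    ({"network", "resolution", "dns"}, "NETWORK_DNS"),
    ({"database"}, "USER_RESOURCE_ACCESS"),
    ({"database", "instance", "stats"}, "STATUS_UPDATE"),
    ({"authentication"}, "USER_UNCATEGORIZED"),
    ({"report", "vulnerability"}, "SCAN_UNCATEGORIZED"),
]


def udm_event_type(tags):
    """Return the event type of the largest tag set contained in `tags`.

    Longest-match is an assumption: it makes 'database, instance, stats'
    win over the bare 'database' row instead of whichever row comes first.
    """
    present = set(tags)
    best_required, best_type = set(), "GENERIC_EVENT"  # fallback is an assumption
    for required, event_type in TAG_EVENT_TYPES:
        if required <= present and len(required) > len(best_required):
            best_required, best_type = required, event_type
    return best_type


def _is_ip(value):
    try:
        ipaddress.ip_address(str(value))
        return True
    except ValueError:
        return False


def _set_path(udm, dotted, value):
    """Create nested dicts for a dotted UDM path such as network.http.method."""
    node = udm
    parts = dotted.split(".")
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    node[parts[-1]] = value


def map_web_event(event):
    """Map a CIM Web event (field -> value, plus a 'tag' list) to a UDM-shaped dict."""
    udm = {"metadata": {"event_type": udm_event_type(event.get("tag", []))}}
    additional = {}
    for field, value in event.items():
        if field == "tag":
            continue
        paths = WEB_FIELD_MAP.get(field)
        if paths is None:
            additional[field] = value  # deprecated label target or unmapped field
        elif field in ("src", "dest"):
            # The table lists both ip and hostname; pick by value shape (assumption).
            _set_path(udm, paths[0] if _is_ip(value) else paths[1], value)
        else:
            for path in paths:
                _set_path(udm, path, value)
    if additional:
        udm["additional"] = {"fields": additional}
    return udm


# Constructed sample event, not a real Splunk record.
SAMPLE_WEB_EVENT = {
    "tag": ["web"], "action": "allowed", "app": "proxy",
    "src": "10.0.0.25", "dest": "www.example.com", "dest_port": 443,
    "http_method": "GET", "status": 200, "bytes_in": 5120, "bytes_out": 730,
    "url": "https://www.example.com/login", "url_domain": "www.example.com",
    "user": "alice", "uri_path": "/login",
}

if __name__ == "__main__":
    print(json.dumps(map_web_event(SAMPLE_WEB_EVENT), indent=2))
```

Run it and compare the printed structure with what you see in Google Security Operations for the same event; a field that shows up under `additional.fields` instead of the UDM path you expected usually means it hit one of the deprecated label rows in the table above.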