Recopila registros de CIM de Splunk
En este documento, se describe cómo puedes recopilar registros del modelo de información común (CIM) de Splunk mediante la configuración de Splunk y un servidor de reenvío de Google Security Operations. En este documento, también se enumeran los tipos de registros compatibles y las versiones de Splunk compatibles.
Para obtener más información, consulta Transferencia de datos a Google Security Operations.
Descripción general
En el siguiente diagrama de arquitectura de implementación, se muestra cómo los agentes de Splunk están configurados para enviar registros a Google Security Operations. Cada implementación de cliente puede diferir de esta representación y ser más compleja.
En el diagrama de arquitectura, se muestran los siguientes componentes:
Fuente de datos: Es el sistema que se debe supervisar en el que se instala Splunk.
Splunk: Recopila información de la fuente de datos y la reenvía al servidor de reenvío de Google Security Operations.
Servidor de reenvío de Google Security Operations: Es un componente de software ligero que se implementa en la red del cliente para reenviar los registros a Google Security Operations.
Operaciones de seguridad de Google: Retiene y analiza los registros del servidor de flota.
Una etiqueta de transferencia identifica el analizador que normaliza los datos de registro sin procesar en un formato UDM estructurado. La información de este documento se aplica al analizador con la etiqueta de transferencia SPLUNK.
Antes de comenzar
Usa la versión 5.0 de Splunk que admita el analizador de Google Security Operations.
Asegúrate de que todos los sistemas en la arquitectura de implementación estén configurados en la zona horaria UTC.
Configura un agente de Splunk y un servidor de reenvío de Google Security Operations
Instala un agente de Splunkbase que cumpla con los requisitos de CIM.
Configura un servidor de reenvío de Google Security Operations.
Configurar el servidor de reenvío de Google Security Operations para enviar los registros al sistema de Google Security Operations El siguiente es un ejemplo de una configuración del servidor de reenvío de Google Security Operations:
- splunk: common: enabled: true data_type: SPLUNK batch_n_seconds: 10 batch_n_bytes: 819200 url: <SPLUNK_URL> query_cim: true is_ignore_cert: true query_string: datamodel Network_Traffic All_Traffic flat
Consideraciones para escribir búsquedas de Splunk
Splunk tiene su propio lenguaje de búsqueda, que es similar a SQL. Asegúrate de usar la sintaxis correcta para tu búsqueda. Ten en cuenta las siguientes características de búsqueda cuando crees una consulta:
Carácter de escape
Si un valor de cadena contiene una comilla doble ", utiliza caracteres de barra inversa para escapar las comillas. De lo contrario, la búsqueda malinterpretará el final del valor de la cadena.
Por ejemplo: para buscar una string WHERE _raw="The user "vpatel" isn't authenticated.", debes usar la secuencia \" para buscar una comilla doble literal.
Escribe la cadena de búsqueda en el siguiente formato:
WHERE _raw="The user \"vpatel\" isn't authenticated."
Para escapar un carácter de barra inversa \ , usa la secuencia \\ para buscar una barra inversa.
Por ejemplo, si hay una cadena como C:\user\abc, debe escribirse como C:\\user\\abc.
Búsqueda sintácticamente incorrecta
Si una sección de la consulta no es válida, la consulta completa no se evalúa y aparece un mensaje de error.
Ten en cuenta el siguiente ejemplo, en el que la opción de modo de búsqueda no aparece en la consulta:
multisearch [|datamodel Network_Traffic All_Traffic] [|datamodel Network_Sessions All_Sessions flat]
En este ejemplo, falta la opción de modo de búsqueda en la consulta. Esto genera el siguiente error:
Error in 'multisearch' command: Multisearch sub searches might only contain purely streaming operations. The search job has failed due to an error.
Compatibilidad con varios modelos de datos
Splunk admite una sola consulta grande que abarca modelos de datos. La siguiente consulta de búsqueda extrae datos de varios modelos de datos:
multisearch [|datamodel Network_Traffic All_Traffic flat] [|datamodel Network_Sessions All_Sessions flat]
Estos son los componentes de esta consulta que abarcan modelos de datos:
Multisearch: La consulta debe comenzar con la palabra multisearch. Una consulta de un modelo de datos debe encerrarse entre corchetes [ ] y comenzar con una barra vertical |.
Network_Traffic: Es el nombre del modelo de datos.
All_Traffic: Conjunto de datos del modelo de datos Network_Traffic.
flat: Modo de búsqueda. Las otras opciones son search y acceleration_search.
Recomendamos usar la siguiente consulta de Splunk para la búsqueda de varios modelos de datos:
multisearch [|datamodel Network_Traffic All_Traffic flat] [|datamodel Network_Sessions All_Sessions flat]
Tipos de registros y modelos de datos admitidos
| Modelo de datos de Splunk | Admitido |
|---|---|
| Alertas | Sí |
| Estado de la aplicación (obsoleto) | No |
| Authentication | Sí |
| Certificados | Sí |
| Cambiar | Sí |
| Change Analysis (obsoleto) | No |
| Acceso a los datos | Sí |
| Bases de datos | Sí |
| Prevención de pérdida de datos | Sí |
| Sí | |
| Extremo | Sí |
| Firmas de eventos | Sí |
| Mensajes entre procesos | Sí |
| Detección de intrusiones | Sí |
| Inventario | Sí |
| Máquinas virtuales Java (JVM) | Sí |
| Software malicioso | Sí |
| Resolución de red (DNS) | Sí |
| Sesiones de red | Sí |
| Tráfico de red | Sí |
| Rendimiento | Sí |
| Registros de auditoría de Splunk | Sí |
| Administración de tickets | Sí |
| Actualizaciones | Sí |
| Vulnerabilidades | Sí |
| Web | Sí |
Referencia de la asignación de campos
En esta sección, se explica cómo el analizador de Google Security Operations asigna los campos de registro de Splunk a los campos del modelo de datos unificado (UDM) de Google Security Operations para los conjuntos de datos. Para obtener más información, consulta el documento de Splunk sobre la versión 5.0.1.
Alertas
En la siguiente tabla, se enumeran los campos de registro y las asignaciones UDM correspondientes para las alertas del conjunto de datos de Splunk:
| Campo de registro | Asignación de UDM |
|---|---|
| app | observer.application |
| description | security_result.description |
| dest | target.ip target.hostname target.labels.key/value (obsoleto) |
| dest_bunit | target.labels.key/value (obsoleto) additional.fields |
| dest_category | target.labels.key/value (obsoleto) additional.fields |
| dest_priority | target.labels.key/value (obsoleto) additional.fields |
| dest_type | target.resource.resource_type |
| id | metadata.product_log_id |
| mitre_technique_id | security_result.detection_fields.labels.key/value |
| gravedad, | security_result.severity |
| severity_id | about.labels.key/value (obsoleto) additional.fields |
| firma | metadata.description |
| signature_id | security_result.rule_name |
| src | principal.ip principal.hostname principal.labels.key/value (obsoleto) |
| src_bunit | principal.labels.key/value (obsoleto) additional.fields |
| src_category | principal.labels.key/value (obsoleto) additional.fields |
| src_priority | principal.labels.key/value (obsoleto) additional.fields |
| src_type | principal.resource.resource_type |
| etiqueta | about.labels.key/value (obsoleto) additional.fields |
| Tipo | security_result.alert_state |
| usuario | principal.user.user_display_name |
| user_bunit | about.labels.key/value (obsoleto) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_name | principal.user.userid |
| user_priority | principal.user.attribute.label.key/value |
| vendor_account | about.labels.key/value (obsoleto) additional.fields |
| vendor_region | about.location.country_or_region |
Autenticación
En la siguiente tabla, se enumeran los campos de registro y las asignaciones UDM correspondientes para la autenticación del conjunto de datos de Splunk:
| Campo de registro | Asignación de UDM |
|---|---|
| acción | security_result.action_details security_result.action |
| app | target.application |
| authentication_method | about.labels.key/value (obsoleto) additional.fields |
| authentication_service | extension.auth.auth_details |
| dest | target.ip target.hostname target.labels.key/value (obsoleto) |
| dest_bunit | target.labels.key/value (obsoleto) additional.fields |
| dest_category | target.labels.key/value (obsoleto) additional.fields |
| dest_nt_domain | target.labels.key/value (obsoleto) additional.fields |
| dest_priority | target.labels.key/value (obsoleto) additional.fields |
| duration | network.session_duration |
| Reason | security_result.summary |
| response_time | about.labels.key/value (obsoleto) additional.fields |
| firma | metadata.description |
| signature_id | metadata.product_event_type |
| src | principal.ip principal.hostname principal.labels.key/value (obsoleto) |
| src_bunit | principal.labels.key/value (obsoleto) additional.fields |
| src_category | principal.labels.key/value (obsoleto) additional.fields |
| src_nt_domain | principal.labels.key/value (obsoleto) additional.fields |
| src_priority | principal.labels.key/value (obsoleto) additional.fields |
| src_user | principal.user.user_display_name |
| src_user_bunit | principal.labels.key/value (obsoleto) additional.fields |
| src_user_category | principal.labels.key/value (obsoleto) additional.fields |
| src_user_id | principal.user.userid |
| src_user_priority | principal.labels.key/value (obsoleto) additional.fields |
| src_user_role | principal.user.attribute.roles.name (repetido) |
| src_user_type | principal.user.attribute.roles.type |
| etiqueta | about.labels.key/value (obsoleto) additional.fields |
| usuario | principal.user.user_display_name |
| user_agent | network.http.user_agent |
| user_bunit | about.labels.key/value (obsoleto) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_id | principal.user.userid |
| user_priority | principal.user.attribute.label.key/value |
| user_role | principal.user.attribute.roles.name (repetido) |
| user_type | principal.user.attribute.roles.type |
| vendor_account | about.labels.key/value (obsoleto) additional.fields |
All_Certificates
En la siguiente tabla, se enumeran los campos de registro y las asignaciones UDM correspondientes para el conjunto de datos de Splunk All_Certificates:
| Campo de registro | Asignación de UDM |
|---|---|
| dest | target.ip target.hostname target.labels.key/value (obsoleto) |
| dest_bunit | target.labels.key/value (obsoleto) additional.fields |
| dest_category | target.labels.key/value (obsoleto) additional.fields |
| dest_port | target.port |
| dest_priority | target.labels.key/value (obsoleto) additional.fields |
| duration | network.session_duration |
| response_time | about.labels.key/value (obsoleto) additional.fields |
| src | principal.ip principal.hostname principal.labels.key/value (obsoleto) |
| src_bunit | principal.labels.key/value (obsoleto) additional.fields |
| src_category | principal.labels.key/value (obsoleto) additional.fields |
| src_port | principal.port |
| src_priority | principal.labels.key/value (obsoleto) additional.fields |
| etiqueta | about.labels.key/value (obsoleto) additional.fields |
| transport | network.ip_protocol |
SSL
En la siguiente tabla, se enumeran los campos de registro y las asignaciones UDM correspondientes para el SSL del conjunto de datos de Splunk:
| Campo de registro | Asignación de UDM |
|---|---|
| ssl_end_time | network.tls.server.certificate.not_after |
| ssl_engine | about.labels.key/value (obsoleto) additional.fields |
| ssl_hash | about.labels.key/value (obsoleto) additional.fields |
| ssl_is_valid | about.labels.key/value (obsoleto) additional.fields |
| ssl_issuer | network.tls.server.certificate.issuer |
| ssl_issuer_common_name | about.labels.key/value (obsoleto) additional.fields |
| ssl_issuer_email | about.labels.key/value (obsoleto) additional.fields |
| ssl_issuer_email_domain | about.labels.key/value (obsoleto) additional.fields |
| ssl_issuer_locality | about.labels.key/value (obsoleto) additional.fields |
| ssl_issuer_organization | about.labels.key/value (obsoleto) additional.fields |
| ssl_issuer_state | about.labels.key/value (obsoleto) additional.fields |
| ssl_issuer_street | about.labels.key/value (obsoleto) additional.fields |
| ssl_issuer_unit | about.labels.key/value (obsoleto) additional.fields |
| ssl_name | about.labels.key/value (obsoleto) additional.fields |
| ssl_policies | about.labels.key/value (obsoleto) additional.fields |
| ssl_publickey | about.labels.key/value (obsoleto) additional.fields |
| ssl_publickey_algorithm | about.labels.key/value (obsoleto) additional.fields |
| ssl_serial | network.tls.server.certificate.serial |
| ssl_session_id | network.session_id |
| ssl_signature_algorithm | about.labels.key/value (obsoleto) additional.fields |
| ssl_start_time | network.tls.server.certificate.not_before |
| ssl_subject | network.tls.server.certificate.subject |
| ssl_subject_common_name | about.labels.key/value (obsoleto) additional.fields |
| ssl_subject_email | about.labels.key/value (obsoleto) additional.fields |
| ssl_subject_email_domain | about.labels.key/value (obsoleto) additional.fields |
| ssl_subject_locality | about.labels.key/value (obsoleto) additional.fields |
| ssl_subject_organization | about.labels.key/value (obsoleto) additional.fields |
| ssl_subject_state | about.labels.key/value (obsoleto) additional.fields |
| ssl_subject_street | about.labels.key/value (obsoleto) additional.fields |
| ssl_subject_unit | about.labels.key/value (obsoleto) additional.fields |
| ssl_validity_window | about.labels.key/value (obsoleto) additional.fields |
| ssl_version | network.tls.server.certificate.version |
All_Changes
En la siguiente tabla, se enumeran los campos de registro y las asignaciones UDM correspondientes para el conjunto de datos de Splunk All_Changes:
| Campo de registro | Asignación de UDM |
|---|---|
| acción | security_result.action_details security_result.action |
| change_type | security_result.category_details |
| CREATE OR REPLACE MODEL. | principal.process.command_line |
| dest | target.ip target.hostname target.labels.key/value (obsoleto) |
| dest_bunit | target.labels.key/value (obsoleto) additional.fields |
| dest_category | target.labels.key/value (obsoleto) additional.fields |
| dest_priority | target.labels.key/value (obsoleto) additional.fields |
| DVR | principal.asset.hostname, principal.asset.ip |
| objeto | target.resource.name |
| object_attrs | about.labels.key/value (obsoleto) additional.fields |
| object_category | about.labels.key/value (obsoleto) additional.fields |
| object_id | target.user.product_object_id |
| object_path | target.file.full_path |
| Resultado | metadata.description |
| result_id | metadata.product_event_type |
| src | principal.ip principal.hostname principal.labels.key/value (obsoleto) |
| src_bunit | principal.labels.key/value (obsoleto) additional.fields |
| src_category | principal.labels.key/value (obsoleto) additional.fields |
| src_priority | principal.labels.key/value (obsoleto) additional.fields |
| Calendario | security_result.summary |
| etiqueta | about.labels.key/value (obsoleto) additional.fields |
| usuario | target.user.userid |
| user_agent | network.http.user_agent |
| user_name | principal.user.user_display_name, target.labels.key/value |
| user_type | principal.user.attribute.roles.type, target.user.attribute.roles.type |
| vendor_account | about.labels.key/value (obsoleto) additional.fields |
| vendor_product | about.labels.key/value (obsoleto) additional.fields |
| vendor_region | about.location.country_or_region |
Account_Management
En la siguiente tabla, se enumeran los campos de registro y las asignaciones de UDM correspondientes para el conjunto de datos de Splunk Account_Management:
| Campo de registro | Asignación de UDM |
|---|---|
| dest_nt_domain | target.administrative_domain |
| src_nt_domain | principal.administrative_domain |
| src_user | principal.user.userid |
| src_user_bunit | principal.labels.key/value (obsoleto) additional.fields |
| src_user_category | principal.labels.key/value (obsoleto) additional.fields |
| src_user_priority | principal.labels.key/value (obsoleto) additional.fields |
| src_user_name | principal.labels.key/value (obsoleto) additional.fields |
| src_user_type | principal.user.attribute.roles.type |
Instance_Changes
En la siguiente tabla, se enumeran los campos de registro y las asignaciones UDM correspondientes para el conjunto de datos de Splunk Instance_Changes:
| Campo de registro | Asignación de UDM |
|---|---|
| image_id | principal.asset_id |
| instance_type | about.labels.key/value (obsoleto) additional.fields |
network_Changes
En la siguiente tabla, se enumeran los campos de registro y las asignaciones UDM correspondientes para el conjunto de datos de Splunk network_Changes:
| Campo de registro | Asignación de UDM |
|---|---|
| dest_ip_range | target.labels.key/value (obsoleto) additional.fields |
| dest_port_range | target.labels.key/value (obsoleto) additional.fields |
| direction | network.direction |
| protocol | network.ip_protocol |
| rule_action | security_result.action_details security_result.action |
| src_ip_range | principal.labels.key/value (obsoleto) additional.fields |
| src_port_range | principal.labels.key/value (obsoleto) additional.fields |
Data_Access
En la siguiente tabla, se enumeran los campos de registro y las asignaciones UDM correspondientes para el conjunto de datos de Splunk Data_Access:
| Campo de registro | Asignación de UDM |
|---|---|
| acción | security_result.action_details security_result.action |
| app | target.application |
| app_id | metadata.product_log_id |
| dest | target.ip target.hostname target.labels.key/value (obsoleto) |
| dest_name | target.administrative_domain |
| dest_url | target.url |
| DVR | principal.asset.hostname, principal.asset.ip |
| correo electrónico | principal.user.email_addresses |
| objeto | target.resource.name |
| object_category | about.labels.key/value (obsoleto) additional.fields |
| object_id | target.user.product_object_id |
| object_path | target.file.full_path |
| object_size | target.file.size |
| propietario | about.labels.key/value (obsoleto) additional.fields |
| owner_email | about.labels.key/value (obsoleto) additional.fields |
| owner_id | principal.user.userid |
| parent_object | target.resource.parent |
| parent_object_id | about.labels.key/value (obsoleto) additional.fields |
| parent_object_category | about.labels.key/value (obsoleto) additional.fields |
| src | principal.ip principal.hostname principal.labels.key/value (obsoleto) |
| tenant_id | about.labels.key/value (obsoleto) additional.fields |
| usuario | principal.user.user_display_name |
| user_agent | network.http.user_agent |
| user_group | principal.user.group_identifiers(repeated) |
| user_role | principal.user.attribute.roles.name (repetido) |
| vendor_product | about.labels.key/value (obsoleto) additional.fields |
| vendor_product_id | about.labels.key/value (obsoleto) additional.fields |
All_Databases
En la siguiente tabla, se enumeran los campos de registro y las asignaciones UDM correspondientes para el conjunto de datos de Splunk All_Databases:
| Campo de registro | Asignación de UDM |
|---|---|
| dest | target.ip target.hostname target.labels.key/value (obsoleto) |
| dest_bunit | target.labels.key/value (obsoleto) additional.fields |
| dest_category | target.labels.key/value (obsoleto) additional.fields |
| dest_priority | target.labels.key/value (obsoleto) additional.fields |
| duration | network.session_duration |
| objeto | target.resource.name |
| response_time | about.labels.key/value (obsoleto) additional.fields |
| src | principal.ip principal.hostname principal.labels.key/value (obsoleto) |
| src_bunit | principal.labels.key/value (obsoleto) additional.fields |
| src_category | principal.labels.key/value (obsoleto) additional.fields |
| src_priority | principal.labels.key/value (obsoleto) additional.fields |
| etiqueta | about.labels.key/value (obsoleto) additional.fields |
| usuario | principal.user.user_display_name |
| user_bunit | about.labels.key/value (obsoleto) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value (obsoleto) additional.fields |
Database_Instance
En la siguiente tabla, se enumeran los campos de registro y las asignaciones de UDM correspondientes para el conjunto de datos de Splunk Database_Instance:
| Campo de registro | Asignación de UDM |
|---|---|
| instance_name | target.resource.attributes.key/value |
| instance_version | target.resource.attributes.key/value |
| process_limit | about.labels.key/value (obsoleto) additional.fields |
| session_limit | about.labels.key/value (obsoleto) additional.fields |
Database_Query
En la siguiente tabla, se enumeran los campos de registro y las asignaciones de UDM correspondientes para el conjunto de datos de Splunk Database_Query:
| Campo de registro | Asignación de UDM |
|---|---|
| búsqueda | about.labels.key/value (obsoleto) additional.fields |
| query_id | about.labels.key/value (obsoleto) additional.fields |
| query_time | about.labels.key/value (obsoleto) additional.fields |
| records_affected | about.labels.key/value (obsoleto) additional.fields |
Instance_Stats
En la siguiente tabla, se enumeran los campos de registro y las asignaciones de UDM correspondientes para el conjunto de datos de Splunk Instance_Stats:
| Campo de registro | Asignación de UDM |
|---|---|
| general | about.labels.key/value (obsoleto) additional.fields |
| avg_executions | about.labels.key/value (obsoleto) additional.fields |
| dump_area_used | about.labels.key/value (obsoleto) additional.fields |
| instance_reads | about.labels.key/value (obsoleto) additional.fields |
| instance_writes | about.labels.key/value (obsoleto) additional.fields |
| number_of_users | about.labels.key/value (obsoleto) additional.fields |
| Procesos | about.labels.key/value (obsoleto) additional.fields |
| sesiones | about.labels.key/value (obsoleto) additional.fields |
| sga_buffer_cache_size | about.labels.key/value (obsoleto) additional.fields |
| sga_buffer_hit_limit | about.labels.key/value (obsoleto) additional.fields |
| sga_data_dict_hit_ratio | about.labels.key/value (obsoleto) additional.fields |
| sga_fixed_area_size | about.labels.key/value (obsoleto) additional.fields |
| sga_free_memory | about.labels.key/value (obsoleto) additional.fields |
| sga_library_cache_size | about.labels.key/value (obsoleto) additional.fields |
| sga_redo_log_buffer_size | about.labels.key/value (obsoleto) additional.fields |
| sga_shared_pool_size | about.labels.key/value (obsoleto) additional.fields |
| sga_sql_area_size | about.labels.key/value (obsoleto) additional.fields |
| start_time | about.labels.key/value (obsoleto) additional.fields |
| tablespace_used | about.labels.key/value (obsoleto) additional.fields |
Session_Info
En la siguiente tabla, se enumeran los campos de registro y las asignaciones de UDM correspondientes para el conjunto de datos de Splunk Session_Info:
| Campo de registro | Asignación de UDM |
|---|---|
| buffer_cache_hit_ratio | about.labels.key/value (obsoleto) additional.fields |
| confirmaciones | about.labels.key/value (obsoleto) additional.fields |
| cpu_used | about.labels.key/value (obsoleto) additional.fields |
| cursor | about.labels.key/value (obsoleto) additional.fields |
| elapsed_time | about.labels.key/value (obsoleto) additional.fields |
| logical_reads | about.labels.key/value (obsoleto) additional.fields |
| máquina | about.hostname |
| memory_sorts | about.labels.key/value (obsoleto) additional.fields |
| physical_reads | about.labels.key/value (obsoleto) additional.fields |
| seconds_in_wait | about.labels.key/value (obsoleto) additional.fields |
| session_id | network.session_id |
| session_status | about.labels.key/value (obsoleto) additional.fields |
| table_scans | about.labels.key/value (obsoleto) additional.fields |
| wait_state | about.labels.key/value (obsoleto) additional.fields |
| wait_time | about.labels.key/value (obsoleto) additional.fields |
Lock_Info
En la siguiente tabla, se enumeran los campos de registro y las asignaciones de UDM correspondientes para el conjunto de datos de Splunk Lock_Info:
| Campo de registro | Asignación de UDM |
|---|---|
| last_call_minute | about.labels.key/value (obsoleto) additional.fields |
| lock_mode | about.labels.key/value (obsoleto) additional.fields |
| lock_session_id | about.labels.key/value (obsoleto) additional.fields |
| logon_time | about.labels.key/value (obsoleto) additional.fields |
| obj_name | about.labels.key/value (obsoleto) additional.fields |
| os_pid | target.process.pid |
| serial_num | target.resource.product_object_id |
Espacio de tabla
En la siguiente tabla, se enumeran los campos de registro y las asignaciones de UDM correspondientes para el espacio de tablas del conjunto de datos de Splunk:
| Campo de registro | Asignación de UDM |
|---|---|
| free_bytes | about.file.size |
| tablespace_name | about.resource.name |
| tablespace_reads | about.labels.key/value (obsoleto) additional.fields |
| tablespace_status | about.labels.key/value (obsoleto) additional.fields |
| tablespace_writes | about.labels.key/value (obsoleto) additional.fields |
Query_Stats
En la siguiente tabla, se enumeran los campos de registro y las asignaciones de UDM correspondientes para el conjunto de datos de Splunk Query_Stats:
| Campo de registro | Asignación de UDM |
|---|---|
| indexes_hit | about.labels.key/value (obsoleto) additional.fields |
| query_plan_hit | about.labels.key/value (obsoleto) additional.fields |
| stored_procedures_called | about.labels.key/value (obsoleto) additional.fields |
| tables_hit | about.labels.key/value (obsoleto) additional.fields |
DLP_Incidents
En la siguiente tabla, se enumeran los campos de registro y las asignaciones de UDM correspondientes para el conjunto de datos DLP_Incidents de Splunk:
| Campo de registro | Asignación de UDM |
|---|---|
| acción | security_result.action_details security_result.action |
| app | target.application |
| category | security_result.category_details |
| dest | target.ip target.hostname target.labels.key/value (obsoleto) |
| dest_bunit | target.labels.key/value (obsoleto) additional.fields |
| dest_category | target.labels.key/value (obsoleto) additional.fields |
| dest_priority | target.labels.key/value (obsoleto) additional.fields |
| dest_zone | target.location.country_or_origin |
| dlp_type | about.labels.key/value (obsoleto) additional.fields |
| DVR | principal.asset.hostname, principal.asset.ip |
| dvc_bunit | about.labels.key/value (obsoleto) additional.fields |
| dvc_category | about.labels.key/value (obsoleto) additional.fields |
| dvc_priority | about.labels.key/value (obsoleto) additional.fields |
| dvc_zone | principal.asset.location.country_or_region |
| objeto | target.resource.name |
| object_category | about.labels.key/value (obsoleto) additional.fields |
| object_path | target.file.full_path |
| gravedad, | security_result.severity |
| severity_id | about.labels.key/value (obsoleto) additional.fields |
| firma | metadata.description |
| signature_id | metadata.product_event_type |
| src | principal.ip principal.hostname principal.labels.key/value (obsoleto) |
| src_bunit | principal.labels.key/value (obsoleto) additional.fields |
| src_category | principal.labels.key/value (obsoleto) additional.fields |
| src_priority | principal.labels.key/value (obsoleto) additional.fields |
| src_user | principal.user.user_display_name |
| src_user_bunit | principal.labels.key/value (obsoleto) additional.fields |
| src_user_category | principal.labels.key/value (obsoleto) additional.fields |
| src_user_priority | principal.labels.key/value (obsoleto) additional.fields |
| src_zone | principal.location.country_or_origin |
| etiqueta | about.labels.key/value (obsoleto) additional.fields |
| usuario | principal.user.user_display_name |
| user_bunit | about.labels.key/value (obsoleto) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value (obsoleto) additional.fields |
All_Email
En la siguiente tabla, se enumeran los campos de registro y las asignaciones UDM correspondientes para el conjunto de datos de Splunk All_Email:
| Campo de registro | Asignación de UDM |
|---|---|
| acción | security_result.action_details security_result.action |
| delay | about.labels.key/value (obsoleto) additional.fields |
| dest | target.ip target.hostname target.labels.key/value (obsoleto) |
| dest_bunit | target.labels.key/value (obsoleto) additional.fields |
| dest_category | target.labels.key/value (obsoleto) additional.fields |
| dest_priority | target.labels.key/value (obsoleto) additional.fields |
| duration | network.session_duration |
| file_hash | about.file.sha256, about.file.md5, about.file.sha1 |
| file_name | about.labels.key/value (obsoleto) additional.fields |
| file_size | about.file.size |
| internal_message_id | metadata.product_log_id |
| message_id | network.email.mail_id |
| message_info | about.labels.key/value (obsoleto) additional.fields |
| orig_dest | target.labels.key/value (obsoleto) additional.fields |
| orig_recipient | about.labels.key/value (obsoleto) additional.fields |
| orig_src | network.email.from |
| inversa | principal.process.command_line |
| process_id | principal.process.pid |
| protocol | network.application_protocol |
| destinatario | network.email.to |
| recipient_count | about.labels.key/value (obsoleto) additional.fields |
| recipient_domain | about.labels.key/value (obsoleto) additional.fields |
| recipient_status | about.labels.key/value (obsoleto) additional.fields |
| response_time | about.labels.key/value (obsoleto) additional.fields |
| retries | about.labels.key/value (obsoleto) additional.fields |
| return_addr | about.labels.key/value (obsoleto) additional.fields |
| tamaño | about.labels.key/value (obsoleto) additional.fields |
| src | principal.ip principal.hostname principal.labels.key/value (obsoleto) |
| src_bunit | principal.labels.key/value (obsoleto) additional.fields |
| src_category | principal.labels.key/value (obsoleto) additional.fields |
| src_priority | principal.labels.key/value (obsoleto) additional.fields |
| src_user | principal.user.email_addresses |
| src_user_bunit | principal.labels.key/value (obsoleto) additional.fields |
| src_user_category | principal.labels.key/value (obsoleto) additional.fields |
| src_user_domain | principal.administrative_domain |
| src_user_priority | principal.labels.key/value (obsoleto) additional.fields |
| status_code | about.labels.key/value (obsoleto) additional.fields |
| asunto | network.email.subject(repeated) |
| etiqueta | about.labels.key/value (obsoleto) additional.fields |
| url | about.url |
| usuario | principal.user.user_display_name |
| user_bunit | about.labels.key/value (obsoleto) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value (obsoleto) additional.fields |
| Xdelay | about.labels.key/value (obsoleto) additional.fields |
| Referencia cruzada | about.labels.key/value (obsoleto) additional.fields |
Filtros
En la siguiente tabla, se enumeran los campos de registro y las asignaciones UDM correspondientes para el filtrado del conjunto de datos de Splunk:
| Campo de registro | Asignación de UDM |
|---|---|
| filter_action | about.labels.key/value (obsoleto) additional.fields |
| filter_score | about.labels.key/value (obsoleto) additional.fields |
| firma | metadata.description |
| signature_extra | about.labels.key/value (obsoleto) additional.fields |
| signature_id | metadata.product_event_type |
Puertos
En la siguiente tabla, se enumeran los campos de registro y las asignaciones UDM correspondientes para los puertos del conjunto de datos de Splunk:
| Campo de registro | Asignación de UDM |
|---|---|
| creation_time | about.labels.key/value (obsoleto) additional.fields |
| dest | target.ip target.hostname target.labels.key/value (obsoleto) |
| dest_bunit | target.labels.key/value (obsoleto) additional.fields |
| dest_category | target.labels.key/value (obsoleto) additional.fields |
| dest_port | target.port |
| dest_priority | target.labels.key/value (obsoleto) additional.fields |
| dest_requires_av | target.labels.key/value (obsoleto) additional.fields |
| dest_should_timesync | target.labels.key/value (obsoleto) additional.fields |
| dest_should_update | target.labels.key/value (obsoleto) additional.fields |
| process_guid | principal.process.product_specific_process_id |
| process_id | principal.process.pid |
| src | principal.ip principal.hostname principal.labels.key/value (obsoleto) |
| src_category | principal.labels.key/value (obsoleto) additional.fields |
| src_priority | principal.labels.key/value (obsoleto) additional.fields |
| src_port | principal.port |
| src_requires_av | principal.labels.key/value (obsoleto) additional.fields |
| src_should_timesync | principal.labels.key/value (obsoleto) additional.fields |
| src_should_update | principal.labels.key/value (obsoleto) additional.fields |
| state | about.labels.key/value (obsoleto) additional.fields |
| etiqueta | about.labels.key/value (obsoleto) additional.fields |
| transport | network.ip_protocol |
| transport_dest_port | target.labels.key/value (obsoleto) additional.fields |
| usuario | principal.user.user_display_name |
| user_bunit | about.labels.key/value (obsoleto) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
Procesos
En la siguiente tabla, se enumeran los campos de registro y las asignaciones UDM correspondientes para los procesos del conjunto de datos de Splunk:
| Campo de registro | Asignación de UDM |
|---|---|
| acción | security_result.action_details security_result.action |
| cpu_load_percent | about.labels.key/value (obsoleto) additional.fields |
| dest | target.ip target.hostname target.labels.key/value (obsoleto) |
| dest_bunit | target.labels.key/value (obsoleto) additional.fields |
| dest_category | target.labels.key/value (obsoleto) additional.fields |
| dest_is_expected | target.labels.key/value (obsoleto) additional.fields |
| dest_priority | target.labels.key/value (obsoleto) additional.fields |
| dest_requires_av | target.labels.key/value (obsoleto) additional.fields |
| dest_should_timesync | target.labels.key/value (obsoleto) additional.fields |
| dest_should_update | target.labels.key/value (obsoleto) additional.fields |
| mem_used | about.labels.key/value (obsoleto) additional.fields |
| original_file_name | src.file.full_path |
| os | principal.asset.platform_software.platform_version |
| parent_process | about.labels.key/value (obsoleto) additional.fields |
| parent_process_exec | about.labels.key/value (obsoleto) additional.fields |
| parent_process_id | principal.process.parent_process.parent_pid |
| parent_process_guid | principal.process.parent_process.product_specific_process_id |
| parent_process_name | about.labels.key/value (obsoleto) additional.fields |
| parent_process_path | principal.process.parent_process.command_line |
| inversa | about.labels.key/value (obsoleto) additional.fields |
| process_current_directory | about.labels.key/value (obsoleto) additional.fields |
| process_exec | about.labels.key/value (obsoleto) additional.fields |
| process_hash | principal.process.file.sha256/principal.process.file.md5/principal..process.file.sha1 |
| process_guid | principal.process.product_specific_process_id |
| process_id | principal.process.pid |
| process_integrity_level | security_result.severity |
| process_name | principal.process.command_line |
| process_path | principal.process.file.full_path |
| etiqueta | about.labels.key/value (obsoleto) additional.fields |
| usuario | principal.user.user_display_name |
| user_id | principal.user.userid |
| user_bunit | about.labels.key/value (obsoleto) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value (obsoleto) additional.fields |
Servicios
En la siguiente tabla, se enumeran los campos de registro y las asignaciones UDM correspondientes para los servicios del conjunto de datos de Splunk:
| Campo de registro | Asignación de UDM |
|---|---|
| description | security_result.description |
| dest | target.ip target.hostname target.labels.key/value (obsoleto) |
| dest_bunit | target.labels.key/value (obsoleto) additional.fields |
| dest_category | target.labels.key/value (obsoleto) additional.fields |
| dest_is_expected | target.labels.key/value (obsoleto) additional.fields |
| dest_priority | target.labels.key/value (obsoleto) additional.fields |
| dest_requires_av | target.labels.key/value (obsoleto) additional.fields |
| dest_should_timesync | target.labels.key/value (obsoleto) additional.fields |
| dest_should_update | target.labels.key/value (obsoleto) additional.fields |
| process_guid | principal.process.product_specific_process_id |
| process_id | principal.process.pid |
| externo | target.application |
| service_dll | about.labels.key/value (obsoleto) additional.fields |
| service_dll_path | about.file.full_path |
| service_dll_hash | about.labels.key/value (obsoleto) additional.fields |
| service_dll_signature_exists | about.labels.key/value (obsoleto) additional.fields |
| service_dll_signature_verified | about.labels.key/value (obsoleto) additional.fields |
| service_exec | target.process.file.full_path |
| service_hash | about.labels.key/value (obsoleto) additional.fields |
| service_id | about.labels.key/value (obsoleto) additional.fields |
| service_name | about.labels.key/value (obsoleto) additional.fields |
| service_path | about.labels.key/value (obsoleto) additional.fields |
| service_signature_exists | about.labels.key/value (obsoleto) additional.fields |
| service_signature_verified | about.labels.key/value (obsoleto) additional.fields |
| start_mode | about.labels.key/value (obsoleto) additional.fields |
| Calendario | security_result.summary |
| etiqueta | about.labels.key/value (obsoleto) additional.fields |
| usuario | principal.user.user_display_name |
| user_bunit | about.labels.key/value (obsoleto) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value (obsoleto) additional.fields |
Sistema de archivos
En la siguiente tabla, se enumeran los campos de registro y las asignaciones de UDM correspondientes para el sistema de archivos del conjunto de datos de Splunk:
| Campo de registro | Asignación de UDM |
|---|---|
| acción | security_result.action_details security_result.action |
| dest | target.ip target.hostname target.labels.key/value (obsoleto) |
| dest_bunit | target.labels.key/value (obsoleto) additional.fields |
| dest_category | target.labels.key/value (obsoleto) additional.fields |
| dest_priority | target.labels.key/value (obsoleto) additional.fields |
| dest_requires_av | target.labels.key/value (obsoleto) additional.fields |
| dest_should_timesync | target.labels.key/value (obsoleto) additional.fields |
| dest_should_update | target.labels.key/value (obsoleto) additional.fields |
| file_access_time | about.labels.key/value (obsoleto) additional.fields |
| file_create_time | target.asset.attribute.creation_time |
| file_hash | target.file.sha256, target.file.md5, target.file.sha1 |
| file_modify_time | about.labels.key/value (obsoleto) additional.fields |
| file_name | about.labels.key/value (obsoleto) additional.fields |
| file_path | target.file.full_path |
| file_acl | about.labels.key/value (obsoleto) additional.fields |
| file_size | target.file.size |
| process_guid | principal.process.product_specific_process_id |
| process_id | principal.process.pid |
| etiqueta | about.labels.key/value (obsoleto) additional.fields |
| usuario | principal.user.user_display_name |
| user_bunit | about.labels.key/value (obsoleto) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value (obsoleto) additional.fields |
Registro
En la siguiente tabla, se enumeran los campos de registro y las asignaciones de UDM correspondientes para el registro del conjunto de datos de Splunk:
| Campo de registro | Asignación de UDM |
|---|---|
| acción | security_result.action_details security_result.action |
| dest | target.ip target.hostname target.labels.key/value (obsoleto) |
| dest_bunit | target.labels.key/value (obsoleto) additional.fields |
| dest_category | target.labels.key/value (obsoleto) additional.fields |
| dest_priority | target.labels.key/value (obsoleto) additional.fields |
| dest_requires_av | target.labels.key/value (obsoleto) additional.fields |
| dest_should_timesync | target.labels.key/value (obsoleto) additional.fields |
| dest_should_update | target.labels.key/value (obsoleto) additional.fields |
| process_guid | principal.process.product_specific_process_id |
| process_id | principal.process.pid |
| registry_hive | about.labels.key/value (obsoleto) additional.fields |
| registry_path | about.labels.key/value (obsoleto) additional.fields |
| registry_key_name | target.registry.registry_key |
| registry_value_data | target.registry.registry_value_data |
| registry_value_name | target.registry.registry_value_name |
| registry_value_text | about.labels.key/value (obsoleto) additional.fields |
| registry_value_type | about.labels.key/value (obsoleto) additional.fields |
| Calendario | security_result.summary |
| etiqueta | about.labels.key/value (obsoleto) additional.fields |
| usuario | principal.user.user_display_name |
| user_bunit | about.labels.key/value (obsoleto) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value (obsoleto) additional.fields |
Firmas
En la siguiente tabla, se enumeran los campos de registro y las asignaciones UDM correspondientes para las firmas del conjunto de datos de Splunk:
| Campo de registro | Asignación de UDM |
|---|---|
| dest | target.ip target.hostname target.labels.key/value (obsoleto) |
| dest_bunit | target.labels.key/value (obsoleto) additional.fields |
| dest_category | target.labels.key/value (obsoleto) additional.fields |
| dest_priority | target.labels.key/value (obsoleto) additional.fields |
| firma | metadata.description |
| signature_id | metadata.product_event_type |
| etiqueta | about.labels.key/value (obsoleto) additional.fields |
Signatures_vendor_product
En la siguiente tabla, se enumeran los campos de registro y las asignaciones de UDM correspondientes para el conjunto de datos de Splunk Signatures_vendor_product:
| Campo de registro | Asignación de UDM |
|---|---|
| vendor_product | about.labels.key/value (obsoleto) additional.fields |
All_Interprocess_Messaging
En la siguiente tabla, se enumeran los campos de registro y las asignaciones UDM correspondientes para el conjunto de datos de Splunk All_Interprocess_Messaging:
| Campo de registro | Asignación de UDM |
|---|---|
| dest | target.ip target.hostname target.labels.key/value (obsoleto) |
| dest_bunit | target.labels.key/value (obsoleto) additional.fields |
| dest_category | target.labels.key/value (obsoleto) additional.fields |
| dest_priority | target.labels.key/value (obsoleto) additional.fields |
| duration | network.session_duration |
| extremo | about.labels.key/value (obsoleto) additional.fields |
| endpoint_version | about.labels.key/value (obsoleto) additional.fields |
| mensaje | about.labels.key/value (obsoleto) additional.fields |
| message_consumed_time | about.labels.key/value (obsoleto) additional.fields |
| message_correlation_id | about.labels.key/value (obsoleto) additional.fields |
| message_delivered_time | about.labels.key/value (obsoleto) additional.fields |
| message_delivery_mode | about.labels.key/value (obsoleto) additional.fields |
| message_expiration_time | about.labels.key/value (obsoleto) additional.fields |
| message_id | metadata.product.log_id |
| message_priority | about.labels.key/value (obsoleto) additional.fields |
| message_properties | about.labels.key/value (obsoleto) additional.fields |
| message_received_time | about.labels.key/value (obsoleto) additional.fields |
| message_redelivered | about.labels.key/value (obsoleto) additional.fields |
| message_reply_dest | target.labels.key/value (obsoleto) additional.fields |
| message_type | about.labels.key/value (obsoleto) additional.fields |
| Parámetros | about.labels.key/value (obsoleto) additional.fields |
| payload | about.labels.key/value (obsoleto) additional.fields |
| payload_type | about.labels.key/value (obsoleto) additional.fields |
| request_payload | about.labels.key/value (obsoleto) additional.fields |
| request_payload_type | about.labels.key/value (obsoleto) additional.fields |
| request_sent_time | about.labels.key/value (obsoleto) additional.fields |
| response_code | network.http.response_code |
| response_payload_type | about.labels.key/value (obsoleto) additional.fields |
| response_received_time | about.labels.key/value (obsoleto) additional.fields |
| response_time | about.labels.key/value (obsoleto) additional.fields |
| return_message | about.labels.key/value (obsoleto) additional.fields |
| rpc_protocol | network.application_protocol |
| Calendario | security_result.summary |
| etiqueta | about.labels.key/value (obsoleto) additional.fields |
IDS_Attacks
En la siguiente tabla, se enumeran los campos de registro y las asignaciones UDM correspondientes para el conjunto de datos de Splunk IDS_Attacks:
| Campo de registro | Asignación de UDM |
|---|---|
| acción | security_result.action_details security_result.action |
| category | security_result.category_details |
| dest | target.ip target.hostname target.labels.key/value (obsoleto) |
| dest_bunit | target.labels.key/value (obsoleto) additional.fields |
| dest_category | target.labels.key/value (obsoleto) additional.fields |
| dest_priority | target.labels.key/value (obsoleto) additional.fields |
| DVR | principal.asset.hostname, principal.asset.ip |
| dvc_bunit | about.labels.key/value (obsoleto) additional.fields |
| dvc_category | about.labels.key/value (obsoleto) additional.fields |
| dvc_priority | about.labels.key/value (obsoleto) additional.fields |
| file_hash | target.file.sha256, target.file.md5, target.file.sha1 |
| file_name | about.labels.key/value (obsoleto) additional.fields |
| file_path | target.file.full_path |
| ids_type | about.labels.key/value (obsoleto) additional.fields |
| gravedad, | security_result.severity |
| severity_id | about.labels.key/value (obsoleto) additional.fields |
| firma | metadata.description |
| signature_id | metadata.product_event_type |
| src | principal.ip principal.hostname principal.labels.key/value (obsoleto) |
| src_bunit | principal.labels.key/value (obsoleto) additional.fields |
| src_category | principal.labels.key/value (obsoleto) additional.fields |
| src_priority | principal.labels.key/value (obsoleto) additional.fields |
| src_port | principal.port |
| etiqueta | about.labels.key/value (obsoleto) additional.fields |
| transport | network.ip_protocol |
| usuario | principal.user.user_display_name |
| user_bunit | about.labels.key/value (obsoleto) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value (obsoleto) additional.fields |
DS_Attacks
En la siguiente tabla, se enumeran los campos de registro y las asignaciones UDM correspondientes para el conjunto de datos de Splunk DS_Attacks:
| Campo de registro | Asignación de UDM |
|---|---|
| dest_port | target.port |
All_Inventory
En la siguiente tabla, se enumeran los campos de registro y las asignaciones de UDM correspondientes para el conjunto de datos de Splunk All_Inventory:
| Campo de registro | Asignación de UDM |
|---|---|
| description | security_result.description |
| dest | target.ip target.hostname target.labels.key/value (obsoleto) |
| dest_bunit | target.labels.key/value (obsoleto) additional.fields |
| dest_category | target.labels.key/value (obsoleto) additional.fields |
| dest_priority | target.labels.key/value (obsoleto) additional.fields |
| habilitada | about.labels.key/value (obsoleto) additional.fields |
| familia | about.labels.key/value (obsoleto) additional.fields |
| hypervisor_id | about.labels.key/value (obsoleto) additional.fields |
| serial | principal.asset.hardware.serial_number |
| Calendario | security_result.summary |
| etiqueta | about.labels.key/value (obsoleto) additional.fields |
| vendor_product | about.labels.key/value (obsoleto) additional.fields |
| versión | about.labels.key/value (obsoleto) additional.fields |
CPU
En la siguiente tabla, se enumeran los campos de registro y las asignaciones UDM correspondientes para la CPU del conjunto de datos de Splunk:
| Campo de registro | Asignación de UDM |
|---|---|
| cpu_cores | principal.asset.hardware.cpu_number_cores |
| cpu_count | about.labels.key/value (obsoleto) additional.fields |
| cpu_mhz | principal.asset.hardware.cpu_clock_speed |
| cpu_load_mhz | principal.asset.hardware.cpu_clock_speed |
| cpu_load_percent | about.labels.key/value (obsoleto) additional.fields |
| cpu_time | about.labels.key/value (obsoleto) additional.fields |
| cpu_user_percent | about.labels.key/value (obsoleto) additional.fields |
Memoria
En la siguiente tabla, se enumeran los campos de registro y las asignaciones UDM correspondientes para la memoria del conjunto de datos de Splunk:
| Campo de registro | Asignación de UDM |
|---|---|
| mem | principal.asset.hardware.ram |
| heap_committed | about.labels.key/value (obsoleto) additional.fields |
| heap_initial | about.labels.key/value (obsoleto) additional.fields |
| heap_max | about.labels.key/value (obsoleto) additional.fields |
| heap_used | about.labels.key/value (obsoleto) additional.fields |
| non_heap_committed | about.labels.key/value (obsoleto) additional.fields |
| non_heap_initial | about.labels.key/value (obsoleto) additional.fields |
| non_heap_max | about.labels.key/value (obsoleto) additional.fields |
| non_heap_used | about.labels.key/value (obsoleto) additional.fields |
| objects_pending | about.labels.key/value (obsoleto) additional.fields |
| mem | principal.asset.hardware.ram |
| mem_committed | about.labels.key/value (obsoleto) additional.fields |
| mem_free | about.labels.key/value (obsoleto) additional.fields |
| mem_used | about.labels.key/value (obsoleto) additional.fields |
| Cambio | about.labels.key/value (obsoleto) additional.fields |
| swap_free | about.labels.key/value (obsoleto) additional.fields |
| swap_used | about.labels.key/value (obsoleto) additional.fields |
red
En la siguiente tabla, se enumeran los campos de registro y las asignaciones UDM correspondientes para la red del conjunto de datos de Splunk:
| Campo de registro | Asignación de UDM |
|---|---|
| dest_ip | target.ip |
| dns | about.labels.key/value (obsoleto) additional.fields |
| inline_nat | about.labels.key/value (obsoleto) additional.fields |
| Interfaz | about.labels.key/value (obsoleto) additional.fields |
| ip | principal.asset.ip |
| lb_method | about.labels.key/value (obsoleto) additional.fields |
| mac | principal.asset.mac |
| name | principal.resource.name |
| nodo | about.labels.key/value (obsoleto) additional.fields |
| node_port | target.port |
| src_ip | principal.ip |
| vip_port | about.labels.key/value (obsoleto) additional.fields |
| thrput | about.labels.key/value (obsoleto) additional.fields |
| thruput_max | about.labels.key/value (obsoleto) additional.fields |
SO
En la siguiente tabla, se enumeran los campos de registro y las asignaciones UDM correspondientes para el SO del conjunto de datos de Splunk:
| Campo de registro | Asignación de UDM |
|---|---|
| os | principal.asset.platform_software.platform_version |
| committed_memory | about.labels.key/value (obsoleto) additional.fields |
| cpu_time | about.labels.key/value (obsoleto) additional.fields |
| free_physical_memory | about.labels.key/value (obsoleto) additional.fields |
| free_swap | about.labels.key/value (obsoleto) additional.fields |
| max_file_descriptors | about.labels.key/value (obsoleto) additional.fields |
| open_file_descriptors | about.labels.key/value (obsoleto) additional.fields |
| os | principal.asset.platform_software.platform_version |
| os_architecture | about.labels.key/value (obsoleto) additional.fields |
| os_version | about.labels.key/value (obsoleto) additional.fields |
| physical_memory | about.labels.key/value (obsoleto) additional.fields |
| swap_space | about.labels.key/value (obsoleto) additional.fields |
| system_load | about.labels.key/value (obsoleto) additional.fields |
| total_processors | about.labels.key/value (obsoleto) additional.fields |
| firma | metadata.description |
| signature_id | metadata.product_event_type |
Almacenamiento
En la siguiente tabla, se enumeran los campos de registro y las asignaciones UDM correspondientes para el almacenamiento del conjunto de datos de Splunk:
| Campo de registro | Asignación de UDM |
|---|---|
| array | about.labels.key/value (obsoleto) additional.fields |
| tamaño de bloque | about.labels.key/value (obsoleto) additional.fields |
| clúster | about.resource.resource_type = "CLUSTER" |
| fd_max | about.labels.key/value (obsoleto) additional.fields |
| latencia | about.labels.key/value (obsoleto) additional.fields |
| mount | principal.resource.attribute.labels.key/value |
| parent | principal.resource.parent |
| read_blocks | about.labels.key/value (obsoleto) additional.fields |
| read_latency | about.labels.key/value (obsoleto) additional.fields |
| read_ops | about.labels.key/value (obsoleto) additional.fields |
| almacenamiento | about.labels.key/value (obsoleto) additional.fields |
| write_blocks | about.labels.key/value (obsoleto) additional.fields |
| write_latency | about.labels.key/value (obsoleto) additional.fields |
| write_ops | about.labels.key/value (obsoleto) additional.fields |
| array | about.labels.key/value (obsoleto) additional.fields |
| tamaño de bloque | about.labels.key/value (obsoleto) additional.fields |
| clúster | about.resource.resource_type = "CLUSTER" |
| fd_max | about.labels.key/value (obsoleto) additional.fields |
| fd_used | about.labels.key/value (obsoleto) additional.fields |
| latencia | about.labels.key/value (obsoleto) additional.fields |
| mount | about.labels.key/value (obsoleto) additional.fields |
| parent | principal.resource.parent |
| read_blocks | about.labels.key/value (obsoleto) additional.fields |
| read_latency | about.labels.key/value (obsoleto) additional.fields |
| read_ops | about.labels.key/value (obsoleto) additional.fields |
| almacenamiento | about.labels.key/value (obsoleto) additional.fields |
| storage_free | about.labels.key/value (obsoleto) additional.fields |
| storage_free_percent | about.labels.key/value (obsoleto) additional.fields |
| storage_used | about.labels.key/value (obsoleto) additional.fields |
| storage_used_percent | about.labels.key/value (obsoleto) additional.fields |
| write_blocks | about.labels.key/value (obsoleto) additional.fields |
| write_latency | about.labels.key/value (obsoleto) additional.fields |
| write_ops | about.labels.key/value (obsoleto) additional.fields |
| error_code | security_result.description |
| operación | about.labels.key/value (obsoleto) additional.fields |
| storage_name | about.resource.name |
Usuario
En la siguiente tabla, se enumeran los campos de registro y las asignaciones UDM correspondientes para el usuario del conjunto de datos de Splunk:
| Campo de registro | Asignación de UDM |
|---|---|
| interactive | about.labels.key/value (obsoleto) additional.fields |
| contraseña | about.labels.key/value (obsoleto) additional.fields |
| shell | about.labels.key/value (obsoleto) additional.fields |
| usuario | principal.user.user_display_name |
| user_bunit | about.labels.key/value (obsoleto) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_id | principal.user.userid |
| user_priority | principal.user.attribute.label.key/value |
Virtual_OS
En la siguiente tabla, se enumeran los campos de registro y las asignaciones UDM correspondientes para el conjunto de datos Virtual_OS de Splunk:
| Campo de registro | Asignación de UDM |
|---|---|
| hipervisor | about.labels.key/value (obsoleto) additional.fields |
Instantánea
En la siguiente tabla, se enumeran los campos de registro y las asignaciones de UDM correspondientes para la instantánea del conjunto de datos de Splunk:
| Campo de registro | Asignación de UDM |
|---|---|
| tamaño | about.file.size |
| instantánea | about.labels.key/value (obsoleto) additional.fields |
| tiempo | about.labels.key/value (obsoleto) additional.fields |
JVM
En la siguiente tabla, se enumeran los campos de registro y las asignaciones de UDM correspondientes para la JVM del conjunto de datos de Splunk:
| Campo de registro | Asignación de UDM |
|---|---|
| jvm_description | security_result.description |
| etiqueta | about.labels.key/value (obsoleto) additional.fields |
Subprocesos
En la siguiente tabla, se enumeran los campos de registro y las asignaciones UDM correspondientes para los subprocesos del conjunto de datos de Splunk:
| Campo de registro | Asignación de UDM |
|---|---|
| cm_enabled | about.labels.key/value (obsoleto) additional.fields |
| cm_supported | about.labels.key/value (obsoleto) additional.fields |
| cpu_time_enabled | about.labels.key/value (obsoleto) additional.fields |
| cpu_time_supported | about.labels.key/value (obsoleto) additional.fields |
| current_cpu_time | about.labels.key/value (obsoleto) additional.fields |
| current_user_time | about.labels.key/value (obsoleto) additional.fields |
| daemon_thread_count | about.labels.key/value (obsoleto) additional.fields |
| omu_supported | about.labels.key/value (obsoleto) additional.fields |
| peak_thread_count | about.labels.key/value (obsoleto) additional.fields |
| synch_supported | about.labels.key/value (obsoleto) additional.fields |
| thread_count | about.labels.key/value (obsoleto) additional.fields |
| threads_started | about.labels.key/value (obsoleto) additional.fields |
Entorno de ejecución
En la siguiente tabla, se enumeran los campos de registro y las asignaciones UDM correspondientes para el entorno de ejecución del conjunto de datos de Splunk:
| Campo de registro | Asignación de UDM |
|---|---|
| process_name | principal.process.command_line |
| start_time | about.labels.key/value (obsoleto) additional.fields |
| tiempo de actividad | about.labels.key/value (obsoleto) additional.fields |
| vendor_product | about.labels.key/value (obsoleto) additional.fields |
| versión | about.labels.key/value (obsoleto) additional.fields |
Compilación
En la siguiente tabla, se enumeran los campos de registro y las asignaciones de UDM correspondientes para la compilación del conjunto de datos de Splunk:
| Campo de registro | Asignación de UDM |
|---|---|
| compilation_time | about.labels.key/value (obsoleto) additional.fields |
Carga de clases
En la siguiente tabla, se enumeran los campos de registro y las asignaciones de UDM correspondientes para el conjunto de datos de Splunk de carga de clases:
| Campo de registro | Asignación de UDM |
|---|---|
| current_loaded | about.labels.key/value (obsoleto) additional.fields |
| total_loaded | about.labels.key/value (obsoleto) additional.fields |
| total_unloaded | about.labels.key/value (obsoleto) additional.fields |
Malware_Attacks
En la siguiente tabla, se enumeran los campos de registro y las asignaciones de UDM correspondientes para el conjunto de datos de Splunk Malware_Attacks:
| Campo de registro | Asignación de UDM |
|---|---|
| acción | security_result.action_details security_result.action |
| category | security_result.category_details |
| date | about.labels.key/value (obsoleto) additional.fields |
| dest | target.ip target.hostname target.labels.key/value (obsoleto) |
| dest_bunit | target.labels.key/value (obsoleto) additional.fields |
| dest_category | target.labels.key/value (obsoleto) additional.fields |
| dest_nt_domain | target.administrative_domain |
| dest_priority | target.labels.key/value (obsoleto) additional.fields |
| dest_requires_av | target.labels.key/value (obsoleto) additional.fields |
| file_hash | target.file.sha256, target.file.md5, target.file.sha1 |
| file_name | about.labels.key/value (obsoleto) additional.fields |
| file_path | target.file.full_path |
| gravedad, | security_result.severity |
| severity_id | about.labels.key/value (obsoleto) additional.fields |
| firma | metadata.description |
| signature_id | metadata.product_event_type |
| src | principal.ip principal.hostname principal.labels.key/value (obsoleto) |
| src_bunit | principal.labels.key/value (obsoleto) additional.fields |
| src_category | principal.labels.key/value (obsoleto) additional.fields |
| src_priority | principal.labels.key/value (obsoleto) additional.fields |
| src_user | principal.user.user_display_name |
| etiqueta | about.labels.key/value (obsoleto) additional.fields |
| usuario | principal.user.user_display_name |
| user_bunit | about.labels.key/value (obsoleto) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| url | about.url |
| vendor_product | about.labels.key/value (obsoleto) additional.fields |
Malware_Operations
En la siguiente tabla, se enumeran los campos de registro y las asignaciones de UDM correspondientes para el conjunto de datos de Splunk Malware_Operations:
| Campo de registro | Asignación de UDM |
|---|---|
| dest | target.ip target.hostname target.labels.key/value (obsoleto) |
| dest_bunit | target.labels.key/value (obsoleto) additional.fields |
| dest_nt_domain | target.labels.key/value (obsoleto) additional.fields |
| dest_nt_domain | target.labels.key/value (obsoleto) additional.fields |
| dest_priority | target.labels.key/value (obsoleto) additional.fields |
| dest_requires_av | target.labels.key/value (obsoleto) additional.fields |
| product_version | about.labels.key/value (obsoleto) additional.fields |
| signature_version | security_result.rule_version |
| etiqueta | about.labels.key/value (obsoleto) additional.fields |
| vendor_product | about.labels.key/value (obsoleto) additional.fields |
Malware_Operations
En la siguiente tabla, se enumeran los campos de registro y las asignaciones de UDM correspondientes para el conjunto de datos de Splunk Malware_Operations:
| Campo de registro | Asignación de UDM |
|---|---|
| dest_category | target.labels.key/value (obsoleto) additional.fields |
DNS
En la siguiente tabla, se enumeran los campos de registro y las asignaciones UDM correspondientes para el DNS del conjunto de datos de Splunk:
| Campo de registro | Asignación de UDM |
|---|---|
| additional_answer_count | about.labels.key/value (obsoleto) additional.fields |
| answer | network.dns.answer.data |
| answer_count | about.labels.key/value (obsoleto) additional.fields |
| authority_answer_count | about.labels.key/value (obsoleto) additional.fields |
| dest | target.ip target.hostname target.labels.key/value (obsoleto) |
| dest_bunit | target.labels.key/value (obsoleto) additional.fields |
| dest_category | target.labels.key/value (obsoleto) additional.fields |
| dest_port | target.port |
| dest_priority | target.labels.key/value (obsoleto) additional.fields |
| duration | network.session_duration |
| message_type | about.labels.key/value (obsoleto) additional.fields |
| name | about.labels.key/value (obsoleto) additional.fields |
| búsqueda | network.dns.questions.name |
| query_count | about.labels.key/value (obsoleto) additional.fields |
| query_type | network.dns.questions.type |
| record_type | network.dns.answer.type(uint32) |
| reply_code | about.labels.key/value (obsoleto) additional.fields |
| reply_code_id | network.dns.response_code |
| response_time | about.labels.key/value (obsoleto) additional.fields |
| src | principal.ip principal.hostname principal.labels.key/value (obsoleto) |
| src_bunit | principal.labels.key/value (obsoleto) additional.fields |
| src_category | principal.labels.key/value (obsoleto) additional.fields |
| src_port | principal.port |
| src_priority | principal.labels.key/value (obsoleto) additional.fields |
| etiqueta | about.labels.key/value (obsoleto) additional.fields |
| transaction_id | network.dns.id |
| transport | network.ip_protocol |
| ttl | about.labels.key/value (obsoleto) additional.fields |
| vendor_product | about.labels.key/value (obsoleto) additional.fields |
All_Sessions
En la siguiente tabla, se enumeran los campos de registro y las asignaciones de UDM correspondientes para el conjunto de datos de Splunk All_Sessions:
| Campo de registro | Asignación de UDM |
|---|---|
| acción | security_result.action_details security_result.action |
| dest_bunit | target.labels.key/value (obsoleto) additional.fields |
| dest_category | target.labels.key/value (obsoleto) additional.fields |
| dest_dns | target.labels.key/value (obsoleto) additional.fields |
| dest_ip | network.dhcp.ciaddr |
| dest_mac | network.dhcp.chaddr |
| dest_nt_host | target.labels.key/value (obsoleto) additional.fields |
| dest_priority | target.labels.key/value (obsoleto) additional.fields |
| duration | network.session_duration |
| response_time | about.labels.key/value (obsoleto) additional.fields |
| firma | metadata.description |
| signature_id | metadata.product_event_type |
| src_bunit | principal.labels.key/value (obsoleto) additional.fields |
| src_category | principal.labels.key/value (obsoleto) additional.fields |
| src_dns | principal.labels.key/value (obsoleto) additional.fields |
| src_ip | principal.ip |
| src_mac | principal.mac |
| src_nt_host | principal.labels.key/value (obsoleto) additional.fields |
| src_priority | principal.labels.key/value (obsoleto) additional.fields |
| etiqueta | about.labels.key/value (obsoleto) additional.fields |
| usuario | principal.user.user_display_name |
| user_bunit | about.labels.key/value (obsoleto) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value (obsoleto) additional.fields |
DHCP
En la siguiente tabla, se enumeran los campos de registro y las asignaciones UDM correspondientes para el DHCP del conjunto de datos de Splunk:
| Campo de registro | Asignación de UDM |
|---|---|
| lease_duration | network.dhcp.lease_time_second |
| lease_scope | about.labels.key/value (obsoleto) additional.fields |
All_Traffic
En la siguiente tabla, se enumeran los campos de registro y las asignaciones de UDM correspondientes para el conjunto de datos de Splunk All_Traffic:
| Campo de registro | Asignación de UDM |
|---|---|
| acción | security_result.action_details security_result.action |
| app | network.application_protocol |
| bytes | about.labels.key/value (obsoleto) additional.fields |
| bytes_in | network.received_bytes |
| bytes_out | network.sent_bytes |
| channel | about.labels.key/value (obsoleto) additional.fields |
| dest | target.ip target.hostname target.labels.key/value (obsoleto) |
| dest_bunit | target.labels.key/value (obsoleto) additional.fields |
| dest_category | target.labels.key/value (obsoleto) additional.fields |
| dest_interface | target.labels.key/value (obsoleto) additional.fields |
| dest_ip | target.ip |
| dest_mac | target.mac |
| dest_port | target.port |
| dest_priority | target.labels.key/value (obsoleto) additional.fields |
| dest_translated_ip | target.nat_ip |
| dest_translated_port | target.nat_port |
| dest_zone | target.location.country_or_origin |
| direction | network.direction |
| duration | network.session_duration |
| DVR | principal.asset.hostname, principal.asset.ip |
| dvc_bunit | about.labels.key/value (obsoleto) additional.fields |
| dvc_category | about.labels.key/value (obsoleto) additional.fields |
| dvc_ip | about.labels.key/value (obsoleto) additional.fields |
| dvc_mac | principal.asset.mac |
| dvc_priority | about.labels.key/value (obsoleto) additional.fields |
| dvc_zone | principal.asset.location.country_or_region |
| flow_id | about.labels.key/value (obsoleto) additional.fields |
| icmp_code | about.labels.key/value (obsoleto) additional.fields |
| icmp_type | about.labels.key/value (obsoleto) additional.fields |
| paquetes | about.labels.key/value (obsoleto) additional.fields |
| packets_in | about.labels.key/value (obsoleto) additional.fields |
| packets_out | about.labels.key/value (obsoleto) additional.fields |
| protocol | about.labels.key/value (obsoleto) additional.fields |
| protocol_version | about.labels.key/value (obsoleto) additional.fields |
| response_time | about.labels.key/value (obsoleto) additional.fields |
| regla | security_result.rule_id |
| session_id | network.session_id |
| src | principal.ip principal.hostname principal.labels.key/value (obsoleto) |
| src_bunit | principal.labels.key/value (obsoleto) additional.fields |
| src_category | principal.labels.key/value (obsoleto) additional.fields |
| src_interface | principal.labels.key/value (obsoleto) additional.fields |
| src_ip | principal.ip |
| src_mac | principal.mac |
| src_port | principal.port |
| src_priority | principal.labels.key/value (obsoleto) additional.fields |
| src_translated_ip | principal.nat_ip |
| src_translated_port | principal.nat_port |
| src_zone | principal.location.country_or_origin |
| SID | about.labels.key/value (obsoleto) additional.fields |
| etiqueta | about.labels.key/value (obsoleto) additional.fields |
| tcp_flag | about.labels.key/value (obsoleto) additional.fields |
| transport | network.ip_protocol |
| tos | about.labels.key/value (obsoleto) additional.fields |
| ttl | network.dns.additional.ttl |
| usuario | principal.user.userid |
| user_bunit | about.labels.key/value (obsoleto) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_account | about.labels.key/value (obsoleto) additional.fields |
| vendor_product | about.labels.key/value (obsoleto) additional.fields |
| vlan | about.labels.key/value (obsoleto) additional.fields |
| Wi-Fi | about.labels.key/value (obsoleto) additional.fields |
All_Performance
En la siguiente tabla, se enumeran los campos de registro y las asignaciones de UDM correspondientes para el conjunto de datos de Splunk All_Performance:
| Campo de registro | Asignación de UDM |
|---|---|
| dest | target.ip target.hostname target.labels.key/value (obsoleto) |
| dest_bunit | target.labels.key/value (obsoleto) additional.fields |
| dest_category | target.labels.key/value (obsoleto) additional.fields |
| dest_priority | target.labels.key/value (obsoleto) additional.fields |
| dest_should_timesync | target.labels.key/value (obsoleto) additional.fields |
| dest_should_update | target.labels.key/value (obsoleto) additional.fields |
| hypervisor_id | about.labels.key/value (obsoleto) additional.fields |
| resource_type | about.labels.key/value (obsoleto) additional.fields |
| etiqueta | about.labels.key/value (obsoleto) additional.fields |
Servicios
En la siguiente tabla, se enumeran los campos de registro y las asignaciones de UDM correspondientes para las instalaciones del conjunto de datos de Splunk:
| Campo de registro | Asignación de UDM |
|---|---|
| fan_speed | about.labels.key/value (obsoleto) additional.fields |
| power | about.labels.key/value (obsoleto) additional.fields |
| temperatura | about.labels.key/value (obsoleto) additional.fields |
Sincronización de tiempo
En la siguiente tabla, se enumeran los campos de registro y las asignaciones UDM correspondientes para el conjunto de datos de Splunk Timesync:
| Campo de registro | Asignación de UDM |
|---|---|
| acción | security_result.action_details security_result.action |
Tiempo de actividad
En la siguiente tabla, se enumeran los campos de registro y las asignaciones de UDM correspondientes para el tiempo de actividad del conjunto de datos de Splunk:
| Campo de registro | Asignación de UDM |
|---|---|
| tiempo de actividad | about.labels.key/value (obsoleto) additional.fields |
View_Activity
En la siguiente tabla, se enumeran los campos de registro y las asignaciones de UDM correspondientes para el conjunto de datos de Splunk View_Activity:
| Campo de registro | Asignación de UDM |
|---|---|
| app | target.application |
| invertiste | about.labels.key/value (obsoleto) additional.fields |
| uri | about.labels.key/value (obsoleto) additional.fields |
| usuario | principal.user.user_display_name |
| vista | about.labels.key/value (obsoleto) additional.fields |
Datamodel_Acceleration
En la siguiente tabla, se enumeran los campos de registro y las asignaciones de UDM correspondientes para el conjunto de datos de Splunk Datamodel_Acceleration:
| Campo de registro | Asignación de UDM |
|---|---|
| access_count | about.labels.key/value (obsoleto) additional.fields |
| access_time | about.labels.key/value (obsoleto) additional.fields |
| app | target.application |
| buckets | about.labels.key/value (obsoleto) additional.fields |
| buckets_size | about.labels.key/value (obsoleto) additional.fields |
| completa | about.labels.key/value (obsoleto) additional.fields |
| cron | about.labels.key/value (obsoleto) additional.fields |
| modelo de datos | about.labels.key/value (obsoleto) additional.fields |
| resumen | about.labels.key/value (obsoleto) additional.fields |
| primer | about.labels.key/value (obsoleto) additional.fields |
| is_inprogress | about.labels.key/value (obsoleto) additional.fields |
| last_error | about.labels.key/value (obsoleto) additional.fields |
| last_sid | about.labels.key/value (obsoleto) additional.fields |
| más reciente | about.labels.key/value (obsoleto) additional.fields |
| mod_time | about.labels.key/value (obsoleto) additional.fields |
| retención | about.labels.key/value (obsoleto) additional.fields |
| tamaño | about.file.size |
| summary_id | about.labels.key/value (obsoleto) additional.fields |
Search_Activity
En la siguiente tabla, se enumeran los campos de registro y las asignaciones de UDM correspondientes para el conjunto de datos de Splunk Search_Activity:
| Campo de registro | Asignación de UDM |
|---|---|
| host | about.hostname |
| información | about.labels.key/value (obsoleto) additional.fields |
| buscar | about.labels.key/value (obsoleto) additional.fields |
| search_et | about.labels.key/value (obsoleto) additional.fields |
| search_lt | about.labels.key/value (obsoleto) additional.fields |
| search_type | about.labels.key/value (obsoleto) additional.fields |
| source | principal.labels.key/value (obsoleto) additional.fields |
| tipo de fuente | principal.labels.key/value (obsoleto) additional.fields |
| usuario | principal.user.user_display_name |
| user_bunit | about.labels.key/value (obsoleto) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
Scheduler_Activity
En la siguiente tabla, se enumeran los campos de registro y las asignaciones de UDM correspondientes para el conjunto de datos de Splunk Scheduler_Activity:
| Campo de registro | Asignación de UDM |
|---|---|
| app | target.application |
| host | about.hostname |
| savedsearch_name | about.labels.key/value (obsoleto) additional.fields |
| sid | about.labels.key/value (obsoleto) additional.fields |
| source | principal.labels.key/value (obsoleto) additional.fields |
| tipo de fuente | principal.labels.key/value (obsoleto) additional.fields |
| splunk_server | principal.ip y principal.nombredehost |
| Calendario | security_result.summary |
| usuario | principal.user.user_display_name |
Web_Service_Errors
En la siguiente tabla, se enumeran los campos de registro y las asignaciones de UDM correspondientes para el conjunto de datos de Splunk Web_Service_Errors:
| Campo de registro | Asignación de UDM |
|---|---|
| host | about.hostname |
| source | principal.labels.key/value (obsoleto) additional.fields |
| tipo de fuente | principal.labels.key/value (obsoleto) additional.fields |
| event_id | security_result.rule_name |
Modular_Actions
En la siguiente tabla, se enumeran los campos de registro y las asignaciones de UDM correspondientes para el conjunto de datos de Splunk Modular_Actions:
| Campo de registro | Asignación de UDM |
|---|---|
| action_mode | about.labels.key/value (obsoleto) additional.fields |
| action_status | about.labels.key/value (obsoleto) additional.fields |
| app | target.application |
| duration | network.session_duration |
| componente | about.labels.key/value (obsoleto) additional.fields |
| orig_rid | about.labels.key/value (obsoleto) additional.fields |
| orig_sid | about.labels.key/value (obsoleto) additional.fields |
| rid | about.labels.key/value (obsoleto) additional.fields |
| search_name | about.labels.key/value (obsoleto) additional.fields |
| action_name | security_result.action_details |
| firma | metadata.description |
| sid | about.labels.key/value (obsoleto) additional.fields |
| usuario | about.labels.key/value (obsoleto) additional.fields |
All_Ticket_Management
En la siguiente tabla, se enumeran los campos de registro y las asignaciones de UDM correspondientes para el conjunto de datos de Splunk All_Ticket_Management:
| Campo de registro | Asignación de UDM |
|---|---|
| affect_dest | target.labels.key/value (obsoleto) additional.fields |
| comentarios | about.labels.key/value (obsoleto) additional.fields |
| description | security_result.description |
| dest | target.ip target.hostname target.labels.key/value (obsoleto) |
| dest_bunit | target.labels.key/value (obsoleto) additional.fields |
| dest_category | target.labels.key/value (obsoleto) additional.fields |
| dest_priority | target.labels.key/value (obsoleto) additional.fields |
| priority | security_result.priority_details |
| gravedad, | security_result.severity |
| severity_id | about.labels.key/value (obsoleto) additional.fields |
| splunk_id | about.labels.key/value (obsoleto) additional.fields |
| splunk_realm | about.labels.key/value (obsoleto) additional.fields |
| src_user | principal.user.user_display_name |
| src_user_bunit | principal.labels.key/value (obsoleto) additional.fields |
| src_user_category | principal.labels.key/value (obsoleto) additional.fields |
| src_user_priority | principal.labels.key/value (obsoleto) additional.fields |
| Calendario | security_result.summary |
| etiqueta | about.labels.key/value (obsoleto) additional.fields |
| ticket_id | target.user.attribute.label.ley/valor |
| time_submitted | principal.user.attribute.creation_time |
| usuario | principal.user.user_display_name |
| user_bunit | about.labels.key/value (obsoleto) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
Cambiar
En la siguiente tabla, se enumeran los campos de registro y las asignaciones UDM correspondientes para el cambio del conjunto de datos de Splunk:
| Campo de registro | Asignación de UDM |
|---|---|
| cambiar | about.labels.key/value (obsoleto) additional.fields |
Incidente
En la siguiente tabla, se enumeran los campos de registro y las asignaciones UDM correspondientes para el incidente del conjunto de datos de Splunk:
| Campo de registro | Asignación de UDM |
|---|---|
| incidente | about.labels.key/value (obsoleto) additional.fields |
Problema
En la siguiente tabla, se enumeran los campos de registro y las asignaciones UDM correspondientes para el problema del conjunto de datos de Splunk:
| Campo de registro | Asignación de UDM |
|---|---|
| problema | about.labels.key/value (obsoleto) additional.fields |
Actualizaciones
En la siguiente tabla, se enumeran los campos de registro y las asignaciones de UDM correspondientes para las actualizaciones del conjunto de datos de Splunk:
| Campo de registro | Asignación de UDM |
|---|---|
| dest | target.ip target.hostname target.labels.key/value (obsoleto) |
| dest_bunit | target.labels.key/value (obsoleto) additional.fields |
| dest_category | target.labels.key/value (obsoleto) additional.fields |
| dest_priority | target.labels.key/value (obsoleto) additional.fields |
| dest_should_update | target.labels.key/value (obsoleto) additional.fields |
| DVR | principal.asset.hostname, principal.asset.ip |
| file_hash | target.file.sha256, target.file.md5, target.file.sha1 |
| file_name | about.labels.key/value (obsoleto) additional.fields |
| gravedad, | security_result.severity |
| severity_id | about.labels.key/value (obsoleto) additional.fields |
| firma | metadata.description |
| signature_id | metadata.product_event_type |
| Calendario | security_result.summary |
| etiqueta | about.labels.key/value (obsoleto) additional.fields |
| vendor_product | about.labels.key/value (obsoleto) additional.fields |
Vulnerabilidades
En la siguiente tabla, se enumeran los campos de registro y las asignaciones UDM correspondientes para las vulnerabilidades del conjunto de datos de Splunk:
| Campo de registro | Asignación de UDM |
|---|---|
| Bugtraq | about.labels.key/value (obsoleto) additional.fields |
| category | security_result.category_details |
| cert | about.labels.key/value (obsoleto) additional.fields |
| cve | vulnerabilites.cve_description |
| cvss | vulnerabilites.cvss_base_score |
| dest | target.ip target.hostname target.labels.key/value (obsoleto) |
| dest_bunit | target.labels.key/value (obsoleto) additional.fields |
| dest_category | target.labels.key/value (obsoleto) additional.fields |
| dest_priority | target.labels.key/value (obsoleto) additional.fields |
| DVR | principal.asset.hostname, principal.asset.ip |
| dvc_bunit | about.labels.key/value (obsoleto) additional.fields |
| dvc_category | about.labels.key/value (obsoleto) additional.fields |
| dvc_priority | about.labels.key/value (obsoleto) additional.fields |
| Msft | about.labels.key/value (obsoleto) additional.fields |
| mskb | about.labels.key/value (obsoleto) additional.fields |
| gravedad, | extensions.vulns.vulnerabilites.severity |
| severity_id | about.labels.key/value (obsoleto) additional.fields |
| firma | metadata.description |
| signature_id | metadata.product_event_type |
| etiqueta | about.labels.key/value (obsoleto) additional.fields |
| url | extensions.vulns.vulnerabilites.about.url |
| usuario | extensions.vulns.vulnerabilites.about.user.user_display_name |
| user_bunit | about.labels.key/value (obsoleto) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value (obsoleto) additional.fields |
| Referencia cruzada | about.labels.key/value (obsoleto) additional.fields |
Web
En la siguiente tabla, se enumeran los campos de registro y las asignaciones UDM correspondientes para el conjunto de datos web de Splunk:
| Campo de registro | Asignación de UDM |
|---|---|
| acción | security_result.action_details security_result.action |
| app | target.application |
| bytes | about.labels.key/value (obsoleto) additional.fields |
| bytes_in | network.received_bytes |
| bytes_out | network.sent_bytes |
| almacenado en caché | about.labels.key/value (obsoleto) additional.fields |
| category | security_result.category_details |
| galleta | about.labels.key/value (obsoleto) additional.fields |
| dest | target.ip target.hostname target.labels.key/value (obsoleto) |
| dest_bunit | target.labels.key/value (obsoleto) additional.fields |
| dest_category | target.labels.key/value (obsoleto) additional.fields |
| dest_priority | target.labels.key/value (obsoleto) additional.fields |
| dest_port | target.port |
| duration | network.session_duration |
| http_content_type | about.labels.key/value (obsoleto) additional.fields |
| http_method | network.http.method |
| http_referrer | network.http.referral_url |
| http_referrer_domain | about.labels.key/value (obsoleto) additional.fields |
| http_user_agent | network.http.user_agent |
| http_user_agent_length | about.labels.key/value (obsoleto) additional.fields |
| response_time | about.labels.key/value (obsoleto) additional.fields |
| sitio | about.labels.key/value (obsoleto) additional.fields |
| src | principal.ip principal.hostname principal.labels.key/value (obsoleto) |
| src_bunit | principal.labels.key/value (obsoleto) additional.fields |
| src_category | principal.labels.key/value (obsoleto) additional.fields |
| src_priority | principal.labels.key/value (obsoleto) additional.fields |
| Calendario | network.http.response_code |
| etiqueta | about.labels.key/value (obsoleto) additional.fields |
| uri_path | about.labels.key/value (obsoleto) additional.fields |
| uri_query | about.labels.key/value (obsoleto) additional.fields |
| url | about.url |
| url_domain | about.asset.network_domain |
| url_length | about.labels.key/value (obsoleto) additional.fields |
| usuario | principal.user.user_display_name |
| user_bunit | about.labels.key/value (obsoleto) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value (obsoleto) additional.fields |
Tipos de eventos de UDM
En la siguiente tabla, se enumeran las etiquetas de Splunk y los tipos de eventos de UDM correspondientes:
| Modelo de datos | Etiquetas de Splunk | Tipo de evento de UDM |
|---|---|---|
| Alertas | alerta | STATUS_UPDATE |
| Authentication | authentication | USER_UNCATEGORIZED |
| Certificado | certificado | NETWORK_UNCATEGORIZED |
| Cambiar | cambiar | SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Acceso a los datos | datos, acceso | USER_RESOURCE_ACCESS |
| Bases de datos | base de datos | USER_RESOURCE_ACCESS |
| Bases de datos | base de datos, instancia, estadísticas | STATUS_UPDATE |
| Bases de datos | base de datos, instancia, estado | STATUS_UPDATE |
| Bases de datos | base de datos, instancia, bloqueo | STATUS_UPDATE |
| Bases de datos | base de datos, consulta | STATUS_UPDATE |
| Bases de datos | base de datos, consulta, espacio de tabla | STATUS_UPDATE |
| Bases de datos | base de datos, consulta, estadísticas | STATUS_UPDATE |
| Prevención de pérdida de datos | dlp, incidente | SCAN_UNCATEGORIZED |
| correo electrónico | EMAIL_UNCATEGORIZED | |
| correo electrónico, entrega | EMAIL_TRANSACTION | |
| Extremo | escucha, puerto | SERVICE_UNSPECIFIED |
| Extremo | proceso, informe | PROCESS_UNCATEGORIZED |
| Extremo | servicio, informe | SERVICE_UNSPECIFIED |
| Extremo | extremo, sistema de archivos | FILE_UNCATEGORIZED |
| Extremo | extremo, registro | REGISTRY_UNCATEGORIZED |
| Firma del evento | track_event_signature | STATUS_UPDATE |
| Mensajes entre procesos | mensajería | STATUS_UPDATE |
| Detección de intrusiones | IDs, ataque | SERVICE_UNSPECIFIED |
| Inventario | inventario | SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Máquina virtual Java (JVM) | jvm | SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Software malicioso | malware | STATUS_UPDATE |
| Resolución de red(DNS) | red, resolución, dns | NETWORK_DNS |
| Sesiones de red | red, sesión | NETWORK_CONNECTION |
| Sesiones de red | red, sesión, dhcp | NETWORK_DHCP |
| Tráfico de red | red, comunicarse | NETWORK_CONNECTION |
| Rendimiento | rendimiento | SERVICE_UNSPECIFIED |
| Registros de auditoría de Splunk | moda | STATUS_UPDATE |
| Administración de tickets | venta de entradas | STATUS_UPDATE |
| Administración de tickets | venta de entradas, cambio | STATUS_UPDATE |
| Actualizaciones | update | STATUS_UPDATE |
| Vulnerabilidades | informe, vulnerabilidades | SCAN_UNCATEGORIZED |
| Web | web | NETWORK_UNCATEGORIZED |