Mengumpulkan log CIM Splunk
Dokumen ini menjelaskan cara mengumpulkan log Splunk Common Information Model (CIM) dengan mengonfigurasi Splunk dan forwarder Chronicle. Dokumen ini juga mencantumkan jenis log yang didukung dan versi Splunk yang didukung.
Untuk mengetahui informasi selengkapnya, lihat Penyerapan data ke Chronicle.
Ringkasan
Diagram arsitektur deployment berikut menunjukkan cara konfigurasi agen Splunk untuk mengirim log ke Chronicle. Setiap deployment pelanggan mungkin berbeda dari representasi ini dan mungkin lebih kompleks.
Diagram arsitektur menampilkan komponen berikut:
Sumber data: Sistem yang akan dipantau tempat Splunk diinstal.
Splunk: Mengumpulkan informasi dari sumber data dan meneruskan informasi ke penerus Chronicle.
Chronicle forwarder: Komponen software ringan, yang di-deploy di jaringan pelanggan untuk meneruskan log ke Chronicle.
Chronicle: Menyimpan dan menganalisis log dari server Fleet.
Label penyerapan mengidentifikasi parser yang menormalisasi data log mentah
ke format UDM terstruktur. Informasi dalam dokumen ini berlaku untuk parser
dengan label penyerapan SPLUNK.
Sebelum memulai
Gunakan Splunk versi 5.0 yang didukung parser Chronicle.
Pastikan semua sistem dalam arsitektur deployment dikonfigurasi dalam zona waktu UTC.
Mengonfigurasi agen Splunk dan penerusan Chronicle
Instal agen yang sesuai dengan CIM dari Splunkbase.
Konfigurasi penerusan Chronicle untuk mengirim log ke sistem Chronicle. Berikut adalah contoh konfigurasi penerusan Chronicle:
- splunk: common: enabled: true data_type: SPLUNK batch_n_seconds: 10 batch_n_bytes: 819200 url: <SPLUNK_URL> query_cim: true is_ignore_cert: true query_string: datamodel Network_Traffic All_Traffic flat
Pertimbangan untuk menulis kueri penelusuran Splunk
Splunk memiliki bahasa pencarian sendiri, yang mirip dengan SQL. Pastikan Anda menggunakan sintaks yang benar untuk kueri penelusuran Anda. Pertimbangkan karakteristik penelusuran berikut saat Anda membuat kueri:
Karakter escape
Jika nilai string berisi tanda kutip ganda ", gunakan karakter garis miring terbalik untuk meng-escape tanda kutip. Jika tidak, penelusuran akan salah menafsirkan akhir nilai string.
Misalnya: Untuk menelusuri string WHERE _raw="The user "vpatel" isn't authenticated.",
Anda harus menggunakan urutan \" untuk menelusuri tanda kutip ganda literal.
Tulis string penelusuran dalam format berikut:
WHERE _raw="The user \"vpatel\" isn't authenticated."
Untuk meng-escape karakter garis miring terbalik \ , gunakan urutan \\ untuk menelusuri garis miring terbalik.
Misalnya, jika ada string seperti C:\user\abc, string ini harus ditulis sebagai C:\\user\\abc.
Penelusuran yang salah secara sintaksis
Jika sebagian kueri tidak valid, seluruh kueri tidak akan dievaluasi dan pesan error akan muncul.
Perhatikan contoh berikut yang opsi mode penelusurannya tidak ada dalam kueri:
multisearch [|datamodel Network_Traffic All_Traffic] [|datamodel Network_Sessions All_Sessions flat]
Dalam contoh ini, opsi mode penelusuran tidak ada dalam kueri. Hal ini menghasilkan error berikut:
Error in 'multisearch' command: Multisearch sub searches might only contain purely streaming operations. The search job has failed due to an error.
Dukungan untuk beberapa model data
Splunk mendukung satu kueri besar yang mencakup model data. Kueri penelusuran berikut mengekstrak data dari beberapa model data:
multisearch [|datamodel Network_Traffic All_Traffic flat] [|datamodel Network_Sessions All_Sessions flat]
Berikut adalah komponen kueri ini yang mencakup model data:
Multisearch: Kueri harus diawali dengan kata multisearch. Kueri untuk model data harus diapit dalam tanda kurung siku [ ] dan dimulai dengan karakter pipa |.
Network_Traffic: Nama model data.
All_Traffic: Set data dari model data Network_Traffic.
flat: Mode penelusuran. Opsi lainnya adalah search dan acceleration_search.
Sebaiknya gunakan kueri Splunk berikut untuk penelusuran beberapa model data:
multisearch [|datamodel Network_Traffic All_Traffic flat] [|datamodel Network_Sessions All_Sessions flat]
Jenis log dan model data yang didukung
| Model data Splunk | Didukung |
|---|---|
| Pemberitahuan | Ya |
| Status Aplikasi (tidak digunakan lagi) | Tidak |
| Authentication | Ya |
| Sertifikat | Ya |
| Ubah | Ya |
| Analisis Perubahan (tidak digunakan lagi) | Tidak |
| Akses Data | Ya |
| Database | Ya |
| Pencegahan Kebocoran Data | Ya |
| Ya | |
| Endpoint | Ya |
| Tanda Tangan Acara | Ya |
| Pesan Antar-proses | Ya |
| Deteksi Penyusupan | Ya |
| Inventaris | Ya |
| Java Virtual Machine (JVM) | Ya |
| Malware | Ya |
| Resolusi Jaringan (DNS) | Ya |
| Sesi Jaringan | Ya |
| Traffic Jaringan | Ya |
| Performa | Ya |
| Log Audit Splunk | Ya |
| Pengelolaan Tiket | Ya |
| Update | Ya |
| Kerentanan | Ya |
| Web | Ya |
Referensi pemetaan kolom
Bagian ini menjelaskan cara parser Chronicle memetakan kolom log Splunk ke kolom Chronicle Unified Data Model (UDM) untuk set data. Untuk informasi selengkapnya, lihat dokumen Splunk untuk versi 5.0.1.
Pemberitahuan
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk set data Splunk Alerts:
| Kolom log | Pemetaan UDM |
|---|---|
| aplikasi | observer.application |
| deskripsi | security_result.description |
| tujuan | target.ip, target.nama host, target.labels.key/value |
| dest_bunit | target.labels.key/value |
| dest_category | target.labels.key/value |
| dest_priority | target.labels.key/value |
| dest_type | target.resource.resource_type |
| id | metadata.product_log_id |
| mitre_technique_id | security_result.detection_fields.labels.key/value |
| tingkat keseriusan | security_result.severity |
| severity_id | about.labels.key/value |
| tanda tangan | metadata.description |
| signature_id | security_result.rule_name |
| src | principal.ip, principal.nama host, principal.labels.key/value |
| src_bunit | principal.labels.key/value |
| src_category | principal.labels.key/value |
| src_priority | principal.labels.key/value |
| src_type | principal.resource.resource_type |
| tag | about.labels.key/value |
| jenis | security_result.alert_state |
| pengguna | principal.user.user_display_name |
| user_bunit | about.labels.key/value |
| user_category | principal.user.attribute.labels.key/value |
| user_name | principal.user.userid |
| user_priority | principal.user.attribute.label.key/value |
| vendor_account | about.labels.key/value |
| vendor_region | about.location.country_or_region |
Authentication
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk Autentikasi set data Splunk:
| Kolom log | Pemetaan UDM |
|---|---|
| action | security_result.action_details security_result.action |
| aplikasi | target.application |
| authentication_method | about.labels.key/value |
| authentication_service | extension.auth.auth_details |
| tujuan | target.ip, target.nama host, target.labels.key/value |
| dest_bunit | target.labels.key/value |
| dest_category | target.labels.key/value |
| dest_nt_domain | target.labels.key/value |
| dest_priority | target.labels.key/value |
| durasi | network.session_duration |
| alasan | security_result.summary |
| response_time | about.labels.key/value |
| tanda tangan | metadata.description |
| signature_id | metadata.product_event_type |
| src | principal.ip, principal.nama host, principal.labels.key/value |
| src_bunit | principal.labels.key/value |
| src_category | principal.labels.key/value |
| src_nt_domain | principal.labels.key/value |
| src_priority | principal.labels.key/value |
| src_user | principal.user.user_display_name |
| src_user_bunit | principal.labels.key/value |
| src_user_category | principal.labels.key/value |
| src_user_id | principal.user.userid |
| src_user_priority | principal.labels.key/value |
| src_user_role | principal.user.attribute.roles.name (berulang) |
| src_user_type | principal.user.attribute.roles.type |
| tag | about.labels.key/value |
| pengguna | principal.user.user_display_name |
| user_agent | network.http.user_agent |
| user_bunit | about.labels.key/value |
| user_category | principal.user.attribute.labels.key/value |
| user_id | principal.user.userid |
| user_priority | principal.user.attribute.label.key/value |
| user_role | principal.user.attribute.roles.name (berulang) |
| user_type | principal.user.attribute.roles.type |
| vendor_account | about.labels.key/value |
All_Certificates
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk kumpulan data Splunk All_Certificates:
| Kolom log | Pemetaan UDM |
|---|---|
| tujuan | target.ip, target.nama host, target.labels.key/value |
| dest_bunit | target.labels.key/value |
| dest_category | target.labels.key/value |
| dest_port | target.port |
| dest_priority | target.labels.key/value |
| durasi | network.session_duration |
| response_time | about.labels.key/value |
| src | principal.ip, principal.nama host, principal.labels.key/value |
| src_bunit | principal.labels.key/value |
| src_category | principal.labels.key/value |
| src_port | principal.port |
| src_priority | principal.labels.key/value |
| tag | about.labels.key/value |
| {i>transport<i} | network.ip_protocol |
SSL
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk set data Splunk SSL:
| Kolom log | Pemetaan UDM |
|---|---|
| ssl_end_time | network.tls.server.certificate.not_after |
| ssl_engine | about.labels.key/value |
| ssl_hash | about.labels.key/value |
| ssl_is_valid | about.labels.key/value |
| ssl_issuer | network.tls.server.certificate.issuer |
| ssl_issuer_common_name | about.labels.key/value |
| ssl_issuer_email | about.labels.key/value |
| ssl_issuer_email_domain | about.labels.key/value |
| ssl_issuer_locality | about.labels.key/value |
| ssl_issuer_organization | about.labels.key/value |
| ssl_issuer_state | about.labels.key/value |
| ssl_issuer_street | about.labels.key/value |
| ssl_issuer_unit | about.labels.key/value |
| ssl_name | about.labels.key/value |
| ssl_policies | about.labels.key/value |
| ssl_publickey | about.labels.key/value |
| ssl_publickey_algorithm | about.labels.key/value |
| ssl_serial | network.tls.server.certificate.serial |
| ssl_session_id | network.session_id |
| ssl_signature_algorithm | about.labels.key/value |
| ssl_start_time | network.tls.server.certificate.not_before |
| ssl_subject | network.tls.server.certificate.subject |
| ssl_subject_common_name | about.labels.key/value |
| ssl_subject_email | about.labels.key/value |
| ssl_subject_email_domain | about.labels.key/value |
| ssl_subject_locality | about.labels.key/value |
| ssl_subject_organization | about.labels.key/value |
| ssl_subject_state | about.labels.key/value |
| ssl_subject_street | about.labels.key/value |
| ssl_subject_unit | about.labels.key/value |
| ssl_validity_window | about.labels.key/value |
| ssl_version | network.tls.server.certificate.version |
All_Changes
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk kumpulan data Splunk All_Changes:
| Kolom log | Pemetaan UDM |
|---|---|
| action | security_result.action_details security_result.action |
| change_type | security_result.category_details |
| perintah | principal.process.command_line |
| tujuan | target.ip, target.nama host, target.labels.key/value |
| dest_bunit | target.labels.key/value |
| dest_category | target.labels.key/value |
| dest_priority | target.labels.key/value |
| dvc | principal.asset.nama host, principal.asset.ip |
| objek | target.resource.name |
| object_attrs | about.labels.key/value |
| object_category | about.labels.key/value |
| object_id | target.user.product_object_id |
| object_path | target.file.full_path |
| hasil | metadata.description |
| result_id | metadata.product_event_type |
| src | principal.ip, principal.nama host, principal.labels.key/value |
| src_bunit | principal.labels.key/value |
| src_category | principal.labels.key/value |
| src_priority | principal.labels.key/value |
| status | security_result.summary |
| tag | about.labels.key/value |
| pengguna | target.user.userid |
| user_agent | network.http.user_agent |
| user_name | principal.user.user_display_name, target.labels.key/value |
| user_type | principal.user.attribute.roles.type, target.user.attribute.roles.type |
| vendor_account | about.labels.key/value |
| vendor_product | about.labels.key/value |
| vendor_region | about.location.country_or_region |
Account_Management
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk kumpulan data Splunk Account_Management:
| Kolom log | Pemetaan UDM |
|---|---|
| dest_nt_domain | target.administrative_domain |
| src_nt_domain | principal.administrative_domain |
| src_user | principal.user.userid |
| src_user_bunit | principal.labels.key/value |
| src_user_category | principal.labels.key/value |
| src_user_priority | principal.labels.key/value |
| src_user_name | principal.labels.key/value |
| src_user_type | principal.user.attribute.roles.type |
Instance_Changes
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk kumpulan data Splunk Instance_Changes:
| Kolom log | Pemetaan UDM |
|---|---|
| image_id | principal.asset_id |
| instance_type | about.labels.key/value |
network_Changes
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk set data Splunk network_Changes:
| Kolom log | Pemetaan UDM |
|---|---|
| dest_ip_range | target.labels.key/value |
| dest_port_range | target.labels.key/value |
| direction | network.direction |
| protokol | network.ip_protocol |
| rule_action | security_result.action_details security_result.action |
| src_ip_range | principal.labels.key/value |
| src_port_range | principal.labels.key/value |
Data_Access
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk set data Splunk Data_Access:
| Kolom log | Pemetaan UDM |
|---|---|
| action | security_result.action_details security_result.action |
| aplikasi | target.application |
| app_id | metadata.product_log_id |
| tujuan | target.ip, target.nama host, target.labels.key/value |
| dest_name | target.administrative_domain |
| dest_url | target.url |
| dvc | principal.asset.nama host, principal.asset.ip |
| principal.user.email_addresses | |
| objek | target.resource.name |
| object_category | about.labels.key/value |
| object_id | target.user.product_object_id |
| object_path | target.file.full_path |
| object_size | target.file.size |
| owner | about.labels.key/value |
| owner_email | about.labels.key/value |
| owner_id | principal.user.userid |
| parent_object | target.resource.parent |
| parent_object_id | about.labels.key/value |
| parent_object_category | about.labels.key/value |
| src | principal.ip, principal.nama host, principal.labels.key/value |
| tenant_id | about.labels.key/value |
| pengguna | principal.user.user_display_name |
| user_agent | network.http.user_agent |
| user_group | principal.user.group_identifiers(repeated) |
| user_role | principal.user.attribute.roles.name (berulang) |
| vendor_product | about.labels.key/value |
| vendor_product_id | about.labels.key/value |
All_Databases
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk kumpulan data Splunk All_Databases:
| Kolom log | Pemetaan UDM |
|---|---|
| tujuan | target.ip, target.nama host, target.labels.key/value |
| dest_bunit | target.labels.key/value |
| dest_category | target.labels.key/value |
| dest_priority | target.labels.key/value |
| durasi | network.session_duration |
| objek | target.resource.name |
| response_time | about.labels.key/value |
| src | principal.ip, principal.nama host, principal.labels.key/value |
| src_bunit | principal.labels.key/value |
| src_category | principal.labels.key/value |
| src_priority | principal.labels.key/value |
| tag | about.labels.key/value |
| pengguna | principal.user.user_display_name |
| user_bunit | about.labels.key/value |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value |
Database_Instance
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk set data Splunk Database_Instance:
| Kolom log | Pemetaan UDM |
|---|---|
| instance_name | target.resource.attributes.key/value |
| instance_version | target.resource.attributes.key/value |
| process_limit | about.labels.key/value |
| session_limit | about.labels.key/value |
Database_Query
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk kumpulan data Splunk Database_Query:
| Kolom log | Pemetaan UDM |
|---|---|
| query | about.labels.key/value |
| query_id | about.labels.key/value |
| query_time | about.labels.key/value |
| records_affected | about.labels.key/value |
Instance_Stats
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk kumpulan data Splunk Instance_Stats:
| Kolom log | Pemetaan UDM |
|---|---|
| ketersediaan | about.labels.key/value |
| avg_executions | about.labels.key/value |
| dump_area_used | about.labels.key/value |
| instance_reads | about.labels.key/value |
| instance_writes | about.labels.key/value |
| number_of_users | about.labels.key/value |
| proses | about.labels.key/value |
| sesi | about.labels.key/value |
| sga_buffer_cache_size | about.labels.key/value |
| sga_buffer_hit_limit | about.labels.key/value |
| sga_data_dict_hit_ratio | about.labels.key/value |
| sga_fixed_area_size | about.labels.key/value |
| sga_free_memory | about.labels.key/value |
| sga_library_cache_size | about.labels.key/value |
| sga_redo_log_buffer_size | about.labels.key/value |
| sga_shared_pool_size | about.labels.key/value |
| sga_sql_area_size | about.labels.key/value |
| start_time | about.labels.key/value |
| tablespace_used | about.labels.key/value |
Session_Info
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk kumpulan data Splunk Session_Info:
| Kolom log | Pemetaan UDM |
|---|---|
| buffer_cache_hit_ratio | about.labels.key/value |
| commit | about.labels.key/value |
| cpu_used | about.labels.key/value |
| cursor | about.labels.key/value |
| elapsed_time | about.labels.key/value |
| logical_reads | about.labels.key/value |
| mesin | about.hostname |
| memory_sorts | about.labels.key/value |
| physical_reads | about.labels.key/value |
| seconds_in_wait | about.labels.key/value |
| session_id | network.session_id |
| session_status | about.labels.key/value |
| table_scans | about.labels.key/value |
| wait_state | about.labels.key/value |
| wait_time | about.labels.key/value |
Lock_Info
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk kumpulan data Splunk Lock_Info:
| Kolom log | Pemetaan UDM |
|---|---|
| last_call_minute | about.labels.key/value |
| lock_mode | about.labels.key/value |
| lock_session_id | about.labels.key/value |
| logon_time | about.labels.key/value |
| obj_name | about.labels.key/value |
| os_pid | target.process.pid |
| serial_num | target.resource.product_object_id |
Ruang meja
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk Tablespace kumpulan data Splunk:
| Kolom log | Pemetaan UDM |
|---|---|
| free_bytes | about.file.size |
| tablespace_name | about.resource.name |
| tablespace_reads | about.labels.key/value |
| tablespace_status | about.labels.key/value |
| tablespace_writes | about.labels.key/value |
Query_Stats
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk kumpulan data Splunk Query_Stats:
| Kolom log | Pemetaan UDM |
|---|---|
| indexes_hit | about.labels.key/value |
| query_plan_hit | about.labels.key/value |
| stored_procedures_called | about.labels.key/value |
| tables_hit | about.labels.key/value |
DLP_Incidents
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk kumpulan data Splunk DLP_Incidents:
| Kolom log | Pemetaan UDM |
|---|---|
| action | security_result.action_details security_result.action |
| aplikasi | target.application |
| category | security_result.category_details |
| tujuan | target.ip, target.nama host, target.labels.key/value |
| dest_bunit | target.labels.key/value |
| dest_category | target.labels.key/value |
| dest_priority | target.labels.key/value |
| dest_zone | target.location.country_or_origin |
| dlp_type | about.labels.key/value |
| dvc | principal.asset.nama host, principal.asset.ip |
| dvc_bunit | about.labels.key/value |
| dvc_category | about.labels.key/value |
| dvc_priority | about.labels.key/value |
| dvc_zone | principal.asset.location.country_or_region |
| objek | target.resource.name |
| object_category | about.labels.key/value |
| object_path | target.file.full_path |
| tingkat keseriusan | security_result.severity |
| severity_id | about.labels.key/value |
| tanda tangan | metadata.description |
| signature_id | metadata.product_event_type |
| src | principal.ip, principal.nama host, principal.labels.key/value |
| src_bunit | principal.labels.key/value |
| src_category | principal.labels.key/value |
| src_priority | principal.labels.key/value |
| src_user | principal.user.user_display_name |
| src_user_bunit | principal.labels.key/value |
| src_user_category | principal.labels.key/value |
| src_user_priority | principal.labels.key/value |
| src_zone | principal.location.country_or_origin |
| tag | about.labels.key/value |
| pengguna | principal.user.user_display_name |
| user_bunit | about.labels.key/value |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value |
All_Email
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk kumpulan data Splunk All_Email:
| Kolom log | Pemetaan UDM |
|---|---|
| action | security_result.action_details security_result.action |
| delay | about.labels.key/value |
| tujuan | target.ip, target.nama host, target.labels.key/value |
| dest_bunit | target.labels.key/value |
| dest_category | target.labels.key/value |
| dest_priority | target.labels.key/value |
| durasi | network.session_duration |
| file_hash | about.file.sha256, about.file.md5, about.file.sha1 |
| file_name | about.labels.key/value |
| file_size | about.file.size |
| internal_message_id | metadata.product_log_id |
| message_id | network.email.mail_id |
| message_info | about.labels.key/value |
| orig_dest | target.labels.key/value |
| orig_recipient | about.labels.key/value |
| orig_src | network.email.from |
| mundur | principal.process.command_line |
| process_id | principal.process.pid |
| protokol | network.application_protocol |
| penerima | network.email.to |
| recipient_count | about.labels.key/value |
| recipient_domain | about.labels.key/value |
| recipient_status | about.labels.key/value |
| response_time | about.labels.key/value |
| upaya coba lagi | about.labels.key/value |
| return_addr | about.labels.key/value |
| ukuran | about.labels.key/value |
| src | principal.ip, principal.nama host, principal.labels.key/value |
| src_bunit | principal.labels.key/value |
| src_category | principal.labels.key/value |
| src_priority | principal.labels.key/value |
| src_user | principal.user.email_addresses |
| src_user_bunit | principal.labels.key/value |
| src_user_category | principal.labels.key/value |
| src_user_domain | principal.administrative_domain |
| src_user_priority | principal.labels.key/value |
| status_code | about.labels.key/value |
| subject | network.email.subject(repeated) |
| tag | about.labels.key/value |
| url | about.url |
| pengguna | principal.user.user_display_name |
| user_bunit | about.labels.key/value |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value |
| xdelay | about.labels.key/value |
| {i>xref<i} | about.labels.key/value |
Pemfilteran
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk Pemfilteran set data Splunk:
| Kolom log | Pemetaan UDM |
|---|---|
| filter_action | about.labels.key/value |
| filter_score | about.labels.key/value |
| tanda tangan | metadata.description |
| signature_extra | about.labels.key/value |
| signature_id | metadata.product_event_type |
Port
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk Port set data Splunk:
| Kolom log | Pemetaan UDM |
|---|---|
| creation_time | about.labels.key/value |
| tujuan | target.ip, target.nama host, target.labels.key/value |
| dest_bunit | target.labels.key/value |
| dest_category | target.labels.key/value |
| dest_port | target.port |
| dest_priority | target.labels.key/value |
| dest_requires_av | target.labels.key/value |
| dest_should_timesync | target.labels.key/value |
| dest_should_update | target.labels.key/value |
| process_guid | principal.process.product_specific_process_id |
| process_id | principal.process.pid |
| src | principal.ip, principal.nama host, principal.labels.key/value |
| src_category | principal.labels.key/value |
| src_priority | principal.labels.key/value |
| src_port | principal.port |
| src_requires_av | principal.labels.key/value |
| src_should_timesync | principal.labels.key/value |
| src_should_update | principal.labels.key/value |
| state | about.labels.key/value |
| tag | about.labels.key/value |
| {i>transport<i} | network.ip_protocol |
| transport_dest_port | target.labels.key/value |
| pengguna | principal.user.user_display_name |
| user_bunit | about.labels.key/value |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
Proses
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk Proses set data Splunk:
| Kolom log | Pemetaan UDM |
|---|---|
| action | security_result.action_details security_result.action |
| cpu_load_percent | about.labels.key/value |
| tujuan | target.ip, target.nama host, target.labels.key/value |
| dest_bunit | target.labels.key/value |
| dest_category | target.labels.key/value |
| dest_is_expected | target.labels.key/value |
| dest_priority | target.labels.key/value |
| dest_requires_av | target.labels.key/value |
| dest_should_timesync | target.labels.key/value |
| dest_should_update | target.labels.key/value |
| mem_used | about.labels.key/value |
| original_file_name | src.file.full_path |
| os | principal.asset.platform_software.platform_version |
| parent_process | about.labels.key/value |
| parent_process_exec | about.labels.key/value |
| parent_process_id | principal.process.parent_process.parent_pid |
| parent_process_guid | principal.process.parent_process.product_specific_process_id |
| parent_process_name | about.labels.key/value |
| parent_process_path | principal.process.parent_process.command_line |
| mundur | about.labels.key/value |
| process_current_directory | about.labels.key/value |
| process_exec | about.labels.key/value |
| process_hash | Principal.process.file.sha256/principal.process.file.md5/principal..process.file.sha1 |
| process_guid | principal.process.product_specific_process_id |
| process_id | principal.process.pid |
| process_integrity_level | security_result.severity |
| process_name | principal.process.command_line |
| process_path | principal.process.file.full_path |
| tag | about.labels.key/value |
| pengguna | principal.user.user_display_name |
| user_id | principal.user.userid |
| user_bunit | about.labels.key/value |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value |
Service
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk Service set data Splunk:
| Kolom log | Pemetaan UDM |
|---|---|
| deskripsi | security_result.description |
| tujuan | target.ip, target.nama host, target.labels.key/value |
| dest_bunit | target.labels.key/value |
| dest_category | target.labels.key/value |
| dest_is_expected | target.labels.key/value |
| dest_priority | target.labels.key/value |
| dest_requires_av | target.labels.key/value |
| dest_should_timesync | target.labels.key/value |
| dest_should_update | target.labels.key/value |
| process_guid | principal.process.product_specific_process_id |
| process_id | principal.process.pid |
| pelanggan | target.application |
| service_dll | about.labels.key/value |
| service_dll_path | about.file.full_path |
| service_dll_hash | about.labels.key/value |
| service_dll_signature_exists | about.labels.key/value |
| service_dll_signature_verified | about.labels.key/value |
| service_exec | target.process.file.full_path |
| service_hash | about.labels.key/value |
| service_id | about.labels.key/value |
| service_name | about.labels.key/value |
| service_path | about.labels.key/value |
| service_signature_exists | about.labels.key/value |
| service_signature_verified | about.labels.key/value |
| start_mode | about.labels.key/value |
| status | security_result.summary |
| tag | about.labels.key/value |
| pengguna | principal.user.user_display_name |
| user_bunit | about.labels.key/value |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value |
Filesystem
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk Filesystem kumpulan data Splunk:
| Kolom log | Pemetaan UDM |
|---|---|
| action | security_result.action_details security_result.action |
| tujuan | target.ip, target.nama host, target.labels.key/value |
| dest_bunit | target.labels.key/value |
| dest_category | target.labels.key/value |
| dest_priority | target.labels.key/value |
| dest_requires_av | target.labels.key/value |
| dest_should_timesync | target.labels.key/value |
| dest_should_update | target.labels.key/value |
| file_access_time | about.labels.key/value |
| file_create_time | target.asset.attribute.creation_time |
| file_hash | target.file.sha256, target.file.md5, target.file.sha1 |
| file_modify_time | about.labels.key/value |
| file_name | about.labels.key/value |
| file_path | target.file.full_path |
| file_acl | about.labels.key/value |
| file_size | target.file.size |
| process_guid | principal.process.product_specific_process_id |
| process_id | principal.process.pid |
| tag | about.labels.key/value |
| pengguna | principal.user.user_display_name |
| user_bunit | about.labels.key/value |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value |
Registry
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk Registry set data Splunk:
| Kolom log | Pemetaan UDM |
|---|---|
| action | security_result.action_details security_result.action |
| tujuan | target.ip, target.nama host, target.labels.key/value |
| dest_bunit | target.labels.key/value |
| dest_category | target.labels.key/value |
| dest_priority | target.labels.key/value |
| dest_requires_av | target.labels.key/value |
| dest_should_timesync | target.labels.key/value |
| dest_should_update | target.labels.key/value |
| process_guid | principal.process.product_specific_process_id |
| process_id | principal.process.pid |
| registry_hive | about.labels.key/value |
| registry_path | about.labels.key/value |
| registry_key_name | target.registry.registry_key |
| registry_value_data | target.registry.registry_value_data |
| registry_value_name | target.registry.registry_value_name |
| registry_value_text | about.labels.key/value |
| registry_value_type | about.labels.key/value |
| status | security_result.summary |
| tag | about.labels.key/value |
| pengguna | principal.user.user_display_name |
| user_bunit | about.labels.key/value |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value |
Tanda tangan
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk tanda tangan set data Splunk:
| Kolom log | Pemetaan UDM |
|---|---|
| tujuan | target.ip, target.nama host, target.labels.key/value |
| dest_bunit | target.labels.key/value |
| dest_category | target.labels.key/value |
| dest_priority | target.labels.key/value |
| tanda tangan | metadata.description |
| signature_id | metadata.product_event_type |
| tag | about.labels.key/value |
Signatures_vendor_product
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk kumpulan data Splunk Signatures_vendor_product:
| Kolom log | Pemetaan UDM |
|---|---|
| vendor_product | about.labels.key/value |
All_Interprocess_Messaging
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk kumpulan data Splunk All_Interprocess_Messaging:
| Kolom log | Pemetaan UDM |
|---|---|
| tujuan | target.ip, target.nama host, target.labels.key/value |
| dest_bunit | target.labels.key/value |
| dest_category | target.labels.key/value |
| dest_priority | target.labels.key/value |
| durasi | network.session_duration |
| endpoint | about.labels.key/value |
| endpoint_version | about.labels.key/value |
| pesan | about.labels.key/value |
| message_consumed_time | about.labels.key/value |
| message_correlation_id | about.labels.key/value |
| message_delivered_time | about.labels.key/value |
| message_delivery_mode | about.labels.key/value |
| message_expiration_time | about.labels.key/value |
| message_id | metadata.product.log_id |
| message_priority | about.labels.key/value |
| message_properties | about.labels.key/value |
| message_received_time | about.labels.key/value |
| message_redelivered | about.labels.key/value |
| message_reply_dest | target.labels.key/value |
| message_type | about.labels.key/value |
| parameter | about.labels.key/value |
| payload | about.labels.key/value |
| payload_type | about.labels.key/value |
| request_payload | about.labels.key/value |
| request_payload_type | about.labels.key/value |
| request_sent_time | about.labels.key/value |
| response_code | network.http.response_code |
| response_payload_type | about.labels.key/value |
| response_received_time | about.labels.key/value |
| response_time | about.labels.key/value |
| return_message | about.labels.key/value |
| rpc_protocol | network.application_protocol |
| status | security_result.summary |
| tag | about.labels.key/value |
IDS_Attacks
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk kumpulan data Splunk IDS_Attacks:
| Kolom log | Pemetaan UDM |
|---|---|
| action | security_result.action_details security_result.action |
| category | security_result.category_details |
| tujuan | target.ip, target.nama host, target.labels.key/value |
| dest_bunit | target.labels.key/value |
| dest_category | target.labels.key/value |
| dest_priority | target.labels.key/value |
| dvc | principal.asset.nama host, principal.asset.ip |
| dvc_bunit | about.labels.key/value |
| dvc_category | about.labels.key/value |
| dvc_priority | about.labels.key/value |
| file_hash | target.file.sha256, target.file.md5, target.file.sha1 |
| file_name | about.labels.key/value |
| file_path | target.file.full_path |
| ids_type | about.labels.key/value |
| tingkat keseriusan | security_result.severity |
| severity_id | about.labels.key/value |
| tanda tangan | metadata.description |
| signature_id | metadata.product_event_type |
| src | principal.ip, principal.nama host, principal.labels.key/value |
| src_bunit | principal.labels.key/value |
| src_category | principal.labels.key/value |
| src_priority | principal.labels.key/value |
| src_port | principal.port |
| tag | about.labels.key/value |
| {i>transport<i} | network.ip_protocol |
| pengguna | principal.user.user_display_name |
| user_bunit | about.labels.key/value |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value |
DS_Attacks
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk kumpulan data Splunk DS_Attacks:
| Kolom log | Pemetaan UDM |
|---|---|
| dest_port | target.port |
All_Inventory
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk kumpulan data Splunk All_Inventory:
| Kolom log | Pemetaan UDM |
|---|---|
| deskripsi | security_result.description |
| tujuan | target.ip, target.nama host, target.labels.key/value |
| dest_bunit | target.labels.key/value |
| dest_category | target.labels.key/value |
| dest_priority | target.labels.key/value |
| diaktifkan | about.labels.key/value |
| keluarga | about.labels.key/value |
| hypervisor_id | about.labels.key/value |
| serial | principal.asset.hardware.serial_number |
| status | security_result.summary |
| tag | about.labels.key/value |
| vendor_product | about.labels.key/value |
| version | about.labels.key/value |
CPU
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk CPU set data Splunk:
| Kolom log | Pemetaan UDM |
|---|---|
| cpu_cores | principal.asset.hardware.cpu_number_cores |
| cpu_count | about.labels.key/value |
| cpu_mhz | principal.asset.hardware.cpu_clock_speed |
| cpu_load_mhz | principal.asset.hardware.cpu_clock_speed |
| cpu_load_percent | about.labels.key/value |
| cpu_time | about.labels.key/value |
| cpu_user_percent | about.labels.key/value |
Memori
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk kumpulan data Splunk Memory:
| Kolom log | Pemetaan UDM |
|---|---|
| mem | principal.asset.hardware.ram |
| heap_committed | about.labels.key/value |
| heap_initial | about.labels.key/value |
| heap_max | about.labels.key/value |
| heap_used | about.labels.key/value |
| non_heap_committed | about.labels.key/value |
| non_heap_initial | about.labels.key/value |
| non_heap_max | about.labels.key/value |
| non_heap_used | about.labels.key/value |
| objects_pending | about.labels.key/value |
| mem | principal.asset.hardware.ram |
| mem_committed | about.labels.key/value |
| mem_free | about.labels.key/value |
| mem_used | about.labels.key/value |
| tukar | about.labels.key/value |
| swap_free | about.labels.key/value |
| swap_used | about.labels.key/value |
jaringan
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk jaringan set data Splunk:
| Kolom log | Pemetaan UDM |
|---|---|
| dest_ip | target.ip |
| dns | about.labels.key/value |
| inline_nat | about.labels.key/value |
| antarmuka | about.labels.key/value |
| ip | principal.asset.ip |
| lb_method | about.labels.key/value |
| mac | principal.asset.mac |
| name | principal.resource.name |
| node | about.labels.key/value |
| node_port | target.port |
| src_ip | principal.ip |
| vip_port | about.labels.key/value |
| thruput | about.labels.key/value |
| thruput_max | about.labels.key/value |
OS
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk OS set data Splunk:
| Kolom log | Pemetaan UDM |
|---|---|
| os | principal.asset.platform_software.platform_version |
| committed_memory | about.labels.key/value |
| cpu_time | about.labels.key/value |
| free_physical_memory | about.labels.key/value |
| free_swap | about.labels.key/value |
| max_file_descriptors | about.labels.key/value |
| open_file_descriptors | about.labels.key/value |
| os | principal.asset.platform_software.platform_version |
| os_architecture | about.labels.key/value |
| os_version | about.labels.key/value |
| physical_memory | about.labels.key/value |
| swap_space | about.labels.key/value |
| system_load | about.labels.key/value |
| total_processors | about.labels.key/value |
| tanda tangan | metadata.description |
| signature_id | metadata.product_event_type |
Penyimpanan
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk Storage set data Splunk:
| Kolom log | Pemetaan UDM |
|---|---|
| array | about.labels.key/value |
| ukuran blok | about.labels.key/value |
| cluster | about.resource.resource_type = "CLUSTER" |
| fd_max | about.labels.key/value |
| latency | about.labels.key/value |
| mount | principal.resource.attribute.labels.key/value |
| parent | principal.resource.parent |
| read_blocks | about.labels.key/value |
| read_latency | about.labels.key/value |
| read_ops | about.labels.key/value |
| storage | about.labels.key/value |
| write_blocks | about.labels.key/value |
| write_latency | about.labels.key/value |
| write_ops | about.labels.key/value |
| array | about.labels.key/value |
| ukuran blok | about.labels.key/value |
| cluster | about.resource.resource_type = "CLUSTER" |
| fd_max | about.labels.key/value |
| fd_used | about.labels.key/value |
| latency | about.labels.key/value |
| mount | about.labels.key/value |
| parent | principal.resource.parent |
| read_blocks | about.labels.key/value |
| read_latency | about.labels.key/value |
| read_ops | about.labels.key/value |
| storage | about.labels.key/value |
| storage_free | about.labels.key/value |
| storage_free_percent | about.labels.key/value |
| storage_used | about.labels.key/value |
| storage_used_percent | about.labels.key/value |
| write_blocks | about.labels.key/value |
| write_latency | about.labels.key/value |
| write_ops | about.labels.key/value |
| error_code | security_result.description |
| operasi | about.labels.key/value |
| storage_name | about.resource.name |
Pengguna
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk User set data Splunk:
| Kolom log | Pemetaan UDM |
|---|---|
| interaktif | about.labels.key/value |
| sandi | about.labels.key/value |
| shell | about.labels.key/value |
| pengguna | principal.user.user_display_name |
| user_bunit | about.labels.key/value |
| user_category | principal.user.attribute.labels.key/value |
| user_id | principal.user.userid |
| user_priority | principal.user.attribute.label.key/value |
Virtual_OS
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk kumpulan data Splunk Virtual_OS:
| Kolom log | Pemetaan UDM |
|---|---|
| hypervisor | about.labels.key/value |
Mengambil snapshot
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk Snapshot set data Splunk:
| Kolom log | Pemetaan UDM |
|---|---|
| ukuran | about.file.size |
| snapshot | about.labels.key/value |
| waktu | about.labels.key/value |
JVM
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk JVM set data Splunk:
| Kolom log | Pemetaan UDM |
|---|---|
| jvm_description | security_result.description |
| tag | about.labels.key/value |
Threading
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk Threading set data Splunk:
| Kolom log | Pemetaan UDM |
|---|---|
| cm_enabled | about.labels.key/value |
| cm_supported | about.labels.key/value |
| cpu_time_enabled | about.labels.key/value |
| cpu_time_supported | about.labels.key/value |
| current_cpu_time | about.labels.key/value |
| current_user_time | about.labels.key/value |
| daemon_thread_count | about.labels.key/value |
| omu_supported | about.labels.key/value |
| peak_thread_count | about.labels.key/value |
| synch_supported | about.labels.key/value |
| thread_count | about.labels.key/value |
| threads_started | about.labels.key/value |
Runtime
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk Runtime set data Splunk:
| Kolom log | Pemetaan UDM |
|---|---|
| process_name | principal.process.command_line |
| start_time | about.labels.key/value |
| waktu beroperasi | about.labels.key/value |
| vendor_product | about.labels.key/value |
| version | about.labels.key/value |
Kompilasi
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk Kompilasi set data Splunk:
| Kolom log | Pemetaan UDM |
|---|---|
| compilation_time | about.labels.key/value |
Classload
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk Classloading kumpulan data Splunk:
| Kolom log | Pemetaan UDM |
|---|---|
| current_loaded | about.labels.key/value |
| total_loaded | about.labels.key/value |
| total_unloaded | about.labels.key/value |
Malware_Attacks
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk kumpulan data Splunk Malware_Attacks:
| Kolom log | Pemetaan UDM |
|---|---|
| action | security_result.action_details security_result.action |
| category | security_result.category_details |
| tanggal | about.labels.key/value |
| tujuan | target.ip, target.nama host, target.labels.key/value |
| dest_bunit | target.labels.key/value |
| dest_category | target.labels.key/value |
| dest_nt_domain | target.administrative_domain |
| dest_priority | target.labels.key/value |
| dest_requires_av | target.labels.key/value |
| file_hash | target.file.sha256, target.file.md5, target.file.sha1 |
| file_name | about.labels.key/value |
| file_path | target.file.full_path |
| tingkat keseriusan | security_result.severity |
| severity_id | about.labels.key/value |
| tanda tangan | metadata.description |
| signature_id | metadata.product_event_type |
| src | principal.ip, principal.nama host, principal.labels.key/value |
| src_bunit | principal.labels.key/value |
| src_category | principal.labels.key/value |
| src_priority | principal.labels.key/value |
| src_user | principal.user.user_display_name |
| tag | about.labels.key/value |
| pengguna | principal.user.user_display_name |
| user_bunit | about.labels.key/value |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| url | about.url |
| vendor_product | about.labels.key/value |
Malware_Operations
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk kumpulan data Splunk Malware_Operations:
| Kolom log | Pemetaan UDM |
|---|---|
| tujuan | target.ip, target.nama host, target.labels.key/value |
| dest_bunit | target.labels.key/value |
| dest_nt_domain | target.labels.key/value |
| dest_nt_domain | target.labels.key/value |
| dest_priority | target.labels.key/value |
| dest_requires_av | target.labels.key/value |
| product_version | about.labels.key/value |
| signature_version | security_result.rule_version |
| tag | about.labels.key/value |
| vendor_product | about.labels.key/value |
Malware_Operations
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk kumpulan data Splunk Malware_Operations:
| Kolom log | Pemetaan UDM |
|---|---|
| dest_category | target.labels.key/value |
DNS
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk DNS set data Splunk:
| Kolom log | Pemetaan UDM |
|---|---|
| additional_answer_count | about.labels.key/value |
| answer | network.dns.answer.data |
| answer_count | about.labels.key/value |
| authority_answer_count | about.labels.key/value |
| tujuan | target.ip, target.nama host, target.labels.key/value |
| dest_bunit | target.labels.key/value |
| dest_category | target.labels.key/value |
| dest_port | target.port |
| dest_priority | target.labels.key/value |
| durasi | network.session_duration |
| message_type | about.labels.key/value |
| name | about.labels.key/value |
| query | network.dns.questions.name |
| query_count | about.labels.key/value |
| query_type | network.dns.questions.type |
| record_type | network.dns.answer.type(uint32) |
| reply_code | about.labels.key/value |
| reply_code_id | network.dns.response_code |
| response_time | about.labels.key/value |
| src | principal.ip, principal.nama host, principal.labels.key/value |
| src_bunit | principal.labels.key/value |
| src_category | principal.labels.key/value |
| src_port | principal.port |
| src_priority | principal.labels.key/value |
| tag | about.labels.key/value |
| transaction_id | network.dns.id |
| {i>transport<i} | network.ip_protocol |
| ttl | about.labels.key/value |
| vendor_product | about.labels.key/value |
All_Sessions
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk kumpulan data Splunk All_Sessions:
| Kolom log | Pemetaan UDM |
|---|---|
| action | security_result.action_details security_result.action |
| dest_bunit | target.labels.key/value |
| dest_category | target.labels.key/value |
| dest_dns | target.labels.key/value |
| dest_ip | network.dhcp.ciaddr |
| dest_mac | network.dhcp.chaddr |
| dest_nt_host | target.labels.key/value |
| dest_priority | target.labels.key/value |
| durasi | network.session_duration |
| response_time | about.labels.key/value |
| tanda tangan | metadata.description |
| signature_id | metadata.product_event_type |
| src_bunit | principal.labels.key/value |
| src_category | principal.labels.key/value |
| src_dns | principal.labels.key/value |
| src_ip | principal.ip |
| src_mac | principal.mac |
| src_nt_host | principal.labels.key/value |
| src_priority | principal.labels.key/value |
| tag | about.labels.key/value |
| pengguna | principal.user.user_display_name |
| user_bunit | about.labels.key/value |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value |
DHCP
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk DHCP set data Splunk:
| Kolom log | Pemetaan UDM |
|---|---|
| lease_duration | network.dhcp.lease_time_second |
| lease_scope | about.labels.key/value |
All_Traffic
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk kumpulan data Splunk All_Traffic:
| Kolom log | Pemetaan UDM |
|---|---|
| action | security_result.action_details security_result.action |
| aplikasi | network.application_protocol |
| byte | about.labels.key/value |
| bytes_in | network.received_bytes |
| bytes_out | network.sent_bytes |
| channel | about.labels.key/value |
| tujuan | target.ip, target.nama host, target.labels.key/value |
| dest_bunit | target.labels.key/value |
| dest_category | target.labels.key/value |
| dest_interface | target.labels.key/value |
| dest_ip | target.ip |
| dest_mac | target.mac |
| dest_port | target.port |
| dest_priority | target.labels.key/value |
| dest_translated_ip | target.nat_ip |
| dest_translated_port | target.nat_port |
| dest_zone | target.location.country_or_origin |
| direction | network.direction |
| durasi | network.session_duration |
| dvc | principal.asset.nama host, principal.asset.ip |
| dvc_bunit | about.labels.key/value |
| dvc_category | about.labels.key/value |
| dvc_ip | about.labels.key/value |
| dvc_mac | principal.asset.mac |
| dvc_priority | about.labels.key/value |
| dvc_zone | principal.asset.location.country_or_region |
| flow_id | about.labels.key/value |
| icmp_code | about.labels.key/value |
| icmp_type | about.labels.key/value |
| paket | about.labels.key/value |
| packets_in | about.labels.key/value |
| packets_out | about.labels.key/value |
| protokol | about.labels.key/value |
| protocol_version | about.labels.key/value |
| response_time | about.labels.key/value |
| aturan | security_result.rule_id |
| session_id | network.session_id |
| src | principal.ip, principal.nama host, principal.labels.key/value |
| src_bunit | principal.labels.key/value |
| src_category | principal.labels.key/value |
| src_interface | principal.labels.key/value |
| src_ip | principal.ip |
| src_mac | principal.mac |
| src_port | principal.port |
| src_priority | principal.labels.key/value |
| src_translated_ip | principal.nat_ip |
| src_translated_port | principal.nat_port |
| src_zone | principal.location.country_or_origin |
| ssid | about.labels.key/value |
| tag | about.labels.key/value |
| tcp_flag | about.labels.key/value |
| {i>transport<i} | network.ip_protocol |
| tos | about.labels.key/value |
| ttl | network.dns.additional.ttl |
| pengguna | principal.user.userid |
| user_bunit | about.labels.key/value |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_account | about.labels.key/value |
| vendor_product | about.labels.key/value |
| vlan | about.labels.key/value |
| wifi | about.labels.key/value |
All_Performance
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk kumpulan data Splunk All_Performance:
| Kolom log | Pemetaan UDM |
|---|---|
| tujuan | target.ip, target.nama host, target.labels.key/value |
| dest_bunit | target.labels.key/value |
| dest_category | target.labels.key/value |
| dest_priority | target.labels.key/value |
| dest_should_timesync | target.labels.key/value |
| dest_should_update | target.labels.key/value |
| hypervisor_id | about.labels.key/value |
| resource_type | about.labels.key/value |
| tag | about.labels.key/value |
Fasilitas
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk Fasilitas set data Splunk:
| Kolom log | Pemetaan UDM |
|---|---|
| fan_speed | about.labels.key/value |
| power | about.labels.key/value |
| suhu | about.labels.key/value |
Sinkronisasi waktu
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk Timesync kumpulan data Splunk:
| Kolom log | Pemetaan UDM |
|---|---|
| action | security_result.action_details security_result.action |
Waktu beroperasi
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk Uptime setelan data Splunk:
| Kolom log | Pemetaan UDM |
|---|---|
| waktu beroperasi | about.labels.key/value |
View_Activity
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk kumpulan data Splunk View_Activity:
| Kolom log | Pemetaan UDM |
|---|---|
| aplikasi | target.application |
| pembelanjaan | about.labels.key/value |
| uri | about.labels.key/value |
| pengguna | principal.user.user_display_name |
| tampilkan | about.labels.key/value |
Datamodel_Acceleration
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk set data Splunk Datamodel_Acceleration:
| Kolom log | Pemetaan UDM |
|---|---|
| access_count | about.labels.key/value |
| access_time | about.labels.key/value |
| aplikasi | target.application |
| bucket | about.labels.key/value |
| buckets_size | about.labels.key/value |
| selesai | about.labels.key/value |
| cron | about.labels.key/value |
| model data | about.labels.key/value |
| digest | about.labels.key/value |
| paling awal | about.labels.key/value |
| is_inprogress | about.labels.key/value |
| last_error | about.labels.key/value |
| last_sid | about.labels.key/value |
| terbaru | about.labels.key/value |
| mod_time | about.labels.key/value |
| retensi | about.labels.key/value |
| ukuran | about.file.size |
| summary_id | about.labels.key/value |
Search_Activity
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk kumpulan data Splunk Search_Activity:
| Kolom log | Pemetaan UDM |
|---|---|
| host | about.hostname |
| info | about.labels.key/value |
| penelusuran | about.labels.key/value |
| search_et | about.labels.key/value |
| search_lt | about.labels.key/value |
| search_type | about.labels.key/value |
| sumber | principal.labels.key/value |
| jenis sumber | principal.labels.key/value |
| pengguna | principal.user.user_display_name |
| user_bunit | about.labels.key/value |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
Scheduler_Activity
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk set data Splunk Scheduler_Activity:
| Kolom log | Pemetaan UDM |
|---|---|
| aplikasi | target.application |
| host | about.hostname |
| savedsearch_name | about.labels.key/value |
| sid | about.labels.key/value |
| sumber | principal.labels.key/value |
| jenis sumber | principal.labels.key/value |
| splunk_server | principal.ip, principal.nama host |
| status | security_result.summary |
| pengguna | principal.user.user_display_name |
Web_Service_Errors
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk kumpulan data Splunk Web_Service_Errors:
| Kolom log | Pemetaan UDM |
|---|---|
| host | about.hostname |
| sumber | principal.labels.key/value |
| jenis sumber | principal.labels.key/value |
| event_id | security_result.rule_name |
Modular_Actions
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk kumpulan data Splunk Modular_Actions:
| Kolom log | Pemetaan UDM |
|---|---|
| action_mode | about.labels.key/value |
| action_status | about.labels.key/value |
| aplikasi | target.application |
| durasi | network.session_duration |
| komponen | about.labels.key/value |
| orig_rid | about.labels.key/value |
| orig_sid | about.labels.key/value |
| rid | about.labels.key/value |
| search_name | about.labels.key/value |
| action_name | security_result.action_details |
| tanda tangan | metadata.description |
| sid | about.labels.key/value |
| pengguna | about.labels.key/value |
All_Ticket_Management
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk kumpulan data Splunk All_Ticket_Management:
| Kolom log | Pemetaan UDM |
|---|---|
| affect_dest | target.labels.key/value |
| komentar | about.labels.key/value |
| deskripsi | security_result.description |
| tujuan | target.ip, target.nama host, target.labels.key/value |
| dest_bunit | target.labels.key/value |
| dest_category | target.labels.key/value |
| dest_priority | target.labels.key/value |
| priority | security_result.priority_details |
| tingkat keseriusan | security_result.severity |
| severity_id | about.labels.key/value |
| splunk_id | about.labels.key/value |
| splunk_realm | about.labels.key/value |
| src_user | principal.user.user_display_name |
| src_user_bunit | principal.labels.key/value |
| src_user_category | principal.labels.key/value |
| src_user_priority | principal.labels.key/value |
| status | security_result.summary |
| tag | about.labels.key/value |
| ticket_id | target.user.attribute.label.ley/value |
| time_submitted | principal.user.attribute.creation_time |
| pengguna | principal.user.user_display_name |
| user_bunit | about.labels.key/value |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
Ubah
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk perubahan set data Splunk:
| Kolom log | Pemetaan UDM |
|---|---|
| ubah | about.labels.key/value |
Insiden
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk Incident set data Splunk:
| Kolom log | Pemetaan UDM |
|---|---|
| insiden | about.labels.key/value |
Masalah
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk set data Splunk:
| Kolom log | Pemetaan UDM |
|---|---|
| soal | about.labels.key/value |
Update
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk update set data Splunk:
| Kolom log | Pemetaan UDM |
|---|---|
| tujuan | target.ip, target.nama host, target.labels.key/value |
| dest_bunit | target.labels.key/value |
| dest_category | target.labels.key/value |
| dest_priority | target.labels.key/value |
| dest_should_update | target.labels.key/value |
| dvc | principal.asset.nama host, principal.asset.ip |
| file_hash | target.file.sha256, target.file.md5, target.file.sha1 |
| file_name | about.labels.key/value |
| tingkat keseriusan | security_result.severity |
| severity_id | about.labels.key/value |
| tanda tangan | metadata.description |
| signature_id | metadata.product_event_type |
| status | security_result.summary |
| tag | about.labels.key/value |
| vendor_product | about.labels.key/value |
Kerentanan
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk Kerentanan set data Splunk:
| Kolom log | Pemetaan UDM |
|---|---|
| Bugtraq | about.labels.key/value |
| category | security_result.category_details |
| cert | about.labels.key/value |
| cve | vulnerabilites.cve_description |
| cvss | vulnerabilites.cvss_base_score |
| tujuan | target.ip, target.nama host, target.labels.key/value |
| dest_bunit | target.labels.key/value |
| dest_category | target.labels.key/value |
| dest_priority | target.labels.key/value |
| dvc | principal.asset.nama host, principal.asset.ip |
| dvc_bunit | about.labels.key/value |
| dvc_category | about.labels.key/value |
| dvc_priority | about.labels.key/value |
| msft | about.labels.key/value |
| mskb | about.labels.key/value |
| tingkat keseriusan | extensions.vulns.vulnerabilites.severity |
| severity_id | about.labels.key/value |
| tanda tangan | metadata.description |
| signature_id | metadata.product_event_type |
| tag | about.labels.key/value |
| url | extensions.vulns.vulnerabilites.about.url |
| pengguna | extensions.vulns.vulnerabilites.about.user.user_display_name |
| user_bunit | about.labels.key/value |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value |
| {i>xref<i} | about.labels.key/value |
Web
Tabel berikut mencantumkan kolom log dan pemetaan UDM yang sesuai untuk Web set data Splunk:
| Kolom log | Pemetaan UDM |
|---|---|
| action | security_result.action_details security_result.action |
| aplikasi | target.application |
| byte | about.labels.key/value |
| bytes_in | network.received_bytes |
| bytes_out | network.sent_bytes |
| di-cache | about.labels.key/value |
| category | security_result.category_details |
| kue | about.labels.key/value |
| tujuan | target.ip, target.nama host, target.labels.key/value |
| dest_bunit | target.labels.key/value |
| dest_category | target.labels.key/value |
| dest_priority | target.labels.key/value |
| dest_port | target.port |
| durasi | network.session_duration |
| http_content_type | about.labels.key/value |
| http_method | network.http.method |
| http_referrer | network.http.referral_url |
| http_referrer_domain | about.labels.key/value |
| http_user_agent | network.http.user_agent |
| http_user_agent_length | about.labels.key/value |
| response_time | about.labels.key/value |
| situs | about.labels.key/value |
| src | principal.ip, principal.nama host, principal.labels.key/value |
| src_bunit | principal.labels.key/value |
| src_category | principal.labels.key/value |
| src_priority | principal.labels.key/value |
| status | network.http.response_code |
| tag | about.labels.key/value |
| uri_path | about.labels.key/value |
| uri_query | about.labels.key/value |
| url | about.url |
| url_domain | about.asset.network_domain |
| url_length | about.labels.key/value |
| pengguna | principal.user.user_display_name |
| user_bunit | about.labels.key/value |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value |
Jenis peristiwa UDM
Tabel berikut mencantumkan tag Splunk dan jenis peristiwa UDM yang sesuai:
| Model data | Tag Splunk | Jenis peristiwa UDM |
|---|---|---|
| Pemberitahuan | pemberitahuan | STATUS_UPDATE |
| Authentication | autentikasi | USER_UNCATEGORIZED |
| Certificate | sertifikat | NETWORK_UNCATEGORIZED |
| Ubah | ubah | SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Akses Data | data, akses | USER_RESOURCE_ACCESS |
| Database | database | USER_RESOURCE_ACCESS |
| Database | {i>database<i}, instance, statistik | STATUS_UPDATE |
| Database | database, instance, status | STATUS_UPDATE |
| Database | basis data, instance, kunci | STATUS_UPDATE |
| Database | {i>database<i}, kueri | STATUS_UPDATE |
| Database | {i>database<i}, kueri, ruang tabel | STATUS_UPDATE |
| Database | {i>database<i}, kueri, statistik | STATUS_UPDATE |
| Pencegahan Kebocoran Data | dlp, insiden | SCAN_UNCATEGORIZED |
| EMAIL_UNCATEGORIZED | ||
| email, pengiriman | EMAIL_TRANSACTION | |
| Endpoint | mendengarkan, port | SERVICE_UNSPECIFIED |
| Endpoint | memproses, melaporkan | PROCESS_UNCATEGORIZED |
| Endpoint | layanan, laporan | SERVICE_UNSPECIFIED |
| Endpoint | endpoint, sistem file | FILE_UNCATEGORIZED |
| Endpoint | endpoint, registry | REGISTRY_UNCATEGORIZED |
| Tanda Tangan Acara | track_event_signature | STATUS_UPDATE |
| Pesan Antar-Proses | pesan | STATUS_UPDATE |
| Deteksi Instrusi | id, serangan | SERVICE_UNSPECIFIED |
| Inventaris | inventaris | SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Java Virtual Machine (JVM) | jvm | SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Malware | malware | STATUS_UPDATE |
| Resolusi Jaringan(DNS) | jaringan, resolusi, dns | NETWORK_DNS |
| Sesi Jaringan | jaringan, sesi | NETWORK_CONNECTION |
| Sesi Jaringan | jaringan, sesi, dhcp | NETWORK_DHCP |
| Traffic Jaringan | berjejaring, berkomunikasi | NETWORK_CONNECTION |
| Performa | performa | SERVICE_UNSPECIFIED |
| Log Audit Splunk | modifikasi | STATUS_UPDATE |
| Pengelolaan Tiket | penjualan tiket | STATUS_UPDATE |
| Pengelolaan Tiket | penjualan tiket, perubahan | STATUS_UPDATE |
| Update | update | STATUS_UPDATE |
| Kerentanan | laporan, kerentanan | SCAN_UNCATEGORIZED |
| Web | web | NETWORK_UNCATEGORIZED |