Field reference for Splunk Asset and Risk Intelligence
Splunk Asset and Risk Intelligence includes fields that you can use for discovery filters, investigations, enrichment rules, and metrics. Splunk Asset and Risk Intelligence includes the following types of fields:
- Asset fields
- IP address fields
- Identity fields
- MAC address fields
- Vulnerability fields
- Software fields
Asset fields
asset_class |
The class of the asset. For example, "desktop" or "phone".
asset_type |
The type of asset. For example, "server" or "workstation".
bunit |
The business unit.
business |
The business name.
category |
The category of the asset. For example, "domain controller".
city |
The city location of the asset.
classification |
The asset classification value.
country |
The country location of the asset.
cpu_cores |
The number of CPU cores.
cpu_count |
The number of CPUs.
cpu_mhz |
The CPU megahertz value.
criticality |
The criticality value of the asset. For example, "high" or "medium".
dns |
The fully qualified domain name (FQDN) of the asset.
environment |
The environment of the asset. For example, "Prod" or "Dev".
fde_encrypted |
A value of either 0 or 1 to designate full disk encryption.
firstdetect |
The time the asset was first detected.
instance_id |
The instance ID of the asset. For example, the AWS EC2 instance_id.
ip |
The IP address of the asset.
ip_translated |
The translated IP address of the asset. For example, an external ip of VPN asset.
ip_zone |
The IP zone address of the asset. If IP zones are not in use, the value is "default".
label |
A label for the asset.
lastdetect |
The time the asset was last detected.
lastdetect_prev |
The time the asset was last detected previously.
lat |
The latitude of the asset.
location_id |
An identifying location code.
lon |
The longitude of the asset.
mac |
The last discovered MAC address of the asset.
mac_vendor |
The vendor associated with MAC address.
mem |
The amount of RAM.
nt_host |
The hostname of the discovered asset.
os |
The operating system.
os_version |
The version of the operating system.
os_platform |
The platform of the operating system.
os_major |
The major version of the operating system.
os_minor |
The minor version of the operating system.
os_build |
The build of the operating system.
os_rev |
The revision of the operating system.
priority |
The priority of the asset. For example, "Critical" or "Low".
product |
The product name of the asset. For example, "Latitude".
product_version |
The product version of the asset. For example, "10".
provider |
The asset provider. For example, "Amazon" or "Google".
sensitivity |
The sensitivity value of the asset.
serial |
The serial number of the asset.
state |
The state or region location of the asset.
status |
The status of the asset. For example, "decommissioned" or "active".
user_id |
The last discovered user of the asset.
vendor |
The vendor of the asset. For example, "Dell".
IP address fields
firstdetect |
The time the IP address was first detected.
ip |
The discovered IP address.
ip_city |
The city location of the IP subnet.
ip_classification |
The IP subnet classification.
ip_country |
The country location of the IP subnet.
ip_criticality |
The criticality of the IP subnet.
ip_description |
The description of the IP subnet.
ip_region |
The region location of the IP subnet.
ip_sensitivity |
The sensitivity value of the IP subnet.
ip_state |
The state location of the IP subnet.
ip_translated |
The translated IP address. For example, an external IP address of a VPN asset.
ip_type |
The type of IP subnet.
ip_vlan |
The IP vlan.
ip_zone |
The IP zone address of the asset associated with the IP address. If IP zones are not in use, the value is "default".
lastdetect |
The time the IP address was last detected.
lastdetect_prev |
The time the IP address was last detected previously.
lat |
The latitude of the IP address.
location_id |
An identifying location code.
lon |
The longitude of the IP address.
mac |
The MAC address of the IP address.
mac_vendor |
The vendor associated with MAC address.
nt_host |
The hostname of the IP address.
user_id |
The user of the IP address.
Identity fields
domain |
The corporate directory domain name.
firstdetect |
The time the user ID was first detected.
ip |
The IP address of the user.
ip_translated |
The translated IP address. For example, an external IP address of a VPN asset.
ip_zone |
The IP zone address of the asset associated with the user. If IP zones are not in use, the value is "default".
lastdetect |
The time the user ID was last detected.
lastdetect_prev |
The time the user ID was last detected previously.
lat |
The latitude location of the user.
lon |
The longitude location of the user.
mac |
The MAC address of the user.
nt_host |
The hostname of the user.
user_bunit |
The matching corporate directory business unit.
user_business |
The matching corporate directory business name.
user_category |
The matching corporate directory user category.
user_city |
The matching corporate directory city.
user_country |
The matching corporate directory country.
user_email |
The matching corporate directory email address.
user_end_date |
The matching end date for the user from the corporate directory.
user_first |
The matching first name from the corporate directory.
user_id |
The discovered user ID.
user_last |
The matching last name of the user from the corporate directory.
user_location_id |
The matching location code from the corporate directory.
user_priority |
The matching priority from the corporate directory.
user_region |
The matching region from the corporate directory.
user_start_date |
The matching start date from the corporate directory.
user_state |
The matching state from the corporate directory.
user_title |
The matching title from the corporate directory.
MAC address fields
firstdetect |
The time the MAC address was first detected.
ip |
The IP address of the MAC address.
ip_zone |
The IP zone address of the asset associated with the MAC address. If IP zones are not in use, the value is "default".
lastdetect |
The time the MAC address was last detected.
lastdetect_prev |
The time the MAC address was last detected previously.
lat |
The latitude location of the MAC address.
location_id |
An identifying location code of the MAC address.
lon |
The longitude location of the MAC address.
mac |
The discovered MAC address.
mac_city |
The city location of the MAC address.
mac_country |
The country location of the MAC address.
mac_product |
The product name of the MAC address. For example, "Latitude".
mac_region |
The region location of the MAC address.
mac_state |
The state location of the MAC address.
mac_vendor |
The vendor of the MAC address.
nt_host |
The hostname of the MAC address.
user_id |
The user of the MAC address.
Vulnerability fields
agent_uuid |
The unique ID for the agent responsible for detecting the vulnerability.
asset_uuid |
The unique ID of the asset associated with the vulnerability.
category |
The category of the asset. For example, "Domain Controller".
cert |
A value that corresponds to an identifier in the vulnerability database provided by the US Computer Emergency Readiness Team.
cve |
A value that corresponds to an identifier provided in the Common Vulnerabilities and Exposures index.
cvss |
A numeric indicator of the common vulnerability scoring system.
firstdetect |
The time the vulnerability was first detected.
lastdetect |
The time the vulnerability was last detected.
lastdetect_prev |
The time the vulnerability was previously last detected.
msft |
A value that corresponds to a Microsoft Security Advisory number.
mskb |
A value that corresponds to a Microsoft Knowledge Base article number.
nt_host |
The hostname of the asset associated with the detected vulnerability.
plugin_id |
The ID of the vulnerability plugin used to detect the vulnerability.
port |
The port used by the detected vulnerability.
protocol |
The OSI layer 3 network protocol of the traffic observed. This value uses a lower case syntax. For example, "ip", "appletalk", or "ipx".
scan_type |
The type of security scan performed.
scan_uuid |
The unique ID for the specific scan done.
service |
The application service that the vulnerability was detected on.
severity |
The severity of the vulnerability detection event. Specific values are required. Use the vendor_severity field for the vendor's own human readable strings, such as "Good" or "Bad". This field is a string. Use the severity_id field for numeric data types.
severity_id |
The numeric or vendor-specific severity indicator corresponding to the event severity.
signature |
The name of the vulnerability detected on the host, such as HPSBMU02785 SSRT100526 rev.2 - HP LoadRunner Running on Windows, Remote Execution of Arbitrary Code, or Denial of Service (DoS). This field is a string. Use the signature_id field for numeric indicators.
signature_id |
The unique identifier or event code of the event signature.
state |
The matching state from the corporate directory.
url |
The URL involved in the discovered vulnerability.
vendor |
The vendor of the asset associated with the vulnerability. For example, "Dell".
vendor_product |
The vendor and product vulnerability scanner. For example, "Tenable IO".
xref |
A cross-reference identifier associated with the vulnerability. In most cases, the xref field contains both the short name of the cross-referenced database and the unique identifier used in the external database.
Software fields
firstdetect |
The time the software was first detected.
lastdetect |
The time the software was last detected.
lastdetect_prev |
The time the software was previously last detected.
nt_host |
The hostname of the asset with the detected software.
product |
The name of the software product. For example, "Skype".
vendor |
The vendor of the software product. For example, "Microsoft".
version |
The version of the software.
Feedback submitted, thanks!