Splunk® Common Information Model Add-on

Common Information Model Add-on Manual

This documentation does not apply to the most recent version of Splunk® Common Information Model Add-on. For documentation on the most recent version, go to the latest release.

Authentication

The fields and tags in the Authentication data model and event category describe login activities from any data source.

Tags used with the Authentication event category

Object name(s) Tag name Required?
Authentication authentication YES
Authentication
Privileged_Authentication
privileged YES
Authentication
Default_Authentication
default YES
Authentication cleartext NO
Authentication insecure NO

Fields for the Authentication event category

Object name(s) Field name Data type Description Expected values
Authentication action string The action performed on the resource. success, failure, unknown
Authentication app string The application involved in the event (such as ssh, splunk, win:local).
Authentication dest string The target involved in the authentication. May be aliased from more specific fields, such as dest_host, dest_ip, or dest_nt_host.
Authentication src string The source involved in the authentication. In the case of endpoint protection authentication the src is the client. May be aliased from more specific fields, such as src_host, src_ip, or src_nt_host.

Note: Do not confuse src with the event source or sourcetype fields.
Authentication src_user string In privilege escalation events, src_user represents the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.
Authentication user string The name of the user involved in the event, or who initiated the event. For authentication privilege escalation events this should represent the user targeted by the escalation.
Last modified on 08 February, 2017
Application State   Change Analysis

This documentation applies to the following versions of Splunk® Common Information Model Add-on: 3.0, 3.0.1, 3.0.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters