Splunk® Common Information Model Add-on

Common Information Model Add-on Manual

This documentation does not apply to the most recent version of Splunk® Common Information Model Add-on. For documentation on the most recent version, go to the latest release.

Vulnerabilities

The fields in the Vulnerabilities data model and Vulnerability event category describe vulnerability detection data.

Tags used with the Vulnerabilities data model and event category

Object name(s) Tag name Required?
Vulnerabilities report YES
Vulnerabilities vulnerability YES

Fields for the Vulnerabilities data model and event category

Object name(s) Field name Data type Description Possible values
Vulnerabilities bugtraq string Corresponds to an identifier in the vulnerability database provided by the Security Focus website (searchable at http://www.securityfocus.com/).
Vulnerabilities category string The category of the discovered vulnerability, such as DoS.

Note: This field is a string. Please use a category_id field for fields that are integer data type. Keep in mind that the category_id field is optional and thus is not part of the CIM.
Vulnerabilities cert string Corresponds to an identifier in the vulnerability database provided by the US Computer Emergency Readiness Team (US-CERT, searchable at http://www.kb.cert.org/vuls/).
Vulnerabilities cve string Corresponds to an identifier provided in the Common Vulnerabilities and Exposures index (searchable at http://cve.mitre.org).
Vulnerabilities dest string The host with the discovered vulnerability. May be aliased from more specific fields, such as dest_host, dest_ip, or dest_name.
Vulnerabilities dvc string The system that discovered the vulnerability. May be aliased from more specific fields, such as dvc_host, dvc_ip, or dvc_name.
Vulnerabilities msft string Corresponds to a Microsoft Security Advisory number (http://technet.microsoft.com/en-us/security/advisory/).
Vulnerabilities mskb string Corresponds to a Microsoft Knowledge Base article number (http://support.microsoft.com/kb/).
Vulnerabilities product string The product or service that detected the vulnerability. This field is used to automatically produce the vendor_product field used by data models.
Vulnerabilities severity string The severity of the vulnerability detection event. Specific values are required. Use vendor_severity for the vendor's own human readable strings (such as Good, Bad, and Really Bad).

Note: This field is a string. Please use a severity_id field for severity ID fields that are integer data types. Keep in mind that the severity_id field is optional and thus is not part of the CIM.
critical, high, informational, low, medium, unknown
Vulnerabilities signature string The name of the vulnerability detected on the host, such as HPSBMU02785 SSRT100526 rev.2 - HP LoadRunner Running on Windows, Remote Execution of Arbitrary Code, Denial of Service (DoS).

Note: This field has a string value. Please use signature_id for numeric indicators. Keep in mind that the signature_id field is optional and thus is not part of the CIM.
Vulnerabilities vendor string The vendor of the vulnerability detection product or service. This field is used to automatically produce the vendor_product field used by data models.
Vulnerabilities xref string A cross-reference identifier associated with the vulnerability. In most cases, the xref field contains both the short name of the database being cross-referenced and the unique identifier used in the external database.
Last modified on 16 October, 2013
Updates   Web

This documentation applies to the following versions of Splunk® Common Information Model Add-on: 3.0, 3.0.1, 3.0.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters