Data Source Integration Manual

 


Common Information Model field reference

This documentation does not apply to the most recent version of ES. Click here for the latest version.

Common Information Model field reference

The tables below define the fields used in the Common Information Model. The Data Type column describes the type of data expected and the Description provides information about what the value of the field should represent and which values are allowed (if the field is restricted to a defined set of potential values).

Access Protection

The Access Protection domain provides information about authentication attempts and access control related events (login, logout, access allowed, access failure, use of default accounts, and so on).

Account Management

Field Name Data Type Explanation
signature string Description of the change performed
src_nt_domain string The domain that contains the user that generated the account management event
dest_nt_domain string The domain that contains the user that is affected by the account management event

Authentication

Field Name Data Type Explanation
action string Must be either "success" or "failure".
app string The application involved in authentication. (for example, ssh, splunk, win:local).
dest string The target involved in authentication. (one of: dest_host,dest_ip,dest_ipv6,dest_nt_host)
src string The source involved in authentication. (one of: src_host,src_ip,src_ipv6,src_nt_host)
src_user string Privilege escalation events must include this field to represent the user who initiated the privilege escalation.
user string The user involved in authentication. For privilege escalation events this should represent the user targeted by the escalation.

Endpoint Protection

The Endpoint Protection domain includes information about endpoints such as malware infections, system configuration, system state (CPU usage, open ports, uptime, etc.), system update history (which updates have been applied), and time synchronization information.

Authentication

Field Name Data Type Explanation
src string The client. Required for this entire Enterprise Security domain. (one of: src_host, src_ip, src_nt_host)

Change Analysis

Field Name Data Type Explanation
dest string The host that was affected by the change (one of: dest_host, dest_ip, dest_ipv6, dest_nt_host)
change_type string The type of change discovered
action string The action performed on the resource
path string The path of the resource that was changed
isdir Boolean Indicates whether or not the resource changed is a directory
size int The size of the object changed
gid int The group ID of the item changed
uid int The user ID of the item changed
modtime string The modification time of the modified resource
mode int The permissions mode of the modified resource
hash string The hash signature of the modified resource.

Update

Field Name Data Type Explanation
package string Name of the update that was installed

Malware

Field Name Data Type Explanation
action string The outcome of the infection; must be one of "allowed", "blocked", or "deferred".
product string The product name of the vendor technology (the "vendor" field) generating malware data. (for example, Antivirus, EPO)
signature string The name of the malware infection detected on the client (the "src"), (for example, Trojan.Vundo, Spyware.Gaobot, W32.Nimbda).

Note: This field is a string. Please use the "signature_id" field for numbers.

dest string The target affected or infected by the malware (for example, dest_host, dest_ip, dest_ipv6, dest_nt_host).
dest_nt_domain string The NT domain of the destination (the "dest_bestmatch").
src_nt_domain string The NT domain of the source (the "src")
vendor string The name of the vendor technology generating malware data. (for example, Symantec, McAfee)
file_path string The path of the file in the event (such as the infected or malicious file)
file_hash string The cryptographic hash of the file associated with the event (such as the infected or malicious file).
user string The user involved in a malware event
file_name string The name of the file in the event (such as the infected or malicious file)
product_version string The product version number of the vendor technology installed on the client (for example,. 10.4.3, 11.0.2)
signature_version string The current signature set (a.k.a. definitions) running on the client. (for example, 11hsvx)

System Center

Field Name Data Type Explanation
TotalMBytes int The amount of memory available on the system (the "src" field).
UsedMBytes int The amount of memory used on the system (the "src" field).
FreeMBytes int The amount of disk space available per drive or mount (the "mount" field) on the system (the "src" field).
mount string The drive or mount reporting available disk space (the "FreeMegabytes" field) on the system (the "src" field).
PercentProcessorTime int The percentage of processor utilization.
src_port int The TCP/UDP source port on the system
app string The running application or service (e.g., explorer.exe, sshd) on the system (the "src" field).
user string The User Account present on the system (the "src" field).
shell string The shell provided to the User Account (the "user" field) upon logging into the system (the "src" field).
setlocaldefs int The setlocaldefs setting from the SE Linux configuration
Startmode string The start mode of the given service (disabled, enabled, or auto).
sshd_protocol string The version of the sshd protocol.
selinux string Values from the selinux configuration file (disabled or enforcing)
selinuxtype string The SE Linux type (such as targeted)
updates int The number of updates the system (the "src" field) is missing.
SystemUptime int The number of seconds since the system (the "src") has been "up".
label string Human-readable version of the system uptime.
os string The name of the operating system installed on the host (the "src"). (for example, Microsoft Windows Server 2003, GNU/Linux)
kernel_release string The version of operating system installed on the host (the "src"). (for example, 6.0.1.4, 2.6.27.30-170.2.82.fc10.x86_64)

Network Protection

Network Protection includes information about network traffic provided from devices such as firewalls, routers, and network based intrusion detection systems.

Change Analysis

Field Name Data Type Explanation
dvc string The device that is directly affected by the change
action string The type of change observed.
user string The user that initiated the given change
command string The command that initiated the given change

Proxy

Field Name Data Type Explanation
action string The action taken by the proxy.
status int The HTTP response code indicating the status of the proxy request (404, 302, 500, etc.)
src string The source of the network traffic (the client requesting the connection)
dest string The destination of the network traffic (the remote host)
http_content_type string The content-type of the resource requested.
http_refer string The HTTP referrer used in requesting the HTTP resource.
http_user_agent string The user agent used when requesting the HTTP resource.
http_method string The HTTP method used in requested the resource (GET, POST, DELETE, and so on)
user string The user that requested the HTTP resource
url string The URL of the requested HTTP resource
vendor string The vendor technology of the generating Network Protection data; required for this entire Enterprise Security domain. (for example, IDP, Proventia, ASA)
product string The product name of the vendor technology generating Network Protection data; required for this entire Enterprise Security domain. (for example, IDP, Proventia, ASA)

Traffic

Field Name Data Type Explanation
action string The action of the network traffic
bytes int Total count of bytes handled by this device/interface (bytes_in + bytes_out).
bytes_in int How many bytes this device/interface received.
bytes_out int How many bytes this device/interface transmitted.
transport string The transport protocol of the traffic observed (tcp, udp, icmp).
dvc string The name of the packet filtering device. (one of: dvc_host, dvc_ip, dvc_nt_host)
src string The source of the network traffic. (one of: src_host, src_ip, src_ipv6, src_nt_host)
dest string The destination of the network traffic. (one of: dest_host, dest_ip, dest_ipv6, dest_nt_host)
src_port int The source port of the network traffic
dest_port int The destination port of the network traffic
vendor string The vendor technology of the generating Network Protection data; required for this entire Enterprise Security domain. (for example, IDP, Proventia, ASA)
product string The product name of the vendor technology generating Network Protection data; required for this entire Enterprise Security domain. (for example, IDP, Proventia, ASA)

Malware

Field Name Data Type Explanation
product string The product name of the vendor technology generating NetworkProtection data; required for this entire Enterprise Security domain. (for example, IDP,Proventia,ASA)
severity string The severity of the NetworkProtection event. (i.e., critical,high,medium,low,informational).

Note: This field is a string. Please use the "severity_id" field for numbers.

vendor string The vendor technology generating NetworkProtection data; required for this entire Enterprise Security domain. (e.g., Juniper,ISS,Cisco)

Intrusion Detection

Field Name Data Type Explanation
signature string The name of the intrusion detected on the client (the "src")(for example, PlugAndPlay_BO, JavaScript_Obfuscation_Fre).

Note: This field is a string. Use the "signature_id" field for numbers.

dvc string The device that detected the event
category string The category of the signature triggered
severity string The severity of the Network Protection event. (for example, critical, high, medium, low, informational).

Note: This field is a string. Use the "severity_id" field for numbers.

src string The source involved in attack detected by the IDS. (one of: src_host, src_ip, src_ipv6, src_nt_host)
dest string The destination of the attack detected by the IDS. (one of: dest_host, dest_ip, dest_ipv6, dest_nt_host)
user string The user involved with the attack detected by the IDS
vendor string The vendor technology of the generating Network Protection data (for example, IDP, Proventia, ASA.)

Required for this entire Enterprise Security domain.

product string The product name of the vendor technology generating Network Protection data (for example, IDP, Proventia, ASA)

Required for this entire Enterprise Security domain.

ids_type string The type of IDS (intrusion detection system) that generated the events. Must be one of "wireless", "network", "host",or "application"; use with the ids and attack tags to indicate the event is related to an attack detected by an IDS.

Vulnerability

Field Name Data Type Explanation
signature string The name of the vulnerability detected on the client (the "src" field).
For example, SuSE Security Update: cups security update.
os string The operating system of the host containing the vulnerability detected on the client (the "src" field).
For example, SuSE Security Update: cups security update.
category string The category of the vulnerability discovered.
severity string The severity of the vulnerability discovered.
dest string The host that has the vulnerability discovered
For example one of:

dest_host,dest_ip,dest_ipv6,dest_nt_host).

cve Corresponds to an identifier provided in the Common Vulnerabilities and Exposures index, http://cve.mitre.org For example: cve: CVE-1999-0002

Description: Buffer overflow in NFS mountd gives root access to remote attackers, mostly in Linux systems.

bugtraq Corresponds to an identifier in the publicly available Bugtraq vulnerability database (searchable at http://www.securityfocus.com/bid/) For example: bugtraq: 52379

Description: Expat XML Parsing Multiple Remote Denial of Service Vulnerability

cert Corresponds to an identifier in the vulnerability database provided by the US Computer Emergency Readiness Team (US-CERT), http://www.kb.cert.org/vuls/ For example: cert: VU#636312

Description: Oracle Java JRE 1.7 Expression.execute() and SunToolkit.getField() fail to restrict access to privileged code

msft Corresponds to a Microsoft Security Advisory number (http://technet.microsoft.com/en-us/security/advisory/) For example: msft: 2743314

Description: Unencapsulated MS-CHAP v2 Authentication Could Allow Information Disclosure

mskb Corresponds to a Microsoft Knowledge Base article number (http://support.microsoft.com/kb/) For example: mskb: 2744850

Description: Implementing PEAP-MS-CHAP v2 authentication for Microsoft PPTP VPNs (http://support.microsoft.com/kb/2744850)

xref A cross-reference identifier associated with the vulnerability. In most cases, the xref field will contain both a short name of the database being cross-referenced in addition to the unique identifier used in the external database. In the following example "OSVDB" refers to the Open Source Vulnerability Database (http://osvdb.org). For example: xref: OSVDB:299

Description: Microsoft Windows NetBIOS Shares Access Control Weakness

This documentation applies to the following versions of ES: 2.0 , 2.2 , 2.2.1 , 2.4 , 2.4.1 View the Article History for its revisions.


You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!