Common Information Model field reference
The tables below define the fields used in the Common Information Model. The Data Type column describes the type of data expected and the Description provides information about what the value of the field should represent and which values are allowed (if the field is restricted to a defined set of potential values).
Access Protection
The Access Protection domain provides information about authentication attempts and access control related events (login, logout, access allowed, access failure, use of default accounts, and so on).
Account Management
| Field Name | Data Type | Explanation |
|---|---|---|
| signature | string | Description of the change performed |
| src_nt_domain | string | The domain that contains the user that generated the account management event |
| dest_nt_domain | string | The domain that contains the user that is affected by the account management event |
Authentication
| Field Name | Data Type | Explanation |
|---|---|---|
| action | string | Must be either "success" or "failure". |
| app | string | The application involved in authentication. (for example, ssh, splunk, win:local). |
| dest | string | The target involved in authentication. (one of: dest_host, dest_ip, dest_ipv6, dest_nt_host) |
| src | string | The source involved in authentication. (one of: src_host, src_ip, src_ipv6, src_nt_host) |
| src_user | string | Privilege escalation events must include this field to represent the user who initiated the privilege escalation. |
| user | string | The user involved in authentication. For privilege escalation events this should represent the user targeted by the escalation. |
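As an added illustration of how the Authentication fields above are populated from raw events (this is not Splunk's code and not part of the reference itself), the following Python maps sshd and sudo log lines to CIM field names and checks the constraints the table states: `action` restricted to "success" or "failure", and `src_user` present on privilege escalation events. The log lines, the host name and the IP addresses are constructed for the example; the sudo mapping (calling user as `src_user`, target account as `user`) is an assumption about how an escalation event is represented.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log lines (not from any real system).
SAMPLE_LINES = [
    "Jan 12 10:01:02 bastion sshd[2311]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2",
    "Jan 12 10:01:09 bastion sshd[2315]: Failed password for invalid user admin from 203.0.113.7 port 40022 ssh2",
    "Jan 12 10:02:00 bastion sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart sshd",
]

ALLOWED_ACTIONS = {"success", "failure"}          # CIM: action must be one of these
REQUIRED_FIELDS = ("action", "app", "dest", "src", "user")

_TS = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
SSH_RE = re.compile(_TS + r"sshd\[\d+\]: (?P<outcome>Accepted|Failed) (?P<method>\S+) for "
                          r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")
SUDO_RE = re.compile(_TS + r"sudo:\s+(?P<src_user>\S+) : .*?USER=(?P<user>\S+)")


def normalize(line: str) -> Optional[Dict[str, str]]:
    """Map one raw line to CIM Authentication fields, or None if unrecognised."""
    m = SSH_RE.match(line)
    if m:
        return {
            "action": "success" if m.group("outcome") == "Accepted" else "failure",
            "app": "ssh",
            "dest": m.group("host"),     # host the login targeted (dest_host)
            "src": m.group("src"),       # client address (src_ip)
            "user": m.group("user"),
        }
    m = SUDO_RE.match(line)
    if m:
        # Privilege escalation: src_user initiated it, user is the account targeted.
        return {
            "action": "success",
            "app": "sudo",
            "dest": m.group("host"),
            "src": m.group("host"),      # local escalation: source is the host itself (assumption)
            "src_user": m.group("src_user"),
            "user": m.group("user"),
            "privilege_escalation": "true",
        }
    return None


def validate(event: Dict[str, str]) -> List[str]:
    """Return a list of CIM constraint violations (empty list means compliant)."""
    problems = [f"missing {f}" for f in REQUIRED_FIELDS if f not in event]
    if event.get("action") not in ALLOWED_ACTIONS:
        problems.append(f"action {event.get('action')!r} not in {sorted(ALLOWED_ACTIONS)}")
    if event.get("privilege_escalation") == "true" and "src_user" not in event:
        problems.append("privilege escalation event lacks src_user")
    return problems


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = normalize(line)
        print(ev, validate(ev) if ev else "unrecognised")
```

Running the block prints each normalized event together with its validation result; a line the regexes do not recognise is reported rather than silently emitted as a half-populated event.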
Endpoint Protection
The Endpoint Protection domain includes information about endpoints such as malware infections, system configuration, system state (CPU usage, open ports, uptime, etc.), system update history (which updates have been applied), and time synchronization information.
Authentication
| Field Name | Data Type | Explanation |
|---|---|---|
| src | string | The client. Required for this entire Enterprise Security domain. (one of: src_host, src_ip, src_nt_host) |
Change Analysis
| Field Name | Data Type | Explanation |
|---|---|---|
| dest | string | The host that was affected by the change (one of: dest_host, dest_ip, dest_ipv6, dest_nt_host) |
| change_type | string | The type of change discovered |
| action | string | The action performed on the resource |
| path | string | The path of the resource that was changed |
| isdir | Boolean | Indicates whether or not the resource changed is a directory |
| size | int | The size of the object changed |
| gid | int | The group ID of the item changed |
| uid | int | The user ID of the item changed |
| modtime | string | The modification time of the modified resource |
| mode | int | The permissions mode of the modified resource |
| hash | string | The hash signature of the modified resource. |
Update
| Field Name | Data Type | Explanation |
|---|---|---|
| package | string | Name of the update that was installed |
Malware
| Field Name | Data Type | Explanation |
|---|---|---|
| action | string | The outcome of the infection; must be one of "allowed", "blocked", or "deferred". |
| product | string | The product name of the vendor technology (the "vendor" field) generating malware data. (for example, Antivirus, EPO) |
| signature | string | The name of the malware infection detected on the client (the "src") (for example, Trojan.Vundo, Spyware.Gaobot, W32.Nimbda). Note: This field is a string. Use the "signature_id" field for numbers. |
| dest | string | The target affected or infected by the malware (for example, dest_host, dest_ip, dest_ipv6, dest_nt_host). |
| dest_nt_domain | string | The NT domain of the destination (the "dest_bestmatch"). |
| src_nt_domain | string | The NT domain of the source (the "src") |
| vendor | string | The name of the vendor technology generating malware data. (for example, Symantec, McAfee) |
| file_path | string | The path of the file in the event (such as the infected or malicious file) |
| file_hash | string | The cryptographic hash of the file associated with the event (such as the infected or malicious file). |
| user | string | The user involved in a malware event |
| file_name | string | The name of the file in the event (such as the infected or malicious file) |
| product_version | string | The product version number of the vendor technology installed on the client (for example, 10.4.3, 11.0.2) |
| signature_version | string | The current signature set (a.k.a. definitions) running on the client. (for example, 11hsvx) |
System Center
| Field Name | Data Type | Explanation |
|---|---|---|
| TotalMBytes | int | The amount of memory available on the system (the "src" field). |
| UsedMBytes | int | The amount of memory used on the system (the "src" field). |
| FreeMBytes | int | The amount of disk space available per drive or mount (the "mount" field) on the system (the "src" field). |
| mount | string | The drive or mount reporting available disk space (the "FreeMegabytes" field) on the system (the "src" field). |
| PercentProcessorTime | int | The percentage of processor utilization. |
| src_port | int | The TCP/UDP source port on the system |
| app | string | The running application or service (e.g., explorer.exe, sshd) on the system (the "src" field). |
| user | string | The User Account present on the system (the "src" field). |
| shell | string | The shell provided to the User Account (the "user" field) upon logging into the system (the "src" field). |
| setlocaldefs | int | The setlocaldefs setting from the SE Linux configuration |
| Startmode | string | The start mode of the given service (disabled, enabled, or auto). |
| sshd_protocol | string | The version of the sshd protocol. |
| selinux | string | Values from the selinux configuration file (disabled or enforcing) |
| selinuxtype | string | The SE Linux type (such as targeted) |
| updates | int | The number of updates the system (the "src" field) is missing. |
| SystemUptime | int | The number of seconds since the system (the "src") has been "up". |
| label | string | Human-readable version of the system uptime. |
| os | string | The name of the operating system installed on the host (the "src"). (for example, Microsoft Windows Server 2003, GNU/Linux) |
| kernel_release | string | The version of operating system installed on the host (the "src"). (for example, 6.0.1.4, 2.6.27.30-170.2.82.fc10.x86_64) |
Network Protection
Network Protection includes information about network traffic provided from devices such as firewalls, routers, and network based intrusion detection systems.
Change Analysis
| Field Name | Data Type | Explanation |
|---|---|---|
| dvc | string | The device that is directly affected by the change |
| action | string | The type of change observed. |
| user | string | The user that initiated the given change |
| command | string | The command that initiated the given change |
Proxy
| Field Name | Data Type | Explanation |
|---|---|---|
| action | string | The action taken by the proxy. |
| status | int | The HTTP response code indicating the status of the proxy request (404, 302, 500, etc.) |
| src | string | The source of the network traffic (the client requesting the connection) |
| dest | string | The destination of the network traffic (the remote host) |
| http_content_type | string | The content-type of the resource requested. |
| http_refer | string | The HTTP referrer used in requesting the HTTP resource. |
| http_user_agent | string | The user agent used when requesting the HTTP resource. |
| http_method | string | The HTTP method used to request the resource (GET, POST, DELETE, and so on) |
| user | string | The user that requested the HTTP resource |
| url | string | The URL of the requested HTTP resource |
| vendor | string | The vendor technology of the generating Network Protection data; required for this entire Enterprise Security domain. (for example, IDP, Proventia, ASA) |
| product | string | The product name of the vendor technology generating Network Protection data; required for this entire Enterprise Security domain. (for example, IDP, Proventia, ASA) |
Traffic
| Field Name | Data Type | Explanation |
|---|---|---|
| action | string | The action of the network traffic |
| bytes | int | Total count of bytes handled by this device/interface (bytes_in + bytes_out). |
| bytes_in | int | How many bytes this device/interface received. |
| bytes_out | int | How many bytes this device/interface transmitted. |
| transport | string | The transport protocol of the traffic observed (tcp, udp, icmp). |
| dvc | string | The name of the packet filtering device. (one of: dvc_host, dvc_ip, dvc_nt_host) |
| src | string | The source of the network traffic. (one of: src_host, src_ip, src_ipv6, src_nt_host) |
| dest | string | The destination of the network traffic. (one of: dest_host, dest_ip, dest_ipv6, dest_nt_host) |
| src_port | int | The source port of the network traffic |
| dest_port | int | The destination port of the network traffic |
| vendor | string | The vendor technology of the generating Network Protection data; required for this entire Enterprise Security domain. (for example, IDP, Proventia, ASA) |
| product | string | The product name of the vendor technology generating Network Protection data; required for this entire Enterprise Security domain. (for example, IDP, Proventia, ASA) |
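As an added example (not Splunk's code and not part of this reference), the following Python takes constructed key=value firewall records, resolves `src`, `dest` and `dvc` from the alternative fields the Traffic table lists, derives `bytes` as `bytes_in + bytes_out`, and reports records that violate the table's constraints. The record format, the device name and the addresses are constructed for the example; the `proto` key is an assumed vendor name for what CIM calls `transport`.

```python
from typing import Dict, List

# Constructed sample records (not from any real device).
SAMPLE_RECORDS = [
    "action=allowed src_ip=10.0.0.5 dest_ip=198.51.100.20 src_port=51234 dest_port=443 proto=tcp bytes_in=1200 bytes_out=8400 dvc_host=fw01",
    "action=blocked src_ip=203.0.113.9 src_port=40000 dest_port=22 proto=tcp bytes_in=60 bytes_out=0 dvc_host=fw01",
    "action=allowed src_host=dns1 dest_ip=192.0.2.53 src_port=53 dest_port=53 proto=udp bytes=500 bytes_in=200 bytes_out=200 dvc_ip=192.0.2.1",
]

TRANSPORTS = {"tcp", "udp", "icmp"}
# Alternatives the table allows for each composite field, in preference order.
ALTERNATIVES = {
    "src": ("src_host", "src_ip", "src_ipv6", "src_nt_host"),
    "dest": ("dest_host", "dest_ip", "dest_ipv6", "dest_nt_host"),
    "dvc": ("dvc_host", "dvc_ip", "dvc_nt_host"),
}


def parse_kv(record: str) -> Dict[str, str]:
    """Split a space-separated key=value record into a dict."""
    return dict(tok.split("=", 1) for tok in record.split() if "=" in tok)


def to_cim_traffic(kv: Dict[str, str]) -> Dict[str, object]:
    """Map vendor keys to CIM Traffic fields; numeric fields become int."""
    ev: Dict[str, object] = {"action": kv.get("action")}
    for field, alts in ALTERNATIVES.items():
        for alt in alts:
            if alt in kv:
                ev[field] = kv[alt]
                break
    ev["transport"] = kv.get("proto", "").lower()   # assumed vendor key name
    for f in ("src_port", "dest_port", "bytes_in", "bytes_out", "bytes"):
        if f in kv and kv[f].isdigit():
            ev[f] = int(kv[f])
    if "bytes" not in ev and "bytes_in" in ev and "bytes_out" in ev:
        ev["bytes"] = ev["bytes_in"] + ev["bytes_out"]
    return ev


def validate_traffic(ev: Dict[str, object]) -> List[str]:
    """Return constraint violations against the Traffic field definitions."""
    problems = [f"missing {f}" for f in ("action", "dvc", "src", "dest") if f not in ev]
    if ev.get("transport") not in TRANSPORTS:
        problems.append(f"transport {ev.get('transport')!r} not in {sorted(TRANSPORTS)}")
    for p in ("src_port", "dest_port"):
        if p in ev and not 0 <= ev[p] <= 65535:
            problems.append(f"{p} out of range")
    if all(k in ev for k in ("bytes", "bytes_in", "bytes_out")) and ev["bytes"] != ev["bytes_in"] + ev["bytes_out"]:
        problems.append("bytes != bytes_in + bytes_out")
    return problems


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        ev = to_cim_traffic(parse_kv(rec))
        print(ev, validate_traffic(ev))
```

The second record is a blocked inbound attempt with no destination field at all, and the third carries a `bytes` value that disagrees with its components; both surface as validation problems rather than being indexed as clean CIM events.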
Malware
| Field Name | Data Type | Explanation |
|---|---|---|
| product | string | The product name of the vendor technology generating Network Protection data; required for this entire Enterprise Security domain. (for example, IDP, Proventia, ASA) |
| severity | string | The severity of the Network Protection event. (for example, critical, high, medium, low, informational). Note: This field is a string. Use the "severity_id" field for numbers. |
| vendor | string | The vendor technology generating Network Protection data; required for this entire Enterprise Security domain. (for example, Juniper, ISS, Cisco) |
Intrusion Detection
| Field Name | Data Type | Explanation |
|---|---|---|
| signature | string | The name of the intrusion detected on the client (the "src") (for example, PlugAndPlay_BO, JavaScript_Obfuscation_Fre). Note: This field is a string. Use the "signature_id" field for numbers. |
| dvc | string | The device that detected the event |
| category | string | The category of the signature triggered |
| severity | string | The severity of the Network Protection event. (for example, critical, high, medium, low, informational). Note: This field is a string. Use the "severity_id" field for numbers. |
| src | string | The source involved in the attack detected by the IDS. (one of: src_host, src_ip, src_ipv6, src_nt_host) |
| dest | string | The destination of the attack detected by the IDS. (one of: dest_host, dest_ip, dest_ipv6, dest_nt_host) |
| user | string | The user involved with the attack detected by the IDS |
| vendor | string | The vendor technology generating Network Protection data (for example, IDP, Proventia, ASA). Required for this entire Enterprise Security domain. |
| product | string | The product name of the vendor technology generating Network Protection data (for example, IDP, Proventia, ASA). Required for this entire Enterprise Security domain. |
| ids_type | string | The type of IDS (intrusion detection system) that generated the events. Must be one of "wireless", "network", "host", or "application"; use with the ids and attack tags to indicate the event is related to an attack detected by an IDS. |
Vulnerability
| Field Name | Data Type | Explanation |
|---|---|---|
| signature | string | The name of the vulnerability detected on the client (the "src" field). For example, SuSE Security Update: cups security update. |
| os | string | The operating system of the host containing the vulnerability detected on the client (the "src" field). For example, SuSE Security Update: cups security update. |
| category | string | The category of the vulnerability discovered. |
| severity | string | The severity of the vulnerability discovered. |
| dest | string | The host that has the vulnerability discovered (one of: dest_host, dest_ip, dest_ipv6, dest_nt_host). |
| cve | Corresponds to an identifier provided in the Common Vulnerabilities and Exposures index, http://cve.mitre.org | For example: cve: CVE-1999-0002 Description: Buffer overflow in NFS mountd gives root access to remote attackers, mostly in Linux systems. |
| bugtraq | Corresponds to an identifier in the publicly available Bugtraq vulnerability database (searchable at http://www.securityfocus.com/bid/) | For example: bugtraq: 52379 Description: Expat XML Parsing Multiple Remote Denial of Service Vulnerability |
| cert | Corresponds to an identifier in the vulnerability database provided by the US Computer Emergency Readiness Team (US-CERT), http://www.kb.cert.org/vuls/ | For example: cert: VU#636312 Description: Oracle Java JRE 1.7 |
| msft | Corresponds to a Microsoft Security Advisory number (http://technet.microsoft.com/en-us/security/advisory/) | For example: msft: 2743314 Description: Unencapsulated MS-CHAP v2 Authentication Could Allow Information Disclosure |
| mskb | Corresponds to a Microsoft Knowledge Base article number (http://support.microsoft.com/kb/) | For example: mskb: 2744850 Description: Implementing PEAP-MS-CHAP v2 authentication for Microsoft PPTP VPNs (http://support.microsoft.com/kb/2744850) |
| xref | A cross-reference identifier associated with the vulnerability. In most cases, the xref field will contain both a short name of the database being cross-referenced in addition to the unique identifier used in the external database. In the following example "OSVDB" refers to the Open Source Vulnerability Database (http://osvdb.org). | For example: xref: OSVDB:299 Description: Microsoft Windows NetBIOS Shares Access Control Weakness |
This documentation applies to the following versions of ES: 2.0, 2.2, 2.2.1, 2.4