Splunk® Asset and Risk Intelligence

Administer Splunk Asset and Risk Intelligence

Splunk Asset and Risk Intelligence is not compatible with Splunk Enterprise 9.1.2 because of known issues SPL-237796 and SPL-248319, in which search results in "results" have more rows than expected. Upgrade to Splunk Enterprise 9.1.3 to use Splunk Asset and Risk Intelligence.

Data source field mapping reference

In Splunk Asset and Risk Intelligence, data sources must have a common set of field mappings across each of the inventories. Splunk Asset and Risk Intelligence automatically maps the fields in known data sources to the relevant inventories. However, you must map certain fields in custom data sources to the appropriate inventories.

For custom batched data sources, you can map fields within the event search. For custom real-time data sources, you can map fields using field aliases, calculated fields, or field extractions.

Each inventory contains a different set of fields, but some inventories also share fields. The following list includes the inventories that you can map data sources to:

  • Network
  • IP
  • MAC
  • User
  • Software
  • Vulnerability

You don't need to map all of the fields in a data source. For a reference list of the fields you can map for each inventory, see the inventory sections later in this topic.

Some event searches for batched data sources contain a mapped field called ari_lastdetect, which indicates when the record was last updated. If the ari_lastdetect field is present, Splunk Asset and Risk Intelligence uses this field as the last detection date for the data source event. If there is no ari_lastdetect field, then Splunk Asset and Risk Intelligence uses the _time field from when the batched event search runs.

Network inventory field mapping

The network inventory contains the most data about an individual asset. Data sources mapped to this inventory must contain the ari_nt_host field.

The following table lists all of the fields that you can map to the network inventory:

Input field Description
ari_nt_host Hostname of the asset.
ari_vendor Vendor of the asset.
ari_user_id Any user ID in the event.
ari_dns The FQDN of the asset.
ari_ip IP address of the asset.
ari_ip_zone IP zone address of the asset. If left blank, the value becomes default.
ari_ip_translated Translated IP address of the asset. For example, an external IP of a VPN asset.
ari_lastdetect The last detection date of the source. If there is no ari_lastdetect date, then Splunk Asset and Risk Intelligence uses _time.
ari_mac MAC address of the asset.
ari_product Product name of the asset.
ari_product_version Product version of the asset.
ari_category Category of the asset. For example, "Domain controller".
asset_class The class of the asset. For example, "Desktop".
asset_type The type of asset. For example, "Server" or "Workstation".
av_version The product version of AV used.
business Business name of the asset.
bunit Business unit of the asset.
city City location of the asset.
classification Data classification of the asset. For example, "Internal" or "Restricted".
country Country location of the asset in a 2-digit country code format.
cpu_cores Number of CPU cores.
cpu_count Number of CPUs.
cpu_mhz Megahertz value of the CPU.
criticality Criticality of the asset. For example, "Critical" or "Low".
environment Field used to collect environment information. For example, "Prod" or "Dev".
fde_encrypted Numeric indicator of whether full disk encryption is active. This is typically set to 1 or null, where 1 means it is encrypted.
location_id Any identifying location code.
mem Amount of RAM.
os Operating system. For example, "Windows 7".
os_version Full version of the operating system. For example, "10.3.4.23".
primary_host The primary host that this host runs on if it's virtual.
priority Priority of the asset. For example, "Critical" or "Low".
provider The asset provider. For example, "Amazon".
region Region of the asset. For example, "AMER".
sensitivity Sensitivity of the asset. For example, "Critical" or "Low".
serial Serial number of the asset.
status Status of the asset. For example, "Active" or "Decommissioned".

IP inventory field mapping

The IP inventory captures all IP addresses associated with network assets. Data sources mapped to this inventory must contain the ari_ip field.

The following table lists all of the fields that you can map to the IP inventory:

Input field Description
ari_ip IP address of the asset.
business Business name of the asset.
bunit Business unit of the asset.
ari_ip_zone IP zone address of the asset. If left blank, the value becomes default.
ari_ip_translated Translated IP address of the asset. For example, an external IP of a VPN asset.
ip_type The type of IP address. For example, "VPN".
location_id Any identifying location code.
ari_nt_host Hostname of the asset.
ari_user_id User ID of the asset.
ari_mac MAC address of the asset.
ari_lastdetect The last detection date of the source. If there is no ari_lastdetect date, then Splunk Asset and Risk Intelligence uses _time.

MAC inventory field mapping

The MAC inventory captures all MAC addresses associated with network assets. Data sources mapped to this inventory must contain the ari_mac field.

MAC addresses going into Splunk Asset and Risk Intelligence automatically have dashes or colons removed.

The following table lists all of the fields that you can map to the MAC inventory:

Input field Description
ari_mac MAC address of the asset.
business Business name of the asset.
bunit Business unit of the asset.
location_id Any identifying location code.
ari_nt_host Hostname of the asset.
ari_user_id User ID of the asset.
ari_ip IP address of the asset.
ari_ip_zone IP zone address of the asset. If left blank, the value becomes default.
ari_lastdetect The last detection date of the source. If there is no ari_lastdetect date, then Splunk Asset and Risk Intelligence uses _time.
mac_product The product associated with the MAC address.
mac_vendor The vendor associated with the MAC address.

User inventory field mapping

The user inventory captures all users associated with network assets. Data sources mapped to this inventory must contain the ari_user_id field.

The following table lists all of the fields that you can map to the user inventory:

Input field Description
ari_user_id User ID of the asset.
business Business name of the asset.
bunit Business unit of the asset.
ari_ip IP address of the asset.
ari_ip_zone IP zone address of the asset. If left blank, the value becomes default.
ari_nt_host Hostname of the asset.
ari_mac MAC address of the asset.
ari_domain AD user domain information.
ari_lastdetect The last detection date of the source. If there is no ari_lastdetect date, then Splunk Asset and Risk Intelligence uses _time.

Software inventory field mapping

The software inventory captures all software products associated with network assets. Data sources mapped to this inventory must contain the ari_software_product field and the ari_nt_host field.

The following table lists all of the fields that you can map to the software inventory:

Input field Description
ari_nt_host Hostname of the asset.
ari_software_product Software product name.
ari_software_version Software product version.
ari_software_vendor Software product vendor name.
business Business name of the asset.
ari_lastdetect The last detection date of the source. If there is no ari_lastdetect date, then Splunk Asset and Risk Intelligence uses _time.

Vulnerability inventory field mapping

The vulnerability inventory captures all vulnerabilities associated with network assets. Data sources mapped to this inventory must contain the signature field and the ari_nt_host field.

The following table lists all of the fields that you can map to the vulnerability inventory:

Input field Description
signature Signature of the vulnerability.
ari_nt_host Hostname of the asset.
ari_user_id User ID of the asset.
agentuuid UUID of vulnerable agent.
assetuuid UUID of vulnerable asset.
business Business name of the asset.
bunit Business unit of the asset.
category The category of the discovered vulnerability. For example, "DoS".
cert The identifier in the vulnerability database provided by the United States Computer Emergency Readiness Team.
cve The identifier provided in the Common Vulnerabilities and Exposures index.
cvss The numeric indicator of the common vulnerability scoring system.
msft The Microsoft Security Advisory number.
mskb The Microsoft Knowledge Base article number.
os Operating system of the asset.
plugin_id Vulnerability plugin ID, which you can use to pull back the description, solution, references, and other data for that plugin ID.
protocol Protocol linked to the vulnerability. For example, "https".
scan_type The type of scan.
scan_uuid Unique identifier of the scan.
service Any services linked to the vulnerability.
severity Severity of the vulnerability.
severity_id Severity ID of the vulnerability.
signature_id The unique identifier or event code of the event signature.
state The current state of the vulnerability.
url The URL involved in the discovered vulnerability.
xref A cross-reference identifier associated with the vulnerability. In most cases, the xref field contains both the short name of the cross-referenced database and the unique identifier used in the external database.
port Port used by the vulnerability.
ari_lastdetect The last detection date of the source. If there is no ari_lastdetect date, then Splunk Asset and Risk Intelligence uses _time.
ari_firstdetect The first detection date of the source. If there is no ari_firstdetect date, then Splunk Asset and Risk Intelligence uses ari_lastdetect.
vendor_product Software product vendor name.
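
The required-field rules and fallbacks from the sections above, collected into a pre-flight check you can run on a sample record from a custom data source before activating it. This is an added example, not Splunk code: the function names and the sample record are constructed, and it models only the behavior this page states (required fields per inventory, MAC separator removal, the default IP zone, and the ari_lastdetect and ari_firstdetect fallbacks).

```python
# Added example: check one mapped record against the rules stated on this page.
# Field names and rules come from the page; helper names and sample data are constructed.

REQUIRED = {  # fields each inventory's data source must contain
    "network": ["ari_nt_host"],
    "ip": ["ari_ip"],
    "mac": ["ari_mac"],
    "user": ["ari_user_id"],
    "software": ["ari_software_product", "ari_nt_host"],
    "vulnerability": ["signature", "ari_nt_host"],
}

def _present(value):
    # Treat None, empty and whitespace-only values as "not mapped".
    return value is not None and str(value).strip() != ""

def normalize(record):
    """Return a copy with the documented defaults and fallbacks applied."""
    out = {k: v for k, v in record.items() if _present(v)}
    if "ari_mac" in out:
        # Dashes and colons are removed from MAC addresses.
        out["ari_mac"] = str(out["ari_mac"]).replace("-", "").replace(":", "")
    out.setdefault("ari_ip_zone", "default")        # blank zone becomes "default"
    if "ari_lastdetect" not in out and "_time" in out:
        out["ari_lastdetect"] = out["_time"]        # fallback to _time
    if "signature" in out and "ari_lastdetect" in out:
        # Vulnerability inventory only: first detection falls back to last detection.
        out.setdefault("ari_firstdetect", out["ari_lastdetect"])
    return out

def eligible_inventories(record):
    """Inventories whose required fields are all present in the record."""
    rec = normalize(record)
    return [inv for inv, need in REQUIRED.items() if all(f in rec for f in need)]

def missing_for(record, inventory):
    """Required fields the record still lacks for one inventory."""
    rec = normalize(record)
    return [f for f in REQUIRED[inventory] if f not in rec]

SAMPLE = {  # constructed record, as a custom source might look after field mapping
    "_time": 1722850000, "ari_nt_host": "build-agent-07", "ari_ip": "10.20.30.40",
    "ari_mac": "00-1A:2b-3C:4d-5E", "ari_ip_zone": "", "ari_user_id": " ",
    "signature": "Constructed finding name",
}

if __name__ == "__main__":
    print(normalize(SAMPLE))
    print(eligible_inventories(SAMPLE))
    print(missing_for(SAMPLE, "software"))
```
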
Last modified on 05 August, 2024

This documentation applies to the following versions of Splunk® Asset and Risk Intelligence: 1.0.0, 1.0.1

