Data source field mapping reference
In Splunk Asset and Risk Intelligence, data sources must have a common set of field mappings across each of the inventories. Splunk Asset and Risk Intelligence automatically maps the fields in known data sources to the relevant inventories. However, you must map certain fields in custom data sources to the appropriate inventories.
For custom batched data sources, you can map fields within the event search. For custom real-time data sources, you can map fields using field aliases, calculated fields, or field extractions.
Each inventory contains a different set of fields, but some inventories also share fields. The following list includes the inventories that you can map data sources to:
- Network
- IP
- MAC
- User
- Software
- Vulnerability
You don't need to map all of the fields in a data source. To see a reference list of the fields you can map for each inventory, see the following:
- Network inventory field mapping
- IP inventory field mapping
- MAC inventory field mapping
- User inventory field mapping
- Software inventory field mapping
- Vulnerability inventory field mapping
Some event searches for batched data sources contain a mapped field called ari_lastdetect
, which indicates when the record was last updated. If the ari_lastdetect
field is present, Splunk Asset and Risk Intelligence uses this field as the last detection date for the data source event. If there is no ari_lastdetect
field, then Splunk Asset and Risk Intelligence uses the _time
field from when the batched event search runs.
Network inventory field mapping
The network inventory contains the most data about an individual asset. Data sources mapped to this inventory must contain the ari_nt_host
field.
The following table lists all of the fields that you can map to the network inventory:
Input field | Description |
---|---|
ari_nt_host | Hostname of the asset. |
ari_vendor | Vendor of the asset. |
ari_user_id | Any user ID in the event. |
ari_dns | The FQDN of the asset. |
ari_ip | IP address of the asset. |
ari_ip_zone | IP zone address of the asset. If left blank, the value becomes default .
|
ari_ip_translated | Translated IP address of the asset. For example, an external IP of a VPN asset. |
ari_lastdetect | The last detection date of the source. If there is no ari_lastdetect date, then Splunk Asset and Risk Intelligence uses _time .
|
ari_mac | MAC address of the asset. |
ari_product | Product name of the asset. |
ari_product_version | Product version of the asset. |
ari_category | Category of the asset. For example, "Domain controller". |
asset_class | The class of the asset. For example, "Desktop". |
asset_type | The type of asset. For example, "Server" or "Workstation". |
av_version | The product version of AV used. |
business | Business name of the asset. |
bunit | Business unit of the asset. |
city | City location of the asset. |
classification | Data classification of the asset. For example, "Internal" or "Restricted". |
country | Country location of the asset in a 2-digit country code format. |
cpu_cores | Number of CPU cores. |
cpu_count | Number of CPUs. |
cpu_mhz | Megahertz value of the CPU. |
criticality | Criticality of the asset. For example, "Critical" or "Low". |
environment | Field used to collect environment information. For example, "Prod" or "Dev". |
fde_encrypted | Numeric indicator of whether full disk encryption is active. This is typically set to 1 or null, where 1 means it is encrypted. |
location_id | Any identifying location code. |
mem | Amount of RAM. |
os | Operating system. For example, "Windows 7". |
os_version | Full version of the operating system. For example, "10.3.4.23". |
primary_host | The primary host that this host runs on if it's virtual. |
priority | Priority of the asset. For example, "Critical" or "Low". |
provider | The asset provider. For example, "Amazon". |
region | Region of the asset. For example, "AMER". |
sensitivity | Sensitivity of the asset. For example, "Critical" or "Low". |
serial | Serial number of the asset. |
status | Status of the asset. For example, "Active" or "Decommissioned". |
IP inventory field mapping
The IP inventory captures all IP addresses associated with network assets. Data sources mapped to this inventory must contain the ari_ip
field.
The following table lists all of the fields that you can map to the IP inventory:
Input field | Description |
---|---|
ari_ip | IP address of the asset. |
business | Business name of the asset. |
bunit | Business unit of the asset. |
ari_ip_zone | IP zone address of the asset. If left blank, the value becomes default .
|
ari_ip_translated | Translated IP address of the asset, For example, an external IP of a VPN asset. |
ip_type | The type of IP address. For example, "VPN". |
location_id | Any identifying location code. |
ari_nt_host | Hostname of the asset. |
ari_user_id | User ID of the asset. |
ari_mac | MAC address of the asset. |
ari_lastdetect | The last detection date of the source. If there is no ari_lastdetect date, then Splunk Asset and Risk Intelligence uses _time .
|
MAC inventory field mapping
The MAC inventory captures all MAC addresses associated with network assets. Data sources mapped to this inventory must contain the ari_mac
field.
MAC addresses going into Splunk Asset and Risk Intelligence automatically have dashes or colons removed.
The following table lists all of the fields that you can map to the MAC inventory:
Input field | Description |
---|---|
ari_mac | MAC address of the asset. |
business | Business name of the asset. |
bunit | Business unit of the asset. |
location_id | Any identifying location code. |
ari_nt_host | Hostname of the asset. |
ari_user_id | User ID of the asset. |
ari_ip | IP address of the asset. |
ari_ip_zone | IP zone address of the asset. If left blank, the value becomes default .
|
ari_lastdetect | The last detection date of the source. If there is no ari_lastdetect date, then Splunk Asset and Risk Intelligence uses _time .
|
mac_product | The product associated with the MAC address. |
mac_vendor | The vendor associated with the MAC address. |
User inventory field mapping
The user inventory captures all users associated with network assets. Data sources mapped to this inventory must contain the ari_user_id
field.
The following table lists all of the fields that you can map to the user inventory:
Input field | Description |
---|---|
ari_user_id | User ID of the asset. |
business | Business name of the asset. |
bunit | Business unit of the asset. |
ari_ip | IP address of the asset. |
ari_ip_zone | IP zone address of the asset. If left blank, the value becomes default .
|
ari_nt_host | Hostname of the asset. |
ari_mac | MAC address of the asset. |
ari_domain | AD user domain information. |
ari_lastdetect | The last detection date of the source. If there is no ari_lastdetect date, then Splunk Asset and Risk Intelligence uses _time .
|
Software inventory field mapping
The software inventory captures all software products associated with network assets. Data sources mapped to this inventory must contain the ari_software_product
field and the ari_nt_host
field.
The following table lists all of the fields that you can map to the software inventory:
Input field | Description |
---|---|
ari_nt_host | Hostname of the asset. |
ari_software_product | Software product name. |
ari_software_version | Software product version. |
ari_software_vendor | Software product vendor name. |
business | Business name of the asset. |
ari_lastdetect | The last detection date of the source. If there is no ari_lastdetect date, then Splunk Asset and Risk Intelligence uses _time .
|
Vulnerability inventory field mapping
The vulnerability inventory captures all vulnerabilities associated with network assets. Data sources mapped to this inventory must contain the signature
field and the ari_nt_host
field.
The following table lists all of the fields that you can map to the vulnerability inventory:
Input field | Description |
---|---|
signature | Signature of the vulnerability. |
ari_nt_host | Hostname of the asset. |
ari_user_id | User ID of the asset. |
agentuuid | UUID of vulnerable agent. |
assetuuid | UUID of vulnerable asset. |
business | Business name of the asset. |
bunit | Business unit of the asset. |
category | The category of the discovered vulnerability. For example, "DoS". |
cert | The identifier in the vulnerability database provided by the United States Computer Emergency Readiness Team. |
cve | The identifier provided in the Common Vulnerabilities and Exposures index. |
cvss | The numeric indicator of the common vulnerability scoring system. |
msft | The Microsoft Security Advisory number. |
mskb | The Microsoft Knowledge Base article number. |
os | Operating system of the asset. |
plugin_id | Vulnerability plugin ID, which you can use to pull back the description, solution, references, and other data for that plugin ID. |
protocol | Protocol linked to the vulnerability. For example, "https". |
scan_type | The type of scan. |
scan_uuid | Unique identifier of the scan. |
service | Any services linked to the vulnerability. |
severity | Severity of the vulnerability. |
severity_id | Severity ID of the vulnerability. |
signature_id | The unique identifier or event code of the event signature. |
state | The current state of the vulnerability. |
url | The URL involved in the discovered vulnerability. |
xref | A cross-reference identifier associated with the vulnerability. In most cases, the xref field contains both the short name of the cross-referenced database and the unique identifier used in the external database.
|
port | Port used by the vulnerability. |
ari_lastdetect | The last detection date of the source. If there is no ari_lastdetect date, then Splunk Asset and Risk Intelligence uses _time .
|
ari_firstdetect | The first detection date of the source. If there is no ari_firstdetect date, then Splunk Asset and Risk Intelligence uses ari_lastdetect .
|
vendor_product | Software product vendor name. |
Activate data sources in Splunk Asset and Risk Intelligence | Add a custom field in Splunk Asset and Risk Intelligence |
This documentation applies to the following versions of Splunk® Asset and Risk Intelligence: 1.0.0, 1.0.1, 1.0.2
Feedback submitted, thanks!