Change Analysis

The fields in the Change Analysis data model and event category describe Create, Read, Update, and Delete activities from any data source.
Tags used with the Change Analysis event category

Object name(s) | Tag name | Required? |
---|---|---|
All_Changes | change | YES |
All_Changes, Endpoint_Changes | endpoint | YES |
All_Changes, Network | network | YES |
All_Changes, Account_Management | account | YES |
Fields for the Change Analysis event category

Object name(s) | Field name | Data type | Description | Expected values |
---|---|---|---|---|
Account_Management | src_user_bunit | string | Derived field provided by the Asset and Identity correlation features of certain advanced applications, such as the Splunk App for Enterprise Security. Leave it blank when writing add-ons. | |
Account_Management | src_user_category | string | Derived field provided by Asset and Identity correlation (see src_user_bunit). Leave it blank when writing add-ons. | |
Account_Management | dest_nt_domain | string | The NT domain of the destination, if applicable. | |
All_Changes | action | string | The action performed on the resource. | created, read, modified, deleted, acl_modified, unknown |
All_Changes | change_type | string | The type of change, such as filesystem or AAA. | |
All_Changes | command | string | The command that initiated the change. | |
All_Changes | dest | string | The resource where the change occurred. May be aliased from more specific fields, such as dest_host, dest_ip, or dest_name. | |
All_Changes | dest_bunit | string | Derived field provided by the Asset and Identity correlation features of certain advanced applications, such as the Splunk App for Enterprise Security. Leave it blank when writing add-ons. | |
All_Changes | dest_category | string | Derived field provided by Asset and Identity correlation (see dest_bunit). Leave it blank when writing add-ons. | |
All_Changes | dvc | string | The device that reported the change, if applicable, such as a FIP or CIM server. May be aliased from more specific fields, such as dvc_host, dvc_ip, or dvc_name. | |
All_Changes | object | string | Name of the affected object on the resource (such as a router interface, user account, or server volume). | |
All_Changes | object_attrs | MV string | The attributes that were updated on the updated resource object, if applicable. | |
All_Changes | object_id | string | The unique updated resource object ID as presented to the system, if applicable (for instance, a SID, UUID, or GUID value). | |
All_Changes | object_path | string | The path of the modified resource object, if applicable (such as a file, directory, or volume). | |
All_Changes | product | string | The product or service that detected the change. This field is used to automatically produce the vendor_product field used by data models. | |
All_Changes | result | string | The vendor-specific result of a change, or clarification of an action status. For instance, status=failure may be accompanied by result=blocked by policy or result=disk full. Note: result is a string. Use a msg_severity_id field for severity ID fields that are integer data types. | |
All_Changes | result_id | string | A numeric result indicator for an action status. | |
All_Changes | src | string | The resource where the change originated. May be aliased from more specific fields, such as src_host. | |
All_Changes | src_bunit | string | Derived field provided by the Asset and Identity correlation features of certain advanced applications, such as the Splunk App for Enterprise Security. Leave it blank when writing add-ons. | |
All_Changes | src_category | string | Derived field provided by Asset and Identity correlation (see src_bunit). Leave it blank when writing add-ons. | |
All_Changes | status | string | Status of the update. | success, failure, unknown |
All_Changes | tag | string | This automatically generated field is used to access tags from within data models. Add-on builders do not need to populate it. | |
All_Changes | user | string | The user or entity performing the change (can be a UID or PID). | |
All_Changes | vendor | string | The vendor of the device that detected the change, such as Splunk, IBM, or Tripwire. This field is used to automatically produce the vendor_product field used by data models. | |
Filesystem_Changes | file_access_time | timestamp | The time the file (the object of the event) was accessed. | |
Filesystem_Changes | file_acl | string | Access controls associated with the file affected by the event. | |
Filesystem_Changes | file_create_time | timestamp | The time the file (the object of the event) was created. | |
Filesystem_Changes | file_hash | string | A cryptographic identifier assigned to the file object affected by the event. | |
Filesystem_Changes | file_modify_time | timestamp | The time the file (the object of the event) was altered. | |
Filesystem_Changes | file_name | string | The name of the file that is the object of the event (without location information related to the local file or directory structure). | |
Filesystem_Changes | file_path | string | The location of the file that is the object of the event, in local file and directory structure terms. | |
Filesystem_Changes | file_size | int | The size of the file that is the object of the event, in kilobytes. | |
Registry_Changes | object_category | string | Generic name for the class of the updated resource object. Expected values may be specific to an app. | directory, file, group, object, registry, unknown, user |
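As an added example that is not from the Splunk CIM documentation or any add-on, the following Python normalises a constructed record from a fictional file-audit agent into Change Analysis fields and checks it against the expected values and the leave-blank rule from the table above; the vendor verb names, the sample record and the ExampleCorp names are assumptions.

```python
# Added example (not from the Splunk CIM docs): normalise a constructed vendor
# file-audit record into Change Analysis fields and check the expected values.

# Expected values taken from the field table above.
ACTIONS = {"created", "read", "modified", "deleted", "acl_modified", "unknown"}
STATUSES = {"success", "failure", "unknown"}
OBJECT_CATEGORIES = {"directory", "file", "group", "object", "registry", "unknown", "user"}
# Populated by Asset and Identity correlation, never by an add-on.
DERIVED_FIELDS = {"src_bunit", "src_category", "dest_bunit", "dest_category",
                  "src_user_bunit", "src_user_category"}
# Hypothetical vendor verbs -> CIM action values (the verb names are assumed).
VERB_TO_ACTION = {"CREATE": "created", "OPEN": "read", "WRITE": "modified",
                  "UNLINK": "deleted", "CHMOD": "acl_modified"}

# Constructed sample record from a fictional "ExampleCorp FileAudit" agent.
SAMPLE_RAW = {"verb": "chmod", "rc": 1, "reason": "blocked by policy", "uid": "1001",
              "name": "shadow", "path": "/etc/shadow", "is_dir": False, "bytes": 4096,
              "host": "web01.example.test", "vendor": "ExampleCorp", "product": "FileAudit"}


def to_change_event(raw: dict) -> dict:
    """Map one vendor record to CIM Change Analysis / Filesystem_Changes fields."""
    return {
        "action": VERB_TO_ACTION.get(raw.get("verb", "").upper(), "unknown"),
        "change_type": "filesystem",
        "status": "success" if raw.get("rc") == 0 else "failure",
        "result": raw.get("reason", ""),        # vendor-specific clarification
        "user": raw.get("uid", ""),
        "object": raw["name"],
        "object_path": raw["path"],
        "object_category": "directory" if raw.get("is_dir") else "file",
        "file_name": raw["name"],
        "file_path": raw["path"],
        "file_size": raw["bytes"] // 1024,      # CIM wants kilobytes, agent gives bytes
        "dest_host": raw["host"],
        "dest": raw["host"],                    # dest is aliased from dest_host
        "vendor": raw["vendor"],
        "product": raw["product"],
        "vendor_product": f"{raw['vendor']} {raw['product']}",
    }


def validate(event: dict) -> list:
    """Return expected-value and derived-field violations; an empty list means compliant."""
    problems = [f"{k}={event[k]!r}" for k, allowed in
                (("action", ACTIONS), ("status", STATUSES), ("object_category", OBJECT_CATEGORIES))
                if event.get(k) not in allowed]
    problems += [f"{k} must be left blank" for k in DERIVED_FIELDS if event.get(k)]
    return problems
```

In a real add-on this mapping lives in props.conf and transforms.conf (field aliases, evals and tags); Python is used here only to make the mapping and the checks runnable.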
This documentation applies to the following versions of Splunk® Common Information Model Add-on: 3.0, 3.0.1, 3.0.2