Splunk® Common Information Model Add-on

Common Information Model Add-on Manual

This documentation does not apply to the most recent version of Splunk® Common Information Model Add-on. For documentation on the most recent version, go to the latest release.

Malware

The fields in the Malware data model and event category describe malware detection and endpoint protection management.

Tags used with objects in the Malware data model and event category

| Object name(s) | Tag name | Required? |
|---|---|---|
| Malware_Attacks, Malware_Operations | malware | YES |
| Malware_Attacks | attack | YES |
| Malware_Operations | operations | YES |

Fields for the Malware data model and event category

| Object name(s) | Field name | Data type | Description | Possible values |
|---|---|---|---|---|
| Malware_Attacks | action | string | The action taken by the reporting device. | allowed, blocked, deferred, unknown |
| Malware_Attacks | category | string | The category of the malware event, such as keylogger or ad-supported program. Note: This is a string value. Use a category_id field for category ID fields that are integer data types (category_id fields are optional, so they are not included in this table). | |
| Malware_Attacks | dest | string | The system that was affected by the malware event. May be aliased from more specific fields, such as dest_host, dest_ip, or dest_name. | |
| Malware_Attacks | dest_bunit | string | This is a derived field provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. It should be left blank when writing add-ons. | |
| Malware_Attacks | dest_category | string | This is a derived field provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. It should be left blank when writing add-ons. | |
| Malware_Attacks | dest_nt_domain | string | The NT domain of the destination, if applicable. | |
| Malware_Attacks | dest_requires_av | boolean | This is a derived field provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. It should be left blank when writing add-ons. | |
| Malware_Attacks | file_hash | string | The hash of the file with suspected malware. | |
| Malware_Attacks | file_name | string | The name of the file with suspected malware. | |
| Malware_Attacks | file_path | string | The full file path of the file with suspected malware. | |
| Malware_Attacks | product | string | The product name of the endpoint protection system, such as AntiVirus or Server Protect. This field is used to automatically produce the vendor_product field used by data models. | |
| Malware_Attacks | product_version | string | The product version number of the vendor technology installed on the client, such as 10.4.3 or 11.0.2. | |
| Malware_Attacks | signature | string | The name of the malware infection detected on the client (the src), such as Trojan.Vundo, Spyware.Gaobot, and W32.Nimbda. Note: This is a string value. Use a signature_id field for signature ID fields that are integer data types (signature_id fields are optional, so they are not included in this table). | |
| Malware_Attacks | signature_version | string | The current signature set (a.k.a. definitions or DAT file) running on the client, such as 11hsvx. | |
| Malware_Attacks | src | string | The source of the endpoint event, such as a DAT file relay server. May be aliased from more specific fields, such as src_host, src_ip, or src_name. | |
| Malware_Attacks | src_nt_domain | string | The NT domain of the src, if applicable. | |
| Malware_Attacks | tag | string | This automatically generated field is used to access tags from within data models. Add-on builders do not need to populate it. | |
| Malware_Attacks | user | string | The user involved in the malware event. | |
| Malware_Attacks | user_bunit | string | This is a derived field provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. It should be left blank when writing add-ons. | |
| Malware_Attacks | user_category | string | This is a derived field provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. It should be left blank when writing add-ons. | |
| Malware_Attacks | vendor | string | The name of the endpoint protection vendor, such as Symantec or TrendMicro. This field is used to automatically produce the vendor_product field used by data models. | |
| Malware_Operations | dest | string | The system where the malware operations event occurred. | |
| Malware_Operations | dest_bunit | string | This is a derived field provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. It should be left blank when writing add-ons. | |
| Malware_Operations | dest_category | string | This is a derived field provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. It should be left blank when writing add-ons. | |
| Malware_Operations | dest_nt_domain | string | The NT domain of the dest system, if applicable. | |
| Malware_Operations | dest_requires_av | boolean | This is a derived field provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. It should be left blank when writing add-ons. | |
| Malware_Operations | product_version | string | The product version of the malware operations product. | |
| Malware_Operations | signature_version | string | The version of the malware signature bundle in a signature update operations event. | |
| Malware_Operations | tag | string | | |
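As an added example (not from the Splunk documentation or any real add-on), this is the configuration an add-on could ship to map a hypothetical `acme:av` sourcetype onto the two objects above: the sourcetype name, the vendor's field names, the event types and the sample events are all constructed.

```ini
# Constructed sample events for the hypothetical sourcetype acme:av (not a real product):
#   2014-03-12T10:15:22Z kind=detection host=ws-0421 user=jdoe verdict=quarantined threat="Trojan.Vundo" path="C:\Users\jdoe\Downloads\invoice.exe" filename=invoice.exe sha256=<hash-placeholder> engine=10.4.3 defs=11hsvx relay=dat-relay01
#   2014-03-12T10:20:05Z kind=defs_update host=ws-0421 engine=10.4.3 defs=11hsvy
#
# props.conf -- rename the vendor's fields to the CIM field names listed in the table.
[acme:av]
FIELDALIAS-acme_av_dest = host AS dest
FIELDALIAS-acme_av_signature = threat AS signature
FIELDALIAS-acme_av_file = path AS file_path filename AS file_name sha256 AS file_hash
FIELDALIAS-acme_av_versions = engine AS product_version defs AS signature_version
FIELDALIAS-acme_av_src = relay AS src
# action is restricted to allowed, blocked, deferred, unknown; fold the vendor's verdicts into that set.
EVAL-action = case(verdict=="allowed", "allowed", verdict=="quarantined" OR verdict=="deleted", "blocked", verdict=="pending", "deferred", true(), "unknown")
# vendor and product are set by the add-on; the data model derives vendor_product from them.
EVAL-vendor = "Acme"
EVAL-product = "Endpoint Shield"
# dest_bunit, dest_category, dest_requires_av, user_bunit and user_category are left unset on purpose:
# Enterprise Security fills them from its Asset and Identity correlation.

# eventtypes.conf -- one event type per data model object.
[acme_av_detection]
search = sourcetype=acme:av kind=detection

[acme_av_signature_update]
search = sourcetype=acme:av kind=defs_update

# tags.conf -- the tag combinations the tags table marks as required.
[eventtype=acme_av_detection]
malware = enabled
attack = enabled

[eventtype=acme_av_signature_update]
malware = enabled
operations = enabled

# Check (SPL, run after the add-on is installed) that the detection events land in the object:
#   | datamodel Malware Malware_Attacks search | table dest user signature action file_hash vendor_product
```

Events that fail to appear in the check search usually have a missing tag or an action value outside the allowed set, so verify those two first.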
Last modified on 12 March, 2014

This documentation applies to the following versions of Splunk® Common Information Model Add-on: 3.0, 3.0.1, 3.0.2
