Related Answers
This documentation does not apply to the most recent version of Splunk® Common Information Model Add-on.
For documentation on the most recent version, go to the latest release.
Download topic as PDF
Malware
The fields in the Malware data model and event category describe malware detection and endpoint protection management.
Tags used with objects in the Malware data model and event category
| Object name(s) | Tag name | Required? |
|---|---|---|
| Malware_Attacks
Malware_Operations |
malware | YES |
| Malware_Attacks | attack | YES |
| Malware_Operations | operations | YES |
Fields for the Malware data model and event category
| Object name(s) | Field name | Data type | Description | Possible values |
|---|---|---|---|---|
| Malware_Attacks | action
|
string | The action taken by the reporting device. | allowed, blocked, deferred, unknown
|
| Malware_Attacks | category
|
string | The category of the malware event, such as keylogger or ad-supported program.Note: This is a string value. Use a category_id field for category ID fields that are integer data types (category_id fields are optional, so they are not included in this table).
|
|
| Malware_Attacks | dest
|
string | The system that was affected by the malware event. May be aliased from more specific fields, such as dest_host, dest_ip, or dest_name.
|
|
| Malware_Attacks | dest_bunit
|
string | These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons. | |
| Malware_Attacks | dest_category
|
string | ||
| Malware_Attacks | dest_nt_domain
|
string | The NT domain of the destination, if applicable. | |
| Malware_Attacks | dest_requires_av
|
boolean | This is a derived field provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. It should be left blank when writing add-ons. | |
| Malware_Attacks | file_hash
|
string | The hash of the file with suspected malware. | |
| Malware_Attacks | file_name
|
string | The name of the file with suspected malware. | |
| Malware_Attacks | file_path
|
string | The full file path of the file with suspected malware. | |
| Malware_Attacks | product
|
string | The product name of the endpoint protection system, such as AntiVirus or Server Protect. This field is used to automatically produce the vendor_product field used by data models.
|
|
product_version
|
string | The product version number of the vendor technology installed on the client, such as 10.4.3 or 11.0.2.
|
||
| Malware_Attacks | signature
|
string | The name of the malware infection detected on the client (the src), such as Trojan.Vundo, Spyware.Gaobot, and W32.Nimbda.Note: This is a string value. Use a signature_id field for signature ID fields that are integer data types (signature_id fields are optional, so they are not included in this table).
|
|
signature_version
|
string | The current signature set (a.k.a. definitions or DAT file) running on the client, such as 11hsvx.
| ||
src
|
string | The source of the endpoint event, such as a DAT file relay server. May be aliased from more specific fields, such as src_host, src_ip, or src_name.
|
||
src_nt_domain
|
string | The NT domain of the src, if applicable.
|
||
| Malware_Attacks | tag
|
string | This automatically generated field is used to access tags from within datamodels. Add-on builders do not need to populate it. | |
| Malware_Attacks | user
|
string | The user involved in the malware event. | |
| Malware_Attacks | user_bunit
|
string | These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons. | |
| Malware_Attacks | user_category
|
string | ||
| Malware_Attacks | vendor
|
string | The name of the endpoint protection vendor, such as Symantec or TrendMicro. This field is used to automatically produce the vendor_product field used by data models.
|
|
| Malware_Operations | dest
|
string | The system where the malware operations event occurred. | |
| Malware_Operations | dest_bunit
|
string | These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons. | |
| Malware_Operations | dest_category
|
string | ||
| Malware_Operations | dest_nt_domain
|
string | The NT domain of the dest system, if applicable.
|
|
| Malware_Operations | dest_requires_av
|
boolean | This is a derived field provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. It should be left blank when writing add-ons. | |
| Malware_Operations | product_version
|
string | The product version of the malware operations product. | |
| Malware_Operations | signature_version
|
string | The version of the malware signature bundle in a signature update operations event. | |
| Malware_Operations | tag
|
string | ||
Last modified on 12 March, 2014
|
PREVIOUS Java Virtual Machines (JVM) |
NEXT Network Sessions |
This documentation applies to the following versions of Splunk® Common Information Model Add-on: 3.0, 3.0.1, 3.0.2
Feedback submitted, thanks!