Vulnerabilities
The fields in the Vulnerabilities data model and Vulnerability event category describe vulnerability detection data.
Tags used with the Vulnerabilities data model and event category
Object name(s) | Tag name | Required? |
---|---|---|
Vulnerabilities | report | YES |
Vulnerabilities | vulnerability | YES |
Fields for the Vulnerabilities data model and event category
Object name(s) | Field name | Data type | Description | Possible values |
---|---|---|---|---|
Vulnerabilities | bugtraq | string | Corresponds to an identifier in the vulnerability database provided by the Security Focus website (searchable at http://www.securityfocus.com/). | |
Vulnerabilities | category | string | The category of the discovered vulnerability, such as DoS. Note: This field is a string. Use a category_id field for integer category identifiers; category_id is optional and thus is not part of the CIM. | |
Vulnerabilities | cert | string | Corresponds to an identifier in the vulnerability database provided by the US Computer Emergency Readiness Team (US-CERT, searchable at http://www.kb.cert.org/vuls/). | |
Vulnerabilities | cve | string | Corresponds to an identifier in the Common Vulnerabilities and Exposures index (searchable at http://cve.mitre.org). | |
Vulnerabilities | dest | string | The host with the discovered vulnerability. May be aliased from more specific fields, such as dest_host, dest_ip, or dest_name. | |
Vulnerabilities | dvc | string | The system that discovered the vulnerability. May be aliased from more specific fields, such as dvc_host, dvc_ip, or dvc_name. | |
Vulnerabilities | msft | string | Corresponds to a Microsoft Security Advisory number (http://technet.microsoft.com/en-us/security/advisory/). | |
Vulnerabilities | mskb | string | Corresponds to a Microsoft Knowledge Base article number (http://support.microsoft.com/kb/). | |
Vulnerabilities | product | string | The product or service that detected the vulnerability. This field is used to automatically produce the vendor_product field used by data models. | |
Vulnerabilities | severity | string | The severity of the vulnerability detection event. Specific values are required. Use vendor_severity for the vendor's own human-readable strings (such as Good, Bad, and Really Bad). Note: This field is a string. Use a severity_id field for integer severity identifiers; severity_id is optional and thus is not part of the CIM. | critical, high, informational, low, medium, unknown |
Vulnerabilities | signature | string | The name of the vulnerability detected on the host, such as HPSBMU02785 SSRT100526 rev.2 - HP LoadRunner Running on Windows, Remote Execution of Arbitrary Code, Denial of Service (DoS). Note: This field is a string. Use signature_id for numeric indicators; signature_id is optional and thus is not part of the CIM. | |
Vulnerabilities | vendor | string | The vendor of the vulnerability detection product or service. This field is used to automatically produce the vendor_product field used by data models. | |
Vulnerabilities | xref | string | A cross-reference identifier associated with the vulnerability. In most cases, the xref field contains both the short name of the database being cross-referenced and the unique identifier used in the external database. | |
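The following is an added example, not part of the Splunk CIM documentation, showing how a scanner finding can be normalised into the fields above: the required tags, the constrained severity values (with the vendor's own string kept in vendor_severity), dest and dvc aliased from more specific fields, vendor_product derived from vendor and product, and xref built as "short database name:identifier". The input record, the vendor severity scale and the identifiers are constructed placeholders.

```python
# Added example; not Splunk's own code. Maps a constructed scanner record
# onto the CIM Vulnerabilities fields described in the table above.

CIM_SEVERITIES = {"critical", "high", "informational", "low", "medium", "unknown"}

# Assumed vendor scale -> CIM severity. Anything unmapped becomes "unknown".
VENDOR_SEVERITY_MAP = {"Really Bad": "critical", "Bad": "high", "Good": "informational"}

# Short database name used in xref, keyed by the CIM field holding the id.
XREF_DBS = {"cve": "CVE", "bugtraq": "BID", "cert": "CERT", "msft": "MSFT", "mskb": "MSKB"}


def to_cim_vulnerability(raw: dict) -> dict:
    """Return a dict of CIM Vulnerabilities fields for one raw finding."""
    vendor_sev = raw.get("vendor_severity", "")
    cim = {
        "tag": ["report", "vulnerability"],  # both tags are required
        "vendor": raw["vendor"],
        "product": raw["product"],
        "vendor_product": f'{raw["vendor"]} {raw["product"]}',
        "signature": raw["plugin_name"],
        "category": raw.get("plugin_family", "unknown"),
        # dest and dvc may be aliased from more specific fields
        "dest": raw.get("dest_name") or raw.get("dest_ip") or raw.get("dest_host"),
        "dvc": raw.get("dvc_name") or raw.get("dvc_ip") or raw.get("dvc_host"),
        "vendor_severity": vendor_sev,  # vendor's human-readable string
        "severity": VENDOR_SEVERITY_MAP.get(vendor_sev, "unknown"),
    }
    # Copy each reference id that is present and build the xref list.
    xrefs = []
    for field, db in XREF_DBS.items():
        if raw.get(field):
            cim[field] = raw[field]
            xrefs.append(f"{db}:{raw[field]}")
    if xrefs:
        cim["xref"] = xrefs
    assert cim["severity"] in CIM_SEVERITIES  # specific values are required
    return cim


# Constructed sample finding; the identifiers are placeholders, not real advisories.
SAMPLE_FINDING = {
    "vendor": "ExampleVendor",
    "product": "ExampleScanner",
    "plugin_name": "Example Web Server Remote Code Execution",
    "plugin_family": "Web Servers",
    "dest_ip": "10.0.0.5",
    "dvc_name": "scanner01",
    "vendor_severity": "Really Bad",
    "cve": "CVE-0000-00000",  # placeholder
    "mskb": "0000000",        # placeholder
}
```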
This documentation applies to the following versions of Splunk® Common Information Model Add-on: 3.0, 3.0.1, 3.0.2