Authentication
The fields and tags in the Authentication data model describe login activities from any data source.
Tags used with Authentication event objects

Object name | Tag name |
---|---|
Authentication | authentication |
| | default |
| | cleartext OR insecure |
| | privileged |
Fields for Authentication event objects

Object name | Field name | Data type | Description | Expected values |
---|---|---|---|---|
Authentication | action | string | The action performed on the resource. | success, failure, unknown |
Authentication | app | string | The application involved in the event (such as ssh, splunk, win:local). | |
Authentication | dest | string | The target involved in the authentication. May be aliased from more specific fields, such as dest_host, dest_ip, or dest_nt_host. | |
Authentication | dest_bunit | string | The business unit of the authentication target. This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security. | |
Authentication | dest_category | string | The category of the authentication target, such as email_server or SOX-compliant. This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security. | |
Authentication | dest_nt_domain | string | The name of the Active Directory used by the authentication target, if applicable. | |
Authentication | dest_priority | string | The priority of the authentication target. | |
Authentication | resp_time | string | The response time for the LDAP query in the authentication, if applicable. | |
Authentication | src | string | The source involved in the authentication. In the case of endpoint protection authentication the src is the client. May be aliased from more specific fields, such as src_host, src_ip, or src_nt_host. Note: Do not confuse src with the event source or sourcetype fields. | |
Authentication | src_bunit | string | The business unit of the authentication source. This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security. | |
Authentication | src_category | string | The category of the authentication source, such as email_server or SOX-compliant. This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security. | |
Authentication | src_nt_domain | string | The name of the Active Directory used by the authentication source, if applicable. | |
Authentication | src_priority | string | The priority of the authentication source. | |
Authentication | src_user | string | In privilege escalation events, src_user represents the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed. | |
Authentication | src_user_bunit | string | The business unit of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed. | |
Authentication | src_user_category | string | The category of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed. | |
Authentication | src_user_priority | string | The priority of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed. | |
Authentication | tag | string | A tag associated with the authentication event. | |
Authentication | user | string | The name of the user involved in the event, or who initiated the event. For authentication privilege escalation events this should represent the user targeted by the escalation. | |
Authentication | user_bunit | string | The business unit of the user involved in the event, or who initiated the event. For authentication privilege escalation events this should represent the user targeted by the escalation. | |
Authentication | user_category | string | The category of the user involved in the event, or who initiated the event. For authentication privilege escalation events this should represent the user targeted by the escalation. | |
Authentication | user_priority | string | The priority of the user involved in the event, or who initiated the event. For authentication privilege escalation events this should represent the user targeted by the escalation. | |
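As an added example that is not part of the Splunk documentation, the following Python script maps constructed sshd and sudo syslog lines onto the Authentication fields above, applying the privilege-escalation convention (src_user is the initiator, user is the targeted account, and src_user is omitted when no escalation took place). The log lines, the choice to attach the privileged tag to sudo events, and the assumption that a logged sudo COMMAND line implies a successful authentication are the example's own, not the add-on's.

```python
import re

# Constructed sample syslog lines (not taken from the page): two sshd events,
# one sudo privilege escalation, and one non-authentication line.
SAMPLE_EVENTS = [
    "Mar  3 10:01:02 bastion sshd[4211]: Failed password for invalid user bob from 203.0.113.7 port 51022 ssh2",
    "Mar  3 10:01:09 bastion sshd[4212]: Accepted publickey for alice from 203.0.113.7 port 51030 ssh2",
    "Mar  3 10:02:30 bastion sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart sshd",
    "Mar  3 10:03:00 bastion cron[1]: (root) CMD (run-parts /etc/cron.hourly)",
]

SYSLOG_PREFIX = r"^\w{3}\s+\d+ [\d:]+ (?P<dest>\S+) "
SSHD_RE = re.compile(SYSLOG_PREFIX + r"sshd\[\d+\]: (?P<result>Failed|Accepted) \S+ for "
                     r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(SYSLOG_PREFIX + r"sudo:\s+(?P<src_user>\S+) : .*?USER=(?P<user>\S+)")


def normalize(raw):
    """Map one raw line onto CIM Authentication fields; return None if it is not an authentication event."""
    m = SSHD_RE.match(raw)
    if m:
        # Plain login: the account logging in is `user`; no escalation, so src_user is left out.
        return {
            "action": "success" if m["result"] == "Accepted" else "failure",
            "app": "ssh",
            "dest": m["dest"],
            "src": m["src"],
            "user": m["user"],
            "tag": ["authentication"],
        }
    m = SUDO_RE.match(raw)
    if m:
        # Privilege escalation: src_user initiated it, user is the account targeted.
        # Assumption: sudo logs the COMMAND line only after authenticating, so action is success.
        # Assumption: this deployment tags escalation events as privileged.
        return {
            "action": "success",
            "app": "sudo",
            "dest": m["dest"],
            "src": m["dest"],  # local escalation: client and target are the same host
            "src_user": m["src_user"],
            "user": m["user"],
            "tag": ["authentication", "privileged"],
        }
    return None


def normalize_all(lines):
    """Normalize a batch of lines, dropping those that are not authentication events."""
    return [e for e in (normalize(line) for line in lines) if e is not None]
```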
This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.0.0