Splunk® Common Information Model Add-on

Common Information Model Add-on Manual

Download manual as PDF

This documentation does not apply to the most recent version of CIM. Click here for the latest version.
Download topic as PDF

Authentication

The fields and tags in the Authentication data model describe login activities from any data source.

Tags used with Authentication event objects

Object name Tag name
Authentication authentication
|____ Default_Authentication
default
|____ Insecure_Authentication
cleartext OR insecure
|____ Privileged_Authentication
privileged

Fields for Authentication event objects

Object name Field name Data type Description Expected values
Authentication action string The action performed on the resource. success, failure, unknown
Authentication app string The application involved in the event (such as ssh, splunk, win:local).
Authentication dest string The target involved in the authentication. May be aliased from more specific fields, such as dest_host, dest_ip, or dest_nt_host.
Authentication dest_bunit string The business unit of the authentication target.

This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security.
Authentication dest_category string The category of the authentication target, such as email_server or SOX-compliant.

This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security.
Authentication dest_nt_domain string The name of the Active Directory used by the authentication target, if applicable.
Authentication dest_priority string The priority of the authentication target.
Authentication resp_time string The response time for the LDAP query in the authentication, if applicable.
Authentication src string The source involved in the authentication. In the case of endpoint protection authentication the src is the client. May be aliased from more specific fields, such as src_host, src_ip, or src_nt_host.

Note: Do not confuse src with the event source or sourcetype fields.
Authentication src_bunit string The business unit of the authentication source.

This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security.
Authentication src_category string The category of the authentication source, such as email_server or SOX-compliant.

This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security.
Authentication src_nt_domain string The name of the Active Directory used by the authentication source, if applicable.
Authentication src_priority string The priority of the authentication source.
Authentication src_user string In privilege escalation events, src_user represents the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.
Authentication src_user_bunit string The business unit of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.
Authentication src_user_category string The category of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.
Authentication src_user_priority string The priority of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.
Authentication tag string A tag associated with the authentication event.
Authentication user string The name of the user involved in the event, or who initiated the event. For authentication privilege escalation events this should represent the user targeted by the escalation.
Authentication user_bunit string The business unit of the user involved in the event, or who initiated the event. For authentication privilege escalation events this should represent the user targeted by the escalation.
Authentication user_category string The category of the user involved in the event, or who initiated the event. For authentication privilege escalation events this should represent the user targeted by the escalation.
Authentication user_priority string The priority of the user involved in the event, or who initiated the event. For authentication privilege escalation events this should represent the user targeted by the escalation.
PREVIOUS
Application State
  NEXT
Change Analysis

This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.0.0


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters