Splunk® Common Information Model Add-on

Common Information Model Add-on Manual

Download manual as PDF

This documentation does not apply to the most recent version of CIM. Click here for the latest version.
Download topic as PDF

Change Analysis

The fields in the Change Analysis data model describe Create, Read, Update, and Delete activities from any data source.

Tags used with Change Analysis event objects

Object name Tag name
All_Changes change
|____ Auditing_Changes
audit
|____ Endpoint_Changes
endpoint
|____ Network_Changes
network
|____ Account_Management
account

Fields for Change Analysis event objects

Object name Field name Data type Description Expected values
All_Changes action string The action performed on the resource. created, read, modified, deleted, acl_modified, unknown
All_Changes change_type string The type of change, such as filesystem or AAA.
All_Changes command string The command that initiated the change.
All_Changes dest string The resource where change occurred. May be aliased from more specific fields, such as dest_host, dest_ip, or dest_name.
All_Changes dest_bunit string These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons.
All_Changes dest_category string
All_Changes dest_priority string
All_Changes dvc string The device that reported the change, if applicable, such as a FIP or CIM server. May be aliased from more specific fields, such as dvc_host, dvc_ip, or dvc_name.
All_Changes object string Name of the affected object on the resource (such as a router interface, user account, or server volume).
All_Changes object_attrs string The attributes that were updated on the updated resource object, if applicable.
All_Changes object_category string Generic name for the class of the updated resource object. Expected values may be specific to an App. directory, file, group, object, registry, unknown, user
All_Changes object_id string The unique updated resource object ID as presented to the system, if applicable (for instance, a SID, UUID, or GUID value).
All_Changes object_path string The path of the modified resource object, if applicable (such as a file, directory, or volume).
All_Changes result string The vendor-specific result of a change, or clarification of an action status. For instance, status=failure may be accompanied by result=blocked by policy or result=disk full. Note: result is a string. Please use a msg_severity_id field for severity ID fields that are integer data types.
All_Changes result_id number A numeric result indicator for an action status.
All_Changes src string The resource where the change was originated. May be aliased from more specific fields, such as src_host<code>, <code>src_ip, or src_name.
All_Changes src_bunit string These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons.
All_Changes src_category string
All_Changes src_priority string
All_Changes status string Status of the update. success, failure, unknown
All_Changes tag string This automatically generated field is used to access tags from within datamodels. Add-on builders do not need to populate it.
All_Changes user string The user or entity performing the change. For account changes, this is the account that was changed (see src_user for user or entity performing the change).
All_Changes vendor_product string The product or service that detected the vulnerability.
Account_Management dest_nt_domain string The NT domain of the destination, if applicable.
Account_Management src_nt_domain string The NT domain of the source, if applicable.
Account_Management src_user string For account changes, the user or entity performing the change.
Account_Management src_user_bunit string These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons.
Account_Management src_user_category string
Account_Management src_user_priority string
Filesystem_Changes file_access_time time The time the file (the object of the event) was accessed.
Filesystem_Changes file_acl string Access controls associated with the file affected by the event.
Filesystem_Changes file_create_time time The time the file (the object of the event) was created.
Filesystem_Changes file_hash string A cryptographic identifier assigned to the file object affected by the event.
Filesystem_Changes file_modify_time time The time the file (the object of the event) was altered.
Filesystem_Changes file_name string The name of the file that is the object of the event (without location information related to local file or directory structure).
Filesystem_Changes file_path string The location of the file that is the object of the event, in local file and directory structure terms.
Filesystem_Changes file_size number The size of the file that is the object of the event, in kilobytes.
PREVIOUS
Authentication
  NEXT
Databases

This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.0.0


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters