Splunk® Common Information Model Add-on

Common Information Model Add-on Manual


Network Sessions

The fields in the Network Sessions data model describe DHCP and DNS traffic (whether server:server or client:server) and network infrastructure inventory and topology.

Tags used with Network Session event objects

Object name           Tag name
All_Sessions          network, session
|____ Session_Start   start
|____ Session_End     end
|____ DHCP            dhcp
|____ VPN             vpn

Fields for Network Sessions event objects

Object name | Field name | Data type | Description | Possible values
All_Sessions | action | string | The action taken by the reporting device. | added, blocked, unknown
All_Sessions | dest_ip | string | The IP address of the system reporting a network session event. If the system is a Dynamic Host Configuration Protocol (DHCP) server, this is the lease IP for that server. This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security. |
All_Sessions | dest_mac | string | The MAC address of the system reporting a network session event. This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security. |
All_Sessions | dest_nt_host | string | The Active Directory name of the system reporting a network session event, if applicable. This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security. |
All_Sessions | dest_dns | string | The domain name server for the system reporting a network session event. This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security. |
All_Sessions | signature | string | An indication of the type of network session event. |
All_Sessions | src_dns | string | The domain name server of the originator of a Dynamic Host Configuration Protocol (DHCP) or DNS event. This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security. |
All_Sessions | src_ip | string | The IP address of the originator of a Dynamic Host Configuration Protocol (DHCP) or DNS event. This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security. |
All_Sessions | src_mac | string | The MAC address of the originator of a Dynamic Host Configuration Protocol (DHCP) or DNS event. This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security. |
All_Sessions | src_nt_host | string | The Active Directory name of the originator of a Dynamic Host Configuration Protocol (DHCP) or DNS event. This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security. |
All_Sessions | tag | string | This automatically generated field is used to access tags from within data models. Add-on builders do not need to populate it. |
All_Sessions | user | string | The user in a network session event, where applicable, for instance in a VPN session or an authenticated DHCP event. |
All_Sessions | vendor_product | string | The full name of the Dynamic Host Configuration Protocol (DHCP) or DNS server involved in this event, including vendor and product name, such as Microsoft DHCP or ISC BIND. This field is generated by combining the values of the vendor and product fields. |
DHCP | lease_duration | number | The duration of the Dynamic Host Configuration Protocol (DHCP) lease, in seconds. |
DHCP | lease_scope | string | The consecutive range of possible IP addresses that the Dynamic Host Configuration Protocol (DHCP) server can lease to clients on a subnet. A lease_scope typically defines a single physical subnet on your network to which DHCP services are offered. |
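As an added example that is not part of this manual or of the add-on's own code, the following Python maps constructed DHCP server events onto the field and tag names listed above (action, signature, dest_ip as the lease IP, src_mac, src_nt_host, vendor_product built from vendor and product, lease_duration in seconds, plus the network/session/dhcp/start/end tags) and checks the result against the constraints the tables state. The key=value log layout, the vendor event names and EVENT_MAP are assumptions made for the example.

```python
import re

# Constraints taken from the field and tag tables above.
ALLOWED_ACTIONS = {"added", "blocked", "unknown"}
BASE_TAGS = ["network", "session", "dhcp"]
# Hypothetical vendor event names -> (CIM action, Session_Start/Session_End tag).
EVENT_MAP = {
    "lease_assigned": ("added", ["start"]),
    "lease_renewed": ("added", ["start"]),
    "lease_released": ("unknown", ["end"]),
    "lease_denied": ("blocked", []),
}
# Constructed sample lines in a key=value style; not any real vendor's log format.
SAMPLE_LOGS = [
    "Nov 12 10:01:02 dhcp1 dhcpd: event=lease_assigned ip=10.0.0.5 mac=00:11:22:33:44:55 host=WS01 lease=86400 vendor=ISC product=DHCP",
    "Nov 12 10:02:10 dhcp1 dhcpd: event=lease_denied ip=10.0.0.9 mac=00:11:22:33:44:66 host=UNKNOWN vendor=ISC product=DHCP",
    "Nov 12 10:03:00 dhcp1 dhcpd: event=lease_released ip=10.0.0.5 mac=00:11:22:33:44:55 host=WS01 vendor=ISC product=DHCP",
]
KV_RE = re.compile(r"(\w+)=(\S+)")


def normalize(line):
    """Map one raw DHCP event onto Network Sessions (DHCP object) field names."""
    kv = dict(KV_RE.findall(line))
    event = kv.get("event", "")
    action, session_tags = EVENT_MAP.get(event, ("unknown", []))
    cim = {
        "action": action,
        "signature": event,                  # the type of network session event
        "dest_ip": kv.get("ip"),             # lease IP, per the dest_ip description
        "src_mac": kv.get("mac"),            # MAC of the originator of the DHCP event
        "src_nt_host": kv.get("host"),
        # vendor_product is formed by combining the vendor and product fields
        "vendor_product": " ".join(v for v in (kv.get("vendor"), kv.get("product")) if v),
        "tag": BASE_TAGS + session_tags,
    }
    if "lease" in kv:
        cim["lease_duration"] = int(kv["lease"])  # DHCP.lease_duration is in seconds
    return cim


def validate(cim):
    """List model violations so a bad mapping is caught before it reaches search time."""
    problems = []
    if cim.get("action") not in ALLOWED_ACTIONS:
        problems.append(f"action {cim.get('action')!r} not in {sorted(ALLOWED_ACTIONS)}")
    for required in ("dest_ip", "src_mac", "vendor_product"):
        if not cim.get(required):
            problems.append(f"{required} missing")
    return problems
```

Running `validate(normalize(line))` over SAMPLE_LOGS returns an empty list for each line; a mapping that emits an action outside the listed values, or drops the lease IP, is reported before the event is accepted into the model.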
Last modified on 12 November, 2014

This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.0.0
