Splunk® Common Information Model Add-on

Common Information Model Add-on Manual

Download manual as PDF

This documentation does not apply to the most recent version of CIM. Click here for the latest version.
Download topic as PDF

Vulnerabilities

The fields in the Vulnerabilities data model describe vulnerability detection data.

Tags used with the Vulnerabilities event objects

Object name Tag name
Vulnerabilities report
vulnerability

Fields for Vulnerabilities event objects

Object name Field name Data type Description Possible values
Vulnerabilities bugtraq string Corresponds to an identifier in the vulnerability database provided by the Security Focus website (searchable at http://www.securityfocus.com/).
Vulnerabilities category string The category of the discovered vulnerability, such as DoS.

Note: This field is a string. Please use a category_id field for fields that are integer data type. Keep in mind that the category_id field is optional and thus is not part of the CIM.
Vulnerabilities cert string Corresponds to an identifier in the vulnerability database provided by the US Computer Emergency Readiness Team (US-CERT, searchable at http://www.kb.cert.org/vuls/).
Vulnerabilities cve string Corresponds to an identifier provided in the Common Vulnerabilities and Exposures index (searchable at http://cve.mitre.org).
Vulnerabilities dest string The host with the discovered vulnerability. May be aliased from more specific fields, such as dest_host, dest_ip, or dest_name.
Vulnerabilities dest_bunit string These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons.
Vulnerabilities dest_category string
Vulnerabilities dest_priority string
Vulnerabilities dvc string The system that discovered the vulnerability. May be aliased from more specific fields, such as dvc_host, dvc_ip, or dvc_name.
Vulnerabilities dvc_bunit string These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons.
Vulnerabilities dvc_category string
Vulnerabilities dvc_priority string
Vulnerabilities msft string Corresponds to a Microsoft Security Advisory number (http://technet.microsoft.com/en-us/security/advisory/).
Vulnerabilities mskb string Corresponds to a Microsoft Knowledge Base article number (http://support.microsoft.com/kb/).
Vulnerabilities severity string The severity of the vulnerability detection event. Specific values are required. Use vendor_severity for the vendor's own human readable strings (such as Good, Bad, and Really Bad).

Note: This field is a string. Please use a severity_id field for severity ID fields that are integer data types. Keep in mind that the severity_id field is optional and thus is not part of the CIM.
critical, high, informational, low, medium, unknown
Vulnerabilities signature string The name of the vulnerability detected on the host, such as HPSBMU02785 SSRT100526 rev.2 - HP LoadRunner Running on Windows, Remote Execution of Arbitrary Code, Denial of Service (DoS).

Note: This field has a string value. Please use signature_id for numeric indicators. Keep in mind that the signature_id field is optional and thus is not part of the CIM.
Vulnerabilities tag string A tag associated with the vulnerability.
Vulnerabilities user string The user that requested the HTTP resource.
Vulnerabilities user_bunit string These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons.
Vulnerabilities user_category string
Vulnerabilities user_priority string
Vulnerabilities vendor_product string The vendor of the vulnerability detection product or service.
Vulnerabilities xref string A cross-reference identifier associated with the vulnerability. In most cases, the xref field contains both the short name of the database being cross-referenced and the unique identifier used in the external database.
PREVIOUS
Updates
  NEXT
Web

This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.0.0


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters