Vulnerabilities
The fields in the Vulnerabilities data model describe vulnerability detection data.
Tags used with the Vulnerabilities event objects
Object name | Tag name |
---|---|
Vulnerabilities | report |
Vulnerabilities | vulnerability |
Fields for Vulnerabilities event objects
Object name | Field name | Data type | Description | Possible values |
---|---|---|---|---|
Vulnerabilities | bugtraq | string | Corresponds to an identifier in the vulnerability database provided by the Security Focus website (searchable at http://www.securityfocus.com/). | |
Vulnerabilities | category | string | The category of the discovered vulnerability, such as DoS. Note: This field is a string. Use the category_id field for integer category identifiers. Keep in mind that the category_id field is optional and thus is not part of the CIM. | |
Vulnerabilities | cert | string | Corresponds to an identifier in the vulnerability database provided by the US Computer Emergency Readiness Team (US-CERT, searchable at http://www.kb.cert.org/vuls/). | |
Vulnerabilities | cve | string | Corresponds to an identifier provided in the Common Vulnerabilities and Exposures index (searchable at http://cve.mitre.org). | |
Vulnerabilities | dest | string | The host with the discovered vulnerability. May be aliased from more specific fields, such as dest_host, dest_ip, or dest_name. | |
Vulnerabilities | dest_bunit | string | A derived field provided by the Asset and Identity correlation features of certain advanced applications, such as the Splunk App for Enterprise Security. It should be left blank when writing add-ons. | |
Vulnerabilities | dest_category | string | A derived field provided by the Asset and Identity correlation features of certain advanced applications, such as the Splunk App for Enterprise Security. It should be left blank when writing add-ons. | |
Vulnerabilities | dest_priority | string | A derived field provided by the Asset and Identity correlation features of certain advanced applications, such as the Splunk App for Enterprise Security. It should be left blank when writing add-ons. | |
Vulnerabilities | dvc | string | The system that discovered the vulnerability. May be aliased from more specific fields, such as dvc_host, dvc_ip, or dvc_name. | |
Vulnerabilities | dvc_bunit | string | A derived field provided by the Asset and Identity correlation features of certain advanced applications, such as the Splunk App for Enterprise Security. It should be left blank when writing add-ons. | |
Vulnerabilities | dvc_category | string | A derived field provided by the Asset and Identity correlation features of certain advanced applications, such as the Splunk App for Enterprise Security. It should be left blank when writing add-ons. | |
Vulnerabilities | dvc_priority | string | A derived field provided by the Asset and Identity correlation features of certain advanced applications, such as the Splunk App for Enterprise Security. It should be left blank when writing add-ons. | |
Vulnerabilities | msft | string | Corresponds to a Microsoft Security Advisory number (http://technet.microsoft.com/en-us/security/advisory/). | |
Vulnerabilities | mskb | string | Corresponds to a Microsoft Knowledge Base article number (http://support.microsoft.com/kb/). | |
Vulnerabilities | severity | string | The severity of the vulnerability detection event. Specific values are required. Use vendor_severity for the vendor's own human-readable strings (such as Good, Bad, and Really Bad). Note: This field is a string. Use the severity_id field for integer severity identifiers. Keep in mind that the severity_id field is optional and thus is not part of the CIM. | critical, high, informational, low, medium, unknown |
Vulnerabilities | signature | string | The name of the vulnerability detected on the host, such as HPSBMU02785 SSRT100526 rev.2 - HP LoadRunner Running on Windows, Remote Execution of Arbitrary Code, Denial of Service (DoS). Note: This field has a string value. Use signature_id for numeric indicators. Keep in mind that the signature_id field is optional and thus is not part of the CIM. | |
Vulnerabilities | tag | string | A tag associated with the vulnerability. | |
Vulnerabilities | user | string | The user that requested the HTTP resource. | |
Vulnerabilities | user_bunit | string | A derived field provided by the Asset and Identity correlation features of certain advanced applications, such as the Splunk App for Enterprise Security. It should be left blank when writing add-ons. | |
Vulnerabilities | user_category | string | A derived field provided by the Asset and Identity correlation features of certain advanced applications, such as the Splunk App for Enterprise Security. It should be left blank when writing add-ons. | |
Vulnerabilities | user_priority | string | A derived field provided by the Asset and Identity correlation features of certain advanced applications, such as the Splunk App for Enterprise Security. It should be left blank when writing add-ons. | |
Vulnerabilities | vendor_product | string | The vendor of the vulnerability detection product or service. | |
Vulnerabilities | xref | string | A cross-reference identifier associated with the vulnerability. In most cases, the xref field contains both the short name of the database being cross-referenced and the unique identifier used in the external database. | |
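The following is an added example, not part of this documentation or of the CIM add-on itself: it maps a record from a hypothetical scanner (constructed field names such as host, risk and plugin_name) onto the Vulnerabilities fields above, keeps severity within the required values while preserving the vendor's own string in vendor_severity, builds xref in the "database:identifier" form, leaves the derived asset and identity fields blank, and checks the result before it is emitted.

```python
# Allowed severity values from the data model; vendor strings go in vendor_severity.
SEVERITY_VALUES = {"critical", "high", "informational", "low", "medium", "unknown"}

# Derived asset/identity fields: add-ons leave these blank for later correlation.
DERIVED_FIELDS = ("dest_bunit", "dest_category", "dest_priority", "dvc_bunit",
                  "dvc_category", "dvc_priority", "user_bunit", "user_category", "user_priority")

# Tags the data model searches on (in Splunk they come from tags.conf, not the event body).
TAGS = ("report", "vulnerability")

# Constructed vendor scale for a hypothetical scanner; a real add-on uses the vendor's own.
VENDOR_SEVERITY_MAP = {"Good": "low", "Bad": "high", "Really Bad": "critical"}
# External reference databases named by the model, emitted in xref as "<db>:<id>".
XREF_DBS = ("cve", "bugtraq", "cert", "msft", "mskb")


def normalize(raw):
    """Map one hypothetical scanner record (constructed keys) to CIM field names."""
    vendor_sev = raw.get("risk", "")
    cim = {
        "dest": raw.get("host", ""),
        "dvc": raw.get("scanner", ""),
        "vendor_product": raw.get("scanner_product", ""),
        "signature": raw.get("plugin_name", ""),
        "category": raw.get("family", ""),
        # Unknown vendor labels fall back to "unknown" so the enumerated field stays clean.
        "severity": VENDOR_SEVERITY_MAP.get(vendor_sev, "unknown"),
        "vendor_severity": vendor_sev,
        "cve": str(raw.get("cve", "")),
        "xref": ",".join(f"{db}:{raw[db]}" for db in XREF_DBS if raw.get(db)),
        "tag": ",".join(TAGS),
    }
    cim.update({f: "" for f in DERIVED_FIELDS})
    return cim


def validate(cim):
    """Return a list of conformance problems; an empty list means the record is CIM-clean."""
    problems = []
    if cim.get("severity") not in SEVERITY_VALUES:
        problems.append(f"severity {cim.get('severity')!r} not in allowed set")
    problems += [f"{f} must be left blank by add-ons" for f in DERIVED_FIELDS if cim.get(f)]
    problems += [f"{k} must be a string" for k, v in cim.items() if not isinstance(v, str)]
    if not cim.get("dest"):
        problems.append("dest is required to identify the vulnerable host")
    return problems


# Constructed sample record; the CVE and Bugtraq values are placeholders, not real identifiers.
SAMPLE = {"host": "10.0.0.12", "scanner": "scan01", "scanner_product": "ExampleScan",
          "plugin_name": "Outdated web server build", "risk": "Bad", "family": "DoS",
          "cve": "CVE-0000-0000", "bugtraq": 12345}
```

Running validate(normalize(SAMPLE)) returns an empty list; a record with a vendor severity left in the severity field or a populated dest_priority is reported before it reaches the index.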
This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.0.0