Splunk® Common Information Model Add-on

Common Information Model Add-on Manual

Download manual as PDF

This documentation does not apply to the most recent version of CIM. Click here for the latest version.
Download topic as PDF

Endpoint

The Endpoint data model replaces the Application State data model, which is deprecated as of software version 4.12.0.

The fields and tags in the Endpoint data model describe service or process inventory and state, such as Unix daemons, Windows services, running processes on any OS, or similar systems.

Note: A dataset is a component of a data model. In versions of the Splunk platform prior to version 6.5.0, these were referred to as data model objects.


Dataset name Tag name
Endpoint
|____ Ports
listening
port
|____ Processes
process
report
|____ Services
service
report
|____ Filesystem
endpoint
filesystem
|____ Registry
endpoint
registry

The following table lists the extracted and calculated fields for the event datasets in the model. Note that it does not include any inherited fields. For more information, see How to use these reference tables.

Ports

Dataset name Field name Data type Description Expected values
Ports creation_time timestamp The time at which the network port started listening on the endpoint.
Ports dest_bunit string This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons.
Ports dest_category string This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons.
Ports dest_port number Network port listening on the endpoint, such as 53.
Ports dest_priority string This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons.
Ports dest_requires_av boolean This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons.
Ports dest_should_timesync boolean This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons.
Ports dest_should_update boolean This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons.
Ports src_bunit string This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons.
Ports process_id string The numeric identifier of the process assigned by the operating system.
Ports src_category string This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons.
Ports src_priority string This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons.
Ports src_requires_av boolean This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons.
Ports src_should_timesync boolean This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons.
Ports src_should_update boolean This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons.
Ports state string The status of the listening port, such as established, listening, etc.
Ports tag string This automatically generated field is used to access tags from within data models. Add-on builders do not need to populate it.
Ports transport string The network transport protocol associated with the listening port, such as tcp, udp, etc."
Ports transport_dest_port string Calculated as transport/dest_port, such as tcp/53.
Ports user_bunit string This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons.
Ports user_category string This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons.
Ports user_priority string This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons.

Processes

Dataset name Field name Data type Description Expected values
Processes action string The action taken by the endpoint, such as allowed, blocked, deferred.
Processes cpu_load_percent number CPU load consumed by the process (in percent).
Processes dest_bunit string This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons.
Processes dest_category string This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons.
Processes dest_is_expected boolean This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.
Processes dest_priority string This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons.
Processes dest_requires_av boolean This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons.
Processes dest_should_timesync boolean This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons.
Processes dest_should_update boolean This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons.
Processes mem_used number Memory used by the process (in bytes).
Processes os string The operating system of the resource, such as Microsoft Windows Server 2008r2.
Processes parent_process_exec string The executable name of the parent process.
Processes parent_process_id number The numeric identifier of the parent process assigned by the operating system.
Processes parent_process_guid string The globally unique identifer of the parent process assigned by the vendor_product.
Processes parent_process_path string The file path of the parent process, such as C:\Windows\System32\notepad.exe.
Processes process_current_directory string The current working directory used to spawn the process.
Processes process_exec string The executable name of the process.
Processes process_hash string The digests of the parent process, such as <md5>, <sha1>, etc.
Processes process_guid string The globally unique identifer of the process assigned by the vendor_product.
Processes process_id number The numeric identifier of the process assigned by the operating system.
Processes process_integrity_level string The Windows integrity level of the process. system, high, medium, low, untrusted
Processes process_path string The file path of the process, such as C:\Windows\System32\notepad.exe.
Processes tag string This automatically generated field is used to access tags from within data models. Add-on builders do not need to populate it.
Processes user_id string The unique identifier of the user account which spawned the process.
Processes user_bunit string This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons.
Processes user_category string This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons.
Processes user_priority string This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons.

Services

Dataset name Field name Data type Description Expected values
Services description string The description of the service.
Services dest_bunit string This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons.
Services dest_category string This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons.
Services dest_is_expected boolean This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.
Services dest_priority string This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons.
Services dest_requires_av boolean This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons.
Services dest_should_timesync boolean This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons.
Services dest_should_update boolean This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons.
Services process_id string The numeric identifier of the process assigned by the operating system.
Services service_dll string The dynamic link library associated with the service.
Services service_dll_path string The file path to the dynamic link library assocatied with the service, such as C:\Windows\System32\comdlg32.dll.
Services service_dll_hash string The digests of the dynamic link library associated with the service, such as <md5>, <sha1>, etc.
Services service_dll_signature_exists boolean Whether or not the dynamic link library associated with the service has a digitally signed signature.
Services service_dll_signature_verified boolean Whether or not the dynamic link library associated with the service has had its digitally signed signature verified.
Services service_exec string The executable name of the service.
Services service_hash string The digest(s) of the service, such as <md5>, <sha1>, etc.
Services service_path string The file path of the service, such as C:\WINDOWS\system32\svchost.exe.
Services service_signature_exists boolean Whether or not the service has a digitally signed signature.
Services service_signature_verified boolean Whether or not the service has had its digitally signed signature verified.
Services tag string This automatically generated field is used to access tags from within data models. Add-on builders do not need to populate it.
Services user_bunit string This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons.
Services user_category string This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons.
Services user_priority string This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons.

Filesystem

Dataset name Field name Data type Description Expected values
Filesystem dest_bunit string This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons.
Filesystem dest_category string This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons.
Filesystem dest_priority string This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons.
Filesystem dest_requires_av boolean This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons.
Filesystem dest_should_timesync boolean This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons.
Filesystem dest_should_update boolean This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons.
Filesystem file_access_time timestamp The time that the file (the object of the event) was accessed.
Filesystem file_create_time timestamp The time that the file (the object of the event) was created.
Filesystem file_modify_time timestamp The time that the file (the object of the event) was altered.
Filesystem process_id string The numeric identifier of the process assigned by the operating system.
Filesystem tag string This automatically generated field is used to access tags from within data models. Add-on builders do not need to populate it.
Filesystem user_bunit string This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons.
Filesystem user_category string This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons.
Filesystem user_priority string This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons.

Registry

Dataset name Field name Data type Description Expected values
Registry dest_bunit string This automatically generated field is used to access tags from within data models. Add-on builders do not need to populate it.
Registry dest_category string This automatically generated field is used to access tags from within data models. Add-on builders do not need to populate it.
Registry dest_priority string This automatically generated field is used to access tags from within data models. Add-on builders do not need to populate it.
Registry dest_requires_av boolean This automatically generated field is used to access tags from within data models. Add-on builders do not need to populate it.
Registry dest_should_timesync boolean This automatically generated field is used to access tags from within data models. Add-on builders do not need to populate it.
Registry dest_should_update boolean This automatically generated field is used to access tags from within data models. Add-on builders do not need to populate it.
Registry process_id string The numeric identifier of the process assigned by the operating system.
Registry registry_hive string The logical grouping of registry keys, subkeys, and values. HKEY_CURRENT_CONFIG, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE\\SAM, HKEY_LOCAL_MACHINE\\Security, HKEY_LOCAL_MACHINE\\Software, HKEY_LOCAL_MACHINE\\System, HKEY_USERS\\.DEFAULT
Registry registry_value_text string The textual representation of registry_value_data (if applicable).
Registry status string The outcome of the registry action. failure, success
Registry tag string This automatically generated field is used to access tags from within data models. Add-on builders do not need to populate it.
Registry user_bunit string This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons.
Registry user_category string This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons.
Registry user_priority string This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons.

Calculations

Calculation ID Field name Data type Description Expression
Endpoint_Ports_
fillnull_src
src string The "remote" system connected to the listening port (if applicable). if(isnull(src) OR src=\"\",\"unknown\",src)
Endpoint_Ports_
fillnull_src_port
src_port number The "remote" port connected to the listening port (if applicable). if(isnum(src_port),src_port,0)
Endpoint_Ports_
fillnull_dest
dest string The endpoint on which the port is listening. if(isnull(dest) OR dest=\"\",\"unknown\",dest)
Endpoint_Ports_
fillnull_user
user string The user account associated with the listening port. if(isnull(user) OR user=\"\",\"unknown\",user)
Endpoint_Ports_
vendor_product
vendor_product string The vendor and product name of the Endpoint solution that reported the event, such as Carbon Black Cb Response. This field can be automatically populated by vendor and product fields in your data. case(isnotnull(vendor_product),vendor_product,
isnotnull(vendor) AND vendor!=\"unknown\" AND isnotnull(product) AND product!=\"unknown\",vendor.\" \".product,isnotnull(vendor) AND vendor!=\"unknown\" AND (isnull(product) OR product=\"unknown\"),vendor.\" unknown\",(isnull(vendor) OR vendor=\"unknown\") AND isnotnull(product) AND product!=\"unknown\",\"unknown \".product,isnotnull(sourcetype),sourcetype,
1=1,\"unknown\")"
Endpoint_Processes_
fillnull_dest
dest string The endpoint for which the process was spawned. if(isnull(dest) OR dest=\"\",\"unknown\",dest)
Endpoint_Processes_
fillnull_parent_process
parent_process string The full command string of the parent process. if(isnull(parent_process) OR parent_process=\"\",\"unknown\",parent_process)
Endpoint_Processes_
fillnull_parent_
process_name
parent_process_name string The friendly name of the parent process, such as notepad.exe. case(isnotnull(parent_process_name) AND parent_process_name!=\"\",parent_process_name,
isnotnull(parent_process) AND parent_process!=\"\",replace(parent_process,
\"^\\s*([^\\s]+).*\",\"\\1\"),1=1,\"unknown\")"
Endpoint_Processes_
fillnull_process
process string The full command string of the spawned process. Such as C:\\WINDOWS\\system32\\cmd.exe \/c \"\"C:\\Program Files\\SplunkUniversalForwarder\\etc\\system\\bin\\powershell.cmd\" --scheme\"". if(isnull(process) OR process=\"\",\"unknown\",process)
Endpoint_Processes_
fillnull_process_name
process_name string The friendly name of the process, such as notepad.exe. case(isnotnull(process_name) AND process_name!=\"\",process_name,isnotnull(process) AND process!=\"\",replace(process,\"^\\s*([^\\s]+).*\",\"\\1\"),1=1,\"unknown\")
Endpoint_Processes_
fillnull_user
user string The user account that spawned the process. if(isnull(user) OR user=\"\",\"unknown\",user)
Endpoint_Processes_
vendor_product
vendor_product string The vendor and product name of the Endpoint solution that reported the event, such as Carbon Black Cb Response. This field can be automatically populated by vendor and product fields in your data." case(isnotnull(vendor_product),vendor_product,
isnotnull(vendor) AND vendor!=\"unknown\" AND isnotnull(product) AND product!=\"unknown\",vendor.\" \".product,isnotnull(vendor) AND vendor!=\"unknown\" AND (isnull(product) OR product=\"unknown\"),vendor.\" unknown\",(isnull(vendor) OR vendor=\"unknown\") AND isnotnull(product) AND product!=\"unknown\",\"unknown \".product,isnotnull(sourcetype),sourcetype,
1=1,\"unknown\")
Endpoint_Services_
fillnull_dest
dest string The endpoint for which the service is installed." if(isnull(dest) OR dest=\"\",\"unknown\",dest)
Endpoint_Services_
fillnull_service
service string The full service name." if(isnull(service) OR service=\"\",\"unknown\",service)
Endpoint_Services_
fillnull_service_name
service_name string The friendly service name." if(isnull(service_name) OR service_name=\"\",\"unknown\",service_name)
Endpoint_Services_
fillnull_service_id
service_id string The unique identifier of the service assigned by the operating system." if(isnull(service_id) OR service_id=\"\",\"unknown\",service_id)
Endpoint_Services_
fillnull_start_mode
start_mode string The start mode for the service." if(isnull(start_mode) OR start_mode=\"\",\"unknown\",start_mode)
Endpoint_Services_
fillnull_status
status string The status of the service. Expected values: critical, started", stopped, warning if(isnull(status) OR status=\"\",\"unknown\",status)
Endpoint_Services_
fillnull_user
user string The user account associated with the service. if(isnull(user) OR user=\"\",\"unknown\",user)
Endpoint_Services_
vendor_product
vendor_product string The vendor and product name of the Endpoint solution that reported the event, such as Carbon Black Cb Response. This field can be automatically populated by vendor and product fields in your data. case(isnotnull(vendor_product),vendor_product,
isnotnull(vendor) AND vendor!=\"unknown\" AND isnotnull(product) AND product!=\"unknown\",vendor.\" \".product,isnotnull(vendor) AND vendor!=\"unknown\" AND (isnull(product) OR product=\"unknown\"),vendor.\" unknown\",(isnull(vendor) OR vendor=\"unknown\") AND isnotnull(product) AND product!=\"unknown\",\"unknown \".product,isnotnull(sourcetype),sourcetype,
1=1,\"unknown\")
Endpoint_Filesystem_
fillnull_action
action string The action performed on the resource. Expected values: acl_modified, created, deleted, modified, read if(isnull(action) OR action=\"\",\"unknown\",action)
Endpoint_Filesystem_
fillnull_dest
dest string The endpoint pertaining to the filesystem activity. if(isnull(dest) OR dest=\"\",\"unknown\",dest)
Endpoint_Filesystem_
eval_file_hash
file_hash string A cryptographic identifier assigned to the file object affected by the event. if(isnull(file_hash) OR file_hash=\"\",\"unknown\",file_hash)
Endpoint_Filesystem_
eval_file_name
file_name string The name of the file, such as notepad.exe. if(isnull(file_name) OR file_name=\"\",\"unknown\",file_name
Endpoint_Filesystem_
eval_file_path
file_path string The path of the file, such as C:\Windows\System32\notepad.exe. if(isnull(file_path) OR file_path=\"\",\"unknown\",file_path)
Endpoint_Filesystem_
eval_file_acl
file_acl string Access controls associated with the file affected by the event. if(isnull(file_acl) OR file_acl=\"\",\"unknown\",file_acl)
Endpoint_Filesystem_
eval_file_size
file_size number The size of the file that is the object of the event, in kilobytes. if(isnum(file_size),file_size,null())
Endpoint_Filesystem_
fillnull_user
user string The user account associated with the filesystem access. if(isnull(user) OR user=\"\",\"unknown\",user)
Endpoint_Filesystem_
vendor_product
vendor_product string The vendor and product name of the Endpoint solution that reported the event, such as Carbon Black Cb Response. This field can be automatically populated by vendor and product fields in your data. case(isnotnull(vendor_product),vendor_product,
isnotnull(vendor) AND vendor!=\"unknown\" AND isnotnull(product) AND product!=\"unknown\",vendor.\" \".product,isnotnull(vendor) AND vendor!=\"unknown\" AND (isnull(product) OR product=\"unknown\"),vendor.\" unknown\",(isnull(vendor) OR vendor=\"unknown\") AND isnotnull(product) AND product!=\"unknown\",\"unknown \".product,isnotnull(sourcetype),sourcetype,
1=1,\"unknown\")
Endpoint_Registry_
fillnull_action
action string The action performed on the resource. Expected values: created, deleted, modified, read" if(isnull(action) OR action=\"\",\"unknown\",action)
Endpoint_Registry_
fillnull_dest
dest string The endpoint pertaining to the registry events. if(isnull(dest) OR dest=\"\",\"unknown\",dest)
Endpoint_Registry_
fillnull_registry_path
registry_path string The path to the registry value, such as \win\directory\directory2\{676235CD-B656-42D5-B737-49856E97D072}\PrinterDriverData. if(isnull(registry_path) OR registry_path=\"\",\"unknown\",registry_path)
Endpoint_Registry_
fillnull_registry_
key_name
registry_key_name string The name of the registry key, such as PrinterDriverData. if(isnull(registry_key_name) OR registry_key_name=\"\",\"unknown\",
registry_key_name)
Endpoint_Registry_
fillnull_registry_
value_data
registry_value_data string The unaltered registry value. if(isnull(registry_value_data) OR registry_value_data=\"\",\"unknown\",
registry_value_data)
Endpoint_Registry_
fillnull_registry_
value_name
registry_value_name string The name of the registry value. if(isnull(registry_value_name) OR registry_value_name=\"\",\"unknown\",
registry_value_name)
Endpoint_Registry_
fillnull_registry_
value_type
registry_value_type string The type of the registry value. Expected values: REG_BINARY, REG_DWORD, REG_DWORD_LITTLE_ENDIAN, REG_DWORD_BIG_ENDIAN, REG_EXPAND_SZ, REG_LINK, REG_MULTI_SZ, REG_NONE, REG_QWORD, REG_QWORD_LITTLE_ENDIAN, REG_SZ" if(isnull(registry_value_type) OR registry_value_type=\"\",\"unknown\",
registry_value_type)
Endpoint_Registry_
fillnull_user
user string The user account associated with the registry access. if(isnull(user) OR user=\"\",\"unknown\",user)
Endpoint_Registry_
vendor_product
vendor_product string The vendor and product name of the Endpoint solution that reported the event, such as Carbon Black Cb Response. This field can be automatically populated by vendor and product fields in your data. case(isnotnull(vendor_product),vendor_product,
isnotnull(vendor) AND vendor!=\"unknown\" AND isnotnull(product) AND product!=\"unknown\",vendor.\" \".product,isnotnull(vendor) AND vendor!=\"unknown\" AND (isnull(product) OR product=\"unknown\"),vendor.\" unknown\",(isnull(vendor) OR vendor=\"unknown\") AND isnotnull(product) AND product!=\"unknown\",\"unknown \".product,isnotnull(sourcetype),sourcetype,
1=1,\"unknown\")

Search Example

The architecture of this data model is different than those it replaces. Each data set is directly searchable as DataModel.DataSet rather than by node name. An example follows for the new versus old search for summary count of ports by destination port:

Endpoint

| tstats `summariesonly` count from datamodel=Endpoint.Ports by Ports.dest

Application State

| tstats count from datamodel=Application_State.All_Application_State where nodename="All_Application_State.Ports" by All_Application_State.dest

PREVIOUS
Email
  NEXT
Interprocess Messaging

This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.12.0


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters