Splunk® Common Information Model Add-on

Common Information Model Add-on Manual

This documentation does not apply to the most recent version of Splunk® Common Information Model Add-on. For documentation on the most recent version, go to the latest release.

Vulnerabilities

The fields in the Vulnerabilities data model describe vulnerability detection data.

Note: A dataset is a component of a data model. In versions of the Splunk platform prior to version 6.5.0, these were referred to as data model objects.

Tags used with the Vulnerabilities event datasets

The following tags act as constraints to identify your events as being relevant to this data model. For more information, see How to use these reference tables.

Dataset name Tag name
Vulnerabilities report
vulnerability

Fields for Vulnerabilities event datasets

The following table lists the extracted and calculated fields for the event datasets in the model. Note that it does not include any inherited fields. For more information, see How to use these reference tables.

The key for using the column titled "Abbreviated list of example values" follows:

  • Recommended are fields derived from the "recommended=true" JSON parameter that the TA developers need to make best efforts to map
  • Prescribed fields are the permitted values that can populate the fields, which are derived from the "expected_values" JSON parameter
  • Other values are other example values that you might see
Dataset name Field name Data type Description Abbreviated list of example values
Vulnerabilities bugtraq string Corresponds to an identifier in the vulnerability database provided by the Security Focus website (searchable at http://www.securityfocus.com/).
Vulnerabilities category string The category of the discovered vulnerability, such as DoS.

Note: This field is a string. Use category_id for numeric values. The category_id field is optional and thus is not included in the data model.
recommended
Vulnerabilities cert string Corresponds to an identifier in the vulnerability database provided by the US Computer Emergency Readiness Team (US-CERT, searchable at http://www.kb.cert.org/vuls/).
Vulnerabilities cve string Corresponds to an identifier provided in the Common Vulnerabilities and Exposures index (searchable at http://cve.mitre.org). recommended
Vulnerabilities cvss number Numeric indicator of the common vulnerability scoring system.
Vulnerabilities dest string The host with the discovered vulnerability. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name. recommended
Vulnerabilities dest_bunit string These fields are automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for these fields when writing add-ons.
Vulnerabilities dest_category string
Vulnerabilities dest_priority string
Vulnerabilities dvc string The system that discovered the vulnerability. You can alias this from more specific fields, such as dvc_host, dvc_ip, or dvc_name. recommended
Vulnerabilities dvc_bunit string These fields are automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for these fields when writing add-ons.
Vulnerabilities dvc_category string
Vulnerabilities dvc_priority string
Vulnerabilities msft string Corresponds to a Microsoft Security Advisory number (http://technet.microsoft.com/en-us/security/advisory/).
Vulnerabilities mskb string Corresponds to a Microsoft Knowledge Base article number (http://support.microsoft.com/kb/).
Vulnerabilities severity string The severity of the vulnerability detection event. Specific values are required. Use vendor_severity for the vendor's own human readable strings (such as Good, Bad, and Really Bad).

Note: This field is a string. Use severity_id for numeric data types. The severity_id field is optional and not included in the data model.
  • recommended
  • prescribed fields:
    critical, high, medium, informational, low
Vulnerabilities signature string The name of the vulnerability detected on the host, such as HPSBMU02785 SSRT100526 rev.2 - HP LoadRunner Running on Windows, Remote Execution of Arbitrary Code, Denial of Service (DoS).

Note: This field has a string value. Use signature_id for numeric indicators. The signature_id field is optional and is not included in the data model.
recommended
Vulnerabilities tag string This automatically generated field is used to access tags from within data models. Do not define extractions for this field when writing add-ons.
Vulnerabilities url string The URL involved in the discovered vulnerability.
Vulnerabilities user string The user involved in the discovered vulnerability.
Vulnerabilities user_bunit string These fields are automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for these fields when writing add-ons.
Vulnerabilities user_category string
Vulnerabilities user_priority string
Vulnerabilities vendor_product string The vendor and product that detected the vulnerability. This field can be automatically populated by vendor and product fields in your data. recommended
Vulnerabilities xref string A cross-reference identifier associated with the vulnerability. In most cases, the xref field contains both the short name of the database being cross-referenced and the unique identifier used in the external database.
Last modified on 14 August, 2020
Updates   Web

This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.16.0, 4.17.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters