Network Traffic Field Mapping
The following shows an example of how network traffic events map differently from various cloud providers to CIM data model field names.
See the Network Traffic data model for full field descriptions.
Source flow example
The source flow event from Google Cloud Platform (GCP) and Amazon Web Services (AWS) is a good way to see a common event and how each cloud provider maps to CIM data model field names.
GCP source flow
A sample GCP source flow follows:
{
  "resource": {
    "labels": {
      "subnetwork_id": "4884528796030499819",
      "subnetwork_name": "default",
      "location": "us-central1-c",
      "project_id": "gsa-project-151018"
    },
    "type": "gce_subnetwork"
  },
  "timestamp": "2020-05-13T18:10:27.15490124Z",
  "jsonPayload": {
    "src_vpc": {
      "subnetwork_name": "default",
      "vpc_name": "default",
      "project_id": "gsa-project-151018"
    },
    "dest_location": {
      "country": "usa",
      "asn": 15169,
      "continent": "America"
    },
    "src_instance": {
      "region": "us-central1",
      "vm_name": "gke-cluster-1-default-pool-cc3d3622-09nt",
      "zone": "us-central1-c",
      "project_id": "gsa-project-151018"            /** ----- vendor_account */
    },
    "start_time": "2020-05-13T18:10:22.594437852Z", /** ----- duration start time */
    "rtt_msec": "0",                                /** ----- response_time */
    "bytes_sent": "5300",                           /** ----- bytes_out, bytes_in, bytes */
    "reporter": "SRC",                              /** ----- direction */
    "packets_sent": "40",                           /** ----- packets_out, packets_in, packets */
    "end_time": "2020-05-13T18:10:22.614528620Z",   /** ----- duration end time */
    "connection": {
      "protocol": 6,                                /** ----- transport */
      "src_port": 44114,                            /** ----- src_port */
      "dest_ip": "173.255.116.127",                 /** ----- dest_ip, dest, dvc */
      "src_ip": "10.128.15.212",                    /** ----- src_ip, src, dvc */
      "dest_port": 443                              /** ----- dest_port */
    }
  },
  "insertId": "atlo5sg16t94yf",
  "logName": "projects/gsa-project-151018/logs/compute.googleapis.com%2Fvpc_flows",
  "receiveTimestamp": "2020-05-13T18:10:27.15490124Z"
}
AWS source flow
A sample AWS source flow follows:
2
772089552793            /** ----- account-id */
eni-099b0af8dd18f05bd   /** ----- dvc */
103.137.144.25          /** ----- src_ip, src */
103.137.144.26          /** ----- dest_ip, dest */
443                     /** ----- src_port */
22271                   /** ----- dest_port */
6                       /** ----- transport */
19                      /** ----- packets */
10984                   /** ----- bytes */
1589294114              /** ----- duration */
1589294114              /** ----- duration */
ACCEPT
OK
Source flow field mapping
Using the source flow from GCP as a base sample and comparing it to a similar event from AWS is a good way to see the similarities and differences in how each provider maps to common CIM field names.
| Field | Provider | Provider field name | CIM field name |
|---|---|---|---|
| Source | GCP | data.jsonPayload.connection.src_ip | src_ip, src |
| Source | AWS | srcaddr | src_ip, src |
| Device | GCP | data.jsonPayload.connection.src_ip | dvc if reporter=SRC |
| Device | AWS | interface-id | dvc |
| Source port | GCP | data.jsonPayload.connection.src_port | src_port |
| Source port | AWS | srcport | src_port |
| Destination | GCP | data.jsonPayload.connection.dest_ip | dest_ip, dest |
| Destination | AWS | dstaddr | dest_ip, dest |
| Destination port | GCP | data.jsonPayload.connection.dest_port | dest_port |
| Destination port | AWS | dstport | dest_port |
| Transport | GCP | data.jsonPayload.connection.protocol | transport |
| Transport | AWS | protocol | transport |
| Duration start time | GCP | data.jsonPayload.start_time | duration, calculated from start_time and end_time |
| Duration start time | AWS | start | duration, calculated from start_time and end_time |
| Duration end time | GCP | data.jsonPayload.end_time | duration, calculated from start_time and end_time |
| Duration end time | AWS | end | duration, calculated from start_time and end_time |
| Bytes | GCP | data.jsonPayload.bytes_sent | bytes_out, bytes_in, bytes |
| Bytes | AWS | bytes | bytes |
| Packets | GCP | data.jsonPayload.packets_sent | packets_out, packets_in, packets |
| Packets | AWS | packets | packets |
| Direction | GCP | data.jsonPayload.reporter | direction |
| Direction | AWS | n/a | n/a |
| Vendor account | GCP | data.jsonPayload.src_instance.project_id | vendor_account if reporter=SRC |
| Vendor account | AWS | account-id | vendor_account |
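As an added example (not Splunk's code), the following Python normalises the two sample records above to the CIM names in the table, including the duration calculated from start and end times and the reporter-dependent dvc and vendor_account. The protocol-number-to-transport table, the reporter-based choice between bytes_out/bytes_in (and packets_out/packets_in) and the direction values are assumptions not stated on this page.

```python
import json
from datetime import datetime

# Constructed sample inputs, abbreviated from the two flow records shown above.
GCP_EVENT = json.loads('''{"jsonPayload": {"reporter": "SRC", "rtt_msec": "0",
  "bytes_sent": "5300", "packets_sent": "40",
  "start_time": "2020-05-13T18:10:22.594437852Z", "end_time": "2020-05-13T18:10:22.614528620Z",
  "src_instance": {"project_id": "gsa-project-151018"},
  "connection": {"protocol": 6, "src_ip": "10.128.15.212", "src_port": 44114,
                 "dest_ip": "173.255.116.127", "dest_port": 443}}}''')
AWS_LINE = ("2 772089552793 eni-099b0af8dd18f05bd 103.137.144.25 103.137.144.26 "
            "443 22271 6 19 10984 1589294114 1589294114 ACCEPT OK")

# IANA protocol numbers to CIM transport values (assumed mapping, not given on the page).
TRANSPORT = {1: "icmp", 6: "tcp", 17: "udp"}


def _rfc3339(ts):
    """Parse a GCP timestamp; %f accepts at most six digits, so trim the nanoseconds."""
    head, frac = ts.rstrip("Z").split(".")
    return datetime.strptime(f"{head}.{frac[:6]}", "%Y-%m-%dT%H:%M:%S.%f")


def gcp_to_cim(event):
    p = event["jsonPayload"]
    c = p["connection"]
    src_reported = p["reporter"] == "SRC"
    cim = {
        "src_ip": c["src_ip"], "src": c["src_ip"], "src_port": c["src_port"],
        "dest_ip": c["dest_ip"], "dest": c["dest_ip"], "dest_port": c["dest_port"],
        "transport": TRANSPORT.get(c["protocol"], str(c["protocol"])),
        "dvc": c["src_ip"] if src_reported else c["dest_ip"],  # dvc is the reporting side
        "response_time": int(p["rtt_msec"]),
        "bytes": int(p["bytes_sent"]), "packets": int(p["packets_sent"]),
        # Assumed: the source reports what it sent (out), the destination what it received (in).
        ("bytes_out" if src_reported else "bytes_in"): int(p["bytes_sent"]),
        ("packets_out" if src_reported else "packets_in"): int(p["packets_sent"]),
        "direction": "outbound" if src_reported else "inbound",  # assumed CIM direction values
        "duration": (_rfc3339(p["end_time"]) - _rfc3339(p["start_time"])).total_seconds(),
    }
    if src_reported:  # the page maps vendor_account only when reporter=SRC
        cim["vendor_account"] = p["src_instance"]["project_id"]
    return cim


def aws_to_cim(line):
    """Default-format VPC flow log line, positional fields as annotated on this page."""
    (_ver, account, eni, srcaddr, dstaddr, srcport, dstport, proto,
     pkts, byts, start, end, _action, _status) = line.split()
    return {"vendor_account": account, "dvc": eni, "src_ip": srcaddr, "src": srcaddr,
            "dest_ip": dstaddr, "dest": dstaddr, "src_port": int(srcport), "dest_port": int(dstport),
            "transport": TRANSPORT.get(int(proto), proto), "packets": int(pkts), "bytes": int(byts),
            "duration": int(end) - int(start)}
```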
This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.17.0, 4.18.0, 4.18.1, 4.19.0, 4.20.0, 4.20.2