Splunk® Common Information Model Add-on

Common Information Model Add-on Manual

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Alerts

The fields and tags in the Alerts data model describe the alerts produced by alerting systems, such as Nagios or NetCool, for use in Splunk correlation searches or dashboards. They are not to be used to describe Splunk Alerts or Notable Events, which are already modeled in other contexts.

Note: A dataset is a component of a data model. In versions of the Splunk platform prior to version 6.5.0, these were referred to as data model objects.

Tags used with the Alerts event dataset

The following tag acts as constraint to identify your events as being relevant to this data model. For more information, see How to use these reference tables.

Dataset name Tag name
Alerts alert

Fields for the Alerts event dataset

The following table lists the extracted and calculated fields for the event dataset in the model. The table does not include any inherited fields. For more information, see How to use these reference tables.

The key for using the column titled "Abbreviated list of example values" follows:

  • Recommended: Add-on developers make their best effort attempts to map these event fields. If these fields are not populated, then the event is not very useful.
  • Required: Add-on developers must map these event fields when using the pytest-splunk-addon to test for CIM compatibility. See pytest-splunk-addon documentation.
  • Prescribed fields: Permitted values that can populate the fields, which Splunk is using for a particular purpose. Other valid values exist, but Splunk is not relying on them.
  • Other values: Other example values that you might see.
Dataset name Field name Data type Description Abbreviated list of example values
Alerts app string The system, service, or application that generated the alert event. Examples include, but are not limited to the following: GuardDuty, SecurityCenter, 3rd party services, win:app:trendmicro, vmware, nagios.
  • recommended
  • required for pytest-splunk-addon
Alerts body string The body of a message. This field is deprecated in favor of description. required for pytest-splunk-addon
Alerts description string The description of the alert event.
Alerts dest string The object that is the target of the alert event. Examples include an email address, SNMP trap, or virtual machine id. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name.
  • recommended
  • required for pytest-splunk-addon
Alerts dest_bunit string The business unit associated with the destination.

This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.
Alerts dest_category string The category of the destination.

This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.
Alerts dest_priority string The priority of the destination.

This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.
Alerts dest_type string The type of the destination object, such as instance, storage, firewall.
Alerts id string The unique identifier of the alert event. required for pytest-splunk-addon
Alerts mitre_technique_id string The MITRE ATT&CK technique ID of the alert event, searchable at https://attack.mitre.org/techniques.
Alerts severity string The severity of the alert event.

Note: This field is a string. Specific values are required. Use the severity_id field for severity ID fields that are integer data types. Specific values are required. Use vendor_severity for the vendor's own human-readable strings (such as Good, Bad, Really Bad, and so on).
  • recommended
  • required for pytest-splunk-addon
  • prescribed fields:
    critical, high, medium, low, informational, unknown
Alerts severity_id string The numeric or vendor specific severity indicator corresponding to the event severity.
Alerts signature string The human-friendly title of the alert event, such as 'API GetAccountPasswordPolicy was invoked using root credentials.' Split by signature_id when aggregating alert events by types.
Alerts signature_id string The vendor specific policy or rule that generated the alert event, such as 'Policy:IAMUser/RootCredentialUsage.' recommended
Alerts src string The object that is the actor of the alert event. You can alias this from more specific fields, such as src_host, src_ip, or src_name. recommended
Alerts src_bunit string The business unit associated with the source.

This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.
Alerts src_category string The category of the source.

This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.
Alerts src_priority string The priority of the source.

This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.
Alerts src_type string The type of the source object, such as instance, storage, firewall.
Alerts subject string The message subject. This field is deprecated in favor of signature.
Alerts tag string This automatically generated field is used to access tags from within data models. Do not define extractions for this field when writing add-ons.
Alerts type string The alert event type.
  • recommended
  • required for pytest-splunk-addon
  • prescribed fields:
    alarm, alert, event, task, warning, unknown
Alerts user string The user involved in the alert event. recommended
Alerts user_bunit string The business unit of the user involved in the alert event.

This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.
Alerts user_category string The category of the user involved in the alert event.

This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.
Alerts user_name string The name of the user involved in the alert event.
Alerts user_priority string The priority of the user involved in the alert event.

This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.
Alerts vendor_account string The account associated with the alert event.
Alerts vendor_region string The data center region involved in the alert event, such as us-west-2.
Last modified on 03 February, 2021
PREVIOUS
CIM fields per associated data model
  NEXT
Application State (deprecated)

This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.19.0 Cloud only


Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters