Change
The Change data model replaces the Change Analysis data model, which is deprecated as of software version 4.12.0.
Change.Endpoint is for administrative and policy types of changes to infrastructure security devices, servers, and endpoint detection and response (EDR) systems. The Endpoint data model is for monitoring endpoint clients including, but not limited to, end user machines, laptops, and bring your own devices (BYOD). If an event is about an endpoint process, service, file, port, and so on, see the Endpoint data model.
The fields in the Change data model describe Create
, Read
, Update
, and Delete
activities from any data source.
Note: A dataset is a component of a data model. In versions of the Splunk platform prior to version 6.5.0, these were referred to as data model objects.
Tags used with Change event datasets
The following tags act as constraints to identify your events as being relevant to this data model. For more information, see How to use these reference tables.
Dataset name | Tag name |
---|---|
All_Changes | change |
|
audit |
|
endpoint |
|
network |
|
account |
|
instance |
Fields for Change event datasets
The key for using the column titled "Notes" or "Abbreviated list of example values" is as follows:
- Recommended: Add-on developers make their best effort attempts to map these event fields. If these fields are not populated, then the event is not very useful.
- Required: Add-on developers must map these event fields when using the pytest-splunk-addon to test for CIM compatibility. See pytest-splunk-addon documentation.
- Prescribed values: Permitted values that can populate the fields, which Splunk is using for a particular purpose. Other valid values exist, but Splunk is not relying on them.
- Other values: Other example values that you might see.
For even more examples, see Change Field Mapping.
Dataset name | Field name | Data type | Description | Abbreviated list of example values | |
---|---|---|---|---|---|
All_Changes | action
|
string | The action attempted on the resource, regardless of success or failure. |
| |
All_Changes | change_type
|
string | The type of change, such as filesystem or AAA (authentication, authorization, and accounting).
|
| |
All_Changes | command
|
string | The command that initiated the change. |
| |
All_Changes | dest
|
string | The resource where change occurred. You can alias this from more specific fields not included in this data model, such as dest_host , dest_ip , or dest_name .
|
| |
All_Changes | dest_bunit
|
string | These fields are automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for these fields when writing add-ons. | ||
All_Changes | dest_category
|
string | |||
All_Changes | dest_priority
|
string | |||
All_Changes | dvc
|
string | The device that reported the change, if applicable, such as a FIP or CIM server. You can alias this from more specific fields not included in this data model, such as dvc_host , dvc_ip , or dvc_name .
|
| |
All_Changes | object
|
string | Name of the affected object on the resource (such as a router interface, user account, or server volume). |
| |
All_Changes | object_attrs
|
string | The object's attributes and their values. The attributes and values can be those that are updated on a resource object, or those that are not updated but are essential attributes. |
| |
All_Changes | object_category
|
string | Generic name for the class of the updated resource object. Expected values may be specific to an app, for example: registry, directory, file, group, user, bucket, instance. |
| |
All_Changes | object_id
|
string | The unique updated resource object ID as presented to the system, if applicable (for instance, a SID, UUID, or GUID value). |
| |
All_Changes | object_path
|
string | The path of the modified resource object, if applicable (such as a file, directory, or volume). |
| |
All_Changes | result
|
string | The vendor-specific result of a change, or clarification of an action status. For instance, status=failure may be accompanied by result=blocked by policy or result=disk full . result is a string. Please use a msg_severity_id field (not included in the data model) for severity ID fields that are integer data types.
|
| |
All_Changes | result_id
|
string | A result indicator for an action status.
|
recommended | |
All_Changes | src
|
string | The resource where the change was originated. You can alias this from more specific fields not included in the data model, such as src_host , src_ip , or src_name .
|
recommended | |
All_Changes | src_bunit
|
string | These fields are automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for these fields when writing add-ons. | ||
All_Changes | src_category
|
string | |||
All_Changes | src_priority
|
string | |||
All_Changes | status
|
string | Status of the update. |
| |
All_Changes | tag
|
string | This automatically generated field is used to access tags from within datamodels. Do not define extractions for this field when writing add-ons. | ||
All_Changes | user
|
string | The user or entity performing the change. For account changes, this is the account that was changed. See src_user for user or entity performing the change. Fill out and normalize first to user & src_user , for example when using Assets and Identities in Enterprise Security.
|
| |
All_Changes | user_agent
|
string | The user agent through which the request was made, such as Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) or aws-cli/2.0.0 Python/3.7.4 Darwin/18.7.0 botocore/2.0.0dev4 .
|
||
All_Changes | user_name
|
string | The user name of the user or entity performing the change. For account changes, this is the account that was changed (see src_user_name ). Use this field for a friendlier name, for example, with AWS events if you do not have Assets and Identities configured in Enterprise Security and are not getting a friendly name from user .
|
||
All_Changes | user_type
|
string | The type of the user involved in the event or who initiated the event, such as IAMUser, Admin, or System. For account management events, this should represent the type of the user changed by the request. | ||
All_Changes | vendor_account
|
string | The account that manages the user that initiated the request. | ||
All_Changes | vendor_product
|
string | The vendor and product or service that detected the change. This field can be automatically populated by vendor and product fields in your data.
|
| |
All_Changes | vendor_region
|
string | The data center region where the change occurred, such as us-west-2. | ||
Account_Management | dest_nt_domain
|
string | The NT domain of the destination, if applicable. | recommended | |
Account_Management | src_nt_domain
|
string | The NT domain of the source, if applicable. | recommended | |
Account_Management | src_user
|
string | For account changes, the user or entity performing the change. Fill out and normalize first to user & src_user , for example when using Assets and Identities in Enterprise Security.
|
recommended | |
Account_Management | src_user_bunit
|
string | These fields are automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. | ||
Account_Management | src_user_category
|
string | |||
Account_Management | src_user_priority
|
string | |||
Account_Management | src_user_name
|
string | For account changes, the user name of the user or entity performing the change. Use this field for a friendlier name, for example, with AWS events if you do not have Assets and Identities configured in Enterprise Security and are not getting a friendly name from src_user .
| ||
Account_Management | src_user_type
|
string | For account management events, this should represent the type of the user changed by the request. | ||
Instance_Changes | image_id
|
string | For create instance events, this field represents the image ID used for creating the instance such as the OS, applications, installed libraries, and more. | recommended | |
Instance_Changes | instance_type
|
string | For create instance events, this field represents the type of instance to build such as the combination of CPU, memory, storage, and network capacity. | recommended | |
Network_Changes | dest_ip_range
|
string | For network events, the outgoing traffic for a specific destination IP address range. Specify a single IP address or an IP address range in CIDR notation. For example, 203.0.113.5 or 203.0.113.5/32. | ||
Network_Changes | dest_port_range
|
string | For network events, this field represents destination port or range. For example, 80 or 8000 - 8080 or 80,443. | ||
Network_Changes | direction
|
string | For network events, this field represents whether the traffic is inbound or outbound. | ||
Network_Changes | protocol
|
string | This field represents the protocol for the network event rule. | ||
Network_Changes | rule_action
|
string | For network events, this field represents whether to allow or deny traffic. | ||
Network_Changes | src_ip_range
|
string | For network events, this field represents the incoming traffic from a specific source IP address or range. Specify a single IP address or an IP address range in CIDR notation. For example, 203.0.113.5 or 203.0.113.5/32. | ||
Network_Changes | src_port_range
|
string | For network events, this field represents source port or range. For example, 80 or 8000 - 8080 or 80,443. |
Certificates | Change Analysis (deprecated) |
This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.19.0, 4.20.0, 4.20.2
Feedback submitted, thanks!