Related Answers
Download topic as PDF
Data Access
The Data Access data model is for monitoring shared data access user activity. It helps you detect a user's unauthorized data access, misuse, exfiltration, and more. It applies to events about users accessing data on servers that are shared by many other users, such as: The "file abc" on the "server xyz" was accessed (read, created, modified, shared, and so on) by a "user Bob".
Note: A dataset is a component of a data model. In versions of the Splunk platform prior to version 6.5.0, these were referred to as data model objects.
Tags used with Data Access event datasets
The following tags act as constraints to identify your events as being relevant to this data model. For more information, see How to use these reference tables.
| Dataset name | Tag name |
|---|---|
| Data_Access | data |
| access |
Fields for Data Access event datasets
The key for using the column titled "Abbreviated list of example values" follows:
- Recommended: Add-on developers make their best effort attempts to map these event fields. If these fields are not populated, then the event is not very useful.
- Required: Add-on developers must map these event fields when using the pytest-splunk-addon to test for CIM compatibility. See pytest-splunk-addon documentation.
- Prescribed values: Permitted values that can populate the fields, which Splunk is using for a particular purpose. Other valid values exist, but Splunk is not relying on them.
- Other values: Other example values that you might see.
For even more examples, see Data Access Field Mapping.
| Dataset name | Field name | Data type | Description | Notes |
|---|---|---|---|---|
| Data_Access | action |
string | The data access action taken by the user. |
|
| Data_Access | app |
string | The application involved in the event. | recommended |
| Data_Access | app_id |
string | Application ID as defined by the vendor. | |
| Data_Access | dest |
string | The destination where the data resides or where it is being accessed, such as the product or application. You can alias this from more specific fields not included in this data model, such as dest_host, dest_ip, dest_url, or dest_name. |
recommended |
| Data_Access | dest_name |
string | Name of the destination as defined by the vendor. | |
| Data_Access | dest_url |
string | Url of the product, application, or object. | |
| Data_Access | dvc |
string | The device that reported the data access event. | |
| Data_Access | email |
string | The email address of the user involved in the event, or who initiated the event. | |
| Data_Access | object |
string | Resource object name on which the action was performed by a user. | recommended |
| Data_Access | object_attrs |
string | The object's attributes and their values. The attributes and values can be those that are updated on a resource object, or those that are not updated but are essential attributes. | recommended |
| Data_Access | object_category |
string | Generic name for the class of the updated resource object. Expected values may be specific to an app. For example, collaboration, file, folder, comment, task, note, and so on.
|
recommended |
| Data_Access | object_id |
string | The unique updated resource object ID as presented to the system, if applicable. For example, a source_folder_id, doc_id. | recommended |
| Data_Access | object_path |
string | The path of the modified resource object, if applicable, such as a file, directory, or volume. | |
| Data_Access | object_size |
string | The size of the modified resource object. | recommended |
| Data_Access | owner |
string | Resource owner. | |
| Data_Access | owner_email |
string | Email of the resource owner. | |
| Data_Access | owner_id |
string | ID of the owner as defined by the vendor. | |
| Data_Access | parent_object |
string | Parent of the object name on which the action was performed by a user. | |
| Data_Access | parent_object_id |
string | Parent object ID | |
| Data_Access | parent_object_category |
string | Object category of the parent object on which action was performed by a user. | |
| Data_Access | signature |
string | A human-readable signature name. | |
| Data_Access | signature_id |
string | The unique identifier or event code of the event signature. | optional |
| Data_Access | src |
string | The endpoint client host. | recommended |
| Data_Access | vendor_account |
string | Account associated with the event. The account represents the organization, or a Cloud customer or a Cloud account. | recommended |
| Data_Access | user |
string | The user involved in the event, or who initiated the event. | recommended |
| Data_Access | user_agent |
string | The user agent through which the request was made, such as Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) or aws-cli/2.0.0 Python/3.7.4 Darwin/18.7.0 botocore/2.0.0dev4 | recommended |
| Data_Access | user_group |
string | The group of the user involved in the event, or who initiated the event. | |
| Data_Access | user_id |
string | The unique id of the user involved in the event. For authentication privilege escalation events, this should represent the user targeted by the escalation. | optional |
| Data_Access | user_name |
string | The user name of the user or entity performing the change. For account changes, this is the account that was changed (see src_user_name). Use this field for a friendlier name, for example, with AWS events if you do not have Assets and Identities configured in Enterprise Security and are not getting a friendly name from user. | recommended |
| Data_Access | user_email |
string | The email address of the user or entity involved in the event. | optional |
| Data_Access | user_role |
string | The role of the user involved in the event, or who initiated the event. | |
| Data_Access | user_type |
string | The type of the user involved in the event or who initiated the event, such as IAMUser, Admin, or System. For account management events, this should represent the type of the user changed by the request. | optional |
| Data_Access | vendor_product |
string | The vendor and product name of the vendor. | recommended |
| Data_Access | vendor_product_id |
string | The vendor and product name ID as defined by the vendor. | |
| Data_Access | vendor_region |
string | The data center region where the change occurred, such as us-west-2. | optional |
Last modified on 30 May, 2023
|
PREVIOUS Change Analysis (deprecated) |
NEXT Databases |
This documentation applies to the following versions of Splunk® Common Information Model Add-on: 5.0.1, 5.0.2, 5.1.0, 5.1.1
Feedback submitted, thanks!