Change Field Mapping
The following shows an example of how change events map differently from various cloud providers to CIM data model field names.
See the Change data model for full field descriptions.
Update user example
The update user event from Amazon Web Services (AWS) and Azure is a good way to see a common event and how each cloud provider maps to CIM data model field names. An example case is where an admin creates or updates an IAMUser. The admin is the source user and source type.
AWS update user
A sample AWS update user action follows:
Click expand or collapse to show or hide the example.
{ "eventVersion": "1.05", "userIdentity": { "type": "IAMUser", /** ----- user_type, src_user_type "principalId": "AIDA3HRA7T6MUVQJRHPKV", /** ----- user, user_id "arn": "arn:aws:iam::772089552793:user/example_name", "accountId": "772089552793", /** ----- vendor_account "accessKeyId": "AKIA3HRA7T6MVC4EBVOG", "userName": "example_name" /** ----- user_name }, "eventTime": "2020-06-25T16:56:12Z", "eventSource": "iam.amazonaws.com", /** ----- app, dest "eventName": "UpdateUser", /** ----- action, command "awsRegion": "us-east-1", "sourceIPAddress": "72.83.94.230", /** ----- src, src_ip "userAgent": "aws-cli/2.0.0 Python/3.7.4 Darwin/19.5.0 botocore/2.0.0dev4", /** ----- user_agent "requestParameters": { /** ----- object, object_attrs, object_category, object_id, object_path "userName": "user_change_dm", "newUserName": "user_change" }, "responseElements": null, "requestID": "7e371c54-8df7-4f1f-b3b8-03d1298a52fd", "eventID": "74f66cee-7fe3-48f1-97ee-9c59efc40a5f", "eventType": "AwsApiCall", "recipientAccountId": "772089552793" }
Azure update user
A sample Azure update user action follows:
Click expand or collapse to show or hide the example.
{ "id": "Directory_5c4d6b97-3e18-4565-ad44-3c20ee2c70ab_1CKOF_99617149", "category": "UserManagement", /** ----- object_category "correlationId": "5c4d6b97-3e18-4565-ad44-3c20ee2c70ab", "result": "success", /** ----- status "resultReason": "", /** ----- result "activityDisplayName": "Disable Strong Authentication", /** ----- command "activityDateTime": "2020-06-11T23:07:51.971036Z", "loggedByService": "Core Directory", /** ----- dvc "operationType": "Update", /** ----- action "initiatedBy": { "app": null, "user": { "id": "df22f023-9e0f-4d78-bdd5-d496688af11e", "displayName": null, "userPrincipalName": "admin@a830edad9050849NDA3079.onmicrosoft.com", /** ----- src_user "ipAddress": null, "userType": null } }, "targetResources": [ { "id": "93a565f6-d0fc-4ac3-9d2a-8c1de9aeed3c", /** ----- object_id "displayName": null, "type": "User", /** ----- change_type, object_category "userPrincipalName": "es_csm_change_model@a830edad9050849nda3079.onmicrosoft.com", /** ----- user, user_id "groupType": null, "modifiedProperties": [ { "displayName": "StrongAuthenticationRequirement", "oldValue": "[{\"RelyingParty\":\"*\",\"State\":1,\"RememberDevicesNotIssuedBefore\":\"2020-06-11T23:07:35+00:00\"}]", "newValue": "[]" }, { "displayName": "Included Updated Properties", "oldValue": null, "newValue": "\"StrongAuthenticationRequirement\"" /** ----- object_attrs } ] } ], "additionalDetails": [] }
User update field mapping
Using the user update from AWS as a base sample, and comparing it to a similar event from Azure is a good way to see the similarities and differences per common CIM field names.
User example data | Provider field name | CIM field name |
---|---|---|
AWS
|
userIdentity.principalId |
|
Azure
|
targetResources.userPrincipalName |
|
Destination example data | Provider field name | CIM field name |
AWS
|
eventSource |
|
Azure
|
loggedByService |
|
Action example data | Provider field name | CIM field name |
AWS
|
eventName |
|
Azure
|
operationType | action |
Object example data | Provider field name | CIM field name |
AWS"requestParameters": { "userName": "user_change_dm", "newUserName": "user_change" }, |
requestParameters |
|
Azure
|
category | object_category |
Azure
|
targetResources.id | object_id |
Azure
|
targetResources.modifiedProperties | object_attrs |
Reboot example
The login success event from Amazon Web Services (AWS) and Azure is a good way to see a common event and how each cloud provider maps to CIM data model field names.
AWS EC2 instance reboot
A sample AWS EC2 instance reboot action follows:
Click expand or collapse to show or hide the example.
{ "eventVersion": "1.05", "userIdentity": { "type": "IAMUser", /** ----- user_type, src_user_type "principalId": "AIDA3HRA7T6MRJYJZSGXO", /** ----- user, user_id "arn": "arn:aws:iam::772089552793:user/example_name", "accountId": "772089552793", /** ----- vendor_account "accessKeyId": "ASIA3HRA7T6MR2NXOREA", "userName": "example_name", /** ----- user_name "sessionContext": { "sessionIssuer": {}, "webIdFederationData": {}, "attributes": { "mfaAuthenticated": "false", "creationDate": "2020-06-08T21:51:29Z" } } }, "eventTime": "2020-06-09T01:05:55Z", "eventSource": "ec2.amazonaws.com", /** ----- app, dest "eventName": "RebootInstances", /** ----- action, command "awsRegion": "us-east-2", /** ----- vendor_region "sourceIPAddress": "73.162.147.20", /** ----- src, src_ip "userAgent": "console.ec2.amazonaws.com", /** ----- user_agent "requestParameters": { /** ----- object, object_attrs, object_category, object_id, object_path "instancesSet": { "items": [ { "instanceId": "i-09b1f332093983cc1" } ] } }, "responseElements": { "requestId": "b09c7d96-645e-45db-aa6f-e09c32ad076e", "_return": true }, "requestID": "b09c7d96-645e-45db-aa6f-e09c32ad076e", "eventID": "43a8628d-5fc7-42f7-8666-b71664cefbac", "eventType": "AwsApiCall", "recipientAccountId": "772089552793" }
Azure virtual machine reboot
A sample Azure virtual machine reboot action follows:
Click expand or collapse to show or hide the example.
{ "time": "2020-06-18T22:31:41.7234475Z", "resourceId": "/SUBSCRIPTIONS/AE4AB7C9-DCDF-4427-9729-48E8C7551BE9/RESOURCEGROUPS/ES_CSM_CHANGE_MODEL/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/ES-CSM-CHNAGE-VM-1", /** ----- object_id, object, app, object_category, dest "operationName": "MICROSOFT.COMPUTE/VIRTUALMACHINES/RESTART/ACTION", /** ----- app "category": "Administrative", "resultType": "Success", "resultSignature": "Succeeded.", /** ----- status "durationMs": 0, "callerIpAddress": "174.62.106.48", "correlationId": "3cdcca7c-a98c-46b6-b3f9-9ce2d27c5fe4", "identity": { "authorization": { "scope": "/subscriptions/ae4ab7c9-dcdf-4427-9729-48e8c7551be9/resourceGroups/es_csm_change_model/providers/Microsoft.Compute/virtualMachines/es-csm-chnage-vm-1", "action": "Microsoft.Compute/virtualMachines/restart/action", /** ----- action, command "evidence": { "role": "Contributor", "roleAssignmentScope": "/subscriptions/ae4ab7c9-dcdf-4427-9729-48e8c7551be9", "roleAssignmentId": "8eb22423e5cc461592fda56f5b5dc2aa", "roleDefinitionId": "b24988ac618042a0ab8820f7382dd24c", "principalId": "149ec7a11f3a4878a1d558f4a1e67655", "principalType": "User" } }, "claims": { "aud": "https://management.core.windows.net/", "iss": "https://sts.windows.net/2ed28a74-1f6f-4829-8530-fe359c77d35c/", "iat": "1592517408", "nbf": "1592517408", "exp": "1592521308", "http://schemas.microsoft.com/claims/authnclassreference": "1", "aio": "ATQAy/8PAAAAtikpFkPjCTjg0x5DI7ch1Ki6e2TVeKzmZrn2OnJ5GchOOfM/PN7RfBss5uGIecXp", "http://schemas.microsoft.com/claims/authnmethodsreferences": "pwd", "appid": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "appidacr": "2", "ipaddr": "174.62.106.48", /** ----- src, src_ip "name": "Example_Name", "http://schemas.microsoft.com/identity/claims/objectidentifier": "149ec7a1-1f3a-4878-a1d5-58f4a1e67655", "puid": "10032000C9954D8E", "http://schemas.microsoft.com/identity/claims/scope": "user_impersonation", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "nZAgSAB9HehKWTDa3J1iIqTLWNzipERZJYScR7qzot4", "http://schemas.microsoft.com/identity/claims/tenantid": "2ed28a74-1f6f-4829-8530-fe359c77d35c", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "admin@a830edad9050849nda3079.onmicrosoft.com", /** ----- user_id "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "admin@a830edad9050849nda3079.onmicrosoft.com", "uti": "Ka0FzSYrf02er9SWaHN9AA", "ver": "1.0" } }, "level": "Information", "properties": { "category": "Administrative" } }
Reboot field mapping
Using the reboot from AWS as a base sample, and comparing it to a similar event from Azure is a good way to see the similarities and differences per common CIM field names.
User example data | Provider field name | CIM field name |
---|---|---|
AWS
|
userIdentity.principalId | user, user_id |
Azure
|
identity.claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
|
User type example data | Provider field name | CIM field name |
AWS
|
userIdentity.type |
|
Azure
|
n/a | na/ |
Destination example data | Provider field name | CIM field name |
AWS
|
eventSource |
|
Azure
|
operationName |
|
Azure
|
Subscription ID extracted from resourceID | dest |
Action example data | Provider field name | CIM field name |
AWS
|
eventName |
|
Azure
|
operationName |
|
Source example data | Provider field name | CIM field name |
AWS
|
sourceIPAddress |
|
Azure
|
claims.ipaddr |
|
Object example data | Provider field name | CIM field name |
AWS"requestParameters": { "force": false, "instancesSet": { "items": [{ "instanceId": "i-c103dcc9" }] } }, |
requestParameters |
|
Azure
|
resourceId |
|
You must assign requestParameters
to different object_*
fields in CIM. The CIM field object_*
is the object of change, which implies that it is the specific resource object that is reported as changed by the event.
In the AWS examples provided for the UpdateUser
event, the object of the change is the user, who is listed in requestParameters
. Therefore, the CIM field object
maps to requestParameters.newUserName
. The value for newUserName
is user_change
. Additionally, the values for both object_category
and object_attr
is the user because there are no known user attributes in the sample. The object_id
is user_change
because there no other user ID exists in the example other than the userName
. The field object_path
is not mapped because no path exists in the sample.
In the AWS examples provided for the RebootInstances
event, the object of the change is the instance. Therefore, the CIM field object
maps to requestParameters.instancesSet.items.instanceId
. The value for instanceId
is i-09b1f332093983cc1
. Additionally, the values for both object_category
and object_attr
is the instance because no known instance attributes exist in the example. The field object_id
is i-09b1f332093983cc1
and the field object_path
is not mapped because no instance path exists in the example.
Authentication Field Mapping | Network Traffic Field Mapping |
This documentation applies to the following versions of Splunk® Common Information Model Add-on: 5.0.1, 5.0.2, 5.1.0, 5.1.1, 5.1.2, 5.2.0, 5.3.1, 5.3.2, 6.0.0
Feedback submitted, thanks!