Data Access Field Mapping
The following shows an example of how data access events map differently from various cloud providers to CIM data model field names.
See the Data Access data model for full field descriptions.
File upload success example
The file upload success event from Google Drive and Box is a good way to see a common event and how each cloud provider maps to CIM data model field names.
Google Drive upload success
A sample Google Drive user successfully uploading a file follows:
Click expand or collapse to show or hide the example.
{
"kind": "admin#reports#activity",
"id": {
"time": "2021-01-27T20:55:22.553Z",
"uniqueQualifier": "-5126288301746458201",
"applicationName": "drive", /** ----- app, dest_name, vendor_product, dvc
"customerId": "C01yel9ht" /** ----- tenant_id
},
"etag": "\"fhmPGI5aiiS0KGD55zBI3n4f0Di-XQVRRMmqt75xUJc/Qtt_cFE351_xxWrZD43B_hFtj7I\"",
"actor": {
"email": "name@example.com", /** ----- email, user
"profileId": "110778908138668363959" /** ----- user_id
},
"ipAddress": "96.231.134.130", /** ----- src
"events": [
{
"type": "access",
"name": "upload", /** ----- action
"parameters": [
{
"name": "primary_event",
"boolValue": true
},
{
"name": "billable",
"boolValue": true
},
{
"name": "doc_id", /** ----- object_id
"value": "1s2ww0PVPGuuKXAzdjg6jGgmZtcxGchH7"
},
{
"name": "doc_type", /** ----- object_type
"value": "unknown"
},
{
"name": "doc_title", /** ----- object
"value": "quickstart.py"
},
{
"name": "visibility",
"value": "private"
},
{
"name": "originating_app_id",
"value": "691301496089"
},
{
"name": "actor_is_collaborator_account", /** ----- user_role
"boolValue": false
},
{
"name": "owner", /** ----- owner
"value": "name@example.com"
},
{
"name": "owner_is_shared_drive",
"boolValue": false
},
{
"name": "owner_is_team_drive",
"boolValue": false
}
]
}
]
}
]
}
Box upload success
A sample Box user successfully uploading a file follows:
Click expand or collapse to show or hide the example.
source_item_type="file", /** ----- object_type
source_item_id="782729174962", /** ----- object_id
source_item_name="Consolidated Quarter-VII-IV Schedule -
Participants.xlsx", /** ----- object
source_parent_type="folder",
source_parent_name="Test",
source_parent_id="132755355986",
source_owned_by_type="user",
source_owned_by_id="15230886095", /** ----- owner_id
source_owned_by_name="Example Name", /** ----- owner
source_owned_by_login="name@example.com", /** ----- owner_email
created_by_type="user",
created_by_id="15230886095", /** ----- user_id
created_by_name="Example Name", /** ----- user
created_by_login="name@example.com", /** ----- email
action_by="",
created_at="2021-03-03T10:10:40-08:00",
event_id="30fe6b3e-41ea-40a5-894d-38c575c0be5f",
event_type="UPLOAD", /** ----- action
ip_address="103.226.185.0", /** ----- src
type="event",
session_id="",
additional_details_size="22564", /** ----- object_size
additional_details_ekm_id="b03b4375-03c9-4c03-9559-9cedddab801d",
additional_details_version_id="836198952562",
additional_details_service_id="231318",
additional_details_service_name="Multiput Uploads",
account_id=15230886095 /** ----- user_id
Upload field mapping
Using the file upload success from Google Drive as a base sample, and comparing it to a similar event from Box is a good way to see the similarities and differences per common CIM field names.
| Source example data | Provider field name | CIM field name |
|---|---|---|
| Google Drive
|
actor.email |
|
| Box
|
created_by_login | |
| Device example data | Provider field name | CIM field name |
| Google Drive
|
actor.email |
|
| Box
|
created_by_name | user |
| Device example data | Provider field name | CIM field name |
| Google Drive
|
actor. profileId | user_id |
| Box
|
|
user_id |
| Device example data | Provider field name | CIM field name |
| Google Drive
|
ipAddress | src |
| Box
|
ip_address | src |
| Device example data | Provider field name | CIM field name |
| Google Drive
|
name | action |
| Box
|
event_type | action |
| Device example data | Provider field name | CIM field name |
| Google Drive
|
"name": "doc_id" | object_id |
| Box
|
source_item_id | object_id |
| Device example data | Provider field name | CIM field name |
| Google Drive
|
"name": "doc_type" | object_type |
| Box
|
source_item_type | object_type |
| Device example data | Provider field name | CIM field name |
| Google Drive
|
"name": "doc_title" | object |
| Box
|
source_item_name | object |
| Device example data | Provider field name | CIM field name |
| Google Drive
|
"name": "owner" | owner |
| Box
|
source_owned_by_name | owner |
| Network Traffic Field Mapping | ITSI Normalization |
This documentation applies to the following versions of Splunk® Common Information Model Add-on: 5.0.1, 5.0.2, 5.1.0, 5.1.1, 5.1.2, 5.2.0, 5.3.1, 5.3.2, 6.0.0
Download manual
Feedback submitted, thanks!