Data models
The Splunk App for Enterprise Security uses a number of data models to populate its dashboards. Base searches have been deprecated in favor of data models.
Data model | Objects | Tags or constraints | Notes | Replaces base search |
---|---|---|---|---|
Alerts | | tag=alert_messages | N/A | |
Application State | | (tag=listening tag=port) OR (tag=process tag=report) OR (tag=service tag=report) | Can be accelerated | |
Application State | Ports | inherited tags from Application State and tag=listening tag=port | | |
Application State | Processes | inherited tags from Application State and tag=process tag=report | | |
Application State | Services | inherited tags from Application State and tag=service tag=report | | |
Assets and Identities | | N/A | | |
Authentication | | tag=authentication NOT (action=success user=*$) | Can be accelerated | "Access - All Authentication - Base" |
Change Analysis | | tag=change (there are sub-sets of change beyond this) | Can be accelerated | |
Compute Inventory | | N/A (includes Network Fabric and Storage Fabric data) | | |
Domain Analysis | | index=whois sourcetype=Whois:* | Can be accelerated | |
Incident Management | | index=notable | Can be accelerated | |
Intrusion Detection | | tag=ids tag=attack | Can be accelerated | "Network - All IDS Attacks - Base" |
JVM | | | Can be accelerated | "Network - All IDS Attacks - Base" |
Malware | | tag=malware tag=attack | Can be accelerated | "Endpoint - All Malware - Base" |
Network Sessions | | | Can be accelerated | |
Network Traffic | | | Can be accelerated | "Network - All Communication - Base" |
Performance | | N/A | | |
Splunk Audit Logs | | index=_internal sourcetype=splunk_web_access method=GET status=200 | Can be accelerated | |
Threat Lists | | `threatlists` | N/A (auto extracted) | |
Updates | | tag=update tag=status | Can be accelerated | "Endpoint - System Update Tracker - TSIDX Gen" |
Vulnerabilities | | tag=vulnerability tag=report | Can be accelerated | |
Web | | tag=web | Can be accelerated | |
Specialized data models
In addition to the data models available as part of the Common Information Model add-on, these data models are included with the Splunk App for Enterprise Security.
Domain Analysis
The Domain Analysis data model is available as part of the SA-NetworkProtection add-on, included with the Splunk App for Enterprise Security. The Domain Analysis data model search is constrained to index=whois sourcetype=Whois:*.
The fields and tags in the Domain Analysis data model describe the domain information in your deployment.
Tags used with the Domain Analysis data model
Object name(s) | Tag name | Required? |
---|---|---|
All_Domains | index=whois sourcetype=Whois:* | YES |
Fields for the Domain Analysis data model and event category
Object name(s) | Field name | Data type | Description | Expected values |
---|---|---|---|---|
All_Domains | domain | string | Name of the domain | |
All_Domains | nameservers | string | Name of the name server associated with this domain | |
All_Domains | registrant | string | | |
All_Domains | registrar | string | | |
All_Domains | resolved_domain | string | Resolved domain name | |
Incident Management
The Incident Management data model is available as part of the SA-ThreatIntelligence add-on, included with the Splunk App for Enterprise Security. This data model reads from index=notable.
The fields in the Incident Management event category describe events gathered by network monitoring devices and apps.
Tags used with the Incident Management event category
Object name(s) | Tag name or constraint | Required? |
---|---|---|
Notable_Events (Metadata only) | index=notable | YES |
Fields for the Incident Management data model
Object name(s) | Field name | Data type | Description | Possible values |
---|---|---|---|---|
Notable_Events_Meta | tag | string | ||
Notable_Events_Meta | rule_id | string | ||
Notable_Events_Meta | decoration | string | ||
Correlation_Searches | control | string | ||
Correlation_Searches | default_owner | string | ||
Correlation_Searches | default_status | string | ||
Correlation_Searches | description | string | ||
Correlation_Searches | governance | string | ||
Correlation_Searches | rule_name | string | ||
Correlation_Searches | saved_search | string | ||
Correlation_Searches | security_domain | string | ||
Correlation_Searches | severity | string | ||
Incident Review | comment | string | ||
Incident Review | owner | string | ||
Incident Review | reviewer | string | ||
Incident Review | rule_id | string | ||
Incident Review | security_domain | string | ||
Incident Review | status_group | string | ||
Incident Review | status_label | string | ||
Incident Review | tag | string | ||
Incident Review | urgency | string | ||
Notable_Events | dest | string | ||
Notable_Events | owner | string | ||
Notable_Events | owner_realname | string | ||
Notable_Events | rule_name | string | ||
Notable_Events | security_domain | string | ||
Notable_Events | source | string | ||
Notable_Events | src | string | ||
Notable_Events | status_label | string | ||
Notable_Events | status_group | string | ||
Notable_Events | tag | string | ||
Notable_Events | urgency | string | ||
Notable_Owners | owner | string | ||
Notable_Owners | owner_realname | string | ||
Review_Statuses | default | boolean | ||
Review_Statuses | end | boolean | ||
Review_Statuses | hidden | boolean | ||
Review_Statuses | status | string | ||
Review_Statuses | status_description | string | ||
Review_Statuses | status_label | string | ||
Security_Domains | is_enabled | boolean | ||
Security_Domains | is_expected | boolean | ||
Security_Domains | is_ignored | boolean | ||
Security_Domains | security_domain_label | string | ||
Suppression_Audit | action | string | ||
Suppression_Audit | signature | string | ||
Suppression_Audit | status | string | ||
Suppression_Audit | suppression | string | ||
Suppression_Audit | user | string | ||
Suppression_Audit_Expired | suppression | string | ||
Suppression_Eventtypes | description | string | ||
Suppression_Eventtypes | disabled | boolean | ||
Suppression_Eventtypes | end_time | timestamp | ||
Suppression_Eventtypes | search | string | ||
Suppression_Eventtypes | suppression | string | ||
Suppression_Eventtypes | start_time | timestamp | ||
Suppressed_Notable_Events | dest | string | ||
Suppressed_Notable_Events | rule_name | string | ||
Suppressed_Notable_Events | security_domain | string | ||
Suppressed_Notable_Events | signature | string | ||
Suppressed_Notable_Events | source | string | ||
Suppressed_Notable_Events | suppression | string | ||
Suppressed_Notable_Events | tag | string | ||
Suppressed_Notable_Events | urgency | string | ||
Urgencies | priority | string | ||
Urgencies | severity | string | ||
Urgencies | urgency | string | ||
Threat Lists
The Threat Lists data model is available as part of the SA-ThreatIntelligence add-on, included with the Splunk App for Enterprise Security.
The fields and tags in the Threat Lists data model describe potential threats both inside and outside of your deployment.
See the Common Information Model Add-on Manual for more about data models.
Tags used with the Threat Lists data model
Object name(s) | Tag name or constraint | Required? |
---|---|---|
All_Threat_Lists | `threatlists` | YES |
Fields for the Threat Lists data model and event category
Object name(s) | Field name | Data type | Description | Expected values |
---|---|---|---|---|
All_Threat_Lists | category | string | Category of the threat | proxy, spyware, network, malicious |
All_Threat_Lists | description | string | Description of the threat, source, how it was detected, etc. | |
All_Threat_Lists | ip_count | string | Count of ip values associated with a specific threat | 512, 32, 16, 256 |
All_Threat_Lists | ip | string | IP address associated with the threat | 99.250.24.32 |
All_Threat_Lists | name | string | Name of the lookup that detected the threat | sans, iblocklist_tor |
All_Threat_Lists | subnet | int | Subnet on which the threat was detected | 23, 32, 24, 27 |
Assets And Identities
The fields in the Assets and Identities data model, and the Asset and Identity event categories, describe both asset inventory and individual account holders that should be made available across multiple Splunk application contexts.
Note: Any field in the All_Assets event category can optionally be prepended with dest_, dvc_, host_, orig_host_, or src_ for enrichment purposes. These fields are not required, but are often used in apps alongside dest, dvc, host, orig_host, or src if they are available.
Tags are not applicable to the Assets and Identities data model and event category.
Fields for the Assets and Identities data model and event category
Object name(s) | Field name | Data type | Description | Expected values |
---|---|---|---|---|
All_Assets | asset_id | string | An identifier for the asset, such as an asset tag or serial number. | |
All_Assets | city | string | The city where the asset is located, such as San Francisco. | |
All_Assets | bunit | string | The business unit of the asset, such as Marketing. | |
All_Assets | category | MV string | The category of the asset, such as email_server or SOX-compliant. | |
All_Assets | country | string | The country where the asset is located, such as USA. | |
All_Assets | dns | MV string | A fully qualified domain name (FQDN) associated with the asset, such as server42.splunk.com. | |
All_Assets | ip | MV string | An IP address (either v4 or v6) associated with the asset, such as 192.168.4.2. Note: Remove zero-padding on this field. | |
All_Assets | is_expected | boolean | A flag indicating whether the asset is expected to continually send data to Splunk. Note: Some apps may alert if is_expected is set to Y for an asset that is not sending data. | true, false |
All_Assets | lat | string | The latitude of an asset's location. | |
All_Assets | location | string | The physical location of an asset. | |
All_Assets | long | string | The longitude of an asset's location. | |
All_Assets | mac | MV string | A MAC address associated with the asset, such as 06:10:9f:eb:8f:14. Note: Always force lower case on this field, and always use colons instead of dashes, spaces, or no separator. | |
All_Assets | nt_host | string | The cross-platform short name or NetBIOS name of the asset, such as server42. Note: Always force lower case on this field. | |
All_Assets | owner | MV string | The owner of the asset, such as jdoe. | |
All_Assets | priority | string | The priority of the asset. | critical, high, medium, low, informational, unknown |
All_Assets | requires_av | boolean | Flag that indicates whether the asset is expected to use a local antivirus or endpoint protection tool. Note that some apps may alert if requires_av is set to true for an asset that is not running an antivirus service and/or does not have event types properly configured for that service. | true, false |
All_Assets | should_timesync | boolean | Flag that indicates whether the asset is expected to maintain time synchronization. Note that some apps may alert if should_timesync is set to true for an asset that is not running a time synchronization service and/or does not have event types properly configured for that service. | true, false |
All_Assets | should_update | boolean | Flag that indicates whether the asset is expected to regularly apply patches. Note that some apps may alert if should_update is set to true for an asset that is not running a patching service and/or does not have event types properly configured for that service. | true, false |
All_Identities | bunit | string | The business unit of the identity, such as Sales. | |
All_Identities | category | MV string | The category of the identity, such as sales or customer_facing. | |
All_Identities | city | string | The city where the identity is based, such as San Francisco. | |
All_Identities | country | string | The country where the identity is based, such as USA. | |
All_Identities | email | MV string | The email address (or addresses) associated with the identity. Note that this is a multivalue field. | |
All_Identities | end_date | timestamp | The end date of the identity; leave blank if not applicable. Note that the presence of an end_date in the past may cause some apps to create alerts from events involving this identity. | |
All_Identities | first | string | A first name for the identity, such as Jane. | |
All_Identities | identity | MV string | Account names and numbers associated with the identity. Note that this is a multivalue field. | |
All_Identities | last | string | A last name for the identity, such as Doe. | |
All_Identities | lat | string | The latitude of the identity's base location. | |
All_Identities | location | string | The base location for the identity, such as an office name. | |
All_Identities | long | string | The longitude of the identity's base location. | |
All_Identities | managed_by | MV string | The manager(s) of the identity, such as jdoe. Note that this is a multivalue field and should use account names or numbers from the identity field. | |
All_Identities | nick | string | A nickname for the identity, such as Moerex. | |
All_Identities | phone | MV string | A phone number (or set of phone numbers) for the identity. Note that this is a multivalue field. | |
All_Identities | phone2 | MV string | A phone number (or set of phone numbers) for the identity. Note that this is a multivalue field. | |
All_Identities | prefix | string | A prefix for the identity, such as Mr. | |
All_Identities | priority | string | The priority of the identity. | critical, high, medium, low, informational, unknown |
All_Identities | start_date | timestamp | The start date of the identity. | |
All_Identities | suffix | string | A suffix for the identity, such as Jr. | |
All_Identities | watchlist | boolean | Flag if the identity is on a watchlist. Note that some apps may create alerts for events that involve this identity if this flag is set. | true, false |
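The All_Assets notes above (strip zero-padding from ip, force lower case and colon separators on mac, force lower case on nt_host, restrict priority to the listed values, boolean flags) are the rules an asset lookup must satisfy before the data model is useful for correlation. As an added example that is not part of the Splunk documentation, this Python normalizer applies those notes to a constructed asset lookup CSV; the column set and the sample values are assumptions.

```python
import csv
import io
import ipaddress
import re
# Allowed priority values, as listed in the All_Assets priority row above.
PRIORITIES = {"critical", "high", "medium", "low", "informational", "unknown"}
BOOLEAN_FIELDS = ("is_expected", "requires_av", "should_timesync", "should_update")
TRUE_WORDS, FALSE_WORDS = {"true", "t", "y", "yes", "1"}, {"false", "f", "n", "no", "0", ""}
# Constructed sample lookup rows (not from the page); values exercise each field note.
SAMPLE_CSV = """ip,mac,nt_host,dns,priority,is_expected,requires_av
010.001.004.002,06-10-9F-EB-8F-14,SERVER42,server42.example.com,High,true,false
192.168.4.7,0610.9feb.8f15,Host7,,critical,Y,TRUE
"""

def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated MAC, as the mac field note requires."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).lower()

def normalize_ip(ip: str) -> str:
    """Strip zero-padding from IPv4 octets; IPv6 is canonicalized by ipaddress."""
    if ":" not in ip:
        ip = ".".join(str(int(octet)) for octet in ip.split("."))
    return str(ipaddress.ip_address(ip))  # raises ValueError on garbage

def normalize_bool(value: str) -> str:
    # Map the spellings seen in hand-maintained lookups onto true/false.
    v = value.strip().lower()
    if v not in TRUE_WORDS | FALSE_WORDS:
        raise ValueError(f"not a boolean flag: {value!r}")
    return "true" if v in TRUE_WORDS else "false"

def normalize_asset_rows(text: str) -> list:
    """Apply the All_Assets field notes to every row of an asset lookup CSV."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        if row.get("ip"):
            row["ip"] = normalize_ip(row["ip"])
        if row.get("mac"):
            row["mac"] = normalize_mac(row["mac"])
        row["nt_host"] = row.get("nt_host", "").lower()  # nt_host note: lower case
        row["priority"] = row.get("priority", "unknown").strip().lower()
        if row["priority"] not in PRIORITIES:
            raise ValueError(f"bad priority {row['priority']!r} for {row['ip']}")
        for field in set(BOOLEAN_FIELDS) & row.keys():
            row[field] = normalize_bool(row[field])
        rows.append(row)
    return rows
```

Rows that fail a check raise rather than being silently dropped, so a lookup refresh job can reject a bad file before it reaches the data model.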
This documentation applies to the following versions of Splunk® Enterprise Security: 3.0, 3.0.1