Splunk® Enterprise Security

Installation and Upgrade Manual


Data models

The Splunk App for Enterprise Security uses a number of data models to populate its dashboards. Base searches have been deprecated in favor of data models.

Data model | Objects | Tags / search constraint | Notes | Replaces base search
--- | --- | --- | --- | ---
Alerts | | tag=alert_messages | | N/A
Application State | | (tag=listening tag=port) OR (tag=process tag=report) OR (tag=service tag=report) | Can be accelerated |
| Ports | inherited tags from Application State and tag=listening tag=port | |
| Processes | inherited tags from Application State and tag=process tag=report | |
| Services | inherited tags from Application State and tag=service tag=report | |
Assets and Identities | | N/A | |
Authentication | | tag=authentication NOT (action=success user=*$) | Can be accelerated | "Access - All Authentication - Base"
Change Analysis | | tag=change (there are sub-sets of change beyond this) | Can be accelerated |
Compute Inventory | | N/A | Includes Network Fabric and Storage Fabric data |
Domain Analysis | | index=whois sourcetype=Whois:* | Can be accelerated |
Email | | | |
Incident Management | | index=notable | Can be accelerated |
Intrusion Detection | | tag=ids tag=attack | Can be accelerated | "Network - All IDS Attacks - Base"
JVM | | | Can be accelerated | "Network - All IDS Attacks - Base"
Malware | | tag=malware tag=attack | Can be accelerated | "Endpoint - All Malware - Base"
Network Sessions | | | Can be accelerated |
Network Traffic | | | Can be accelerated | "Network - All Communication - Base"
Performance | | N/A | |
Splunk Audit Logs | | index=_internal sourcetype=splunk_web_access method=GET status=200 | Can be accelerated |
Threat Lists | | auto extracted | N/A | `threatlists`
Updates | | tag=update tag=status | Can be accelerated | "Endpoint - System Update Tracker - TSIDX Gen"
Vulnerabilities | | tag=vulnerability tag=report | Can be accelerated |
Web | | tag=web | Can be accelerated |


Specialized data models

In addition to the data models available as part of the Common Information Model add-on, these data models are included with the Splunk App for Enterprise Security.

Domain Analysis

The Domain Analysis data model is available as part of the SA-NetworkProtection add-on, included with the Splunk App for Enterprise Security. The root search of the Domain Analysis data model is constrained to index=whois sourcetype=Whois:*.

The fields and tags in the Domain Analysis data model describe the domain information in your deployment.

Tags used with the Domain Analysis data model

Object name(s) | Tag name or constraint | Required?
--- | --- | ---
All_Domains | index=whois sourcetype=Whois:* | YES

Fields for the Domain Analysis data model and event category

Object name(s) | Field name | Data type | Description | Expected values
--- | --- | --- | --- | ---
All_Domains | domain | string | Name of the domain |
All_Domains | nameservers | string | Name of the server associated with this domain |
All_Domains | registrant | string | |
All_Domains | registrar | string | |
All_Domains | resolved_domain | string | Resolved domain name |

Incident Management

The Incident Management data model is available as part of the SA-ThreatIntelligence add-on, included with the Splunk App for Enterprise Security. This data model reads from index=notable.

The fields in the Incident Management event category describe events gathered by network monitoring devices and apps.

Tags used with the Incident Management event category

Object name(s) | Tag name or constraint | Required?
--- | --- | ---
Notable_Events (Metadata only) | index=notable | YES

Fields for the Incident Management data model

Object name(s) | Field name | Data type | Description | Possible values
--- | --- | --- | --- | ---
Notable_Events_Meta | tag | string | |
Notable_Events_Meta | rule_id | string | |
Notable_Events_Meta | decoration | string | |
Correlation_Searches | control | string | |
Correlation_Searches | default_owner | string | |
Correlation_Searches | default_status | string | |
Correlation_Searches | description | string | |
Correlation_Searches | governance | string | |
Correlation_Searches | rule_name | string | |
Correlation_Searches | saved_search | string | |
Correlation_Searches | security_domain | string | |
Correlation_Searches | severity | string | |
Incident Review | comment | string | |
Incident Review | owner | string | |
Incident Review | reviewer | string | |
Incident Review | rule_id | string | |
Incident Review | security_domain | string | |
Incident Review | status_group | string | |
Incident Review | status_label | string | |
Incident Review | tag | string | |
Incident Review | urgency | string | |
Notable_Events | dest | string | |
Notable_Events | owner | string | |
Notable_Events | owner_realname | string | |
Notable_Events | rule_name | string | |
Notable_Events | security_domain | string | |
Notable_Events | source | string | |
Notable_Events | src | string | |
Notable_Events | status_label | string | |
Notable_Events | status_group | string | |
Notable_Events | tag | string | |
Notable_Events | urgency | string | |
Notable_Owners | owner | string | |
Notable_Owners | owner_realname | string | |
Review_Statuses | default | boolean | |
Review_Statuses | end | boolean | |
Review_Statuses | hidden | boolean | |
Review_Statuses | status | string | |
Review_Statuses | status_description | string | |
Review_Statuses | status_label | string | |
Security_Domains | is_enabled | boolean | |
Security_Domains | is_expected | boolean | |
Security_Domains | is_ignored | boolean | |
Security_Domains | security_domain_label | string | |
Suppression_Audit | action | string | |
Suppression_Audit | signature | string | |
Suppression_Audit | status | string | |
Suppression_Audit | suppression | string | |
Suppression_Audit | user | string | |
Suppression_Audit_Expired | suppression | string | |
Suppression_Eventtypes | description | string | |
Suppression_Eventtypes | disabled | boolean | |
Suppression_Eventtypes | end_time | timestamp | |
Suppression_Eventtypes | search | string | |
Suppression_Eventtypes | suppression | string | |
Suppression_Eventtypes | start_time | timestamp | |
Suppressed_Notable_Events | dest | string | |
Suppressed_Notable_Events | rule_name | string | |
Suppressed_Notable_Events | security_domain | string | |
Suppressed_Notable_Events | signature | string | |
Suppressed_Notable_Events | source | string | |
Suppressed_Notable_Events | suppression | string | |
Suppressed_Notable_Events | tag | string | |
Suppressed_Notable_Events | urgency | string | |
Urgencies | priority | string | |
Urgencies | severity | string | |
Urgencies | urgency | string | |

Threat Lists

The Threat Lists data model is available as part of the SA-ThreatIntelligence add-on, included with the Splunk App for Enterprise Security.

The fields and tags in the Threat Lists data model describe potential threats both inside and outside of your deployment.

See the Common Information Model Add-on Manual for more about data models.

Tags used with the Threat Lists data model

Object name(s) | Tag name or constraint | Required?
--- | --- | ---
All_Threat_Lists | `threatlists` | YES

Fields for the Threat Lists data model and event category

Object name(s) | Field name | Data type | Description | Expected values
--- | --- | --- | --- | ---
All_Threat_Lists | category | string | Category of the threat | proxy, spyware, network, malicious
All_Threat_Lists | description | string | Description of the threat: source, how it was detected, etc. |
All_Threat_Lists | ip_count | string | Count of ip values associated with a specific threat | 512, 32, 16, 256
All_Threat_Lists | ip | string | IP address associated with the threat | 99.250.24.32
All_Threat_Lists | name | string | Name of the lookup that detected the threat | sans, iblocklist_tor
All_Threat_Lists | subnet | int | Subnet on which the threat was detected | 23, 32, 24, 27

Assets And Identities

The fields in the Assets And Identities data model, and in the Asset and Identity event categories, describe both the asset inventory and the individual account holders that should be made available across multiple Splunk application contexts.

Note: Any field in the All_Assets event category can optionally be prepended with dest_, dvc_, host_, orig_host_, or src_ for enrichment purposes. These fields are not required, but apps often use them alongside dest, dvc, host, orig_host, or src when they are available.

Tags are not applicable to the Assets And Identities data model and event categories.

Fields for the Assets And Identities data model and event categories

Object name(s) | Field name | Data type | Description | Expected values
--- | --- | --- | --- | ---
All_Assets | asset_id | string | An identifier for the asset, such as an asset tag or serial number. |
All_Assets | city | string | The city where the asset is located, such as San Francisco. |
All_Assets | bunit | string | The business unit of the asset, such as Marketing. |
All_Assets | category | MV string | The category of the asset, such as email_server or SOX-compliant. |
All_Assets | country | string | The country where the asset is located, such as USA. |
All_Assets | dns | MV string | A fully qualified domain name (FQDN) associated with the asset, such as server42.splunk.com. |
All_Assets | ip | MV string | An IP address (either v4 or v6) associated with the asset, such as 192.168.4.2. Note: Remove zero-padding from this field. |
All_Assets | is_expected | boolean | A flag indicating whether the asset is expected to continually send data to Splunk. Note: Some apps may alert if is_expected is set to Y for an asset that is not sending data. | true, false
All_Assets | lat | string | The latitude of an asset's location. |
All_Assets | location | string | The physical location of an asset. |
All_Assets | long | string | The longitude of an asset's location. |
All_Assets | mac | MV string | A MAC address associated with the asset, such as 06:10:9f:eb:8f:14. Note: Always force lower case on this field. Note: Always use colons instead of dashes, spaces, or no separator. |
All_Assets | nt_host | string | The cross-platform short name or NetBIOS name of the asset, such as server42. Note: Always force lower case on this field. |
All_Assets | owner | MV string | The owner of the asset, such as jdoe. |
All_Assets | priority | string | The priority of the asset. | critical, high, medium, low, informational, unknown
All_Assets | requires_av | boolean | Flag that indicates whether the asset is expected to use a local antivirus or endpoint protection tool. Note that some apps may alert if requires_av is set to true for an asset that is not running an antivirus service and/or does not have event types properly configured for that service. | true, false
All_Assets | should_timesync | boolean | Flag that indicates whether the asset is expected to maintain time synchronization. Note that some apps may alert if should_timesync is set to true for an asset that is not running a time synchronization service and/or does not have event types properly configured for that service. | true, false
All_Assets | should_update | boolean | Flag that indicates whether the asset is expected to regularly apply patches. Note that some apps may alert if should_update is set to true for an asset that is not running a patching service and/or does not have event types properly configured for that service. | true, false
All_Identities | bunit | string | The business unit of the identity, such as Sales. |
All_Identities | category | MV string | The category of the identity, such as sales or customer_facing. |
All_Identities | city | string | The city where the identity is based, such as San Francisco. |
All_Identities | country | string | The country where the identity is based, such as USA. |
All_Identities | email | MV string | The email address (or addresses) associated with the identity. Note that this is a multivalue field. |
All_Identities | end_date | timestamp | The end date of the identity; leave blank if not applicable. Note that the presence of an end_date in the past may cause some apps to create alerts from events involving this identity. |
All_Identities | first | string | A first name for the identity, such as Jane. |
All_Identities | identity | MV string | Account names and numbers associated with the identity. Note that this is a multivalue field. |
All_Identities | last | string | A last name for the identity, such as Doe. |
All_Identities | lat | string | The latitude of the identity's base location. |
All_Identities | location | string | The base location for the identity, such as an office name. |
All_Identities | long | string | The longitude of the identity's base location. |
All_Identities | managed_by | MV string | The manager(s) of the identity, such as jdoe. Note that this is a multivalue field and should use account names or numbers from the identity field. |
All_Identities | nick | string | A nickname for the identity, such as Moerex. |
All_Identities | phone | MV string | A phone number (or set of phone numbers) for the identity. Note that this is a multivalue field. |
All_Identities | phone2 | MV string | A phone number (or set of phone numbers) for the identity. Note that this is a multivalue field. |
All_Identities | prefix | string | A prefix for the identity, such as Mr. |
All_Identities | priority | string | The priority of the identity. | critical, high, medium, low, informational, unknown
All_Identities | start_date | timestamp | The start date of the identity. |
All_Identities | suffix | string | A suffix for the identity, such as Jr. |
All_Identities | watchlist | boolean | Flag if the identity is on a watchlist. Note that some apps may create alerts for events that involve this identity if this flag is set. | true, false
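The All_Assets notes above impose normalization rules (no zero-padding in ip, lower-case colon-separated mac, lower-case nt_host, true/false flags, a fixed priority vocabulary) that a malformed assets lookup silently violates. The following added example, which is not part of this manual or of Enterprise Security, checks and normalizes one lookup row against those rules; the sample row and the '|' multivalue delimiter are assumptions for illustration.

```python
import ipaddress
import re

# Priority vocabulary and boolean flag fields from the All_Assets table above.
PRIORITIES = {"critical", "high", "medium", "low", "informational", "unknown"}
BOOL_FIELDS = ("is_expected", "requires_av", "should_timesync", "should_update")


def normalize_mac(raw):
    """Force lower case and colon separators, as the mac field note requires."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()  # drop '-', ' ', ':' or nothing
    if len(digits) != 12:
        raise ValueError("MAC %r does not contain 12 hex digits" % raw)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def normalize_ip(raw):
    """Remove zero-padding from IPv4 octets; IPv6 is canonicalised by ipaddress."""
    addr = raw.strip()
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", addr):
        addr = ".".join(str(int(octet)) for octet in addr.split("."))
    return str(ipaddress.ip_address(addr))  # raises ValueError on garbage


def normalize_asset(asset):
    """Return (normalized_row, issues) for one assets lookup row of str values.
    Multivalue fields (ip, mac, dns, category, owner) are assumed '|'-delimited."""
    out, issues = dict(asset), []
    if asset.get("mac"):
        out["mac"] = "|".join(normalize_mac(m) for m in asset["mac"].split("|") if m)
    if asset.get("ip"):
        out["ip"] = "|".join(normalize_ip(i) for i in asset["ip"].split("|") if i)
    if asset.get("nt_host"):
        out["nt_host"] = asset["nt_host"].lower()
    for field in BOOL_FIELDS:
        value = asset.get(field, "").strip().lower()
        if value and value not in ("true", "false"):
            issues.append("%s must be true or false, got %r" % (field, asset[field]))
        out[field] = value
    priority = asset.get("priority", "").strip().lower()
    if priority not in PRIORITIES:
        issues.append("priority %r is not one of %s" % (asset.get("priority"), sorted(PRIORITIES)))
    out["priority"] = priority
    return out, issues


# Constructed sample row (not from the manual) that breaks several of the rules.
SAMPLE_ASSET = {"asset_id": "A-0042", "ip": "192.168.004.002", "mac": "06-10-9F-EB-8F-14",
                "nt_host": "SERVER42", "priority": "High", "is_expected": "Y",
                "requires_av": "true", "category": "email_server|SOX-compliant"}
```

Run normalize_asset over every row of the lookup before it is loaded; a non-empty issues list is a row that will not match events the way the data model expects.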
Last modified on 12 June, 2014

This documentation applies to the following versions of Splunk® Enterprise Security: 3.0, 3.0.1

