Splunk® User Behavior Analytics

Get Data into Splunk User Behavior Analytics

Acrobat logo Download manual as PDF

Acrobat logo Download topic as PDF

Splunk UBA category to Splunk CIM field mapping reference

When adding CIM-compliant data to Splunk UBA, the field names from the data source must match the field names expected by Splunk UBA. Mapping the data source field names to the field names expected by Splunk UBA happens automatically when possible, but is not always possible. In those cases, you can use these tables to map the fields in Splunk UBA. See Use connectors to add data from the Splunk platform to Splunk UBA.

Do not make changes to the tags, eventtypes, or data in the Splunk platform.

Splunk UBA categories and corresponding CIM data models

Splunk UBA categories rely on the tags from CIM-compliant events to correctly parse data from the Splunk platform. Review this table to determine which category in Splunk UBA corresponds to the CIM data model that the events in the Splunk platform are mapped to. Click the name of the Splunk UBA category to review the field mappings between Splunk UBA and the CIM data models.

The tags in the table have an implied AND and are evaluated as follows:

  • Categories that require a single tag such as Authentication will evaluate based on that tag. For example, authentication events must have tag=authentication to be parsed by Splunk UBA. Splunk UBA generates error messages when the percentage of valid events drops below a specific threshold.
  • Categories with multiple tags such as DHCP have an implied AND among the tags, and are evaluated using a combination of all tags. For example, DHCP events must have all three of tag=network, tag=session, tag=dhcp to be parsed by Splunk UBA. Splunk UBA generates error messages when the combined percentage of valid events falls below a specific threshold.
Splunk UBA category Tags required by Splunk UBA CIM data model Example data source types
Authentication tag=authentication Authentication Source type for the Splunk Add-on for Cisco ISE
Badge tag=badge N/A Brivo TA
Cloud Storage tag=cloud N/A Splunk Add-on for Box
Database tag=database Databases Splunk Add-on for Oracle Database
DHCP tag=network
tag=session
tag=dhcp
The DHCP dataset of the Network Sessions data model Source types for the Splunk Add-on for Infoblox
DNS tag=network
tag=resolution
tag=dns
Network Resolution (DNS) Source types for ISC BIND
DLP tag=dlp
tag=incident
tag=email
(tag=email is needed only for email DLP events)
Data Loss Prevention Source types for the Splunk Add-on for Symantec DLP
Email tag=email Email Overview of TA-Exchange-Mailbox included with the Splunk Add-ons for Microsoft Exchange
Endpoint See Endpoint category for specific combinations. Endpoint Source types for the Splunk Add-on for Bit9 Carbon Black
External Alarm tag=attack Intrusion Detection Palo Alto Networks Add-on for Splunk
Firewall tag=network
tag=communicate
Network Traffic Palo Alto Networks Add-on for Splunk
Host AV tag=malware
tag=attack
tag=operations
The Malware_Operations dataset and the Malware_Attacks dataset of the Malware data model Source types for the Splunk Add-on for Symantec Endpoint Protection
IDS/IPS tag=ids
tag=attack
Intrusion Detection Source types for the Splunk Add-on for Bit9 Carbon Black
Source types for the Splunk Add-on for Cisco FireSIGHT
Printer tag=printer N/A View printer information in Splunk Add-on for Microsoft Windows.
VPN See VPN category for specific combinations. The VPN dataset of the Network Sessions data model Source types for the Splunk Add-on for Juniper
Web Proxy tag=web
tag=proxy
The Proxy dataset of the Web data model Source types for the Splunk Add-on for Squid Proxy

Authentication category

The Authentication category for Splunk UBA maps to the Authentication data model.

Every category requires a tag field. All CIM-compliant data contains at least one tag field that indicates the data model mapping.

Splunk CIM field name Required Field description Example values
action Y The action performed on the resource. success, failure, unknown, added
app N The application involved in the event. ssh, splunk, win:local
dest_ip Y The destination IP address involved in the authentication. 192.168.10.11
dest_host N The host name of the destination involved in the authentication. winhost1
duration N The amount of time in seconds that it took to complete the authentication event. 2
src_ip Y The source IP address involved in the authentication. 192.168.10.12
src_host N The host name of the source involved in the authentication. winhost2
src_user N In privilege escalation events, src_user represents the user who initiated the privilege escalation. This field is unnecessary when an escalation is not performed. user1
user Y The name of the user for whom the authentication is being performed. user2
protocol Y The protocol used for the authentication. TACACS
eventtype Y The type of the event. acs_authentication_success
Any custom field name, such as authType or loginType N The authentication login type. The default is Network. If specified, the value must be one of the categories in Filter the anomaly table. Exfiltration

Badge category

Every category requires a tag field. All CIM-compliant data contains at least one tag field that indicates the data model mapping.

Splunk CIM field name Required Field description Example values
vendor N The vendor of the badge access solution. brivo
category Y The category of the badge access event. Failed Access
user Y The user involved in this badge access event. cronaldo
site_name Y The location of the building. 123 Main Street
object_type N The type of device used in the badge access event. ACCESS_POINT
object_name N The location in the building where the badge access was requested. Mail Room
failure_reason N The reason for the failed operation. Unauthorized Access Attempt

Cloud Storage category

Every category requires a tag field. All CIM-compliant data contains at least one tag field that indicates the data model mapping.

Splunk CIM field name Required Field description Example values
file_size N The size in bytes of the resource associated to this event. 10280
object Y The name of the file. this_picture.png
object_type Y The type of the file. File, Folder, Document, Image, etc.
file_hash Y The unique identifier of the resource. This should be assigned by the product, such as Box, Sharepoint, or Google Drive. 17283982137
object_path Y The absolute or relative location of the resource. /bpatinho/photos
parent_category N The type of the parent resource. Folder, Link, etc.
parent_hash Y The unique identifier of the parent resource. This should be assigned by the product, such as Box, Sharepoint, or Google Drive. 9864239674
src_user Y The user creating this event. user1
change_type Y The type of access. Download, Preview, Delete, Create, Edit.
app Y The application that is generating this event. Box, Office365, Google Drive.
dest_user N The user targeted by this action. Usually this is linked to permission changes made by another user, such as when an admin change the privileges of a user in a file. cronaldo

Data Loss Prevention category

The Data Loss Prevention (DLP) category for Splunk UBA maps to the Data Loss Prevention data model.

Every category requires a tag field. All CIM-compliant data contains at least one tag field that indicates the data model mapping.

Splunk CIM field name Required Field description Example values
severity Y The severity of the network protection event. informational, unknown, low, medium, high, critical
action Y The action taken by the DLP device. allowed, blocked
app N The application involved in the event. Symantec DLP
src_ip N The source of the network traffic (the client requesting the connection). 10.10.10.12
src_host N The host name of the source. winhost1
dest_ip N The IP address of the destination. 2.2.2.2
dest_host N The host name of the destination. winhost2
user_department N The department of the user involved in the activity reported by DLP. Finance
category Y The category of the DLP event. malware, keylogger, ad-supported program
recipient N The individual email addresses of the message recipients. a@b.com,c@b.com
sender N The email address of the message sender. d@b.com
subject N The subject of the email message. Important Message, Open Now!
policy N The policy that triggered the DLP alarm. Social Security Number
signature Y The type of the event. HTTP Incident
dlp_status N The DLP incident status. Working
prevention_status N The DLP incident prevention status. 9, Blocked
event_type_id N The event type ID. 13
vendor N The USB vendor. FUJITSU
serial_number N The serial number of USB device. 1234567890
device_id N The ID of the USB device. 987654
src_user N The source user involved in the activity reported by DLP. cronaldo
dest_user N The destination user involved in the activity reported by DLP. cronaldo
src_file N The name of the source file involved. creditcards.xls
src_path N The path of the source file involved. c:\documents
dest_file N The name of the destination file involved. creditcards.xls
dest_path N The path of the destination file involved. c:\documents
file_size N The size in bytes of the file transferred 10000
restricted N Is it a sensitive or restricted file? no,yes
match_count N The number of unique matches of the DLP signature. 1,10,1040

Database category

The Database category for Splunk UBA maps to the Databases data model.

Every category requires a tag field. All CIM-compliant data contains at least one tag field that indicates the data model mapping.

Splunk CIM field name Required Field description Example values
dest_ip N The IP address of the destination. 2.2.2.2
dest_host N The host name of the destination. winhost2
command_name N The SQL query command. select, locktable, insert, delete
query N The full database query. select * from my_table
action_name N The action performed by the user. LOGON, LOGOFF, CREATE FUNCTION
instance_name Y The name of the database instance. myinstance
object N The name of the database object. view1, index1
tablespace_name N The name of the tablespace. my table space
commits N The number of commits per second performed by the user associated with the session. 5
cpu_used N The number of CPU centiseconds used by the session. Divide this value by 100 to get the CPU seconds. 1
elapsed_time N The total amount of time in seconds that elapsed since the user started the session by logging into the database server. 10
records_affected N The number of records affected by the database query. 1
tables_hit N The names of the tables hit by the query. table1, table2
vendor N The vendor and product name of the database system. This field can be automatically populated by vendor and product fields in your data. oracle
user Y The name of the database process user. cronaldo
eventtype Y The type of event. oracle_auth, oracle_session
duration N The duration in seconds of the database connection. 241
src_ip N The IP address of the source server of the database event. 10.10.10.12
src_host N The domain name of the source server of the database event. winhost1

DHCP category

The DHCP category for Splunk UBA maps to the DHCP dataset of the Network Sessions data model.

Every category requires a tag field. All CIM-compliant data contains at least one tag field that indicates the data model mapping.

Splunk CIM field name Required Field description Example values
lease_duration Y The duration in seconds of the Dynamic Host Configuration Protocol (DHCP) lease. 2000
dest_ip Y The assigned IP address. 192.168.1.12
dest_nt_host N The host name of the machine to which the IP address is being assigned. winhost1
dest_mac Y The MAC address of the machine to which the IP address is being assigned. ad:7b:3d:db:49:8b
signature Y An indication of the type of network session event. DHCPACK, DHCPOFFER, DHCPREQUEST, DHCPINFORM, DHCPDISCOVER , DHCPNAK, DHCPDECLINE, DHCPRELEASE

DNS category

The DNS category for Splunk UBA maps to the Network Resolution (DNS) data model.

Every category requires a tag field. All CIM-compliant data contains at least one tag field that indicates the data model mapping.

Splunk CIM field name Required Field description Example values
src_ip Y The source IP address of the network resolution event. 192.168.1.11
src_port N The source port of the network resolution event. 3022
dest_ip N The destination IP address of the network resolution event. 192.168.1.14
query Y The domain that needs to be resolved. www.google.com
answer Y The resolved address for the query. 12.13.14.15
query_type Y The field may contain DNS OpCodes or Resource Record Type codes. Query, IQuery, Status, Notify, Update, unknown, A, MX, NS, PTR
duration N The amount of time in seconds taken by the network resolution event. 1
ttl N The time-to-live of the network resolution event. 2000
record_type N The DNS resource record type. A, DNAME, MX, NS, PTR
message_type Y The type of DNS message. Query, Response

Email category

The Email category for Splunk UBA maps to the Email data model.

Every category requires a tag field. All CIM-compliant data contains at least one tag field that indicates the data model mapping.

Splunk CIM field name Required Field description Example values
direction Y The email direction, based on the sender.
  • If the sender is an internal employee, then the email is considered outbound.
  • If the sender is not an internal employee, then the email is considered inbound.
inbound, outbound
action N The action taken by the reporting device. delivered, blocked, quarantined, deleted, unknown
file_size N The size of the files attached the message, if any. 10280
file_name N The names of the files attached to the message, if any. example.txt
recipient Y A field listing individual recipient email addresses. abc@example.com, bcd@example.com
sender Y The email address of the email sender. sender@example.com
subject Y The subject of the email message. Important Message, Open Now!
eventtype Y The type of the event. stream_email(email)
src_ip N The source IP address of the system that sent the message. 11.12.13.14
src_user N The source user involved in the email exchange. cronaldo

Endpoint category

The Endpoint category for Splunk UBA maps to the Endpoint data model.

Every category requires a tag field. All CIM-compliant data contains at least one tag field that indicates the data model mapping. Splunk UBA requires the following tag combinations to process endpoint category events:

  • To properly parse port data, Splunk UBA requires tag=listening, tag=port.
  • To properly parse process data, Splunk UBA requires tag=process, tag=report.
  • To properly parse service data, Splunk UBA requires tag=service, tag=report.
  • To properly parse filesystem data, Splunk UBA requires tag=endpoint, tag=filesystem.
  • To properly parse registry data, Splunk UBA requires tag=endpoint, tag=registry.

The Endpoint category contains multiple datasets. Some fields have the same names across multiple datasets.

  • The status field exists in the Registry and Service datasets.
  • The user field exists in the Ports, Processes, Services, Registry, and Filesystem datasets.
  • The action field exists in the Endpoint category as well as the Ports dataset of the Endpoint category.
Splunk CIM field name Required Field description Example values
endpoint_ip, dest_ip N IP address of the endpoint where the activity happened. 1.1.1.1
endpoint_dns, dest_host N The host name of the endpoint. winhost1
endpoint_nt_domain, dest_nt_domain N The NT domain of the endpoint, if applicable. acme
endpoint_port N Network port listening on the endpoint. 53
eventtype Y The type of the event. symantec_ep_risk_alert_virus, A service was installed in the system
event_id N The event ID or code for the activity. 7045
category N The event category, if applicable. malware, watchlist.hit.ingress.process
signature N The sub-category or signature of the event, if applicable. process_blocking
Any custom field name, such as alarmCategory or endpointCategory. N The categories that this external alarm belongs to. Multiple categories can be separated by comma. The values must be one or more of the categories in Filter the anomaly table. Exfiltration
severity N The severity of the endpoint event. informational, unknown, low, medium, high, critical
action Y The action taken by the endpoint. allowed, blocked
src_ip N The IP address of the "remote" system connected to the listening port (if applicable). 2.2.2.2
src_port N The "remote" port connected to the listening port (if applicable). 53
src_host, src_dns N The hostname of the "remote" system connected to the listening port (if applicable) acmehost1
Ports dataset
creation_time N The epoch time at which the network port started listening on the endpoint. 1547749588
dest_port N The network port listening on the endpoint. 53
process_id N The numeric identifier of the process assigned by the operating system. 12345
state N The status of the listening port. established, listening
transport N The network transport protocol associated with the listening port. tcp, udp
user N The user account that spawned the process. cronaldo
vendor_product N The vendor and product name of the Endpoint solution that reported the event. Carbon Black Cb Response
action N The action performed on the resource. acl_modified, created, deleted, modified, read
cpu_load_percent N CPU load consumed by the process (in percent) 85
mem_used N Memory in bytes used by the process. 12345
os N The operating system of the resource. Microsoft Windows Server 2008r2
Processes dataset
parent_process_path N The full command string of the parent process. C:\\WINDOWS\\system32\\cmd.exe \/c \"\"C:\\Program Files\\SplunkUniversalForwarder\\etc\\system\\bin\\powershell.cmd\" --scheme
parent_process_exec N The executable name of the parent process. notepad.exe
parent_process_guid N The globally unique identifier of the parent process assigned by the vendor_product. 0dd879c-ee2f-11db-8314-0800200c9a66
parent_process_id N The numeric identifier of the parent process assigned by the operating system. 12345
parent_process_name N The friendly name of the parent process. notepad.exe
process_id N The numeric identifier of the process assigned by the operating system. 12345
process N The full command string of the spawned process. C:\\WINDOWS\\system32\\cmd.exe \/c \"\"C:\\Program Files\\SplunkUniversalForwarder\\etc\\system\\bin\\powershell.cmd\" --scheme
process_current_directory N The current working directory used to spawn the process. /usr/bin/
process_exec N The executable name of the process. notepad.exe
process_guid. N The globally unique identifier of the process assigned by the vendor_product. example_guid, example_id
process_hash N The digests of the parent process. <md5>, <sha1>
process_integrity_level N The Windows integrity level of the process. System, Medium
process_path N The file path of the process. C:\Windows\System32\notepad.exe
user N The unique identifier of the user account which spawned the process. example_user
Services dataset
description N The description of the service. Example description
service_dll N The dynamic link library associated with the service. Svc.exe
service_dll_hash N The digests of the dynamic link library associated with the service. <md5>, <sha1>
service_dll_path N The file path to the dynamic link library associated with the service. C:\Windows\System32\comdlg32.dll
service_dll_signature_exists N Whether or not the dynamic link library associated with the service has a digitally signed signature. true
service_dll_signature_verified N Whether or not the dynamic link library associated with the service has had its digitally signed signature verified. true
service_exec N The executable name of the service. svchost.exe
service_hash N The digests of the service. <md5>, <sha1>
service_id N The unique identifier of the service assigned by the operating system. 12345
service_name N The friendly service name. example_name
service_path N The file path of the service. C:\WINDOWS\system32\svchost.exe
start_mode N The start mode for the service. example_mode
status N The status of the service or registry. critical, started, stopped, warning, failure, success
user N The user account associated with the service or the filesystem access, or the registry access. cronaldo
Filesystem dataset
file_access_time N The epoch time that the file (the object of the event) was accessed. 1547749588
file_create_time N The epoch time that the file (the object of the event) was created. 1547749588
file_modify_time N The epoch time that the file (the object of the event) was altered. 1547749588
file_acl N Access controls associated with the file affected by the event. readonly
file_name N The name of the file. notepad.exe
file_path N The path of the file. C:\Windows\System32\notepad.exe
file_size N The size in kilobytes of the file that is the object of the event. 5346
user N The user account associated with the service or the filesystem access, or the registry access. cronaldo
Registry dataset
registry_hive N The logical grouping of registry keys, subkeys, and values. HKEY_CURRENT_CONFIG, HKEY_CURRENT_USER
registry_key_name N The name of the registry key. PrinterDriverData
registry_path N The path to the registry value. \win\directory\directory2\{676235CD-B656-42D5-B737-49856E97D072}\PrinterDriverData
registry_value_data N The unaltered registry value. example_value
registry_value_name N The name of the registry value. example_name
registry_value_text N The textual representation of registry_value_data (if applicable). example_text
registry_value_type N The type of the registry value. REG_BINARY, REG_DWORD, REG_DWORD_LITTLE_ENDIAN, REG_DWORD_BIG_ENDIAN, REG_EXPAND_SZ, REG_LINK, REG_MULTI_SZ, REG_NONE, REG_QWORD, REG_QWORD_LITTLE_ENDIAN, REG_SZ
status N The status of the service or registry. failure, success
user N The user account associated with the service or the filesystem access, or the registry access. cronaldo

External Alarm category

The External Alarm category for Splunk UBA maps to the Intrusion Detection data model.

Every category requires a tag field. All CIM-compliant data contains at least one tag field that indicates the data model mapping.

Splunk CIM field name Required Field description Example values
Any custom field name, such as alarmCategory or alarmType Y The categories that this external alarm belongs to. Multiple categories can be separated by comma. The values must be one or more of the categories in Filter the anomaly table. Exfiltration
category N The category of the event, if applicable. malware, watchlist.hit.ingress.process
severity N The severity of the external alarm. informational, unknown, low, medium, high, critical
action N The action taken by the external device. allowed, blocked, deferred
app N The application involved in the event. ssl
src_ip N The source of the network traffic, such as the client requesting the connection. 10.10.10.12
src_host N The host name of the source. winhost1
src_zone N The source zone. contractor
dest_ip N The IP address of the destination. 2.2.2.2
dest_host N The host name of the destination. winhost2
dest_zone N The destination zone. PCI
user N The user involved in the activity reported. cronaldo
url N The URL accessed in the request. http://subdomain.acme.com/index.html
signature or eventtype Y The type of the event. URL Filtering

Firewall category

The Firewall category for Splunk UBA maps to the Network Traffic data model and the additional firewall tag.

Every category requires a tag field. All CIM-compliant data contains at least one tag field that indicates the data model mapping.

Splunk CIM field name Required Field description Example values
action Y The action taken by the firewall. allowed, blocked
app N The application protocol of the traffic. SSL
bytes_in Y The number of inbound bytes transferred. 1028
packets_in N The number of inbound packets transferred. 5
bytes_out Y The number of outbound bytes transferred. 140
packets_out N The number of outbound packets transferred. 6
bytes N The total number of bytes transferred (bytes_in + bytes_out). 1168
protocol Y The OSI layer 3 (network) protocol of the traffic observed, in lowercase. ip, appletalk, ipx
src_ip Y The source of the network traffic, such as the client requesting the connection. 10.10.10.12
src_host N The host name of the source. winhost1
src_port N The port number of the source. 12345
src_zone N The source zone. contractor
src_translated_ip N The NATed IPv4 or IPv6 address from which a packet is sent. 192.168.1.11
dest_ip Y The IP address of the destination. 2.2.2.2
dest_host N The host name of the destination. winhost2
dest_port N The port number of the destination. 1234
dest_zone N The destination zone. PCI
dest_translated_ip N The NATed IPv4 or IPv6 address to which a packet is sent. 192.168.1.12
user N The user who requested the traffic flow. cronaldo
url N The URL accessed in the request. http://subdomain.acme.com/index.html
duration N The amount of time in seconds for the completion of the network event. 241
vendor_action Y The type of the event. Teardown TCP, Built inbound connection

Host Antivirus category

The Host Antivirus (AV) category for Splunk UBA maps to the Malware_Operations dataset and the Malware_Attacks dataset of the Malware data model. Host AV refers to endpoint antivirus products.

Every category requires a tag field. All CIM-compliant data contains at least one tag field that indicates the data model mapping.

Splunk CIM field name Required Field description Example values
Any custom field name, such as alarmCategory or avCategory. Y The categories that this external alarm belongs to. Multiple categories can be separated by comma. The values must be one or more of the categories in Filter the anomaly table. Exfiltration
category N The category of the event, if applicable. malware, watchlist.hit.ingress.process
signature Y The subcategory or signature of the event, if applicable. process_blocking
severity N The severity of the network protection event. informational, unknown, low, medium, high, critical
action Y The action taken by the AV. allowed, blocked
dest_ip Y The IP address of the system that was affected by the malware event. 2.2.2.2
dest_host N The host name of the system that was affected by the malware event. winhost2
dest_nt_domain N The NT domain of the destination, if applicable. acme
duration N The amount of time in seconds for the completion of the activity reported by AV. 241
user N The user involved in the activity reported by AV. cronaldo
url N A URL containing more information about the vulnerability. http://www.mydomain.com/a.html
file_name N Name of the file involved. creditcards.xls
file_path N The path of the file involved. c:\documents
eventtype Y The type of the event. symantec_ep_risk_alert_virus

Intrusion Detection System and Intrusion Prevention System category

The Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) category for Splunk UBA maps to the Intrusion Detection data model.

Every category requires a tag field. All CIM-compliant data contains at least one tag field that indicates the data model mapping.

Splunk CIM field name Required Field description Example values
Any custom field name, such as alarmCategory or idsCategory Y The categories that this external alarm belongs to. Multiple categories can be separated by comma. The values must be one or more of the categories in Filter the anomaly table. Exfiltration
category N The category of the event, if applicable. malware, watchlist.hit.ingress.process
signature Y The sub-category or signature of the event, if applicable. process_blocking
severity Y The severity of the network protection event. informational, unknown, low, medium, high, critical
action Y The action taken by the IDS. allowed, blocked
bytes_in N The number of inbound bytes transferred. 1028
bytes_out N The number of outbound bytes transferred. 140
bytes N The total number of bytes transferred (bytes_in + bytes_out). 1168
src_ip Y The source of the network traffic (the client requesting the connection). 10.10.10.12
src_host N The host name of the source. winhost1
src_port N The port number of the source. 12345
dest_ip Y The IP address of the destination. 2.2.2.2
dest_host N The host name of the destination. winhost2
dest_port N The port number of the destination. 1234
duration N The amount of time in seconds for the completion of the activity reported by IDS. 241
user N The user involved in the activity reported by IDS. cronaldo
ids_type N The type of IDS that generated the event. network, host, application
eventtype Y The type of the event. cisco_ips_vulnerable

Printer category

Every category requires a tag field. All CIM-compliant data contains at least one tag field that indicates the data model mapping.

Splunk CIM field name Required Field description Example values
file_name Y The name of the file that was printed. LIN111757BPAM08-04Laboratory17-10-15-12104.pdf
user Y The user involved in the activity reported. cronaldo
printer N The printer identifier. acmeprinter1
driver_process N The name of the driver. HP LaserJet M3035 mfp PCL6
type N The type or log. PrintJob
operation N The printer operation. add
file_size N The size of the file being printed. 10280
job_id N The print ID of the job. 35
data_type N The data type of the file that was printed. NT EMF 1.008
print_processor N The print processor. hpzppwn7
parameters N The print parameters.
status N The status of print job. printing
priority N The priority of the print job. 1
total_pages N The total number of pages printed. 10
page_printed N The page that was printed. 7
submitted_time N The time that the print job was submitted. The format must be either MM/dd/yyyy HH:mm:ss.SSS or MM/dd/yyyy. 05/22/2019 13:10:44:001
src_ip N The IP address of the device that submitted the printer job. 10.11.12.13
src_host N The host name of the device that submitted the printer job. acmehost1
signature Y The type of the event. Microsoft-Windows-PrintService:812

VPN category

The VPN category for Splunk UBA maps to the VPN dataset of the Network Sessions data model, and to the Network Traffic data model.

Every category requires a tag field. All CIM-compliant data contains at least one tag field that indicates the data model mapping. Splunk UBA requires the following tag combinations to process VPN category events:

  • To properly parse when VPN connections are initiated, Splunk UBA requires tag=network, tag=session, tag=vpn, tag=start.
  • To properly parse traffic flow in a VPN connection, Splunk UBA requires tag=network, tag=session, tag=vpn.
  • To properly parse when VPN connections are terminated, Splunk UBA requires tag=network, tag=session, tag=vpn, tag=end.
Splunk CIM field name Required Field description Example values
bytes_in N The number of bytes received by the device corresponding to the src_ip (downloads). 1028
bytes_out N The number of bytes sent out by the device corresponding to the src_ip (uploads). 140
bytes N The total number of bytes transferred by the device corresponding to the src_ip (bytes_in + bytes_out). 1168
duration N The duration in seconds of the VPN session. This field is expected when an end tag is present. 2000
user Y The name of the user for whom the authentication is being performed. user2
src_ip Y The IP address of the originator of the request. 11.12.13.14
dest_ip N The IP address of the destination device. 192.168.1.2

Web Proxy category

The Web Proxy category for Splunk UBA maps to the Proxy dataset of the Web data model.

Every category requires a tag field. All CIM-compliant data contains at least one tag field that indicates the data model mapping.

Splunk CIM field name Required Field description Example values
action Y The action taken by the server or proxy. If this value is not present, it can be derived from the status field. allowed, blocked
bytes_in Y The number of inbound bytes transferred. 1028
bytes_out Y The number of outbound bytes transferred. 140
bytes N The total number of bytes transferred (bytes_in + bytes_out). 1168
category N The category of traffic provided by the proxy server. entertainment
dest_ip N The IP address of the remote host. 2.2.2.2
http_content_type Y The content-type of the requested HTTP resource. image/gif
http_method Y The HTTP method used in the request. GET
http_referrer N The HTTP referrer used in the request. referrer.acme.com
http_user_agent Y The user agent used in the request. Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
response_time N The amount of time it took to receive a response, if applicable, in milliseconds. 200
src_ip Y The source of the network traffic, such as the client requesting the connection. 10.10.10.12
status Y The HTTP response code indicating the status of the proxy request. 200
user N The user that requested the HTTP resource. cronaldo
url Y The URL accessed in the request. http://subdomain.acme.com/index.html
duration N The time in milliseconds taken by the proxy event. 241
Last modified on 10 July, 2020
PREVIOUS
Send data from Splunk Enterprise directly to Kafka
  NEXT
Send notable events from Splunk Enterprise Security to Splunk UBA

This documentation applies to the following versions of Splunk® User Behavior Analytics: 4.3.1, 4.3.2, 4.3.3, 4.3.4, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4


Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters