This documentation does not apply to the most recent version of Splunk® User Behavior Analytics.
For documentation on the most recent version, go to the latest release.
Splunk UBA category to Splunk CIM field mapping reference
When adding CIM-compliant data to Splunk UBA, the field names from the data source must match the field names expected by Splunk UBA. Mapping the data source field names to the field names expected by Splunk UBA happens automatically when possible, but is not always possible. In those cases, you can use these tables to map the fields in Splunk UBA. See Use connectors to add data from the Splunk platform to Splunk UBA.
Do not make changes to the tags, eventtypes, or data in the Splunk platform.
Splunk UBA categories and corresponding CIM data models
Splunk UBA categories rely on the tags from CIM-compliant events to correctly parse data from the Splunk platform. Review this table to determine which category in Splunk UBA corresponds to the CIM data model that the events in the Splunk platform are mapped to. Click the name of the Splunk UBA category to review the field mappings between Splunk UBA and the CIM data models.
The tags in the table have an implied AND and are evaluated as follows:
- Categories that require a single tag such as Authentication will evaluate based on that tag. For example, authentication events must have
tag=authenticationto be parsed by Splunk UBA. Splunk UBA generates error messages when the percentage of valid events drops below a specific threshold. - Categories with multiple tags such as DHCP have an implied AND among the tags, and are evaluated using a combination of all tags. For example, DHCP events must have all three of
tag=network, tag=session, tag=dhcpto be parsed by Splunk UBA. Splunk UBA generates error messages when the combined percentage of valid events falls below a specific threshold.
Authentication category
The Authentication category for Splunk UBA maps to the Authentication data model.
Every category requires a tag field. All CIM-compliant data contains at least one tag field that indicates the data model mapping.
| Splunk CIM field name | Required | Field description | Example values |
|---|---|---|---|
| action | Y | The action performed on the resource. | success, failure, unknown, added |
| app | N | The application involved in the event. | ssh, splunk, win:local |
| dest | Y | The target involved in the authentication. You can alias this from more specific fields including dest_ip and dest_host. | 192.168.10.11, winhost1 |
| duration | N | The amount of time in seconds that it took to complete the authentication event. | 2 |
| src_ip | Y | The source IP address involved in the authentication. | 192.168.10.12 |
| src_host | N | The host name of the source involved in the authentication. | winhost2 |
| src_user | N | In privilege escalation events, src_user represents the user who initiated the privilege escalation. This field is unnecessary when an escalation is not performed. | user1 |
| user | Y | The name of the user for whom the authentication is being performed. | user2 |
| protocol | Y | The protocol used for the authentication. | TACACS |
| eventtype | Y | The type of the event. | acs_authentication_success |
| Any custom field name, such as authType or loginType | N | The authentication login type. The default is Network. If specified, the value must be one of the categories in Filter the anomaly table. | Exfiltration |
Badge category
Every category requires a tag field. All CIM-compliant data contains at least one tag field that indicates the data model mapping.
| Splunk CIM field name | Required | Field description | Example values |
|---|---|---|---|
| vendor | N | The vendor of the badge access solution. | brivo |
| category | Y | The category of the badge access event. | Failed Access |
| user | Y | The user involved in this badge access event. | cronaldo |
| site_name | Y | The location of the building. | 123 Main Street |
| object_type | N | The type of device used in the badge access event. | ACCESS_POINT |
| object_name | N | The location in the building where the badge access was requested. | Mail Room |
| failure_reason | N | The reason for the failed operation. | Unauthorized Access Attempt |
Cloud Storage category
Every category requires a tag field. All CIM-compliant data contains at least one tag field that indicates the data model mapping.
| Splunk CIM field name | Required | Field description | Example values |
|---|---|---|---|
| file_size | N | The size in bytes of the resource associated to this event. | 10280 |
| object | Y | The name of the file. | this_picture.png |
| object_type | Y | The type of the file. | File, Folder, Document, Image, etc. |
| file_hash | Y | The unique identifier of the resource. This should be assigned by the product, such as Box, Sharepoint, or Google Drive. | 17283982137 |
| object_path | Y | The absolute or relative location of the resource. | /bpatinho/photos |
| parent_category | N | The type of the parent resource. | Folder, Link, etc. |
| parent_hash | Y | The unique identifier of the parent resource. This should be assigned by the product, such as Box, Sharepoint, or Google Drive. | 9864239674 |
| src_user | Y | The user creating this event. | user1 |
| change_type | Y | The type of access. | Download, Preview, Delete, Create, Edit. |
| app | Y | The application that is generating this event. | Box, Office365, Google Drive. |
| dest_user | N | The user targeted by this action. Usually this is linked to permission changes made by another user, such as when an admin change the privileges of a user in a file. | cronaldo |
Data Loss Prevention category
The Data Loss Prevention (DLP) category for Splunk UBA maps to the Data Loss Prevention data model.
Every category requires a tag field. All CIM-compliant data contains at least one tag field that indicates the data model mapping.
| Splunk CIM field name | Required | Field description | Example values |
|---|---|---|---|
| severity | Y | The severity of the network protection event. | informational, unknown, low, medium, high, critical |
| action | Y | The action taken by the DLP device. | allowed, blocked |
| app | N | The application involved in the event. | Symantec DLP |
| src_ip | N | The source of the network traffic (the client requesting the connection). | 10.10.10.12 |
| src_host | N | The host name of the source. | winhost1 |
| dest_ip | N | The IP address of the destination. | 2.2.2.2 |
| dest_host | N | The host name of the destination. | winhost2 |
| user_department | N | The department of the user involved in the activity reported by DLP. | Finance |
| category | Y | The category of the DLP event. | malware, keylogger, ad-supported program |
| recipient | N | The individual email addresses of the message recipients. | a@b.com,c@b.com |
| sender | N | The email address of the message sender. | d@b.com |
| subject | N | The subject of the email message. | Important Message, Open Now! |
| policy | N | The policy that triggered the DLP alarm. | Social Security Number |
| signature | Y | The type of the event. | HTTP Incident |
| dlp_status | N | The DLP incident status. | Working |
| prevention_status | N | The DLP incident prevention status. | 9, Blocked |
| event_type_id | N | The event type ID. | 13 |
| vendor | N | The USB vendor. | FUJITSU |
| serial_number | N | The serial number of USB device. | 1234567890 |
| device_id | N | The ID of the USB device. | 987654 |
| src_user | N | The source user involved in the activity reported by DLP. | cronaldo |
| dest_user | N | The destination user involved in the activity reported by DLP. | cronaldo |
| src_file | N | The name of the source file involved. | creditcards.xls |
| src_path | N | The path of the source file involved. | c:\documents |
| dest_file | N | The name of the destination file involved. | creditcards.xls |
| dest_path | N | The path of the destination file involved. | c:\documents |
| file_size | N | The size in bytes of the file transferred | 10000 |
| restricted | N | Is it a sensitive or restricted file? | no,yes |
| match_count | N | The number of unique matches of the DLP signature. | 1,10,1040 |
Database category
The Database category for Splunk UBA maps to the Databases data model.
Every category requires a tag field. All CIM-compliant data contains at least one tag field that indicates the data model mapping.
| Splunk CIM field name | Required | Field description | Example values |
|---|---|---|---|
| dest_ip | N | The IP address of the destination. | 2.2.2.2 |
| dest_host | N | The host name of the destination. | winhost2 |
| command_name | N | The SQL query command. | select, locktable, insert, delete |
| query | N | The full database query. | select * from my_table |
| action_name | N | The action performed by the user. | LOGON, LOGOFF, CREATE FUNCTION |
| instance_name | Y | The name of the database instance. | myinstance |
| object | N | The name of the database object. | view1, index1 |
| tablespace_name | N | The name of the tablespace. | my table space |
| commits | N | The number of commits per second performed by the user associated with the session. | 5 |
| cpu_used | N | The number of CPU centiseconds used by the session. Divide this value by 100 to get the CPU seconds. | 1 |
| elapsed_time | N | The total amount of time in seconds that elapsed since the user started the session by logging into the database server. | 10 |
| records_affected | N | The number of records affected by the database query. | 1 |
| tables_hit | N | The names of the tables hit by the query. | table1, table2 |
| vendor | N | The vendor and product name of the database system. This field can be automatically populated by vendor and product fields in your data. | oracle |
| user | Y | The name of the database process user. | cronaldo |
| eventtype | Y | The type of event. | oracle_auth, oracle_session |
| duration | N | The duration in seconds of the database connection. | 241 |
| src_ip | N | The IP address of the source server of the database event. | 10.10.10.12 |
| src_host | N | The domain name of the source server of the database event. | winhost1 |
DHCP category
The DHCP category for Splunk UBA maps to the DHCP dataset of the Network Sessions data model.
Every category requires a tag field. All CIM-compliant data contains at least one tag field that indicates the data model mapping.
| Splunk CIM field name | Required | Field description | Example values |
|---|---|---|---|
| lease_duration | Y | The duration in seconds of the Dynamic Host Configuration Protocol (DHCP) lease. | 2000 |
| dest_ip | Y | The assigned IP address. | 192.168.1.12 |
| dest_host | N | The host name of the machine to which the IP address is being assigned. | winhost1 |
| dest_mac | Y | The MAC address of the machine to which the IP address is being assigned. | ad:7b:3d:db:49:8b |
| signature | Y | An indication of the type of network session event. |
Some example signatures from Linux DHCP include: DHCPACK, DHCPOFFER, DHCPREQUEST, DHCPINFORM, DHCPDISCOVER , DHCPNAK, DHCPDECLINE, DHCPRELEASE Some example signatures from Windows DHCP include: "A new IP address was leased to a client", "Issued", "DHCP_GrantLease", "An IP address was found to be in use on the network" "A lease was renewed by a client", "Fixed", "Renewed", "DHCP_RenewLease" "A lease was released by a client", "DHCP Release", "Freed" "No DHCP lease available to offer from subnet" |
DNS category
The DNS category for Splunk UBA maps to the Network Resolution (DNS) data model.
Every category requires a tag field. All CIM-compliant data contains at least one tag field that indicates the data model mapping.
| Splunk CIM field name | Required | Field description | Example values |
|---|---|---|---|
| src_ip | Y | The source IP address of the network resolution event. | 192.168.1.11 |
| src_port | N | The source port of the network resolution event. | 3022 |
| dest_ip | N | The destination IP address of the network resolution event. | 192.168.1.14 |
| query | Y | The domain that needs to be resolved. | www.google.com |
| answer | Y | The resolved address for the query. | 12.13.14.15 |
| query_type | Y | The field may contain DNS OpCodes or Resource Record Type codes. | Query, IQuery, Status, Notify, Update, unknown, A, MX, NS, PTR |
| duration | N | The amount of time in seconds taken by the network resolution event. | 1 |
| ttl | N | The time-to-live of the network resolution event. | 2000 |
| record_type | N | The DNS resource record type. | A, DNAME, MX, NS, PTR |
| message_type | Y | The type of DNS message. | Query, Response |
Email category
The Email category for Splunk UBA maps to the Email data model.
Every category requires a tag field. All CIM-compliant data contains at least one tag field that indicates the data model mapping.
| Splunk CIM field name | Required | Field description | Example values |
|---|---|---|---|
| direction | Y | The email direction, based on the sender.
|
inbound, outbound |
| action | N | The action taken by the reporting device. | delivered, blocked, quarantined, deleted, unknown |
| file_size | N | The size of the file attached to the message, if any. If the message has multiple attachments, the sum value of all attachments as a single integer. | 10280 |
| file_name | N | The names of the files attached to the message, if any. | example.txt |
| recipient | Y | A field listing individual recipient email addresses. | abc@example.com, bcd@example.com |
| sender | Y | The email address of the email sender. | sender@example.com |
| subject | Y | The subject of the email message. | Important Message, Open Now! |
| eventtype | Y | The type of the event. | stream_email(email) |
| src_ip | N | The source IP address of the system that sent the message. | 11.12.13.14 |
| src_user | N | The source user involved in the email exchange. | cronaldo |
Endpoint category
The Endpoint category for Splunk UBA maps to the Endpoint data model.
Every category requires a tag field. All CIM-compliant data contains at least one tag field that indicates the data model mapping. Splunk UBA requires the following tag combinations to process endpoint category events:
- To properly parse port data, Splunk UBA requires
tag=listening, tag=port. - To properly parse process data, Splunk UBA requires
tag=process, tag=report. - To properly parse service data, Splunk UBA requires
tag=service, tag=report. - To properly parse filesystem data, Splunk UBA requires
tag=endpoint, tag=filesystem. - To properly parse registry data, Splunk UBA requires
tag=endpoint, tag=registry.
The Endpoint category contains multiple datasets. Some fields have the same names across multiple datasets.
- The
statusfield exists in the Registry and Service datasets. - The
userfield exists in the Ports, Processes, Services, Registry, and Filesystem datasets. - The
actionfield exists in the Endpoint category as well as the Ports dataset of the Endpoint category.
| Splunk CIM field name | Required | Field description | Example values |
|---|---|---|---|
| endpoint_ip, dest_ip | N | IP address of the endpoint where the activity happened. | 1.1.1.1 |
| endpoint_dns, dest_host | N | The host name of the endpoint. | winhost1 |
| endpoint_nt_domain, dest_nt_domain | N | The NT domain of the endpoint, if applicable. | acme |
| endpoint_port | N | Network port listening on the endpoint. | 53 |
| eventtype | Y | The type of the event. | symantec_ep_risk_alert_virus, A service was installed in the system |
| event_id | N | The event ID or code for the activity. | 7045 |
| category | N | The event category, if applicable. | malware, watchlist.hit.ingress.process |
| signature | N | The sub-category or signature of the event, if applicable. | process_blocking |
| Any custom field name, such as alarmCategories or endpointCategory. | N | The categories that this external alarm belongs to. Multiple categories can be separated by comma. The values must be one or more of the categories in Filter the anomaly table. | Exfiltration |
| severity | N | The severity of the endpoint event. | informational, unknown, low, medium, high, critical |
| action | Y | The action taken by the endpoint. | allowed, blocked |
| src_ip | N | The IP address of the "remote" system connected to the listening port (if applicable). | 2.2.2.2 |
| src_port | N | The "remote" port connected to the listening port (if applicable). | 53 |
| src_host, src_dns | N | The hostname of the "remote" system connected to the listening port (if applicable) | acmehost1 |
| Ports dataset | |||
| creation_time | N | The epoch time at which the network port started listening on the endpoint. | 1547749588 |
| dest_port | N | The network port listening on the endpoint. | 53 |
| process_id | N | The numeric identifier of the process assigned by the operating system. | 12345 |
| state | N | The status of the listening port. | established, listening |
| transport | N | The network transport protocol associated with the listening port. | tcp, udp |
| user | N | The user account that spawned the process. | cronaldo |
| vendor_product | N | The vendor and product name of the Endpoint solution that reported the event. | Carbon Black Cb Response |
| action | N | The action performed on the resource. | acl_modified, created, deleted, modified, read |
| cpu_load_percent | N | CPU load consumed by the process (in percent) | 85 |
| mem_used | N | Memory in bytes used by the process. | 12345 |
| os | N | The operating system of the resource. | Microsoft Windows Server 2008r2 |
| Processes dataset | |||
| parent_process_path | N | The full command string of the parent process. | C:\\WINDOWS\\system32\\cmd.exe \/c \"\"C:\\Program Files\\SplunkUniversalForwarder\\etc\\system\\bin\\powershell.cmd\" --scheme |
| parent_process_exec | N | The executable name of the parent process. | notepad.exe |
| parent_process_guid | N | The globally unique identifier of the parent process assigned by the vendor_product. | 0dd879c-ee2f-11db-8314-0800200c9a66 |
| parent_process_id | N | The numeric identifier of the parent process assigned by the operating system. | 12345 |
| parent_process_name | N | The friendly name of the parent process. | notepad.exe |
| process_id | N | The numeric identifier of the process assigned by the operating system. | 12345 |
| process | N | The full command string of the spawned process. | C:\\WINDOWS\\system32\\cmd.exe \/c \"\"C:\\Program Files\\SplunkUniversalForwarder\\etc\\system\\bin\\powershell.cmd\" --scheme |
| process_current_directory | N | The current working directory used to spawn the process. | /usr/bin/ |
| process_exec | N | The executable name of the process. | notepad.exe |
| process_guid. | N | The globally unique identifier of the process assigned by the vendor_product. | example_guid, example_id |
| process_hash | N | The digests of the parent process. | <md5>, <sha1> |
| process_integrity_level | N | The Windows integrity level of the process. | System, Medium |
| process_path | N | The file path of the process. | C:\Windows\System32\notepad.exe |
| user | N | The unique identifier of the user account which spawned the process. | example_user |
| Services dataset | |||
| description | N | The description of the service. | Example description |
| service_dll | N | The dynamic link library associated with the service. | Svc.exe |
| service_dll_hash | N | The digests of the dynamic link library associated with the service. | <md5>, <sha1> |
| service_dll_path | N | The file path to the dynamic link library associated with the service. | C:\Windows\System32\comdlg32.dll |
| service_dll_signature_exists | N | Whether or not the dynamic link library associated with the service has a digitally signed signature. | true |
| service_dll_signature_verified | N | Whether or not the dynamic link library associated with the service has had its digitally signed signature verified. | true |
| service_exec | N | The executable name of the service. | svchost.exe |
| service_hash | N | The digests of the service. | <md5>, <sha1> |
| service_id | N | The unique identifier of the service assigned by the operating system. | 12345 |
| service_name | N | The friendly service name. | example_name |
| service_path | N | The file path of the service. | C:\WINDOWS\system32\svchost.exe |
| start_mode | N | The start mode for the service. | example_mode |
| status | N | The status of the service or registry. | critical, started, stopped, warning, failure, success |
| user | N | The user account associated with the service or the filesystem access, or the registry access. | cronaldo |
| Filesystem dataset | |||
| file_access_time | N | The epoch time that the file (the object of the event) was accessed. | 1547749588 |
| file_create_time | N | The epoch time that the file (the object of the event) was created. | 1547749588 |
| file_modify_time | N | The epoch time that the file (the object of the event) was altered. | 1547749588 |
| file_acl | N | Access controls associated with the file affected by the event. | readonly |
| file_name | N | The name of the file. | notepad.exe |
| file_path | N | The path of the file. | C:\Windows\System32\notepad.exe |
| file_size | N | The size in kilobytes of the file that is the object of the event. | 5346 |
| user | N | The user account associated with the service or the filesystem access, or the registry access. | cronaldo |
| Registry dataset | |||
| registry_hive | N | The logical grouping of registry keys, subkeys, and values. | HKEY_CURRENT_CONFIG, HKEY_CURRENT_USER |
| registry_key_name | N | The name of the registry key. | PrinterDriverData |
| registry_path | N | The path to the registry value. | \win\directory\directory2\{676235CD-B656-42D5-B737-49856E97D072}\PrinterDriverData |
| registry_value_data | N | The unaltered registry value. | example_value |
| registry_value_name | N | The name of the registry value. | example_name |
| registry_value_text | N | The textual representation of registry_value_data (if applicable). | example_text |
| registry_value_type | N | The type of the registry value. | REG_BINARY, REG_DWORD, REG_DWORD_LITTLE_ENDIAN, REG_DWORD_BIG_ENDIAN, REG_EXPAND_SZ, REG_LINK, REG_MULTI_SZ, REG_NONE, REG_QWORD, REG_QWORD_LITTLE_ENDIAN, REG_SZ |
| status | N | The status of the service or registry. | failure, success |
| user | N | The user account associated with the service or the filesystem access, or the registry access. | cronaldo |
External Alarm category
The External Alarm category for Splunk UBA maps to the Intrusion Detection data model.
Every category requires a tag field. All CIM-compliant data contains at least one tag field that indicates the data model mapping.
| Splunk CIM field name | Required | Field description | Example values |
|---|---|---|---|
| Any custom field name, such as alarmCategories or alarmType | Y | The categories that this external alarm belongs to. Multiple categories can be separated by comma. The values must be one or more of the categories in Filter the anomaly table. | Exfiltration |
| category | N | The category of the event, if applicable. | malware, watchlist.hit.ingress.process |
| severity | N | The severity of the external alarm. | informational, unknown, low, medium, high, critical |
| action | N | The action taken by the external device. | allowed, blocked, deferred |
| app | N | The application involved in the event. | ssl |
| src_ip | N | The source of the network traffic, such as the client requesting the connection. | 10.10.10.12 |
| src_host | N | The host name of the source. | winhost1 |
| src_zone | N | The source zone. | contractor |
| dest_ip | N | The IP address of the destination. | 2.2.2.2 |
| dest_host | N | The host name of the destination. | winhost2 |
| dest_zone | N | The destination zone. | PCI |
| user | N | The user involved in the activity reported. | cronaldo |
| url | N | The URL accessed in the request. | http://subdomain.acme.com/index.html |
| signature or eventtype | Y | The type of the event. | URL Filtering |
Firewall category
The Firewall category for Splunk UBA maps to the Network Traffic data model and the additional firewall tag.
Every category requires a tag field. All CIM-compliant data contains at least one tag field that indicates the data model mapping.
| Splunk CIM field name | Required | Field description | Example values |
|---|---|---|---|
| action | Y | The action taken by the firewall. | allowed, blocked |
| app | N | The application protocol of the traffic. | SSL |
| bytes_in | Y | The number of inbound bytes transferred. | 1028 |
| packets_in | N | The number of inbound packets transferred. | 5 |
| bytes_out | Y | The number of outbound bytes transferred. | 140 |
| packets_out | N | The number of outbound packets transferred. | 6 |
| bytes | N | The total number of bytes transferred (bytes_in + bytes_out). | 1168 |
| protocol | Y | The OSI layer 3 (network) protocol of the traffic observed, in lowercase. | ip, appletalk, ipx |
| src_ip | Y | The source of the network traffic, such as the client requesting the connection. | 10.10.10.12 |
| src_host | N | The host name of the source. | winhost1 |
| src_port | N | The port number of the source. | 12345 |
| src_zone | N | The source zone. | contractor |
| src_translated_ip | N | The NATed IPv4 or IPv6 address from which a packet is sent. | 192.168.1.11 |
| dest_ip | Y | The IP address of the destination. | 2.2.2.2 |
| dest_host | N | The host name of the destination. | winhost2 |
| dest_port | N | The port number of the destination. | 1234 |
| dest_zone | N | The destination zone. | PCI |
| dest_translated_ip | N | The NATed IPv4 or IPv6 address to which a packet is sent. | 192.168.1.12 |
| user | N | The user who requested the traffic flow. | cronaldo |
| url | N | The URL accessed in the request. | http://subdomain.acme.com/index.html |
| duration | N | The amount of time in seconds for the completion of the network event. | 241 |
| vendor_action | Y | The type of the event. | Teardown TCP, Built inbound connection |
Host Antivirus category
The Host Antivirus (AV) category for Splunk UBA maps to the Malware_Operations dataset and the Malware_Attacks dataset of the Malware data model. Host AV refers to endpoint antivirus products.
Every category requires a tag field. All CIM-compliant data contains at least one tag field that indicates the data model mapping.
| Splunk CIM field name | Required | Field description | Example values |
|---|---|---|---|
| Any custom field name, such as alarmCategories or avCategory. | N | The categories that this external alarm belongs to. Multiple categories can be separated by comma. The values must be one or more of the categories in Filter the anomaly table. | Exfiltration |
| category | N | The category of the event, if applicable. | malware, watchlist.hit.ingress.process |
| signature | N | The subcategory or signature of the event, if applicable. | process_blocking |
| severity | Y | The severity of the network protection event. | informational, unknown, low, medium, high, critical |
| action | Y | The action taken by the AV. | allowed, blocked |
| dest_ip | Y | The IP address of the system that was affected by the malware event. | 2.2.2.2 |
| dest_host | N | The host name of the system that was affected by the malware event. | winhost2 |
| dest_nt_domain | N | The NT domain of the destination, if applicable. | acme |
| duration | N | The amount of time in seconds for the completion of the activity reported by AV. | 241 |
| user | N | The user involved in the activity reported by AV. | cronaldo |
| url | N | A URL containing more information about the vulnerability. | http://www.mydomain.com/a.html |
| file_name | N | Name of the file involved. | creditcards.xls |
| file_path | N | The path of the file involved. | c:\documents |
| eventtype | Y | The type of the event. | symantec_ep_risk_alert_virus |
Intrusion Detection System and Intrusion Prevention System category
The Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) category for Splunk UBA maps to the Intrusion Detection data model.
Every category requires a tag field. All CIM-compliant data contains at least one tag field that indicates the data model mapping.
| Splunk CIM field name | Required | Field description | Example values |
|---|---|---|---|
| Any custom field name, such as alarmCategories or idsCategory | Y | The categories that this external alarm belongs to. Multiple categories can be separated by comma. The values must be one or more of the categories in Filter the anomaly table. | Exfiltration |
| category | N | The category of the event, if applicable. | malware, watchlist.hit.ingress.process |
| signature | Y | The sub-category or signature of the event, if applicable. | process_blocking |
| severity | Y | The severity of the network protection event. | informational, unknown, low, medium, high, critical |
| action | Y | The action taken by the IDS. | allowed, blocked |
| bytes_in | N | The number of inbound bytes transferred. | 1028 |
| bytes_out | N | The number of outbound bytes transferred. | 140 |
| bytes | N | The total number of bytes transferred (bytes_in + bytes_out). | 1168 |
| src_ip | Y | The source of the network traffic (the client requesting the connection). | 10.10.10.12 |
| src_host | N | The host name of the source. | winhost1 |
| src_port | N | The port number of the source. | 12345 |
| dest_ip | Y | The IP address of the destination. | 2.2.2.2 |
| dest_host | N | The host name of the destination. | winhost2 |
| dest_port | N | The port number of the destination. | 1234 |
| duration | N | The amount of time in seconds for the completion of the activity reported by IDS. | 241 |
| user | N | The user involved in the activity reported by IDS. | cronaldo |
| ids_type | N | The type of IDS that generated the event. | network, host, application |
| eventtype | Y | The type of the event. | cisco_ips_vulnerable |
Printer category
Every category requires a tag field. All CIM-compliant data contains at least one tag field that indicates the data model mapping.
| Splunk CIM field name | Required | Field description | Example values |
|---|---|---|---|
| file_name | Y | The name of the file that was printed. | LIN111757BPAM08-04Laboratory17-10-15-12104.pdf |
| user | Y | The user involved in the activity reported. | cronaldo |
| printer | N | The printer identifier. | acmeprinter1 |
| driver_process | N | The name of the driver. | HP LaserJet M3035 mfp PCL6 |
| type | N | The type or log. | PrintJob |
| operation | N | The printer operation. | add |
| file_size | N | The size of the file being printed. | 10280 |
| job_id | N | The print ID of the job. | 35 |
| data_type | N | The data type of the file that was printed. | NT EMF 1.008 |
| print_processor | N | The print processor. | hpzppwn7 |
| parameters | N | The print parameters. | |
| status | N | The status of print job. | printing |
| priority | N | The priority of the print job. | 1 |
| total_pages | N | The total number of pages printed. | 10 |
| page_printed | N | The page that was printed. | 7 |
| submitted_time | N | The time that the print job was submitted. The format must be either MM/dd/yyyy HH:mm:ss.SSS or MM/dd/yyyy. |
05/22/2019 13:10:44:001 |
| src_ip | N | The IP address of the device that submitted the printer job. | 10.11.12.13 |
| src_host | N | The host name of the device that submitted the printer job. | acmehost1 |
| signature | Y | The type of the event. | Microsoft-Windows-PrintService:812 |
VPN category
The VPN category for Splunk UBA maps to the VPN dataset of the Network Sessions data model, and to the Network Traffic data model.
Every category requires a tag field. All CIM-compliant data contains at least one tag field that indicates the data model mapping. Splunk UBA requires the following tag combinations to process VPN category events:
- To properly parse when VPN connections are initiated, Splunk UBA requires
tag=network, tag=session, tag=vpn, tag=start. - To properly parse traffic flow in a VPN connection, Splunk UBA requires
tag=network, tag=session, tag=vpn. - To properly parse when VPN connections are terminated, Splunk UBA requires
tag=network, tag=session, tag=vpn, tag=end.
| Splunk CIM field name | Required | Field description | Example values |
|---|---|---|---|
| bytes_in | N | The number of bytes received by the device corresponding to the src_ip (downloads). |
1028 |
| bytes_out | N | The number of bytes sent out by the device corresponding to the src_ip (uploads). |
140 |
| bytes | N | The total number of bytes transferred by the device corresponding to the src_ip (bytes_in + bytes_out). |
1168 |
| duration | N | The duration in seconds of the VPN session. This field is expected when an end tag is present. |
2000 |
| user | Y | The name of the user for whom the authentication is being performed. | user2 |
| src_ip | Y | The IP address of the originator of the request. | 11.12.13.14 |
| dest_ip | N | The IP address of the destination device. | 192.168.1.2 |
Web Proxy category
The Web Proxy category for Splunk UBA maps to the Proxy dataset of the Web data model.
Every category requires a tag field. All CIM-compliant data contains at least one tag field that indicates the data model mapping.
| Splunk CIM field name | Required | Field description | Example values |
|---|---|---|---|
| action | Y | The action taken by the server or proxy. If this value is not present, it can be derived from the status field. | allowed, blocked |
| bytes_in | Y | The number of inbound bytes transferred. | 1028 |
| bytes_out | Y | The number of outbound bytes transferred. | 140 |
| bytes | N | The total number of bytes transferred (bytes_in + bytes_out). | 1168 |
| category | N | The category of traffic provided by the proxy server. | entertainment |
| dest_ip | N | The IP address of the remote host. | 2.2.2.2 |
| http_content_type | Y | The content-type of the requested HTTP resource. | image/gif |
| http_method | Y | The HTTP method used in the request. | GET |
| http_referrer | N | The HTTP referrer used in the request. | referrer.acme.com |
| http_user_agent | Y | The user agent used in the request. | Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) |
| response_time | N | The amount of time it took to receive a response, if applicable, in milliseconds. | 200 |
| src_ip | Y | The source of the network traffic, such as the client requesting the connection. | 10.10.10.12 |
| status | Y | The HTTP response code indicating the status of the proxy request. | 200 |
| user | N | The user that requested the HTTP resource. | cronaldo |
| url | Y | The URL accessed in the request. | http://subdomain.acme.com/index.html |
| duration | N | The time in milliseconds taken by the proxy event. | 241 |
Last modified on 30 August, 2023
| Send data from the Splunk platform directly to Kafka | Send notable events from Splunk Enterprise Security to Splunk UBA |
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.5, 5.0.5.1, 5.1.0, 5.1.0.1
Download manual
Feedback submitted, thanks!