Splunk® User Behavior Analytics

Get Data into Splunk User Behavior Analytics

Non-CIM complaint mapping for cloud storage data

Use the following table to map the Splunk CIM field name to the non-CIM field name for cloud storage data. You can use the impala field names to validate the mapping values. The SPL examples show how to adjust field names and values to get cloud storage data into Splunk UBA correctly:

Splunk CIM field name Non-CIM field name example Impala table field (fileaccess_s) Example values ((Field_name, Filed_value) SPL example
file_size FILE_SIZE_BYTE resourcesize (FILE_SIZE_BYTE: 10280) rename FILE_SIZE_BYTE as file_size
object SOURCE_FILE_NAME resourcename (SOURCE_FILE_NAME,'this_picture.png') rename SOURCE_FILE_NAME as object
object_type ITEM_TYPE resourcetype ITEM_TYPE, 'File')
(ITEM_TYPE, 'Folder')
(ITEM_TYPE, 'Document')
(ITEM_TYPE, 'Image')
rename ITEM_TYPE as object_type
file_hash ITEM_UNIQUE_ID resourceid (ITEM_UNIQUE_ID, '17283982137') rename ITEM_UNIQUE_ID as file_hash
object_path FILE_PATH source (FILE_PATH, '/bpatinho/photos') rename FilePath as object_path
parent_category PARENT_RS_TYPE parentpathtype (PARENT_RS_TYPE, 'Folder')
rename PARENT_RS_TYPE as parent_category
parent_hash PARENT_HASH_ID parentpathid (PARENT_HASH_ID, '9864239674') rename PARENT_HASH_ID as parent_hash
src_user SRC_USER source (SRC_USER, 'user1')
rename SRC_USER as src_user
change_type OPERATION evcls (Operation,' FileDownload')


| eval change_type=case(match(lower(change_type),
match(lower(change_type)," FileDownload"),
match(lower(change_type), "FILECOPIED"),"create",
match(lower(change_type)," FILEPREVIEW"),"preview",
match(lower(change_type), "FILEEDIT"),"edit")
app APP_NAME servicename (APP_NAME,'Box')
(APP_NAME,' Office365')
(APP_NAME,' Google Drive')
rename APP_NAME as app
dest_user DEST_USER destinationusername (DEST_USER, 'Cronaldo') rename DEST_USER as dest_user
Last modified on 09 February, 2023
Configure the VirusTotal script to see VirusTotal anomalies in Splunk UBA   Verify that you successfully added the data source

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.2.0, 5.2.1, 5.3.0, 5.4.0

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters