Splunk UBA category to Splunk CIM field reference
When adding CIM-compliant data to Splunk UBA, the field names from the data source must match the field names expected by Splunk UBA. Mapping the data source field names to the field names expected by Splunk UBA happens automatically when possible, but is not always possible. In those cases, you can use these tables to map the fields in Splunk UBA. See Use connectors to add data from the Splunk platform to Splunk UBA.
Do not make changes to the tags, eventtypes, or data in the Splunk platform.
Splunk UBA categories and corresponding CIM data models
Splunk UBA categories rely on the tags from CIM-compliant events to correctly parse data from the Splunk platform. Review this table to determine which category in Splunk UBA corresponds to the CIM data model that the events in the Splunk platform are mapped to. Click the name of the Splunk UBA category to review the field mappings between Splunk UBA and the CIM data models.
The tags in the table have an implied AND and are evaluated as follows:
- Categories that require a single tag such as Authentication will evaluate based on that tag. For example, authentication events must have
tag=authenticationto be parsed by Splunk UBA. Splunk UBA generates error messages when the percentage of valid events drops below a specific threshold. - Categories with multiple tags such as DHCP have an implied AND among the tags, and are evaluated using a combination of all tags. For example, DHCP events must have all three of
tag=network, tag=session, tag=dhcpto be parsed by Splunk UBA. Splunk UBA generates error messages when the combined percentage of valid events falls below a specific threshold.
Authentication category
The Authentication category for Splunk UBA maps to the Authentication data model.
Every category requires a tag field. All CIM-compliant data contains at least one tag field that indicates the data model mapping.
| Splunk CIM field name | Required | Field description | Example values |
|---|---|---|---|
| action | Y | The action performed on the resource. | success, failure, unknown, added |
| app | N | The application involved in the event. | ssh, splunk, win:local |
| dest | Y | The target involved in the authentication. You can alias this from more specific fields including dest_ip and dest_host. |
192.168.10.11, winhost1 |
| duration | N | The amount of time in seconds that it took to complete the authentication event. | 2 |
| eventtype | Y | The type of event. | acs_authentication_success |
| protocol | Y | The protocol of the traffic observed. | TACACS |
| src | Y | The source involved in the authentication. In the case of endpoint protection authentication the src is the client. You can alias this from more specific fields including src_ip and src_host. |
192.168.10.12, winhost2 |
| src_user | N | In privilege escalation events, src_user represents the user who initiated the privilege escalation. This field is unnecessary when an escalation is not performed. | user1 |
| tag | Y | The category of data model mapping. | authentication |
| user | Y | The name of the user for whom the authentication is being performed. | user2 |
Badge category
Every category requires a tag field. All CIM-compliant data contains at least one tag field that indicates the data model mapping.
| Splunk CIM field name | Required | Field description | Example values |
|---|---|---|---|
| vendor | N | The vendor of the badge access solution. | brivo |
| category | Y | The category of the badge access event. | Failed Access |
| user | Y | The user involved in this badge access event. | cronaldo |
| site_name | Y | The location of the building. | 123 Main Street |
| object_type | N | The type of device used in the badge access event. | ACCESS_POINT |
| object_name | N | The location in the building where the badge access was requested. | Mail Room |
| failure_reason | N | The reason for the failed operation. | Unauthorized Access Attempt |
Cloud Storage category
Every category requires a tag field. All CIM-compliant data contains at least one tag field that indicates the data model mapping. For non-CIM compliant data mapping for cloud storage data, see Non-CIM complaint mapping for cloud storage data.
| Splunk CIM field name | Required | Field description | Example values |
|---|---|---|---|
| file_size | N | The size in bytes of the resource associated to this event. | 10280 |
| object | Y | The name of the file. | this_picture.png |
| object_type | Y | The type of the file. | File, Folder, Document, Image, etc. |
| file_hash | Y | The unique identifier of the resource. This should be assigned by the product, such as Box, Sharepoint, or Google Drive. | 17283982137 |
| object_path | Y | The absolute or relative location of the resource. | /bpatinho/photos |
| parent_category | N | The type of the parent resource. | Folder, Link, etc. |
| parent_hash | Y | The unique identifier of the parent resource. This should be assigned by the product, such as Box, Sharepoint, or Google Drive. | 9864239674 |
| src_user | Y | The user creating this event. | user1 |
| change_type | Y | The type of access. | Download, Preview, Delete, Create, Edit. |
| app | Y | The application that is generating this event. | Box, Office365, Google Drive. |
| dest_user | N | The user targeted by this action. Usually this is linked to permission changes made by another user, such as when an admin change the privileges of a user in a file. | cronaldo |
Data Loss Prevention category
The Data Loss Prevention (DLP) category for Splunk UBA maps to the Data Loss Prevention data model.
Every category requires a tag field. All CIM-compliant data contains at least one tag field that indicates the data model mapping.
| Splunk CIM field name | Required | Field description | Example values |
|---|---|---|---|
| action | Y | The action taken by the DLP device. | allowed, blocked |
| app | N | The application involved in the event. | Symantec DLP |
| category | Y | The category of the DLP event. | malware, keylogger, ad-supported program |
| dest_ip | N | The IP address of the destination. | 2.2.2.2 |
| dest_host | N | The host name of the destination. | winhost2 |
| dest_file | N | The name of the destination file involved. | creditcards.xls |
| dest_path | N | The path of the destination file involved. | c:\documents |
| dest_user | N | The destination user involved in the activity reported by DLP. | cronaldo |
| device_id | N | The ID of the USB device. | 987654 |
| dlp_status | N | The DLP incident status. | Working |
| event_type_id | N | The event type ID. | 13 |
| file_size | N | The size in bytes of the file transferred | 10000 |
| match_count | N | The number of unique matches of the DLP signature. | 1,10,1040 |
| policy | N | The policy that triggered the DLP alarm. | Social Security Number |
| prevention_status | N | The DLP incident prevention status. | 9, Blocked |
| recipient | N | The individual email addresses of the message recipients. | a@b.com,c@b.com |
| restricted | N | Is it a sensitive or restricted file? | no,yes |
| sender | N | The email address of the message sender. | d@b.com |
| serial_number | N | The serial number of USB device. | 1234567890 |
| severity | Y | The severity of the network protection event. | informational, unknown, low, medium, high, critical |
| signature | Y | The type of the event. | HTTP Incident |
| src_file | N | The name of the source file involved. | creditcards.xls |
| src_host | N | The host name of the source. | winhost1 |
| src_ip | N | The source of the network traffic (the client requesting the connection). | 10.10.10.12 |
| src_path | N | The path of the source file involved. | c:\documents |
| src_user | N | The source user involved in the activity reported by DLP. | cronaldo |
| subject | N | The subject of the email message. | Important Message, Open Now! |
| user_department | N | The department of the user involved in the activity reported by DLP. | Finance |
| vendor | N | The USB vendor. | FUJITSU |
Database category
The Database category for Splunk UBA maps to the Databases data model.
Every category requires a tag field. All CIM-compliant data contains at least one tag field that indicates the data model mapping.
| Splunk CIM field name | Required | Field description | Example values |
|---|---|---|---|
| action_name | N | The action performed by the user. | LOGON, LOGOFF, CREATE FUNCTION |
| command_name | N | The SQL query command. | select, locktable, insert, delete |
| commits | N | The number of commits per second performed by the user associated with the session. | 5 |
| cpu_used | N | The number of CPU centiseconds used by the session. Divide this value by 100 to get the CPU seconds. | 1 |
| dest_ip | N | The IP address of the destination. | 2.2.2.2 |
| dest_host | N | The host name of the destination. | winhost2 |
| duration | N | The duration in seconds of the database connection. | 241 |
| elapsed_time | N | The total amount of time in seconds that elapsed since the user started the session by logging into the database server. | 10 |
| eventtype | Y | The type of event. | oracle_auth, oracle_session |
| instance_name | Y | The name of the database instance. | myinstance |
| object | N | The name of the database object. | view1, index1 |
| query | N | The full database query. | select * from my_table |
| records_affected | N | The number of records affected by the database query. | 1 |
| src_host | N | The domain name of the source server of the database event. | winhost1 |
| src_ip | N | The IP address of the source server of the database event. | 10.10.10.12 |
| tables_hit | N | The names of the tables hit by the query. | table1, table2 |
| tablespace_name | N | The name of the tablespace. | my table space |
| user | Y | The name of the database process user. | cronaldo |
| vendor | N | The vendor and product name of the database system. This field can be automatically populated by vendor and product fields in your data. | oracle |
DHCP category
The DHCP category for Splunk UBA maps to the DHCP dataset of the Network Sessions data model.
Every category requires a tag field. All CIM-compliant data contains at least one tag field that indicates the data model mapping.
| Splunk CIM field name | Required | Field description | Example values |
|---|---|---|---|
| dest_host | N | The host name of the machine to which the IP address is being assigned. | winhost1 |
| dest_ip | Y | The assigned IP address. | 192.168.1.12 |
| dest_mac | Y | The MAC address of the machine to which the IP address is being assigned. | ad:7b:3d:db:49:8b |
| lease_duration | Y | The duration in seconds of the Dynamic Host Configuration Protocol (DHCP) lease. | 2000 |
| signature | Y | An indication of the type of network session event. |
Some example signatures from Linux DHCP include: DHCPACK, DHCPOFFER, DHCPREQUEST, DHCPINFORM, DHCPDISCOVER , DHCPNAK, DHCPDECLINE, DHCPRELEASE Some example signatures from Windows DHCP include: "A new IP address was leased to a client", "Issued", "DHCP_GrantLease", "An IP address was found to be in use on the network" "A lease was renewed by a client", "Fixed", "Renewed", "DHCP_RenewLease" "A lease was released by a client", "DHCP Release", "Freed" "No DHCP lease available to offer from subnet" |
DNS category
The DNS category for Splunk UBA maps to the Network Resolution (DNS) data model.
Every category requires a tag field. All CIM-compliant data contains at least one tag field that indicates the data model mapping.
| Splunk CIM field name | Required | Field description | Example values |
|---|---|---|---|
| answer | Y | The resolved address for the query. | 12.13.14.15 |
| dest_ip | N | The destination IP address of the network resolution event. | 192.168.1.14 |
| duration | N | The amount of time in seconds taken by the network resolution event. | 1 |
| message_type | Y | The type of DNS message. | Query, Response |
| query | Y | The domain that needs to be resolved. | www.google.com |
| query_type | Y | The field might contain DNS OpCodes or Resource Record Type codes. | Query, IQuery, Status, Notify, Update, unknown, A, MX, NS, PTR |
| record_type | N | The DNS resource record type. | A, DNAME, MX, NS, PTR |
| src_ip | Y | The source IP address of the network resolution event. | 192.168.1.11 |
| src_port | N | The source port of the network resolution event. | 3022 |
| ttl | N | The time-to-live of the network resolution event. | 2000 |
Email category
The Email category for Splunk UBA maps to the Email data model.
Every category requires a tag field. All CIM-compliant data contains at least one tag field that indicates the data model mapping.
| Splunk CIM field name | Required | Field description | Example values |
|---|---|---|---|
| action | N | The action taken by the reporting device. | delivered, blocked, quarantined, deleted, unknown |
| direction | Y | The email direction, based on the sender.
|
inbound, outbound |
| eventtype | Y | The type of the event. | stream_email(email) |
| file_name | N | The names of the files attached to the message, if any. | example.txt |
| file_size | N | The size of the file attached to the message, if any. If the message has multiple attachments, the sum value of all attachments as a single integer. | 10280 |
| recipient | Y | A field listing individual recipient email addresses. | abc@example.com, bcd@example.com |
| sender | Y | The email address of the email sender. | sender@example.com |
| src | N | The system that sent the message. You can alias this from more specific fields, such as src_host, src_ip, or src_name. |
11.12.13.14 |
| src_user | N | The email address of the message sender. | acme@example.com |
| subject | Y | The subject of the email message. | Important Message, Meeting Agenda Update |
Endpoint category
The Endpoint category for Splunk UBA maps to the Endpoint data model.
Every category requires a tag field. All CIM-compliant data contains at least one tag field that indicates the data model mapping. Splunk UBA requires the following tag combinations to process endpoint category events:
- To properly parse port data, Splunk UBA requires
tag=listening, tag=port. - To properly parse process data, Splunk UBA requires
tag=process, tag=report. - To properly parse service data, Splunk UBA requires
tag=service, tag=report. - To properly parse filesystem data, Splunk UBA requires
tag=endpoint, tag=filesystem. - To properly parse registry data, Splunk UBA requires
tag=endpoint, tag=registry.
The Endpoint category contains multiple datasets. Some fields have the same names across multiple datasets.
- The
statusfield exists in the Registry and Service datasets. - The
userfield exists in the Ports, Processes, Services, Registry, and Filesystem datasets. - The
actionfield exists in the Endpoint category as well as the Ports dataset of the Endpoint category.
| Splunk CIM field name | Required | Field description | Example values |
|---|---|---|---|
| Any custom field name, such as alarmCategories or endpointCategory. | N | The categories that this external alarm belongs to. Multiple categories can be separated by comma. The values must be one or more of the categories in Filter the anomaly table. | Exfiltration |
| action | Y | The action taken by the endpoint. | allowed, blocked |
| category | N | The event category, if applicable. | malware, watchlist.hit.ingress.process |
| endpoint_dns, dest_host | N | The host name of the endpoint. | winhost1 |
| endpoint_ip, dest_ip | N | IP address of the endpoint where the activity happened. | 1.1.1.1 |
| endpoint_nt_domain, dest_nt_domain | N | The NT domain of the endpoint, if applicable. | acme |
| endpoint_port | N | Network port listening on the endpoint. | 53 |
| event_id | N | The event ID or code for the activity. | 7045 |
| eventtype | Y | The type of the event. | symantec_ep_risk_alert_virus, A service was installed in the system |
| signature | N | The sub-category or signature of the event, if applicable. | process_blocking |
| severity | N | The severity of the endpoint event. | informational, unknown, low, medium, high, critical |
| src_ip | N | The IP address of the "remote" system connected to the listening port (if applicable). | 2.2.2.2 |
| src_port | N | The "remote" port connected to the listening port (if applicable). | 53 |
| src_host, src_dns | N | The hostname of the "remote" system connected to the listening port (if applicable) | acmehost1 |
| Ports dataset | |||
| action | N | The action performed on the resource. | acl_modified, created, deleted, modified, read |
| cpu_load_percent | N | CPU load consumed by the process (in percent) | 85 |
| creation_time | N | The epoch time at which the network port started listening on the endpoint. | 1547749588 |
| dest_port | N | The network port listening on the endpoint. | 53 |
| mem_used | N | Memory in bytes used by the process. | 12345 |
| os | N | The operating system of the resource. | Microsoft Windows Server 2008r2 |
| process_id | N | The numeric identifier of the process assigned by the operating system. | 12345 |
| state | N | The status of the listening port. | established, listening |
| transport | N | The network transport protocol associated with the listening port. | tcp, udp |
| user | N | The user account that spawned the process. | cronaldo |
| vendor_product | N | The vendor and product name of the Endpoint solution that reported the event. | Carbon Black Cb Response |
| Processes dataset | |||
| parent_process_path | N | The full command string of the parent process. | C:\\WINDOWS\\system32\\cmd.exe \/c \"\"C:\\Program Files\\SplunkUniversalForwarder\\etc\\system\\bin\\powershell.cmd\" --scheme |
| parent_process_exec | N | The executable name of the parent process. | notepad.exe |
| parent_process_guid | N | The globally unique identifier of the parent process assigned by the vendor_product. | 0dd879c-ee2f-11db-8314-0800200c9a66 |
| parent_process_id | N | The numeric identifier of the parent process assigned by the operating system. | 12345 |
| parent_process_name | N | The friendly name of the parent process. | notepad.exe |
| process_id | N | The numeric identifier of the process assigned by the operating system. | 12345 |
| process | N | The full command string of the spawned process. | C:\\WINDOWS\\system32\\cmd.exe \/c \"\"C:\\Program Files\\SplunkUniversalForwarder\\etc\\system\\bin\\powershell.cmd\" --scheme |
| process_current_directory | N | The current working directory used to spawn the process. | /usr/bin/ |
| process_exec | N | The executable name of the process. | notepad.exe |
| process_guid. | N | The globally unique identifier of the process assigned by the vendor_product. | example_guid, example_id |
| process_hash | N | The digests of the parent process. | <md5>, <sha1> |
| process_integrity_level | N | The Windows integrity level of the process. | System, Medium |
| process_path | N | The file path of the process. | C:\Windows\System32\notepad.exe |
| user | N | The unique identifier of the user account which spawned the process. | example_user |
| Services dataset | |||
| description | N | The description of the service. | Example description |
| service_dll | N | The dynamic link library associated with the service. | Svc.exe |
| service_dll_hash | N | The digests of the dynamic link library associated with the service. | <md5>, <sha1> |
| service_dll_path | N | The file path to the dynamic link library associated with the service. | C:\Windows\System32\comdlg32.dll |
| service_dll_signature_exists | N | Whether or not the dynamic link library associated with the service has a digitally signed signature. | true |
| service_dll_signature_verified | N | Whether or not the dynamic link library associated with the service has had its digitally signed signature verified. | true |
| service_exec | N | The executable name of the service. | svchost.exe |
| service_hash | N | The digests of the service. | <md5>, <sha1> |
| service_id | N | The unique identifier of the service assigned by the operating system. | 12345 |
| service_name | N | The friendly service name. | example_name |
| service_path | N | The file path of the service. | C:\WINDOWS\system32\svchost.exe |
| start_mode | N | The start mode for the service. | example_mode |
| status | N | The status of the service or registry. | critical, started, stopped, warning, failure, success |
| user | N | The user account associated with the service or the filesystem access, or the registry access. | cronaldo |
| Filesystem dataset | |||
| file_access_time | N | The epoch time that the file (the object of the event) was accessed. | 1547749588 |
| file_create_time | N | The epoch time that the file (the object of the event) was created. | 1547749588 |
| file_modify_time | N | The epoch time that the file (the object of the event) was altered. | 1547749588 |
| file_acl | N | Access controls associated with the file affected by the event. | readonly |
| file_name | N | The name of the file. | notepad.exe |
| file_path | N | The path of the file. | C:\Windows\System32\notepad.exe |
| file_size | N | The size in kilobytes of the file that is the object of the event. | 5346 |
| user | N | The user account associated with the service or the filesystem access, or the registry access. | cronaldo |
| Registry dataset | |||
| registry_hive | N | The logical grouping of registry keys, subkeys, and values. | HKEY_CURRENT_CONFIG, HKEY_CURRENT_USER |
| registry_key_name | N | The name of the registry key. | PrinterDriverData |
| registry_path | N | The path to the registry value. | \win\directory\directory2\{676235CD-B656-42D5-B737-49856E97D072}\PrinterDriverData |
| registry_value_data | N | The unaltered registry value. | example_value |
| registry_value_name | N | The name of the registry value. | example_name |
| registry_value_text | N | The textual representation of registry_value_data (if applicable). | example_text |
| registry_value_type | N | The type of the registry value. | REG_BINARY, REG_DWORD, REG_DWORD_LITTLE_ENDIAN, REG_DWORD_BIG_ENDIAN, REG_EXPAND_SZ, REG_LINK, REG_MULTI_SZ, REG_NONE, REG_QWORD, REG_QWORD_LITTLE_ENDIAN, REG_SZ |
| status | N | The status of the service or registry. | failure, success |
| user | N | The user account associated with the service or the filesystem access, or the registry access. | cronaldo |
External Alarm category
The External Alarm category for Splunk UBA maps to the Intrusion Detection data model.
Every category requires a tag field. All CIM-compliant data contains at least one tag field that indicates the data model mapping.
| Splunk CIM field name | Required | Field description | Example values |
|---|---|---|---|
| Any custom field name, such as alarmCategories or alarmType | Y | The categories that this external alarm belongs to. Multiple categories can be separated by comma. The values must be one or more of the categories in Filter the anomaly table. | Exfiltration |
| action | N | The action taken by the external device. | allowed, blocked, deferred |
| app | N | The application involved in the event. | ssl |
| category | N | The category of the event, if applicable. | malware, watchlist.hit.ingress.proces |
| dest_host | N | The host name of the destination. | winhost2 |
| dest_ip | N | The IP address of the destination. | 2.2.2.2 |
| dest_zone | N | The destination zone. | PCI |
| severity | N | The severity of the external alarm. | informational, unknown, low, medium, high, critical |
| signature or eventtype | Y | The type of the event. | URL Filtering |
| src_host | N | The host name of the source. | winhost1 |
| src_ip | N | The source of the network traffic, such as the client requesting the connection. | 10.10.10.12 |
| src_zone | N | The source zone. | contractor |
| user | N | The user involved in the activity reported. | cronaldo |
| url | N | The URL accessed in the request. | http://subdomain.acme.com/index.html |
Firewall category
The Firewall category for Splunk UBA maps to the Network Traffic data model and the additional firewall tag.
Every category requires a tag field. All CIM-compliant data contains at least one tag field that indicates the data model mapping.
| Splunk CIM field name | Required | Field description | Example values |
|---|---|---|---|
| action | Y | The action taken by the firewall. | allowed, blocked |
| app | N | The application protocol of the traffic. | SSL |
| bytes | N | The total number of bytes transferred (bytes_in + bytes_out). | 1168 |
| bytes_in | Y | The number of inbound bytes transferred. | 1028 |
| bytes_out | Y | The number of outbound bytes transferred. | 140 |
| dest_host | N | The host name of the destination. | winhost2 |
| dest_ip | Y | The IP address of the destination. | 2.2.2.2 |
| dest_port | N | The port number of the destination. | 123 |
| dest_translated_ip | N | The NATed IPv4 or IPv6 address to which a packet is sent. | 192.168.1.12 |
| dest_zone | N | The destination zone. | PCI |
| duration | N | The amount of time in seconds for the completion of the network event. | 241 |
| packets_in | N | The number of inbound packets transferred. | 5 |
| packets_out | N | The number of outbound packets transferred. | 6 |
| protocol | Y | The OSI layer 3 (network) protocol of the traffic observed, in lowercase. | ip, appletalk, ipx |
| src_host | N | The host name of the source. | winhost1 |
| src_ip | Y | The source of the network traffic, such as the client requesting the connection. | 10.10.10.12 |
| src_port | N | The port number of the source. | 12345 |
| src_translated_ip | N | The NATed IPv4 or IPv6 address from which a packet is sent. | 192.168.1.11 |
| src_zone | N | The source zone. | contractor |
| url | N | The URL accessed in the request. | http://subdomain.acme.com/index.html |
| user | N | The user who requested the traffic flow. | cronaldo |
| vendor_action | Y | The type of the event. | Teardown TCP, Built inbound connection |
Host Antivirus category
The Host Antivirus (AV) category for Splunk UBA maps to the Malware_Operations dataset and the Malware_Attacks dataset of the Malware data model. Host AV refers to endpoint antivirus products.
Every category requires a tag field. All CIM-compliant data contains at least one tag field that indicates the data model mapping.
| Splunk CIM field name | Required | Field description | Example values |
|---|---|---|---|
| Any custom field name, such as alarmCategories or avCategory. | N | The categories that this external alarm belongs to. Multiple categories can be separated by comma. The values must be one or more of the categories in Filter the anomaly table. | Exfiltration |
| action | Y | The action taken by the AV. | allowed, blocked |
| category | N | The category of the event, if applicable. | malware, watchlist.hit.ingress.process |
| dest_host | N | The host name of the system that was affected by the malware event. | winhost2 |
| dest_ip | Y | The IP address of the system that was affected by the malware event. | 2.2.2.2 |
| dest_nt_domain | N | The NT domain of the destination, if applicable. | acme |
| duration | N | The amount of time in seconds for the completion of the activity reported by AV. | 241 |
| eventtype | Y | The type of the event. | symantec_ep_risk_alert_virus |
| file_name | N | Name of the file involved. | creditcards.xls |
| file_path | N | The path of the file involved. | c:\documents |
| severity | Y | The severity of the network protection event. | informational, unknown, low, medium, high, critical |
| signature | N | The subcategory or signature of the event, if applicable. | process_blockin |
| url | N | A URL containing more information about the vulnerability. | http://www.mydomain.com/a.html |
| user | N | The user involved in the activity reported by AV. | cronaldo |
Intrusion Detection System and Intrusion Prevention System category
The Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) category for Splunk UBA maps to the Intrusion Detection data model.
Every category requires a tag field. All CIM-compliant data contains at least one tag field that indicates the data model mapping.
| Splunk CIM field name | Required | Field description | Example values |
|---|---|---|---|
| Any custom field name, such as alarmCategories or idsCategory | Y | The categories that this external alarm belongs to. Multiple categories can be separated by comma. The values must be one or more of the categories in Filter the anomaly table. | Exfiltration |
| action | Y | The action taken by the IDS. | allowed, blocked |
| bytes_in | N | The number of inbound bytes transferred. | 1028 |
| bytes_out | N | The number of outbound bytes transferred. | 140 |
| bytes | N | The total number of bytes transferred (bytes_in + bytes_out). | 1168 |
| category | N | The category of the event, if applicable. | malware, watchlist.hit.ingress.process |
| dest_host | N | The host name of the destination. | winhost2 |
| dest_ip | Y | The IP address of the destination. | 2.2.2.2 |
| dest_port | N | The port number of the destination. | 1234 |
| duration | N | The amount of time in seconds for the completion of the activity reported by IDS. | 241 |
| eventtype | Y | The type of the event. | cisco_ips_vulnerable |
| ids_type | N | The type of IDS that generated the event. | network, host, application |
| severity | Y | The severity of the network protection event. | informational, unknown, low, medium, high, critical |
| signature | Y | The sub-category or signature of the event, if applicable. | process_blocking |
| src_host | N | The host name of the source. | winhost1 |
| src_ip | Y | The source of the network traffic (the client requesting the connection). | 10.10.10.12 |
| src_port | N | The port number of the source. | 12345 |
| user | N | The user involved in the activity reported by IDS. | cronaldo |
Printer category
Every category requires a tag field. All CIM-compliant data contains at least one tag field that indicates the data model mapping.
| Splunk CIM field name | Required | Field description | Example values |
|---|---|---|---|
| data_type | N | The data type of the file that was printed. | NT EMF 1.008 |
| driver_process | N | The name of the driver. | HP LaserJet M3035 mfp PCL6 |
| file_name | Y | The name of the file that was printed. | LIN111757BPAM08-04Laboratory17-10-15-12104.pdf |
| file_size | N | The size of the file being printed. | 10280 |
| job_id | N | The print ID of the job. | 35 |
| operation | N | The printer operation. | add |
| page_printed | N | The page that was printed. | 7 |
| parameters | N | The print parameters. | |
| print_processor | N | The print processor. | hpzppwn7 |
| printer | N | The printer identifier. | acmeprinter1 |
| priority | N | The priority of the print job. | 1 |
| signature | Y | The type of the event. | Microsoft-Windows-PrintService:812 |
| src_host | N | The host name of the device that submitted the printer job. | acmehost1 |
| src_ip | N | The IP address of the device that submitted the printer job. | 10.11.12.13 |
| status | N | The status of print job. | printing |
| submitted_time | N | The time that the print job was submitted.
The format must be either |
05/22/2019 13:10:44:001 |
| total_pages | N | The total number of pages printed. | 10 |
| type | N | The type or log. | PrintJob |
| user | Y | The user involved in the activity reported. | cronaldo |
VPN category
The VPN category for Splunk UBA maps to the VPN dataset of the Network Sessions data model, and to the Network Traffic data model.
Every category requires a tag field. All CIM-compliant data contains at least one tag field that indicates the data model mapping. Splunk UBA requires the following tag combinations to process VPN category events:
- To properly parse when VPN connections are initiated, Splunk UBA requires
tag=network, tag=session, tag=vpn, tag=start. - To properly parse traffic flow in a VPN connection, Splunk UBA requires
tag=network, tag=session, tag=vpn. - To properly parse when VPN connections are terminated, Splunk UBA requires
tag=network, tag=session, tag=vpn, tag=end.
| Splunk CIM field name | Required | Field description | Example values |
|---|---|---|---|
| bytes | N | The total number of bytes transferred by the device corresponding to the src_ip (bytes_in + bytes_out). |
1168 |
| bytes_in | N | The number of bytes received by the device corresponding to the src_ip (downloads). |
1028 |
| bytes_out | N | The number of bytes sent out by the device corresponding to the src_ip (uploads). |
140 |
| dest_ip | N | The IP address of the destination device. | 192.168.1.2 |
| duration | N | The duration in seconds of the VPN session. This field is expected when an end tag is present. |
2000 |
| src_ip | Y | The IP address of the originator of the request. | 11.12.13.14 |
| user | Y | The name of the user for whom the authentication is being performed. | user2 |
Web Proxy category
The Web Proxy category for Splunk UBA maps to the Proxy dataset of the Web data model.
Every category requires a tag field. All CIM-compliant data contains at least one tag field that indicates the data model mapping.
| Splunk CIM field name | Required | Field description | Example values |
|---|---|---|---|
| action | Y | The action taken by the server or proxy. If this value is not present, it can be derived from the status field. | allowed, blocked |
| bytes | N | The total number of bytes transferred (bytes_in + bytes_out). | 1168 |
| bytes_in | Y | The number of inbound bytes transferred. | 1028 |
| bytes_out | Y | The number of outbound bytes transferred. | 140 |
| category | N | The category of traffic provided by the proxy server. | entertainment |
| dest_ip | N | The IP address of the remote host. | 2.2.2.2 |
| duration | N | The time in milliseconds taken by the proxy event. | 241 |
| http_content_type | Y | The content-type of the requested HTTP resource. | image/gif |
| http_method | Y | The HTTP method used in the request. | GET |
| http_referrer | N | The HTTP referrer used in the request. | referrer.acme.com |
| http_user_agent | Y | The user agent used in the request. | Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) |
| response_time | N | The amount of time it took to receive a response, if applicable, in milliseconds. | 200 |
| src_ip | Y | The source of the network traffic, such as the client requesting the connection. | 10.10.10.12 |
| status | Y | The HTTP response code indicating the status of the proxy request. | 200 |
| user | N | The user that requested the HTTP resource. | cronaldo |
| url | Y | The URL accessed in the request. | http://subdomain.acme.com/index.html |
Last modified on 06 September, 2024
| Send data from the Splunk platform directly to Kafka | Send notable events from Splunk Enterprise Security to Splunk UBA |
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.2.0, 5.2.1, 5.3.0, 5.4.0, 5.4.1
Download manual
Feedback submitted, thanks!