Splunk® Common Information Model Add-on

Common Information Model Add-on Manual

This documentation does not apply to the most recent version of Splunk® Common Information Model Add-on. For documentation on the most recent version, go to the latest release.

Authentication

The fields and tags in the Authentication data model describe login activities from any data source.

Note: A dataset is a component of a data model. In versions of the Splunk platform prior to version 6.5.0, these were referred to as data model objects.

Tags used with Authentication event datasets

The following tags act as constraints to identify your events as being relevant to this data model. For more information, see How to use these reference tables.

Dataset name Tag name
Authentication authentication
|____ Default_Authentication
default
|____ Insecure_Authentication
cleartext OR insecure
|____ Privileged_Authentication
privileged

Fields for Authentication event datasets

The following table lists the extracted and calculated fields for the event datasets in the model. The table does not include any inherited fields. For more information, see How to use these reference tables.

The key for using the column titled "Abbreviated list of example values" follows:

  • Recommended are fields derived from the "recommended=true" JSON parameter that the TA developers need to make best efforts to map
  • Prescribed fields are the permitted values that can populate the fields, which are derived from the "expected_values" JSON parameter
  • Other values are other example values that you might see
Dataset name Field name Data type Description Abbreviated list of example values
Authentication action string The action performed on the resource.
  • recommended
  • prescribed fields:
    success, failure
Authentication app string The application involved in the event.
  • recommended
  • other:
    ssh, splunk, win:local
Authentication dest string The target involved in the authentication. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_nt_host. recommended
Authentication dest_bunit string The business unit of the authentication target.

This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.
Authentication dest_category string The category of the authentication target, such as email_server or SOX-compliant.

This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.
Authentication dest_nt_domain string The name of the Active Directory used by the authentication target, if applicable.
Authentication dest_priority string The priority of the authentication target.

This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.
Authentication duration number The amount of time for the completion of the authentication event, in seconds.
Authentication response_time number The amount of time it took to receive a response in the authentication event, in seconds.
Authentication signature string A human-readable signature name.
Authentication signature_id string The unique identifier or event code of the event signature.
Authentication src string The source involved in the authentication. In the case of endpoint protection authentication the src is the client. You can alias this from more specific fields, such as src_host, src_ip, or src_nt_host.

Do not confuse src with the event source or sourcetype fields.
recommended
Authentication src_bunit string The business unit of the authentication source.

This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.
Authentication src_category string The category of the authentication source, such as email_server or SOX-compliant.

This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.
Authentication src_nt_domain string The name of the Active Directory used by the authentication source, if applicable.
Authentication src_priority string The priority of the authentication source.

This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.
Authentication src_user string In privilege escalation events, src_user represents the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed. recommended
Authentication src_user_bunit string The business unit of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.

This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.
Authentication src_user_category string The category of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.

This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.
Authentication src_user_priority string The priority of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.

This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.
Authentication tag string This automatically-generated field is used to access tags from within data models. Do not define extractions for this field when writing add-ons.
Authentication user string The name of the user involved in the event, or who initiated the event. For authentication privilege escalation events, this should represent the user targeted by the escalation. recommended
Authentication user_bunit string The business unit of the user involved in the event, or who initiated the event. For authentication privilege escalation events, this should represent the user targeted by the escalation.

This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.
Authentication user_category string The category of the user involved in the event, or who initiated the event. For authentication privilege escalation events, this should represent the user targeted by the escalation.

This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.
Authentication user_priority string The priority of the user involved in the event, or who initiated the event. For authentication privilege escalation events, this should represent the user targeted by the escalation.

This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.
Last modified on 07 May, 2020
Application State (deprecated)   Certificates

This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.7.0, 4.8.0, 4.9.0, 4.9.1, 4.10.0, 4.11.0, 4.12.0, 4.13.0, 4.14.0, 4.15.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters