From a892e9ca14069e9ac3aed279a1d23f3f62e10ac8 Mon Sep 17 00:00:00 2001 
From: hire-vladimir Date: Wed, 21 Feb 2024 02:31:46 +0000 Subject: [PATCH 01/28] uba support initial --- default/data/models/UBA_Asset_Data.json | 572 +++++++++++ default/data/models/UBA_Authentication.json | 219 +++++ default/data/models/UBA_Badge.json | 215 ++++ default/data/models/UBA_Cloud_Storage.json | 283 ++++++ default/data/models/UBA_DHCP.json | 181 ++++ default/data/models/UBA_DLP.json | 439 +++++++++ default/data/models/UBA_DLP_Email.json | 439 +++++++++ default/data/models/UBA_DNS.json | 266 +++++ default/data/models/UBA_Database.json | 419 ++++++++ default/data/models/UBA_Email.json | 215 ++++ .../data/models/UBA_Endpoint_Filesystem.json | 538 ++++++++++ default/data/models/UBA_Endpoint_Port.json | 572 +++++++++++ .../data/models/UBA_Endpoint_Processes.json | 640 ++++++++++++ .../data/models/UBA_Endpoint_Registry.json | 555 +++++++++++ .../data/models/UBA_Endpoint_Services.json | 640 ++++++++++++ default/data/models/UBA_External_Alarm.json | 351 +++++++ default/data/models/UBA_Firewall.json | 470 +++++++++ default/data/models/UBA_HR_Data.json | 929 ++++++++++++++++++ default/data/models/UBA_Host_AV.json | 334 +++++++ default/data/models/UBA_IDS_IPS.json | 307 ++++++ default/data/models/UBA_Printer.json | 319 ++++++ default/data/models/UBA_VPN.json | 380 +++++++ default/data/models/UBA_Web_Proxy.json | 368 +++++++ default/data/ui/views/cim_dictionary.xml | 76 +- default/data/ui/views/cim_validator.xml | 15 +- default/datamodels.conf | 46 + default/macros.conf | 95 ++ default/transforms.conf | 3 - lookups/cim_dictionary.csv | 710 ------------- 29 files changed, 9859 insertions(+), 737 deletions(-) create mode 100644 default/data/models/UBA_Asset_Data.json create mode 100644 default/data/models/UBA_Authentication.json create mode 100644 default/data/models/UBA_Badge.json create mode 100644 default/data/models/UBA_Cloud_Storage.json create mode 100644 default/data/models/UBA_DHCP.json create mode 100644 default/data/models/UBA_DLP.json create mode 100644 
default/data/models/UBA_DLP_Email.json create mode 100644 default/data/models/UBA_DNS.json create mode 100644 default/data/models/UBA_Database.json create mode 100644 default/data/models/UBA_Email.json create mode 100644 default/data/models/UBA_Endpoint_Filesystem.json create mode 100644 default/data/models/UBA_Endpoint_Port.json create mode 100644 default/data/models/UBA_Endpoint_Processes.json create mode 100644 default/data/models/UBA_Endpoint_Registry.json create mode 100644 default/data/models/UBA_Endpoint_Services.json create mode 100644 default/data/models/UBA_External_Alarm.json create mode 100644 default/data/models/UBA_Firewall.json create mode 100644 default/data/models/UBA_HR_Data.json create mode 100644 default/data/models/UBA_Host_AV.json create mode 100644 default/data/models/UBA_IDS_IPS.json create mode 100644 default/data/models/UBA_Printer.json create mode 100644 default/data/models/UBA_VPN.json create mode 100644 default/data/models/UBA_Web_Proxy.json create mode 100644 default/datamodels.conf create mode 100644 default/macros.conf delete mode 100644 lookups/cim_dictionary.csv diff --git a/default/data/models/UBA_Asset_Data.json b/default/data/models/UBA_Asset_Data.json new file mode 100644 index 0000000..c2fee16 --- /dev/null +++ b/default/data/models/UBA_Asset_Data.json 
@@ -0,0 +1,572 @@ +{ + "modelName": "UBA_Asset_Data", + "displayName": "UBA Asset Data", + "description": "", + "objectSummary": { + "Event-Based": 1, + "Transaction-Based": 0, + "Search-Based": 0 + }, + "objects": [ + { + "objectName": "UBA_Asset_Data", + "displayName": "UBA_Asset_Data", + "parentName": "BaseEvent", + "comment": "", + "fields": [ + { + "fieldName": "_time", + "owner": "BaseEvent", + "type": "timestamp", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "_time", + "comment": "" + }, + { + "comment": { + "data_type": "string", + "description": "The application name.", + "possible_values": "Database", + "recommended": false + }, + "fieldName": "app", + "owner": "UBA_Asset_Data", + "type": "string", + "fieldSearch": "app=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "app" + }, + { + "comment": { + "data_type": "string", + "description": "The asset ID on the physical asset tag such as a sticker that is typically placed on each device in your organization.", + "possible_values": "123456", + "recommended": false + }, + "fieldName": "asset_tag", + "owner": "UBA_Asset_Data", + "type": "string", + "fieldSearch": "asset_*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "asset_tag" + }, + { + "comment": { + "data_type": "string", + "description": "The business unit that the device belongs to.", + "possible_values": "EMEA, NorCal", + "recommended": false + }, + "fieldName": "bunit", + "owner": "UBA_Asset_Data", + "type": "string", + "fieldSearch": "bunit=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "bunit" + }, + { + "comment": { + "data_type": "string", + "description": "The city where the device is located.", + "possible_values": "Chicago", + "recommended": false + }, + "fieldName": "city", + "owner": "UBA_Asset_Data", + 
"type": "string", + "fieldSearch": "city=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "city" + }, + { + "comment": { + "data_type": "string", + "description": "The cost center that the device belongs to.", + "possible_values": "SP01FIN", + "recommended": false + }, + "fieldName": "cost_center", + "owner": "UBA_Asset_Data", + "type": "string", + "fieldSearch": "cost_center=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "cost_center" + }, + { + "comment": { + "data_type": "string", + "description": "The country where the device is located.", + "possible_values": "USA", + "recommended": false + }, + "fieldName": "country", + "owner": "UBA_Asset_Data", + "type": "string", + "fieldSearch": "country=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "country" + }, + { + "comment": { + "data_type": "string", + "description": "The name of the user who created the device in the system.", + "possible_values": "DevOps", + "recommended": false + }, + "fieldName": "created_by", + "owner": "UBA_Asset_Data", + "type": "string", + "fieldSearch": "created_by=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "created_by" + }, + { + "comment": { + "data_type": "boolean", + "description": "Recommended. Indicates whether or not any IP addresses are associated with the MAC address for this device. Set to\u00a0true\u00a0to prevent any IP addresses from being associated with the MAC address for this device. 
See\u00a0Exclude identity resolution for devices or users.", + "possible_values": "TRUE,FALSE", + "recommended": true + }, + "fieldName": "denyListDeviceIr", + "owner": "UBA_Asset_Data", + "type": "boolean", + "fieldSearch": "denyListDeviceIr=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "denyListDeviceIr" + }, + { + "comment": { + "data_type": "boolean", + "description": "Recommended. Indicates whether or not any users are associated with this device. Set to\u00a0true\u00a0to prevent any users from being associated with this device. See\u00a0Exclude identity resolution for devices or users.", + "possible_values": "TRUE,FALSE", + "recommended": true + }, + "fieldName": "denyListUserIr", + "owner": "UBA_Asset_Data", + "type": "boolean", + "fieldSearch": "denyListUserIr=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "denyListUserIr" + }, + { + "comment": { + "data_type": "string", + "description": "The department that the device belongs to.", + "possible_values": "Field Reps, ITS, Products, HR", + "recommended": false + }, + "fieldName": "department", + "owner": "UBA_Asset_Data", + "type": "string", + "fieldSearch": "department=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "department" + }, + { + "comment": { + "data_type": "string", + "description": "The type of device.", + "possible_values": "client", + "recommended": false + }, + "fieldName": "deviceType", + "owner": "UBA_Asset_Data", + "type": "string", + "fieldSearch": "deviceType=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "deviceType" + }, + { + "comment": { + "data_type": "string", + "description": "The FQDN of the device.", + "possible_values": "server1.corp1.acmetech.org", + "recommended": false + }, + "fieldName": "dns", + "owner": "UBA_Asset_Data", + "type": "string", + 
"fieldSearch": "dns=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dns" + }, + { + "comment": { + "data_type": "string", + "description": "The domain of the device.", + "possible_values": "www.acmetech.org", + "recommended": false + }, + "fieldName": "dns_domain", + "owner": "UBA_Asset_Data", + "type": "string", + "fieldSearch": "dns_domain=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dns_domain" + }, + { + "fieldName": "host", + "owner": "BaseEvent", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "host", + "comment": "" + }, + { + "comment": { + "data_type": "string", + "description": "Required. The hostname of the device.", + "possible_values": "server1", + "recommended": true + }, + "fieldName": "hostname", + "owner": "UBA_Asset_Data", + "type": "string", + "fieldSearch": "hostname=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "hostname" + }, + { + "comment": { + "data_type": "string", + "description": "The IP address of the device. The field may contain multiple values. See\u00a0Configure asset ingestion for multi-valued fields.", + "possible_values": "2.1.1.1", + "recommended": false + }, + "fieldName": "ip", + "owner": "UBA_Asset_Data", + "type": "string", + "fieldSearch": "ip=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "ip" + }, + { + "comment": { + "data_type": "boolean", + "description": "Indicates whether or not this device is always expected. 
Alerts are generated if this device stops reporting events.", + "possible_values": "TRUE,FALSE", + "recommended": false + }, + "fieldName": "is_expected", + "owner": "UBA_Asset_Data", + "type": "boolean", + "fieldSearch": "is_expected=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "is_expected" + }, + { + "comment": { + "data_type": "string", + "description": "The latitude location of the device.", + "possible_values": "37.78008", + "recommended": false + }, + "fieldName": "latitude", + "owner": "UBA_Asset_Data", + "type": "string", + "fieldSearch": "latitude=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "latitude" + }, + { + "comment": { + "data_type": "string", + "description": "The longitude location of the device.", + "possible_values": "-122.42017", + "recommended": false + }, + "fieldName": "longitude", + "owner": "UBA_Asset_Data", + "type": "string", + "fieldSearch": "longitude=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "longitude" + }, + { + "comment": { + "data_type": "string", + "description": "The MAC address of the device. The field may contain multiple values. 
See\u00a0Configure asset ingestion for multi-valued fields.", + "possible_values": "00:50:ef:84:f1:21|00:50:ef:84:f1:20", + "recommended": false + }, + "fieldName": "mac", + "owner": "UBA_Asset_Data", + "type": "string", + "fieldSearch": "mac=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "mac" + }, + { + "comment": { + "data_type": "string", + "description": "The manager of the device.", + "possible_values": "admin", + "recommended": false + }, + "fieldName": "managed_by", + "owner": "UBA_Asset_Data", + "type": "string", + "fieldSearch": "managed_by=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "managed_by" + }, + { + "comment": { + "data_type": "string", + "description": "The operating system running on the device.", + "possible_values": "macOS, WIndows", + "recommended": false + }, + "fieldName": "os", + "owner": "UBA_Asset_Data", + "type": "string", + "fieldSearch": "os=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "os" + }, + { + "comment": { + "data_type": "string", + "description": "The OS domain of the device.", + "possible_values": "Windows", + "recommended": false + }, + "fieldName": "os_domain", + "owner": "UBA_Asset_Data", + "type": "string", + "fieldSearch": "os_domain=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "os_domain" + }, + { + "comment": { + "data_type": "string", + "description": "The owner of the device.", + "possible_values": "f.prefect@acmetech.org, DevOps, Bill", + "recommended": false + }, + "fieldName": "owner", + "owner": "UBA_Asset_Data", + "type": "string", + "fieldSearch": "owner=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "owner" + }, + { + "comment": { + "data_type": "string", + "description": "The PCI address domain of the device.", + 
"possible_values": "dmz, untrust", + "recommended": false + }, + "fieldName": "pci_domain", + "owner": "UBA_Asset_Data", + "type": "string", + "fieldSearch": "pci_domain=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "pci_domain" + }, + { + "comment": { + "data_type": "string", + "description": "The serial number of the device.", + "possible_values": "AB1C24D5EFGH", + "recommended": false + }, + "fieldName": "serial", + "owner": "UBA_Asset_Data", + "type": "string", + "fieldSearch": "serial=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "serial" + }, + { + "fieldName": "source", + "owner": "BaseEvent", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "source", + "comment": "" + }, + { + "fieldName": "sourcetype", + "owner": "BaseEvent", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "sourcetype", + "comment": "" + }, + { + "comment": { + "data_type": "string", + "description": "The hexadecimal Windows status code for the device.", + "possible_values": "0XC0000234 (user is currently locked out)", + "recommended": false + }, + "fieldName": "status", + "owner": "UBA_Asset_Data", + "type": "string", + "fieldSearch": "status=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "status" + }, + { + "comment": { + "data_type": "string", + "description": "The hexadecimal sub-status code for the device.", + "possible_values": "0XC000006D (invalid username or authentication)", + "recommended": false + }, + "fieldName": "substatus", + "owner": "UBA_Asset_Data", + "type": "string", + "fieldSearch": "substatus=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "substatus" + }, + { + 
"comment": { + "data_type": "string", + "description": "The date and time stamp of when the device was first entered into the system. The format is\u00a0MM/DD/YYYY.", + "possible_values": "5/1/19", + "recommended": false + }, + "fieldName": "sys_created_on", + "owner": "UBA_Asset_Data", + "type": "string", + "fieldSearch": "sys_created_on=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "sys_created_on" + }, + { + "comment": { + "data_type": "string", + "description": "The data and time stamp of the last time the device was updated. For example, a laptop may be assigned to a new owner. The format is\u00a0MM/DD/YYYY.", + "possible_values": "5/1/19", + "recommended": false + }, + "fieldName": "sys_updated_on", + "owner": "UBA_Asset_Data", + "type": "string", + "fieldSearch": "sys_updated_on=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "sys_updated_on" + } + ], + "calculations": [], + "constraints": [ + { + "search": "index=main", + "owner": "UBA_Asset_Data" + } + ], + "lineage": "UBA_Asset_Data" + } + ], + "objectNameList": [ + "UBA_Asset_Data" + ] +} \ No newline at end of file diff --git a/default/data/models/UBA_Authentication.json b/default/data/models/UBA_Authentication.json new file mode 100644 index 0000000..d4f95af --- /dev/null +++ b/default/data/models/UBA_Authentication.json 
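Review bot: The `asset_tag` field's `"fieldSearch": "asset_*"` is a free-text token wildcard, not a field-presence test, so it neither confirms that `asset_tag` is populated nor excludes unrelated terms that merely start with `asset_`; every other field in this model uses the `<field>=*` form, so it should be `"fieldSearch": "asset_tag=*"`. The constraint `"search": "index=main"` also diverges from the sibling models in this patch, which scope through an indexes macro (e.g. `` `uba_cim_authentication_indexes` `` in UBA_Authentication.json), so assets ingested into any index other than `main` are silently left out of validation; scoping through a macro in the added default/macros.conf keeps the index list configurable without editing the model. The top-level `"description": ""` is empty where the other models carry a one-line description, and the `hostname` comment says "Required." while its field is declared `"required": false`, so one of the two should change. Minor: `"possible_values": "macOS, WIndows"` and "The data and time stamp" under `sys_updated_on` are typos.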
@@ -0,0 +1,219 @@ +{ + "modelName": "UBA_Authentication", + "displayName": "UBA Authentication", + "description": "Splunk UBA Authentication Data Model for CIM Validator App", + "objectSummary": { + "Event-Based": 1, + "Transaction-Based": 0, + "Search-Based": 0 + }, + "objects": [ + { + "comment": { + "tags": [ + "authentication" + ] + }, + "objectName": "UBA_Authentication", + "displayName": "UBA Authentication", + "parentName": "BaseEvent", + "fields": [ + { + "fieldName": "_time", + "owner": "BaseEvent", + "type": "timestamp", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "_time", + "comment": "" + }, + { + "comment": { + "data_type": "string", + "description": "The action performed on the resource.", + "recommended": true, + "possible_values": "success, failure, unknown, added" + }, + "fieldName": "action", + "owner": "UBA_Authentication", + "type": "string", + "fieldSearch": "action=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "action" + }, + { + "comment": { + "data_type": "string", + "description": "The application involved in the event.", + "recommended": false, + "possible_values": "ssh, splunk, win:local" + }, + "fieldName": "app", + "owner": "UBA_Authentication", + "type": "string", + "fieldSearch": "app=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "app" + }, + { + "comment": { + "data_type": "string", + "description": "The target involved in the authentication. 
You can alias this from more specific fields including\u00a0dest_ip\u00a0and\u00a0dest_host.", + "recommended": true, + "possible_values": "192.168.10.11, winhost1" + }, + "fieldName": "dest", + "owner": "UBA_Authentication", + "type": "string", + "fieldSearch": "dest=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dest" + }, + { + "comment": { + "data_type": "integer", + "description": "The amount of time in seconds that it took to complete the authentication event.", + "recommended": false, + "possible_values": "2" + }, + "fieldName": "duration", + "owner": "UBA_Authentication", + "type": "number", + "fieldSearch": "duration=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "duration" + }, + { + "fieldName": "host", + "owner": "BaseEvent", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "host", + "comment": "" + }, + { + "fieldName": "source", + "owner": "BaseEvent", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "source", + "comment": "" + }, + { + "fieldName": "sourcetype", + "owner": "BaseEvent", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "sourcetype", + "comment": "" + }, + { + "comment": { + "data_type": "string", + "description": "The source involved in the authentication. In the case of endpoint protection authentication the src is the client. 
You can alias this from more specific fields including\u00a0src_ip\u00a0and\u00a0src_host.", + "recommended": true, + "possible_values": "192.168.10.12, winhost2" + }, + "fieldName": "src", + "owner": "UBA_Authentication", + "type": "string", + "fieldSearch": "src=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src" + }, + { + "comment": { + "data_type": "string", + "description": "In privilege escalation events, src_user represents the user who initiated the privilege escalation. This field is unnecessary when an escalation is not performed.", + "recommended": false, + "possible_values": "user1" + }, + "fieldName": "src_user", + "owner": "UBA_Authentication", + "type": "string", + "fieldSearch": "src_user=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_user" + }, + { + "comment": { + "data_type": "string", + "description": "Splunk UBA categories rely on the tags from CIM-compliant events to correctly parse data from the Splunk platform. Review this table to determine which category in Splunk UBA corresponds to the CIM data model that the events in the Splunk platform are mapped to. 
Click the name of the Splunk UBA category to review the field mappings between Splunk UBA and the CIM data models.", + "recommended": true, + "possible_values": "authentication" + }, + "fieldName": "tag", + "owner": "UBA_Authentication", + "type": "string", + "fieldSearch": "*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "tag" + }, + { + "comment": { + "data_type": "string", + "description": "The name of the user for whom the authentication is being performed.", + "recommended": true, + "possible_values": "user2" + }, + "fieldName": "user", + "owner": "UBA_Authentication", + "type": "string", + "fieldSearch": "user=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "user" + } + ], + "calculations": [], + "constraints": [ + { + "search": "`uba_cim_authentication_indexes` authentication", + "owner": "UBA_Authentication" + } + ], + "lineage": "UBA_Authentication" + } + ], + "objectNameList": [ + "UBA_Authentication" + ] +} diff --git a/default/data/models/UBA_Badge.json b/default/data/models/UBA_Badge.json new file mode 100644 index 0000000..1383a80 --- /dev/null +++ b/default/data/models/UBA_Badge.json 
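Review bot: The constraint `"search": "`uba_cim_authentication_indexes` authentication"` appends `authentication` as a bare keyword, which in SPL is a free-text match on the raw event rather than a tag filter, so events tagged `authentication` whose text lacks that word fall outside the model while unrelated events containing the word fall inside it; if tag membership is the intent (the object's `comment.tags` and the `tag` field's description suggest it is), the trailing term should be `tag=authentication`. The same pattern appears in the UBA_Badge.json (`badge`) and UBA_Cloud_Storage.json (`cloud`) hunks below. Relatedly, the `tag` field's `"fieldSearch": "*"` matches every event and so can never flag a missing tag; `tag=*` (or the specific tag value) would make the presence check meaningful. The macro body lives in default/macros.conf outside this hunk, so I cannot confirm whether it already carries a tag term.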
@@ -0,0 +1,215 @@ +{ + "modelName": "UBA_Badge", + "displayName": "UBA Badge", + "description": "Splunk UBA Badge Data Model for CIM Validator App", + "objectSummary": { + "Event-Based": 1, + "Transaction-Based": 0, + "Search-Based": 0 + }, + "objects": [ + { + "objectName": "UBA_Badge", + "displayName": "UBA_Badge", + "parentName": "BaseEvent", + "comment": "", + "fields": [ + { + "fieldName": "_time", + "owner": "BaseEvent", + "type": "timestamp", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "_time", + "comment": "" + }, + { + "comment": { + "data_type": "string", + "description": "The category of the badge access event.", + "possible_values": "Failed Access", + "required": true + }, + "fieldName": "category", + "owner": "UBA_Badge", + "type": "string", + "fieldSearch": "category=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "category" + }, + { + "comment": { + "data_type": "string", + "description": "The reason for the failed operation.", + "possible_values": "Unauthorized Access Attempt", + "required": false + }, + "fieldName": "failure_reason", + "owner": "UBA_Badge", + "type": "string", + "fieldSearch": "failure_reason=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "failure_reason" + }, + { + "fieldName": "host", + "owner": "BaseEvent", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "host", + "comment": "" + }, + { + "comment": { + "data_type": "string", + "description": "The location in the building where the badge access was requested.", + "possible_values": "Mail Room", + "required": true + }, + "fieldName": "object_name", + "owner": "UBA_Badge", + "type": "string", + "fieldSearch": "object_name=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": 
true, + "displayName": "object_name" + }, + { + "comment": { + "data_type": "string", + "description": "The type of device used in the badge access event.", + "possible_values": "ACCESS_POINT", + "required": true + }, + "fieldName": "object_type", + "owner": "UBA_Badge", + "type": "string", + "fieldSearch": "object_type=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "object_type" + }, + { + "comment": { + "data_type": "string", + "description": "The location of the building.", + "possible_values": "123 Main Street", + "required": false + }, + "fieldName": "site_name", + "owner": "UBA_Badge", + "type": "string", + "fieldSearch": "site_name=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "site_name" + }, + { + "fieldName": "source", + "owner": "BaseEvent", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "source", + "comment": "" + }, + { + "fieldName": "sourcetype", + "owner": "BaseEvent", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "sourcetype", + "comment": "" + }, + { + "comment": { + "data_type": "string", + "description": "Splunk UBA categories rely on the tags from CIM-compliant events to correctly parse data from the Splunk platform. Review this table to determine which category in Splunk UBA corresponds to the CIM data model that the events in the Splunk platform are mapped to. 
Click the name of the Splunk UBA category to review the field mappings between Splunk UBA and the CIM data models.", + "possible_values": "badge", + "required": true + }, + "fieldName": "tag", + "owner": "UBA_Badge", + "type": "string", + "fieldSearch": "*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "tag" + }, + { + "comment": { + "data_type": "string", + "description": "The user involved in this badge access event.", + "possible_values": "cronaldo", + "required": false + }, + "fieldName": "user", + "owner": "UBA_Badge", + "type": "string", + "fieldSearch": "user=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "user" + }, + { + "comment": { + "data_type": "string", + "description": "The vendor of the badge access solution.", + "possible_values": "brivo", + "required": false + }, + "fieldName": "vendor", + "owner": "UBA_Badge", + "type": "string", + "fieldSearch": "vendor=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "vendor" + } + ], + "calculations": [], + "constraints": [ + { + "search": "`uba_cim_badge_indexes` badge", + "owner": "UBA_Badge" + } + ], + "lineage": "UBA_Badge" + } + ], + "objectNameList": [ + "UBA_Badge" + ] +} \ No newline at end of file diff --git a/default/data/models/UBA_Cloud_Storage.json b/default/data/models/UBA_Cloud_Storage.json new file mode 100644 index 0000000..170c373 --- /dev/null +++ b/default/data/models/UBA_Cloud_Storage.json 
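Review bot: The per-field `comment` objects in this model carry `"required": true/false` where UBA_Asset_Data.json, UBA_Authentication.json and UBA_Cloud_Storage.json use `"recommended"`, so a consumer that reads `comment.recommended` sees no annotation at all on `category`, `object_name`, `object_type` and `tag`, and the key name collides with the field-level `required` attribute, which is `false` on every one of them. Renaming the comment key keeps the annotation schema uniform across the models, e.g. `"recommended": true` on `category`. If the intent is that these fields are genuinely mandatory, the field-level `"required": true` is what the data model honours, as UBA_Authentication.json does for `action`, `dest`, `src`, `tag` and `user`.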
@@ -0,0 +1,283 @@ +{ + "modelName": "UBA_Cloud_Storage", + "displayName": "UBA Cloud Storage", + "description": "Splunk UBA Cloud Storage Data Model for CIM Validator App", + "objectSummary": { + "Event-Based": 1, + "Transaction-Based": 0, + "Search-Based": 0 + }, + "objects": [ + { + "objectName": "UBA_Cloud_Storage", + "displayName": "UBA Cloud Storage", + "parentName": "BaseEvent", + "comment": "", + "fields": [ + { + "fieldName": "_time", + "owner": "BaseEvent", + "type": "timestamp", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "_time", + "comment": "" + }, + { + "comment": { + "data_type": "string", + "description": "The application that is generating this event.", + "recommended": true, + "possible_values": "Box, Office365, Google Drive." + }, + "fieldName": "app", + "owner": "UBA_Cloud_Storage", + "type": "string", + "fieldSearch": "app=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "app" + }, + { + "comment": { + "data_type": "string", + "description": "The type of access.", + "recommended": true, + "possible_values": "Download, Preview, Delete, Create, Edit." + }, + "fieldName": "change_type", + "owner": "UBA_Cloud_Storage", + "type": "string", + "fieldSearch": "change_type=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "change_type" + }, + { + "comment": { + "data_type": "string", + "description": "The user targeted by this action. 
Usually this is linked to permission changes made by another user, such as when an admin change the privileges of a user in a file.", + "recommended": false, + "possible_values": "cronaldo" + }, + "fieldName": "dest_user", + "owner": "UBA_Cloud_Storage", + "type": "string", + "fieldSearch": "dest_user=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dest_user" + }, + { + "comment": { + "data_type": "integer", + "description": "The unique identifier of the resource. This should be assigned by the product, such as Box, Sharepoint, or Google Drive.", + "recommended": true, + "possible_values": "17283982137" + }, + "fieldName": "file_hash", + "owner": "UBA_Cloud_Storage", + "type": "number", + "fieldSearch": "file_hash=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "file_hash" + }, + { + "comment": { + "data_type": "integer", + "description": "The size in bytes of the resource associated to this event.", + "recommended": false, + "possible_values": "10280" + }, + "fieldName": "file_size", + "owner": "UBA_Cloud_Storage", + "type": "number", + "fieldSearch": "file_size=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "file_size" + }, + { + "fieldName": "host", + "owner": "BaseEvent", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "host", + "comment": "" + }, + { + "comment": { + "data_type": "string", + "description": "The name of the file.", + "recommended": true, + "possible_values": "this_picture.png" + }, + "fieldName": "object", + "owner": "UBA_Cloud_Storage", + "type": "string", + "fieldSearch": "object=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "object" + }, + { + "comment": { + "data_type": "string", + "description": "The absolute or relative 
location of the resource.", + "recommended": true, + "possible_values": "/bpatinho/photos" + }, + "fieldName": "object_path", + "owner": "UBA_Cloud_Storage", + "type": "string", + "fieldSearch": "object_path=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "object_path" + }, + { + "comment": { + "data_type": "string", + "description": "The type of the file.", + "recommended": true, + "possible_values": "File, Folder, Document, Image, etc." + }, + "fieldName": "object_type", + "owner": "UBA_Cloud_Storage", + "type": "string", + "fieldSearch": "object_type=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "object_type" + }, + { + "comment": { + "data_type": "string", + "description": "The type of the parent resource.", + "recommended": false, + "possible_values": "Folder, Link, etc." + }, + "fieldName": "parent_category", + "owner": "UBA_Cloud_Storage", + "type": "string", + "fieldSearch": "parent_category=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "parent_category" + }, + { + "comment": { + "data_type": "integer", + "description": "The unique identifier of the parent resource. 
This should be assigned by the product, such as Box, Sharepoint, or Google Drive.", + "recommended": true, + "possible_values": "9864239674" + }, + "fieldName": "parent_hash", + "owner": "UBA_Cloud_Storage", + "type": "number", + "fieldSearch": "parent_hash=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "parent_hash" + }, + { + "fieldName": "source", + "owner": "BaseEvent", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "source", + "comment": "" + }, + { + "fieldName": "sourcetype", + "owner": "BaseEvent", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "sourcetype", + "comment": "" + }, + { + "comment": { + "data_type": "string", + "description": "The user creating this event.", + "recommended": true, + "possible_values": "user1" + }, + "fieldName": "src_user", + "owner": "UBA_Cloud_Storage", + "type": "string", + "fieldSearch": "src_user=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_user" + }, + { + "comment": { + "data_type": "string", + "description": "Splunk UBA categories rely on the tags from CIM-compliant events to correctly parse data from the Splunk platform. Review this table to determine which category in Splunk UBA corresponds to the CIM data model that the events in the Splunk platform are mapped to. 
Click the name of the Splunk UBA category to review the field mappings between Splunk UBA and the CIM data models.", + "recommended": true, + "possible_values": "cloud" + }, + "fieldName": "tag", + "owner": "UBA_Cloud_Storage Storage", + "type": "string", + "fieldSearch": "*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "tag" + } + ], + "calculations": [], + "constraints": [ + { + "search": "`uba_cim_cloud_indexes` cloud", + "owner": "UBA_Cloud_Storage" + } + ], + "lineage": "UBA_Cloud_Storage" + } + ], + "objectNameList": [ + "UBA_Cloud_Storage" + ] +} diff --git a/default/data/models/UBA_DHCP.json b/default/data/models/UBA_DHCP.json new file mode 100644 index 0000000..1379322 --- /dev/null +++ b/default/data/models/UBA_DHCP.json 
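Review bot: The `tag` field declares `"owner": "UBA_Cloud_Storage Storage"`, which matches neither the `objectName` nor the owner every other field and the constraint use, so the field is attributed to an object that does not exist; it should be `"owner": "UBA_Cloud_Storage"`. `file_hash` and `parent_hash` are described as product-assigned unique identifiers yet typed `number`; identifiers are not quantities, a numeric type invites precision loss on ids beyond 2^53 and rejects any vendor that issues alphanumeric ids, and a field named `hash` is never meaningfully numeric, so `"type": "string"` (with `"data_type": "string"` in the comment) is the safer declaration. Minor wording: `"possible_values": "Box, Office365, Google Drive."` carries a trailing period the other value lists lack, and "when an admin change the privileges" under `dest_user` should read "changes".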
@@ -0,0 +1,181 @@
+{
+ "modelName": "UBA_DHCP",
+ "displayName": "UBA DHCP",
+ "description": "Splunk UBA DHCP Data Model for CIM Validator App",
+ "objectSummary": {
+ "Event-Based": 1,
+ "Transaction-Based": 0,
+ "Search-Based": 0
+ },
+ "objects": [
+ {
+ "objectName": "UBA_DHCP",
+ "displayName": "UBA DHCP",
+ "parentName": "BaseEvent",
+ "comment": "",
+ "fields": [
+ {
+ "fieldName": "_time",
+ "owner": "BaseEvent",
+ "type": "timestamp",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "_time",
+ "comment": ""
+ },
+ {
+ "comment": {
+ "data_type": "string",
+ "description": "The host name of the machine to which the IP address is being assigned.",
+ "recommended": false,
+ "possible_values": "winhost1"
+ },
+ "fieldName": "dest_host",
+ "owner": "UBA_DHCP",
+ "type": "string",
+ "fieldSearch": "dest_host=*",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "dest_host"
+ },
+ {
+ "comment": {
+ "data_type": "string",
+ "description": "The assigned IP address.",
+ "recommended": true,
+ "possible_values": "192.168.1.12"
+ },
+ "fieldName": "dest_ip",
+ "owner": "UBA_DHCP",
+ "type": "string",
+ "fieldSearch": "dest_ip=*",
+ "required": true,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "dest_ip"
+ },
+ {
+ "comment": {
+ "data_type": "string",
+ "description": "The MAC address of the machine to which the IP address is being assigned.",
+ "recommended": true,
+ "possible_values": "ad:7b:3d:db:49:8b"
+ },
+ "fieldName": "dest_mac",
+ "owner": "UBA_DHCP",
+ "type": "string",
+ "fieldSearch": "dest_mac=*",
+ "required": true,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "dest_mac"
+ },
+ {
+ "fieldName": "host",
+ "owner": "BaseEvent",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "host",
+ "comment": ""
+ },
+ {
+ "comment": {
+ "data_type": "integer",
+ "description": "The duration in seconds of the Dynamic Host Configuration Protocol (DHCP) lease.",
+ "recommended": true,
+ "possible_values": "2000"
+ },
+ "fieldName": "lease_duration",
+ "owner": "UBA_DHCP",
+ "type": "number",
+ "fieldSearch": "lease_duration=*",
+ "required": true,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "lease_duration"
+ },
+ {
+ "comment": {
+ "data_type": "string",
+ "description": "An indication of the type of network session event.",
+ "recommended": true,
+ "possible_values": "DHCPACK, DHCPOFFER, DHCPREQUEST, DHCPINFORM, DHCPDISCOVER , DHCPNAK, DHCPDECLINE, DHCPRELEASE\r\n\"A new IP address was leased to a client\", \"Issued\", \"DHCP_GrantLease\",\r\n\"An IP address was found to be in use on the network\"\r\n\"A lease was renewed by a client\", \"Fixed\", \"Renewed\", \"DHCP_RenewLease\"\r\n\"A lease was released by a client\", \"DHCP Release\", \"Freed\"\r\n\"No DHCP lease available to offer from subnet\""
+ },
+ "fieldName": "signature",
+ "owner": "UBA_DHCP",
+ "type": "string",
+ "fieldSearch": "signature=*",
+ "required": true,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "signature"
+ },
+ {
+ "fieldName": "source",
+ "owner": "BaseEvent",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "source",
+ "comment": ""
+ },
+ {
+ "fieldName": "sourcetype",
+ "owner": "BaseEvent",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "sourcetype",
+ "comment": ""
+ },
+ {
+ "comment": {
+ "data_type": "string",
+ "description": "Splunk UBA categories rely on the tags from CIM-compliant events to correctly parse data from the Splunk platform. Review this table to determine which category in Splunk UBA corresponds to the CIM data model that the events in the Splunk platform are mapped to. Click the name of the Splunk UBA category to review the field mappings between Splunk UBA and the CIM data models.",
+ "recommended": true,
+ "possible_values": "network,session,dhcp"
+ },
+ "fieldName": "tag",
+ "owner": "UBA_DHCP",
+ "type": "string",
+ "fieldSearch": "*",
+ "required": true,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "tag"
+ }
+ ],
+ "calculations": [],
+ "constraints": [
+ {
+ "search": "`uba_cim_dhcp_indexes` network session dhcp",
+ "owner": "UBA_DHCP"
+ }
+ ],
+ "lineage": "UBA_DHCP"
+ }
+ ],
+ "objectNameList": [
+ "UBA_DHCP"
+ ]
+}
diff --git a/default/data/models/UBA_DLP.json b/default/data/models/UBA_DLP.json new file mode 100644
index 0000000..0687e72
--- /dev/null
+++ b/default/data/models/UBA_DLP.json
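Review bot: The `possible_values` string for `signature` embeds literal `\r\n` sequences, nested quoted phrases and stray spacing (`DHCPDISCOVER , DHCPNAK`), while every other field in this commit's models uses a single comma-separated list. Whatever renders this metadata (presumably the dictionary view) will show the escapes verbatim, and a reader cannot tell which tokens are expected values and which are descriptive prose. I would keep the protocol message names as the value list, `"possible_values": "DHCPACK, DHCPOFFER, DHCPREQUEST, DHCPINFORM, DHCPDISCOVER, DHCPNAK, DHCPDECLINE, DHCPRELEASE, DHCP_GrantLease, DHCP_RenewLease, Issued, Renewed, Freed"`, and move the vendor-specific sentences ("A new IP address was leased to a client", "No DHCP lease available to offer from subnet") into the `description`.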
@@ -0,0 +1,439 @@
+{
+ "modelName": "UBA_DLP",
+ "displayName": "UBA DLP",
+ "description": "",
+ "objectSummary": {
+ "Event-Based": 1,
+ "Transaction-Based": 0,
+ "Search-Based": 0
+ },
+ "objects": [
+ {
+ "objectName": "UBA_DLP",
+ "displayName": "UBA_DLP",
+ "parentName": "BaseEvent",
+ "comment": "",
+ "fields": [
+ {
+ "fieldName": "action",
+ "owner": "UBA_DLP",
+ "type": "string",
+ "fieldSearch": "action=*",
+ "required": true,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "action",
+ "comment": ""
+ },
+ {
+ "fieldName": "category",
+ "owner": "UBA_DLP",
+ "type": "string",
+ "fieldSearch": "category=*",
+ "required": true,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "category",
+ "comment": ""
+ },
+ {
+ "fieldName": "severity",
+ "owner": "UBA_DLP",
+ "type": "string",
+ "fieldSearch": "severity=*",
+ "required": true,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "severity",
+ "comment": ""
+ },
+ {
+ "fieldName": "signature",
+ "owner": "UBA_DLP",
+ "type": "string",
+ "fieldSearch": "signature=*",
+ "required": true,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "signature",
+ "comment": ""
+ },
+ {
+ "fieldName": "app",
+ "owner": "UBA_DLP",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "app",
+ "comment": ""
+ },
+ {
+ "fieldName": "dest_ip",
+ "owner": "UBA_DLP",
+ "type": "ipv4",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "dest_ip",
+ "comment": ""
+ },
+ {
+ "fieldName": "dest_host",
+ "owner": "UBA_DLP",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "dest_host",
+ "comment": ""
+ },
+ {
+ "fieldName": "dest_file",
+ "owner": "UBA_DLP",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "dest_file",
+ "comment": ""
+ },
+ {
+ "fieldName": "dest_path",
+ "owner": "UBA_DLP",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "dest_path",
+ "comment": ""
+ },
+ {
+ "fieldName": "dest_user",
+ "owner": "UBA_DLP",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "dest_user",
+ "comment": ""
+ },
+ {
+ "fieldName": "device_id",
+ "owner": "UBA_DLP",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "device_id",
+ "comment": ""
+ },
+ {
+ "fieldName": "dlp_status",
+ "owner": "UBA_DLP",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "dlp_status",
+ "comment": ""
+ },
+ {
+ "fieldName": "event_type_id",
+ "owner": "UBA_DLP",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "event_type_id",
+ "comment": ""
+ },
+ {
+ "fieldName": "file_size",
+ "owner": "UBA_DLP",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "file_size",
+ "comment": ""
+ },
+ {
+ "fieldName": "match_count",
+ "owner": "UBA_DLP",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "match_count",
+ "comment": ""
+ },
+ {
+ "fieldName": "policy",
+ "owner": "UBA_DLP",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "policy",
+ "comment": ""
+ },
+ {
+ "fieldName": "prevention_status",
+ "owner": "UBA_DLP",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "prevention_status",
+ "comment": ""
+ },
+ {
+ "fieldName": "recipient",
+ "owner": "UBA_DLP",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "recipient",
+ "comment": ""
+ },
+ {
+ "fieldName": "restricted",
+ "owner": "UBA_DLP",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "restricted",
+ "comment": ""
+ },
+ {
+ "fieldName": "sender",
+ "owner": "UBA_DLP",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "sender",
+ "comment": ""
+ },
+ {
+ "fieldName": "serial_number",
+ "owner": "UBA_DLP",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "serial_number",
+ "comment": ""
+ },
+ {
+ "fieldName": "src_file",
+ "owner": "UBA_DLP",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "src_file",
+ "comment": ""
+ },
+ {
+ "fieldName": "src_host",
+ "owner": "UBA_DLP",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "src_host",
+ "comment": ""
+ },
+ {
+ "fieldName": "src_ip",
+ "owner": "UBA_DLP",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "src_ip",
+ "comment": ""
+ },
+ {
+ "fieldName": "src_path",
+ "owner": "UBA_DLP",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "src_path",
+ "comment": ""
+ },
+ {
+ "fieldName": "src_user",
+ "owner": "UBA_DLP",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "src_user",
+ "comment": ""
+ },
+ {
+ "fieldName": "subject",
+ "owner": "UBA_DLP",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "subject",
+ "comment": ""
+ },
+ {
+ "fieldName": "user_department",
+ "owner": "UBA_DLP",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "user_department",
+ "comment": ""
+ },
+ {
+ "fieldName": "vendor",
+ "owner": "UBA_DLP",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "vendor",
+ "comment": ""
+ },
+ {
+ "fieldName": "tag",
+ "owner": "UBA_DLP",
+ "type": "string",
+ "fieldSearch": "*",
+ "required": true,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "tag",
+ "comment": ""
+ },
+ {
+ "fieldName": "_time",
+ "owner": "BaseEvent",
+ "type": "timestamp",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "_time",
+ "comment": ""
+ },
+ {
+ "fieldName": "host",
+ "owner": "BaseEvent",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "host",
+ "comment": ""
+ },
+ {
+ "fieldName": "source",
+ "owner": "BaseEvent",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "source",
+ "comment": ""
+ },
+ {
+ "fieldName": "sourcetype",
+ "owner": "BaseEvent",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "sourcetype",
+ "comment": ""
+ }
+ ],
+ "calculations": [],
+ "constraints": [
+ {
+ "search": "index=main",
+ "owner": "UBA_DLP"
+ }
+ ],
+ "lineage": "UBA_DLP"
+ }
+ ],
+ "objectNameList": [
+ "UBA_DLP"
+ ]
+}
diff --git a/default/data/models/UBA_DLP_Email.json b/default/data/models/UBA_DLP_Email.json new file mode 100644
index 0000000..912b6f4
--- /dev/null
+++ b/default/data/models/UBA_DLP_Email.json
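Review bot: The root constraint for UBA_DLP is the literal `"search": "index=main"` with no tag terms, whereas the sibling models added in this commit scope themselves by an `uba_cim_*_indexes` macro plus the model's CIM tags (`` `uba_cim_dhcp_indexes` network session dhcp ``, `` `uba_cim_dns_indexes` network resolution dns ``). As written, every event in `main` satisfies the model regardless of its tags, and DLP data that lands in any other index is never considered, so the validator's compliance figures for this model will not mean much; a macro-based constraint like the other models, for example `` "search": "`uba_cim_dlp_indexes` <DLP_TAGS>" `` with the macro defined in macros.conf (placeholder tags, since the commit does not state which CIM tags UBA expects for DLP), would make it consistent. This model also carries `"description": ""` at the top level and `"comment": ""` on every field, so the dictionary view gets no field descriptions or `possible_values` for it, unlike the documented models; at minimum `tag` should say which tags the constraint expects. Separately, `dest_ip` is declared `"type": "ipv4"` here but `"string"` in the DHCP, DNS and Database models; one convention should be chosen across the UBA models.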
@@ -0,0 +1,439 @@
+{
+ "modelName": "UBA_DLP_Email",
+ "displayName": "UBA DLP Email",
+ "description": "",
+ "objectSummary": {
+ "Event-Based": 1,
+ "Transaction-Based": 0,
+ "Search-Based": 0
+ },
+ "objects": [
+ {
+ "objectName": "UBA_DLP",
+ "displayName": "UBA_DLP_Email",
+ "parentName": "BaseEvent",
+ "comment": "",
+ "fields": [
+ {
+ "fieldName": "action",
+ "owner": "UBA_DLP",
+ "type": "string",
+ "fieldSearch": "action=*",
+ "required": true,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "action",
+ "comment": ""
+ },
+ {
+ "fieldName": "category",
+ "owner": "UBA_DLP",
+ "type": "string",
+ "fieldSearch": "category=*",
+ "required": true,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "category",
+ "comment": ""
+ },
+ {
+ "fieldName": "severity",
+ "owner": "UBA_DLP",
+ "type": "string",
+ "fieldSearch": "severity=*",
+ "required": true,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "severity",
+ "comment": ""
+ },
+ {
+ "fieldName": "signature",
+ "owner": "UBA_DLP",
+ "type": "string",
+ "fieldSearch": "signature=*",
+ "required": true,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "signature",
+ "comment": ""
+ },
+ {
+ "fieldName": "app",
+ "owner": "UBA_DLP",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "app",
+ "comment": ""
+ },
+ {
+ "fieldName": "dest_ip",
+ "owner": "UBA_DLP",
+ "type": "ipv4",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "dest_ip",
+ "comment": ""
+ },
+ {
+ "fieldName": "dest_host",
+ "owner": "UBA_DLP",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "dest_host",
+ "comment": ""
+ },
+ {
+ "fieldName": "dest_file",
+ "owner": "UBA_DLP",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "dest_file",
+ "comment": ""
+ },
+ {
+ "fieldName": "dest_path",
+ "owner": "UBA_DLP",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "dest_path",
+ "comment": ""
+ },
+ {
+ "fieldName": "dest_user",
+ "owner": "UBA_DLP",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "dest_user",
+ "comment": ""
+ },
+ {
+ "fieldName": "device_id",
+ "owner": "UBA_DLP",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "device_id",
+ "comment": ""
+ },
+ {
+ "fieldName": "dlp_status",
+ "owner": "UBA_DLP",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "dlp_status",
+ "comment": ""
+ },
+ {
+ "fieldName": "event_type_id",
+ "owner": "UBA_DLP",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "event_type_id",
+ "comment": ""
+ },
+ {
+ "fieldName": "file_size",
+ "owner": "UBA_DLP",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "file_size",
+ "comment": ""
+ },
+ {
+ "fieldName": "match_count",
+ "owner": "UBA_DLP",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "match_count",
+ "comment": ""
+ },
+ {
+ "fieldName": "policy",
+ "owner": "UBA_DLP",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "policy",
+ "comment": ""
+ },
+ {
+ "fieldName": "prevention_status",
+ "owner": "UBA_DLP",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "prevention_status",
+ "comment": ""
+ },
+ {
+ "fieldName": "recipient",
+ "owner": "UBA_DLP",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "recipient",
+ "comment": ""
+ },
+ {
+ "fieldName": "restricted",
+ "owner": "UBA_DLP",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "restricted",
+ "comment": ""
+ },
+ {
+ "fieldName": "sender",
+ "owner": "UBA_DLP",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "sender",
+ "comment": ""
+ },
+ {
+ "fieldName": "serial_number",
+ "owner": "UBA_DLP",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "serial_number",
+ "comment": ""
+ },
+ {
+ "fieldName": "src_file",
+ "owner": "UBA_DLP",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "src_file",
+ "comment": ""
+ },
+ {
+ "fieldName": "src_host",
+ "owner": "UBA_DLP",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "src_host",
+ "comment": ""
+ },
+ {
+ "fieldName": "src_ip",
+ "owner": "UBA_DLP",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "src_ip",
+ "comment": ""
+ },
+ {
+ "fieldName": "src_path",
+ "owner": "UBA_DLP",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "src_path",
+ "comment": ""
+ },
+ {
+ "fieldName": "src_user",
+ "owner": "UBA_DLP",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "src_user",
+ "comment": ""
+ },
+ {
+ "fieldName": "subject",
+ "owner": "UBA_DLP",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "subject",
+ "comment": ""
+ },
+ {
+ "fieldName": "user_department",
+ "owner": "UBA_DLP",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "user_department",
+ "comment": ""
+ },
+ {
+ "fieldName": "vendor",
+ "owner": "UBA_DLP",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "vendor",
+ "comment": ""
+ },
+ {
+ "fieldName": "tag",
+ "owner": "UBA_DLP",
+ "type": "string",
+ "fieldSearch": "*",
+ "required": true,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "tag",
+ "comment": ""
+ },
+ {
+ "fieldName": "_time",
+ "owner": "BaseEvent",
+ "type": "timestamp",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "_time",
+ "comment": ""
+ },
+ {
+ "fieldName": "host",
+ "owner": "BaseEvent",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "host",
+ "comment": ""
+ },
+ {
+ "fieldName": "source",
+ "owner": "BaseEvent",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "source",
+ "comment": ""
+ },
+ {
+ "fieldName": "sourcetype",
+ "owner": "BaseEvent",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "sourcetype",
+ "comment": ""
+ }
+ ],
+ "calculations": [],
+ "constraints": [
+ {
+ "search": "index=*",
+ "owner": "UBA_DLP"
+ }
+ ],
+ "lineage": "UBA_DLP"
+ }
+ ],
+ "objectNameList": [
+ "UBA_DLP"
+ ]
+}
diff --git a/default/data/models/UBA_DNS.json b/default/data/models/UBA_DNS.json new file mode 100644
index 0000000..15c340e
--- /dev/null
+++ b/default/data/models/UBA_DNS.json
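Review bot: This model is named `UBA_DLP_Email` but its object is still `"objectName": "UBA_DLP"`, with `"lineage": "UBA_DLP"`, `"objectNameList": ["UBA_DLP"]` and every field's `owner` also `UBA_DLP`, i.e. the same object name the separate UBA_DLP model declares; anything that keys on model+object or on lineage (presumably the dictionary and validator views, which I cannot see from here) will not be able to tell the two apart, and the `displayName` alone does not disambiguate. The object name, lineage and objectNameList should be `UBA_DLP_Email`, and the `owner` on the 30 non-BaseEvent fields renamed to match. The constraint `"search": "index=*"` also differs from the DLP model's `index=main` and from the macro-plus-tags pattern of the other models, so this model would make the validator sweep every index with no tag filter; the same macro-based scoping as the other models is preferable here too.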
@@ -0,0 +1,266 @@
+{
+ "modelName": "UBA_DNS",
+ "displayName": "UBA DNS",
+ "description": "Splunk UBA DNS Data Model for CIM Validator App",
+ "objectSummary": {
+ "Event-Based": 1,
+ "Transaction-Based": 0,
+ "Search-Based": 0
+ },
+ "objects": [
+ {
+ "objectName": "UBA_DNS",
+ "displayName": "UBA DNS",
+ "parentName": "BaseEvent",
+ "comment": "",
+ "fields": [
+ {
+ "fieldName": "_time",
+ "owner": "BaseEvent",
+ "type": "timestamp",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "_time",
+ "comment": ""
+ },
+ {
+ "comment": {
+ "data_type": "string",
+ "description": "The resolved address for the query.",
+ "recommended": true,
+ "possible_values": "12.13.14.15"
+ },
+ "fieldName": "answer",
+ "owner": "UBA_DNS",
+ "type": "string",
+ "fieldSearch": "answer=*",
+ "required": true,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "answer"
+ },
+ {
+ "comment": {
+ "data_type": "string",
+ "description": "The destination IP address of the network resolution event.",
+ "recommended": false,
+ "possible_values": "192.168.1.14"
+ },
+ "fieldName": "dest_ip",
+ "owner": "UBA_DNS",
+ "type": "string",
+ "fieldSearch": "dest_ip=*",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "dest_ip"
+ },
+ {
+ "comment": {
+ "data_type": "integer",
+ "description": "The amount of time in seconds taken by the network resolution event.",
+ "recommended": false,
+ "possible_values": "1"
+ },
+ "fieldName": "duration",
+ "owner": "UBA_DNS",
+ "type": "number",
+ "fieldSearch": "duration=*",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "duration"
+ },
+ {
+ "fieldName": "host",
+ "owner": "BaseEvent",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "host",
+ "comment": ""
+ },
+ {
+ "comment": {
+ "data_type": "string",
+ "description": "The type of DNS message.",
+ "recommended": true,
+ "possible_values": "Query, Response"
+ },
+ "fieldName": "message_type",
+ "owner": "UBA_DNS",
+ "type": "string",
+ "fieldSearch": "message_type=*",
+ "required": true,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "message_type"
+ },
+ {
+ "comment": {
+ "data_type": "string",
+ "description": "The domain that needs to be resolved.",
+ "recommended": true,
+ "possible_values": "www.google.com"
+ },
+ "fieldName": "query",
+ "owner": "UBA_DNS",
+ "type": "string",
+ "fieldSearch": "query=*",
+ "required": true,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "query"
+ },
+ {
+ "comment": {
+ "data_type": "string",
+ "description": "The field may contain DNS OpCodes or Resource Record Type codes.",
+ "recommended": true,
+ "possible_values": "Query, IQuery, Status, Notify, Update, unknown, A, MX, NS, PTR"
+ },
+ "fieldName": "query_type",
+ "owner": "UBA_DNS",
+ "type": "string",
+ "fieldSearch": "query_type=*",
+ "required": true,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "query_type"
+ },
+ {
+ "comment": {
+ "data_type": "string",
+ "description": "The DNS resource record type.",
+ "recommended": false,
+ "possible_values": "A, DNAME, MX, NS, PTR"
+ },
+ "fieldName": "record_type",
+ "owner": "UBA_DNS",
+ "type": "string",
+ "fieldSearch": "record_type=*",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "record_type"
+ },
+ {
+ "fieldName": "source",
+ "owner": "BaseEvent",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "source",
+ "comment": ""
+ },
+ {
+ "fieldName": "sourcetype",
+ "owner": "BaseEvent",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "sourcetype",
+ "comment": ""
+ },
+ {
+ "comment": {
+ "data_type": "string",
+ "description": "The source IP address of the network resolution event.",
+ "recommended": true,
+ "possible_values": "192.168.1.11"
+ },
+ "fieldName": "src_ip",
+ "owner": "UBA_DNS",
+ "type": "string",
+ "fieldSearch": "src_ip=*",
+ "required": true,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "src_ip"
+ },
+ {
+ "comment": {
+ "data_type": "integer",
+ "description": "The source port of the network resolution event.",
+ "recommended": false,
+ "possible_values": "3022"
+ },
+ "fieldName": "src_port",
+ "owner": "UBA_DNS",
+ "type": "number",
+ "fieldSearch": "src_port=*",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "src_port"
+ },
+ {
+ "comment": {
+ "data_type": "string",
+ "description": "Splunk UBA categories rely on the tags from CIM-compliant events to correctly parse data from the Splunk platform. Review this table to determine which category in Splunk UBA corresponds to the CIM data model that the events in the Splunk platform are mapped to. Click the name of the Splunk UBA category to review the field mappings between Splunk UBA and the CIM data models.",
+ "recommended": true,
+ "possible_values": "network,resolution,dns"
+ },
+ "fieldName": "tag",
+ "owner": "UBA_DNS",
+ "type": "string",
+ "fieldSearch": "*",
+ "required": true,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "tag"
+ },
+ {
+ "comment": {
+ "data_type": "integer",
+ "description": "The time-to-live of the network resolution event.",
+ "recommended": false,
+ "possible_values": "2000"
+ },
+ "fieldName": "ttl",
+ "owner": "UBA_DNS",
+ "type": "number",
+ "fieldSearch": "ttl=*",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "ttl"
+ }
+ ],
+ "calculations": [],
+ "constraints": [
+ {
+ "search": "`uba_cim_dns_indexes` network resolution dns",
+ "owner": "UBA_DNS"
+ }
+ ],
+ "lineage": "UBA_DNS"
+ }
+ ],
+ "objectNameList": [
+ "UBA_DNS"
+ ]
+}
diff --git a/default/data/models/UBA_Database.json b/default/data/models/UBA_Database.json new file mode 100644
index 0000000..a739eec
--- /dev/null
+++ b/default/data/models/UBA_Database.json
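Review bot: The `query_type` and `record_type` field descriptions overlap: `query_type` says it "may contain DNS OpCodes or Resource Record Type codes" and lists `A, MX, NS, PTR` among its values, while `record_type` is "The DNS resource record type" with the same `A, MX, NS, PTR`, so a data owner mapping a source cannot tell which of the two (required vs. optional) the validator expects to carry the RR type. Since `query_type` is `required: true` and `record_type` is not, I would make the split explicit in the metadata, e.g. for `query_type` `"description": "The DNS OpCode of the request (Query, IQuery, Status, Notify, Update); use record_type for the resource record type."` and drop the RR values from its `possible_values`, or state that both are accepted if that is the intent.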
@@ -0,0 +1,419 @@ +{ + "modelName": "UBA_Database", + "displayName": "UBA Database", + "description": "Splunk UBA Database Data Model for CIM Validator App", + "objectSummary": { + "Event-Based": 1, + "Transaction-Based": 0, + "Search-Based": 0 + }, + "objects": [ + { + "objectName": "UBA_Database", + "displayName": "UBA Database", + "parentName": "BaseEvent", + "comment": "", + "fields": [ + { + "fieldName": "_time", + "owner": "BaseEvent", + "type": "timestamp", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "_time", + "comment": "" + }, + { + "comment": { + "data_type": "string", + "description": "The action performed by the user.", + "recommended": false, + "possible_values": "LOGON, LOGOFF, CREATE FUNCTION" + }, + "fieldName": "action_name", + "owner": "UBA_Database", + "type": "string", + "fieldSearch": "action_name=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "action_name" + }, + { + "comment": { + "data_type": "string", + "description": "The SQL query command.", + "recommended": false, + "possible_values": "select, locktable, insert, delete" + }, + "fieldName": "command_name", + "owner": "UBA_Database", + "type": "string", + "fieldSearch": "command_name=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "command_name" + }, + { + "comment": { + "data_type": "integer", + "description": "The number of commits per second performed by the user associated with the session.", + "recommended": false, + "possible_values": "5" + }, + "fieldName": "commits", + "owner": "UBA_Database", + "type": "number", + "fieldSearch": "commits=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "commits" + }, + { + "comment": { + "data_type": "integer", + "description": "The number of CPU centiseconds used by the session. 
Divide this value by 100 to get the CPU seconds.", + "recommended": false, + "possible_values": "1" + }, + "fieldName": "cpu_used", + "owner": "UBA_Database", + "type": "number", + "fieldSearch": "cpu_used=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "cpu_used" + }, + { + "comment": { + "data_type": "string", + "description": "The host name of the destination.", + "recommended": false, + "possible_values": "winhost2" + }, + "fieldName": "dest_host", + "owner": "UBA_Database", + "type": "string", + "fieldSearch": "dest_host=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dest_host" + }, + { + "comment": { + "data_type": "string", + "description": "The IP address of the destination.", + "recommended": false, + "possible_values": "2.2.2.2" + }, + "fieldName": "dest_ip", + "owner": "UBA_Database", + "type": "string", + "fieldSearch": "dest_ip=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dest_ip" + }, + { + "comment": { + "data_type": "integer", + "description": "The duration in seconds of the database connection.", + "recommended": false, + "possible_values": "241" + }, + "fieldName": "duration", + "owner": "UBA_Database", + "type": "number", + "fieldSearch": "duration=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "duration" + }, + { + "comment": { + "data_type": "integer", + "description": "The total amount of time in seconds that elapsed since the user started the session by logging into the database server.", + "recommended": false, + "possible_values": "10" + }, + "fieldName": "elapsed_time", + "owner": "UBA_Database", + "type": "number", + "fieldSearch": "elapsed_time=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "elapsed_time" + }, + { + "comment": { + "data_type": "string", + 
"description": "The type of event.", + "recommended": true, + "possible_values": "oracle_auth, oracle_session" + }, + "fieldName": "eventtype", + "owner": "UBA_Database", + "type": "string", + "fieldSearch": "eventtype=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "eventtype" + }, + { + "fieldName": "host", + "owner": "BaseEvent", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "host", + "comment": "" + }, + { + "comment": { + "data_type": "string", + "description": "The name of the database instance.", + "recommended": true, + "possible_values": "myinstance" + }, + "fieldName": "instance_name", + "owner": "UBA_Database", + "type": "string", + "fieldSearch": "instance_name=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "instance_name" + }, + { + "comment": { + "data_type": "string", + "description": "The name of the database object.", + "recommended": false, + "possible_values": "view1, index1" + }, + "fieldName": "object", + "owner": "UBA_Database", + "type": "string", + "fieldSearch": "object=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "object" + }, + { + "comment": { + "data_type": "string", + "description": "The full database query.", + "recommended": false, + "possible_values": "select * from my_table" + }, + "fieldName": "query", + "owner": "UBA_Database", + "type": "string", + "fieldSearch": "query=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "query" + }, + { + "comment": { + "data_type": "integer", + "description": "The number of records affected by the database query.", + "recommended": false, + "possible_values": "1" + }, + "fieldName": "records_affected", + "owner": "UBA_Database", + "type": "number", + "fieldSearch": 
"records_affected=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "records_affected" + }, + { + "fieldName": "source", + "owner": "BaseEvent", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "source", + "comment": "" + }, + { + "fieldName": "sourcetype", + "owner": "BaseEvent", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "sourcetype", + "comment": "" + }, + { + "comment": { + "data_type": "string", + "description": "The domain name of the source server of the database event.", + "recommended": false, + "possible_values": "winhost1" + }, + "fieldName": "src_host", + "owner": "UBA_Database", + "type": "string", + "fieldSearch": "src_host=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_host" + }, + { + "comment": { + "data_type": "string", + "description": "The IP address of the source server of the database event.", + "recommended": false, + "possible_values": "10.10.10.12" + }, + "fieldName": "src_ip", + "owner": "UBA_Database", + "type": "string", + "fieldSearch": "src_ip=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_ip" + }, + { + "comment": { + "data_type": "string", + "description": "The names of the tables hit by the query.", + "recommended": false, + "possible_values": "table1, table2" + }, + "fieldName": "tables_hit", + "owner": "UBA_Database", + "type": "string", + "fieldSearch": "tables_hit=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "tables_hit" + }, + { + "comment": { + "data_type": "string", + "description": "The name of the tablespace.", + "recommended": false, + "possible_values": "my table space" + }, + "fieldName": 
"tablespace_name", + "owner": "UBA_Database", + "type": "string", + "fieldSearch": "tablespace_name=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "tablespace_name" + }, + { + "comment": { + "data_type": "string", + "description": "Splunk UBA categories rely on the tags from CIM-compliant events to correctly parse data from the Splunk platform. Review this table to determine which category in Splunk UBA corresponds to the CIM data model that the events in the Splunk platform are mapped to. Click the name of the Splunk UBA category to review the field mappings between Splunk UBA and the CIM data models.", + "recommended": true, + "possible_values": "database" + }, + "fieldName": "tag", + "owner": "UBA_Database", + "type": "string", + "fieldSearch": "*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "tag" + }, + { + "comment": { + "data_type": "string", + "description": "The name of the database process user.", + "recommended": true, + "possible_values": "cronaldo" + }, + "fieldName": "user", + "owner": "UBA_Database", + "type": "string", + "fieldSearch": "user=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "user" + }, + { + "comment": { + "data_type": "string", + "description": "The vendor and product name of the database system. This field can be automatically populated by vendor and product fields in your data.", + "recommended": false, + "possible_values": "oracle" + }, + "fieldName": "vendor", + "owner": "UBA_Database", + "type": "string", + "fieldSearch": "vendor=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "vendor" + } + ], + "calculations": [], + "constraints": [ + { + "search": "`uba_cim_database_indexes` database", + "owner": "UBA_Database" + } + ], + "lineage": "UBA_Database" + } + ], + "objectNameList": [ + "UBA_Database" + ] +} 
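Review bot: The `query` and `tables_hit` fields capture full SQL text ("select * from my_table"), and raw statements routinely embed literals such as passwords in `CREATE USER ... IDENTIFIED BY` or PII in `WHERE` clauses, so the description should carry a caveat such as `The full database query. Raw statements may contain credentials or PII; mask them at ingest before the model is accelerated.` The `vendor` description ("The vendor and product name ... automatically populated by vendor and product fields") reads like the CIM `vendor_product` text, while the field name and the example `oracle` describe the vendor alone, so one of the two should be corrected. `src_host` is described as "the domain name of the source server" whereas `dest_host` is "the host name of the destination"; presumably both are host names. The constraint search is the `uba_cim_database_indexes` macro followed by the bare keyword `database` rather than `tag=database`; unless the macro supplies the tag filter, that matches on raw event text rather than on CIM-tagged events, which contradicts the `tag` field's own description.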
diff --git a/default/data/models/UBA_Email.json b/default/data/models/UBA_Email.json
new file mode 100644
index 0000000..20a6d06
--- /dev/null
+++ b/default/data/models/UBA_Email.json
@@ -0,0 +1,215 @@ +{ + "modelName": "UBA_Email", + "displayName": "UBA Email", + "description": "Splunk UBA Email Data Model for CIM Validator App", + "objectSummary": { + "Event-Based": 1, + "Transaction-Based": 0, + "Search-Based": 0 + }, + "objects": [ + { + "objectName": "UBA_Email", + "displayName": "UBA Email", + "parentName": "BaseEvent", + "comment": "", + "fields": [ + { + "fieldName": "_time", + "owner": "BaseEvent", + "type": "timestamp", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "_time", + "comment": "" + }, + { + "comment": { + "data_type": "string", + "description": "The action taken by the reporting device.", + "recommended": false, + "possible_values": "delivered, blocked, quarantined, deleted, unknown" + }, + "fieldName": "action", + "owner": "UBA_Email", + "type": "string", + "fieldSearch": "action=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "action" + }, + { + "comment": { + "data_type": "string", + "description": "The names of the files attached to the message, if any.", + "recommended": false, + "possible_values": "example.txt" + }, + "fieldName": "file_name", + "owner": "UBA_Email", + "type": "string", + "fieldSearch": "file_name=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "file_name" + }, + { + "comment": { + "data_type": "integer", + "description": "The size of the file attached to the message, if any. 
If the message has multiple attachments, the sum value of all attachments as a single integer.", + "recommended": false, + "possible_values": "10280" + }, + "fieldName": "file_size", + "owner": "UBA_Email", + "type": "number", + "fieldSearch": "file_size=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "file_size" + }, + { + "fieldName": "host", + "owner": "BaseEvent", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "host", + "comment": "" + }, + { + "comment": { + "data_type": "string", + "description": "A field listing individual recipient email addresses.", + "recommended": true, + "possible_values": "abc@example.com, bcd@example.com" + }, + "fieldName": "recipient", + "owner": "UBA_Email", + "type": "string", + "fieldSearch": "recipient=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "recipient" + }, + { + "fieldName": "source", + "owner": "BaseEvent", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "source", + "comment": "" + }, + { + "fieldName": "sourcetype", + "owner": "BaseEvent", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "sourcetype", + "comment": "" + }, + { + "comment": { + "data_type": "string", + "description": "The system that sent the message. 
You can alias this from more specific fields, such as\u00a0src_host,\u00a0src_ip, or\u00a0src_name.", + "recommended": false, + "possible_values": "11.12.13.14" + }, + "fieldName": "src", + "owner": "UBA_Email", + "type": "string", + "fieldSearch": "src=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src" + }, + { + "comment": { + "data_type": "string", + "description": "The email address of the message sender.", + "recommended": false, + "possible_values": "tony@stark.co" + }, + "fieldName": "src_user", + "owner": "UBA_Email", + "type": "string", + "fieldSearch": "src_user=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_user" + }, + { + "comment": { + "data_type": "string", + "description": "The subject of the email message.", + "recommended": true, + "possible_values": "Important Message, Meeting Agenda Update" + }, + "fieldName": "subject", + "owner": "UBA_Email", + "type": "string", + "fieldSearch": "subject=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "subject" + }, + { + "comment": { + "data_type": "string", + "description": "Splunk UBA categories rely on the tags from CIM-compliant events to correctly parse data from the Splunk platform. Review this table to determine which category in Splunk UBA corresponds to the CIM data model that the events in the Splunk platform are mapped to. 
Click the name of the Splunk UBA category to review the field mappings between Splunk UBA and the CIM data models.", + "recommended": true, + "possible_values": "email" + }, + "fieldName": "tag", + "owner": "UBA_Email", + "type": "string", + "fieldSearch": "*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "tag" + } + ], + "calculations": [], + "constraints": [ + { + "search": "`uba_cim_email_indexes` email", + "owner": "UBA_Email" + } + ], + "lineage": "UBA_Email" + } + ], + "objectNameList": [ + "UBA_Email" + ] +} diff --git a/default/data/models/UBA_Endpoint_Filesystem.json b/default/data/models/UBA_Endpoint_Filesystem.json new file mode 100644 index 0000000..27732d7 --- /dev/null +++ b/default/data/models/UBA_Endpoint_Filesystem.json 
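Review bot: `recipient` is documented as "individual recipient email addresses" with the example "abc@example.com, bcd@example.com", yet it is declared `"multivalue": false`; the same holds for `file_name` ("the names of the files attached"). If these are meant to hold one address or attachment per value, as the plural descriptions suggest, set `"multivalue": true` on both so a multi-recipient message is not flattened into one comma-joined string that per-recipient analytics cannot split. Several descriptions (for example `src`, "such as\u00a0src_host") embed U+00A0 non-breaking spaces copied from the docs; replace them with ordinary spaces so the text wraps and searches normally. `subject` is marked required while `src_user` (the sender) is not; if that is deliberate, a short note in the description would help, since a model that insists on subject but tolerates a missing sender reads as inverted for behaviour analytics.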
@@ -0,0 +1,538 @@ +{ + "modelName": "UBA_Endpoint_Filesystem", + "displayName": "UBA Endpoint Filesystem", + "description": "Splunk UBA Endpoint Filesystem Data Model for CIM Validator App. \n- An entity is required in order to generate anomalies mapped to Lateral Movement threats.\n- Splunk UBA requires the following tag combinations to process endpoint category events:\nTo properly parse port data, Splunk UBA requires listening, port.\nTo properly parse process data, Splunk UBA requires process, report.\nTo properly parse service data, Splunk UBA requires tag=service, tag=report.\nTo properly parse filesystem data, Splunk UBA requires tag=endpoint, tag=filesystem.\nTo properly parse registry data, Splunk UBA requires tag=endpoint, tag=registry.\n- The Endpoint category contains multiple datasets. Some fields have the same names across multiple datasets.", + "objectSummary": { + "Event-Based": 1, + "Transaction-Based": 0, + "Search-Based": 0 + }, + "objects": [ + { + "objectName": "UBA_Endpoint_Filesystem", + "displayName": "UBA Endpoint Filesystem", + "parentName": "BaseEvent", + "comment": "", + "fields": [ + { + "fieldName": "_time", + "owner": "BaseEvent", + "type": "timestamp", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "_time", + "comment": "" + }, + { + "comment": { + "data_type": "string", + "description": "The action taken by the endpoint.", + "recommended": true, + "possible_values": "allowed, blocked" + }, + "fieldName": "action", + "owner": "UBA_Endpoint_Filesystem", + "type": "string", + "fieldSearch": "action=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "action" + }, + { + "comment": { + "data_type": "string", + "description": "The categories that this external alarm belongs to. Multiple categories can be separated by comma. 
The values must be one or more of the categories in\u00a0Filter the anomaly table.", + "recommended": false, + "possible_values": "Exfiltration" + }, + "fieldName": "alarmCategories", + "owner": "UBA_Endpoint_Filesystem", + "type": "string", + "fieldSearch": "alarmCategories=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "alarmCategories" + }, + { + "comment": { + "data_type": "string", + "description": "The event category, if applicable.", + "recommended": false, + "possible_values": "malware, watchlist.hit.ingress.process" + }, + "fieldName": "category", + "owner": "UBA_Endpoint_Filesystem", + "type": "string", + "fieldSearch": "category=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "category" + }, + { + "comment": { + "data_type": "string", + "description": "The host name of the endpoint.", + "recommended": true, + "possible_values": "winhost1" + }, + "fieldName": "dest_host", + "owner": "UBA_Endpoint_Filesystem", + "type": "string", + "fieldSearch": "dest_host=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dest_host" + }, + { + "comment": { + "data_type": "string", + "description": "IP address of the endpoint where the activity happened.", + "recommended": false, + "possible_values": "1.1.1.1" + }, + "fieldName": "dest_ip", + "owner": "UBA_Endpoint_Filesystem", + "type": "string", + "fieldSearch": "dest_ip=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dest_ip" + }, + { + "comment": { + "data_type": "string", + "description": "The NT domain of the endpoint, if applicable.", + "recommended": false, + "possible_values": "acme" + }, + "fieldName": "dest_nt_domain", + "owner": "UBA_Endpoint_Filesystem", + "type": "string", + "fieldSearch": "dest_nt_domain=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": 
true, + "displayName": "dest_nt_domain" + }, + { + "comment": { + "data_type": "string", + "description": "The host name of the endpoint.", + "recommended": true, + "possible_values": "winhost1" + }, + "fieldName": "endpoint_dns", + "owner": "UBA_Endpoint_Filesystem", + "type": "string", + "fieldSearch": "endpoint_dns=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "endpoint_dns" + }, + { + "comment": { + "data_type": "string", + "description": "IP address of the endpoint where the activity happened.", + "recommended": false, + "possible_values": "1.1.1.1" + }, + "fieldName": "endpoint_ip", + "owner": "UBA_Endpoint_Filesystem", + "type": "string", + "fieldSearch": "endpoint_ip=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "endpoint_ip" + }, + { + "comment": { + "data_type": "string", + "description": "The NT domain of the endpoint, if applicable.", + "recommended": false, + "possible_values": "acme" + }, + "fieldName": "endpoint_nt_domain", + "owner": "UBA_Endpoint_Filesystem", + "type": "string", + "fieldSearch": "endpoint_nt_domain=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "endpoint_nt_domain" + }, + { + "comment": { + "data_type": "integer", + "description": "Network port listening on the endpoint.", + "recommended": false, + "possible_values": "53" + }, + "fieldName": "endpoint_port", + "owner": "UBA_Endpoint_Filesystem", + "type": "number", + "fieldSearch": "endpoint_port=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "endpoint_port" + }, + { + "comment": { + "data_type": "integer", + "description": "The event ID or code for the activity.", + "recommended": false, + "possible_values": "7045" + }, + "fieldName": "event_id", + "owner": "UBA_Endpoint_Filesystem", + "type": "number", + "fieldSearch": "event_id=*", + "required": false, + 
"multivalue": false, + "hidden": false, + "editable": true, + "displayName": "event_id" + }, + { + "comment": { + "data_type": "string", + "description": "The type of the event.", + "recommended": true, + "possible_values": "symantec_ep_risk_alert_virus, A service was installed in the system" + }, + "fieldName": "eventtype", + "owner": "UBA_Endpoint_Filesystem", + "type": "string", + "fieldSearch": "eventtype=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "eventtype" + }, + { + "comment": { + "data_type": "integer", + "description": "The epoch time that the file (the object of the event) was accessed.", + "recommended": true, + "possible_values": "1547749588" + }, + "fieldName": "file_access_time", + "owner": "UBA_Endpoint_Filesystem", + "type": "number", + "fieldSearch": "file_access_time=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "file_access_time" + }, + { + "comment": { + "data_type": "string", + "description": "Access controls associated with the file affected by the event.", + "recommended": true, + "possible_values": "readonly" + }, + "fieldName": "file_acl", + "owner": "UBA_Endpoint_Filesystem", + "type": "string", + "fieldSearch": "file_acl=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "file_acl" + }, + { + "comment": { + "data_type": "integer", + "description": "The epoch time that the file (the object of the event) was created.", + "recommended": true, + "possible_values": "1547749588" + }, + "fieldName": "file_create_time", + "owner": "UBA_Endpoint_Filesystem", + "type": "number", + "fieldSearch": "file_create_time=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "file_create_time" + }, + { + "comment": { + "data_type": "integer", + "description": "The epoch time that the file (the object of the event) was altered.", + 
"recommended": true, + "possible_values": "1547749588" + }, + "fieldName": "file_modify_time", + "owner": "UBA_Endpoint_Filesystem", + "type": "number", + "fieldSearch": "file_modify_time=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "file_modify_time" + }, + { + "comment": { + "data_type": "string", + "description": "The name of the file.", + "recommended": true, + "possible_values": "notepad.exe" + }, + "fieldName": "file_name", + "owner": "UBA_Endpoint_Filesystem", + "type": "string", + "fieldSearch": "file_name=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "file_name" + }, + { + "comment": { + "data_type": "string", + "description": "The path of the file.", + "recommended": true, + "possible_values": "C:\\Windows\\System32\\notepad.exe" + }, + "fieldName": "file_path", + "owner": "UBA_Endpoint_Filesystem", + "type": "string", + "fieldSearch": "file_path=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "file_path" + }, + { + "comment": { + "data_type": "integer", + "description": "The size in kilobytes of the file that is the object of the event.", + "recommended": true, + "possible_values": "5346" + }, + "fieldName": "file_size", + "owner": "UBA_Endpoint_Filesystem", + "type": "number", + "fieldSearch": "file_size=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "file_size" + }, + { + "fieldName": "host", + "owner": "BaseEvent", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "host", + "comment": "" + }, + { + "comment": { + "data_type": "string", + "description": "The severity of the endpoint event.", + "recommended": false, + "possible_values": "informational, unknown, low, medium, high, critical" + }, + "fieldName": "severity", + "owner": 
"UBA_Endpoint_Filesystem", + "type": "string", + "fieldSearch": "severity=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "severity" + }, + { + "comment": { + "data_type": "string", + "description": "The sub-category or signature of the event, if applicable.", + "recommended": false, + "possible_values": "process_blocking" + }, + "fieldName": "signature", + "owner": "UBA_Endpoint_Filesystem", + "type": "string", + "fieldSearch": "signature=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "signature" + }, + { + "fieldName": "source", + "owner": "BaseEvent", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "source", + "comment": "" + }, + { + "fieldName": "sourcetype", + "owner": "BaseEvent", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "sourcetype", + "comment": "" + }, + { + "comment": { + "data_type": "string", + "description": "The hostname of the \"remote\" system connected to the listening port (if applicable)", + "recommended": false, + "possible_values": "acmehost1" + }, + "fieldName": "src_dns", + "owner": "UBA_Endpoint_Filesystem", + "type": "string", + "fieldSearch": "src_dns=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_dns" + }, + { + "comment": { + "data_type": "string", + "description": "The hostname of the \"remote\" system connected to the listening port (if applicable)", + "recommended": false, + "possible_values": "acmehost1" + }, + "fieldName": "src_host", + "owner": "UBA_Endpoint_Filesystem", + "type": "string", + "fieldSearch": "src_host=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_host" + }, + { + "comment": { + "data_type": 
"string", + "description": "The IP address of the \"remote\" system connected to the listening port (if applicable).", + "recommended": false, + "possible_values": "2.2.2.2" + }, + "fieldName": "src_ip", + "owner": "UBA_Endpoint_Filesystem", + "type": "string", + "fieldSearch": "src_ip=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_ip" + }, + { + "comment": { + "data_type": "integer", + "description": "The \"remote\" port connected to the listening port (if applicable).", + "recommended": false, + "possible_values": "53" + }, + "fieldName": "src_port", + "owner": "UBA_Endpoint_Filesystem", + "type": "number", + "fieldSearch": "src_port=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_port" + }, + { + "comment": { + "data_type": "string", + "description": "Splunk UBA categories rely on the tags from CIM-compliant events to correctly parse data from the Splunk platform. Review this table to determine which category in Splunk UBA corresponds to the CIM data model that the events in the Splunk platform are mapped to. 
Click the name of the Splunk UBA category to review the field mappings between Splunk UBA and the CIM data models.", + "recommended": true, + "possible_values": "endpoint,filesystem" + }, + "fieldName": "tag", + "owner": "UBA_Endpoint_Filesystem", + "type": "string", + "fieldSearch": "*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "tag" + }, + { + "comment": { + "data_type": "string", + "description": "The user account associated with the service or the filesystem access, or the registry access.", + "recommended": true, + "possible_values": "cronaldo" + }, + "fieldName": "user", + "owner": "UBA_Endpoint_Filesystem", + "type": "string", + "fieldSearch": "user=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "user" + } + ], + "calculations": [], + "constraints": [ + { + "search": "`uba_cim_endpoint_indexes` endpoint filesystem", + "owner": "UBA_Endpoint_Filesystem" + } + ], + "lineage": "UBA_Endpoint_Filesystem" + } + ], + "objectNameList": [ + "UBA_Endpoint_Filesystem" + ] +} diff --git a/default/data/models/UBA_Endpoint_Port.json b/default/data/models/UBA_Endpoint_Port.json new file mode 100644 index 0000000..3249675 --- /dev/null +++ b/default/data/models/UBA_Endpoint_Port.json 
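Review bot: The model description states that filesystem data requires `tag=endpoint, tag=filesystem`, but the constraint search is the `uba_cim_endpoint_indexes` macro followed by the bare keywords `endpoint filesystem`, which match raw event text rather than tags; unless the macro adds the tag filter, the constraint should read `tag=endpoint tag=filesystem`. Several field descriptions are copied from sibling datasets and do not fit a filesystem event: `alarmCategories` talks about "this external alarm", `src_dns`/`src_host`/`src_ip`/`src_port`/`endpoint_port` refer to "the listening port", and `eventtype` lists "A service was installed in the system". `dest_host` and `endpoint_dns` are duplicates with identical descriptions and both are `"required": true`, so an event carrying only the CIM `dest_host` would be flagged as non-compliant; the same pairing exists for `dest_ip`/`endpoint_ip` and `dest_nt_domain`/`endpoint_nt_domain`. `file_acl`, `file_access_time`, `file_create_time` and `file_modify_time` are also all required, which typical file-create/modify telemetry (Sysmon-style events) does not populate; presumably these should be `"recommended": true, "required": false` unless UBA genuinely cannot score the event without them.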
@@ -0,0 +1,572 @@
+{
+ "modelName": "UBA_Endpoint_Port",
+ "displayName": "UBA Endpoint Port",
+ "description": "Splunk UBA Endpoint Port Data Model for CIM Validator App. \n- An entity is required in order to generate anomalies mapped to Lateral Movement threats.\n- Splunk UBA requires the following tag combinations to process endpoint category events:\nTo properly parse port data, Splunk UBA requires listening, port.\nTo properly parse process data, Splunk UBA requires process, report.\nTo properly parse service data, Splunk UBA requires tag=service, tag=report.\nTo properly parse filesystem data, Splunk UBA requires tag=endpoint, tag=filesystem.\nTo properly parse registry data, Splunk UBA requires tag=endpoint, tag=registry.\n- The Endpoint category contains multiple datasets. Some fields have the same names across multiple datasets.",
+ "objectSummary": {
+ "Event-Based": 1,
+ "Transaction-Based": 0,
+ "Search-Based": 0
+ },
+ "objects": [
+ {
+ "objectName": "UBA_Endpoint_Port",
+ "displayName": "UBA Endpoint Port",
+ "parentName": "BaseEvent",
+ "comment": "",
+ "fields": [
+ {
+ "fieldName": "_time",
+ "owner": "BaseEvent",
+ "type": "timestamp",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "_time",
+ "comment": ""
+ },
+ {
+ "comment": {
+ "data_type": "string",
+ "description": "The action taken by the endpoint.",
+ "recommended": true,
+ "possible_values": "allowed, blocked"
+ },
+ "fieldName": "action",
+ "owner": "UBA_Endpoint_Port",
+ "type": "string",
+ "fieldSearch": "action=*",
+ "required": true,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "action"
+ },
+ {
+ "comment": {
+ "data_type": "string",
+ "description": "The categories that this external alarm belongs to. Multiple categories can be separated by comma. 
The values must be one or more of the categories in\u00a0Filter the anomaly table.", + "recommended": false, + "possible_values": "Exfiltration" + }, + "fieldName": "alarmCategories", + "owner": "UBA_Endpoint_Port", + "type": "string", + "fieldSearch": "alarmCategories=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "alarmCategories" + }, + { + "comment": { + "data_type": "string", + "description": "The event category, if applicable.", + "recommended": false, + "possible_values": "malware, watchlist.hit.ingress.process" + }, + "fieldName": "category", + "owner": "UBA_Endpoint_Port", + "type": "string", + "fieldSearch": "category=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "category" + }, + { + "comment": { + "data_type": "integer", + "description": "CPU load consumed by the process (in percent)", + "recommended": false, + "possible_values": "85" + }, + "fieldName": "cpu_load_percent", + "owner": "UBA_Endpoint_Port", + "type": "number", + "fieldSearch": "cpu_load_percent=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "cpu_load_percent" + }, + { + "comment": { + "data_type": "integer", + "description": "The epoch time at which the network port started listening on the endpoint.", + "recommended": false, + "possible_values": "1547749588" + }, + "fieldName": "creation_time", + "owner": "UBA_Endpoint_Port", + "type": "number", + "fieldSearch": "creation_time=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "creation_time" + }, + { + "comment": { + "data_type": "string", + "description": "The host name of the endpoint.", + "recommended": true, + "possible_values": "winhost1" + }, + "fieldName": "dest_host", + "owner": "UBA_Endpoint_Port", + "type": "string", + "fieldSearch": "dest_host=*", + "required": true, + "multivalue": false, + "hidden": 
false, + "editable": true, + "displayName": "dest_host" + }, + { + "comment": { + "data_type": "string", + "description": "IP address of the endpoint where the activity happened.", + "recommended": false, + "possible_values": "1.1.1.1" + }, + "fieldName": "dest_ip", + "owner": "UBA_Endpoint_Port", + "type": "string", + "fieldSearch": "dest_ip=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dest_ip" + }, + { + "comment": { + "data_type": "string", + "description": "The NT domain of the endpoint, if applicable.", + "recommended": false, + "possible_values": "acme" + }, + "fieldName": "dest_nt_domain", + "owner": "UBA_Endpoint_Port", + "type": "string", + "fieldSearch": "dest_nt_domain=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dest_nt_domain" + }, + { + "comment": { + "data_type": "integer", + "description": "The network port listening on the endpoint.", + "recommended": true, + "possible_values": "53" + }, + "fieldName": "dest_port", + "owner": "UBA_Endpoint_Port", + "type": "number", + "fieldSearch": "dest_port=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dest_port" + }, + { + "comment": { + "data_type": "string", + "description": "The host name of the endpoint.", + "recommended": true, + "possible_values": "winhost1" + }, + "fieldName": "endpoint_dns", + "owner": "UBA_Endpoint_Port", + "type": "string", + "fieldSearch": "endpoint_dns=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "endpoint_dns" + }, + { + "comment": { + "data_type": "string", + "description": "IP address of the endpoint where the activity happened.", + "recommended": false, + "possible_values": "1.1.1.1" + }, + "fieldName": "endpoint_ip", + "owner": "UBA_Endpoint_Port", + "type": "string", + "fieldSearch": "endpoint_ip=*", + "required": false, + "multivalue": false, + 
"hidden": false, + "editable": true, + "displayName": "endpoint_ip" + }, + { + "comment": { + "data_type": "string", + "description": "The NT domain of the endpoint, if applicable.", + "recommended": false, + "possible_values": "acme" + }, + "fieldName": "endpoint_nt_domain", + "owner": "UBA_Endpoint_Port", + "type": "string", + "fieldSearch": "endpoint_nt_domain=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "endpoint_nt_domain" + }, + { + "comment": { + "data_type": "integer", + "description": "Network port listening on the endpoint.", + "recommended": false, + "possible_values": "53" + }, + "fieldName": "endpoint_port", + "owner": "UBA_Endpoint_Port", + "type": "number", + "fieldSearch": "endpoint_port=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "endpoint_port" + }, + { + "comment": { + "data_type": "integer", + "description": "The event ID or code for the activity.", + "recommended": false, + "possible_values": "7045" + }, + "fieldName": "event_id", + "owner": "UBA_Endpoint_Port", + "type": "number", + "fieldSearch": "event_id=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "event_id" + }, + { + "comment": { + "data_type": "string", + "description": "The type of the event.", + "recommended": true, + "possible_values": "symantec_ep_risk_alert_virus, A service was installed in the system" + }, + "fieldName": "eventtype", + "owner": "UBA_Endpoint_Port", + "type": "string", + "fieldSearch": "eventtype=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "eventtype" + }, + { + "fieldName": "host", + "owner": "BaseEvent", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "host", + "comment": "" + }, + { + "comment": { + "data_type": "integer", + 
"description": "Memory in bytes used by the process.", + "recommended": false, + "possible_values": "12345" + }, + "fieldName": "mem_used", + "owner": "UBA_Endpoint_Port", + "type": "number", + "fieldSearch": "mem_used=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "mem_used" + }, + { + "comment": { + "data_type": "string", + "description": "The operating system of the resource.", + "recommended": false, + "possible_values": "Microsoft Windows Server 2008r2" + }, + "fieldName": "os", + "owner": "UBA_Endpoint_Port", + "type": "string", + "fieldSearch": "os=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "os" + }, + { + "comment": { + "data_type": "integer", + "description": "The numeric identifier of the process assigned by the operating system.", + "recommended": false, + "possible_values": "12345" + }, + "fieldName": "process_id", + "owner": "UBA_Endpoint_Port", + "type": "number", + "fieldSearch": "process_id=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "process_id" + }, + { + "comment": { + "data_type": "string", + "description": "The severity of the endpoint event.", + "recommended": false, + "possible_values": "informational, unknown, low, medium, high, critical" + }, + "fieldName": "severity", + "owner": "UBA_Endpoint_Port", + "type": "string", + "fieldSearch": "severity=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "severity" + }, + { + "comment": { + "data_type": "string", + "description": "The sub-category or signature of the event, if applicable.", + "recommended": false, + "possible_values": "process_blocking" + }, + "fieldName": "signature", + "owner": "UBA_Endpoint_Port", + "type": "string", + "fieldSearch": "signature=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": 
"signature" + }, + { + "fieldName": "source", + "owner": "BaseEvent", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "source", + "comment": "" + }, + { + "fieldName": "sourcetype", + "owner": "BaseEvent", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "sourcetype", + "comment": "" + }, + { + "comment": { + "data_type": "string", + "description": "The hostname of the \"remote\" system connected to the listening port (if applicable)", + "recommended": true, + "possible_values": "acmehost1" + }, + "fieldName": "src_dns", + "owner": "UBA_Endpoint_Port", + "type": "string", + "fieldSearch": "src_dns=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_dns" + }, + { + "comment": { + "data_type": "string", + "description": "The hostname of the \"remote\" system connected to the listening port (if applicable)", + "recommended": true, + "possible_values": "acmehost1" + }, + "fieldName": "src_host", + "owner": "UBA_Endpoint_Port", + "type": "string", + "fieldSearch": "src_host=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_host" + }, + { + "comment": { + "data_type": "string", + "description": "The IP address of the \"remote\" system connected to the listening port (if applicable).", + "recommended": false, + "possible_values": "2.2.2.2" + }, + "fieldName": "src_ip", + "owner": "UBA_Endpoint_Port", + "type": "string", + "fieldSearch": "src_ip=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_ip" + }, + { + "comment": { + "data_type": "integer", + "description": "The \"remote\" port connected to the listening port (if applicable).", + "recommended": true, + "possible_values": "53" + }, + "fieldName": "src_port", + 
"owner": "UBA_Endpoint_Port", + "type": "number", + "fieldSearch": "src_port=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_port" + }, + { + "comment": { + "data_type": "string", + "description": "The status of the listening port.", + "recommended": true, + "possible_values": "established, listening" + }, + "fieldName": "state", + "owner": "UBA_Endpoint_Port", + "type": "string", + "fieldSearch": "state=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "state" + }, + { + "comment": { + "data_type": "string", + "description": "Splunk UBA categories rely on the tags from CIM-compliant events to correctly parse data from the Splunk platform. Review this table to determine which category in Splunk UBA corresponds to the CIM data model that the events in the Splunk platform are mapped to. Click the name of the Splunk UBA category to review the field mappings between Splunk UBA and the CIM data models.", + "recommended": true, + "possible_values": "listening,port" + }, + "fieldName": "tag", + "owner": "UBA_Endpoint_Port", + "type": "string", + "fieldSearch": "*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "tag" + }, + { + "comment": { + "data_type": "string", + "description": "The network transport protocol associated with the listening port.", + "recommended": true, + "possible_values": "tcp, udp" + }, + "fieldName": "transport", + "owner": "UBA_Endpoint_Port", + "type": "string", + "fieldSearch": "transport=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "transport" + }, + { + "comment": { + "data_type": "string", + "description": "The user account that spawned the process.", + "recommended": true, + "possible_values": "cronaldo" + }, + "fieldName": "user", + "owner": "UBA_Endpoint_Port", + "type": "string", + "fieldSearch": "user=*", + "required": 
true,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "user"
+ },
+ {
+ "comment": {
+ "data_type": "string",
+ "description": "The vendor and product name of the Endpoint solution that reported the event.",
+ "recommended": false,
+ "possible_values": "Carbon Black Cb Response"
+ },
+ "fieldName": "vendor_product",
+ "owner": "UBA_Endpoint_Port",
+ "type": "string",
+ "fieldSearch": "vendor_product=*",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "vendor_product"
+ }
+ ],
+ "calculations": [],
+ "constraints": [
+ {
+ "search": "`uba_cim_endpoint_indexes` listening port",
+ "owner": "UBA_Endpoint_Port"
+ }
+ ],
+ "lineage": "UBA_Endpoint_Port"
+ }
+ ],
+ "objectNameList": [
+ "UBA_Endpoint_Port"
+ ]
+}
diff --git a/default/data/models/UBA_Endpoint_Processes.json b/default/data/models/UBA_Endpoint_Processes.json
new file mode 100644
index 0000000..6967bbf
--- /dev/null
+++ b/default/data/models/UBA_Endpoint_Processes.json
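Review bot: `src_dns`, `src_host` and `src_port` are marked `"required": true` (and `"recommended": true`) although their own descriptions say "(if applicable)"; a record with `state=listening` has no remote peer, so every listening-only event would fail validation on fields the model itself treats as optional, whereas the Filesystem dataset keeps `src_port` at `"required": false` (L57). Suggest `"required": false` on those three entries, or a description that states when the remote-side fields become mandatory. `src_dns`/`src_host` and `dest_host`/`endpoint_dns` are pairs with identical descriptions and examples, so each comment should name which one is the canonical field and which is the alias. Separately, the constraint `` `uba_cim_endpoint_indexes` listening port `` selects on bare search terms; if the listening/port tags are the intended selector, as the model description states, `tag=listening tag=port` pins that, and the same pattern is used in the Filesystem constraint (L58) and the Processes constraint (L76).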
@@ -0,0 +1,640 @@
+{
+ "modelName": "UBA_Endpoint_Processes",
+ "displayName": "UBA Endpoint Processes",
+ "description": "Splunk UBA Endpoint Processes Data Model for CIM Validator App. \n- An entity is required in order to generate anomalies mapped to Lateral Movement threats.\n- Splunk UBA requires the following tag combinations to process endpoint category events:\nTo properly parse port data, Splunk UBA requires listening, port.\nTo properly parse process data, Splunk UBA requires process, report.\nTo properly parse service data, Splunk UBA requires tag=service, tag=report.\nTo properly parse filesystem data, Splunk UBA requires tag=endpoint, tag=filesystem.\nTo properly parse registry data, Splunk UBA requires tag=endpoint, tag=registry.\n- The Endpoint category contains multiple datasets. Some fields have the same names across multiple datasets.",
+ "objectSummary": {
+ "Event-Based": 1,
+ "Transaction-Based": 0,
+ "Search-Based": 0
+ },
+ "objects": [
+ {
+ "objectName": "UBA_Endpoint_Processes",
+ "displayName": "UBA Endpoint Processes",
+ "parentName": "BaseEvent",
+ "comment": "",
+ "fields": [
+ {
+ "fieldName": "_time",
+ "owner": "BaseEvent",
+ "type": "timestamp",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "_time",
+ "comment": ""
+ },
+ {
+ "comment": {
+ "data_type": "string",
+ "description": "The action taken by the endpoint.",
+ "recommended": true,
+ "possible_values": "allowed, blocked"
+ },
+ "fieldName": "action",
+ "owner": "UBA_Endpoint_Processes",
+ "type": "string",
+ "fieldSearch": "action=*",
+ "required": true,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "action"
+ },
+ {
+ "comment": {
+ "data_type": "string",
+ "description": "The categories that this external alarm belongs to. Multiple categories can be separated by comma. 
The values must be one or more of the categories in\u00a0Filter the anomaly table.", + "recommended": false, + "possible_values": "Exfiltration" + }, + "fieldName": "alarmCategories", + "owner": "UBA_Endpoint_Processes", + "type": "string", + "fieldSearch": "alarmCategories=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "alarmCategories" + }, + { + "comment": { + "data_type": "string", + "description": "The event category, if applicable.", + "recommended": false, + "possible_values": "malware, watchlist.hit.ingress.process" + }, + "fieldName": "category", + "owner": "UBA_Endpoint_Processes", + "type": "string", + "fieldSearch": "category=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "category" + }, + { + "comment": { + "data_type": "string", + "description": "The host name of the endpoint.", + "recommended": false, + "possible_values": "winhost1" + }, + "fieldName": "dest_host", + "owner": "UBA_Endpoint_Processes", + "type": "string", + "fieldSearch": "dest_host=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dest_host" + }, + { + "comment": { + "data_type": "string", + "description": "IP address of the endpoint where the activity happened.", + "recommended": false, + "possible_values": "1.1.1.1" + }, + "fieldName": "dest_ip", + "owner": "UBA_Endpoint_Processes", + "type": "string", + "fieldSearch": "dest_ip=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dest_ip" + }, + { + "comment": { + "data_type": "string", + "description": "The NT domain of the endpoint, if applicable.", + "recommended": false, + "possible_values": "acme" + }, + "fieldName": "dest_nt_domain", + "owner": "UBA_Endpoint_Processes", + "type": "string", + "fieldSearch": "dest_nt_domain=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + 
"displayName": "dest_nt_domain" + }, + { + "comment": { + "data_type": "string", + "description": "The host name of the endpoint.", + "recommended": false, + "possible_values": "winhost1" + }, + "fieldName": "endpoint_dns", + "owner": "UBA_Endpoint_Processes", + "type": "string", + "fieldSearch": "endpoint_dns=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "endpoint_dns" + }, + { + "comment": { + "data_type": "string", + "description": "IP address of the endpoint where the activity happened.", + "recommended": false, + "possible_values": "1.1.1.1" + }, + "fieldName": "endpoint_ip", + "owner": "UBA_Endpoint_Processes", + "type": "string", + "fieldSearch": "endpoint_ip=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "endpoint_ip" + }, + { + "comment": { + "data_type": "string", + "description": "The NT domain of the endpoint, if applicable.", + "recommended": false, + "possible_values": "acme" + }, + "fieldName": "endpoint_nt_domain", + "owner": "UBA_Endpoint_Processes", + "type": "string", + "fieldSearch": "endpoint_nt_domain=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "endpoint_nt_domain" + }, + { + "comment": { + "data_type": "integer", + "description": "Network port listening on the endpoint.", + "recommended": false, + "possible_values": "53" + }, + "fieldName": "endpoint_port", + "owner": "UBA_Endpoint_Processes", + "type": "number", + "fieldSearch": "endpoint_port=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "endpoint_port" + }, + { + "comment": { + "data_type": "integer", + "description": "The event ID or code for the activity.", + "recommended": false, + "possible_values": "7045" + }, + "fieldName": "event_id", + "owner": "UBA_Endpoint_Processes", + "type": "number", + "fieldSearch": "event_id=*", + "required": false, + 
"multivalue": false, + "hidden": false, + "editable": true, + "displayName": "event_id" + }, + { + "comment": { + "data_type": "string", + "description": "The type of the event.", + "recommended": true, + "possible_values": "symantec_ep_risk_alert_virus, A service was installed in the system" + }, + "fieldName": "eventtype", + "owner": "UBA_Endpoint_Processes", + "type": "string", + "fieldSearch": "eventtype=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "eventtype" + }, + { + "fieldName": "host", + "owner": "BaseEvent", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "host", + "comment": "" + }, + { + "comment": { + "data_type": "string", + "description": "The executable name of the parent process.", + "recommended": true, + "possible_values": "notepad.exe" + }, + "fieldName": "parent_process_exec", + "owner": "UBA_Endpoint_Processes", + "type": "string", + "fieldSearch": "parent_process_exec=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "parent_process_exec" + }, + { + "comment": { + "data_type": "string", + "description": "The globally unique identifier of the parent process assigned by the vendor_product.", + "recommended": false, + "possible_values": "0dd879c-ee2f-11db-8314-0800200c9a66" + }, + "fieldName": "parent_process_guid", + "owner": "UBA_Endpoint_Processes", + "type": "string", + "fieldSearch": "parent_process_guid=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "parent_process_guid" + }, + { + "comment": { + "data_type": "integer", + "description": "The numeric identifier of the parent process assigned by the operating system.", + "recommended": false, + "possible_values": "12345" + }, + "fieldName": "parent_process_id", + "owner": "UBA_Endpoint_Processes", + "type": "number", + "fieldSearch": 
"parent_process_id=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "parent_process_id" + }, + { + "comment": { + "data_type": "string", + "description": "The friendly name of the parent process.", + "recommended": true, + "possible_values": "notepad.exe" + }, + "fieldName": "parent_process_name", + "owner": "UBA_Endpoint_Processes", + "type": "string", + "fieldSearch": "parent_process_name=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "parent_process_name" + }, + { + "comment": { + "data_type": "string", + "description": "The full command string of the parent process.", + "recommended": false, + "possible_values": "C:\\\\WINDOWS\\\\system32\\\\cmd.exe \\/c \\\"\\\"C:\\\\Program Files\\\\SplunkUniversalForwarder\\\\etc\\\\system\\\\bin\\\\powershell.cmd\\\" --scheme" + }, + "fieldName": "parent_process_path", + "owner": "UBA_Endpoint_Processes", + "type": "string", + "fieldSearch": "parent_process_path=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "parent_process_path" + }, + { + "comment": { + "data_type": "string", + "description": "The full command string of the spawned process.", + "recommended": true, + "possible_values": "C:\\\\WINDOWS\\\\system32\\\\cmd.exe \\/c \\\"\\\"C:\\\\Program Files\\\\SplunkUniversalForwarder\\\\etc\\\\system\\\\bin\\\\powershell.cmd\\\" --scheme" + }, + "fieldName": "process", + "owner": "UBA_Endpoint_Processes", + "type": "string", + "fieldSearch": "process=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "process" + }, + { + "comment": { + "data_type": "string", + "description": "The current working directory used to spawn the process.", + "recommended": false, + "possible_values": "/usr/bin/" + }, + "fieldName": "process_current_directory", + "owner": "UBA_Endpoint_Processes", + "type": "string", + 
"fieldSearch": "process_current_directory=*",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "process_current_directory"
+ },
+ {
+ "comment": {
+ "data_type": "string",
+ "description": "The executable name of the process.",
+ "recommended": false,
+ "possible_values": "notepad.exe"
+ },
+ "fieldName": "process_exec",
+ "owner": "UBA_Endpoint_Processes",
+ "type": "string",
+ "fieldSearch": "process_exec=*",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "process_exec"
+ },
+ {
+ "comment": {
+ "data_type": "string",
+ "description": "The globally unique identifier of the process assigned by the vendor_product.",
+ "recommended": false,
+ "possible_values": "example_guid, example_id"
+ },
+ "fieldName": "process_guid.",
+ "owner": "UBA_Endpoint_Processes",
+ "type": "string",
+ "fieldSearch": "process_guid.=*",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "process_guid."
+ }, + { + "comment": { + "data_type": "string", + "description": "The digests of the parent process.", + "recommended": false, + "possible_values": ", " + }, + "fieldName": "process_hash", + "owner": "UBA_Endpoint_Processes", + "type": "string", + "fieldSearch": "process_hash=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "process_hash" + }, + { + "comment": { + "data_type": "integer", + "description": "The numeric identifier of the process assigned by the operating system.", + "recommended": false, + "possible_values": "12345" + }, + "fieldName": "process_id", + "owner": "UBA_Endpoint_Processes", + "type": "number", + "fieldSearch": "process_id=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "process_id" + }, + { + "comment": { + "data_type": "string", + "description": "The Windows integrity level of the process.", + "recommended": false, + "possible_values": "System, Medium" + }, + "fieldName": "process_integrity_level", + "owner": "UBA_Endpoint_Processes", + "type": "string", + "fieldSearch": "process_integrity_level=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "process_integrity_level" + }, + { + "comment": { + "data_type": "string", + "description": "The file path of the process.", + "recommended": true, + "possible_values": "C:\\Windows\\System32\\notepad.exe" + }, + "fieldName": "process_path", + "owner": "UBA_Endpoint_Processes", + "type": "string", + "fieldSearch": "process_path=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "process_path" + }, + { + "comment": { + "data_type": "string", + "description": "The severity of the endpoint event.", + "recommended": false, + "possible_values": "informational, unknown, low, medium, high, critical" + }, + "fieldName": "severity", + "owner": "UBA_Endpoint_Processes", + "type": "string", + 
"fieldSearch": "severity=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "severity" + }, + { + "comment": { + "data_type": "string", + "description": "The sub-category or signature of the event, if applicable.", + "recommended": false, + "possible_values": "process_blocking" + }, + "fieldName": "signature", + "owner": "UBA_Endpoint_Processes", + "type": "string", + "fieldSearch": "signature=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "signature" + }, + { + "fieldName": "source", + "owner": "BaseEvent", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "source", + "comment": "" + }, + { + "fieldName": "sourcetype", + "owner": "BaseEvent", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "sourcetype", + "comment": "" + }, + { + "comment": { + "data_type": "string", + "description": "The hostname of the \"remote\" system connected to the listening port (if applicable)", + "recommended": false, + "possible_values": "acmehost1" + }, + "fieldName": "src_dns", + "owner": "UBA_Endpoint_Processes", + "type": "string", + "fieldSearch": "src_dns=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_dns" + }, + { + "comment": { + "data_type": "string", + "description": "The hostname of the \"remote\" system connected to the listening port (if applicable)", + "recommended": false, + "possible_values": "acmehost1" + }, + "fieldName": "src_host", + "owner": "UBA_Endpoint_Processes", + "type": "string", + "fieldSearch": "src_host=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_host" + }, + { + "comment": { + "data_type": "string", + "description": "The IP address of the 
\"remote\" system connected to the listening port (if applicable).", + "recommended": false, + "possible_values": "2.2.2.2" + }, + "fieldName": "src_ip", + "owner": "UBA_Endpoint_Processes", + "type": "string", + "fieldSearch": "src_ip=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_ip" + }, + { + "comment": { + "data_type": "integer", + "description": "The \"remote\" port connected to the listening port (if applicable).", + "recommended": false, + "possible_values": "53" + }, + "fieldName": "src_port", + "owner": "UBA_Endpoint_Processes", + "type": "number", + "fieldSearch": "src_port=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_port" + }, + { + "comment": { + "data_type": "string", + "description": "Splunk UBA categories rely on the tags from CIM-compliant events to correctly parse data from the Splunk platform. Review this table to determine which category in Splunk UBA corresponds to the CIM data model that the events in the Splunk platform are mapped to. 
Click the name of the Splunk UBA category to review the field mappings between Splunk UBA and the CIM data models.",
+ "recommended": true,
+ "possible_values": "process,report"
+ },
+ "fieldName": "tag",
+ "owner": "UBA_Endpoint_Processes",
+ "type": "string",
+ "fieldSearch": "*",
+ "required": true,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "tag"
+ },
+ {
+ "comment": {
+ "data_type": "string",
+ "description": "The unique identifier of the user account which spawned the process.",
+ "recommended": true,
+ "possible_values": "example_user"
+ },
+ "fieldName": "user",
+ "owner": "UBA_Endpoint_Processes",
+ "type": "string",
+ "fieldSearch": "user=*",
+ "required": true,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "user"
+ }
+ ],
+ "calculations": [],
+ "constraints": [
+ {
+ "search": "`uba_cim_endpoint_indexes` process report",
+ "owner": "UBA_Endpoint_Processes"
+ }
+ ],
+ "lineage": "UBA_Endpoint_Processes"
+ }
+ ],
+ "objectNameList": [
+ "UBA_Endpoint_Processes"
+ ]
+}
diff --git a/default/data/models/UBA_Endpoint_Registry.json b/default/data/models/UBA_Endpoint_Registry.json
new file mode 100644
index 0000000..cc0dea2
--- /dev/null
+++ b/default/data/models/UBA_Endpoint_Registry.json
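Review bot: The process GUID entry carries a stray trailing period in three places on L72 — `"fieldName": "process_guid."`, `"fieldSearch": "process_guid.=*"` and `"displayName": "process_guid."` — so the validator checks for a field literally named `process_guid.` that no event carries, and the real `process_guid` field is never checked; drop the period from all three. The `process_hash` entry (L73) pairs the description "The digests of the parent process." with `"possible_values": ", "`, an empty example, on a field that is not the parent's; suggest `"description": "The digests (for example MD5, SHA1, SHA256) of the process executable."` and a constructed example such as `"possible_values": "<md5>, <sha256>"`. `parent_process_path` is documented as "The full command string of the parent process." while `process_path` is "The file path of the process." (L71, L73); one of the two should change so the path fields agree, and the command-string example on `parent_process_path` moves with it.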
@@ -0,0 +1,555 @@ +{ + "modelName": "UBA_Endpoint_Registry", + "displayName": "UBA Endpoint Registry", + "description": "Splunk UBA Endpoint Registry Data Model for CIM Validator App. \n- An entity is required in order to generate anomalies mapped to Lateral Movement threats.\n- Splunk UBA requires the following tag combinations to process endpoint category events:\nTo properly parse port data, Splunk UBA requires listening, port.\nTo properly parse process data, Splunk UBA requires process, report.\nTo properly parse service data, Splunk UBA requires tag=service, tag=report.\nTo properly parse filesystem data, Splunk UBA requires tag=endpoint, tag=filesystem.\nTo properly parse registry data, Splunk UBA requires tag=endpoint, tag=registry.\n- The Endpoint category contains multiple datasets. Some fields have the same names across multiple datasets.", + "objectSummary": { + "Event-Based": 1, + "Transaction-Based": 0, + "Search-Based": 0 + }, + "objects": [ + { + "objectName": "UBA_Endpoint_Registry", + "displayName": "UBA Endpoint Registry", + "parentName": "BaseEvent", + "comment": "", + "fields": [ + { + "fieldName": "_time", + "owner": "BaseEvent", + "type": "timestamp", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "_time", + "comment": "" + }, + { + "comment": { + "data_type": "string", + "description": "The action taken by the endpoint.", + "recommended": true, + "possible_values": "allowed, blocked" + }, + "fieldName": "action", + "owner": "UBA_Endpoint_Registry", + "type": "string", + "fieldSearch": "action=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "action" + }, + { + "comment": { + "data_type": "string", + "description": "The categories that this external alarm belongs to. Multiple categories can be separated by comma. 
The values must be one or more of the categories in\u00a0Filter the anomaly table.", + "recommended": false, + "possible_values": "Exfiltration" + }, + "fieldName": "alarmCategories", + "owner": "UBA_Endpoint_Registry", + "type": "string", + "fieldSearch": "alarmCategories=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "alarmCategories" + }, + { + "comment": { + "data_type": "string", + "description": "The event category, if applicable.", + "recommended": false, + "possible_values": "malware, watchlist.hit.ingress.process" + }, + "fieldName": "category", + "owner": "UBA_Endpoint_Registry", + "type": "string", + "fieldSearch": "category=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "category" + }, + { + "comment": { + "data_type": "string", + "description": "The host name of the endpoint.", + "recommended": true, + "possible_values": "winhost1" + }, + "fieldName": "dest_host", + "owner": "UBA_Endpoint_Registry", + "type": "string", + "fieldSearch": "dest_host=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dest_host" + }, + { + "comment": { + "data_type": "string", + "description": "IP address of the endpoint where the activity happened.", + "recommended": false, + "possible_values": "1.1.1.1" + }, + "fieldName": "dest_ip", + "owner": "UBA_Endpoint_Registry", + "type": "string", + "fieldSearch": "dest_ip=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dest_ip" + }, + { + "comment": { + "data_type": "string", + "description": "The NT domain of the endpoint, if applicable.", + "recommended": false, + "possible_values": "acme" + }, + "fieldName": "dest_nt_domain", + "owner": "UBA_Endpoint_Registry", + "type": "string", + "fieldSearch": "dest_nt_domain=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + 
"displayName": "dest_nt_domain" + }, + { + "comment": { + "data_type": "string", + "description": "The host name of the endpoint.", + "recommended": true, + "possible_values": "winhost1" + }, + "fieldName": "endpoint_dns", + "owner": "UBA_Endpoint_Registry", + "type": "string", + "fieldSearch": "endpoint_dns=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "endpoint_dns" + }, + { + "comment": { + "data_type": "string", + "description": "IP address of the endpoint where the activity happened.", + "recommended": false, + "possible_values": "1.1.1.1" + }, + "fieldName": "endpoint_ip", + "owner": "UBA_Endpoint_Registry", + "type": "string", + "fieldSearch": "endpoint_ip=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "endpoint_ip" + }, + { + "comment": { + "data_type": "string", + "description": "The NT domain of the endpoint, if applicable.", + "recommended": false, + "possible_values": "acme" + }, + "fieldName": "endpoint_nt_domain", + "owner": "UBA_Endpoint_Registry", + "type": "string", + "fieldSearch": "endpoint_nt_domain=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "endpoint_nt_domain" + }, + { + "comment": { + "data_type": "integer", + "description": "Network port listening on the endpoint.", + "recommended": false, + "possible_values": "53" + }, + "fieldName": "endpoint_port", + "owner": "UBA_Endpoint_Registry", + "type": "number", + "fieldSearch": "endpoint_port=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "endpoint_port" + }, + { + "comment": { + "data_type": "integer", + "description": "The event ID or code for the activity.", + "recommended": false, + "possible_values": "7045" + }, + "fieldName": "event_id", + "owner": "UBA_Endpoint_Registry", + "type": "number", + "fieldSearch": "event_id=*", + "required": false, + "multivalue": 
false, + "hidden": false, + "editable": true, + "displayName": "event_id" + }, + { + "comment": { + "data_type": "string", + "description": "The type of the event.", + "recommended": true, + "possible_values": "symantec_ep_risk_alert_virus, A service was installed in the system" + }, + "fieldName": "eventtype", + "owner": "UBA_Endpoint_Registry", + "type": "string", + "fieldSearch": "eventtype=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "eventtype" + }, + { + "fieldName": "host", + "owner": "BaseEvent", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "host", + "comment": "" + }, + { + "comment": { + "data_type": "string", + "description": "The logical grouping of registry keys, subkeys, and values.", + "recommended": false, + "possible_values": "HKEY_CURRENT_CONFIG, HKEY_CURRENT_USER" + }, + "fieldName": "registry_hive", + "owner": "UBA_Endpoint_Registry", + "type": "string", + "fieldSearch": "registry_hive=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "registry_hive" + }, + { + "comment": { + "data_type": "string", + "description": "The name of the registry key.", + "recommended": true, + "possible_values": "PrinterDriverData" + }, + "fieldName": "registry_key_name", + "owner": "UBA_Endpoint_Registry", + "type": "string", + "fieldSearch": "registry_key_name=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "registry_key_name" + }, + { + "comment": { + "data_type": "string", + "description": "The path to the registry value.", + "recommended": true, + "possible_values": "\\win\\directory\\directory2\\{676235CD-B656-42D5-B737-49856E97D072}\\PrinterDriverData" + }, + "fieldName": "registry_path", + "owner": "UBA_Endpoint_Registry", + "type": "string", + "fieldSearch": "registry_path=*", + "required": true, + 
"multivalue": false, + "hidden": false, + "editable": true, + "displayName": "registry_path" + }, + { + "comment": { + "data_type": "string", + "description": "The unaltered registry value.", + "recommended": true, + "possible_values": "example_value" + }, + "fieldName": "registry_value_data", + "owner": "UBA_Endpoint_Registry", + "type": "string", + "fieldSearch": "registry_value_data=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "registry_value_data" + }, + { + "comment": { + "data_type": "string", + "description": "The name of the registry value.", + "recommended": true, + "possible_values": "example_name" + }, + "fieldName": "registry_value_name", + "owner": "UBA_Endpoint_Registry", + "type": "string", + "fieldSearch": "registry_value_name=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "registry_value_name" + }, + { + "comment": { + "data_type": "string", + "description": "The textual representation of registry_value_data (if applicable).", + "recommended": false, + "possible_values": "example_text" + }, + "fieldName": "registry_value_text", + "owner": "UBA_Endpoint_Registry", + "type": "string", + "fieldSearch": "registry_value_text=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "registry_value_text" + }, + { + "comment": { + "data_type": "string", + "description": "The type of the registry value.", + "recommended": true, + "possible_values": "REG_BINARY, REG_DWORD, REG_DWORD_LITTLE_ENDIAN, REG_DWORD_BIG_ENDIAN, REG_EXPAND_SZ, REG_LINK, REG_MULTI_SZ, REG_NONE, REG_QWORD, REG_QWORD_LITTLE_ENDIAN, REG_SZ" + }, + "fieldName": "registry_value_type", + "owner": "UBA_Endpoint_Registry", + "type": "string", + "fieldSearch": "registry_value_type=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "registry_value_type" + }, + { + "comment": { + 
"data_type": "string", + "description": "The severity of the endpoint event.", + "recommended": false, + "possible_values": "informational, unknown, low, medium, high, critical" + }, + "fieldName": "severity", + "owner": "UBA_Endpoint_Registry", + "type": "string", + "fieldSearch": "severity=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "severity" + }, + { + "comment": { + "data_type": "string", + "description": "The sub-category or signature of the event, if applicable.", + "recommended": false, + "possible_values": "process_blocking" + }, + "fieldName": "signature", + "owner": "UBA_Endpoint_Registry", + "type": "string", + "fieldSearch": "signature=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "signature" + }, + { + "fieldName": "source", + "owner": "BaseEvent", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "source", + "comment": "" + }, + { + "fieldName": "sourcetype", + "owner": "BaseEvent", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "sourcetype", + "comment": "" + }, + { + "comment": { + "data_type": "string", + "description": "The hostname of the \"remote\" system connected to the listening port (if applicable)", + "recommended": false, + "possible_values": "acmehost1" + }, + "fieldName": "src_dns", + "owner": "UBA_Endpoint_Registry", + "type": "string", + "fieldSearch": "src_dns=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_dns" + }, + { + "comment": { + "data_type": "string", + "description": "The hostname of the \"remote\" system connected to the listening port (if applicable)", + "recommended": false, + "possible_values": "acmehost1" + }, + "fieldName": "src_host", + "owner": 
"UBA_Endpoint_Registry", + "type": "string", + "fieldSearch": "src_host=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_host" + }, + { + "comment": { + "data_type": "string", + "description": "The IP address of the \"remote\" system connected to the listening port (if applicable).", + "recommended": false, + "possible_values": "2.2.2.2" + }, + "fieldName": "src_ip", + "owner": "UBA_Endpoint_Registry", + "type": "string", + "fieldSearch": "src_ip=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_ip" + }, + { + "comment": { + "data_type": "integer", + "description": "The \"remote\" port connected to the listening port (if applicable).", + "recommended": false, + "possible_values": "53" + }, + "fieldName": "src_port", + "owner": "UBA_Endpoint_Registry", + "type": "number", + "fieldSearch": "src_port=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_port" + }, + { + "comment": { + "data_type": "string", + "description": "The status of the service or registry.", + "recommended": false, + "possible_values": "failure, success" + }, + "fieldName": "status", + "owner": "UBA_Endpoint_Registry", + "type": "string", + "fieldSearch": "status=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "status" + }, + { + "comment": { + "data_type": "string", + "description": "Splunk UBA categories rely on the tags from CIM-compliant events to correctly parse data from the Splunk platform. Review this table to determine which category in Splunk UBA corresponds to the CIM data model that the events in the Splunk platform are mapped to. 
Click the name of the Splunk UBA category to review the field mappings between Splunk UBA and the CIM data models.", + "recommended": true, + "possible_values": "endpoint,registry" + }, + "fieldName": "tag", + "owner": "UBA_Endpoint_Registry", + "type": "string", + "fieldSearch": "*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "tag" + }, + { + "comment": { + "data_type": "string", + "description": "The user account associated with the service or the filesystem access, or the registry access.", + "recommended": true, + "possible_values": "cronaldo" + }, + "fieldName": "user", + "owner": "UBA_Endpoint_Registry", + "type": "string", + "fieldSearch": "user=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "user" + } + ], + "calculations": [], + "constraints": [ + { + "search": "`uba_cim_endpoint_indexes` endpoint registry", + "owner": "UBA_Endpoint_Registry" + } + ], + "lineage": "UBA_Endpoint_Registry" + } + ], + "objectNameList": [ + "UBA_Endpoint_Registry" + ] +} diff --git a/default/data/models/UBA_Endpoint_Services.json b/default/data/models/UBA_Endpoint_Services.json new file mode 100644 index 0000000..85d6077 --- /dev/null +++ b/default/data/models/UBA_Endpoint_Services.json 
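Review bot: The dataset constraint ``"search": "`uba_cim_endpoint_indexes` endpoint registry"`` searches for the bare terms `endpoint` and `registry` rather than the tag values the model's own description says are required, so any event whose raw text happens to contain those words is counted as registry data while events lacking the tags are not excluded; the `tag` field itself carries `"fieldSearch": "*"` and validates nothing. Unless the macro already applies the tag filter (it is defined in macros.conf, outside this hunk), the constraint should read ``"search": "`uba_cim_endpoint_indexes` tag=endpoint tag=registry"``. The same keyword-only pattern appears in the UBA_Endpoint_Services hunk below (`service report`) and in the UBA_Endpoint_Processes tail above (`process report`). Separately, the `alarmCategories` description ("The categories that this external alarm belongs to…") is copied from the External Alarm model and its `\u00a0Filter the anomaly table` fragment is a broken link reference, so a reader of the registry model cannot tell what value is expected here.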
@@ -0,0 +1,640 @@ +{ + "modelName": "UBA_Endpoint_Services", + "displayName": "UBA Endpoint Services", + "description": "Splunk UBA Endpoint Services Data Model for CIM Validator App. \n- An entity is required in order to generate anomalies mapped to Lateral Movement threats.\n- Splunk UBA requires the following tag combinations to process endpoint category events:\nTo properly parse port data, Splunk UBA requires listening, port.\nTo properly parse process data, Splunk UBA requires process, report.\nTo properly parse service data, Splunk UBA requires tag=service, tag=report.\nTo properly parse filesystem data, Splunk UBA requires tag=endpoint, tag=filesystem.\nTo properly parse registry data, Splunk UBA requires tag=endpoint, tag=registry.\n- The Endpoint category contains multiple datasets. Some fields have the same names across multiple datasets.", + "objectSummary": { + "Event-Based": 1, + "Transaction-Based": 0, + "Search-Based": 0 + }, + "objects": [ + { + "objectName": "UBA_Endpoint_Services", + "displayName": "UBA Endpoint Services", + "parentName": "BaseEvent", + "comment": "", + "fields": [ + { + "fieldName": "_time", + "owner": "BaseEvent", + "type": "timestamp", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "_time", + "comment": "" + }, + { + "comment": { + "data_type": "string", + "description": "The action taken by the endpoint.", + "recommended": true, + "possible_values": "allowed, blocked" + }, + "fieldName": "action", + "owner": "UBA_Endpoint_Services", + "type": "string", + "fieldSearch": "action=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "action" + }, + { + "comment": { + "data_type": "string", + "description": "The categories that this external alarm belongs to. Multiple categories can be separated by comma. 
The values must be one or more of the categories in\u00a0Filter the anomaly table.", + "recommended": false, + "possible_values": "Exfiltration" + }, + "fieldName": "alarmCategories", + "owner": "UBA_Endpoint_Services", + "type": "string", + "fieldSearch": "alarmCategories=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "alarmCategories" + }, + { + "comment": { + "data_type": "string", + "description": "The event category, if applicable.", + "recommended": false, + "possible_values": "malware, watchlist.hit.ingress.process" + }, + "fieldName": "category", + "owner": "UBA_Endpoint_Services", + "type": "string", + "fieldSearch": "category=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "category" + }, + { + "comment": { + "data_type": "string", + "description": "The description of the service.", + "recommended": false, + "possible_values": "Example description" + }, + "fieldName": "description", + "owner": "UBA_Endpoint_Services", + "type": "string", + "fieldSearch": "description=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "description" + }, + { + "comment": { + "data_type": "string", + "description": "The host name of the endpoint.", + "recommended": true, + "possible_values": "winhost1" + }, + "fieldName": "dest_host", + "owner": "UBA_Endpoint_Services", + "type": "string", + "fieldSearch": "dest_host=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dest_host" + }, + { + "comment": { + "data_type": "string", + "description": "IP address of the endpoint where the activity happened.", + "recommended": false, + "possible_values": "1.1.1.1" + }, + "fieldName": "dest_ip", + "owner": "UBA_Endpoint_Services", + "type": "string", + "fieldSearch": "dest_ip=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + 
"displayName": "dest_ip" + }, + { + "comment": { + "data_type": "string", + "description": "The NT domain of the endpoint, if applicable.", + "recommended": false, + "possible_values": "acme" + }, + "fieldName": "dest_nt_domain", + "owner": "UBA_Endpoint_Services", + "type": "string", + "fieldSearch": "dest_nt_domain=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dest_nt_domain" + }, + { + "comment": { + "data_type": "string", + "description": "The host name of the endpoint.", + "recommended": true, + "possible_values": "winhost1" + }, + "fieldName": "endpoint_dns", + "owner": "UBA_Endpoint_Services", + "type": "string", + "fieldSearch": "endpoint_dns=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "endpoint_dns" + }, + { + "comment": { + "data_type": "string", + "description": "IP address of the endpoint where the activity happened.", + "recommended": false, + "possible_values": "1.1.1.1" + }, + "fieldName": "endpoint_ip", + "owner": "UBA_Endpoint_Services", + "type": "string", + "fieldSearch": "endpoint_ip=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "endpoint_ip" + }, + { + "comment": { + "data_type": "string", + "description": "The NT domain of the endpoint, if applicable.", + "recommended": false, + "possible_values": "acme" + }, + "fieldName": "endpoint_nt_domain", + "owner": "UBA_Endpoint_Services", + "type": "string", + "fieldSearch": "endpoint_nt_domain=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "endpoint_nt_domain" + }, + { + "comment": { + "data_type": "integer", + "description": "Network port listening on the endpoint.", + "recommended": false, + "possible_values": "53" + }, + "fieldName": "endpoint_port", + "owner": "UBA_Endpoint_Services", + "type": "number", + "fieldSearch": "endpoint_port=*", + "required": false, + 
"multivalue": false, + "hidden": false, + "editable": true, + "displayName": "endpoint_port" + }, + { + "comment": { + "data_type": "integer", + "description": "The event ID or code for the activity.", + "recommended": false, + "possible_values": "7045" + }, + "fieldName": "event_id", + "owner": "UBA_Endpoint_Services", + "type": "number", + "fieldSearch": "event_id=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "event_id" + }, + { + "comment": { + "data_type": "string", + "description": "The type of the event.", + "recommended": true, + "possible_values": "symantec_ep_risk_alert_virus, A service was installed in the system" + }, + "fieldName": "eventtype", + "owner": "UBA_Endpoint_Services", + "type": "string", + "fieldSearch": "eventtype=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "eventtype" + }, + { + "fieldName": "host", + "owner": "BaseEvent", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "host", + "comment": "" + }, + { + "comment": { + "data_type": "string", + "description": "The dynamic link library associated with the service.", + "recommended": false, + "possible_values": "Svc.exe" + }, + "fieldName": "service_dll", + "owner": "UBA_Endpoint_Services", + "type": "string", + "fieldSearch": "service_dll=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "service_dll" + }, + { + "comment": { + "data_type": "string", + "description": "The digests of the dynamic link library associated with the service.", + "recommended": false, + "possible_values": ", " + }, + "fieldName": "service_dll_hash", + "owner": "UBA_Endpoint_Services", + "type": "string", + "fieldSearch": "service_dll_hash=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": 
"service_dll_hash" + }, + { + "comment": { + "data_type": "string", + "description": "The file path to the dynamic link library associated with the service.", + "recommended": false, + "possible_values": "C:\\Windows\\System32\\comdlg32.dll" + }, + "fieldName": "service_dll_path", + "owner": "UBA_Endpoint_Services", + "type": "string", + "fieldSearch": "service_dll_path=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "service_dll_path" + }, + { + "comment": { + "data_type": "string", + "description": "Whether or not the dynamic link library associated with the service has a digitally signed signature.", + "recommended": false, + "possible_values": "TRUE" + }, + "fieldName": "service_dll_signature_exists", + "owner": "UBA_Endpoint_Services", + "type": "string", + "fieldSearch": "service_dll_signature_exists=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "service_dll_signature_exists" + }, + { + "comment": { + "data_type": "string", + "description": "Whether or not the dynamic link library associated with the service has had its digitally signed signature verified.", + "recommended": false, + "possible_values": "TRUE" + }, + "fieldName": "service_dll_signature_verified", + "owner": "UBA_Endpoint_Services", + "type": "string", + "fieldSearch": "service_dll_signature_verified=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "service_dll_signature_verified" + }, + { + "comment": { + "data_type": "string", + "description": "The executable name of the service.", + "recommended": false, + "possible_values": "svchost.exe" + }, + "fieldName": "service_exec", + "owner": "UBA_Endpoint_Services", + "type": "string", + "fieldSearch": "service_exec=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "service_exec" + }, + { + "comment": { + "data_type": "string", + 
"description": "The digests of the service.", + "recommended": true, + "possible_values": ", " + }, + "fieldName": "service_hash", + "owner": "UBA_Endpoint_Services", + "type": "string", + "fieldSearch": "service_hash=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "service_hash" + }, + { + "comment": { + "data_type": "integer", + "description": "The unique identifier of the service assigned by the operating system.", + "recommended": true, + "possible_values": "12345" + }, + "fieldName": "service_id", + "owner": "UBA_Endpoint_Services", + "type": "number", + "fieldSearch": "service_id=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "service_id" + }, + { + "comment": { + "data_type": "string", + "description": "The friendly service name.", + "recommended": false, + "possible_values": "example_name" + }, + "fieldName": "service_name", + "owner": "UBA_Endpoint_Services", + "type": "string", + "fieldSearch": "service_name=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "service_name" + }, + { + "comment": { + "data_type": "string", + "description": "The file path of the service.", + "recommended": false, + "possible_values": "C:\\WINDOWS\\system32\\svchost.exe" + }, + "fieldName": "service_path", + "owner": "UBA_Endpoint_Services", + "type": "string", + "fieldSearch": "service_path=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "service_path" + }, + { + "comment": { + "data_type": "string", + "description": "The severity of the endpoint event.", + "recommended": false, + "possible_values": "informational, unknown, low, medium, high, critical" + }, + "fieldName": "severity", + "owner": "UBA_Endpoint_Services", + "type": "string", + "fieldSearch": "severity=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + 
"displayName": "severity" + }, + { + "comment": { + "data_type": "string", + "description": "The sub-category or signature of the event, if applicable.", + "recommended": false, + "possible_values": "process_blocking" + }, + "fieldName": "signature", + "owner": "UBA_Endpoint_Services", + "type": "string", + "fieldSearch": "signature=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "signature" + }, + { + "fieldName": "source", + "owner": "BaseEvent", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "source", + "comment": "" + }, + { + "fieldName": "sourcetype", + "owner": "BaseEvent", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "sourcetype", + "comment": "" + }, + { + "comment": { + "data_type": "string", + "description": "The hostname of the \"remote\" system connected to the listening port (if applicable)", + "recommended": false, + "possible_values": "acmehost1" + }, + "fieldName": "src_dns", + "owner": "UBA_Endpoint_Services", + "type": "string", + "fieldSearch": "src_dns=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_dns" + }, + { + "comment": { + "data_type": "string", + "description": "The hostname of the \"remote\" system connected to the listening port (if applicable)", + "recommended": false, + "possible_values": "acmehost1" + }, + "fieldName": "src_host", + "owner": "UBA_Endpoint_Services", + "type": "string", + "fieldSearch": "src_host=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_host" + }, + { + "comment": { + "data_type": "string", + "description": "The IP address of the \"remote\" system connected to the listening port (if applicable).", + "recommended": false, + "possible_values": 
"2.2.2.2" + }, + "fieldName": "src_ip", + "owner": "UBA_Endpoint_Services", + "type": "string", + "fieldSearch": "src_ip=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_ip" + }, + { + "comment": { + "data_type": "integer", + "description": "The \"remote\" port connected to the listening port (if applicable).", + "recommended": false, + "possible_values": "53" + }, + "fieldName": "src_port", + "owner": "UBA_Endpoint_Services", + "type": "number", + "fieldSearch": "src_port=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_port" + }, + { + "comment": { + "data_type": "string", + "description": "The start mode for the service.", + "recommended": false, + "possible_values": "example_mode" + }, + "fieldName": "start_mode", + "owner": "UBA_Endpoint_Services", + "type": "string", + "fieldSearch": "start_mode=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "start_mode" + }, + { + "comment": { + "data_type": "string", + "description": "The status of the service or registry.", + "recommended": true, + "possible_values": "critical, started, stopped, warning, failure, success" + }, + "fieldName": "status", + "owner": "UBA_Endpoint_Services", + "type": "string", + "fieldSearch": "status=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "status" + }, + { + "comment": { + "data_type": "string", + "description": "Splunk UBA categories rely on the tags from CIM-compliant events to correctly parse data from the Splunk platform. Review this table to determine which category in Splunk UBA corresponds to the CIM data model that the events in the Splunk platform are mapped to. 
Click the name of the Splunk UBA category to review the field mappings between Splunk UBA and the CIM data models.", + "recommended": true, + "possible_values": "service,report" + }, + "fieldName": "tag", + "owner": "UBA_Endpoint_Services", + "type": "string", + "fieldSearch": "*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "tag" + }, + { + "comment": { + "data_type": "string", + "description": "The user account associated with the service or the filesystem access, or the registry access.", + "recommended": true, + "possible_values": "cronaldo" + }, + "fieldName": "user", + "owner": "UBA_Endpoint_Services", + "type": "string", + "fieldSearch": "user=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "user" + } + ], + "calculations": [], + "constraints": [ + { + "search": "`uba_cim_endpoint_indexes` service report", + "owner": "UBA_Endpoint_Services" + } + ], + "lineage": "UBA_Endpoint_Services" + } + ], + "objectNameList": [ + "UBA_Endpoint_Services" + ] +} diff --git a/default/data/models/UBA_External_Alarm.json b/default/data/models/UBA_External_Alarm.json new file mode 100644 index 0000000..3b2e8a5 --- /dev/null +++ b/default/data/models/UBA_External_Alarm.json 
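Review bot: `service_hash` is marked `"required": true` and `"recommended": true`, yet its `possible_values` (and that of `service_dll_hash`) is the blank string `", "`, so the dictionary gives an analyst no indication of which digest algorithm or format is expected for the one field that lets a service binary be matched against known-good or known-bad hashes; replace it with a labelled example such as `"possible_values": "<md5 or sha256 digest of the service executable>"` or whatever format the UBA ingest actually accepts. The two signature fields `service_dll_signature_exists` and `service_dll_signature_verified` are typed `"string"` with the example `TRUE`; if the data-model schema accepts it these are better expressed as boolean-typed fields, and at minimum the description should state the accepted literal values so producers emit a consistent form. The `service_dll` example `Svc.exe` is also misleading for a field documented as a dynamic link library name.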
@@ -0,0 +1,351 @@ +{ + "modelName": "UBA_External_Alarm", + "displayName": "UBA External Alarm", + "description": "Splunk UBA External Alarm Data Model for CIM Validator App", + "objectSummary": { + "Event-Based": 1, + "Transaction-Based": 0, + "Search-Based": 0 + }, + "objects": [ + { + "objectName": "UBA_External_Alarm", + "displayName": "UBA External Alarm", + "parentName": "BaseEvent", + "comment": "", + "fields": [ + { + "fieldName": "_time", + "owner": "BaseEvent", + "type": "timestamp", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "_time", + "comment": "" + }, + { + "comment": { + "data_type": "string", + "description": "The action taken by the external device.", + "recommended": false, + "possible_values": "allowed, blocked, deferred" + }, + "fieldName": "action", + "owner": "UBA_External_Alarm", + "type": "string", + "fieldSearch": "action=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "action" + }, + { + "comment": { + "data_type": "string", + "description": "The categories that this external alarm belongs to. Multiple categories can be separated by comma. 
The values must be one or more of the categories in\u00a0Filter the anomaly table.", + "recommended": true, + "possible_values": "Exfiltration" + }, + "fieldName": "alarmCategories", + "owner": "UBA_External_Alarm", + "type": "string", + "fieldSearch": "alarmCategories=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "alarmCategories" + }, + { + "comment": { + "data_type": "string", + "description": "The application involved in the event.", + "recommended": false, + "possible_values": "ssl" + }, + "fieldName": "app", + "owner": "UBA_External_Alarm", + "type": "string", + "fieldSearch": "app=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "app" + }, + { + "comment": { + "data_type": "string", + "description": "The category of the event, if applicable.", + "recommended": false, + "possible_values": "malware, watchlist.hit.ingress.proces" + }, + "fieldName": "category", + "owner": "UBA_External_Alarm", + "type": "string", + "fieldSearch": "category=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "category" + }, + { + "comment": { + "data_type": "string", + "description": "The host name of the destination.", + "recommended": false, + "possible_values": "winhost2" + }, + "fieldName": "dest_host", + "owner": "UBA_External_Alarm", + "type": "string", + "fieldSearch": "dest_host=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dest_host" + }, + { + "comment": { + "data_type": "string", + "description": "The IP address of the destination.", + "recommended": false, + "possible_values": "2.2.2.2" + }, + "fieldName": "dest_ip", + "owner": "UBA_External_Alarm", + "type": "string", + "fieldSearch": "dest_ip=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dest_ip" + }, + { + "comment": { + "data_type": 
"string", + "description": "The destination zone.", + "recommended": false, + "possible_values": "PCI" + }, + "fieldName": "dest_zone", + "owner": "UBA_External_Alarm", + "type": "string", + "fieldSearch": "dest_zone=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dest_zone" + }, + { + "comment": { + "data_type": "string", + "description": "The type of the event.", + "recommended": true, + "possible_values": "URL Filtering" + }, + "fieldName": "eventtype", + "owner": "UBA_External_Alarm", + "type": "string", + "fieldSearch": "eventtype=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "eventtype" + }, + { + "fieldName": "host", + "owner": "BaseEvent", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "host", + "comment": "" + }, + { + "comment": { + "data_type": "string", + "description": "The severity of the external alarm.", + "recommended": false, + "possible_values": "informational, unknown, low, medium, high, critical" + }, + "fieldName": "severity", + "owner": "UBA_External_Alarm", + "type": "string", + "fieldSearch": "severity=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "severity" + }, + { + "comment": { + "data_type": "string", + "description": "The type of the event.", + "recommended": true, + "possible_values": "URL Filtering" + }, + "fieldName": "signature", + "owner": "UBA_External_Alarm", + "type": "string", + "fieldSearch": "signature=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "signature" + }, + { + "fieldName": "source", + "owner": "BaseEvent", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "source", + "comment": "" + }, + { + "fieldName": 
"sourcetype", + "owner": "BaseEvent", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "sourcetype", + "comment": "" + }, + { + "comment": { + "data_type": "string", + "description": "The host name of the source.", + "recommended": false, + "possible_values": "winhost1" + }, + "fieldName": "src_host", + "owner": "UBA_External_Alarm", + "type": "string", + "fieldSearch": "src_host=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_host" + }, + { + "comment": { + "data_type": "string", + "description": "The source of the network traffic, such as the client requesting the connection.", + "recommended": false, + "possible_values": "10.10.10.12" + }, + "fieldName": "src_ip", + "owner": "UBA_External_Alarm", + "type": "string", + "fieldSearch": "src_ip=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_ip" + }, + { + "comment": { + "data_type": "string", + "description": "The source zone.", + "recommended": false, + "possible_values": "contractor" + }, + "fieldName": "src_zone", + "owner": "UBA_External_Alarm", + "type": "string", + "fieldSearch": "src_zone=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_zone" + }, + { + "comment": { + "data_type": "string", + "description": "Splunk UBA categories rely on the tags from CIM-compliant events to correctly parse data from the Splunk platform. Review this table to determine which category in Splunk UBA corresponds to the CIM data model that the events in the Splunk platform are mapped to. 
Click the name of the Splunk UBA category to review the field mappings between Splunk UBA and the CIM data models.", + "recommended": true, + "possible_values": "attack" + }, + "fieldName": "tag", + "owner": "UBA_External_Alarm", + "type": "string", + "fieldSearch": "*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "tag" + }, + { + "comment": { + "data_type": "string", + "description": "The URL accessed in the request.", + "recommended": false, + "possible_values": "http://subdomain.acme.com/index.html" + }, + "fieldName": "url", + "owner": "UBA_External_Alarm", + "type": "string", + "fieldSearch": "url=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "url" + }, + { + "comment": { + "data_type": "string", + "description": "The user involved in the activity reported.", + "recommended": false, + "possible_values": "cronaldo" + }, + "fieldName": "user", + "owner": "UBA_External_Alarm", + "type": "string", + "fieldSearch": "user=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "user" + } + ], + "calculations": [], + "constraints": [ + { + "search": "`uba_cim_external_alarm_indexes` attack", + "owner": "UBA_External_Alarm" + } + ], + "lineage": "UBA_External_Alarm" + } + ], + "objectNameList": [ + "UBA_External_Alarm" + ] +} diff --git a/default/data/models/UBA_Firewall.json b/default/data/models/UBA_Firewall.json new file mode 100644 index 0000000..1c27863 --- /dev/null +++ b/default/data/models/UBA_Firewall.json 
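Review bot: The `signature` field reuses the `eventtype` entry's description and example verbatim (`"description": "The type of the event."`, `"possible_values": "URL Filtering"`), which looks like a copy-paste slip; since `signature` is `required: true`, the validator will demand a field whose meaning the model does not explain. If `signature` is meant to carry the vendor alarm or rule name, something like `"description": "The name of the alarm or rule raised by the external device."` with a distinct example would fix it — please confirm the intended semantics. The `tag` description here (and in UBA_Firewall, and in the UBA_Endpoint_Services tail above whose hunk starts outside this chunk) is a paragraph lifted from the documentation page ("Review this table…", "Click the name…") that has no table or link in a data-model definition; a one-liner such as `"description": "The CIM tags that route events to this Splunk UBA category."` would be accurate, and that string also appears to hold a literal line break before "Click", which a strict JSON parser rejects if it is a raw newline in the file rather than a rendering artifact. The `alarmCategories` description similarly carries a stray `\u00a0` and a dangling link text ("in\u00a0Filter the anomaly table"); consider `"description": "... The values must be one or more of the anomaly categories listed in the Splunk UBA documentation topic 'Filter the anomaly table'."`.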
@@ -0,0 +1,470 @@ +{ + "modelName": "UBA_Firewall", + "displayName": "UBA Firewall", + "description": "Splunk UBA Firewall Data Model for CIM Validator App", + "objectSummary": { + "Event-Based": 1, + "Transaction-Based": 0, + "Search-Based": 0 + }, + "objects": [ + { + "objectName": "UBA_Firewall", + "displayName": "UBA Firewall", + "parentName": "BaseEvent", + "comment": "", + "fields": [ + { + "fieldName": "_time", + "owner": "BaseEvent", + "type": "timestamp", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "_time", + "comment": "" + }, + { + "comment": { + "data_type": "string", + "description": "The action taken by the firewall.", + "recommended": true, + "possible_values": "allowed, blocked" + }, + "fieldName": "action", + "owner": "UBA_Firewall", + "type": "string", + "fieldSearch": "action=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "action" + }, + { + "comment": { + "data_type": "string", + "description": "The application protocol of the traffic.", + "recommended": false, + "possible_values": "SSL" + }, + "fieldName": "app", + "owner": "UBA_Firewall", + "type": "string", + "fieldSearch": "app=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "app" + }, + { + "comment": { + "data_type": "integer", + "description": "The total number of bytes transferred (bytes_in + bytes_out).", + "recommended": false, + "possible_values": "1168" + }, + "fieldName": "bytes", + "owner": "UBA_Firewall", + "type": "number", + "fieldSearch": "bytes=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "bytes" + }, + { + "comment": { + "data_type": "integer", + "description": "The number of inbound bytes transferred.", + "recommended": true, + "possible_values": "1028" + }, + "fieldName": "bytes_in", + "owner": "UBA_Firewall", + "type": "number", 
+ "fieldSearch": "bytes_in=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "bytes_in" + }, + { + "comment": { + "data_type": "integer", + "description": "The number of outbound bytes transferred.", + "recommended": true, + "possible_values": "140" + }, + "fieldName": "bytes_out", + "owner": "UBA_Firewall", + "type": "number", + "fieldSearch": "bytes_out=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "bytes_out" + }, + { + "comment": { + "data_type": "string", + "description": "The host name of the destination.", + "recommended": false, + "possible_values": "winhost2" + }, + "fieldName": "dest_host", + "owner": "UBA_Firewall", + "type": "string", + "fieldSearch": "dest_host=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dest_host" + }, + { + "comment": { + "data_type": "string", + "description": "The IP address of the destination.", + "recommended": true, + "possible_values": "2.2.2.2" + }, + "fieldName": "dest_ip", + "owner": "UBA_Firewall", + "type": "string", + "fieldSearch": "dest_ip=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dest_ip" + }, + { + "comment": { + "data_type": "integer", + "description": "The port number of the destination.", + "recommended": false, + "possible_values": "123" + }, + "fieldName": "dest_port", + "owner": "UBA_Firewall", + "type": "number", + "fieldSearch": "dest_port=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dest_port" + }, + { + "comment": { + "data_type": "string", + "description": "The NATed IPv4 or IPv6 address to which a packet is sent.", + "recommended": false, + "possible_values": "192.168.1.12" + }, + "fieldName": "dest_translated_ip", + "owner": "UBA_Firewall", + "type": "string", + "fieldSearch": "dest_translated_ip=*", + "required": 
false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dest_translated_ip" + }, + { + "comment": { + "data_type": "string", + "description": "The destination zone.", + "recommended": false, + "possible_values": "PCI" + }, + "fieldName": "dest_zone", + "owner": "UBA_Firewall", + "type": "string", + "fieldSearch": "dest_zone=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dest_zone" + }, + { + "comment": { + "data_type": "integer", + "description": "The amount of time in seconds for the completion of the network event.", + "recommended": false, + "possible_values": "241" + }, + "fieldName": "duration", + "owner": "UBA_Firewall", + "type": "number", + "fieldSearch": "duration=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "duration" + }, + { + "fieldName": "host", + "owner": "BaseEvent", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "host", + "comment": "" + }, + { + "comment": { + "data_type": "integer", + "description": "The number of inbound packets transferred.", + "recommended": false, + "possible_values": "5" + }, + "fieldName": "packets_in", + "owner": "UBA_Firewall", + "type": "number", + "fieldSearch": "packets_in=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "packets_in" + }, + { + "comment": { + "data_type": "integer", + "description": "The number of outbound packets transferred.", + "recommended": false, + "possible_values": "6" + }, + "fieldName": "packets_out", + "owner": "UBA_Firewall", + "type": "number", + "fieldSearch": "packets_out=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "packets_out" + }, + { + "comment": { + "data_type": "string", + "description": "The OSI layer 3 (network) protocol of the 
traffic observed, in lowercase.", + "recommended": true, + "possible_values": "ip, appletalk, ipx" + }, + "fieldName": "protocol", + "owner": "UBA_Firewall", + "type": "string", + "fieldSearch": "protocol=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "protocol" + }, + { + "fieldName": "source", + "owner": "BaseEvent", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "source", + "comment": "" + }, + { + "fieldName": "sourcetype", + "owner": "BaseEvent", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "sourcetype", + "comment": "" + }, + { + "comment": { + "data_type": "string", + "description": "The host name of the source.", + "recommended": false, + "possible_values": "winhost1" + }, + "fieldName": "src_host", + "owner": "UBA_Firewall", + "type": "string", + "fieldSearch": "src_host=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_host" + }, + { + "comment": { + "data_type": "string", + "description": "The source of the network traffic, such as the client requesting the connection.", + "recommended": true, + "possible_values": "10.10.10.12" + }, + "fieldName": "src_ip", + "owner": "UBA_Firewall", + "type": "string", + "fieldSearch": "src_ip=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_ip" + }, + { + "comment": { + "data_type": "integer", + "description": "The port number of the source.", + "recommended": false, + "possible_values": "12345" + }, + "fieldName": "src_port", + "owner": "UBA_Firewall", + "type": "number", + "fieldSearch": "src_port=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_port" + }, + { + "comment": { + "data_type": "string", + 
"description": "The NATed IPv4 or IPv6 address from which a packet is sent.", + "recommended": false, + "possible_values": "192.168.1.11" + }, + "fieldName": "src_translated_ip", + "owner": "UBA_Firewall", + "type": "string", + "fieldSearch": "src_translated_ip=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_translated_ip" + }, + { + "comment": { + "data_type": "string", + "description": "The source zone.", + "recommended": false, + "possible_values": "contractor" + }, + "fieldName": "src_zone", + "owner": "UBA_Firewall", + "type": "string", + "fieldSearch": "src_zone=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_zone" + }, + { + "comment": { + "data_type": "string", + "description": "Splunk UBA categories rely on the tags from CIM-compliant events to correctly parse data from the Splunk platform. Review this table to determine which category in Splunk UBA corresponds to the CIM data model that the events in the Splunk platform are mapped to. 
Click the name of the Splunk UBA category to review the field mappings between Splunk UBA and the CIM data models.", + "recommended": true, + "possible_values": "network,communicate" + }, + "fieldName": "tag", + "owner": "UBA_Firewall", + "type": "string", + "fieldSearch": "*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "tag" + }, + { + "comment": { + "data_type": "string", + "description": "The URL accessed in the request.", + "recommended": false, + "possible_values": "http://subdomain.acme.com/index.html" + }, + "fieldName": "url", + "owner": "UBA_Firewall", + "type": "string", + "fieldSearch": "url=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "url" + }, + { + "comment": { + "data_type": "string", + "description": "The user who requested the traffic flow.", + "recommended": false, + "possible_values": "cronaldo" + }, + "fieldName": "user", + "owner": "UBA_Firewall", + "type": "string", + "fieldSearch": "user=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "user" + }, + { + "comment": { + "data_type": "string", + "description": "The type of the event.", + "recommended": true, + "possible_values": "Teardown TCP, Built inbound connection" + }, + "fieldName": "vendor_action", + "owner": "UBA_Firewall", + "type": "string", + "fieldSearch": "vendor_action=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "vendor_action" + } + ], + "calculations": [], + "constraints": [ + { + "search": "`uba_cim_firewall_indexes` network communicate", + "owner": "UBA_Firewall" + } + ], + "lineage": "UBA_Firewall" + } + ], + "objectNameList": [ + "UBA_Firewall" + ] +} diff --git a/default/data/models/UBA_HR_Data.json b/default/data/models/UBA_HR_Data.json new file mode 100644 index 0000000..e67c262 --- /dev/null +++ b/default/data/models/UBA_HR_Data.json 
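Review bot: `vendor_action` is described as `"The type of the event."` while its examples (`Teardown TCP, Built inbound connection`) are vendor-specific action strings; with `required: true` that description will mislead anyone mapping firewall data into this model. Suggest `"description": "The vendor-specific action string reported by the firewall; action holds the normalized allowed/blocked value."` so the two fields are explicitly distinguished. Minor: the `app` example here is `SSL` while UBA_External_Alarm uses `ssl` for the same field, and `protocol` is documented as lowercase — pick one case convention for example values across the models so the validator output reads consistently.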
@@ -0,0 +1,929 @@ +{ + "modelName": "UBA_HR_Data", + "displayName": "UBA HR Data", + "description": "", + "objectSummary": { + "Event-Based": 1, + "Transaction-Based": 0, + "Search-Based": 0 + }, + "objects": [ + { + "objectName": "UBA_HR_Data", + "displayName": "UBA_HR_Data", + "parentName": "BaseEvent", + "comment": "", + "fields": [ + { + "comment": { + "data_type": "string", + "description": "The user's middle name. This value is used to compute the display name field if the display name field is empty.", + "possible_values": "Michelle", + "recommended": false + }, + "fieldName": "MiddleName", + "owner": "UBA_HR_Data", + "type": "string", + "fieldSearch": "MiddleName=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "MiddleName" + }, + { + "comment": { + "data_type": "string", + "description": "\tUser account control code from AD. Use UAC when the value in your HR data is an ENUM value such as NORMAL_ACCOUNT. If a UAC value is not available, Splunk UBA calculates the UAC using the value of the userAccountControl, such as 512 for a NORMAL_ACCOUNT.", + "possible_values": "66050, ACCOUNT_DISABLED", + "recommended": false + }, + "fieldName": "UAC", + "owner": "UBA_HR_Data", + "type": "string", + "fieldSearch": "UAC=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "UAC" + }, + { + "fieldName": "_time", + "owner": "BaseEvent", + "type": "timestamp", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "_time", + "comment": "" + }, + { + "comment": { + "data_type": "string", + "description": "\tValid formats:\nWindows FileTime\nyyyy-MM-dd'T'HH:mm:ss\n %Y-%m-%dT%H:%M:%S.%QZ\nMM/dd/yyyy\nyyyyMMddHHmmss.S'Z'\nyyyyMMdd", + "possible_values": "7/9/19", + "recommended": false + }, + "fieldName": "accountExpires", + "owner": "UBA_HR_Data", + "type": "string", + "fieldSearch": "accountExpires=*", + 
"required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "accountExpires" + }, + { + "comment": { + "data_type": "string", + "description": "City (location) of the user.", + "possible_values": "San Francisco, London", + "recommended": false + }, + "fieldName": "city", + "owner": "UBA_HR_Data", + "type": "string", + "fieldSearch": "city=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "city" + }, + { + "comment": { + "data_type": "string", + "description": "Country of the user.", + "possible_values": "USA, Scotland", + "recommended": false + }, + "fieldName": "co", + "owner": "UBA_HR_Data", + "type": "string", + "fieldSearch": "co=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "co" + }, + { + "comment": { + "data_type": "string", + "description": "Country of the user.", + "possible_values": "USA, Scotland", + "recommended": false + }, + "fieldName": "country", + "owner": "UBA_HR_Data", + "type": "string", + "fieldSearch": "country=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "country" + }, + { + "comment": { + "data_type": "string", + "description": "Whether or not the user has decided to leave the company.", + "possible_values": "true, false", + "recommended": false + }, + "fieldName": "departingUser", + "owner": "UBA_HR_Data", + "type": "string", + "fieldSearch": "departingUser=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "departingUser" + }, + { + "comment": { + "data_type": "string", + "description": "Organizational unit (department) or business unit of the user.", + "possible_values": "Organizational unit (department) or business unit of the user.\t", + "recommended": true + }, + "fieldName": "department", + "owner": "UBA_HR_Data", + "type": "string", + "fieldSearch": "department=*", + 
"required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "department" + }, + { + "comment": { + "data_type": "string", + "description": "The user's full name or a service account name. If this field is empty, the display name is created by using the values in the first name, middle name, and last name fields.\t", + "possible_values": "Shruti Michelle Buttercup", + "recommended": false + }, + "fieldName": "displayName", + "owner": "UBA_HR_Data", + "type": "string", + "fieldSearch": "displayName=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "displayName" + }, + { + "comment": { + "data_type": "string", + "description": "The user's domain + login ID. Supported formats:\nadDomain\\loginId\nadDomain\\\\loginId\nadDomain/loginId\nloginId\\adDomain\nloginId@dnsDomain\nadDomain\\loginId@dnsDomain", + "possible_values": "domain1/smbuttercup", + "recommended": false + }, + "fieldName": "domainLoginId", + "owner": "UBA_HR_Data", + "type": "string", + "fieldSearch": "domainLoginId=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "domainLoginId" + }, + { + "comment": { + "data_type": "string", + "description": "User's email address. 
In some cases, you may find this stored in the userPrincipalName field.", + "possible_values": "smbuttercup@example.com", + "recommended": false + }, + "fieldName": "email", + "owner": "UBA_HR_Data", + "type": "string", + "fieldSearch": "email=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "email" + }, + { + "comment": { + "data_type": "string", + "description": "The type of employee.", + "possible_values": "Contractor", + "recommended": false + }, + "fieldName": "employeeType", + "owner": "UBA_HR_Data", + "type": "string", + "fieldSearch": "employeeType=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "employeeType" + }, + { + "comment": { + "data_type": "string", + "description": "The user's first name. This value is used to compute the display name field if the display name field is empty.", + "possible_values": "Shruti", + "recommended": false + }, + "fieldName": "firstname", + "owner": "UBA_HR_Data", + "type": "string", + "fieldSearch": "firstname=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "firstname" + }, + { + "comment": { + "data_type": "string", + "description": "The user's first name. This value is used to compute the display name field if the display name field is empty.", + "possible_values": "Shruti", + "recommended": true + }, + "fieldName": "givenName", + "owner": "UBA_HR_Data", + "type": "string", + "fieldSearch": "givenName=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "givenName" + }, + { + "comment": { + "data_type": "string", + "description": "List of AD groups that the user is a member of. 
If there are no groups, leave the value blank.", + "possible_values": "ACME-Support, ACME-Finance", + "recommended": false + }, + "fieldName": "groups", + "owner": "UBA_HR_Data", + "type": "string", + "fieldSearch": "groups=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "groups" + }, + { + "comment": { + "data_type": "boolean", + "description": "Whether or not the user is identified as a high risk user, such as an executive.", + "possible_values": "true, false", + "recommended": false + }, + "fieldName": "highRiskUser", + "owner": "UBA_HR_Data", + "type": "boolean", + "fieldSearch": "highRiskUser=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "highRiskUser" + }, + { + "comment": { + "data_type": "string", + "description": "Date the user was hired. Valid formats:\nMM/dd/yyyy\nyyyyMMddHHmmss.S'Z'\nyyyMMdd", + "possible_values": "7/9/19", + "recommended": false + }, + "fieldName": "hireDate", + "owner": "UBA_HR_Data", + "type": "string", + "fieldSearch": "hireDate=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "hireDate" + }, + { + "fieldName": "host", + "owner": "BaseEvent", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "host", + "comment": "" + }, + { + "comment": { + "data_type": "string", + "description": "Code of the user status.", + "possible_values": "\t3", + "recommended": false + }, + "fieldName": "hrstatuscode", + "owner": "UBA_HR_Data", + "type": "string", + "fieldSearch": "hrstatuscode=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "hrstatuscode" + }, + { + "comment": { + "data_type": "string", + "description": "The user's middle name. 
This value is used to compute the display name field if the display name field is empty.", + "possible_values": "Michelle", + "recommended": true + }, + "fieldName": "initials", + "owner": "UBA_HR_Data", + "type": "string", + "fieldSearch": "initials=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "initials" + }, + { + "comment": { + "data_type": "string", + "description": "City (location) of the user.", + "possible_values": "San Francisco, London", + "recommended": false + }, + "fieldName": "l", + "owner": "UBA_HR_Data", + "type": "string", + "fieldSearch": "l=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "l" + }, + { + "comment": { + "data_type": "string", + "description": "Last time the user logged on. Valid formats:\nWindows FileTime\nyyyy-MM-dd'T'HH:mm:ss\n %Y-%m-%dT%H:%M:%S.%QZ\nMM/dd/yyyy\nyyyyMMddHHmmss.S'Z'\nyyyMMdd", + "possible_values": "7/9/19", + "recommended": false + }, + "fieldName": "lastLogon", + "owner": "UBA_HR_Data", + "type": "string", + "fieldSearch": "lastLogon=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "lastLogon" + }, + { + "comment": { + "data_type": "string", + "description": "Valid formats:\nWindows FileTime\nyyyy-MM-dd'T'HH:mm:ss\n %Y-%m-%dT%H:%M:%S.%QZ\nMM/dd/yyyy\nyyyyMMddHHmmss.S'Z'\nyyyMMdd", + "possible_values": "7/9/19", + "recommended": false + }, + "fieldName": "lastLogonTimestamp", + "owner": "UBA_HR_Data", + "type": "string", + "fieldSearch": "lastLogonTimestamp=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "lastLogonTimestamp" + }, + { + "comment": { + "data_type": "string", + "description": "The user's last name. 
This value is used to compute the display name field if the display name field is empty.\t", + "possible_values": "Buttercup", + "recommended": false + }, + "fieldName": "lastname", + "owner": "UBA_HR_Data", + "type": "string", + "fieldSearch": "lastname=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "lastname" + }, + { + "comment": { + "data_type": "string", + "description": "Login ID or username of an account associated with the user.", + "possible_values": "smbuttercup", + "recommended": false + }, + "fieldName": "loginId", + "owner": "UBA_HR_Data", + "type": "string", + "fieldSearch": "loginId=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "loginId" + }, + { + "comment": { + "data_type": "string", + "description": "User's email address. In some cases, you may find this stored in the userPrincipalName field.", + "possible_values": "smbuttercup@example.com", + "recommended": true + }, + "fieldName": "mail", + "owner": "UBA_HR_Data", + "type": "string", + "fieldSearch": "mail=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "mail" + }, + { + "comment": { + "data_type": "string", + "description": "Name or ID of the user's manager.", + "possible_values": "Charlotte Arachnia", + "recommended": false + }, + "fieldName": "manager", + "owner": "UBA_HR_Data", + "type": "string", + "fieldSearch": "manager=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "manager" + }, + { + "comment": { + "data_type": "string", + "description": "Name or ID of the user's manager.", + "possible_values": "Charlotte Arachnia", + "recommended": false + }, + "fieldName": "manageremployeeId", + "owner": "UBA_HR_Data", + "type": "string", + "fieldSearch": "manageremployeeId=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": 
"manageremployeeId" + }, + { + "comment": { + "data_type": "string", + "description": "List of AD groups that the user is a member of. If there are no groups, leave the value blank.", + "possible_values": "ACME-Support, ACME-Finance", + "recommended": false + }, + "fieldName": "memberOf", + "owner": "UBA_HR_Data", + "type": "string", + "fieldSearch": "memberOf=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "memberOf" + }, + { + "comment": { + "data_type": "boolean", + "description": "Whether or not the user is on a performance improvement plan.", + "possible_values": "true, false", + "recommended": false + }, + "fieldName": "onPIP", + "owner": "UBA_HR_Data", + "type": "boolean", + "fieldSearch": "onPIP=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "onPIP" + }, + { + "comment": { + "data_type": "boolean", + "description": "Whether or not the user is on a performance improvement plan.", + "possible_values": "true, false", + "recommended": false + }, + "fieldName": "onPerformanceImprovementPlan", + "owner": "UBA_HR_Data", + "type": "boolean", + "fieldSearch": "onPerformanceImprovementPlan=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "onPerformanceImprovementPlan" + }, + { + "comment": { + "data_type": "string", + "description": "Organizational unit (department) or business unit of the user.", + "possible_values": "Organizational unit (department) or business unit of the user.\t", + "recommended": false + }, + "fieldName": "ou", + "owner": "UBA_HR_Data", + "type": "string", + "fieldSearch": "ou=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "ou" + }, + { + "comment": { + "data_type": "string", + "description": "Phone number of the user.", + "possible_values": "123-456-7890", + "recommended": false + }, + "fieldName": "phone", + "owner": 
"UBA_HR_Data", + "type": "string", + "fieldSearch": "phone=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "phone" + }, + { + "comment": { + "data_type": "string", + "description": "Zip code of the user.", + "possible_values": "94107", + "recommended": false + }, + "fieldName": "postalCode", + "owner": "UBA_HR_Data", + "type": "string", + "fieldSearch": "postalCode=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "postalCode" + }, + { + "comment": { + "data_type": "string", + "description": "The user's first name. This value is used to compute the display name field if the display name field is empty.", + "possible_values": "Shruti", + "recommended": false + }, + "fieldName": "preferredName", + "owner": "UBA_HR_Data", + "type": "string", + "fieldSearch": "preferredName=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "preferredName" + }, + { + "comment": { + "data_type": "string", + "description": "Login ID or username of an account associated with the user.", + "possible_values": "smbuttercup", + "recommended": true + }, + "fieldName": "sAMAccountName", + "owner": "UBA_HR_Data", + "type": "string", + "fieldSearch": "sAMAccountName=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "sAMAccountName" + }, + { + "comment": { + "data_type": "string", + "description": "The user's last name. 
This value is used to compute the display name field if the display name field is empty.\t", + "possible_values": "Buttercup", + "recommended": true + }, + "fieldName": "sn", + "owner": "UBA_HR_Data", + "type": "string", + "fieldSearch": "sn=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "sn" + }, + { + "fieldName": "source", + "owner": "BaseEvent", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "source", + "comment": "" + }, + { + "fieldName": "sourcetype", + "owner": "BaseEvent", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "sourcetype", + "comment": "" + }, + { + "comment": { + "data_type": "string", + "description": "State where the user resides.", + "possible_values": "CA", + "recommended": false + }, + "fieldName": "st", + "owner": "UBA_HR_Data", + "type": "string", + "fieldSearch": "st=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "st" + }, + { + "comment": { + "data_type": "string", + "description": "State where the user resides.", + "possible_values": "CA", + "recommended": false + }, + "fieldName": "state", + "owner": "UBA_HR_Data", + "type": "string", + "fieldSearch": "state=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "state" + }, + { + "comment": { + "data_type": "string", + "description": "Active or inactive status of the user from the HR system.\t", + "possible_values": "Active/InActive", + "recommended": false + }, + "fieldName": "status", + "owner": "UBA_HR_Data", + "type": "string", + "fieldSearch": "status=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "status" + }, + { + "comment": { + "data_type": "string", + "description": "Street 
where the user resides.", + "possible_values": "Main", + "recommended": false + }, + "fieldName": "street", + "owner": "UBA_HR_Data", + "type": "string", + "fieldSearch": "street=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "street" + }, + { + "comment": { + "data_type": "string", + "description": "Street where the user resides.", + "possible_values": "Main", + "recommended": false + }, + "fieldName": "streetAddress", + "owner": "UBA_HR_Data", + "type": "string", + "fieldSearch": "streetAddress=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "streetAddress" + }, + { + "comment": { + "data_type": "string", + "description": "Phone number of the user.", + "possible_values": "123-456-7890", + "recommended": false + }, + "fieldName": "telephoneNumber", + "owner": "UBA_HR_Data", + "type": "string", + "fieldSearch": "telephoneNumber=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "telephoneNumber" + }, + { + "comment": { + "data_type": "boolean", + "description": "Whether or not the user has been terminated.", + "possible_values": "true, false", + "recommended": false + }, + "fieldName": "terminatedUser", + "owner": "UBA_HR_Data", + "type": "boolean", + "fieldSearch": "terminatedUser=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "terminatedUser" + }, + { + "comment": { + "data_type": "string", + "description": "Whether or not the user has been terminated.", + "possible_values": "true, false", + "recommended": false + }, + "fieldName": "terminationDate", + "owner": "UBA_HR_Data", + "type": "string", + "fieldSearch": "terminationDate=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "terminationDate" + }, + { + "comment": { + "data_type": "string", + "description": "The user's title.", + 
"possible_values": "Senior manager, Junior developer", + "recommended": false + }, + "fieldName": "title", + "owner": "UBA_HR_Data", + "type": "string", + "fieldSearch": "title=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "title" + }, + { + "comment": { + "data_type": "boolean", + "description": "Whether or not the user is traveling.", + "possible_values": "true, false", + "recommended": false + }, + "fieldName": "traveling", + "owner": "UBA_HR_Data", + "type": "boolean", + "fieldSearch": "traveling=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "traveling" + }, + { + "comment": { + "data_type": "string", + "description": "\tUser account control code from AD. Use UAC when the value in your HR data is an ENUM value such as NORMAL_ACCOUNT. If a UAC value is not available, Splunk UBA calculates the UAC using the value of the userAccountControl, such as 512 for a NORMAL_ACCOUNT.", + "possible_values": "66050, ACCOUNT_DISABLED", + "recommended": false + }, + "fieldName": "userAccountControl", + "owner": "UBA_HR_Data", + "type": "string", + "fieldSearch": "userAccountControl=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "userAccountControl" + }, + { + "comment": { + "data_type": "string", + "description": "User's email address. 
In some cases, you may find this stored in the userPrincipalName field.", + "possible_values": "smbuttercup@example.com", + "recommended": false + }, + "fieldName": "userPrincipalName", + "owner": "UBA_HR_Data", + "type": "string", + "fieldSearch": "userPrincipalName=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "userPrincipalName" + }, + { + "comment": { + "data_type": "string", + "description": "The type of employee.", + "possible_values": "Contractor", + "recommended": false + }, + "fieldName": "userType", + "owner": "UBA_HR_Data", + "type": "string", + "fieldSearch": "userType=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "userType" + }, + { + "comment": { + "data_type": "string", + "description": "Zip code of the user.", + "possible_values": "94107", + "recommended": false + }, + "fieldName": "zip", + "owner": "UBA_HR_Data", + "type": "string", + "fieldSearch": "zip=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "zip" + } + ], + "calculations": [], + "constraints": [ + { + "search": "index=main", + "owner": "UBA_HR_Data" + } + ], + "lineage": "UBA_HR_Data" + } + ], + "objectNameList": [ + "UBA_HR_Data" + ] +} \ No newline at end of file diff --git a/default/data/models/UBA_Host_AV.json b/default/data/models/UBA_Host_AV.json new file mode 100644 index 0000000..8784298 --- /dev/null +++ b/default/data/models/UBA_Host_AV.json 
@@ -0,0 +1,334 @@ +{ + "modelName": "UBA_Host_AV", + "displayName": "UBA Host AV", + "description": "Splunk UBA Host AV Data Model for CIM Validator App", + "objectSummary": { + "Event-Based": 1, + "Transaction-Based": 0, + "Search-Based": 0 + }, + "objects": [ + { + "objectName": "UBA_Host_AV", + "displayName": "UBA Host AV", + "parentName": "BaseEvent", + "comment": "", + "fields": [ + { + "fieldName": "_time", + "owner": "BaseEvent", + "type": "timestamp", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "_time", + "comment": "" + }, + { + "comment": { + "data_type": "string", + "description": "The action taken by the AV.", + "recommended": true, + "possible_values": "allowed, blocked" + }, + "fieldName": "action", + "owner": "UBA_Host_AV", + "type": "string", + "fieldSearch": "action=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "action" + }, + { + "comment": { + "data_type": "string", + "description": "The categories that this external alarm belongs to. Multiple categories can be separated by comma. 
The values must be one or more of the categories in\u00a0Filter the anomaly table.", + "recommended": false, + "possible_values": "Exfiltration" + }, + "fieldName": "alarmCategories", + "owner": "UBA_Host_AV", + "type": "string", + "fieldSearch": "alarmCategories=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "alarmCategories" + }, + { + "comment": { + "data_type": "string", + "description": "The category of the event, if applicable.", + "recommended": false, + "possible_values": "malware, watchlist.hit.ingress.process" + }, + "fieldName": "category", + "owner": "UBA_Host_AV", + "type": "string", + "fieldSearch": "category=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "category" + }, + { + "comment": { + "data_type": "string", + "description": "The host name of the system that was affected by the malware event.", + "recommended": false, + "possible_values": "winhost2" + }, + "fieldName": "dest_host", + "owner": "UBA_Host_AV", + "type": "string", + "fieldSearch": "dest_host=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dest_host" + }, + { + "comment": { + "data_type": "string", + "description": "The IP address of the system that was affected by the malware event.", + "recommended": true, + "possible_values": "2.2.2.2" + }, + "fieldName": "dest_ip", + "owner": "UBA_Host_AV", + "type": "string", + "fieldSearch": "dest_ip=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dest_ip" + }, + { + "comment": { + "data_type": "string", + "description": "The NT domain of the destination, if applicable.", + "recommended": false, + "possible_values": "acme" + }, + "fieldName": "dest_nt_domain", + "owner": "UBA_Host_AV", + "type": "string", + "fieldSearch": "dest_nt_domain=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": 
true, + "displayName": "dest_nt_domain" + }, + { + "comment": { + "data_type": "integer", + "description": "The amount of time in seconds for the completion of the activity reported by AV.", + "recommended": false, + "possible_values": "241" + }, + "fieldName": "duration", + "owner": "UBA_Host_AV", + "type": "number", + "fieldSearch": "duration=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "duration" + }, + { + "comment": { + "data_type": "string", + "description": "The type of the event.", + "recommended": true, + "possible_values": "symantec_ep_risk_alert_virus" + }, + "fieldName": "eventtype", + "owner": "UBA_Host_AV", + "type": "string", + "fieldSearch": "eventtype=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "eventtype" + }, + { + "comment": { + "data_type": "string", + "description": "Name of the file involved.", + "recommended": false, + "possible_values": "creditcards.xls" + }, + "fieldName": "file_name", + "owner": "UBA_Host_AV", + "type": "string", + "fieldSearch": "file_name=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "file_name" + }, + { + "comment": { + "data_type": "string", + "description": "The path of the file involved.", + "recommended": false, + "possible_values": "c:\\documents" + }, + "fieldName": "file_path", + "owner": "UBA_Host_AV", + "type": "string", + "fieldSearch": "file_path=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "file_path" + }, + { + "fieldName": "host", + "owner": "BaseEvent", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "host", + "comment": "" + }, + { + "comment": { + "data_type": "string", + "description": "The severity of the network protection event.", + "recommended": true, + "possible_values": 
"informational, unknown, low, medium, high, critical" + }, + "fieldName": "severity", + "owner": "UBA_Host_AV", + "type": "string", + "fieldSearch": "severity=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "severity" + }, + { + "comment": { + "data_type": "string", + "description": "The subcategory or signature of the event, if applicable.", + "recommended": false, + "possible_values": "process_blockin" + }, + "fieldName": "signature", + "owner": "UBA_Host_AV", + "type": "string", + "fieldSearch": "signature=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "signature" + }, + { + "fieldName": "source", + "owner": "BaseEvent", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "source", + "comment": "" + }, + { + "fieldName": "sourcetype", + "owner": "BaseEvent", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "sourcetype", + "comment": "" + }, + { + "comment": { + "data_type": "string", + "description": "Splunk UBA categories rely on the tags from CIM-compliant events to correctly parse data from the Splunk platform. Review this table to determine which category in Splunk UBA corresponds to the CIM data model that the events in the Splunk platform are mapped to. 
Click the name of the Splunk UBA category to review the field mappings between Splunk UBA and the CIM data models.", + "recommended": true, + "possible_values": "malware,attack,operations" + }, + "fieldName": "tag", + "owner": "UBA_Host_AV", + "type": "string", + "fieldSearch": "*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "tag" + }, + { + "comment": { + "data_type": "string", + "description": "A URL containing more information about the vulnerability.", + "recommended": false, + "possible_values": "http://www.mydomain.com/a.html" + }, + "fieldName": "url", + "owner": "UBA_Host_AV", + "type": "string", + "fieldSearch": "url=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "url" + }, + { + "comment": { + "data_type": "string", + "description": "The user involved in the activity reported by AV.", + "recommended": false, + "possible_values": "cronaldo" + }, + "fieldName": "user", + "owner": "UBA_Host_AV", + "type": "string", + "fieldSearch": "user=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "user" + } + ], + "calculations": [], + "constraints": [ + { + "search": "`uba_cim_hostav_indexes` malware attack operations", + "owner": "UBA_Host_AV" + } + ], + "lineage": "UBA_Host_AV" + } + ], + "objectNameList": [ + "UBA_Host_AV" + ] +} diff --git a/default/data/models/UBA_IDS_IPS.json b/default/data/models/UBA_IDS_IPS.json new file mode 100644 index 0000000..04e4e4c --- /dev/null +++ b/default/data/models/UBA_IDS_IPS.json 
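Review bot: Several field descriptions in UBA_Host_AV.json read as copied from other models and do not describe this one: `alarmCategories` calls the record "this external alarm" and ends in a dangling reference to a docs table (`in\u00a0Filter the anomaly table`, with a non-breaking space), `severity` speaks of "the network protection event", and `url` of "the vulnerability". The `tag` description is page boilerplate about reviewing a table and clicking a category name rather than a description of the field; something like `"description": "CIM tags the event must carry for Splunk UBA to classify it as host AV data; the constraint search lists the required values."` says what the constraint on this model actually enforces. For `alarmCategories`, `"description": "Comma-separated Splunk UBA anomaly categories this AV event maps to."` keeps the meaning without the copied reference. The `url` sample `http://www.mydomain.com/a.html` uses a domain not reserved for documentation; the HR model already uses `example.com`, so `http://www.example.com/a.html` keeps the samples consistent.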
@@ -0,0 +1,307 @@ +{ + "modelName": "UBA_IDS_IPS", + "displayName": "UBA_IDS_IPS", + "description": "", + "objectSummary": { + "Event-Based": 1, + "Transaction-Based": 0, + "Search-Based": 0 + }, + "objects": [ + { + "objectName": "UBA_IDS_IPS", + "displayName": "UBA_IDS_IPS", + "parentName": "BaseEvent", + "comment": "", + "fields": [ + { + "fieldName": "alarmCategories", + "owner": "UBA_IDS_IPS", + "type": "string", + "fieldSearch": "alarmCategories=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "alarmCategories", + "comment": "" + }, + { + "fieldName": "action", + "owner": "UBA_IDS_IPS", + "type": "string", + "fieldSearch": "action=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "action", + "comment": "" + }, + { + "fieldName": "dest_ip", + "owner": "UBA_IDS_IPS", + "type": "string", + "fieldSearch": "dest_ip=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dest_ip", + "comment": "" + }, + { + "fieldName": "eventtype", + "owner": "UBA_IDS_IPS", + "type": "string", + "fieldSearch": "eventtype=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "eventtype", + "comment": "" + }, + { + "fieldName": "severity", + "owner": "UBA_IDS_IPS", + "type": "string", + "fieldSearch": "severity=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "severity", + "comment": "" + }, + { + "fieldName": "signature", + "owner": "UBA_IDS_IPS", + "type": "string", + "fieldSearch": "signature=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "signature", + "comment": "" + }, + { + "fieldName": "src_ip", + "owner": "UBA_IDS_IPS", + "type": "string", + "fieldSearch": "src_ip=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": 
"src_ip", + "comment": "" + }, + { + "fieldName": "bytes_in", + "owner": "UBA_IDS_IPS", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "bytes_in", + "comment": "" + }, + { + "fieldName": "bytes_out", + "owner": "UBA_IDS_IPS", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "bytes_out", + "comment": "" + }, + { + "fieldName": "bytes", + "owner": "UBA_IDS_IPS", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "bytes", + "comment": "" + }, + { + "fieldName": "category", + "owner": "UBA_IDS_IPS", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "category", + "comment": "" + }, + { + "fieldName": "dest_host", + "owner": "UBA_IDS_IPS", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dest_host", + "comment": "" + }, + { + "fieldName": "dest_port", + "owner": "UBA_IDS_IPS", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dest_port", + "comment": "" + }, + { + "fieldName": "duration", + "owner": "UBA_IDS_IPS", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "duration", + "comment": "" + }, + { + "fieldName": "ids_type", + "owner": "UBA_IDS_IPS", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "ids_type", + "comment": "" + }, + { + "fieldName": "src_host", + "owner": "UBA_IDS_IPS", + "type": "string", + "fieldSearch": "", + "required": false, + 
"multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_host", + "comment": "" + }, + { + "fieldName": "src_port", + "owner": "UBA_IDS_IPS", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_port", + "comment": "" + }, + { + "fieldName": "user", + "owner": "UBA_IDS_IPS", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "user", + "comment": "" + }, + { + "fieldName": "tag", + "owner": "UBA_IDS_IPS", + "type": "string", + "fieldSearch": "*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "tag", + "comment": "" + }, + { + "fieldName": "_time", + "owner": "BaseEvent", + "type": "timestamp", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "_time", + "comment": "" + }, + { + "fieldName": "host", + "owner": "BaseEvent", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "host", + "comment": "" + }, + { + "fieldName": "source", + "owner": "BaseEvent", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "source", + "comment": "" + }, + { + "fieldName": "sourcetype", + "owner": "BaseEvent", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "sourcetype", + "comment": "" + } + ], + "calculations": [], + "constraints": [ + { + "search": "index=main", + "owner": "UBA_IDS_IPS" + } + ], + "lineage": "UBA_IDS_IPS" + } + ], + "objectNameList": [ + "UBA_IDS_IPS" + ] +} 
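Review bot: The constraint search for UBA_IDS_IPS is the hard-coded `index=main`, whereas UBA_Host_AV constrains on a per-model indexes macro plus the tags UBA needs (`` `uba_cim_hostav_indexes` malware attack operations ``); with `index=main` the validator reports no events for deployments that keep IDS data in any other index and never checks that the events carry the expected tags, so a gap in detection coverage goes unnoticed. The same hard-coded constraint appears in UBA_Printer.json and UBA_HR_Data.json in this commit. The fix is an indexes macro for this model defined alongside `uba_cim_hostav_indexes`, used in the constraint together with the required tag values in the form Host_AV uses. Separately, `bytes`, `bytes_in`, `bytes_out`, `dest_port`, `src_port` and `duration` are typed `"string"` here while `duration` in UBA_Host_AV and the `bytes*` fields in UBA_VPN are `"number"` (UBA_Printer's `file_size`, `total_pages` and `page_printed` have the same issue), and every field carries `"comment": ""` with the model-level `"description": ""`, so the dictionary view has nothing to show for this model.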
diff --git a/default/data/models/UBA_Printer.json b/default/data/models/UBA_Printer.json
new file mode 100644
index 0000000..5a09709
--- /dev/null
+++ b/default/data/models/UBA_Printer.json
@@ -0,0 +1,319 @@ +{ + "modelName": "UBA_Printer", + "displayName": "UBA_Printer", + "description": "", + "objectSummary": { + "Event-Based": 1, + "Transaction-Based": 0, + "Search-Based": 0 + }, + "objects": [ + { + "objectName": "UBA_Printer", + "displayName": "UBA_Printer", + "parentName": "BaseEvent", + "comment": "", + "fields": [ + { + "fieldName": "file_name", + "owner": "UBA_Printer", + "type": "string", + "fieldSearch": "file_name=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "file_name", + "comment": "" + }, + { + "fieldName": "signature", + "owner": "UBA_Printer", + "type": "string", + "fieldSearch": "signature=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "signature", + "comment": "" + }, + { + "fieldName": "user", + "owner": "UBA_Printer", + "type": "string", + "fieldSearch": "user=*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "user", + "comment": "" + }, + { + "fieldName": "data_type", + "owner": "UBA_Printer", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "data_type", + "comment": "" + }, + { + "fieldName": "driver_process", + "owner": "UBA_Printer", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "driver_process", + "comment": "" + }, + { + "fieldName": "file_size", + "owner": "UBA_Printer", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "file_size", + "comment": "" + }, + { + "fieldName": "job_id", + "owner": "UBA_Printer", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "job_id", + "comment": "" + }, + { + 
"fieldName": "operation", + "owner": "UBA_Printer", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "operation", + "comment": "" + }, + { + "fieldName": "page_printed", + "owner": "UBA_Printer", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "page_printed", + "comment": "" + }, + { + "fieldName": "parameters", + "owner": "UBA_Printer", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "parameters", + "comment": "" + }, + { + "fieldName": "print_processor", + "owner": "UBA_Printer", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "print_processor", + "comment": "" + }, + { + "fieldName": "printer", + "owner": "UBA_Printer", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "printer", + "comment": "" + }, + { + "fieldName": "priority", + "owner": "UBA_Printer", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "priority", + "comment": "" + }, + { + "fieldName": "src_host", + "owner": "UBA_Printer", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_host", + "comment": "" + }, + { + "fieldName": "src_ip", + "owner": "UBA_Printer", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_ip", + "comment": "" + }, + { + "fieldName": "status", + "owner": "UBA_Printer", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": 
false, + "hidden": false, + "editable": true, + "displayName": "status", + "comment": "" + }, + { + "fieldName": "submitted_time", + "owner": "UBA_Printer", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "submitted_time", + "comment": "" + }, + { + "fieldName": "total_pages", + "owner": "UBA_Printer", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "total_pages", + "comment": "" + }, + { + "fieldName": "type", + "owner": "UBA_Printer", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "type", + "comment": "" + }, + { + "fieldName": "tag", + "owner": "UBA_Printer", + "type": "string", + "fieldSearch": "*", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "tag", + "comment": "" + }, + { + "fieldName": "_time", + "owner": "BaseEvent", + "type": "timestamp", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "_time", + "comment": "" + }, + { + "fieldName": "host", + "owner": "BaseEvent", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "host", + "comment": "" + }, + { + "fieldName": "source", + "owner": "BaseEvent", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "source", + "comment": "" + }, + { + "fieldName": "sourcetype", + "owner": "BaseEvent", + "type": "string", + "fieldSearch": "", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "sourcetype", + "comment": "" + } + ], + "calculations": [], + "constraints": [ + { + "search": "index=main", + 
"owner": "UBA_Printer"
+ }
+ ],
+ "lineage": "UBA_Printer"
+ }
+ ],
+ "objectNameList": [
+ "UBA_Printer"
+ ]
+}
diff --git a/default/data/models/UBA_VPN.json b/default/data/models/UBA_VPN.json
new file mode 100644
index 0000000..af7b4e7
--- /dev/null
+++ b/default/data/models/UBA_VPN.json
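Review bot: `submitted_time` in UBA_Printer.json is typed `"string"` although the same field list uses the `timestamp` type for `_time`; if the source emits a time value, `"type": "timestamp"` lets the validator check it as one rather than as free text. The field named `type` sits in a record whose schema key is also `type`, which is valid JSON but easy to misread when scanning the file; a short why-comment is not possible in strict JSON, so a clearer `displayName` would be the place to disambiguate it if the dictionary view shows display names. With `required: true` on `file_name`, `signature`, `user` and `tag` but `"description": ""` and no tag values anywhere in the file, a reader cannot tell which tags UBA expects on printer events.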
@@ -0,0 +1,380 @@
+{
+ "modelName": "UBA_VPN",
+ "displayName": "UBA VPN",
+ "description": "Splunk UBA VPN Data Model for CIM Validator App. To properly parse traffic flow in a VPN connection, Splunk UBA requires network, session, vpn.",
+ "objectSummary": {
+ "Event-Based": 3,
+ "Transaction-Based": 0,
+ "Search-Based": 0
+ },
+ "objects": [
+ {
+ "objectName": "UBA_VPN",
+ "displayName": "UBA VPN",
+ "parentName": "BaseEvent",
+ "comment": "",
+ "fields": [
+ {
+ "fieldName": "_time",
+ "owner": "BaseEvent",
+ "type": "timestamp",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "_time",
+ "comment": ""
+ },
+ {
+ "comment": {
+ "data_type": "integer",
+ "description": "The total number of bytes transferred by the device corresponding to the\u00a0src_ip\u00a0(bytes_in + bytes_out).",
+ "recommended": false,
+ "possible_values": "1168"
+ },
+ "fieldName": "bytes",
+ "owner": "UBA_VPN",
+ "type": "number",
+ "fieldSearch": "bytes=*",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "bytes"
+ },
+ {
+ "comment": {
+ "data_type": "integer",
+ "description": "The number of bytes received by the device corresponding to the\u00a0src_ip\u00a0(downloads).",
+ "recommended": false,
+ "possible_values": "1028"
+ },
+ "fieldName": "bytes_in",
+ "owner": "UBA_VPN",
+ "type": "number",
+ "fieldSearch": "bytes_in=*",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "bytes_in"
+ },
+ {
+ "comment": {
+ "data_type": "integer",
+ "description": "The number of bytes sent out by the device corresponding to the\u00a0src_ip\u00a0(uploads).",
+ "recommended": false,
+ "possible_values": "140"
+ },
+ "fieldName": "bytes_out",
+ "owner": "UBA_VPN",
+ "type": "number",
+ "fieldSearch": "bytes_out=*",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "bytes_out"
+ },
+ {
+ "comment": {
+ "data_type": "string",
+ "description": "The IP address of the destination device.",
+ "recommended": false,
+ "possible_values": "192.168.1.2"
+ },
+ "fieldName": "dest_ip",
+ "owner": "UBA_VPN",
+ "type": "string",
+ "fieldSearch": "dest_ip=*",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "dest_ip"
+ },
+ {
+ "comment": {
+ "data_type": "integer",
+ "description": "The duration in seconds of the VPN session. This field is expected when an\u00a0end\u00a0tag is present.",
+ "recommended": false,
+ "possible_values": "2000"
+ },
+ "fieldName": "duration",
+ "owner": "UBA_VPN",
+ "type": "number",
+ "fieldSearch": "duration=*",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "duration"
+ },
+ {
+ "fieldName": "host",
+ "owner": "BaseEvent",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "host",
+ "comment": ""
+ },
+ {
+ "fieldName": "source",
+ "owner": "BaseEvent",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "source",
+ "comment": ""
+ },
+ {
+ "fieldName": "sourcetype",
+ "owner": "BaseEvent",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "sourcetype",
+ "comment": ""
+ },
+ {
+ "comment": {
+ "data_type": "string",
+ "description": "The IP address of the originator of the request.",
+ "recommended": true,
+ "possible_values": "11.12.13.14"
+ },
+ "fieldName": "src_ip",
+ "owner": "UBA_VPN",
+ "type": "string",
+ "fieldSearch": "src_ip=*",
+ "required": true,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "src_ip"
+ },
+ {
+ "comment": {
+ "data_type": "string",
+ "description": "Splunk UBA categories rely on the tags from CIM-compliant events to correctly parse data from the Splunk platform. Review this table to determine which category in Splunk UBA corresponds to the CIM data model that the events in the Splunk platform are mapped to. Click the name of the Splunk UBA category to review the field mappings between Splunk UBA and the CIM data models. See VPN categories for VPN specific combinations",
+ "recommended": true,
+ "possible_values": "network,session,vpn"
+ },
+ "fieldName": "tag",
+ "owner": "UBA_VPN",
+ "type": "string",
+ "fieldSearch": "*",
+ "required": true,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "tag"
+ },
+ {
+ "comment": {
+ "data_type": "string",
+ "description": "The name of the user for whom the authentication is being performed.",
+ "recommended": true,
+ "possible_values": "user2"
+ },
+ "fieldName": "user",
+ "owner": "UBA_VPN",
+ "type": "string",
+ "fieldSearch": "user=*",
+ "required": true,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "user"
+ }
+ ],
+ "calculations": [],
+ "constraints": [
+ {
+ "search": "`uba_cim_vpn_indexes` network session vpn",
+ "owner": "UBA_VPN"
+ }
+ ],
+ "lineage": "UBA_VPN"
+ },
+ {
+ "objectName": "UBA_VPN_End",
+ "displayName": "UBA VPN End",
+ "parentName": "UBA_VPN",
+ "comment": "",
+ "fields": [
+ {
+ "fieldName": "bytes",
+ "owner": "UBA_VPN",
+ "type": "number",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "bytes",
+ "comment": ""
+ },
+ {
+ "fieldName": "bytes_in",
+ "owner": "UBA_VPN",
+ "type": "number",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "bytes_in",
+ "comment": ""
+ },
+ {
+ "fieldName": "bytes_out",
+ "owner": "UBA_VPN",
+ "type": "number",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "bytes_out",
+ "comment": ""
+ },
+ {
+ "fieldName": "dest_ip",
+ "owner": "UBA_VPN",
+ "type": "ipv4",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "dest_ip",
+ "comment": ""
+ },
+ {
+ "fieldName": "duration",
+ "owner": "UBA_VPN",
+ "type": "number",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "duration",
+ "comment": ""
+ },
+ {
+ "fieldName": "src_ip",
+ "owner": "UBA_VPN",
+ "type": "ipv4",
+ "fieldSearch": "src_ip=*",
+ "required": true,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "src_ip",
+ "comment": ""
+ },
+ {
+ "fieldName": "user",
+ "owner": "UBA_VPN",
+ "type": "string",
+ "fieldSearch": "user=*",
+ "required": true,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "user",
+ "comment": ""
+ },
+ {
+ "fieldName": "_time",
+ "owner": "BaseEvent",
+ "type": "timestamp",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "_time",
+ "comment": ""
+ },
+ {
+ "fieldName": "host",
+ "owner": "BaseEvent",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "host",
+ "comment": ""
+ },
+ {
+ "fieldName": "source",
+ "owner": "BaseEvent",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "source",
+ "comment": ""
+ },
+ {
+ "fieldName": "sourcetype",
+ "owner": "BaseEvent",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "sourcetype",
+ "comment": ""
+ }
+ ],
+ "calculations": [],
+ "constraints": [
+ {
+ "search": "end",
+ "owner": "UBA_VPN.UBA_VPN_End"
+ }
+ ],
+ "lineage": "UBA_VPN.UBA_VPN_End"
+ },
+ {
+ "objectName": "UBA_VPN_Start",
+ "displayName": "UBA VPN Start",
+ "parentName": "UBA_VPN",
+ "comment": "",
+ "fields": [],
+ "calculations": [],
+ "constraints": [
+ {
+ "search": "start",
+ "owner": "UBA_VPN.UBA_VPN_Start"
+ }
+ ],
+ "lineage": "UBA_VPN.UBA_VPN_Start"
+ }
+ ],
+ "objectNameList": [
+ "UBA_VPN",
+ "UBA_VPN_End",
+ "UBA_VPN_Start"
+ ]
+}
diff --git a/default/data/models/UBA_Web_Proxy.json b/default/data/models/UBA_Web_Proxy.json
new file mode 100644
index 0000000..47e911d
--- /dev/null
+++ b/default/data/models/UBA_Web_Proxy.json
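Review bot: The constraints on all three objects are bare search terms — `` `uba_cim_vpn_indexes` network session vpn `` on UBA_VPN, `end` on UBA_VPN_End and `start` on UBA_VPN_Start — which match those words anywhere in the raw event rather than the CIM tags the model description says are required; if tags are intended, the constraints should read `` `uba_cim_vpn_indexes` tag=network tag=session tag=vpn ``, `tag=end` and `tag=start`. The UBA_Web_Proxy hunk below uses the same form (`web proxy`), and the `uba_cim_vpn_end_indexes` / `uba_cim_vpn_start_indexes` macros added in macros.conf are not referenced by the two child constraints. Separately, UBA_VPN_End re-declares `dest_ip` and `src_ip` with `"type": "ipv4"` while the parent UBA_VPN declares both as `"string"` (and UBA_VPN_Start declares no fields), so one field carries two types inside a single model; the child re-declarations look redundant given their `"owner": "UBA_VPN"`, and if they stay they should match the parent's type.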
@@ -0,0 +1,368 @@
+{
+ "modelName": "UBA_Web_Proxy",
+ "displayName": "UBA Web Proxy",
+ "description": "Splunk UBA Web Proxy Data Model for CIM Validator App.",
+ "objectSummary": {
+ "Event-Based": 1,
+ "Transaction-Based": 0,
+ "Search-Based": 0
+ },
+ "objects": [
+ {
+ "objectName": "UBA_Web_Proxy",
+ "displayName": "UBA Web Proxy",
+ "parentName": "BaseEvent",
+ "comment": "",
+ "fields": [
+ {
+ "fieldName": "_time",
+ "owner": "BaseEvent",
+ "type": "timestamp",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "_time",
+ "comment": ""
+ },
+ {
+ "comment": {
+ "data_type": "string",
+ "description": "The action taken by the server or proxy. If this value is not present, it can be derived from the status field.",
+ "recommended": true,
+ "possible_values": "allowed, blocked"
+ },
+ "fieldName": "action",
+ "owner": "UBA_Web_Proxy",
+ "type": "string",
+ "fieldSearch": "action=*",
+ "required": true,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "action"
+ },
+ {
+ "comment": {
+ "data_type": "integer",
+ "description": "The total number of bytes transferred (bytes_in + bytes_out).",
+ "recommended": false,
+ "possible_values": "1168"
+ },
+ "fieldName": "bytes",
+ "owner": "UBA_Web_Proxy",
+ "type": "number",
+ "fieldSearch": "bytes=*",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "bytes"
+ },
+ {
+ "comment": {
+ "data_type": "integer",
+ "description": "The number of inbound bytes transferred.",
+ "recommended": true,
+ "possible_values": "1028"
+ },
+ "fieldName": "bytes_in",
+ "owner": "UBA_Web_Proxy",
+ "type": "number",
+ "fieldSearch": "bytes_in=*",
+ "required": true,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "bytes_in"
+ },
+ {
+ "comment": {
+ "data_type": "integer",
+ "description": "The number of outbound bytes transferred.",
+ "recommended": true,
+ "possible_values": "140"
+ },
+ "fieldName": "bytes_out",
+ "owner": "UBA_Web_Proxy",
+ "type": "number",
+ "fieldSearch": "bytes_out=*",
+ "required": true,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "bytes_out"
+ },
+ {
+ "comment": {
+ "data_type": "string",
+ "description": "The category of traffic provided by the proxy server.",
+ "recommended": false,
+ "possible_values": "entertainment"
+ },
+ "fieldName": "category",
+ "owner": "UBA_Web_Proxy",
+ "type": "string",
+ "fieldSearch": "category=*",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "category"
+ },
+ {
+ "comment": {
+ "data_type": "string",
+ "description": "The IP address of the remote host.",
+ "recommended": false,
+ "possible_values": "2.2.2.2"
+ },
+ "fieldName": "dest_ip",
+ "owner": "UBA_Web_Proxy",
+ "type": "string",
+ "fieldSearch": "dest_ip=*",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "dest_ip"
+ },
+ {
+ "comment": {
+ "data_type": "integer",
+ "description": "The time in milliseconds taken by the proxy event.",
+ "recommended": false,
+ "possible_values": "241"
+ },
+ "fieldName": "duration",
+ "owner": "UBA_Web_Proxy",
+ "type": "number",
+ "fieldSearch": "duration=*",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "duration"
+ },
+ {
+ "fieldName": "host",
+ "owner": "BaseEvent",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "host",
+ "comment": ""
+ },
+ {
+ "comment": {
+ "data_type": "string",
+ "description": "The content-type of the requested HTTP resource.",
+ "recommended": true,
+ "possible_values": "image/gif"
+ },
+ "fieldName": "http_content_type",
+ "owner": "UBA_Web_Proxy",
+ "type": "string",
+ "fieldSearch": "http_content_type=*",
+ "required": true,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "http_content_type"
+ },
+ {
+ "comment": {
+ "data_type": "string",
+ "description": "The HTTP method used in the request.",
+ "recommended": true,
+ "possible_values": "GET"
+ },
+ "fieldName": "http_method",
+ "owner": "UBA_Web_Proxy",
+ "type": "string",
+ "fieldSearch": "http_method=*",
+ "required": true,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "http_method"
+ },
+ {
+ "comment": {
+ "data_type": "string",
+ "description": "The HTTP referrer used in the request.",
+ "recommended": false,
+ "possible_values": "referrer.acme.com"
+ },
+ "fieldName": "http_referrer",
+ "owner": "UBA_Web_Proxy",
+ "type": "string",
+ "fieldSearch": "http_referrer=*",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "http_referrer"
+ },
+ {
+ "comment": {
+ "data_type": "string",
+ "description": "The user agent used in the request.",
+ "recommended": true,
+ "possible_values": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
+ },
+ "fieldName": "http_user_agent",
+ "owner": "UBA_Web_Proxy",
+ "type": "string",
+ "fieldSearch": "http_user_agent=*",
+ "required": true,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "http_user_agent"
+ },
+ {
+ "comment": {
+ "data_type": "integer",
+ "description": "The amount of time it took to receive a response, if applicable, in milliseconds.",
+ "recommended": false,
+ "possible_values": "200"
+ },
+ "fieldName": "response_time",
+ "owner": "UBA_Web_Proxy",
+ "type": "number",
+ "fieldSearch": "response_time=*",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "response_time"
+ },
+ {
+ "fieldName": "source",
+ "owner": "BaseEvent",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "source",
+ "comment": ""
+ },
+ {
+ "fieldName": "sourcetype",
+ "owner": "BaseEvent",
+ "type": "string",
+ "fieldSearch": "",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "sourcetype",
+ "comment": ""
+ },
+ {
+ "comment": {
+ "data_type": "string",
+ "description": "The source of the network traffic, such as the client requesting the connection.",
+ "recommended": true,
+ "possible_values": "10.10.10.12"
+ },
+ "fieldName": "src_ip",
+ "owner": "UBA_Web_Proxy",
+ "type": "string",
+ "fieldSearch": "src_ip=*",
+ "required": true,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "src_ip"
+ },
+ {
+ "comment": {
+ "data_type": "integer",
+ "description": "The HTTP response code indicating the status of the proxy request.",
+ "recommended": true,
+ "possible_values": "200"
+ },
+ "fieldName": "status",
+ "owner": "UBA_Web_Proxy",
+ "type": "number",
+ "fieldSearch": "status=*",
+ "required": true,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "status"
+ },
+ {
+ "comment": {
+ "data_type": "string",
+ "description": "Splunk UBA categories rely on the tags from CIM-compliant events to correctly parse data from the Splunk platform. Review this table to determine which category in Splunk UBA corresponds to the CIM data model that the events in the Splunk platform are mapped to. Click the name of the Splunk UBA category to review the field mappings between Splunk UBA and the CIM data models.",
+ "recommended": true,
+ "possible_values": "web,proxy"
+ },
+ "fieldName": "tag",
+ "owner": "UBA_Web_Proxy",
+ "type": "string",
+ "fieldSearch": "*",
+ "required": true,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "tag"
+ },
+ {
+ "comment": {
+ "data_type": "string",
+ "description": "The URL accessed in the request.",
+ "recommended": true,
+ "possible_values": "http://subdomain.acme.com/index.html"
+ },
+ "fieldName": "url",
+ "owner": "UBA_Web_Proxy",
+ "type": "string",
+ "fieldSearch": "url=*",
+ "required": true,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "url"
+ },
+ {
+ "comment": {
+ "data_type": "string",
+ "description": "The user that requested the HTTP resource.",
+ "recommended": false,
+ "possible_values": "cronaldo"
+ },
+ "fieldName": "user",
+ "owner": "UBA_Web_Proxy",
+ "type": "string",
+ "fieldSearch": "user=*",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "user"
+ }
+ ],
+ "calculations": [],
+ "constraints": [
+ {
+ "search": "`uba_cim_webproxy_indexes` web proxy",
+ "owner": "UBA_Web_Proxy"
+ }
+ ],
+ "lineage": "UBA_Web_Proxy"
+ }
+ ],
+ "objectNameList": [
+ "UBA_Web_Proxy"
+ ]
+}
diff --git a/default/data/ui/views/cim_dictionary.xml b/default/data/ui/views/cim_dictionary.xml
index 04354b8..00aa63f 100644
--- a/default/data/ui/views/cim_dictionary.xml
+++ b/default/data/ui/views/cim_dictionary.xml
@@ -1,19 +1,21 @@
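Review bot: The `tag` field's `comment.description` is a pasted documentation paragraph ("Review this table to determine which category…", "Click the name of the Splunk UBA category…") that refers to a table and links that do not exist in this file, and the dictionary dashboard in this patch renders `comment.description` directly, so that text will appear verbatim there; a one-line description such as `"Tags that identify CIM-compliant web proxy events; all listed tags are expected to be present."` would be accurate. The same paragraph is used for `tag` in the UBA_VPN hunk above. A smaller point: `status` is typed `"number"` here, whereas the `Web.status` row removed from lookups/cim_dictionary.csv at the end of this patch typed it `string`; both are workable for an HTTP code, but the divergence from the previous dictionary deserves a word in the description or the commit message.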
-
- - +
+ + + Any + Core, ES + UBA * + * - + - Any - | inputlookup cim_validation_dictionary | stats count by datamodel + | datamodel | spath modelName | table modelName | eval product_type=if(like(modelName, "UBA_%"), "uba", "core") | search product_type=$product_type|s$ | sort modelName - datamodel - datamodel - * + modelName + modelName
@@ -26,14 +28,26 @@ + + - - Datamodel count - - | stats dc(datamodel) + +
Information is populated based on the datamodel definition metadata.
+ +
+
+ + + + Datamodel definition information + + | datamodel $dm|s$ | spath | table modelName, displayName, description + -24h@h + now - - + + +
@@ -41,16 +55,36 @@ Dictionary - | inputlookup cim_validation_dictionary | search datamodel="$dm$" field="$field$" | fields - cim_version + | datamodel $dm$ + | spath + | spath path=objects{}.fields{} output=v + | spath path=objects{}.calculations{}.outputFields{} output=u + | eval w=mvappend(v,u) + | fields modelName w + | mvexpand w + + | eval data_type=json_extract(w,"type") + | eval description=json_extract(w,"comment.description") + | eval field=json_extract(w,"fieldName") + | eval object=json_extract(w,"owner") + | eval expected_values=json_array_to_mv(json_extract(w,"comment.expected_values")) + + | rename modelName AS datamodel + | table datamodel field data_type description object expected_values + 0 - - - + - + + + + + + +
- + \ No newline at end of file diff --git a/default/data/ui/views/cim_validator.xml b/default/data/ui/views/cim_validator.xml index 56e533a..44236d9 100644 --- a/default/data/ui/views/cim_validator.xml +++ b/default/data/ui/views/cim_validator.xml @@ -12,10 +12,18 @@ datamodel search + + + Any + Core + UBA + * + * + - | datamodel | spath modelName | table modelName | sort modelName + | datamodel | spath modelName | table modelName | eval product_type=if(like(modelName, "UBA_%"), "uba", "core") | search product_type=$product_type|s$ | sort modelName modelName modelName @@ -137,7 +145,8 @@ 1==1 -
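Review bot: The new dictionary search interpolates the model token unquoted — `| datamodel $dm$` — while the adjacent panel and the other searches in this commit use `$dm|s$` / `$product_type|s$`; dashboard tokens can be supplied through the URL, so the unquoted form lets extra SPL be appended to a search that runs with the viewer's permissions, and `| datamodel $dm|s$` keeps the value a single quoted argument. The expected-values column is built with `json_extract(w,"comment.expected_values")`, but every model file added in this patch stores its examples under `comment.possible_values` (see the UBA_VPN and UBA_Web_Proxy hunks above), so that column will be empty for all of them unless one of the two names changes. The XML markup in this hunk has been stripped by extraction, so the surrounding panel structure is not visible here.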
denotes recommended fields based on use within ES and UBA products.
+
+ denotes recommended fields based on use within ES and UBA products.
Data Model $dm$ (and sub models) uses these fields: @@ -175,4 +184,4 @@ - + \ No newline at end of file diff --git a/default/datamodels.conf b/default/datamodels.conf new file mode 100644 index 0000000..c15aee9 --- /dev/null +++ b/default/datamodels.conf @@ -0,0 +1,46 @@ +[UBA_Badge] + +[UBA_DLP] + +[UBA_DLP_Email] + +[UBA_Authentication] + +[UBA_Cloud_Storage] + +[UBA_DHCP] + +[UBA_DNS] + +[UBA_Email] + +[UBA_External_Alarm] + +[UBA_Firewall] + +[UBA_Host_AV] + +[UBA_IDS_IPS] + +[UBA_VPN] + +[UBA_Web_Proxy] + +[UBA_Endpoint_Port] + +[UBA_Endpoint_Processes] + +[UBA_Endpoint_Services] + +[UBA_Endpoint_Registry] + +[UBA_Endpoint_Filesystem] + +[UBA_Printer] + +[UBA_Database] + +[UBA_HR_Data] + +[UBA_Asset_Data] + diff --git a/default/macros.conf b/default/macros.conf new file mode 100644 index 0000000..38ef3ae --- /dev/null +++ b/default/macros.conf 
@@ -0,0 +1,95 @@
+[uba_cim_authentication_indexes]
+definition = index=main
+iseval = 0
+
+[uba_cim_badge_indexes]
+definition = index=main
+iseval = 0
+
+[uba_cim_cloud_indexes]
+definition = index=main
+iseval = 0
+
+[uba_cim_database_indexes]
+definition = index=main
+iseval = 0
+
+[uba_cim_dhcp_indexes]
+definition = index=main
+iseval = 0
+
+[uba_cim_dlp_email_indexes]
+definition = index=main
+iseval = 0
+
+[uba_cim_dlp_indexes]
+definition = index=main
+iseval = 0
+
+[uba_cim_dns_indexes]
+definition = index=main
+iseval = 0
+
+[uba_cim_email_indexes]
+definition = index=main
+iseval = 0
+
+[uba_cim_endpoint_filesystem_indexes]
+definition = index=main
+iseval = 0
+
+[uba_cim_endpoint_port_indexes]
+definition = index=main
+iseval = 0
+
+[uba_cim_endpoint_process_indexes]
+definition = index=main
+iseval = 0
+
+[uba_cim_endpoint_registry_indexes]
+definition = index=main
+iseval = 0
+
+[uba_cim_endpoint_service_indexes]
+definition = index=main
+iseval = 0
+
+[uba_cim_external_alarm_indexes]
+definition = index=main
+iseval = 0
+
+[uba_cim_firewall_indexes]
+definition = index=main
+iseval = 0
+
+[uba_cim_hostav_indexes]
+definition = index=main
+iseval = 0
+
+[uba_cim_ids_indexes]
+definition = index=main
+iseval = 0
+
+[uba_cim_printer_indexes]
+definition = index=main
+iseval = 0
+
+[uba_cim_vpn_end_indexes]
+definition = index=main
+iseval = 0
+
+[uba_cim_vpn_indexes]
+definition = index=main
+iseval = 0
+
+[uba_cim_vpn_start_indexes]
+definition = index=main
+iseval = 0
+
+[uba_cim_webproxy_indexes]
+definition = index=main
+iseval = 0
+
+[uba_cim_endpoint_indexes]
+definition = index=main
+iseval = 0
diff --git a/default/transforms.conf b/default/transforms.conf
index 962cff0..3459b75 100644
--- a/default/transforms.conf
+++ b/default/transforms.conf
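Review bot: All 24 macros resolve to `index=main`, which looks like a placeholder rather than a real index scope, and nothing in the file says the values are meant to be overridden; a header comment such as `# Placeholder index scopes: override each macro in local/macros.conf to point at the indexes that hold your CIM-tagged data.` would make that explicit. Several macros also have no visible consumer: `uba_cim_vpn_end_indexes` and `uba_cim_vpn_start_indexes` are not used by the UBA_VPN child constraints (which are bare `end` / `start`), and the UBA_Printer constraint visible at the top of this chunk hardcodes `index=main` instead of calling `` `uba_cim_printer_indexes` ``. `uba_cim_endpoint_process_indexes` and `uba_cim_endpoint_service_indexes` are named unlike the `UBA_Endpoint_Processes` / `UBA_Endpoint_Services` models; that is fine if those model files reference these exact names, but they are outside this chunk.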
@@ -3,9 +3,6 @@
 filename = cim_validator_field_regex.csv
 match_type = WILDCARD(field)
 max_matches = 1
-[cim_validation_dictionary]
-filename = cim_dictionary.csv
-
 [cim_validator_recommended_fields]
 filename = cim_validator_recommended_fields.csv
 default_match = false
diff --git a/lookups/cim_dictionary.csv b/lookups/cim_dictionary.csv
deleted file mode 100644
index 8c940a3..0000000
--- a/lookups/cim_dictionary.csv
+++ /dev/null
@@ -1,710 +0,0 @@
-cim_version,datamodel,object,field,data_type,description,possible_values
-4.3.1,Web,Web,action,string,The action taken by the server or proxy.,
-4.3.1,Web,Web,app,string,"The app recording the data, such as IIS, Squid, or Bluecoat.",
-4.3.1,Web,Web,bytes,number,The total number of bytes transferred (bytes_in + bytes_out).,
-4.3.1,Web,Web,bytes_in,number,The number of inbound bytes transferred.,
-4.3.1,Web,Web,bytes_out,number,The number of outbound bytes transferred.,
-4.3.1,Web,Web,cached,boolean,Indicates whether the event data is cached or not.,"true, false, 1, 0"
-4.3.1,Web,Web,category,string,"The category of traffic, such as may be provided by a proxy server.",
-4.3.1,Web,Web,cookie,string,The cookie file recorded in the event.,
-4.3.1,Web,Web,dest,string,"The destination of the network traffic (the remote host). You can alias this from more specific fields, such as dest_host, dest_ip, ordest_name.",
-4.3.1,Web,Web,dest_bunit,string,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons.,
-4.3.1,Web,Web,dest_category,string,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons.,
-4.3.1,Web,Web,dest_priority,string,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons.,
-4.3.1,Web,Web,duration,number,"The time taken by the proxy event, in milliseconds.",
-4.3.1,Web,Web,http_content_type,string,The content-type of the requested HTTP resource.,
-4.3.1,Web,Web,http_method,string,The HTTP method used in the request.,"GET, PUT,POST, DELETE, etc."
-4.3.1,Web,Web,http_referrer,string,The HTTP referrer used in the request. The W3C specification and many implementations misspell this as http_referer. A FIELDALIAS is recommended to handle both key names.,
-4.3.1,Web,Web,http_user_agent,string,The user agent used in the request.,
-4.3.1,Web,Web,http_user_agent_length,number,The length of the user agent used in the request.,
-4.3.1,Web,Web,response_time,number,"The amount of time it took to receive a response, if applicable, in milliseconds.",
-4.3.1,Web,Web,site,string,"The virtual site which services the request, if applicable.",
-4.3.1,Web,Web,src,string,The source of the network traffic (the client requesting the connection).,
-4.3.1,Web,Web,src_bunit,string,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons.,
-4.3.1,Web,Web,src_category,string,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons.,
-4.3.1,Web,Web,src_priority,string,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons.,
-4.3.1,Web,Web,status,string,The HTTP response code indicating the status of the proxy request.,"404, 302, 500, and so on."
-4.3.1,Web,Web,tag,string,This automatically generated field is used to access tags from within datamodels. Add-on builders do not need to populate it.,
-4.3.1,Web,Web,uri_path,string,The universal resource indicator path of the resource served by the webserver or proxy.,
-4.3.1,Web,Web,uri_query,string,The universal resource indicator path of the resource requested by the client.,
-4.3.1,Web,Web,url,string,The URL of the requested HTTP resource.,
-4.3.1,Web,Web,url_length,number,The length of the URL.,
-4.3.1,Web,Web,user,string,The user that requested the HTTP resource.,
-4.3.1,Web,Web,user_bunit,string,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons.,
-4.3.1,Web,Web,user_category,string,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons.,
-4.3.1,Web,Web,user_priority,string,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons.,
-4.3.1,Web,Web,vendor_product,string,"The vendor of the proxy server, such as Squid Proxy Server.",
-4.3.1,Alerts,Alerts,app,string,"The application involved in the event, such as win:app:trendmicro, vmware,nagios.",
-4.3.1,Alerts,Alerts,body,string,The body of a message.,
-4.3.1,Alerts,Alerts,dest,string,"The destination where the alert message was sent to, such as an email address or SNMP trap. You can alias this from more specific fields, such as dest_host,dest_ip, or dest_name.",
-4.3.1,Alerts,Alerts,dest_bunit,string,The business unit associated with the destination.,
-4.3.1,Alerts,Alerts,dest_category,string,The category of the destination.,
-4.3.1,Alerts,Alerts,dest_priority,string,The priority of the destination.,
-4.3.1,Alerts,Alerts,id,string,The unique identifier of a message.,
-4.3.1,Alerts,Alerts,severity,string,"The severity of a message. Note: This field is a string. Please use aseverity_id field for severity ID fields that are integer data types. Specific values are required. Please use vendor_severity for the vendor's own human-readable strings (such as Good, Bad, Really Bad, and so on).","critical, high, medium, low,informational, unknown"
-4.3.1,Alerts,Alerts,severity_id,string,A numeric severity indicator for a message.,
-4.3.1,Alerts,Alerts,src,string,"The source of the message. You can aliasthis from more specific fields, such assrc_host, src_ip, or src_name.",
-4.3.1,Alerts,Alerts,src_bunit,string,The business unit associated with the source.,
-4.3.1,Alerts,Alerts,src_category,string,The category of the source.,
-4.3.1,Alerts,Alerts,src_priority,string,The priority of the source.,
-4.3.1,Alerts,Alerts,subject,string,The message subject.,
-4.3.1,Alerts,Alerts,type,string,The message type.,"alarm, alert, event, task, unknown"
-4.3.1,Application_State,All_Application_State,dest,string,"The compute resource where the service is installed. You can alias this from more specific fields, such asdest_host, dest_ip, ordest_name.",
-4.3.1,Application_State,All_Application_State,dest_bunit,string,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons.,
-4.3.1,Application_State,All_Application_State,dest_category,string,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons.,
-4.3.1,Application_State,All_Application_State,dest_priority,string,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons.,
-4.3.1,Application_State,All_Application_State,dest_requires_av,boolean,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons.,
-4.3.1,Application_State,All_Application_State,dest_should_timesync,boolean,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons.,
-4.3.1,Application_State,All_Application_State,dest_should_update,boolean,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons.,
-4.3.1,Application_State,All_Application_State,process,string,"The name of a process or service file, such as sqlsrvr.exe or httpd. Note: This field is not appropriate for service or daemon names, such asSQL Server or Apache Web Server. Service or daemon names belong to the service field (see below). Also, note that this field is a string. Please use a process_id field for process ID fields that are integer data types.",
-4.3.1,Application_State,All_Application_State,process_id,string,A numeric indicator (PID) for a process.,
-4.3.1,Application_State,All_Application_State,tag,string,This automatically generated field is used to access tags from within data models. Add-on builders do not need to populate it.,
-4.3.1,Application_State,All_Application_State,user,string,"The user account the service is running as, such as System orhttpdsvc.",
-4.3.1,Application_State,All_Application_State,user_bunit,string,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons.,
-4.3.1,Application_State,All_Application_State,user_category,string,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons.,
-4.3.1,Application_State,All_Application_State,user_priority,string,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons.,
-4.3.1,Application_State,Ports,dest_port,number,"Network ports communicated to by the process, such as 53.",
-4.3.1,Application_State,Ports,transport,string,"The network ports listened to by the application process, such as tcp, udp, etc.",
-4.3.1,Application_State,Ports,transport_dest_port,string,"Calculated as transport/dest_port, such as tcp/53.",
-4.3.1,Application_State,Processes,cpu_load_mhz,number,CPU Load in megahertz,
-4.3.1,Application_State,Processes,cpu_load_percent,number,CPU Load in percent,
-4.3.1,Application_State,Processes,cpu_time,string,CPU Time,
-4.3.1,Application_State,Processes,mem_used,number,Memory used in bytes,
-4.3.1,Application_State,Services,service,string,"The name of the service, such as SQL Server or Apache Web Server. Note: This field is not appropriate for filenames, such as sqlsrvr.exe orhttpd. Filenames should belong to the process field instead. Also, note that field is a string. Please use theservice_id field for service ID fields that are integer data types.",
-4.3.1,Application_State,Services,service_id,string,A numeric indicator for a service.,
-4.3.1,Application_State,Services,start_mode,string,The start mode for the service.,"disabled, enabled, auto."
-4.3.1,Application_State,Services,status,string,The status of the service.,"critical, started,stopped, warning"
-4.3.1,Authentication,Authentication,action,string,The action performed on the resource.,"success, failure,unknown"
-4.3.1,Authentication,Authentication,app,string,"The application involved in the event (such asssh, splunk, win:local).",
-4.3.1,Authentication,Authentication,dest,string,"The target involved in the authentication. You canalias this from more specific fields, such asdest_host, dest_ip, or dest_nt_host.",
-4.3.1,Authentication,Authentication,dest_bunit,string,The business unit of the authentication target. This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security.,
-4.3.1,Authentication,Authentication,dest_category,string,"The category of the authentication target, such asemail_server or SOX-compliant. This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security.",
-4.3.1,Authentication,Authentication,dest_nt_domain,string,"The name of the Active Directory used by the authentication target, if applicable.",
-4.3.1,Authentication,Authentication,dest_priority,string,The priority of the authentication target.,
-4.3.1,Authentication,Authentication,duration,number,"The amount of time for the completion of the authentication event, in seconds.",
-4.3.1,Authentication,Authentication,response_time,number,"The amount of time it took to receive a response in the authentication event, in seconds.",
-4.3.1,Authentication,Authentication,src,string,"The source involved in the authentication. In the case of endpoint protection authentication thesrc is the client. You can alias this from more specific fields, such as src_host, src_ip, orsrc_nt_host. Note: Do not confuse src with the event sourceor sourcetype fields.",
-4.3.1,Authentication,Authentication,src_bunit,string,The business unit of the authentication source. This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security.,
-4.3.1,Authentication,Authentication,src_category,string,"The category of the authentication source, such asemail_server or SOX-compliant. 
This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security.", -4.3.1,Authentication,Authentication,src_nt_domain,string,"The name of the Active Directory used by the authentication source, if applicable.", -4.3.1,Authentication,Authentication,src_priority,string,The priority of the authentication source., -4.3.1,Authentication,Authentication,src_user,string,"In privilege escalation events, src_userrepresents the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.", -4.3.1,Authentication,Authentication,src_user_bunit,string,The business unit of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed., -4.3.1,Authentication,Authentication,src_user_category,string,The category of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed., -4.3.1,Authentication,Authentication,src_user_priority,string,The priority of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed., -4.3.1,Authentication,Authentication,tag,string,A tag associated with the authentication event., -4.3.1,Authentication,Authentication,user,string,"The name of the user involved in the event, or who initiated the event. For authentication privilege escalation events this should represent the user targeted by the escalation.", -4.3.1,Authentication,Authentication,user_bunit,string,"The business unit of the user involved in the event, or who initiated the event. For authentication privilege escalation events this should represent the user targeted by the escalation.", -4.3.1,Authentication,Authentication,user_category,string,"The category of the user involved in the event, or who initiated the event. 
For authentication privilege escalation events this should represent the user targeted by the escalation.", -4.3.1,Authentication,Authentication,user_priority,string,"The priority of the user involved in the event, or who initiated the event. For authentication privilege escalation events this should represent the user targeted by the escalation.", -4.3.1,Certificates,All_Certificates,dest,string,The target in the certificate management event., -4.3.1,Certificates,All_Certificates,dest_bunit,string,The business unit of the target. This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security., -4.3.1,Certificates,All_Certificates,dest_category,string,"The category of the target, such asemail_server or SOX-compliant. This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security.", -4.3.1,Certificates,All_Certificates,dest_port,number,The port number of the target., -4.3.1,Certificates,All_Certificates,dest_priority,string,The priority of the target., -4.3.1,Certificates,All_Certificates,duration,number,"The amount of time for the completion of the certificate management event, in seconds.", -4.3.1,Certificates,All_Certificates,response_time,number,"The amount of time it took to receive a response in the certificate management event, if applicable.", -4.3.1,Certificates,All_Certificates,src,string,"The source involved in the certificate management event. You can alias this from more specific fields, such as src_host, src_ip, or src_nt_host. Note: Do not confuse src with the event sourceor sourcetype fields.", -4.3.1,Certificates,All_Certificates,src_bunit,string,The business unit of the certificate management source. 
This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security., -4.3.1,Certificates,All_Certificates,src_category,string,"The category of the certificate management source, such as email_server or SOX-compliant. This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security.", -4.3.1,Certificates,All_Certificates,src_priority,string,The priority of the certificate management source., -4.3.1,Certificates,All_Certificates,tag,string,This automatically generated field is used to access tags from within datamodels. Add-on builders do not need to populate it., -4.3.1,Certificates,All_Certificates,transport,string,The transport protocol of the Network Traffic involved with this certificate., -4.3.1,Certificates,SSL,ssl_end_time,time,The expiry time of the certificate., -4.3.1,Certificates,SSL,ssl_engine,string,The name of the signature engine that created the certificate., -4.3.1,Certificates,SSL,ssl_hash,string,The hash of the certificate., -4.3.1,Certificates,SSL,ssl_is_valid,boolean,Indicator of whether the ssl certificate is valid or not.,"true, false, 1, 0" -4.3.1,Certificates,SSL,ssl_issuer,string,The certificate issuer's RFC2253 Distinguished Name., -4.3.1,Certificates,SSL,ssl_issuer_common_name,string,The certificate issuer's common name., -4.3.1,Certificates,SSL,ssl_issuer_email,string,The certificate issuer's email address., -4.3.1,Certificates,SSL,ssl_issuer_locality,string,The certificate issuer's locality., -4.3.1,Certificates,SSL,ssl_issuer_organization,string,The certificate issuer's organization., -4.3.1,Certificates,SSL,ssl_issuer_state,string,The certificate issuer's state of residence., -4.3.1,Certificates,SSL,ssl_issuer_street,string,The certificate issuer's street address., -4.3.1,Certificates,SSL,ssl_issuer_unit,string,The certificate issuer's organizational unit., 
-4.3.1,Certificates,SSL,ssl_name,string,The name of the ssl certificate., -4.3.1,Certificates,SSL,ssl_policies,string,The Object Identification Numbers's of the certificate's policies in a comma separated string., -4.3.1,Certificates,SSL,ssl_publickey,string,The certificates public key., -4.3.1,Certificates,SSL,ssl_publickey_algorithm,string,The algorithm used to create the public key., -4.3.1,Certificates,SSL,ssl_serial,string,The certificates serial number., -4.3.1,Certificates,SSL,ssl_session_id,string,The session identifier for this certificate., -4.3.1,Certificates,SSL,ssl_signature_algorithm,string,The algorithm used by the Certificate Authority to sign the certificate., -4.3.1,Certificates,SSL,ssl_start_time,time,This is the start date and time for this certificate's validity., -4.3.1,Certificates,SSL,ssl_subject,string,The certificate owner's RFC2253 Distinguished Name., -4.3.1,Certificates,SSL,ssl_subject_common_name,string,This certificate owners common name., -4.3.1,Certificates,SSL,ssl_subject_email,string,The certificate owners e-mail address., -4.3.1,Certificates,SSL,ssl_subject_locality,string,The certificate owners locality., -4.3.1,Certificates,SSL,ssl_subject_state,string,The certificate owners state of residence., -4.3.1,Certificates,SSL,ssl_subject_street,string,The certificate owners street address., -4.3.1,Certificates,SSL,ssl_subject_unit,string,The certificate owner's organizational unit., -4.3.1,Certificates,SSL,ssl_validity_window,number,The length of time (in seconds) for which this certificate is valid., -4.3.1,Certificates,SSL,ssl_version,string,The ssl version of this certificate., -4.3.1,Change_Analysis,All_Changes,action,string,The action performed on the resource.,"created, read, modified,deleted, acl_modified,unknown" -4.3.1,Change_Analysis,All_Changes,change_type,string,"The type of change, such asfilesystem or AAA(authentication, authorization, and accounting).", -4.3.1,Change_Analysis,All_Changes,command,string,The command that 
initiated the change., -4.3.1,Change_Analysis,All_Changes,dest,string,"The resource where change occurred. You can alias this from more specific fields, such asdest_host, dest_ip, ordest_name.", -4.3.1,Change_Analysis,All_Changes,dest_bunit,string,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons., -4.3.1,Change_Analysis,All_Changes,dest_category,string,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons., -4.3.1,Change_Analysis,All_Changes,dest_priority,string,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons., -4.3.1,Change_Analysis,All_Changes,dvc,string,"The device that reported the change, if applicable, such as a FIP or CIM server. You can alias this from more specific fields, such asdvc_host, dvc_ip, or dvc_name.", -4.3.1,Change_Analysis,All_Changes,object,string,"Name of the affected object on the resource (such as a router interface, user account, or server volume).", -4.3.1,Change_Analysis,All_Changes,object_attrs,string,"The attributes that were updated on the updated resource object, if applicable.", -4.3.1,Change_Analysis,All_Changes,object_category,string,Generic name for the class of the updated resource object. 
Expected values may be specific to an App.,"directory, file, group,object, registry, unknown,user" -4.3.1,Change_Analysis,All_Changes,object_id,string,"The unique updated resource object ID as presented to the system, if applicable (for instance, a SID, UUID, or GUID value).", -4.3.1,Change_Analysis,All_Changes,object_path,string,"The path of the modified resource object, if applicable (such as a file, directory, or volume).", -4.3.1,Change_Analysis,All_Changes,result,string,"The vendor-specific result of a change, or clarification of anaction status. For instance,status=failure may be accompanied by result=blocked by policy or result=disk full. Note: result is a string. Please use a msg_severity_idfield for severity ID fields that are integer data types.", -4.3.1,Change_Analysis,All_Changes,result_id,string,A result indicator for an actionstatus., -4.3.1,Change_Analysis,All_Changes,src,string,"The resource where the change was originated. You can alias this from more specific fields, such assrc_host, src_ip, or src_name.", -4.3.1,Change_Analysis,All_Changes,src_bunit,string,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons., -4.3.1,Change_Analysis,All_Changes,src_category,string,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons., -4.3.1,Change_Analysis,All_Changes,src_priority,string,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. 
They should be left blank when writing add-ons., -4.3.1,Change_Analysis,All_Changes,status,string,Status of the update.,"success, failure, unknown" -4.3.1,Change_Analysis,All_Changes,tag,string,This automatically generated field is used to access tags from within datamodels. Add-on builders do not need to populate it., -4.3.1,Change_Analysis,All_Changes,user,string,The user or entity performing the change (can be UID or PID)., -4.3.1,Change_Analysis,All_Changes,vendor_product,string,The product or service that detected the vulnerability., -4.3.1,Change_Analysis,Account_Management,dest_nt_domain,string,"The NT domain of the destination, if applicable.", -4.3.1,Change_Analysis,Account_Management,src_nt_domain,string,"The NT domain of the source, if applicable.", -4.3.1,Change_Analysis,Account_Management,src_user,string,"The user associated with the source, if applicable.", -4.3.1,Change_Analysis,Account_Management,src_user_bunit,string,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons., -4.3.1,Change_Analysis,Account_Management,src_user_category,string,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons., -4.3.1,Change_Analysis,Account_Management,src_user_priority,string,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. 
They should be left blank when writing add-ons., -4.3.1,Change_Analysis,Filesystem_Changes,file_access_time,time,The time the file (the object of the event) was accessed., -4.3.1,Change_Analysis,Filesystem_Changes,file_acl,string,Access controls associated with the file affected by the event., -4.3.1,Change_Analysis,Filesystem_Changes,file_create_time,time,The time the file (the object of the event) was created., -4.3.1,Change_Analysis,Filesystem_Changes,file_hash,string,A cryptographic identifier assigned to the file object affected by the event., -4.3.1,Change_Analysis,Filesystem_Changes,file_modify_time,time,The time the file (the object of the event) was altered., -4.3.1,Change_Analysis,Filesystem_Changes,file_name,string,The name of the file that is the object of the event (without location information related to local file or directory structure)., -4.3.1,Change_Analysis,Filesystem_Changes,file_path,string,"The location of the file that is the object of the event, in local file and directory structure terms.", -4.3.1,Change_Analysis,Filesystem_Changes,file_size,number,"The size of the file that is the object of the event, in kilobytes.", -4.3.1,Databases,All_Databases,dest,string,"The destination of the database event. 
You can alias this from more specific fields, such asdest_host, dest_ip, ordest_name.", -4.3.1,Databases,All_Databases,dest_bunit,string,The business unit of the destination., -4.3.1,Databases,All_Databases,dest_category,string,The category of the destination., -4.3.1,Databases,All_Databases,dest_priority,string,"The priority of the destination, if applicable.", -4.3.1,Databases,All_Databases,duration,number,"The amount of time for the completion of the database event, in seconds.", -4.3.1,Databases,All_Databases,object,string,The name of the database object., -4.3.1,Databases,All_Databases,response_time,number,"The amount of time it took to receive a response in the database event, if applicable.", -4.3.1,Databases,All_Databases,src,string,"The source of the database event. You can alias this from more specific fields, such assrc_host, src_ip, orsrc_name.", -4.3.1,Databases,All_Databases,src_bunit,string,The business unit of the source., -4.3.1,Databases,All_Databases,src_category,string,The category of the source., -4.3.1,Databases,All_Databases,src_priority,string,The priority of the source., -4.3.1,Databases,All_Databases,tag,string,This automatically generated field is used to access tags from within data models. Add-on builders do not need to populate it.., -4.3.1,Databases,All_Databases,user,string,Name of the database process user., -4.3.1,Databases,All_Databases,user_bunit,string,The business unit of the user., -4.3.1,Databases,All_Databases,user_category,string,The category associated with the user., -4.3.1,Databases,All_Databases,user_priority,string,The priority of the user., -4.3.1,Databases,All_Databases,vendor_product,string,"The vendor product name of the database system. 
You can extract this from the fieldsvendor and product in the raw event data, if available.", -4.3.1,Databases,Database_Instance,instance_name,string,The name of the database instance., -4.3.1,Databases,Database_Instance,instance_version,string,The version of the database instance., -4.3.1,Databases,Database_Instance,process_limit,number,The maximum number of processes that the database instance can handle., -4.3.1,Databases,Database_Instance,session_limit,number,The maximum number of sessions that the database instance can handle., -4.3.1,Databases,Instance_Stats,availability,string,The status of the database server.,"Available, Not Available" -4.3.1,Databases,Instance_Stats,avg_executions,number,The average number of executions for the database instance., -4.3.1,Databases,Instance_Stats,dump_area_used,string,The amount of the database dump area that has been used., -4.3.1,Databases,Instance_Stats,instance_reads,number,The total number of reads for the database instance., -4.3.1,Databases,Instance_Stats,instance_writes,number,The total number of writes for the database instance., -4.3.1,Databases,Instance_Stats,number_of_users,number,The total number of users for the database instance., -4.3.1,Databases,Instance_Stats,processes,number,The number of processes currently running for the database instance., -4.3.1,Databases,Instance_Stats,sessions,number,The total number of sessions currently in use for the database instance., -4.3.1,Databases,Instance_Stats,sga_buffer_cache_size,number,"The total size of the buffer cache for the database instance, in bytes.", -4.3.1,Databases,Instance_Stats,sga_buffer_hit_limit,number,The maximum number of number of buffers that can be hit in the database instance without finding a free buffer., -4.3.1,Databases,Instance_Stats,sga_data_dict_hit_ratio,number,The hit-to-miss ratio for the database instance's data dictionary., -4.3.1,Databases,Instance_Stats,sga_fixed_area_size,number,"The size of the fixed area (also referred to as the 
fixed SGA) for the database instance, in bytes.", -4.3.1,Databases,Instance_Stats,sga_free_memory,number,"The total amount of free memory in the database instance SGA, in bytes.", -4.3.1,Databases,Instance_Stats,sga_library_cache_size,number,"The total library cache size for the database instance, in bytes.", -4.3.1,Databases,Instance_Stats,sga_redo_log_buffer,number,"The total size of the redo log buffer for the database instance, in bytes", -4.3.1,Databases,Instance_Stats,sga_shared_pool,number,"The total size of the shared pool for this database instance, in bytes.", -4.3.1,Databases,Instance_Stats,sga_sql_area_size,number,"The total size of the SQL area for this database instance, in bytes.", -4.3.1,Databases,Instance_Stats,start_time,time,The total amount of uptime for the database instance., -4.3.1,Databases,Instance_Stats,tablespace_used,string,"The total amount of tablespace used for the database instance, in bytes.", -4.3.1,Databases,Session_Info,buffer_cache_hit_ratio,number,The percentage of logical reads from the buffer during the session (1-physical reads/session logical reads*100)., -4.3.1,Databases,Session_Info,commits,number,The number of commits per second performed by the user associated with the session., -4.3.1,Databases,Session_Info,cpu_used,number,The number of CPU centiseconds used by the session. 
Divide this value by 100 to get the CPU seconds., -4.3.1,Databases,Session_Info,cursor,number,The number of the cursor currently in use by the session., -4.3.1,Databases,Session_Info,elapsed_time,number,"The total amount of time elapsed since the user started the session by logging into the database server, in seconds.", -4.3.1,Databases,Session_Info,logical_reads,number,The total number of consistent gets and database block gets performed during the session., -4.3.1,Databases,Session_Info,machine,string,The name of the logical host associated with the database instance., -4.3.1,Databases,Session_Info,memory_sorts,number,The total number of memory sorts performed during the session., -4.3.1,Databases,Session_Info,physical_reads,number,The total number of physical reads performed during the session., -4.3.1,Databases,Session_Info,seconds_in_wait,number,"The description ofseconds_in_wait depends on the value of wait_time. Ifwait_time = 0,seconds_in_wait is the number of seconds spent in the current wait condition. Ifwait_time has a nonzero value, seconds_in_wait is the number of seconds that have elapsed since the start of the last wait. You can get the active seconds that have elapsed since the last wait ended by calculating seconds_in_wait - wait_time / 100.", -4.3.1,Databases,Session_Info,session_id,string,The unique id that identifies the session., -4.3.1,Databases,Session_Info,session_status,string,The current status of the session.,"Online, Offline." -4.3.1,Databases,Session_Info,table_scans,number,Number of table scans performed during the session., -4.3.1,Databases,Session_Info,wait_state,string,Provides the current wait state for the session. 
Can indicate that the session is currently waiting or provide information about the session's last wait.,"WAITING (the session is currently waiting), WAITED UNKNOWN TIME (the duration of the last session wait is unknown),WAITED SHORT TIME (the last session wait was < 1/100th of a second), WAITED KNOWN TIME(the wait_time is the duration of the last session wait)." -4.3.1,Databases,Session_Info,wait_time,number,"When wait_time = 0, the session is waiting. Whenwait_time has a nonzero value, it is displaying the last wait time for the session.", -4.3.1,Databases,Lock_Info,last_call_minute,number,"Represents the amount of time elapsed since thesession_status changed to its current status. The definition of this field depends on thesession_status value. Ifsession_status = ONLINE, the last_call_minute value represents the time elapsed since the session became active. If session_status = OFFLINE, the last_call_minute value represents the time elapsed since the session became inactive.", -4.3.1,Databases,Lock_Info,lock_mode,string,The mode of the lock on the object., -4.3.1,Databases,Lock_Info,lock_session_id,string,The session identifier of the locked object., -4.3.1,Databases,Lock_Info,logon_time,number,The database logon time for the session., -4.3.1,Databases,Lock_Info,obj_name,string,The name of the locked object., -4.3.1,Databases,Lock_Info,os_pid,string,The process identifier for the operating system., -4.3.1,Databases,Lock_Info,serial_num,string,The mode of the lock on the object., -4.3.1,Databases,Database_Query,query,string,The full database query., -4.3.1,Databases,Database_Query,query_id,string,The identifier for the database query., -4.3.1,Databases,Database_Query,query_time,time,The time the system initiated the database query., -4.3.1,Databases,Database_Query,records_affected,number,The number of records affected by the database query., -4.3.1,Databases,Tablespace,free_bytes,number,"The total amount of free space in the tablespace, in bytes.", 
-4.3.1,Databases,Tablespace,tablespace_name,string,The name of the tablespace., -4.3.1,Databases,Tablespace,tablespace_reads,number,The number of tablespace reads carried out by the query., -4.3.1,Databases,Tablespace,tablespace_status,string,The status of the tablespace.,"Offline, Online, Read Only" -4.3.1,Databases,Tablespace,tablespace_writes,number,The number of tablespace writes carried out by the query., -4.3.1,Databases,Query_Stats,indexes_hit,string,The names of the index or indexes hit by the database query., -4.3.1,Databases,Query_Stats,query_plan_hit,string,The name of the query plan hist by the query., -4.3.1,Databases,Query_Stats,stored_procedures_called,string,The names of the stored procedures called by the query., -4.3.1,Databases,Query_Stats,tables_hit,string,The names of the tables hit by the query., -4.3.1,Email,Email,action,string,Action taken by the reporting device.,"delivered, blocked, quarantined,deleted, unknown" -4.3.1,Email,Email,delay,number,Total sending delay in milliseconds., -4.3.1,Email,Email,dest,string,"The endpoint system to which the message was delivered. 
You can aliasthis from more specific fields, such asdest_host, dest_ip, or dest_name.", -4.3.1,Email,Email,dest_bunit,string,The business unit of the endpoint system to which the message was delivered., -4.3.1,Email,Email,dest_category,string,The category of the endpoint system to which the message was delivered., -4.3.1,Email,Email,dest_priority,string,The priority of the endpoint system to which the message was delivered., -4.3.1,Email,Email,duration,number,"The amount of time for the completion of the messaging event, in seconds.", -4.3.1,Email,Email,file_hash,string,"The hash(es) for the file(s) attached to the message, if any exist.", -4.3.1,Email,Email,file_name,string,"The name(s) of the file(s) attached to the message, if any exist.", -4.3.1,Email,Email,file_size,number,"The size of the file(s) attached the message, if they exist..", -4.3.1,Email,Email,internal_message_id,string,"Host-specific unique message identifier (such as aid in sendmail, IMI in Domino, Internal-Message-ID in Exchange, and MID in Ironport).", -4.3.1,Email,Email,message_id,string,The globally-unique message identifier., -4.3.1,Email,Email,message_info,string,Additional information about the message., -4.3.1,Email,Email,orig_dest,string,The original destination host of the message. The message destination host can change when a message is relayed or bounced., -4.3.1,Email,Email,orig_recipient,string,The original recipient of the message. 
The message recipient can change when the original email address is an alias and has to be resolved to the actual recipient., -4.3.1,Email,Email,orig_src,string,The original source of the message., -4.3.1,Email,Email,process,string,"The name of the email executable that carries out the message transaction, such as sendmail, postfix, or the name of an email client.", -4.3.1,Email,Email,process_id,number,The numeric identifier of the process invoked to send the message., -4.3.1,Email,Email,protocol,string,"The email protocol involved, such asSMTP or RPC.", -4.3.1,Email,Email,recipient,string,"A field listing individual recipient email addresses, such asrecipient=""foo@splunk.com"",recipient=""bar@splunk.com"".", -4.3.1,Email,Email,recipient_count,number,The total number of intended message recipients., -4.3.1,Email,Email,recipient_status,string,"The recipient delivery status, if available.", -4.3.1,Email,Email,response_time,number,"The amount of time it took to receive a response in the messaging event, if applicable.", -4.3.1,Email,Email,retries,number,"The number of times that the message was automatically resent because it was bounced back, or a similar transmission error condition.", -4.3.1,Email,Email,return_addr,string,The return address for the message., -4.3.1,Email,Email,size,number,"The size of the message, in bytes.", -4.3.1,Email,Email,src,string,"The system that sent the message. 
You can alias this from more specific fields, such as src_host, src_ip, orsrc_name.", -4.3.1,Email,Email,src_bunit,string,The business unit of the system that sent the message., -4.3.1,Email,Email,src_category,string,The category of the system that sent the message., -4.3.1,Email,Email,src_priority,string,The priority of the system that sent the message., -4.3.1,Email,Email,src_user,string,The email address of the message sender., -4.3.1,Email,Email,src_user_bunit,string,The business unit of the message sender., -4.3.1,Email,Email,src_user_category,string,The category of the message sender., -4.3.1,Email,Email,src_user_priority,string,The priority of the message sender., -4.3.1,Email,Email,status_code,string,The status code associated with the message., -4.3.1,Email,Email,subject,string,The subject of the message., -4.3.1,Email,Email,tag,string,"The tag(s) associated with the message, if any exist.", -4.3.1,Email,Email,url,string,"The URL associated with the message, if any.", -4.3.1,Email,Email,user,string,"The user context for the process. This is not the email address for the sender. For that, look at the src_user field.", -4.3.1,Email,Email,user_bunit,string,The business unit of the user context for the process., -4.3.1,Email,Email,user_category,string,The category of the user context for theprocess., -4.3.1,Email,Email,user_priority,string,The priority of the user context for theprocess., -4.3.1,Email,Email,vendor_product,string,The vendor of the email server used for the email transaction., -4.3.1,Email,Email,xdelay,string,Extended delay information for the message transaction. May contain details of all the delays from all the servers in the message transmission chain., -4.3.1,Email,Email,xref,string,An external reference. 
Can contain message IDs or recipient addresses from related messages., -4.3.1,Email,Filtering,filter_action,string,"The status produced by the filter, such as ""accepted"", ""rejected"", or ""dropped"".", -4.3.1,Email,Filtering,filter_score,number,Numeric indicator assigned to specific emails by an email filter., -4.3.1,Email,Filtering,signature,string,The name of the filter applied., -4.3.1,Email,Filtering,signature_extra,string,Any additional information about the filter., -4.3.1,Email,Filtering,signature_id,string,The id associated with the filter name., -4.3.1,Interprocess_Messaging,All_Interprocess_Messaging,dest,string,"The destination of the message. You canalias this from more specific fields, such asdest_host, dest_ip, or dest_name.", -4.3.1,Interprocess_Messaging,All_Interprocess_Messaging,dest_bunit,string,The business unit of the destination., -4.3.1,Interprocess_Messaging,All_Interprocess_Messaging,dest_category,string,The type of message destination.,"queue,topic" -4.3.1,Interprocess_Messaging,All_Interprocess_Messaging,dest_priority,string,The priority of the destination., -4.3.1,Interprocess_Messaging,All_Interprocess_Messaging,duration,number,The number of seconds from message call to message response. 
Can be derived by getting the difference between therequest_sent_time and themessage_received_time., -4.3.1,Interprocess_Messaging,All_Interprocess_Messaging,endpoint,string,The endpoint that the message accessed during the RPC (remote procedure call) transaction., -4.3.1,Interprocess_Messaging,All_Interprocess_Messaging,endpoint_version,string,"The version of the endpoint accessed during the RPC (remote procedure call) transaction, such as 1.0 or 1.22.", -4.3.1,Interprocess_Messaging,All_Interprocess_Messaging,message,string,A command or reference that an RPC (remote procedure call) reads or responds to., -4.3.1,Interprocess_Messaging,All_Interprocess_Messaging,message_consumed_time,time,The time that the RPC (remote procedure call) read the message and was prepared to take some sort of action., -4.3.1,Interprocess_Messaging,All_Interprocess_Messaging,message_correlation_id,string,The message correlation identification value., -4.3.1,Interprocess_Messaging,All_Interprocess_Messaging,message_delivered_time,time,The time that the message producer sent the message., -4.3.1,Interprocess_Messaging,All_Interprocess_Messaging,message_delivery_mode,string,"The message delivery mode. Possible values depend on the type of message-oriented middleware (MOM) solution in use. They can be words like Transient (meaning the message is stored in memory and is lost if the server dies or restarts) or Persistent(meaning the message is stored both in memory and on disk and is preserved if the server dies or restarts). They can also be numbers like 1, 2, and so on.", -4.3.1,Interprocess_Messaging,All_Interprocess_Messaging,message_expiration_time,time,The time that the message expired., -4.3.1,Interprocess_Messaging,All_Interprocess_Messaging,message_id,string,The message identification., -4.3.1,Interprocess_Messaging,All_Interprocess_Messaging,message_priority,string,"The priority of the message. 
Important jobs that the message queue should answer no matter what receive a highermessage_priority than other jobs, ensuring they are completed before the others.", -4.3.1,Interprocess_Messaging,All_Interprocess_Messaging,message_properties,string,An arbitrary list of message properties. The set of properties displayed depends on the message-oriented middleware (MOM) solution that you are using., -4.3.1,Interprocess_Messaging,All_Interprocess_Messaging,message_received_time,time,The time that the message was received by a message-oriented middleware (MOM) solution., -4.3.1,Interprocess_Messaging,All_Interprocess_Messaging,message_redelivered,boolean,Indicates whether or not the message was redelivered., -4.3.1,Interprocess_Messaging,All_Interprocess_Messaging,message_reply_dest,string,The name of the destination for replies to the message., -4.3.1,Interprocess_Messaging,All_Interprocess_Messaging,message_type,string,"The type of message, such as call orreply.", -4.3.1,Interprocess_Messaging,All_Interprocess_Messaging,parameters,string,Arguments that have been passed to an endpoint by a REST call or something similar. A sample parameter could be something likefoo=bar., -4.3.1,Interprocess_Messaging,All_Interprocess_Messaging,payload,string,The message payload., -4.3.1,Interprocess_Messaging,All_Interprocess_Messaging,payload_type,string,"The type of payload in the message. The payload type can be text (such as json,xml, and raw) or binary (such ascompressed, object, encrypted, andimage).", -4.3.1,Interprocess_Messaging,All_Interprocess_Messaging,request_payload,string,The content of the message request., -4.3.1,Interprocess_Messaging,All_Interprocess_Messaging,request_payload_type,string,"The type of payload in the message request. 
The payload type can be text (such as json,xml, and raw) or binary (such ascompressed, object, encrypted, andimage).", -4.3.1,Interprocess_Messaging,All_Interprocess_Messaging,request_sent_time,time,The time that the message request was sent., -4.3.1,Interprocess_Messaging,All_Interprocess_Messaging,response_code,string,The response status code sent by the receiving server. Ranges between 200 and404., -4.3.1,Interprocess_Messaging,All_Interprocess_Messaging,response_payload_type,string,"The type of payload in the message response. The payload type can be text (such as json, xml, and raw) or binary (such ascompressed, object, encrypted, andimage).", -4.3.1,Interprocess_Messaging,All_Interprocess_Messaging,response_received_time,time,The time that the message response was received., -4.3.1,Interprocess_Messaging,All_Interprocess_Messaging,response_time,number,"The amount of time it took to receive a response, in seconds.", -4.3.1,Interprocess_Messaging,All_Interprocess_Messaging,return_message,string,The response status message sent by the message server., -4.3.1,Interprocess_Messaging,All_Interprocess_Messaging,rpc_protocol,string,"The protocol that the message server uses for remote procedure calls (RPC). Possible values include HTTP REST, SOAP, and EJB.", -4.3.1,Interprocess_Messaging,All_Interprocess_Messaging,status,boolean,The status of the message response.,"pass,fail" -4.3.1,Interprocess_Messaging,All_Interprocess_Messaging,tag,string,Tags associated with the message., -4.3.1,Intrusion_Detection,IDS_Attacks,action,string,The action taken by the intrusion detection system (IDS)., -4.3.1,Intrusion_Detection,IDS_Attacks,category,string,"The vendor-provided category of the triggered signature, such as spyware. Note: This field is a string. 
Use acategory_id field for category ID fields that are integer data types (category_idfields are optional, so they are not included in this table).", -4.3.1,Intrusion_Detection,IDS_Attacks,dest,string,"The destination of the attack detected by the intrusion detection system (IDS). You can alias this from more specific fields, such as dest_host, dest_ip, ordest_name.", -4.3.1,Intrusion_Detection,IDS_Attacks,dest_bunit,string,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons., -4.3.1,Intrusion_Detection,IDS_Attacks,dest_category,string,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons., -4.3.1,Intrusion_Detection,IDS_Attacks,dest_priority,string,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons., -4.3.1,Intrusion_Detection,IDS_Attacks,dvc,string,"The device that detected the intrusion event. You can alias this from more specific fields, such as dvc_host, dvc_ip, ordvc_name.", -4.3.1,Intrusion_Detection,IDS_Attacks,dvc_bunit,string,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons., -4.3.1,Intrusion_Detection,IDS_Attacks,dvc_category,string,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. 
They should be left blank when writing add-ons., -4.3.1,Intrusion_Detection,IDS_Attacks,dvc_priority,string,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons., -4.3.1,Intrusion_Detection,IDS_Attacks,ids_type,string,The type of IDS that generated the event.,"network, host, application" -4.3.1,Intrusion_Detection,IDS_Attacks,severity,string,"The severity of the network protection event. Note: This field is a string. Please use aseverity_id field for severity ID fields that are integer data types (severity_idfields are optional, so they are not included in this table). Also, specific values are required for this field. Usevendor_severity for the vendor's own human readable severity strings (such asGood, Bad, and Really Bad).","critical, high, medium, low,informational, unknown" -4.3.1,Intrusion_Detection,IDS_Attacks,signature,string,"The name of the intrusion detected on the client (the src), such as PlugAndPlay_BOand JavaScript_Obfuscation_Fre. Note: This is a string value; please usesignature_id for numeric indicators (signature_id fields are optional, so they are not included in this table).", -4.3.1,Intrusion_Detection,IDS_Attacks,src,string,"The source involved in the attack detected by the IDS. You can alias this from more specific fields, such as src_host,src_ip, or src_name.", -4.3.1,Intrusion_Detection,IDS_Attacks,src_bunit,string,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons., -4.3.1,Intrusion_Detection,IDS_Attacks,src_category,string,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. 
They should be left blank when writing add-ons., -4.3.1,Intrusion_Detection,IDS_Attacks,src_priority,string,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons., -4.3.1,Intrusion_Detection,IDS_Attacks,tag,string,This automatically generated field is used to access tags from within datamodels. Add-on builders do not need to populate it., -4.3.1,Intrusion_Detection,IDS_Attacks,user,string,The user involved with the intrusion detection event., -4.3.1,Intrusion_Detection,IDS_Attacks,user_bunit,string,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons., -4.3.1,Intrusion_Detection,IDS_Attacks,user_category,string,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons., -4.3.1,Intrusion_Detection,IDS_Attacks,user_priority,string,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons., -4.3.1,Intrusion_Detection,IDS_Attacks,vendor_product,string,"The vendor product name of the IDS or IPS system that detected the vulnerability, such as HP Tipping Point. This field can be automatically populated by vendor andproduct fields in your data.", -4.3.1,Compute_Inventory,All_Inventory,description,string,The description of the inventory system., -4.3.1,Compute_Inventory,All_Inventory,dest,string,"The system where the data originated, the source of the event. 
You can alias this from more specific fields, such asdest_host, dest_ip, or dest_name.", -4.3.1,Compute_Inventory,All_Inventory,dest_bunit,string,The business unit of the system where the data originated. This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security., -4.3.1,Compute_Inventory,All_Inventory,dest_category,string,"The category of the system where the data originated, such asemail_server or SOX-compliant. This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security.", -4.3.1,Compute_Inventory,All_Inventory,dest_priority,string,The priority of the system where the data originated., -4.3.1,Compute_Inventory,All_Inventory,enabled,boolean,Indicates whether the resource is enabled or disabled., -4.3.1,Compute_Inventory,All_Inventory,family,string,"The product family of the resource, such as 686_64 or RISC.", -4.3.1,Compute_Inventory,All_Inventory,hypervisor_id,string,"The hypervisor identifier, if applicable.", -4.3.1,Compute_Inventory,All_Inventory,serial,string,The serial number of the resource., -4.3.1,Compute_Inventory,All_Inventory,status,string,The current reported state of the resource., -4.3.1,Compute_Inventory,All_Inventory,tag,string,Splunk uses this automatically generated field to access tags from within data models. 
You do not need to populate it., -4.3.1,Compute_Inventory,All_Inventory,vendor_product,string,"The vendor and product name of the resource, such as Cisco Catalyst 3850.", -4.3.1,Compute_Inventory,All_Inventory,version,string,"The version of a computer resource, such as 2008r2 or3.0.0.", -4.3.1,Compute_Inventory,CPU,cpu_cores,number,"The number of CPU cores reported by the resource (total, not per CPU).", -4.3.1,Compute_Inventory,CPU,cpu_count,number,The number of CPUs reported by the resource., -4.3.1,Compute_Inventory,CPU,cpu_mhz,number,The maximum speed of the CPU reported by the resource (in megahertz)., -4.3.1,Compute_Inventory,Memory,mem,number,"The total amount of memory installed in or allocated to the resource, in megabytes.", -4.3.1,Compute_Inventory,Network,dest_ip,string,The IP address for the system that the data is going to., -4.3.1,Compute_Inventory,Network,dns,string,The domain name server for the resource., -4.3.1,Compute_Inventory,Network,inline_nat,string,Identifies whether the resource is a network address translation pool., -4.3.1,Compute_Inventory,Network,interface,string,"The network interfaces of the computing resource, such aseth0, eth1 or Wired Ethernet Connection, Teredo Tunneling Pseudo-Interface.", -4.3.1,Compute_Inventory,Network,ip,string,"The network addresses of the computing resource, such as192.168.1.1 orE80:0000:0000:0000:0202:B3FF:FE1E:8329.", -4.3.1,Compute_Inventory,Network,lb_method,string,"The load balancing method used by the computing resource such as method, round robin, or least weight.", -4.3.1,Compute_Inventory,Network,mac,string,"A MAC (media access control) address associated with the resource, such as 06:10:9f:eb:8f:14. Note: Always force lower case on this field. 
Note: Always use colons instead of dashes, spaces, or no separator.", -4.3.1,Compute_Inventory,Network,name,string,A name field provided in some data sources., -4.3.1,Compute_Inventory,Network,node,string,Represents a node hit., -4.3.1,Compute_Inventory,Network,node_port,number,The number of the destination port on the server that you requested from., -4.3.1,Compute_Inventory,Network,src_ip,string,The IP address for the system from which the data originates., -4.3.1,Compute_Inventory,Network,vip_port,number,The port number for the virtual IP address (VIP). A VIP allows multiple MACs to use one IP address. VIPs are often used by load balancers., -4.3.1,Compute_Inventory,OS,os,string,"The operating system of the resource, such as Microsoft Windows Server 2008r2. This field is constructed fromvendor_product and version fields.", -4.3.1,Compute_Inventory,Storage,array,string,"The array that the storage resource is a member of, if applicable", -4.3.1,Compute_Inventory,Storage,blocksize,number,"The block size used by the storage resource, in kilobytes.", -4.3.1,Compute_Inventory,Storage,cluster,string,"The index cluster that the resource is a member of, if applicable.", -4.3.1,Compute_Inventory,Storage,fd_max,number,The maximum number of file descriptors available., -4.3.1,Compute_Inventory,Storage,latency,number,"The latency reported by the resource, in milliseconds.", -4.3.1,Compute_Inventory,Storage,mount,string,The path at which a storage resource is mounted., -4.3.1,Compute_Inventory,Storage,parent,string,"A higher level object that this resource is owned by, if applicable.", -4.3.1,Compute_Inventory,Storage,read_blocks,number,The maximum possible number of blocks read per second during a polling period ., -4.3.1,Compute_Inventory,Storage,read_latency,number,"For a polling period, the average amount of time elapsed until a read request is filled by the host disks (in ms).", -4.3.1,Compute_Inventory,Storage,read_ops,number,The total number of read operations in the 
polling period., -4.3.1,Compute_Inventory,Storage,storage,number,"The amount of storage capacity allocated to the resource, in megabytes.", -4.3.1,Compute_Inventory,Storage,write_blocks,number,The maximum possible number of blocks written per second during a polling period., -4.3.1,Compute_Inventory,Storage,write_latency,number,"For a polling period, the average amount of time elapsed until a write request is filled by the host disks (in ms).", -4.3.1,Compute_Inventory,Storage,write_ops,number,The total number of write operations in the polling period., -4.3.1,Compute_Inventory,User,interactive,boolean,Indicates whether a locally defined account on a resource can be interactively logged in., -4.3.1,Compute_Inventory,User,password,string,"Displays the stored password(s) for a locally defined account, if it has any. For instance, an add-on may report the password column from /etc/passwd in this field.", -4.3.1,Compute_Inventory,User,shell,string,Indicates the shell program used by a locally defined account., -4.3.1,Compute_Inventory,User,user,string,The full name of a locally defined account., -4.3.1,Compute_Inventory,User,user_bunit,string,The business unit of the locally-defined user account. This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security., -4.3.1,Compute_Inventory,User,user_category,string,"The category of the system where the data originated, such asemail_server or SOX-compliant. 
This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security.", -4.3.1,Compute_Inventory,User,user_id,number,The user identification for a locally defined account., -4.3.1,Compute_Inventory,User,user_priority,string,The priority of a locally-defined account., -4.3.1,Compute_Inventory,Virtual_OS,hypervisor,string,The hypervisor parent of a virtual guest OS., -4.3.1,Compute_Inventory,Snapshot,size,number,"The snapshot file size, in megabytes.", -4.3.1,Compute_Inventory,Snapshot,snapshot,string,The name of a snapshot file., -4.3.1,Compute_Inventory,Snapshot,time,time,The time at which the snapshot was taken., -4.3.1,JVM,JVM,jvm_description,string,A description field provided in some data sources., -4.3.1,JVM,JVM,tag,string,This automatically generated field is used to access tags from within datamodels. Add-on builders do not need to populate it., -4.3.1,JVM,Threading,cm_enabled,boolean,Indicates whether thread contention monitoring is enabled.,"true, false, 1,0" -4.3.1,JVM,Threading,cm_supported,boolean,Indicates whether the JVM supports thread contention monitoring.,"true, false, 1,0" -4.3.1,JVM,Threading,cpu_time_enabled,boolean,Indicates whether thread CPU time measurement is enabled.,"true, false, 1,0" -4.3.1,JVM,Threading,cpu_time_supported,boolean,Indicates whether the Java virtual machine supports CPU time measurement for the current thread.,"true, false, 1,0" -4.3.1,JVM,Threading,current_cpu_time,number,"CPU-space time taken by the JVM, in seconds.", -4.3.1,JVM,Threading,current_user_time,number,"User-space time taken by the JVM, in seconds.", -4.3.1,JVM,Threading,daemon_thread_count,number,The JVM's current daemon count., -4.3.1,JVM,Threading,omu_supported,boolean,Indicates whether the JVM supports monitoring of object monitor usage.,"true, false, 1,0" -4.3.1,JVM,Threading,peak_thread_count,number,The JVM's peak thread count, -4.3.1,JVM,Threading,synch_supported,boolean,Indicates 
whether the JVM supports monitoring of ownable synchronizer usage.,"true, false, 1,0" -4.3.1,JVM,Threading,thread_count,number,The JVM's current thread count., -4.3.1,JVM,Threading,threads_started,number,The total number of threads started in the JVM., -4.3.1,JVM,Runtime,process_name,string,Process name of the JVM process., -4.3.1,JVM,Runtime,start_time,timestamp,Start time of the JVM process., -4.3.1,JVM,Runtime,uptime,int,Uptime of the JVM process., -4.3.1,JVM,Runtime,vendor_product,string,The JVM product or service. This field can be automatically populated by the the vendor andproduct fields in your raw data., -4.3.1,JVM,Runtime,version,string,Version of the JVM., -4.3.1,JVM,OS,committed_memory,number,Amount of memory committed to the JVM., -4.3.1,JVM,OS,cpu_time,number,Amount of CPU time taken by the JVM., -4.3.1,JVM,OS,free_physical_memory,number,Amount of free physical memory remaining to the JVM., -4.3.1,JVM,OS,free_swap,number,Amount of free swap memory remaining to the JVM., -4.3.1,JVM,OS,max_file_descriptors,number,Maximum file descriptors available to the JVM., -4.3.1,JVM,OS,open_file_descriptors,number,Number of file descriptors opened by the JVM., -4.3.1,JVM,OS,os,string,OS that the JVM is running on., -4.3.1,JVM,OS,os_architecture,string,OS architecture that the JVM is running on., -4.3.1,JVM,OS,os_version,string,OS version that the JVM is running on., -4.3.1,JVM,OS,physical_memory,number,Physical memory available to the OS that the JVM is running on., -4.3.1,JVM,OS,swap_space,number,Swap memory space available to the OS that the JVM is running on., -4.3.1,JVM,OS,system_load,number,System load of the OS that the JVM is running on., -4.3.1,JVM,OS,total_processors,number,Total processor cores available to the OS that the JVM is running on., -4.3.1,JVM,Compilation,compilation_time,number,Time taken by JIT compilation., -4.3.1,JVM,Classloading,current_loaded,number,The current count of classes loaded in the JVM., 
-4.3.1,JVM,Classloading,total_loaded,number,The total count of classes loaded in the JVM., -4.3.1,JVM,Classloading,total_unloaded,number,The total count of classes unloaded from the JVM., -4.3.1,JVM,Memory,heap_committed,number,Committed amount of heap memory used by the JVM., -4.3.1,JVM,Memory,heap_initial,number,Initial amount of heap memory used by the JVM., -4.3.1,JVM,Memory,heap_max,number,Maximum amount of heap memory used by the JVM., -4.3.1,JVM,Memory,heap_used,number,Heap memory used by the JVM., -4.3.1,JVM,Memory,non_heap_committed,number,Committed amount of non-heap memory used by the JVM., -4.3.1,JVM,Memory,non_heap_initial,number,Initial amount of non-heap memory used by the JVM., -4.3.1,JVM,Memory,non_heap_max,number,Maximum amount of non-heap memory used by the JVM., -4.3.1,JVM,Memory,non_heap_used,number,Non-heap memory used by the JVM., -4.3.1,JVM,Memory,objects_pending,number,Number of objects pending in the JVM., -4.3.1,Malware,Malware_Attacks,action,string,The action taken by the reporting device.,"allowed, blocked,deferred, unknown" -4.3.1,Malware,Malware_Attacks,category,string,"The category of the malware event, such as keylogger or ad-supported program. Note: This is a string value. Use acategory_id field for category ID fields that are integer data types (category_id fields are optional, so they are not included in this table).", -4.3.1,Malware,Malware_Attacks,date,string,The date of the malware event., -4.3.1,Malware,Malware_Attacks,dest,string,"The system that was affected by the malware event. You can alias this from more specific fields, such asdest_host, dest_ip, or dest_name.", -4.3.1,Malware,Malware_Attacks,dest_bunit,string,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. 
They should be left blank when writing add-ons., -4.3.1,Malware,Malware_Attacks,dest_category,string,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons., -4.3.1,Malware,Malware_Attacks,dest_nt_domain,string,"The NT domain of the destination, if applicable.", -4.3.1,Malware,Malware_Attacks,dest_priority,string,This is a derived field provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. It should be left blank when writing add-ons., -4.3.1,Malware,Malware_Attacks,dest_requires_av,boolean,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons., -4.3.1,Malware,Malware_Attacks,file_hash,string,The hash of the file with suspected malware., -4.3.1,Malware,Malware_Attacks,file_name,string,The name of the file with suspected malware., -4.3.1,Malware,Malware_Attacks,file_path,string,The full file path of the file with suspected malware., -4.3.1,Malware,Malware_Attacks,signature,string,"The name of the malware infection detected on the client (the dest), such as Trojan.Vundo, Spyware.Gaobot, and W32.Nimbda. Note: This is a string value. 
Use asignature_id field for signature ID fields that are integer data types (signature_id fields are optional, so they are not included in this table)", -4.3.1,Malware,Malware_Attacks,src,string,"The source of the endpoint event, such as a DAT file relay server.You can aliasthis from more specific fields, such assrc_host, src_ip, or src_name.", -4.3.1,Malware,Malware_Attacks,src_bunit,string,The business unit of the source., -4.3.1,Malware,Malware_Attacks,src_category,string,The category of the source., -4.3.1,Malware,Malware_Attacks,src_priority,string,The priority of the source., -4.3.1,Malware,Malware_Attacks,tag,string,This automatically generated field is used to access tags from within datamodels. Add-on builders do not need to populate it., -4.3.1,Malware,Malware_Attacks,user,string,The user involved in the malware event., -4.3.1,Malware,Malware_Attacks,user_bunit,string,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons., -4.3.1,Malware,Malware_Attacks,user_category,string,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons., -4.3.1,Malware,Malware_Attacks,user_priority,string,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. 
They should be left blank when writing add-ons., -4.3.1,Malware,Malware_Attacks,vendor_product,string,"The vendor product name of the endpoint protection system, such asSymantec AntiVirus.", -4.3.1,Malware,Malware_Operations,dest,string,The system where the malware operations event occurred., -4.3.1,Malware,Malware_Operations,dest_bunit,string,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons., -4.3.1,Malware,Malware_Operations,dest_category,string,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons., -4.3.1,Malware,Malware_Operations,dest_nt_domain,string,"The NT domain of the dest system, if applicable.", -4.3.1,Malware,Malware_Operations,dest_priority,string,This is a derived field provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. It should be left blank when writing add-ons., -4.3.1,Malware,Malware_Operations,dest_requires_av,boolean,This is a derived field provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. 
It should be left blank when writing add-ons., -4.3.1,Malware,Malware_Operations,product_version,string,The product version of the malware operations product., -4.3.1,Malware,Malware_Operations,signature_version,string,The version of the malware signature bundle in a signature update operations event., -4.3.1,Malware,Malware_Operations,tag,string,The tag associated with the maleware operations event., -4.3.1,Malware,Malware_Operations,vendor_product,string,The vendor product name of the malware operations product., -4.3.1,Network_Resolution,DNS,additional_answer_count,number,"Number of entries in the ""additional"" section of the DNS message.", -4.3.1,Network_Resolution,DNS,answer,string,Resolved address for the query., -4.3.1,Network_Resolution,DNS,answer_count,number,Number of entries in the answer section of the DNS message., -4.3.1,Network_Resolution,DNS,authority_answer_count,number,"Number of entries in the ""authority"" section of the DNS message.", -4.3.1,Network_Resolution,DNS,dest,string,"The destination of the network resolution event. You can alias this from more specific fields, such as dest_host,dest_ip, or dest_name.", -4.3.1,Network_Resolution,DNS,dest_category,string,"The category of the network resolution target, such as email_server or SOX-compliant. This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security.", -4.3.1,Network_Resolution,DNS,dest_port,number,The destination port number., -4.3.1,Network_Resolution,DNS,dest_priority,string,"The priority of the destination, if applicable.", -4.3.1,Network_Resolution,DNS,duration,number,"The time taken by the network resolution event, in seconds.", -4.3.1,Network_Resolution,DNS,message_type,string,Type of DNS message.,"Query, Response, unknown" -4.3.1,Network_Resolution,DNS,query,string,"The domain which needs to be resolved. 
Applies to messages of type ""Query"".", -4.3.1,Network_Resolution,DNS,query_count,number,"Number of entries that appear in the ""Questions"" section of the DNS query.", -4.3.1,Network_Resolution,DNS,query_type,string,The DNS OpCode name as defined inhttps://tools.ietf.org/html/rfc2929#section-2.2.,"Query, IQuery, Status, Notify, Update, unknown" -4.3.1,Network_Resolution,DNS,reply_code,string,Return code for the response as defined inhttps://tools.ietf.org/html/rfc2929#section-2.3.,"NoError, FormErr, ServFail, NXDomain, NotImp, Refused, YXDomain, YXRRSet, NotAuth, NotZone, BADVERS, BADSIG, BADKEY, BADTIME, BADMODE, BADNAME, BADALG, unknown" -4.3.1,Network_Resolution,DNS,reply_code_id,number,Numerical id of the return code as defined inhttps://tools.ietf.org/html/rfc2929#section-2.3.,"0-10, 16-21" -4.3.1,Network_Resolution,DNS,response_time,number,"The amount of time it took to receive a response in the network resolution event, if applicable.", -4.3.1,Network_Resolution,DNS,src,string,"The source of the network resolution event. You can alias this from more specific fields, such as src_host,src_ip, or src_name.", -4.3.1,Network_Resolution,DNS,src_bunit,string,The business unit of the source. This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security., -4.3.1,Network_Resolution,DNS,src_category,string,"The category of the source, such asemail_server or SOX-compliant. This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security.", -4.3.1,Network_Resolution,DNS,src_port,number,The port number of the source., -4.3.1,Network_Resolution,DNS,src_priority,string,The priority of the source., -4.3.1,Network_Resolution,DNS,tag,string,This automatically generated field is used to access tags from within datamodels. 
Add-on builders do not need to populate it., -4.3.1,Network_Resolution,DNS,transaction_id,number,The unique numerical transaction id of the network resolution event., -4.3.1,Network_Resolution,DNS,transport,string,The transport protocol used by the network resolution event., -4.3.1,Network_Resolution,DNS,ttl,number,The time-to-live of the network resolution event., -4.3.1,Network_Resolution,DNS,vendor_product,string,"The vendor product name of the DNS server. The Splunk platform can derive this field from the fields vendor andproduct in the raw data, if they exist.", -4.3.1,Network_Sessions,All_Sessions,action,string,The action taken by the reporting device.,"added, blocked, unknown" -4.3.1,Network_Sessions,All_Sessions,dest_bunit,string,The business unit of the destination., -4.3.1,Network_Sessions,All_Sessions,dest_category,string,The category of the destination., -4.3.1,Network_Sessions,All_Sessions,dest_ip,string,"The IP address of the system reporting a network session event. If the system is a Dynamic Host Configuration Protocol (DHCP) server, this is the lease IP for that server. This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security.", -4.3.1,Network_Sessions,All_Sessions,dest_mac,string,The MAC address of the system reporting a network session event. This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security., -4.3.1,Network_Sessions,All_Sessions,dest_nt_host,string,"The name of the Active Directory for the system reporting a network session event, if applicable. 
This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security.", -4.3.1,Network_Sessions,All_Sessions,dest_priority,string,The priority of the destination., -4.3.1,Network_Sessions,All_Sessions,duration,number,"The amount of time for the completion of the network session event, in seconds.", -4.3.1,Network_Sessions,All_Sessions,response_time,number,"The amount of time it took to receive a response in the network session event, if applicable.", -4.3.1,Network_Sessions,All_Sessions,signature,string,An indication of the type of network session event., -4.3.1,Network_Sessions,All_Sessions,src_bunit,string,The business unit of the source., -4.3.1,Network_Sessions,All_Sessions,src_category,string,The category of the source., -4.3.1,Network_Sessions,All_Sessions,src_dns,string,The domain name server of the originator of a Dynamic Host Configuration Protocol (DHCP) or DNS event . This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security., -4.3.1,Network_Sessions,All_Sessions,src_ip,string,The IP address of the originator of a Dynamic Host Configuration Protocol (DHCP) or DNS event. This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security., -4.3.1,Network_Sessions,All_Sessions,src_mac,string,The MAC address of the originator of a Dynamic Host Configuration Protocol (DHCP) or DNS event . This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security., -4.3.1,Network_Sessions,All_Sessions,src_nt_host,string,The Active Directory name of the originator of a Dynamic Host Configuration Protocol (DHCP) or DNS event . 
This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security., -4.3.1,Network_Sessions,All_Sessions,src_priority,string,The priority of the source., -4.3.1,Network_Sessions,All_Sessions,tag,string,This automatically generated field is used to access tags from within datamodels. Add-on builders do not need to populate it., -4.3.1,Network_Sessions,All_Sessions,user,string,"The user in a network session event, where applicable. For instance, a VPN session or an authenticated DHCP event.", -4.3.1,Network_Sessions,All_Sessions,user_bunit,string,The business unit associated with the user., -4.3.1,Network_Sessions,All_Sessions,user_category,string,The category of the user., -4.3.1,Network_Sessions,All_Sessions,user_priority,string,The priority of the user., -4.3.1,Network_Sessions,All_Sessions,vendor_product,string,"The full name of the Dynamic Host Configuration Protocol (DHCP) or DNS server involved in this event including vendor and product name, such asMicrosoft DHCP or ISC BIND. This field is generated by combining the values of the vendor andproduct fields.", -4.3.1,Network_Sessions,DHCP,lease_duration,number,"The duration of the Dynamic Host Configuration Protocol (DHCP) lease, in seconds.", -4.3.1,Network_Sessions,DHCP,lease_scope,string,The consecutive range of possible IP addresses that the Dynamic Host Configuration Protocol (DHCP) server can lease to clients on a subnet. 
A lease_scopetypically defines a single physical subnet on your network to which DHCP services are offered., -4.3.1,Network_Traffic,All_Traffic,action,string,The action taken by the network device.,"allowed, blocked, dropped,unknown" -4.3.1,Network_Traffic,All_Traffic,app,string,The application protocol of the traffic., -4.3.1,Network_Traffic,All_Traffic,bytes,number,Total count of bytes handled by this device/interface (bytes_in + bytes_out)., -4.3.1,Network_Traffic,All_Traffic,bytes_in,number,How many bytes this device/interface received., -4.3.1,Network_Traffic,All_Traffic,bytes_out,number,How many bytes this device/interface transmitted., -4.3.1,Network_Traffic,All_Traffic,channel,number,The 802.11 channel used by a wireless network., -4.3.1,Network_Traffic,All_Traffic,dest,string,"The destination of the network traffic (the remote host). You can alias this from more specific fields, such asdest_host, dest_ip, or dest_name.", -4.3.1,Network_Traffic,All_Traffic,dest_bunit,string,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons., -4.3.1,Network_Traffic,All_Traffic,dest_category,string,, -4.3.1,Network_Traffic,All_Traffic,dest_interface,string,"The interface that is listening remotely or receiving packets locally. Can also be referred to as the ""egress interface.""", -4.3.1,Network_Traffic,All_Traffic,dest_ip,string,The IP address of the destination., -4.3.1,Network_Traffic,All_Traffic,dest_mac,string,"The destination TCP/IP layer 2 Media Access Control (MAC) address of a packet's destination, such as06:10:9f:eb:8f:14. Note: Always force lower case on this field. Note:Always use colons instead of dashes, spaces, or no separator.", -4.3.1,Network_Traffic,All_Traffic,dest_port,number,"The destination port of the network traffic. Note: Do not translate the values of this field to strings (tcp/80 is 80, nothttp). 
You can set up the corresponding string value in thedest_svc field.", -4.3.1,Network_Traffic,All_Traffic,dest_priority,string,"The destination priority, if applicable.", -4.3.1,Network_Traffic,All_Traffic,dest_translated_ip,string,The NATed IPv4 or IPv6 address to which a packet has been sent., -4.3.1,Network_Traffic,All_Traffic,dest_translated_port,number,"The NATed port to which a packet has been sent. Note: Do not translate the values of this field to strings (tcp/80 is 80, nothttp).", -4.3.1,Network_Traffic,All_Traffic,direction,string,The direction the packet is travelling.,"inbound, outbound, unknown" -4.3.1,Network_Traffic,All_Traffic,duration,number,"The amount of time for the completion of the network event, in seconds.", -4.3.1,Network_Traffic,All_Traffic,dvc,string,"The device that reported the traffic event. You can alias this from more specific fields, such as dvc_host,dvc_ip, or dvc_name.", -4.3.1,Network_Traffic,All_Traffic,dvc_bunit,string,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons., -4.3.1,Network_Traffic,All_Traffic,dvc_category,string,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons., -4.3.1,Network_Traffic,All_Traffic,dvc_ip,string,, -4.3.1,Network_Traffic,All_Traffic,dvc_mac,string,, -4.3.1,Network_Traffic,All_Traffic,dvc_priority,string,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. 
They should be left blank when writing add-ons., -4.3.1,Network_Traffic,All_Traffic,flow_id,string,"Unique identifier for this traffic stream, such as a netflow, jflow, or cflow.", -4.3.1,Network_Traffic,All_Traffic,icmp_code,string,"The RFC 2780 or RFC 4443 human-readable code value of the traffic, such as Destination Unreachable orParameter Problem . See the IMCP Type Numbers and the IMCPv6 Type Numbers.", -4.3.1,Network_Traffic,All_Traffic,icmp_type,number,The RFC 2780 or RFC 4443 numeric value of the traffic. See the IMCP Type Numbers and the IMCPv6 Type Numbers.,0 to 254 -4.3.1,Network_Traffic,All_Traffic,packets,number,The total count of packets handled by this device/interface (packets_in +packets_out)., -4.3.1,Network_Traffic,All_Traffic,packets_in,number,The total count of packets received by this device/interface., -4.3.1,Network_Traffic,All_Traffic,packets_out,number,The total count of packets transmitted by this device/interface., -4.3.1,Network_Traffic,All_Traffic,protocol,string,"The OSI layer 3 (network) protocol of the traffic observed, in lower case. For example, ip, appletalk, ipx.", -4.3.1,Network_Traffic,All_Traffic,protocol_version,string,Version of the OSI layer 3 protocol., -4.3.1,Network_Traffic,All_Traffic,response_time,number,"The amount of time it took to receive a response in the network event, if applicable.", -4.3.1,Network_Traffic,All_Traffic,rule,string,"The rule which defines the action that was taken in the network event. Note: This is a string value. Use arule_id field for rule fields that are integer data types (rule_id fields are optional, so they are not included in this table).", -4.3.1,Network_Traffic,All_Traffic,session_id,string,The session identifier. Multiple transactions build a session., -4.3.1,Network_Traffic,All_Traffic,src,string,"The source of the network traffic (the client requesting the connection). 
You can alias this from more specific fields, such as src_host, src_ip, orsrc_name.", -4.3.1,Network_Traffic,All_Traffic,src_category,string,The category of the network traffic source., -4.3.1,Network_Traffic,All_Traffic,src_interface,string,"The interface that is listening locally or sending packets remotely. Can also be referred to as the ""ingress interface.""", -4.3.1,Network_Traffic,All_Traffic,src_ip,string,The ip address of the source., -4.3.1,Network_Traffic,All_Traffic,src_mac,string,"The source TCP/IP layer 2 Media Access Control (MAC) address of a packet's destination, such as06:10:9f:eb:8f:14. Note: Always force lower case on this field. Note:Always use colons instead of dashes, spaces, or no separator.", -4.3.1,Network_Traffic,All_Traffic,src_port,number,"The source port of the network traffic. Note: Do not translate the values of this field to strings (tcp/80 is 80, nothttp). You can set up the corresponding string value in thesrc_svc field.", -4.3.1,Network_Traffic,All_Traffic,src_priority,number,"The priority of the source, if applicable.", -4.3.1,Network_Traffic,All_Traffic,src_translated_ip,string,The NATed IPv4 or IPv6 address from which a packet has been sent.., -4.3.1,Network_Traffic,All_Traffic,src_translated_port,number,"The NATed port from which a packet has been sent. Note: Do not translate the values of this field to strings (tcp/80 is 80, nothttp).", -4.3.1,Network_Traffic,All_Traffic,ssid,string,The 802.11 service set identifier (ssid) assigned to a wireless session., -4.3.1,Network_Traffic,All_Traffic,tag,string,The tag associated with the traffic., -4.3.1,Network_Traffic,All_Traffic,tcp_flag,string,The TCP flag(s) specified in the event.,"Can be one or more of SYN, ACK,FIN, RST, URG, or PSH." 
-4.3.1,Network_Traffic,All_Traffic,transport,string,"The OSI layer 4 (transport) protocol of the traffic observed, in lower case.","tcp, udp, unknown" -4.3.1,Network_Traffic,All_Traffic,tos,string,The combination of source and destination IP ToS (type of service) values in the event., -4.3.1,Network_Traffic,All_Traffic,ttl,number,"The ""time to live"" of a packet or diagram.", -4.3.1,Network_Traffic,All_Traffic,user,string,The user that requested the traffic flow., -4.3.1,Network_Traffic,All_Traffic,user_bunit,string,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons., -4.3.1,Network_Traffic,All_Traffic,user_category,string,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons., -4.3.1,Network_Traffic,All_Traffic,user_priority,string,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons., -4.3.1,Network_Traffic,All_Traffic,vendor_product,string,"The vendor technology of the device generating the network event, such asJuniper or Cisco.", -4.3.1,Network_Traffic,All_Traffic,vlan,string,The virtual local area network (VLAN) specified in the record., -4.3.1,Network_Traffic,All_Traffic,wifi,string,"The wireless standard(s) in use, such as802.11a, 802.11b, 802.11g, or802.11n.", -4.3.1,Performance,All_Performance,dest,string,"The system where the event occurred, usually a facilities resource such as a rack or room. You can alias this from more specific fields, such as dest_host, dest_ip, ordest_name.", -4.3.1,Performance,All_Performance,dest_bunit,string,The business unit of the system where the event occurred. 
This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security., -4.3.1,Performance,All_Performance,dest_category,string,The category of the system where the event occurred. This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security., -4.3.1,Performance,All_Performance,dest_priority,string,The priority of the system where the performance event occurred., -4.3.1,Performance,All_Performance,dest_should_timesync,boolean,Indicates whether or not the system where the performance event occurred should time sync. This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security., -4.3.1,Performance,All_Performance,dest_should_update,boolean,Indicates whether or not the system where the performance event occurred should update. This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security., -4.3.1,Performance,All_Performance,hypervisor_id,string,The ID of the virtualization hypervisor., -4.3.1,Performance,All_Performance,resource_type,string,"The type of facilities resource involved in the performance event, such as a rack, room, orsystem.", -4.3.1,Performance,All_Performance,tag,string,A tag associated with the performance event., -4.3.1,Performance,CPU,cpu_load_mhz,number,The amount of CPU load reported by the controller in megahertz., -4.3.1,Performance,CPU,cpu_load_percent,number,The amount of CPU load reported by the controller in percentage points., -4.3.1,Performance,CPU,cpu_time,number,The number of CPU seconds consumed by processes., -4.3.1,Performance,CPU,cpu_user_percent,number,Percentage of CPU user time consumed by processes., -4.3.1,Performance,Facilities,fan_speed,number,"The speed of the cooling fan in the facilities resource, in rotations per second.", 
-4.3.1,Performance,Facilities,power,number,"Amount of power consumed by the facilities resource, in Kw/h.", -4.3.1,Performance,Facilities,temperature,number,"Average temperature of the facilities resource, in C.", -4.3.1,Performance,Memory,mem,number,"The total amount of memory capacity reported by the resource, in megabytes.", -4.3.1,Performance,Memory,mem_committed,number,"The committed amount of memory reported by the resource, in megabytes.", -4.3.1,Performance,Memory,mem_free,number,"The free amount of memory reported by the resource, in megabytes.", -4.3.1,Performance,Memory,mem_used,number,"The used amount of memory reported by the resource, in megabytes.", -4.3.1,Performance,Memory,swap,number,"The total swap space size, in megabytes, if applicable.", -4.3.1,Performance,Memory,swap_free,number,"The free swap space size, in megabytes, if applicable.", -4.3.1,Performance,Memory,swap_used,number,"The used swap space size, in megabytes, if applicable.", -4.3.1,Performance,Storage,array,number,"The array that the resource is a member of, if applicable.", -4.3.1,Performance,Storage,blocksize,number,"Block size used by the storage resource, in kilobytes.", -4.3.1,Performance,Storage,cluster,string,"The cluster that the resource is a member of, if applicable.", -4.3.1,Performance,Storage,fd_max,number,The maximum number of available file descriptors., -4.3.1,Performance,Storage,fd_used,number,The current number of open file descriptors., -4.3.1,Performance,Storage,latency,number,"The latency reported by the resource, in milliseconds.", -4.3.1,Performance,Storage,mount,string,The mount point of a storage resource., -4.3.1,Performance,Storage,parent,string,"A generic indicator of hierarchy. 
For instance, a disk event might include the array id here.", -4.3.1,Performance,Storage,read_blocks,number,Number of blocks read., -4.3.1,Performance,Storage,read_latency,number,"The latency of read operations, in milliseconds.", -4.3.1,Performance,Storage,read_ops,number,Number of read operations., -4.3.1,Performance,Storage,storage,number,"The total amount of storage capacity reported by the resource, in megabytes.", -4.3.1,Performance,Storage,storage_free,number,"The free amount of storage capacity reported by the resource, in megabytes.", -4.3.1,Performance,Storage,storage_free_percent,number,The percentage of storage capacity reported by the resource that is free., -4.3.1,Performance,Storage,storage_used,number,"The used amount of storage capacity reported by the resource, in megabytes.", -4.3.1,Performance,Storage,storage_used_percent,number,The percentage of storage capacity reported by the resource that is used., -4.3.1,Performance,Storage,write_blocks,number,The number of blocks written by the resource., -4.3.1,Performance,Storage,write_latency,number,"The latency of write operations, in milliseconds.", -4.3.1,Performance,Storage,write_ops,number,The total number of write operations processed by the resource., -4.3.1,Performance,Network,thruput,number,"The current throughput reported by the service, in bytes.", -4.3.1,Performance,Network,thruput_max,number,"The maximum possible throughput reported by the service, in bytes.", -4.3.1,Performance,OS,signature,string,"The event description signature, if available.", -4.3.1,Performance,Timesync,action,string,The result of a time sync event.,"success, failure,unknown" -4.3.1,Performance,Uptime,uptime,number,"The uptime of the compute resource, in seconds.", -4.3.1,Ticket_Management,All_Ticket_Management,affect_dest,string,Destinations affected by the service request., -4.3.1,Ticket_Management,All_Ticket_Management,comments,string,Comments about the service request., 
-4.3.1,Ticket_Management,All_Ticket_Management,description,string,The description of the service request., -4.3.1,Ticket_Management,All_Ticket_Management,dest,string,"The destination of the service request. You can aliasthis from more specific fields, such as dest_host,dest_ip, or dest_name.", -4.3.1,Ticket_Management,All_Ticket_Management,dest_bunit,string,The business unit of the destination., -4.3.1,Ticket_Management,All_Ticket_Management,dest_category,string,The category of the destination., -4.3.1,Ticket_Management,All_Ticket_Management,dest_priority,string,The priority of the destination., -4.3.1,Ticket_Management,All_Ticket_Management,priority,string,The relative priority of the service request., -4.3.1,Ticket_Management,All_Ticket_Management,severity,string,The relative severity of the service request., -4.3.1,Ticket_Management,All_Ticket_Management,src_user,string,"The user or entity that triggered or created the service request, if applicable.", -4.3.1,Ticket_Management,All_Ticket_Management,src_user_bunit,string,The business user associated with the user or entity that triggered the service request., -4.3.1,Ticket_Management,All_Ticket_Management,src_user_category,string,The category associated with the user or entity that triggered the service request., -4.3.1,Ticket_Management,All_Ticket_Management,status,string,The relative status of the service request., -4.3.1,Ticket_Management,All_Ticket_Management,tag,string,A tag for the service request., -4.3.1,Ticket_Management,All_Ticket_Management,ticket_id,string,"An identification name, code, or number for the service request.", -4.3.1,Ticket_Management,All_Ticket_Management,time_submitted,time,The time that the src_user submitted the service request., -4.3.1,Ticket_Management,All_Ticket_Management,user,string,"The name of the user or entity that is assigned to carry out the service request, if applicable.", -4.3.1,Ticket_Management,All_Ticket_Management,user_bunit,string,"The business unit associated with 
the user or entity that is assigned to carry out the service request, if applicable.", -4.3.1,Ticket_Management,All_Ticket_Management,user_category,string,"The category associated with the user or entity that is assigned to carry out the service request, if applicable.", -4.3.1,Ticket_Management,All_Ticket_Management,user_priority,string,"The priority of the user or entity that is assigned to carry out the service request, if applicable.", -4.3.1,Ticket_Management,Change,change,string,Designation for a request for change (RFC) that is raised to modify an IT service to resolve an incidentor problem., -4.3.1,Ticket_Management,Incident,incident,string,"The incident that triggered the service request. Can be a rare occurrence, or something that happens more frequently An incident that occurs on a frequent basis can also be classified as a problem.", -4.3.1,Ticket_Management,Problem,problem,string,"When multiple occurrences of related incidents are observed, they are collectively designated with a singleproblem value. Problem management differs from the process of managing an isolated incident. Often problems are managed by a specific set of staff and through a problem management process.", -4.3.1,Updates,Updates,dest,string,"The system that is affected by the patch change. You can alias this from more specific fields, such as dest_host,dest_ip, or dest_name.", -4.3.1,Updates,Updates,dest_bunit,string,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons., -4.3.1,Updates,Updates,dest_category,string,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. 
They should be left blank when writing add-ons., -4.3.1,Updates,Updates,dest_priority,string,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons., -4.3.1,Updates,Updates,dest_should_update,boolean,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons., -4.3.1,Updates,Updates,dvc,string,"The device that detected the patch event, such as a patching or configuration management server. You can alias this from more specific fields, such as dvc_host, dvc_ip, ordvc_name.", -4.3.1,Updates,Updates,file_hash,string,The checksum of the patch package that was installed or attempted., -4.3.1,Updates,Updates,file_name,string,The name of the patch package that was installed or attempted., -4.3.1,Updates,Updates,severity,string,The severity associated with the patch event.,"critical, high, medium, low,informational" -4.3.1,Updates,Updates,signature,string,"The name of the patch requirement detected on the client (the dest), such asMS08-067 or RHBA-2013:0739. Note: This is a string value. Please usesignature_id for numeric indicators.", -4.3.1,Updates,Updates,signature_id,int,The numeric ID of the intrusion detected on the client (the src). Note: This is an integer value. Please use signature_id for human-readable signature names., -4.3.1,Updates,Updates,status,string,Indicates the status of a given patch requirement.,"available, installed, invalid,reboot_required, unknown" -4.3.1,Updates,Updates,tag,string,This automatically generated field is used to access tags from within datamodels. 
Add-on builders do not need to populate it., -4.3.1,Updates,Updates,vendor_product,string,"The patch monitoring product, such asTEM, Patchlink, or SCCM.", -4.3.1,Vulnerabilities,Vulnerabilities,bugtraq,string,Corresponds to an identifier in the vulnerability database provided by the Security Focus website (searchable athttp://www.securityfocus.com/)., -4.3.1,Vulnerabilities,Vulnerabilities,category,string,"The category of the discovered vulnerability, such as DoS. Note: This field is a string. Please use acategory_id field for fields that are integer data type. Keep in mind that thecategory_id field is optional and thus is not part of the CIM.", -4.3.1,Vulnerabilities,Vulnerabilities,cert,string,"Corresponds to an identifier in the vulnerability database provided by the US Computer Emergency Readiness Team (US-CERT, searchable athttp://www.kb.cert.org/vuls/).", -4.3.1,Vulnerabilities,Vulnerabilities,cve,string,Corresponds to an identifier provided in the Common Vulnerabilities and Exposures index (searchable athttp://cve.mitre.org)., -4.3.1,Vulnerabilities,Vulnerabilities,cvss,number,Numeric indicator of the common vulnerability scoring system., -4.3.1,Vulnerabilities,Vulnerabilities,dest,string,"The host with the discovered vulnerability. You can alias this from more specific fields, such as dest_host,dest_ip, or dest_name.", -4.3.1,Vulnerabilities,Vulnerabilities,dest_bunit,string,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons., -4.3.1,Vulnerabilities,Vulnerabilities,dest_category,string,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. 
They should be left blank when writing add-ons., -4.3.1,Vulnerabilities,Vulnerabilities,dest_priority,string,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons., -4.3.1,Vulnerabilities,Vulnerabilities,dvc,string,"The system that discovered the vulnerability. You can alias this from more specific fields, such as dvc_host,dvc_ip, or dvc_name.", -4.3.1,Vulnerabilities,Vulnerabilities,dvc_bunit,string,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons., -4.3.1,Vulnerabilities,Vulnerabilities,dvc_category,string,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons., -4.3.1,Vulnerabilities,Vulnerabilities,dvc_priority,string,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons., -4.3.1,Vulnerabilities,Vulnerabilities,msft,string,Corresponds to a Microsoft Security Advisory number (http://technet.microsoft.com/en-us/security/advisory/)., -4.3.1,Vulnerabilities,Vulnerabilities,mskb,string,Corresponds to a Microsoft Knowledge Base article number (http://support.microsoft.com/kb/)., -4.3.1,Vulnerabilities,Vulnerabilities,severity,string,"The severity of the vulnerability detection event. Specific values are required. Usevendor_severity for the vendor's own human readable strings (such as Good,Bad, and Really Bad). Note: This field is a string. Please use aseverity_id field for severity ID fields that are integer data types. 
Keep in mind that the severity_id field is optional and thus is not part of the CIM.","critical, high, informational,low, medium, unknown" -4.3.1,Vulnerabilities,Vulnerabilities,signature,string,"The name of the vulnerability detected on the host, such as HPSBMU02785 SSRT100526 rev.2 - HP LoadRunner Running on Windows, Remote Execution of Arbitrary Code, Denial of Service (DoS). Note: This field has a string value. Please use signature_id for numeric indicators. Keep in mind that thesignature_id field is optional and thus is not part of the CIM.", -4.3.1,Vulnerabilities,Vulnerabilities,tag,string,A tag associated with the vulnerability., -4.3.1,Vulnerabilities,Vulnerabilities,user,string,The user that requested the HTTP resource., -4.3.1,Vulnerabilities,Vulnerabilities,user_bunit,string,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons., -4.3.1,Vulnerabilities,Vulnerabilities,user_category,string,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons., -4.3.1,Vulnerabilities,Vulnerabilities,user_priority,string,These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons., -4.3.1,Vulnerabilities,Vulnerabilities,vendor_product,string,The vendor of the vulnerability detection product or service., -4.3.1,Vulnerabilities,Vulnerabilities,xref,string,"A cross-reference identifier associated with the vulnerability. In most cases, thexref field contains both the short name of the database being cross-referenced and the unique identifier used in the external database.", From 8d88c0bfa4856383dd302adfceb6904cf3b8b1de Mon Sep 17 00:00:00 2001 
From: vladimir Date: Tue, 20 Feb 2024 22:04:55 -0500 Subject: [PATCH 02/28] Update cim_validator.xml product type should match cim_dictionary
--- default/data/ui/views/cim_validator.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/default/data/ui/views/cim_validator.xml b/default/data/ui/views/cim_validator.xml
index 44236d9..1720ab0 100644
--- a/default/data/ui/views/cim_validator.xml
+++ b/default/data/ui/views/cim_validator.xml
@@ -15,7 +15,7 @@ Any - Core + Core, ES UBA * *
@@ -184,4 +184,4 @@ - \ No newline at end of file +
From f621422675ccea070c33719ed6c207fce7e84b3c Mon Sep 17 00:00:00 2001 From: hire-vladimir Date: Fri, 23 Feb 2024 18:34:10 +0000 Subject: [PATCH 03/28] added field filter back and merge of expected values
--- default/data/ui/views/cim_dictionary.xml | 38 ++++++++++++++++++++---- 1 file changed, 33 insertions(+), 5 deletions(-)
diff --git a/default/data/ui/views/cim_dictionary.xml b/default/data/ui/views/cim_dictionary.xml
index 00aa63f..953ad8d 100644
--- a/default/data/ui/views/cim_dictionary.xml
+++ b/default/data/ui/views/cim_dictionary.xml
@@ -1,6 +1,6 @@
-
+
Any @@ -12,10 +12,15 @@ - | datamodel | spath modelName | table modelName | eval product_type=if(like(modelName, "UBA_%"), "uba", "core") | search product_type=$product_type|s$ | sort modelName + | datamodel | spath modelName | table modelName | eval product_type=if(like(modelName, "UBA_%"), "uba", "core") | search product_type=$product_type|s$ | sort modelName modelName modelName + Any + + + + .*
@@ -28,6 +33,15 @@ + + + Datamodel count + + | stats dc(datamodel) + + + + @@ -41,7 +55,7 @@
Datamodel definition information - | datamodel $dm|s$ | spath | table modelName, displayName, description + | datamodel $dm|s$ | spath | eval product_type=if(like(modelName, "UBA_%"), "uba", "core") | table modelName, product_type, displayName, description | search product_type=$product_type|s$ -24h@h now @@ -61,16 +75,26 @@ | spath path=objects{}.calculations{}.outputFields{} output=u | eval w=mvappend(v,u) | fields modelName w + | fields - _raw | mvexpand w | eval data_type=json_extract(w,"type") | eval description=json_extract(w,"comment.description") | eval field=json_extract(w,"fieldName") | eval object=json_extract(w,"owner") + + | eval recommended=json_extract(w,"comment.recommended"), recommended=if(match(recommended, "(?i)true|1"), "✅", "") + | eval expected_values=json_array_to_mv(json_extract(w,"comment.expected_values")) + | eval possible_values=split(json_extract(w,"comment.possible_values"), ","), possible_values=mvmap(possible_values, trim(possible_values)) + | eval combined_expected_values=mvdedup(mvappend(expected_values, possible_values)) + - | rename modelName AS datamodel - | table datamodel field data_type description object expected_values + | rename modelName AS datamodel combined_expected_values AS expected_values + | table datamodel field recommended data_type description object expected_values + | eval product_type=if(like(datamodel, "UBA_%"), "uba", "core") + | where match(field, $field|s$) | search product_type=$product_type|s$ + | fields - product_type 0 @@ -84,6 +108,10 @@ + + + +
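Review bot: The `recommended` test added in the `@@ -61,16 +75,26 @@` hunk, `if(match(recommended, "(?i)true|1"), "✅", "")`, is unanchored, so any value containing the digit `1` or the letters `true` (for example `10` or `untrue`) is flagged as recommended; anchoring it as `recommended=if(match(recommended, "(?i)^(true|1)$"), "✅", "")` pins it to the two intended literals. The new `| where match(field, $field|s$)` compiles whatever was typed into the field input as a regex, so a malformed pattern fails the whole search instead of filtering nothing — worth stating in the input's label, since the default `.*` hides that behaviour. The `product_type=if(like(..., "UBA_%"), "uba", "core")` derivation now appears three times across the dashboard's searches; putting it in one macro would keep the UBA naming rule in a single place. The enclosing search element starts before this hunk.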
From 85c5ff84a4948d594781c127b2e83113da4377e0 Mon Sep 17 00:00:00 2001 From: hire-vladimir Date: Fri, 23 Feb 2024 21:09:08 +0000 Subject: [PATCH 04/28] added datamodel match field, each DM can now have own field validation regex. Also added UBA support
--- lookups/cim_validator_field_regex.csv | 282 +++++++++++++++++++++++--- 1 file changed, 249 insertions(+), 33 deletions(-)
diff --git a/lookups/cim_validator_field_regex.csv b/lookups/cim_validator_field_regex.csv
index 2f8f9e9..e0236f9 100644
--- a/lookups/cim_validator_field_regex.csv
+++ b/lookups/cim_validator_field_regex.csv 
@@ -1,33 +1,249 @@
-field,validation_regex
-tag,".*"
-severity,"^(critical|high|medium|low|informational)$"
-action,"^(success|failure|allowed|blocked|deferred)$"
-dest,"^[\w\.-]+$"
-src,"^[\w\.-]+$"
-dvc,"^[\w\.-]+$"
-*_ip,"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$"
-*_port,"^\d{1,5}$"
-*_mac,"^[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}$"
-direction,"^(inbound|outbound)$"
-bytes*,"^\d+$"
-duration,"^\d+(:?\.\d{1,6})?$"
-packets*,"^\d+$"
-protocol,"^[a-z0-9]+$"
-transport,"^[a-z0-9]+$"
-vendor_product,"^[\w\s\-:]+$"
-ids_type,"^(network|host|application)$"
-category,"^.{3,30}$"
-signature,"^.{3,80}$"
-*user,"^[\w\/\\\-\.$]{1,20}$"
-app,"^[\w:\-]+$"
-*_nt_domain,"^[\w\/\\\-\.$]{1,20}$"
-file_hash,"^[0-9a-fA-F]{32,512}$"
-file_name,"^.{1,255}$"
-date,"^[01]\d-[0123]\d-[12]\d{3}$"
-http_method,"^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS|TRACE|CONNECT)$"
-*_length,"^\d+$"
-channel,"^\d+$"
-url,"^(?:https?|ftp):\/{2}.+"
-http_referrer,"^(?:https?|ftp):\/{2}.+"
-http_content_type,"^\w+\/[\w\-\+\.]+$"
-cached,"^(?:true|false|1|0)$"
+datamodel,field,"validation_regex"
+"UBA_Authentication",action,"^(success|failure|unknown|added)$"
+"UBA_Badge","failure_reason",".*"
+"UBA_Badge","object_name",".*"
+"UBA_Badge","object_type",".*"
+"UBA_Badge","site_name",".*"
+"UBA_Badge",vendor,".*"
+"UBA_Cloud","change_type","^(download|preview|delete|create|edit)$"
+"UBA_Cloud",object,"^[^\/]+\.[a-zA-Z0-9]+$"
+"UBA_Cloud","object_path","\/.*\/.*"
+"UBA_Cloud","object_type","^(file|folder|document|image)$"
+"UBA_Cloud","parent_category",".*"
+"UBA_Database","action_name","^[A-Za-z\s]+$"
+"UBA_Database","command_name","^[A-Za-z\s]+$"
+"UBA_Database",commits,"^\d+$"
+"UBA_Database","cpu_used","^\d+$"
+"UBA_Database","elapsed_time","^\d+$"
+"UBA_Database",eventtype,".*"
+"UBA_Database","instance_name","^[A-Za-z\s]+$"
+"UBA_Database",object,".*"
+"UBA_Database",query,"/^\s*(SELECT|INSERT|UPDATE|DELETE|FROM|WHERE|AND|OR|ORDER BY|GROUP BY|HAVING|JOIN|INNER JOIN|LEFT JOIN|RIGHT 
JOIN|OUTER JOIN|ON|VALUES|SET|LIMIT)\b.*/gm"
+"UBA_Database","records_affected","^\d+$"
+"UBA_Database","tables_hit",".*"
+"UBA_Database","tablespace_name",".*"
+"UBA_Database",vendor,".*"
+"UBA_DHCP","lease_duration","^\d+(:?\.\d{1,6})?$"
+"UBA_DLP",action,"^(allowed|blocked)$"
+"UBA_DLP","dest_path","\/.*\/.*"
+"UBA_DLP","dlp_status",".*"
+"UBA_DLP","match_count",".*"
+"UBA_DLP",policy,".*"
+"UBA_DLP","prevention_status",".*"
+"UBA_DLP",recipient,"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b"
+"UBA_DLP",restricted,"^(yes|no)$"
+"UBA_DLP",sender,"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b"
+"UBA_DLP","serial_number","^\d+$"
+"UBA_DLP","src_path","\/.*\/.*"
+"UBA_DLP",subject,".*"
+"UBA_DLP",vendor,".*"
+"UBA_DNS",answer,"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$"
+"UBA_DNS","message_type",".*"
+"UBA_DNS",query,"^(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}$"
+"UBA_DNS","query_type","\b(Query|IQuery|Status|Notify|Update|unknown|A|MX|NS|PTR)\b"
+"UBA_DNS","record_type","^(A|DNAME|MX|NS|PTR)$"
+"UBA_DNS",ttl,"^\d+$"
+"UBA_Email",action,"\b(delivered|blocked|quarantined|deleted|unknown)\b"
+"UBA_Email",recipient,"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b"
+"UBA_Email",subject,".*"
+"UBA_Endpoint_Filesystem",action,"\b(?:allowed|blocked)\b"
+"UBA_Endpoint_Filesystem",alarmCategories,"\b(?:Exfiltration|Info|InsiderThreat|MalwareActivity|MalwareInstall|MalwarePersistence|PolicyViolation|ProductAttack|ReducedVisibility|SystemAttack|MalformedTraffic|AccountTakeover|Enumeration|LateralMovement|Vulnerability|Recon|InitialAccess|Execution|Persistence|PrivilegeEscalation|DefenseEvasion|CredentialAccess|Discovery|Collection|CommandAndControl|Infection|DenialOfService|LossOfControl|BruteForce|Local|Signature|Behavior|FlightRisk|DataDestruction|Allowed|PeerGroup|Incoming|Internal|Outgoing|Blocked|Blacklisted|Beaconing|Outlier|UnusualActivity|ExternalAlarm|ExternalAttack|SuspiciousPattern|SuspiciousDownload|WebShell|UnusualResourceAccess|RuleBased|NetworkConnection|DataDeletion|CloudStorage|ExternalScan|ApplicationLog|External|Network|EndPoint|AD|Firewall|IPS|CloudData|Correlation|Printer|Badge|RareUser|RareProcess|RareDevice|RareDomain|RareNetwork|RareApplication|RareLocation|Unknown|CIS|Reconnaissance|ActionsonObjectives|Delivery|Installation|Exploitation|ValidAccounts|NetworkSniffing|AccountManipulation|ExploitationofVulnerability|SystemInformationDiscovery|DataStaged|EmailCollection|CommonlyUsedPort|StandardNon-ApplicationLayer|ExfiltrationOverAlternativeProtocol|StandardApplicationLayerProtocol|ExfiltrationOverCommandandControlChannel|PowerShell|Scripting|CredentialDumping|Command-LineInterface|DisablingSecurityTools|ModifyRegistry|NewService|NodifyExistingService|RegistryRunKeys\/StartFolder|AppInitDLLs|AuthenticationPackage|ScheduledTask|WebService|Third-partySoftware|AccountDiscovery|RemoteDesktopProtocol|PasstheHash|IndicatorRemovalonHost|Masquerading|WindowsManagementInstrumentation|ChangeDefaultFileAssociation|ApplicationShimming|LocalPortMonitor|AccessibilityFeatures|Rundll32|CreateAccount|PR|ID|RS|DE)\b"
+"UBA_Endpoint_Filesystem",eventtype,".*"
+"UBA_Endpoint_Port",action,"\b(?:allowed|blocked)\b"
+"UBA_Endpoint_Port",alarmCategories,"\b(Exfiltration|Info|InsiderThreat|MalwareActivity|MalwareInstall|MalwarePersistence|PolicyViolation|ProductAttack|ReducedVisibility|SystemAttack|MalformedTraffic|AccountTakeover|Enumeration|LateralMovement|Vulnerability|Recon|InitialAccess|Execution|Persistence|PrivilegeEscalation|DefenseEvasion|CredentialAccess|Discovery|Collection|CommandAndControl|Infection|DenialOfService|LossOfControl|BruteForce|L"
+"UBA_Endpoint_Port","cpu_load_percent","^\d+$"
+"UBA_Endpoint_Port","creation_time","^\d+$"
+"UBA_Endpoint_Port",eventtype,".*"
+"UBA_Endpoint_Port","mem_used","^\d+$"
+"UBA_Endpoint_Port",os,".*"
+"UBA_Endpoint_Port",state,".*"
+"UBA_Endpoint_Processes",action,"\b(?:allowed|blocked)\b"
+"UBA_Endpoint_Processes",alarmCategories,"\b(Exfiltration|Info|InsiderThreat|MalwareActivity|MalwareInstall|MalwarePersistence|PolicyViolation|ProductAttack|ReducedVisibility|SystemAttack|MalformedTraffic|AccountTakeover|Enumeration|LateralMovement|Vulnerability|Recon|InitialAccess|Execution|Persistence|PrivilegeEscalation|DefenseEvasion|CredentialAccess|Discovery|Collection|CommandAndControl|Infection|DenialOfService|LossOfControl|BruteForce|L"
+"UBA_Endpoint_Processes",eventtype,".*"
+"UBA_Endpoint_Processes","parent_process_exec","^[^\/]+\.[a-zA-Z0-9]+$"
+"UBA_Endpoint_Processes","parent_process_guid","^[^\n\r]+$"
+"UBA_Endpoint_Processes","parent_process_name","^[^\/]+\.[a-zA-Z0-9]+$"
+"UBA_Endpoint_Processes","parent_process_path","\/.*\/.*"
+"UBA_Endpoint_Processes",process,"\/.*\/.*"
+"UBA_Endpoint_Processes","process_current_directory","/^\/(?:[a-zA-Z0-9_]+\/?)+$"
+"UBA_Endpoint_Processes","process_exec","^[^\/]+\.[a-zA-Z0-9]+$"
+"UBA_Endpoint_Processes","process_guid.",".*"
+"UBA_Endpoint_Processes","process_integrity_level",".*"
+"UBA_Endpoint_Processes","process_path","\/.*\/.*"
+"UBA_Endpoint_Registry",action,"\b(?:allowed|blocked)\b"
+"UBA_Endpoint_Registry",alarmCategories,"\b(Exfiltration|Info|InsiderThreat|MalwareActivity|MalwareInstall|MalwarePersistence|PolicyViolation|ProductAttack|ReducedVisibility|SystemAttack|MalformedTraffic|AccountTakeover|Enumeration|LateralMovement|Vulnerability|Recon|InitialAccess|Execution|Persistence|PrivilegeEscalation|DefenseEvasion|CredentialAccess|Discovery|Collection|CommandAndControl|Infection|DenialOfService|LossOfControl|BruteForce|L"
+"UBA_Endpoint_Registry",eventtype,".*"
+"UBA_Endpoint_Registry","registry_hive",".*"
+"UBA_Endpoint_Registry","registry_key_name",".*"
+"UBA_Endpoint_Registry","registry_path","^\\[a-zA-Z]+(?:\\[a-zA-Z]+)*(?:\\[a-zA-Z0-9]+(?:-[a-zA-Z0-9]+)*)*\\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}}\\[a-zA-Z0-9_]+$"
+"UBA_Endpoint_Registry","registry_value_data",".*"
+"UBA_Endpoint_Registry","registry_value_name",".*"
+"UBA_Endpoint_Registry","registry_value_text",".*"
+"UBA_Endpoint_Registry","registry_value_type",".*"
+"UBA_Endpoint_Registry",status,"\b(?:failure|success)\b"
+"UBA_Endpoint_Services",action,"\b(?:allowed|blocked)\b"
+"UBA_Endpoint_Services",alarmCategories,"\b(Exfiltration|Info|InsiderThreat|MalwareActivity|MalwareInstall|MalwarePersistence|PolicyViolation|ProductAttack|ReducedVisibility|SystemAttack|MalformedTraffic|AccountTakeover|Enumeration|LateralMovement|Vulnerability|Recon|InitialAccess|Execution|Persistence|PrivilegeEscalation|DefenseEvasion|CredentialAccess|Discovery|Collection|CommandAndControl|Infection|DenialOfService|LossOfControl|BruteForce|L"
+"UBA_Endpoint_Services",description,"\b\w+(?:[.-]\w+)*\b"
+"UBA_Endpoint_Services",eventtype,".*"
+"UBA_Endpoint_Services","service_dll","^[^\/]+\.[a-zA-Z0-9]+$"
+"UBA_Endpoint_Services","service_dll_path","\/.*\/.*"
+"UBA_Endpoint_Services","service_dll_signature_exists","^[a-zA-Z\s_]+$"
+"UBA_Endpoint_Services","service_dll_signature_verified","^[a-zA-Z\s_]+$"
+"UBA_Endpoint_Services","service_exec","^[^\/]+\.[a-zA-Z0-9]+$"
+"UBA_Endpoint_Services","service_name",".*"
+"UBA_Endpoint_Services","service_path","\/.*\/.*"
+"UBA_Endpoint_Services","start_mode",".*"
+"UBA_Endpoint_Services",status,"\b(?:critical|started|stopped|warning|failure|success)\b"
+"UBA_External_Alarm",action,"\b(?:allowed|blocked|deferred)\b"
+"UBA_External_Alarm",alarmCategories,"\b(Exfiltration|Info|InsiderThreat|MalwareActivity|MalwareInstall|MalwarePersistence|PolicyViolation|ProductAttack|ReducedVisibility|SystemAttack|MalformedTraffic|AccountTakeover|Enumeration|LateralMovement|Vulnerability|Recon|InitialAccess|Execution|Persistence|PrivilegeEscalation|DefenseEvasion|CredentialAccess|Discovery|Collection|CommandAndControl|Infection|DenialOfService|LossOfControl|BruteForce|L"
+"UBA_External_Alarm","dest_zone","^[a-zA-Z\s_]+$"
+"UBA_External_Alarm","signature or eventtype","^[a-zA-Z\s_]+$"
+"UBA_External_Alarm","src_zone",".*"
+"UBA_External_Alarm",url,"^(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}$"
+"UBA_Firewall",action,"^(allowed|blocked|dropped|teardown|delivered|quarantined|deleted|unknown|deferred|added)$"
+"UBA_Firewall","dest_zone","^[a-zA-Z\s_]+$"
+"UBA_Firewall","src_zone","^[a-zA-Z\s_]+$"
+"UBA_Firewall",url,"^(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}$"
+"UBA_Firewall","vendor_action","\b\w+(?:[.-]\w+)*\b"
+"UBA_Host AV",action,"\b(?:allowed|blocked)\b"
+"UBA_Host 
AV",alarmCategories,"\b(?:Exfiltration|Info|InsiderThreat|MalwareActivity|MalwareInstall|MalwarePersistence|PolicyViolation|ProductAttack|ReducedVisibility|SystemAttack|MalformedTraffic|AccountTakeover|Enumeration|LateralMovement|Vulnerability|Recon|InitialAccess|Execution|Persistence|PrivilegeEscalation|DefenseEvasion|CredentialAccess|Discovery|Collection|CommandAndControl|Infection|DenialOfService|LossOfControl|BruteForce|Local|Signature|Behavior|FlightRisk|DataDestruction|Allowed|PeerGroup|Incoming|Internal|Outgoing|Blocked|Blacklisted|Beaconing|Outlier|UnusualActivity|ExternalAlarm|ExternalAttack|SuspiciousPattern|SuspiciousDownload|WebShell|UnusualResourceAccess|RuleBased|NetworkConnection|DataDeletion|CloudStorage|ExternalScan|ApplicationLog|External|Network|EndPoint|AD|Firewall|IPS|CloudData|Correlation|Printer|Badge|RareUser|RareProcess|RareDevice|RareDomain|RareNetwork|RareApplication|RareLocation|Unknown|CIS|Reconnaissance|ActionsonObjectives|Delivery|Installation|Exploitation|ValidAccounts|NetworkSniffing|AccountManipulation|ExploitationofVulnerability|SystemInformationDiscovery|DataStaged|EmailCollection|CommonlyUsedPort|StandardNon-ApplicationLayer|ExfiltrationOverAlternativeProtocol|StandardApplicationLayerProtocol|ExfiltrationOverCommandandControlChannel|PowerShell|Scripting|CredentialDumping|Command-LineInterface|DisablingSecurityTools|ModifyRegistry|NewService|NodifyExistingService|RegistryRunKeys\/StartFolder|AppInitDLLs|AuthenticationPackage|ScheduledTask|WebService|Third-partySoftware|AccountDiscovery|RemoteDesktopProtocol|PasstheHash|IndicatorRemovalonHost|Masquerading|WindowsManagementInstrumentation|ChangeDefaultFileAssociation|ApplicationShimming|LocalPortMonitor|AccessibilityFeatures|Rundll32|CreateAccount|PR|ID|RS|DE)\b"
+"UBA_Host AV",eventtype,"\b\w+(?:[.-]\w+)*\b"
+"UBA_Host AV",url,"^(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}$"
+"UBA_IDS_IPS",action,"\b(?:allowed|blocked)\b"
+"UBA_IDS_IPS",alarmCategories,"\b(Exfiltration|Info|InsiderThreat|MalwareActivity|MalwareInstall|MalwarePersistence|PolicyViolation|ProductAttack|ReducedVisibility|SystemAttack|MalformedTraffic|AccountTakeover|Enumeration|LateralMovement|Vulnerability|Recon|InitialAccess|Execution|Persistence|PrivilegeEscalation|DefenseEvasion|CredentialAccess|Discovery|Collection|CommandAndControl|Infection|DenialOfService|LossOfControl|BruteForce|L"
+"UBA_IDS_IPS",eventtype,".*"
+"UBA_Printer","data_type",".*"
+"UBA_Printer","driver_process",".*"
+"UBA_Printer",operation,".*"
+"UBA_Printer","page_printed","^\d+$"
+"UBA_Printer",parameters,"^\d+$"
+"UBA_Printer","print_processor",".*"
+"UBA_Printer",printer,".*"
+"UBA_Printer",priority,"^\d+$"
+"UBA_Printer",status,".*"
+"UBA_Printer","submitted_time",".*"
+"UBA_Printer","total_pages","^\d+$"
+"UBA_Printer",type,".*"
+"UBA_Web_Proxy",action,"\b(?:allowed|blocked)\b"
+"UBA_Web_Proxy","response_time","^\d+$"
+"UBA_Web_Proxy",status,"^\d+$"
+"UBA_Web_Proxy",url,"^(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}$"
+"UBA_HR_Data",memberOf,".*"
+"UBA_HR_Data",groups,".*"
+"UBA_HR_Data",l,"^[A-Za-z\s.'-]+$"
+"UBA_HR_Data",city,"^[A-Za-z\s.'-]+$"
+"UBA_HR_Data",co,"^[A-Za-z\s.'-]+$"
+"UBA_HR_Data",country,"^[A-Za-z\s.'-]+$"
+"UBA_HR_Data",departingUser,"^(true|false)$"
+"UBA_HR_Data",displayName,"^[A-Za-z\s.'-]+$"
+"UBA_HR_Data",domainLoginId,"^[a-zA-Z0-9\/\\@]+$"
+"UBA_HR_Data",mail,"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b"
+"UBA_HR_Data",email,"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b"
+"UBA_HR_Data",employeeType,".*"
+"UBA_HR_Data",accountExpires,".*"
+"UBA_HR_Data",preferredName,".*"
+"UBA_HR_Data",givenName,".*"
+"UBA_HR_Data",firstname,".*"
+"UBA_HR_Data",highRiskUser,"^(true|false)$"
+"UBA_HR_Data",hireDate,".*"
+"UBA_HR_Data",lastLogon,".*"
+"UBA_HR_Data",lastLogonTimestamp,".*"
+"UBA_HR_Data",sn,".*"
+"UBA_HR_Data",lastname,".*"
+"UBA_HR_Data",sAMAccountName,"^[a-zA-Z0-9_]+$"
+"UBA_HR_Data",loginId,"^[a-zA-Z0-9_]+$"
+"UBA_HR_Data",manager,".*"
+"UBA_HR_Data",manageremployeeId,".*"
+"UBA_HR_Data",initials,".*"
+"UBA_HR_Data",MiddleName,".*"
+"UBA_HR_Data",department,".*"
+"UBA_HR_Data",ou,".*"
+"UBA_HR_Data",onPerformanceImprovementPlan,"^(true|false)$"
+"UBA_HR_Data",onPIP,"^(true|false)$"
+"UBA_HR_Data",telephoneNumber,".*"
+"UBA_HR_Data",phone,".*"
+"UBA_HR_Data",st,".*"
+"UBA_HR_Data",state,".*"
+"UBA_HR_Data",hrstatuscode,".*"
+"UBA_HR_Data",streetAddress,".*"
+"UBA_HR_Data",street,".*"
+"UBA_HR_Data",terminatedUser,"^(true|false)$"
+"UBA_HR_Data",terminationDate,".*"
+"UBA_HR_Data",title,".*"
+"UBA_HR_Data",traveling,"^(true|false)$"
+"UBA_HR_Data",UAC,".*"
+"UBA_HR_Data",status,"^(InActive|Active)$"
+"UBA_HR_Data",postalCode,".*"
+"UBA_HR_Data",zip,".*"
+"UBA_DLP_Email",action,"^(allowed|blocked)$"
+"UBA_DLP_Email","dest_path","\/.*\/.*"
+"UBA_DLP_Email","dlp_status",".*"
+"UBA_DLP_Email","match_count",".*"
+"UBA_DLP_Email",policy,".*"
+"UBA_DLP_Email","prevention_status",".*"
+"UBA_DLP_Email",recipient,"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b"
+"UBA_DLP_Email",restricted,"^(yes|no)$"
+"UBA_DLP_Email",sender,"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b"
+"UBA_DLP_Email","serial_number","^\d+$"
+"UBA_DLP_Email","src_path","\/.*\/.*"
+"UBA_DLP_Email",subject,".*"
+"UBA_DLP_Email",vendor,".*"
+"UBA_Asset_Data",hostname,"^[\w\.-]+$"
+"UBA_Asset_Data",denyListDeviceIr,"^(true|false)$"
+"UBA_Asset_Data",denyListUserIr,"^(true|false)$"
+"UBA_Asset_Data","asset_tag",".*"
+"UBA_Asset_Data",bunit,".*"
+"UBA_Asset_Data",city,"^[A-Za-z\s.'-]+$"
+"UBA_Asset_Data","cost_center",".*"
+"UBA_Asset_Data",country,".*"
+"UBA_Asset_Data","created_by",".*"
+"UBA_Asset_Data",department,".*"
+"UBA_Asset_Data",deviceType,".*"
+"UBA_Asset_Data",dns,".*"
+"UBA_Asset_Data",ip,"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$"
+"UBA_Asset_Data","is_expected","^(true|false)$"
+"UBA_Asset_Data",latitude,".*"
+"UBA_Asset_Data",longitude,".*"
+"UBA_Asset_Data",mac,"^[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}$"
+"UBA_Asset_Data","managed_by",".*"
+"UBA_Asset_Data",os,".*"
+"UBA_Asset_Data",owner,".*"
+"UBA_Asset_Data",serial,".*"
+"UBA_Asset_Data",status,".*"
+"UBA_Asset_Data",substatus,".*"
+"UBA_Asset_Data","sys_created_on",".*"
+"UBA_Asset_Data","sys_updated_on",".*"
+"*",tag,".*"
+"*",severity,"^(critical|high|medium|low|informational)$"
+"*",action,"^(success|failure|allowed|blocked|deferred)$"
+"*",dest,"^[\w\.-]+$"
+"*",src,"^[\w\.-]+$"
+"*",dvc,"^[\w\.-]+$"
+"*","*_ip","^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$"
+"*","*_port","^\d{1,5}$"
+"*","*_mac","^[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}$"
+"*",direction,"^(inbound|outbound)$"
+"*","bytes*","^\d+$"
+"*",duration,"^\d+(:?\.\d{1,6})?$"
+"*","packets*","^\d+$"
+"*",protocol,"^[a-z0-9]+$"
+"*",transport,"^[a-z0-9]+$"
+"*","vendor_product","^[\w\d\s\-:]+$"
+"*","ids_type","^(network|host|application)$"
+"*",category,"^.{3,100}$"
+"*",signature,"^.{3,100}$"
+"*","*user","^[\w\/\\\-\.$]{1,30}$"
+"*",app,"^[\w:\-\d\s]+$"
+"*","*_nt_domain","^[\w\/\\\-\.$]{1,20}$"
+"*","file_hash","^[0-9a-fA-F]{32,512}$"
+"*","file_name","^.{1,255}$"
+"*",date,"^[01]\d-[0123]\d-[12]\d{3}$"
+"*","http_method","^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS|TRACE|CONNECT)$"
+"*","*_length","^\d+$"
+"*",channel,"^\d+$"
+"*",url,"^(?:https?|ftp):\/{2}.+"
+"*","http_referrer","^(?:https?|ftp):\/{2}.+"
+"*","http_content_type","^\w+\/[\w\-\+\.]+$"
+"*",cached,"^(?:true|false|1|0)$"
+"*","*_id","^\d+$"
+"*","*_host","^.{1,80}$"
From 5dc8d64c1f6552eb25ab8b48534f651482e48806 Mon Sep 17 00:00:00 2001
From: hire-vladimir
Date: Fri, 23 Feb 2024 21:12:51 +0000
Subject: [PATCH 05/28] added support for regex validation per datamodel, enhanced instructions on the page
---
default/data/ui/views/cim_validator.xml | 18 +++++++++++-------
1 file changed, 11 insertions(+), 7 deletions(-)
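Review bot: Two patterns carry JavaScript-literal delimiters that Splunk's PCRE engine treats as part of the pattern: `"UBA_Database",query,"/^\s*(SELECT|…)\b.*/gm"` and `"UBA_Endpoint_Processes","process_current_directory","/^\/(?:[a-zA-Z0-9_]+\/?)+$"`; a literal `/` followed by the `^` anchor can never match, so every sample value of those fields will be reported as unexpected — drop the leading `/` and the trailing `/gm`. The `alarmCategories` rows for UBA_Endpoint_Port, UBA_Endpoint_Processes, UBA_Endpoint_Registry, UBA_Endpoint_Services, UBA_External_Alarm and UBA_IDS_IPS end in `BruteForce|L"` with the group never closed; if that is how the file was committed rather than an artifact of this rendering, those rows are a regex compile error, not a validation, and the complete list already present on the UBA_Endpoint_Filesystem row should be reused. The `datamodel` values `"UBA_Cloud"` and `"UBA_Host AV"` do not look like the `UBA_Cloud_Storage` and `UBA_Host_AV` model names used by the files in this series, and `"process_guid."` carries a stray trailing dot, so once the validator keys the lookup on the model's `modelName` those rows are never applied. The `"*"` wildcard rows only take effect if the lookup's `match_type` in transforms.conf declares `datamodel` as a WILDCARD field, which this patch does not touch.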
diff --git a/default/data/ui/views/cim_validator.xml b/default/data/ui/views/cim_validator.xml
index 1720ab0..d20b18b 100644
--- a/default/data/ui/views/cim_validator.xml
+++ b/default/data/ui/views/cim_validator.xml
@@ -1,7 +1,7 @@ - + - | datamodel $dm$ | rex max_match=999 "fieldName\":\"(?<field>[^\"]+)" | stats values(field) as field | mvexpand field | where NOT match(field, "_time|host|sourcetype|source|[A-Z]+|_bunit|_category|_priority|_requires_av|_should_update") OR match(field, "object_category") | join type=outer field [$search_type$ $cim_search$ | head $event_limit$ | fieldsummary maxvals=15 | eventstats max(count) AS total | eval percent_coverage=round(count/total*100, 2) | table field, percent_coverage, distinct_count, total, values] | spath input=values | rename {}.value AS sample_values {}.count AS sample_count distinct_count AS distinct_value_count total AS total_events | fillnull value=0 percent_coverage, distinct_value_count, total_events | mvmath field=sample_count field2=total_events | eval field_values=mvzip(mvmath_result, sample_values, " ") | lookup cim_validation_regex field | mvrex showcount=t showunmatched=t field=sample_values validation_regex | eval is_cim_valid=case(total_events==0, "severe!!!no extracted values found", percent_coverage < 90, "elevated!!!event coverage less than 90%", mvrex_unmatched_count > 0, "elevated!!!found ".mvrex_unmatched_count." 
unexpected values (".mvjoin(mvrex_unmatched, ", ").")", isnull(validation_regex) OR validation_regex=="", "check!!!no validation regex was found to evaluate", 1==1, "low!!!looking good!") | lookup cim_validator_recommended_fields field OUTPUT is_recommended | eval ir=if(is_recommended=="true", "star", null()) | table ir, field, total_events, distinct_value_count, percent_coverage, field_values, is_cim_valid + | datamodel $dm$ | spath | rex max_match=999 "fieldName\":\"(?<field>[^\"]+)" | stats values(field) as field by modelName | rename modelName AS datamodel | mvexpand field | where NOT match(field, "_time|host|sourcetype|source|[A-Z]+|_bunit|_category|_priority|_requires_av|_should_update") OR match(field, "object_category") | join type=outer field [$search_type$ $cim_search$ | head $event_limit$ | fieldsummary maxvals=15 | eventstats max(count) AS total | eval percent_coverage=round(count/total*100, 2) | table field, percent_coverage, distinct_count, total, values] | spath input=values | rename {}.value AS sample_values {}.count AS sample_count distinct_count AS distinct_value_count total AS total_events | fillnull value=0 percent_coverage, distinct_value_count, total_events | mvmath field=sample_count field2=total_events | eval field_values=mvzip(mvmath_result, sample_values, " ") | lookup cim_validation_regex datamodel field OUTPUT validation_regex | mvrex showcount=t showunmatched=t field=sample_values validation_regex | eval is_cim_valid=case(total_events==0, "severe!!!no extracted values found", percent_coverage < 90, "elevated!!!event coverage less than 90%", mvrex_unmatched_count > 0, "elevated!!!found ".mvrex_unmatched_count." 
unexpected values (".mvjoin(mvrex_unmatched, ", ").")", isnull(validation_regex) OR validation_regex=="", "check!!!no validation regex was found to evaluate", 1==1, "low!!!looking good!") | lookup cim_validator_recommended_fields field OUTPUT is_recommended | eval ir=if(is_recommended=="true", "star", null()) | table ir, field, total_events, distinct_value_count, percent_coverage, field_values, is_cim_valid $timerange.earliest$ $timerange.latest$ @@ -9,7 +9,7 @@ _raw - datamodel + generating search @@ -129,9 +129,13 @@ Please keep following things in mind:
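Review bot: The field filter `where NOT match(field, "_time|host|sourcetype|source|[A-Z]+|_bunit|…")` in the `@@ -1,7 +1,7 @@` hunk drops every field name containing an uppercase letter, so the camelCase UBA fields this series adds regexes for (`alarmCategories`, `denyListDeviceIr`, `sAMAccountName`, …) never reach the new `lookup cim_validation_regex datamodel field OUTPUT validation_regex` step and silently disappear from the table. If the intent is to exclude all-caps pseudo-fields, use `^[A-Z]+$` inside that alternation instead of `[A-Z]+`. Because `datamodel` now comes from `modelName`, only CSV rows whose `datamodel` column is spelled exactly like the model are matched, so rows such as `UBA_Host AV` in the accompanying lookup need the same spelling. The `<search>`/`<query>` wrapper around this line is not visible in the hunk.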
  • Fields that are derived from asset and identity lookups are excluded, i.e. src_category, src_priority, etc.
  • -
  • - field_values percentage calculation behavior differs from that of Splunk. Instead of percentage calculation occurring on values that only exist, calculation in this table also takes into the account values that are “null” or do not exist.
  • -
  • Use Search type picker to tell the validator if search type. i.e. _raw search will be index=network sourcetype=firewall, datamodel as | datamodel Network_Traffic All_Traffic. Searches on _raw are particularly helpful, as they allow to "test" data before it makes it into the accelerated datamodel; removing the need to need for constant rebuild during development/test cycle.
  • +
  • field_values percentage calculation behavior differs from that of Splunk. Instead of percentage calculation occurring on values that only exist, calculation in this table also takes into the account values that are “null” or do not exist.
  • +
  • Use the Search type picker to set the type of the search used to retrieve the data +
      +
    • _raw search will be a search that does not start with a pipe, for example index=network sourcetype=firewall tag=network
    • +
    • generating search will be any generating command that starts with a pope, for example | datamodel Network_Traffic All_Traffic or with | from, | inputlookup etc.
    • +
    + Searches with the _raw are particularly helpful, as they allow to "test" data before it makes it into the accelerated datamodel; removing the need to need for constant rebuild during development/test cycle.
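Review bot: The added help text has two wording slips: `generating search will be any generating command that starts with a pope` should read `pipe`, and `removing the need to need for constant rebuild` should read `removing the need for constant rebuilds`. Both lines belong to the description block introduced by the `Please keep following things in mind:` context at the top of the `@@ -129,9 +129,13 @@` hunk.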
@@ -184,4 +188,4 @@ - + \ No newline at end of file
From 773a4ad7341c8141d9dc0f6250d636f759a98853 Mon Sep 17 00:00:00 2001
From: hire-vladimir
Date: Fri, 23 Feb 2024 22:00:52 +0000
Subject: [PATCH 06/28] uba support
---
default/data/models/UBA_Asset_Data.json | 64 +-
default/data/models/UBA_Authentication.json | 26 +-
default/data/models/UBA_Badge.json | 36 +-
default/data/models/UBA_Cloud_Storage.json | 29 +-
default/data/models/UBA_DHCP.json | 47 +-
default/data/models/UBA_DLP.json | 515 +++++++++++-----
default/data/models/UBA_DLP_Email.json | 576 ++++++++++++------
default/data/models/UBA_DNS.json | 66 +-
default/data/models/UBA_Database.json | 94 ++-
default/data/models/UBA_Email.json | 64 +-
.../data/models/UBA_Endpoint_Filesystem.json | 123 +++-
default/data/models/UBA_Endpoint_Port.json | 133 +++-
.../data/models/UBA_Endpoint_Processes.json | 150 +++-
.../data/models/UBA_Endpoint_Registry.json | 139 ++++-
.../data/models/UBA_Endpoint_Services.json | 154 +++-
default/data/models/UBA_External_Alarm.json | 78 ++-
default/data/models/UBA_Firewall.json | 103 +++-
default/data/models/UBA_HR_Data.json | 234 +++++-
default/data/models/UBA_Host_AV.json | 75 ++-
default/data/models/UBA_IDS_IPS.json | 363 +++++++----
default/data/models/UBA_Printer.json | 352 +++++++----
default/data/models/UBA_VPN.json | 183 ++---
default/data/models/UBA_Web_Proxy.json | 76 ++-
default/macros.conf | 76 +--
default/transforms.conf | 2 +-
25 files changed, 2582 insertions(+), 1176 deletions(-)
diff --git a/default/data/models/UBA_Asset_Data.json b/default/data/models/UBA_Asset_Data.json
index c2fee16..40b87a5 100644
--- a/default/data/models/UBA_Asset_Data.json
+++ b/default/data/models/UBA_Asset_Data.json
@@ -1,7 +1,7 @@
 {
 "modelName": "UBA_Asset_Data",
 "displayName": "UBA Asset Data",
- "description": "",
+ "description": "Splunk UBA Asset Data Model for CIM Validator App",
 "objectSummary": {
 "Event-Based": 1,
 "Transaction-Based": 0,
@@ -30,7 +30,7 @@
 "comment": {
 "data_type": "string",
 "description": "The application name.",
- "possible_values": "Database",
+ "expected_values": ["Database"],
 "recommended": false
 },
 "fieldName": "app",
@@ -47,7 +47,7 @@
 "comment": {
 "data_type": "string",
 "description": "The asset ID on the physical asset tag such as a sticker that is typically placed on each device in your organization.",
- "possible_values": "123456",
+ "expected_values": ["123456"],
 "recommended": false
 },
 "fieldName": "asset_tag",
@@ -64,7 +64,7 @@
 "comment": {
 "data_type": "string",
 "description": "The business unit that the device belongs to.",
- "possible_values": "EMEA, NorCal",
+ "expected_values": ["EMEA", "NorCal"],
 "recommended": false
 },
 "fieldName": "bunit",
@@ -81,7 +81,7 @@
 "comment": {
 "data_type": "string",
 "description": "The city where the device is located.",
- "possible_values": "Chicago",
+ "expected_values": ["Chicago"],
 "recommended": false
 },
 "fieldName": "city",
@@ -98,7 +98,7 @@
 "comment": {
 "data_type": "string",
 "description": "The cost center that the device belongs to.",
- "possible_values": "SP01FIN",
+ "expected_values": ["SP01FIN"],
 "recommended": false
 },
 "fieldName": "cost_center",
@@ -115,7 +115,7 @@
 "comment": {
 "data_type": "string",
 "description": "The country where the device is located.",
- "possible_values": "USA",
+ "expected_values": ["USA"],
 "recommended": false
 },
 "fieldName": "country",
@@ -132,7 +132,7 @@
 "comment": {
 "data_type": "string",
 "description": "The name of the user who created the device in the system.",
- "possible_values": "DevOps",
+ "expected_values": ["DevOps"],
 "recommended": false
 },
 "fieldName": "created_by",
@@ -149,7 +149,7 @@
 "comment": {
 "data_type": "boolean",
 "description": "Recommended. Indicates whether or not any IP addresses are associated with the MAC address for this device. Set to\u00a0true\u00a0to prevent any IP addresses from being associated with the MAC address for this device. See\u00a0Exclude identity resolution for devices or users.",
- "possible_values": "TRUE,FALSE",
+ "expected_values": ["TRUE","FALSE"],
 "recommended": true
 },
 "fieldName": "denyListDeviceIr",
@@ -166,7 +166,7 @@
 "comment": {
 "data_type": "boolean",
 "description": "Recommended. Indicates whether or not any users are associated with this device. Set to\u00a0true\u00a0to prevent any users from being associated with this device. See\u00a0Exclude identity resolution for devices or users.",
- "possible_values": "TRUE,FALSE",
+ "expected_values": ["TRUE","FALSE"],
 "recommended": true
 },
 "fieldName": "denyListUserIr",
@@ -183,7 +183,7 @@
 "comment": {
 "data_type": "string",
 "description": "The department that the device belongs to.",
- "possible_values": "Field Reps, ITS, Products, HR",
+ "expected_values": ["Field Reps", "ITS", "Products", "HR"],
 "recommended": false
 },
 "fieldName": "department",
@@ -200,7 +200,7 @@
 "comment": {
 "data_type": "string",
 "description": "The type of device.",
- "possible_values": "client",
+ "expected_values": ["client"],
 "recommended": false
 },
 "fieldName": "deviceType",
@@ -217,7 +217,7 @@
 "comment": {
 "data_type": "string",
 "description": "The FQDN of the device.",
- "possible_values": "server1.corp1.acmetech.org",
+ "expected_values": ["server1.corp1.acmetech.org"],
 "recommended": false
 },
 "fieldName": "dns",
@@ -234,7 +234,7 @@
 "comment": {
 "data_type": "string",
 "description": "The domain of the device.",
- "possible_values": "www.acmetech.org",
+ "expected_values": ["www.acmetech.org"],
 "recommended": false
 },
 "fieldName": "dns_domain",
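Review bot: `denyListDeviceIr` and `denyListUserIr` are declared `"data_type": "boolean"` with `"expected_values": ["TRUE","FALSE"]`, but the validation regex this series adds for both fields in `cim_validator_field_regex.csv` is `^(true|false)$`, so a value that matches the documented example is reported as unexpected by the validator; pick one casing, e.g. `"expected_values": ["true","false"]`, or make the regex case-insensitive. The same mismatch applies to `is_expected` in the `@@ -297,7 +297,7 @@` hunk. Which casing UBA itself emits cannot be confirmed from this hunk.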
@@ -263,7 +263,7 @@
 "comment": {
 "data_type": "string",
 "description": "Required. The hostname of the device.",
- "possible_values": "server1",
+ "expected_values": ["server1"],
 "recommended": true
 },
 "fieldName": "hostname",
@@ -280,7 +280,7 @@
 "comment": {
 "data_type": "string",
 "description": "The IP address of the device. The field may contain multiple values. See\u00a0Configure asset ingestion for multi-valued fields.",
- "possible_values": "2.1.1.1",
+ "expected_values": ["2.1.1.1"],
 "recommended": false
 },
 "fieldName": "ip",
@@ -297,7 +297,7 @@
 "comment": {
 "data_type": "boolean",
 "description": "Indicates whether or not this device is always expected. Alerts are generated if this device stops reporting events.",
- "possible_values": "TRUE,FALSE",
+ "expected_values": ["TRUE","FALSE"],
 "recommended": false
 },
 "fieldName": "is_expected",
@@ -314,7 +314,7 @@
 "comment": {
 "data_type": "string",
 "description": "The latitude location of the device.",
- "possible_values": "37.78008",
+ "expected_values": ["37.78008"],
 "recommended": false
 },
 "fieldName": "latitude",
@@ -331,7 +331,7 @@
 "comment": {
 "data_type": "string",
 "description": "The longitude location of the device.",
- "possible_values": "-122.42017",
+ "expected_values": ["-122.42017"],
 "recommended": false
 },
 "fieldName": "longitude",
@@ -348,7 +348,7 @@
 "comment": {
 "data_type": "string",
 "description": "The MAC address of the device. The field may contain multiple values. See\u00a0Configure asset ingestion for multi-valued fields.",
- "possible_values": "00:50:ef:84:f1:21|00:50:ef:84:f1:20",
+ "expected_values": ["00:50:ef:84:f1:21","00:50:ef:84:f1:20"],
 "recommended": false
 },
 "fieldName": "mac",
@@ -365,7 +365,7 @@
 "comment": {
 "data_type": "string",
 "description": "The manager of the device.",
- "possible_values": "admin",
+ "expected_values": ["admin"],
 "recommended": false
 },
 "fieldName": "managed_by",
@@ -382,7 +382,7 @@
 "comment": {
 "data_type": "string",
 "description": "The operating system running on the device.",
- "possible_values": "macOS, WIndows",
+ "expected_values": ["macOS", "Windows"],
 "recommended": false
 },
 "fieldName": "os",
@@ -399,7 +399,7 @@
 "comment": {
 "data_type": "string",
 "description": "The OS domain of the device.",
- "possible_values": "Windows",
+ "expected_values": ["Windows"],
 "recommended": false
 },
 "fieldName": "os_domain",
@@ -416,7 +416,7 @@
 "comment": {
 "data_type": "string",
 "description": "The owner of the device.",
- "possible_values": "f.prefect@acmetech.org, DevOps, Bill",
+ "expected_values": ["f.prefect@acmetech.org", "DevOps", "Bill"],
 "recommended": false
 },
 "fieldName": "owner",
@@ -433,7 +433,7 @@
 "comment": {
 "data_type": "string",
 "description": "The PCI address domain of the device.",
- "possible_values": "dmz, untrust",
+ "expected_values": ["dmz", "untrust"],
 "recommended": false
 },
 "fieldName": "pci_domain",
@@ -450,7 +450,7 @@
 "comment": {
 "data_type": "string",
 "description": "The serial number of the device.",
- "possible_values": "AB1C24D5EFGH",
+ "expected_values": ["AB1C24D5EFGH"],
 "recommended": false
 },
 "fieldName": "serial",
@@ -491,7 +491,7 @@
 "comment": {
 "data_type": "string",
 "description": "The hexadecimal Windows status code for the device.",
- "possible_values": "0XC0000234 (user is currently locked out)",
+ "expected_values": ["0XC0000234 (user is currently locked out)"],
 "recommended": false
 },
 "fieldName": "status",
@@ -508,7 +508,7 @@
 "comment": {
 "data_type": "string",
 "description": "The hexadecimal sub-status code for the device.",
- "possible_values": "0XC000006D (invalid username or authentication)",
+ "expected_values": ["0XC000006D (invalid username or authentication)"],
 "recommended": false
 },
 "fieldName": "substatus",
@@ -524,8 +524,8 @@ { "comment": { "data_type": "string", - "description": "The date and time stamp of when the device was first entered into the system. The format is\u00a0MM/DD/YYYY.", - "possible_values": "5/1/19", + "description": "The date and time stamp of when the device was first entered into the system. The format is MM/DD/YYYY.", + "expected_values": ["5/1/19"], "recommended": false }, "fieldName": "sys_created_on", @@ -542,7 +542,7 @@ "comment": { "data_type": "string", "description": "The data and time stamp of the last time the device was updated. For example, a laptop may be assigned to a new owner. The format is\u00a0MM/DD/YYYY.", - "possible_values": "5/1/19", + "expected_values": ["5/1/19"], "recommended": false }, "fieldName": "sys_updated_on", @@ -559,7 +559,7 @@ "calculations": [], "constraints": [ { - "search": "index=main", + "search": "`uba_cim_asset_data`", "owner": "UBA_Asset_Data" } ], diff --git a/default/data/models/UBA_Authentication.json b/default/data/models/UBA_Authentication.json index d4f95af..6976602 100644 --- a/default/data/models/UBA_Authentication.json +++ b/default/data/models/UBA_Authentication.json @@ -9,14 +9,10 @@ }, "objects": [ { - "comment": { - "tags": [ - "authentication" - ] - }, "objectName": "UBA_Authentication", "displayName": "UBA Authentication", "parentName": "BaseEvent", + "comment": "", "fields": [ { "fieldName": "_time", @@ -35,7 +31,7 @@ "data_type": "string", "description": "The action performed on the resource.", "recommended": true, - "possible_values": "success, failure, unknown, added" + "expected_values": ["success", "failure", "unknown", "added"] }, "fieldName": "action", "owner": "UBA_Authentication", @@ -52,7 +48,7 @@ "data_type": "string", "description": "The application involved in the event.", "recommended": false, - "possible_values": "ssh, splunk, win:local" + "expected_values": ["ssh", "splunk", "win:local"] }, "fieldName": "app", "owner": "UBA_Authentication", 
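Review bot: The `sys_created_on` hunk rewrites the description to say the format is MM/DD/YYYY but keeps `"5/1/19"` as the expected value, which is neither zero-padded nor a four-digit year, so the example contradicts the documented format; the `sys_updated_on` hunk on this line has the same example, still carries the `\u00a0` non-breaking space (`The format is\u00a0MM/DD/YYYY.`) that this hunk removed, and has "The data and time stamp" where "date" is meant. Either make the example match, `"expected_values": ["05/01/2019"]`, or document the format the example actually shows. Non-breaking spaces also survive in the `ip`, `mac`, `dest` and `src` descriptions elsewhere in this patch and are worth normalising in the same pass.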
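Review bot: The new constraint macro `` `uba_cim_asset_data` `` does not follow the `uba_cim_<model>_indexes` naming that every other model in this patch uses (`uba_cim_authentication_indexes`, `uba_cim_badge_indexes`, `uba_cim_cloud_indexes`, `uba_cim_dhcp_indexes`, `uba_cim_dlp_indexes`), so it is worth confirming the name is actually defined in default/macros.conf rather than being a typo that would make the model error at search time. Renaming it to `` `uba_cim_asset_data_indexes` `` keeps the set consistent, assuming the macro is only an index list like its siblings.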
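Review bot: The object-level `"comment": {"tags": ["authentication"]}` is dropped and replaced by `"comment": ""`, so after this hunk the tag the model expects is recorded only in the `tag` field's `expected_values` further down. If anything reads the object comment (the diffstat shows cim_dictionary.xml and cim_validator.xml changing in this patch, but they are not visible here), confirm it was updated to the new location; otherwise consider keeping the tags in the object comment as a structured list rather than an empty string, since a machine-readable tag list is more useful than a free-text example.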
@@ -69,7 +65,7 @@ "data_type": "string", "description": "The target involved in the authentication. You can alias this from more specific fields including\u00a0dest_ip\u00a0and\u00a0dest_host.", "recommended": true, - "possible_values": "192.168.10.11, winhost1" + "expected_values": ["192.168.10.11", "winhost1"] }, "fieldName": "dest", "owner": "UBA_Authentication", @@ -86,7 +82,7 @@ "data_type": "integer", "description": "The amount of time in seconds that it took to complete the authentication event.", "recommended": false, - "possible_values": "2" + "expected_values": ["2"] }, "fieldName": "duration", "owner": "UBA_Authentication", @@ -139,7 +135,7 @@ "data_type": "string", "description": "The source involved in the authentication. In the case of endpoint protection authentication the src is the client. You can alias this from more specific fields including\u00a0src_ip\u00a0and\u00a0src_host.", "recommended": true, - "possible_values": "192.168.10.12, winhost2" + "expected_values": ["192.168.10.12", "winhost2"] }, "fieldName": "src", "owner": "UBA_Authentication", @@ -156,7 +152,7 @@ "data_type": "string", "description": "In privilege escalation events, src_user represents the user who initiated the privilege escalation. This field is unnecessary when an escalation is not performed.", "recommended": false, - "possible_values": "user1" + "expected_values": ["user1"] }, "fieldName": "src_user", "owner": "UBA_Authentication", 
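Review bot: `duration` is declared `"data_type": "integer"` but its example is the string `"2"`, and the same string-for-number convention recurs for every numeric field in this patch (`file_size`, `lease_duration`, the DLP `number` fields). That is fine if `expected_values` is defined as always being a list of strings, but then the comment's `data_type` is the only type signal and should be documented as such wherever the dictionary view is described; if the validator ever compares types, these would need to become JSON numbers, `"expected_values": [2]`.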
@@ -171,9 +167,9 @@ { "comment": { "data_type": "string", - "description": "Splunk UBA categories rely on the tags from CIM-compliant events to correctly parse data from the Splunk platform. Review this table to determine which category in Splunk UBA corresponds to the CIM data model that the events in the Splunk platform are mapped to. Click the name of the Splunk UBA category to review the field mappings between Splunk UBA and the CIM data models.", + "description": "Splunk UBA categories rely on the tags from CIM-compliant events to correctly parse data from the Splunk platform when using Splunk Direct in Splunk UBA.", "recommended": true, - "possible_values": "authentication" + "expected_values": ["authentication"] }, "fieldName": "tag", "owner": "UBA_Authentication", @@ -190,7 +186,7 @@ "data_type": "string", "description": "The name of the user for whom the authentication is being performed.", "recommended": true, - "possible_values": "user2" + "expected_values": ["user2"] }, "fieldName": "user", "owner": "UBA_Authentication", @@ -206,7 +202,7 @@ "calculations": [], "constraints": [ { - "search": "`uba_cim_authentication_indexes` authentication", + "search": "`uba_cim_authentication_indexes`", "owner": "UBA_Authentication" } ], diff --git a/default/data/models/UBA_Badge.json b/default/data/models/UBA_Badge.json index 1383a80..35c1c76 100644 --- a/default/data/models/UBA_Badge.json +++ b/default/data/models/UBA_Badge.json @@ -30,8 +30,8 @@ "comment": { "data_type": "string", "description": "The category of the badge access event.", - "possible_values": "Failed Access", - "required": true + "expected_values": ["Failed Access"], + "recommended": true }, "fieldName": "category", "owner": "UBA_Badge", 
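Review bot: Dropping the trailing `authentication` term from the constraint changes what the data model covers: unless the `` `uba_cim_authentication_indexes` `` macro itself now carries `tag=authentication`, the object matches every event in those indexes rather than only CIM-tagged authentication events, which inflates the event count, makes the per-field coverage the validator reports meaningless, and makes the search more expensive. The same term is removed in the Badge, Cloud Storage and DHCP constraint hunks later in this patch. If the intent was to move the filter into the macro, default/macros.conf is the place to verify; otherwise restore it, `` "search": "`uba_cim_authentication_indexes` tag=authentication" ``.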
@@ -47,8 +47,8 @@ "comment": { "data_type": "string", "description": "The reason for the failed operation.", - "possible_values": "Unauthorized Access Attempt", - "required": false + "expected_values": ["Unauthorized Access Attempt"], + "recommended": false }, "fieldName": "failure_reason", "owner": "UBA_Badge", @@ -76,8 +76,8 @@ "comment": { "data_type": "string", "description": "The location in the building where the badge access was requested.", - "possible_values": "Mail Room", - "required": true + "expected_values": ["Mail Room"], + "recommended": true }, "fieldName": "object_name", "owner": "UBA_Badge", @@ -93,8 +93,8 @@ "comment": { "data_type": "string", "description": "The type of device used in the badge access event.", - "possible_values": "ACCESS_POINT", - "required": true + "expected_values": ["ACCESS_POINT"], + "recommended": true }, "fieldName": "object_type", "owner": "UBA_Badge", @@ -110,8 +110,8 @@ "comment": { "data_type": "string", "description": "The location of the building.", - "possible_values": "123 Main Street", - "required": false + "expected_values": ["123 Main Street"], + "recommended": false }, "fieldName": "site_name", "owner": "UBA_Badge", @@ -150,9 +150,9 @@ { "comment": { "data_type": "string", - "description": "Splunk UBA categories rely on the tags from CIM-compliant events to correctly parse data from the Splunk platform. Review this table to determine which category in Splunk UBA corresponds to the CIM data model that the events in the Splunk platform are mapped to. Click the name of the Splunk UBA category to review the field mappings between Splunk UBA and the CIM data models.", - "possible_values": "badge", - "required": true + "description": "Splunk UBA categories rely on the tags from CIM-compliant events to correctly parse data from the Splunk platform when using Splunk Direct in Splunk UBA.", + "expected_values": ["badge"], + "recommended": true }, "fieldName": "tag", "owner": "UBA_Badge", 
@@ -168,8 +168,8 @@ "comment": { "data_type": "string", "description": "The user involved in this badge access event.", - "possible_values": "cronaldo", - "required": false + "expected_values": ["cronaldo"], + "recommended": false }, "fieldName": "user", "owner": "UBA_Badge", @@ -185,8 +185,8 @@ "comment": { "data_type": "string", "description": "The vendor of the badge access solution.", - "possible_values": "brivo", - "required": false + "expected_values": ["brivo"], + "recommended": false }, "fieldName": "vendor", "owner": "UBA_Badge", @@ -202,7 +202,7 @@ "calculations": [], "constraints": [ { - "search": "`uba_cim_badge_indexes` badge", + "search": "`uba_cim_badge_indexes`", "owner": "UBA_Badge" } ], diff --git a/default/data/models/UBA_Cloud_Storage.json b/default/data/models/UBA_Cloud_Storage.json index 170c373..ea5bf69 100644 --- a/default/data/models/UBA_Cloud_Storage.json +++ b/default/data/models/UBA_Cloud_Storage.json @@ -31,7 +31,7 @@ "data_type": "string", "description": "The application that is generating this event.", "recommended": true, - "possible_values": "Box, Office365, Google Drive." + "expected_values": ["Box", "Office365", "Google Drive."] }, "fieldName": "app", "owner": "UBA_Cloud_Storage", @@ -48,7 +48,7 @@ "data_type": "string", "description": "The type of access.", "recommended": true, - "possible_values": "Download, Preview, Delete, Create, Edit." + "expected_values": ["Download", "Preview", "Delete", "Create", "Edit."] }, "fieldName": "change_type", "owner": "UBA_Cloud_Storage", @@ -65,7 +65,7 @@ "data_type": "string", "description": "The user targeted by this action. Usually this is linked to permission changes made by another user, such as when an admin change the privileges of a user in a file.", "recommended": false, - "possible_values": "cronaldo" + "expected_values": ["cronaldo"] }, "fieldName": "dest_user", "owner": "UBA_Cloud_Storage", 
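Review bot: The mechanical split of the old sentence-style list left sentence punctuation inside the values: `"Google Drive."` here, `"Edit."` in the `change_type` hunk on this line, and `"etc."` as a literal expected value in the `object_type` and `parent_category` hunks on the next line. Strip the trailing periods and drop the `etc.` entries, `"expected_values": ["Box", "Office365", "Google Drive"]`, so the arrays hold only real values; if the open-endedness of the list matters, it belongs in the description.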
@@ -82,7 +82,7 @@ "data_type": "integer", "description": "The unique identifier of the resource. This should be assigned by the product, such as Box, Sharepoint, or Google Drive.", "recommended": true, - "possible_values": "17283982137" + "expected_values": ["17283982137"] }, "fieldName": "file_hash", "owner": "UBA_Cloud_Storage", @@ -99,7 +99,7 @@ "data_type": "integer", "description": "The size in bytes of the resource associated to this event.", "recommended": false, - "possible_values": "10280" + "expected_values": ["10280"] }, "fieldName": "file_size", "owner": "UBA_Cloud_Storage", @@ -128,7 +128,7 @@ "data_type": "string", "description": "The name of the file.", "recommended": true, - "possible_values": "this_picture.png" + "expected_values": ["this_picture.png"] }, "fieldName": "object", "owner": "UBA_Cloud_Storage", @@ -145,7 +145,7 @@ "data_type": "string", "description": "The absolute or relative location of the resource.", "recommended": true, - "possible_values": "/bpatinho/photos" + "expected_values": ["/bpatinho/photos"] }, "fieldName": "object_path", "owner": "UBA_Cloud_Storage", @@ -162,7 +162,7 @@ "data_type": "string", "description": "The type of the file.", "recommended": true, - "possible_values": "File, Folder, Document, Image, etc." + "expected_values": ["File", "Folder", "Document", "Image", "etc."] }, "fieldName": "object_type", "owner": "UBA_Cloud_Storage", @@ -179,7 +179,7 @@ "data_type": "string", "description": "The type of the parent resource.", "recommended": false, - "possible_values": "Folder, Link, etc." + "expected_values": ["Folder", "Link", "etc."] }, "fieldName": "parent_category", "owner": "UBA_Cloud_Storage", 
@@ -196,7 +196,7 @@ "data_type": "integer", "description": "The unique identifier of the parent resource. This should be assigned by the product, such as Box, Sharepoint, or Google Drive.", "recommended": true, - "possible_values": "9864239674" + "expected_values": ["9864239674"] }, "fieldName": "parent_hash", "owner": "UBA_Cloud_Storage", @@ -237,7 +237,7 @@ "data_type": "string", "description": "The user creating this event.", "recommended": true, - "possible_values": "user1" + "expected_values": ["user1"] }, "fieldName": "src_user", "owner": "UBA_Cloud_Storage", @@ -252,9 +252,8 @@ { "comment": { "data_type": "string", - "description": "Splunk UBA categories rely on the tags from CIM-compliant events to correctly parse data from the Splunk platform. Review this table to determine which category in Splunk UBA corresponds to the CIM data model that the events in the Splunk platform are mapped to. Click the name of the Splunk UBA category to review the field mappings between Splunk UBA and the CIM data models.", - "recommended": true, - "possible_values": "cloud" + "description": "Splunk UBA categories rely on the tags from CIM-compliant events to correctly parse data from the Splunk platform when using Splunk Direct in Splunk UBA.", "recommended": true, + "expected_values": ["cloud"] }, "fieldName": "tag", "owner": "UBA_Cloud_Storage Storage", @@ -270,7 +269,7 @@ "calculations": [], "constraints": [ { - "search": "`uba_cim_cloud_indexes` cloud", + "search": "`uba_cim_cloud_indexes`", "owner": "UBA_Cloud_Storage" } ], diff --git a/default/data/models/UBA_DHCP.json b/default/data/models/UBA_DHCP.json index 1379322..78676ff 100644 --- a/default/data/models/UBA_DHCP.json +++ b/default/data/models/UBA_DHCP.json 
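Review bot: The `tag` field's `"owner": "UBA_Cloud_Storage Storage"` (a context line this patch leaves untouched) does not match the `objectName` `UBA_Cloud_Storage` that the constraint and every other field use, so if `owner` binds a field to its object this field is orphaned; it should read `"owner": "UBA_Cloud_Storage"`. Judging from the hunk counts (9 old lines, 8 new), the new `description` and `"recommended": true,` also appear to have landed on a single line, which is valid JSON but breaks the one-property-per-line layout of the rest of the file.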
@@ -31,7 +31,9 @@ "data_type": "string", "description": "The host name of the machine to which the IP address is being assigned.", "recommended": false, - "possible_values": "winhost1" + "expected_values": [ + "winhost1" + ] }, "fieldName": "dest_host", "owner": "UBA_DHCP", @@ -48,7 +50,9 @@ "data_type": "string", "description": "The assigned IP address.", "recommended": true, - "possible_values": "192.168.1.12" + "expected_values": [ + "192.168.1.12" + ] }, "fieldName": "dest_ip", "owner": "UBA_DHCP", @@ -65,7 +69,9 @@ "data_type": "string", "description": "The MAC address of the machine to which the IP address is being assigned.", "recommended": true, - "possible_values": "ad:7b:3d:db:49:8b" + "expected_values": [ + "ad:7b:3d:db:49:8b" + ] }, "fieldName": "dest_mac", "owner": "UBA_DHCP", @@ -94,7 +100,9 @@ "data_type": "integer", "description": "The duration in seconds of the Dynamic Host Configuration Protocol (DHCP) lease.", "recommended": true, - "possible_values": "2000" + "expected_values": [ + "2000" + ] }, "fieldName": "lease_duration", "owner": "UBA_DHCP", 
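Review bot: DHCP (and DLP below) write `expected_values` as multi-line arrays while Asset Data, Authentication, Badge and Cloud Storage use inline `["..."]`, so the same field shape is formatted two ways within one patch. Pick one layout — a single `jq .` or Prettier pass over default/data/models would do — so future diffs on these files stay small and reviewable.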
@@ -111,7 +119,24 @@ "data_type": "string", "description": "An indication of the type of network session event.", "recommended": true, - "possible_values": "DHCPACK, DHCPOFFER, DHCPREQUEST, DHCPINFORM, DHCPDISCOVER , DHCPNAK, DHCPDECLINE, DHCPRELEASE\r\n\"A new IP address was leased to a client\", \"Issued\", \"DHCP_GrantLease\",\r\n\"An IP address was found to be in use on the network\"\r\n\"A lease was renewed by a client\", \"Fixed\", \"Renewed\", \"DHCP_RenewLease\"\r\n\"A lease was released by a client\", \"DHCP Release\", \"Freed\"\r\n\"No DHCP lease available to offer from subnet\"" + "expected_values": [ + "DHCPACK", + "DHCPOFFER", + "DHCPREQUEST", + "DHCPINFORM", + "DHCPDISCOVER", + "DHCPNAK", + "DHCPDECLINE", + "DHCPRELEASE\r\n\"A new IP address was leased to a client\"", + "\"Issued\"", + "\"DHCP_GrantLease\"", + "\"An IP address was found to be in use on the network\"\r\n\"A lease was renewed by a client\"", + "\"Fixed\"", + "\"Renewed\"", + "\"DHCP_RenewLease\"\r\n\"A lease was released by a client\"", + "\"DHCP Release\"", + "\"Freed\"\r\n\"No DHCP lease available to offer from subnet\"" + ] }, "fieldName": "signature", "owner": "UBA_DHCP", @@ -150,9 +175,13 @@ { "comment": { "data_type": "string", - "description": "Splunk UBA categories rely on the tags from CIM-compliant events to correctly parse data from the Splunk platform. Review this table to determine which category in Splunk UBA corresponds to the CIM data model that the events in the Splunk platform are mapped to. Click the name of the Splunk UBA category to review the field mappings between Splunk UBA and the CIM data models.", + "description": "Splunk UBA categories rely on the tags from CIM-compliant events to correctly parse data from the Splunk platform when using Splunk Direct in Splunk UBA.", "recommended": true, - "possible_values": "network,session,dhcp" + "expected_values": [ + "network", + "session", + "dhcp" + ] }, "fieldName": "tag", "owner": "UBA_DHCP", 
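Review bot: The `signature` list was split mechanically on commas, so several entries still contain the `\r\n` line breaks and escaped quotes of the old free-text value: `"DHCPRELEASE\r\n\"A new IP address was leased to a client\""` fuses two signatures into one, and `"\"Issued\""` would only match an event whose signature literally contains the quote characters. Each signature should be its own plain string; the list below is derived only from the values already present in the hunk.
```json
"expected_values": [
  "DHCPACK",
  "DHCPOFFER",
  "DHCPREQUEST",
  "DHCPINFORM",
  "DHCPDISCOVER",
  "DHCPNAK",
  "DHCPDECLINE",
  "DHCPRELEASE",
  "A new IP address was leased to a client",
  "Issued",
  "DHCP_GrantLease",
  "An IP address was found to be in use on the network",
  "A lease was renewed by a client",
  "Fixed",
  "Renewed",
  "DHCP_RenewLease",
  "A lease was released by a client",
  "DHCP Release",
  "Freed",
  "No DHCP lease available to offer from subnet"
]
```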
@@ -168,7 +197,7 @@
 "calculations": [],
 "constraints": [
 {
- "search": "`uba_cim_dhcp_indexes` network session dhcp",
+ "search": "`uba_cim_dhcp_indexes`",
 "owner": "UBA_DHCP"
 }
 ],
@@ -178,4 +207,4 @@
 "objectNameList": [
 "UBA_DHCP"
 ]
-}
+}
\ No newline at end of file
diff --git a/default/data/models/UBA_DLP.json b/default/data/models/UBA_DLP.json
index 0687e72..45ae2d1 100644
--- a/default/data/models/UBA_DLP.json
+++ b/default/data/models/UBA_DLP.json
@@ -1,7 +1,7 @@
 {
 "modelName": "UBA_DLP",
 "displayName": "UBA DLP",
- "description": "",
+ "description": "Splunk UBA DLP Data Model for CIM Validator App",
 "objectSummary": {
 "Event-Based": 1,
 "Transaction-Based": 0,
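Review bot: The `@@ -178,4 +207,4 @@` hunk removes the trailing newline at end of file (`\ No newline at end of file` on the new side), and the UBA_DLP hunk at `@@ -436,4 +661,4 @@` does the same; both old files had it. A final newline is the convention for files under version control and keeps the next edit to the closing `}` from showing up as a two-line diff, so re-add it before merging.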
@@ -10,423 +10,648 @@ "objects": [ { "objectName": "UBA_DLP", - "displayName": "UBA_DLP", + "displayName": "UBA DLP", "parentName": "BaseEvent", "comment": "", "fields": [ { - "fieldName": "action", - "owner": "UBA_DLP", - "type": "string", - "fieldSearch": "action=*", - "required": true, - "multivalue": false, - "hidden": false, - "editable": true, - "displayName": "action", - "comment": "" - }, - { - "fieldName": "category", - "owner": "UBA_DLP", - "type": "string", - "fieldSearch": "category=*", - "required": true, + "fieldName": "_time", + "owner": "BaseEvent", + "type": "timestamp", + "fieldSearch": "", + "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "category", + "displayName": "_time", "comment": "" }, { - "fieldName": "severity", + "comment": { + "data_type": "string", + "description": "The action taken by the DLP device.", + "expected_values": [ + "allowed", + "blocked" + ], + "recommended": true + }, + "fieldName": "action", "owner": "UBA_DLP", "type": "string", - "fieldSearch": "severity=*", - "required": true, + "fieldSearch": "action=*", + "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "severity", - "comment": "" + "displayName": "action" }, { - "fieldName": "signature", + "comment": { + "data_type": "string", + "description": "The application involved in the event.", + "expected_values": [ + "Symantec DLP" + ], + "recommended": false + }, + "fieldName": "app", "owner": "UBA_DLP", "type": "string", - "fieldSearch": "signature=*", - "required": true, + "fieldSearch": "app=*", + "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "signature", - "comment": "" + "displayName": "app" }, { - "fieldName": "app", + "comment": { + "data_type": "string", + "description": "The category of the DLP event.", + "expected_values": [ + "malware", + "keylogger", + "ad-supported program" + ], + "recommended": true + }, + "fieldName": 
"category", "owner": "UBA_DLP", "type": "string", - "fieldSearch": "", + "fieldSearch": "category=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "app", - "comment": "" + "displayName": "category" }, { - "fieldName": "dest_ip", + "comment": { + "data_type": "string", + "description": "The name of the destination file involved.", + "expected_values": [ + "creditcards.xls" + ], + "recommended": false + }, + "fieldName": "dest_file", "owner": "UBA_DLP", - "type": "ipv4", - "fieldSearch": "", + "type": "string", + "fieldSearch": "dest_file=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "dest_ip", - "comment": "" + "displayName": "dest_file" }, { + "comment": { + "data_type": "string", + "description": "The host name of the destination.", + "expected_values": [ + "winhost2" + ], + "recommended": false + }, "fieldName": "dest_host", "owner": "UBA_DLP", "type": "string", - "fieldSearch": "", + "fieldSearch": "dest_host=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "dest_host", - "comment": "" + "displayName": "dest_host" }, { - "fieldName": "dest_file", + "comment": { + "data_type": "string", + "description": "The IP address of the destination.", + "expected_values": [ + "2.2.2.2" + ], + "recommended": false + }, + "fieldName": "dest_ip", "owner": "UBA_DLP", "type": "string", - "fieldSearch": "", + "fieldSearch": "dest_ip=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "dest_file", - "comment": "" + "displayName": "dest_ip" }, { + "comment": { + "data_type": "string", + "description": "The path of the destination file involved.", + "expected_values": [ + "c:\\documents" + ], + "recommended": false + }, "fieldName": "dest_path", "owner": "UBA_DLP", "type": "string", - "fieldSearch": "", + "fieldSearch": "dest_path=*", "required": false, "multivalue": false, "hidden": false, 
"editable": true, - "displayName": "dest_path", - "comment": "" + "displayName": "dest_path" }, { + "comment": { + "data_type": "string", + "description": "The destination user involved in the activity reported by DLP.", + "expected_values": [ + "cronaldo" + ], + "recommended": false + }, "fieldName": "dest_user", "owner": "UBA_DLP", "type": "string", - "fieldSearch": "", + "fieldSearch": "dest_user=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "dest_user", - "comment": "" + "displayName": "dest_user" }, { + "comment": { + "data_type": "integer", + "description": "The ID of the USB device.", + "expected_values": [ + "987654" + ], + "recommended": false + }, "fieldName": "device_id", "owner": "UBA_DLP", - "type": "string", - "fieldSearch": "", + "type": "number", + "fieldSearch": "device_id=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "device_id", - "comment": "" + "displayName": "device_id" }, { + "comment": { + "data_type": "string", + "description": "The DLP incident status.", + "expected_values": [ + "Working" + ], + "recommended": false + }, "fieldName": "dlp_status", "owner": "UBA_DLP", "type": "string", - "fieldSearch": "", + "fieldSearch": "dlp_status=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "dlp_status", - "comment": "" + "displayName": "dlp_status" }, { + "comment": { + "data_type": "integer", + "description": "The event type ID.", + "expected_values": [ + "13" + ], + "recommended": false + }, "fieldName": "event_type_id", "owner": "UBA_DLP", - "type": "string", - "fieldSearch": "", + "type": "number", + "fieldSearch": "event_type_id=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "event_type_id", - "comment": "" + "displayName": "event_type_id" }, { + "comment": { + "data_type": "integer", + "description": "The size in bytes of the file transferred", + 
"expected_values": [ + "10000" + ], + "recommended": false + }, "fieldName": "file_size", "owner": "UBA_DLP", + "type": "number", + "fieldSearch": "file_size=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "file_size" + }, + { + "fieldName": "host", + "owner": "BaseEvent", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "file_size", + "displayName": "host", "comment": "" }, { + "comment": { + "data_type": "integer", + "description": "The number of unique matches of the DLP signature.", + "expected_values": [ + "1", + "10", + "1040" + ], + "recommended": false + }, "fieldName": "match_count", "owner": "UBA_DLP", - "type": "string", - "fieldSearch": "", + "type": "number", + "fieldSearch": "match_count=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "match_count", - "comment": "" + "displayName": "match_count" }, { + "comment": { + "data_type": "string", + "description": "The policy that triggered the DLP alarm.", + "expected_values": [ + "Social Security Number" + ], + "recommended": false + }, "fieldName": "policy", "owner": "UBA_DLP", "type": "string", - "fieldSearch": "", + "fieldSearch": "policy=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "policy", - "comment": "" + "displayName": "policy" }, { + "comment": { + "data_type": "string", + "description": "The DLP incident prevention status.", + "expected_values": [ + "9", + "Blocked" + ], + "recommended": false + }, "fieldName": "prevention_status", "owner": "UBA_DLP", "type": "string", - "fieldSearch": "", + "fieldSearch": "prevention_status=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "prevention_status", - "comment": "" + "displayName": "prevention_status" }, { + "comment": { + "data_type": "string", + "description": "The 
individual email addresses of the message recipients.", + "expected_values": [ + "a@b.com", + "c@b.com" + ], + "recommended": false + }, "fieldName": "recipient", "owner": "UBA_DLP", "type": "string", - "fieldSearch": "", + "fieldSearch": "recipient=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "recipient", - "comment": "" + "displayName": "recipient" }, { + "comment": { + "data_type": "string", + "description": "Is it a sensitive or restricted file?", + "expected_values": [ + "no", + "yes" + ], + "recommended": false + }, "fieldName": "restricted", "owner": "UBA_DLP", "type": "string", - "fieldSearch": "", + "fieldSearch": "restricted=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "restricted", - "comment": "" + "displayName": "restricted" }, { + "comment": { + "data_type": "string", + "description": "The email address of the message sender.", + "expected_values": [ + "d@b.com" + ], + "recommended": false + }, "fieldName": "sender", "owner": "UBA_DLP", "type": "string", - "fieldSearch": "", + "fieldSearch": "sender=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "sender", - "comment": "" + "displayName": "sender" }, { + "comment": { + "data_type": "integer", + "description": "The serial number of USB device.", + "expected_values": [ + "1234567890" + ], + "recommended": false + }, "fieldName": "serial_number", "owner": "UBA_DLP", - "type": "string", - "fieldSearch": "", + "type": "number", + "fieldSearch": "serial_number=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "serial_number", - "comment": "" + "displayName": "serial_number" }, { - "fieldName": "src_file", + "comment": { + "data_type": "string", + "description": "The severity of the network protection event.", + "expected_values": [ + "informational", + "unknown", + "low", + "medium", + "high", + "critical" + ], + 
"recommended": true + }, + "fieldName": "severity", "owner": "UBA_DLP", "type": "string", - "fieldSearch": "", + "fieldSearch": "severity=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "src_file", - "comment": "" + "displayName": "severity" }, { - "fieldName": "src_host", + "comment": { + "data_type": "string", + "description": "The type of the event.", + "expected_values": [ + "HTTP Incident" + ], + "recommended": true + }, + "fieldName": "signature", "owner": "UBA_DLP", "type": "string", - "fieldSearch": "", + "fieldSearch": "signature=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "src_host", - "comment": "" + "displayName": "signature" }, { - "fieldName": "src_ip", - "owner": "UBA_DLP", + "fieldName": "source", + "owner": "BaseEvent", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "src_ip", + "displayName": "source", "comment": "" }, { - "fieldName": "src_path", - "owner": "UBA_DLP", + "fieldName": "sourcetype", + "owner": "BaseEvent", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "src_path", + "displayName": "sourcetype", "comment": "" }, { - "fieldName": "src_user", + "comment": { + "data_type": "string", + "description": "The name of the source file involved.", + "expected_values": [ + "creditcards.xls" + ], + "recommended": false + }, + "fieldName": "src_file", "owner": "UBA_DLP", "type": "string", - "fieldSearch": "", + "fieldSearch": "src_file=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "src_user", - "comment": "" + "displayName": "src_file" }, { - "fieldName": "subject", + "comment": { + "data_type": "string", + "description": "The host name of the source.", + "expected_values": [ + "winhost1" + ], + "recommended": false + }, + "fieldName": 
"src_host", "owner": "UBA_DLP", "type": "string", - "fieldSearch": "", + "fieldSearch": "src_host=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "subject", - "comment": "" + "displayName": "src_host" }, { - "fieldName": "user_department", + "comment": { + "data_type": "string", + "description": "The source of the network traffic (the client requesting the connection).", + "expected_values": [ + "10.10.10.12" + ], + "recommended": false + }, + "fieldName": "src_ip", "owner": "UBA_DLP", "type": "string", - "fieldSearch": "", + "fieldSearch": "src_ip=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "user_department", - "comment": "" + "displayName": "src_ip" }, { - "fieldName": "vendor", + "comment": { + "data_type": "string", + "description": "The path of the source file involved.", + "expected_values": [ + "c:\\documents" + ], + "recommended": false + }, + "fieldName": "src_path", "owner": "UBA_DLP", "type": "string", - "fieldSearch": "", + "fieldSearch": "src_path=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "vendor", - "comment": "" + "displayName": "src_path" }, { - "fieldName": "tag", + "comment": { + "data_type": "string", + "description": "The source user involved in the activity reported by DLP.", + "expected_values": [ + "cronaldo" + ], + "recommended": false + }, + "fieldName": "src_user", "owner": "UBA_DLP", "type": "string", - "fieldSearch": "*", - "required": true, + "fieldSearch": "src_user=*", + "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "tag", - "comment": "" + "displayName": "src_user" }, { - "fieldName": "_time", - "owner": "BaseEvent", - "type": "timestamp", - "fieldSearch": "", + "comment": { + "data_type": "string", + "description": "The subject of the email message.", + "expected_values": [ + "Important Message", + "Open Now!" 
+ ], + "recommended": false + }, + "fieldName": "subject", + "owner": "UBA_DLP", + "type": "string", + "fieldSearch": "subject=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "_time", - "comment": "" + "displayName": "subject" }, { - "fieldName": "host", - "owner": "BaseEvent", + "comment": { + "data_type": "string", + "description": "Splunk UBA categories rely on the tags from CIM-compliant events to correctly parse data from the Splunk platform when using Splunk Direct in Splunk UBA.", + "expected_values": [ + "dlp", + "incident" + ], + "recommended": true + }, + "fieldName": "tag", + "owner": "UBA_DLP", "type": "string", - "fieldSearch": "", + "fieldSearch": "tag=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "host", - "comment": "" + "displayName": "tag" }, { - "fieldName": "source", - "owner": "BaseEvent", + "comment": { + "data_type": "string", + "description": "The department of the user involved in the activity reported by DLP.", + "expected_values": [ + "Finance" + ], + "recommended": false + }, + "fieldName": "user_department", + "owner": "UBA_DLP", "type": "string", - "fieldSearch": "", + "fieldSearch": "user_department=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "source", - "comment": "" + "displayName": "user_department" }, { - "fieldName": "sourcetype", - "owner": "BaseEvent", + "comment": { + "data_type": "string", + "description": "The USB vendor.", + "expected_values": [ + "FUJITSU" + ], + "recommended": false + }, + "fieldName": "vendor", + "owner": "UBA_DLP", "type": "string", - "fieldSearch": "", + "fieldSearch": "vendor=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "sourcetype", - "comment": "" + "displayName": "vendor" } ], "calculations": [], "constraints": [ { - "search": "index=main", + "search": "`uba_cim_dlp_indexes`", "owner": "UBA_DLP" } ], 
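Review bot: `serial_number` and `device_id` are changed from `"type": "string"` to `"type": "number"`, but USB serial numbers are routinely alphanumeric (the Asset Data model in this same patch uses `"AB1C24D5EFGH"` as its serial example and keeps it a string), so depending on how the validator applies `type`, events with such values would fail the check or be coerced away; keeping `"type": "string"` for both is safer, with the comment's `data_type` noting the common numeric form. Two smaller things in the same hunk: the `category` examples `malware`, `keylogger`, `ad-supported program` read like anti-malware categories rather than DLP ones and look copied from another model, and the `tag` field goes from `"required": true` to `"required": false` while the new constraint `` `uba_cim_dlp_indexes` `` carries no tag term, so nothing in the model now asserts that matched events carry `tag=dlp`.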
@@ -436,4 +661,4 @@
 "objectNameList": [
 "UBA_DLP"
 ]
-}
+}
\ No newline at end of file
diff --git a/default/data/models/UBA_DLP_Email.json b/default/data/models/UBA_DLP_Email.json
index 912b6f4..f341528 100644
--- a/default/data/models/UBA_DLP_Email.json
+++ b/default/data/models/UBA_DLP_Email.json
@@ -1,7 +1,7 @@
 {
 "modelName": "UBA_DLP_Email",
 "displayName": "UBA DLP Email",
- "description": "",
+ "description": "Splunk UBA DLP Email Data Model for CIM Validator App",
 "objectSummary": {
 "Event-Based": 1,
 "Transaction-Based": 0,
@@ -9,431 +9,657 @@ }, "objects": [ { - "objectName": "UBA_DLP", - "displayName": "UBA_DLP_Email", + "objectName": "UBA_DLP_Email", + "displayName": "UBA DLP Email", "parentName": "BaseEvent", "comment": "", "fields": [ { - "fieldName": "action", - "owner": "UBA_DLP", - "type": "string", - "fieldSearch": "action=*", - "required": true, - "multivalue": false, - "hidden": false, - "editable": true, - "displayName": "action", - "comment": "" - }, - { - "fieldName": "category", - "owner": "UBA_DLP", - "type": "string", - "fieldSearch": "category=*", - "required": true, + "fieldName": "_time", + "owner": "BaseEvent", + "type": "timestamp", + "fieldSearch": "", + "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "category", + "displayName": "_time", "comment": "" }, { - "fieldName": "severity", - "owner": "UBA_DLP", + "comment": { + "data_type": "string", + "description": "The action taken by the DLP device.", + "expected_values": [ + "allowed", + "blocked" + ], + "recommended": true + }, + "fieldName": "action", + "owner": "UBA_DLP_Email", "type": "string", - "fieldSearch": "severity=*", - "required": true, + "fieldSearch": "action=*", + "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "severity", - "comment": "" + "displayName": "action" }, { - "fieldName": "signature", - "owner": "UBA_DLP", + "comment": { + "data_type": "string", + "description": "The application involved in the event.", + "expected_values": [ + "Symantec DLP" + ], + "recommended": false + }, + "fieldName": "app", + "owner": "UBA_DLP_Email", "type": "string", - "fieldSearch": "signature=*", - "required": true, + "fieldSearch": "app=*", + "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "signature", - "comment": "" + "displayName": "app" }, { - "fieldName": "app", - "owner": "UBA_DLP", + "comment": { + "data_type": "string", + "description": "The category of the DLP event.", + 
"expected_values": [ + "malware", + "keylogger", + "ad-supported program" + ], + "recommended": true + }, + "fieldName": "category", + "owner": "UBA_DLP_Email", "type": "string", - "fieldSearch": "", + "fieldSearch": "category=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "app", - "comment": "" + "displayName": "category" }, { - "fieldName": "dest_ip", - "owner": "UBA_DLP", - "type": "ipv4", - "fieldSearch": "", + "comment": { + "data_type": "string", + "description": "The name of the destination file involved.", + "expected_values": [ + "creditcards.xls" + ], + "recommended": false + }, + "fieldName": "dest_file", + "owner": "UBA_DLP_Email", + "type": "string", + "fieldSearch": "dest_file=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "dest_ip", - "comment": "" + "displayName": "dest_file" }, { + "comment": { + "data_type": "string", + "description": "The host name of the destination.", + "expected_values": [ + "winhost2" + ], + "recommended": false + }, "fieldName": "dest_host", - "owner": "UBA_DLP", + "owner": "UBA_DLP_Email", "type": "string", - "fieldSearch": "", + "fieldSearch": "dest_host=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "dest_host", - "comment": "" + "displayName": "dest_host" }, { - "fieldName": "dest_file", - "owner": "UBA_DLP", + "comment": { + "data_type": "string", + "description": "The IP address of the destination.", + "expected_values": [ + "2.2.2.2" + ], + "recommended": false + }, + "fieldName": "dest_ip", + "owner": "UBA_DLP_Email", "type": "string", - "fieldSearch": "", + "fieldSearch": "dest_ip=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "dest_file", - "comment": "" + "displayName": "dest_ip" }, { + "comment": { + "data_type": "string", + "description": "The path of the destination file involved.", + "expected_values": [ + 
"c:\\documents" + ], + "recommended": false + }, "fieldName": "dest_path", - "owner": "UBA_DLP", + "owner": "UBA_DLP_Email", "type": "string", - "fieldSearch": "", + "fieldSearch": "dest_path=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "dest_path", - "comment": "" + "displayName": "dest_path" }, { + "comment": { + "data_type": "string", + "description": "The destination user involved in the activity reported by DLP.", + "expected_values": [ + "cronaldo" + ], + "recommended": false + }, "fieldName": "dest_user", - "owner": "UBA_DLP", + "owner": "UBA_DLP_Email", "type": "string", - "fieldSearch": "", + "fieldSearch": "dest_user=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "dest_user", - "comment": "" + "displayName": "dest_user" }, { + "comment": { + "data_type": "integer", + "description": "The ID of the USB device.", + "expected_values": [ + "987654" + ], + "recommended": false + }, "fieldName": "device_id", - "owner": "UBA_DLP", - "type": "string", - "fieldSearch": "", + "owner": "UBA_DLP_Email", + "type": "number", + "fieldSearch": "device_id=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "device_id", - "comment": "" + "displayName": "device_id" }, { + "comment": { + "data_type": "string", + "description": "The DLP incident status.", + "expected_values": [ + "Working" + ], + "recommended": false + }, "fieldName": "dlp_status", - "owner": "UBA_DLP", + "owner": "UBA_DLP_Email", "type": "string", - "fieldSearch": "", + "fieldSearch": "dlp_status=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "dlp_status", - "comment": "" + "displayName": "dlp_status" }, { + "comment": { + "data_type": "integer", + "description": "The event type ID.", + "expected_values": [ + "13" + ], + "recommended": false + }, "fieldName": "event_type_id", - "owner": "UBA_DLP", - "type": "string", - 
"fieldSearch": "", + "owner": "UBA_DLP_Email", + "type": "number", + "fieldSearch": "event_type_id=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "event_type_id", - "comment": "" + "displayName": "event_type_id" }, { + "comment": { + "data_type": "integer", + "description": "The size in bytes of the file transferred", + "expected_values": [ + "10000" + ], + "recommended": false + }, "fieldName": "file_size", - "owner": "UBA_DLP", + "owner": "UBA_DLP_Email", + "type": "number", + "fieldSearch": "file_size=*", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "file_size" + }, + { + "fieldName": "host", + "owner": "BaseEvent", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "file_size", + "displayName": "host", "comment": "" }, { + "comment": { + "data_type": "integer", + "description": "The number of unique matches of the DLP signature.", + "expected_values": [ + "1", + "10", + "1040" + ], + "recommended": false + }, "fieldName": "match_count", - "owner": "UBA_DLP", - "type": "string", - "fieldSearch": "", + "owner": "UBA_DLP_Email", + "type": "number", + "fieldSearch": "match_count=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "match_count", - "comment": "" + "displayName": "match_count" }, { + "comment": { + "data_type": "string", + "description": "The policy that triggered the DLP alarm.", + "expected_values": [ + "Social Security Number" + ], + "recommended": false + }, "fieldName": "policy", - "owner": "UBA_DLP", + "owner": "UBA_DLP_Email", "type": "string", - "fieldSearch": "", + "fieldSearch": "policy=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "policy", - "comment": "" + "displayName": "policy" }, { + "comment": { + "data_type": "string", + "description": "The DLP incident 
prevention status.", + "expected_values": [ + "9", + "Blocked" + ], + "recommended": false + }, "fieldName": "prevention_status", - "owner": "UBA_DLP", + "owner": "UBA_DLP_Email", "type": "string", - "fieldSearch": "", + "fieldSearch": "prevention_status=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "prevention_status", - "comment": "" + "displayName": "prevention_status" }, { + "comment": { + "data_type": "string", + "description": "The individual email addresses of the message recipients.", + "expected_values": [ + "a@b.com", + "c@b.com" + ], + "recommended": false + }, "fieldName": "recipient", - "owner": "UBA_DLP", + "owner": "UBA_DLP_Email", "type": "string", - "fieldSearch": "", + "fieldSearch": "recipient=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "recipient", - "comment": "" + "displayName": "recipient" }, { + "comment": { + "data_type": "string", + "description": "Is it a sensitive or restricted file?", + "expected_values": [ + "no", + "yes" + ], + "recommended": false + }, "fieldName": "restricted", - "owner": "UBA_DLP", + "owner": "UBA_DLP_Email", "type": "string", - "fieldSearch": "", + "fieldSearch": "restricted=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "restricted", - "comment": "" + "displayName": "restricted" }, { + "comment": { + "data_type": "string", + "description": "The email address of the message sender.", + "expected_values": [ + "d@b.com" + ], + "recommended": false + }, "fieldName": "sender", - "owner": "UBA_DLP", + "owner": "UBA_DLP_Email", "type": "string", - "fieldSearch": "", + "fieldSearch": "sender=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "sender", - "comment": "" + "displayName": "sender" }, { + "comment": { + "data_type": "integer", + "description": "The serial number of USB device.", + "expected_values": [ + "1234567890" + 
], + "recommended": false + }, "fieldName": "serial_number", - "owner": "UBA_DLP", - "type": "string", - "fieldSearch": "", + "owner": "UBA_DLP_Email", + "type": "number", + "fieldSearch": "serial_number=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "serial_number", - "comment": "" + "displayName": "serial_number" }, { - "fieldName": "src_file", - "owner": "UBA_DLP", + "comment": { + "data_type": "string", + "description": "The severity of the network protection event.", + "expected_values": [ + "informational", + "unknown", + "low", + "medium", + "high", + "critical" + ], + "recommended": true + }, + "fieldName": "severity", + "owner": "UBA_DLP_Email", "type": "string", - "fieldSearch": "", + "fieldSearch": "severity=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "src_file", - "comment": "" + "displayName": "severity" }, { - "fieldName": "src_host", - "owner": "UBA_DLP", + "comment": { + "data_type": "string", + "description": "The type of the event.", + "expected_values": [ + "HTTP Incident" + ], + "recommended": true + }, + "fieldName": "signature", + "owner": "UBA_DLP_Email", "type": "string", - "fieldSearch": "", + "fieldSearch": "signature=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "src_host", - "comment": "" + "displayName": "signature" }, { - "fieldName": "src_ip", - "owner": "UBA_DLP", + "fieldName": "source", + "owner": "BaseEvent", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "src_ip", + "displayName": "source", "comment": "" }, { - "fieldName": "src_path", - "owner": "UBA_DLP", + "fieldName": "sourcetype", + "owner": "BaseEvent", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "src_path", + "displayName": "sourcetype", "comment": "" }, { - 
"fieldName": "src_user", - "owner": "UBA_DLP", + "comment": { + "data_type": "string", + "description": "The name of the source file involved.", + "expected_values": [ + "creditcards.xls" + ], + "recommended": false + }, + "fieldName": "src_file", + "owner": "UBA_DLP_Email", "type": "string", - "fieldSearch": "", + "fieldSearch": "src_file=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "src_user", - "comment": "" + "displayName": "src_file" }, { - "fieldName": "subject", - "owner": "UBA_DLP", + "comment": { + "data_type": "string", + "description": "The host name of the source.", + "expected_values": [ + "winhost1" + ], + "recommended": false + }, + "fieldName": "src_host", + "owner": "UBA_DLP_Email", "type": "string", - "fieldSearch": "", + "fieldSearch": "src_host=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "subject", - "comment": "" + "displayName": "src_host" }, { - "fieldName": "user_department", - "owner": "UBA_DLP", + "comment": { + "data_type": "string", + "description": "The source of the network traffic (the client requesting the connection).", + "expected_values": [ + "10.10.10.12" + ], + "recommended": false + }, + "fieldName": "src_ip", + "owner": "UBA_DLP_Email", "type": "string", - "fieldSearch": "", + "fieldSearch": "src_ip=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "user_department", - "comment": "" + "displayName": "src_ip" }, { - "fieldName": "vendor", - "owner": "UBA_DLP", + "comment": { + "data_type": "string", + "description": "The path of the source file involved.", + "expected_values": [ + "c:\\documents" + ], + "recommended": false + }, + "fieldName": "src_path", + "owner": "UBA_DLP_Email", "type": "string", - "fieldSearch": "", + "fieldSearch": "src_path=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "vendor", - "comment": "" + 
"displayName": "src_path" }, { - "fieldName": "tag", - "owner": "UBA_DLP", + "comment": { + "data_type": "string", + "description": "The source user involved in the activity reported by DLP.", + "expected_values": [ + "cronaldo" + ], + "recommended": false + }, + "fieldName": "src_user", + "owner": "UBA_DLP_Email", "type": "string", - "fieldSearch": "*", - "required": true, + "fieldSearch": "src_user=*", + "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "tag", - "comment": "" + "displayName": "src_user" }, { - "fieldName": "_time", - "owner": "BaseEvent", - "type": "timestamp", - "fieldSearch": "", + "comment": { + "data_type": "string", + "description": "The subject of the email message.", + "expected_values": [ + "Important Message", + "Open Now!" + ], + "recommended": false + }, + "fieldName": "subject", + "owner": "UBA_DLP_Email", + "type": "string", + "fieldSearch": "subject=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "_time", - "comment": "" + "displayName": "subject" }, { - "fieldName": "host", - "owner": "BaseEvent", + "comment": { + "data_type": "string", + "description": "Splunk UBA categories rely on the tags from CIM-compliant events to correctly parse data from the Splunk platform when using Splunk Direct in Splunk UBA.", + "expected_values": [ + "dlp", + "incident", + "email" + ], + "recommended": true + }, + "fieldName": "tag", + "owner": "UBA_DLP_Email", "type": "string", - "fieldSearch": "", + "fieldSearch": "tag=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "host", - "comment": "" + "displayName": "tag" }, { - "fieldName": "source", - "owner": "BaseEvent", + "comment": { + "data_type": "string", + "description": "The department of the user involved in the activity reported by DLP.", + "expected_values": [ + "Finance" + ], + "recommended": false + }, + "fieldName": "user_department", + "owner": 
"UBA_DLP_Email",
 "type": "string",
- "fieldSearch": "",
+ "fieldSearch": "user_department=*",
 "required": false,
 "multivalue": false,
 "hidden": false,
 "editable": true,
- "displayName": "source",
- "comment": ""
+ "displayName": "user_department"
 },
 {
- "fieldName": "sourcetype",
- "owner": "BaseEvent",
+ "comment": {
+ "data_type": "string",
+ "description": "The USB vendor.",
+ "expected_values": [
+ "FUJITSU"
+ ],
+ "recommended": false
+ },
+ "fieldName": "vendor",
+ "owner": "UBA_DLP_Email",
 "type": "string",
- "fieldSearch": "",
+ "fieldSearch": "vendor=*",
 "required": false,
 "multivalue": false,
 "hidden": false,
 "editable": true,
- "displayName": "sourcetype",
- "comment": ""
+ "displayName": "vendor"
 }
 ],
 "calculations": [],
 "constraints": [
 {
- "search": "index=*",
- "owner": "UBA_DLP"
+ "search": "`uba_cim_dlp_email_indexes`",
+ "owner": "UBA_DLP_Email"
 }
 ],
- "lineage": "UBA_DLP"
+ "lineage": "UBA_DLP_Email"
 }
 ],
 "objectNameList": [
- "UBA_DLP"
+ "UBA_DLP_Email"
 ]
-}
+}
\ No newline at end of file
diff --git a/default/data/models/UBA_DNS.json b/default/data/models/UBA_DNS.json
index 15c340e..f6ad52f 100644
--- a/default/data/models/UBA_DNS.json
+++ b/default/data/models/UBA_DNS.json
@@ -31,7 +31,9 @@
 "data_type": "string",
 "description": "The resolved address for the query.",
 "recommended": true,
- "possible_values": "12.13.14.15"
+ "expected_values": [
+ "12.13.14.15"
+ ]
 },
 "fieldName": "answer",
 "owner": "UBA_DNS",
@@ -48,7 +50,9 @@
 "data_type": "string",
 "description": "The destination IP address of the network resolution event.",
 "recommended": false,
- "possible_values": "192.168.1.14"
+ "expected_values": [
+ "192.168.1.14"
+ ]
 },
 "fieldName": "dest_ip",
 "owner": "UBA_DNS",
@@ -65,7 +69,9 @@
 "data_type": "integer",
 "description": "The amount of time in seconds taken by the network resolution event.",
 "recommended": false,
- "possible_values": "1"
+ "expected_values": [
+ "1"
+ ]
 },
 "fieldName": "duration",
 "owner": "UBA_DNS",
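Review bot: `serial_number`, `device_id`, `event_type_id`, `file_size` and `match_count` change from `"type": "string"` to `"type": "number"` in this hunk while their `expected_values` stay quoted strings, and USB serial numbers and device IDs are frequently alphanumeric, so a numeric data-model type may leave those values empty in pivot and in the validator's coverage; keeping `"type": "string"` for `serial_number` and `device_id` and letting the comment's `data_type` document the intent looks safer. Several comments also appear to be carried over from other models rather than describing DLP email data: `category` lists `malware`, `keylogger` and `ad-supported program`, `severity` is described as 'The severity of the network protection event.', and `signature` as 'The type of the event.' with `HTTP Incident` as the example; something like `"description": "The DLP policy category of the incident."` would match this model. I cannot see the sibling models in this chunk, so the copy-over is inferred from the field text alone.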
@@ -94,7 +100,10 @@
 "data_type": "string",
 "description": "The type of DNS message.",
 "recommended": true,
- "possible_values": "Query, Response"
+ "expected_values": [
+ "Query",
+ "Response"
+ ]
 },
 "fieldName": "message_type",
 "owner": "UBA_DNS",
@@ -111,7 +120,9 @@
 "data_type": "string",
 "description": "The domain that needs to be resolved.",
 "recommended": true,
- "possible_values": "www.google.com"
+ "expected_values": [
+ "www.google.com"
+ ]
 },
 "fieldName": "query",
 "owner": "UBA_DNS",
@@ -128,7 +139,18 @@
 "data_type": "string",
 "description": "The field may contain DNS OpCodes or Resource Record Type codes.",
 "recommended": true,
- "possible_values": "Query, IQuery, Status, Notify, Update, unknown, A, MX, NS, PTR"
+ "expected_values": [
+ "Query",
+ "IQuery",
+ "Status",
+ "Notify",
+ "Update",
+ "unknown",
+ "A",
+ "MX",
+ "NS",
+ "PTR"
+ ]
 },
 "fieldName": "query_type",
 "owner": "UBA_DNS",
@@ -145,7 +167,13 @@
 "data_type": "string",
 "description": "The DNS resource record type.",
 "recommended": false,
- "possible_values": "A, DNAME, MX, NS, PTR"
+ "expected_values": [
+ "A",
+ "DNAME",
+ "MX",
+ "NS",
+ "PTR"
+ ]
 },
 "fieldName": "record_type",
 "owner": "UBA_DNS",
@@ -186,7 +214,9 @@
 "data_type": "string",
 "description": "The source IP address of the network resolution event.",
 "recommended": true,
- "possible_values": "192.168.1.11"
+ "expected_values": [
+ "192.168.1.11"
+ ]
 },
 "fieldName": "src_ip",
 "owner": "UBA_DNS",
@@ -203,7 +233,9 @@
 "data_type": "integer",
 "description": "The source port of the network resolution event.",
 "recommended": false,
- "possible_values": "3022"
+ "expected_values": [
+ "3022"
+ ]
 },
 "fieldName": "src_port",
 "owner": "UBA_DNS",
@@ -218,9 +250,13 @@
 {
 "comment": {
 "data_type": "string",
- "description": "Splunk UBA categories rely on the tags from CIM-compliant events to correctly parse data from the Splunk platform. Review this table to determine which category in Splunk UBA corresponds to the CIM data model that the events in the Splunk platform are mapped to. Click the name of the Splunk UBA category to review the field mappings between Splunk UBA and the CIM data models.",
+ "description": "Splunk UBA categories rely on the tags from CIM-compliant events to correctly parse data from the Splunk platform when using Splunk Direct in Splunk UBA.",
 "recommended": true,
- "possible_values": "network,resolution,dns"
+ "expected_values": [
+ "network",
+ "resolution",
+ "dns"
+ ]
 },
 "fieldName": "tag",
 "owner": "UBA_DNS",
@@ -237,7 +273,9 @@
 "data_type": "integer",
 "description": "The time-to-live of the network resolution event.",
 "recommended": false,
- "possible_values": "2000"
+ "expected_values": [
+ "2000"
+ ]
 },
 "fieldName": "ttl",
 "owner": "UBA_DNS",
@@ -253,7 +291,7 @@
 "calculations": [],
 "constraints": [
 {
- "search": "`uba_cim_dns_indexes` network resolution dns",
+ "search": "`uba_cim_dns_indexes`",
 "owner": "UBA_DNS"
 }
 ],
@@ -263,4 +301,4 @@
 "objectNameList": [
 "UBA_DNS"
 ]
-}
+}
\ No newline at end of file
diff --git a/default/data/models/UBA_Database.json b/default/data/models/UBA_Database.json
index a739eec..56b9e8e 100644
--- a/default/data/models/UBA_Database.json
+++ b/default/data/models/UBA_Database.json
@@ -31,7 +31,11 @@
 "data_type": "string",
 "description": "The action performed by the user.",
 "recommended": false,
- "possible_values": "LOGON, LOGOFF, CREATE FUNCTION"
+ "expected_values": [
+ "LOGON",
+ "LOGOFF",
+ "CREATE FUNCTION"
+ ]
 },
 "fieldName": "action_name",
 "owner": "UBA_Database",
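Review bot: The UBA_DNS root constraint loses the `network resolution dns` terms and becomes the bare macro `uba_cim_dns_indexes`, so unless the macro itself now carries the tag filter the data model spans every event in the configured indexes rather than the DNS-tagged ones, and the dictionary and validator counts for each field are then computed over unrelated events. The same macro-only constraint is introduced for UBA_Database and UBA_Email further down, and the UBA_DLP and UBA_DLP_Email constraints above are macro-only as well while UBA_DLP_Email's `tag` field drops `"required": true`, so tag scoping is no longer enforced anywhere in these models. If that is deliberate, a sentence in each model's `description` saying that tag scoping happens in the macro would make it explicit; otherwise appending `tag=network tag=resolution tag=dns` after the macro in the `search` keeps the CIM scoping while still using the macro. The macro definition lives in macros.conf, which is outside this chunk, so the first sentence is hedged on its contents.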
@@ -48,7 +52,12 @@
 "data_type": "string",
 "description": "The SQL query command.",
 "recommended": false,
- "possible_values": "select, locktable, insert, delete"
+ "expected_values": [
+ "select",
+ "locktable",
+ "insert",
+ "delete"
+ ]
 },
 "fieldName": "command_name",
 "owner": "UBA_Database",
@@ -65,7 +74,9 @@
 "data_type": "integer",
 "description": "The number of commits per second performed by the user associated with the session.",
 "recommended": false,
- "possible_values": "5"
+ "expected_values": [
+ "5"
+ ]
 },
 "fieldName": "commits",
 "owner": "UBA_Database",
@@ -82,7 +93,9 @@
 "data_type": "integer",
 "description": "The number of CPU centiseconds used by the session. Divide this value by 100 to get the CPU seconds.",
 "recommended": false,
- "possible_values": "1"
+ "expected_values": [
+ "1"
+ ]
 },
 "fieldName": "cpu_used",
 "owner": "UBA_Database",
@@ -99,7 +112,9 @@
 "data_type": "string",
 "description": "The host name of the destination.",
 "recommended": false,
- "possible_values": "winhost2"
+ "expected_values": [
+ "winhost2"
+ ]
 },
 "fieldName": "dest_host",
 "owner": "UBA_Database",
@@ -116,7 +131,9 @@
 "data_type": "string",
 "description": "The IP address of the destination.",
 "recommended": false,
- "possible_values": "2.2.2.2"
+ "expected_values": [
+ "2.2.2.2"
+ ]
 },
 "fieldName": "dest_ip",
 "owner": "UBA_Database",
@@ -133,7 +150,9 @@
 "data_type": "integer",
 "description": "The duration in seconds of the database connection.",
 "recommended": false,
- "possible_values": "241"
+ "expected_values": [
+ "241"
+ ]
 },
 "fieldName": "duration",
 "owner": "UBA_Database",
@@ -150,7 +169,9 @@
 "data_type": "integer",
 "description": "The total amount of time in seconds that elapsed since the user started the session by logging into the database server.",
 "recommended": false,
- "possible_values": "10"
+ "expected_values": [
+ "10"
+ ]
 },
 "fieldName": "elapsed_time",
 "owner": "UBA_Database",
@@ -167,7 +188,10 @@
 "data_type": "string",
 "description": "The type of event.",
 "recommended": true,
- "possible_values": "oracle_auth, oracle_session"
+ "expected_values": [
+ "oracle_auth",
+ "oracle_session"
+ ]
 },
 "fieldName": "eventtype",
 "owner": "UBA_Database",
@@ -196,7 +220,9 @@
 "data_type": "string",
 "description": "The name of the database instance.",
 "recommended": true,
- "possible_values": "myinstance"
+ "expected_values": [
+ "myinstance"
+ ]
 },
 "fieldName": "instance_name",
 "owner": "UBA_Database",
@@ -213,7 +239,10 @@
 "data_type": "string",
 "description": "The name of the database object.",
 "recommended": false,
- "possible_values": "view1, index1"
+ "expected_values": [
+ "view1",
+ "index1"
+ ]
 },
 "fieldName": "object",
 "owner": "UBA_Database",
@@ -230,7 +259,9 @@
 "data_type": "string",
 "description": "The full database query.",
 "recommended": false,
- "possible_values": "select * from my_table"
+ "expected_values": [
+ "select * from my_table"
+ ]
 },
 "fieldName": "query",
 "owner": "UBA_Database",
@@ -247,7 +278,9 @@
 "data_type": "integer",
 "description": "The number of records affected by the database query.",
 "recommended": false,
- "possible_values": "1"
+ "expected_values": [
+ "1"
+ ]
 },
 "fieldName": "records_affected",
 "owner": "UBA_Database",
@@ -288,7 +321,9 @@
 "data_type": "string",
 "description": "The domain name of the source server of the database event.",
 "recommended": false,
- "possible_values": "winhost1"
+ "expected_values": [
+ "winhost1"
+ ]
 },
 "fieldName": "src_host",
 "owner": "UBA_Database",
@@ -305,7 +340,9 @@
 "data_type": "string",
 "description": "The IP address of the source server of the database event.",
 "recommended": false,
- "possible_values": "10.10.10.12"
+ "expected_values": [
+ "10.10.10.12"
+ ]
 },
 "fieldName": "src_ip",
 "owner": "UBA_Database",
@@ -322,7 +359,10 @@
 "data_type": "string",
 "description": "The names of the tables hit by the query.",
 "recommended": false,
- "possible_values": "table1, table2"
+ "expected_values": [
+ "table1",
+ "table2"
+ ]
 },
 "fieldName": "tables_hit",
 "owner": "UBA_Database",
@@ -339,7 +379,9 @@
 "data_type": "string",
 "description": "The name of the tablespace.",
 "recommended": false,
- "possible_values": "my table space"
+ "expected_values": [
+ "my table space"
+ ]
 },
 "fieldName": "tablespace_name",
 "owner": "UBA_Database",
@@ -354,9 +396,11 @@
 {
 "comment": {
 "data_type": "string",
- "description": "Splunk UBA categories rely on the tags from CIM-compliant events to correctly parse data from the Splunk platform. Review this table to determine which category in Splunk UBA corresponds to the CIM data model that the events in the Splunk platform are mapped to. Click the name of the Splunk UBA category to review the field mappings between Splunk UBA and the CIM data models.",
+ "description": "Splunk UBA categories rely on the tags from CIM-compliant events to correctly parse data from the Splunk platform when using Splunk Direct in Splunk UBA.",
 "recommended": true,
- "possible_values": "database"
+ "expected_values": [
+ "database"
+ ]
 },
 "fieldName": "tag",
 "owner": "UBA_Database",
@@ -373,7 +417,9 @@
 "data_type": "string",
 "description": "The name of the database process user.",
 "recommended": true,
- "possible_values": "cronaldo"
+ "expected_values": [
+ "cronaldo"
+ ]
 },
 "fieldName": "user",
 "owner": "UBA_Database",
@@ -390,7 +436,9 @@
 "data_type": "string",
 "description": "The vendor and product name of the database system. This field can be automatically populated by vendor and product fields in your data.",
 "recommended": false,
- "possible_values": "oracle"
+ "expected_values": [
+ "oracle"
+ ]
 },
 "fieldName": "vendor",
 "owner": "UBA_Database",
@@ -406,7 +454,7 @@
 "calculations": [],
 "constraints": [
 {
- "search": "`uba_cim_database_indexes` database",
+ "search": "`uba_cim_database_indexes`",
 "owner": "UBA_Database"
 }
 ],
@@ -416,4 +464,4 @@
 "objectNameList": [
 "UBA_Database"
 ]
-}
+}
\ No newline at end of file
diff --git a/default/data/models/UBA_Email.json b/default/data/models/UBA_Email.json
index 20a6d06..d6e20ff 100644
--- a/default/data/models/UBA_Email.json
+++ b/default/data/models/UBA_Email.json
@@ -31,7 +31,13 @@
 "data_type": "string",
 "description": "The action taken by the reporting device.",
 "recommended": false,
- "possible_values": "delivered, blocked, quarantined, deleted, unknown"
+ "expected_values": [
+ "delivered",
+ "blocked",
+ "quarantined",
+ "deleted",
+ "unknown"
+ ]
 },
 "fieldName": "action",
 "owner": "UBA_Email",
@@ -48,7 +54,9 @@
 "data_type": "string",
 "description": "The names of the files attached to the message, if any.",
 "recommended": false,
- "possible_values": "example.txt"
+ "expected_values": [
+ "example.txt"
+ ]
 },
 "fieldName": "file_name",
 "owner": "UBA_Email",
@@ -65,7 +73,9 @@
 "data_type": "integer",
 "description": "The size of the file attached to the message, if any. If the message has multiple attachments, the sum value of all attachments as a single integer.",
 "recommended": false,
- "possible_values": "10280"
+ "expected_values": [
+ "10280"
+ ]
 },
 "fieldName": "file_size",
 "owner": "UBA_Email",
@@ -94,7 +104,10 @@
 "data_type": "string",
 "description": "A field listing individual recipient email addresses.",
 "recommended": true,
- "possible_values": "abc@example.com, bcd@example.com"
+ "expected_values": [
+ "abc@example.com",
+ "bcd@example.com"
+ ]
 },
 "fieldName": "recipient",
 "owner": "UBA_Email",
@@ -106,6 +119,26 @@
 "editable": true,
 "displayName": "recipient"
 },
+ {
+ "comment": {
+ "data_type": "string",
+ "description": "A field listing individual sender email addresses. The scope is internal users or users in the HR Data.",
+ "recommended": true,
+ "expected_values": [
+ "abc@example.com",
+ "bcd@example.com"
+ ]
+ },
+ "fieldName": "sender",
+ "owner": "UBA_Email",
+ "type": "string",
+ "fieldSearch": "sender=*",
+ "required": true,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "sender"
+ },
 {
 "fieldName": "source",
 "owner": "BaseEvent",
@@ -135,7 +168,9 @@
 "data_type": "string",
 "description": "The system that sent the message. You can alias this from more specific fields, such as\u00a0src_host,\u00a0src_ip, or\u00a0src_name.",
 "recommended": false,
- "possible_values": "11.12.13.14"
+ "expected_values": [
+ "11.12.13.14"
+ ]
 },
 "fieldName": "src",
 "owner": "UBA_Email",
@@ -152,7 +187,9 @@
 "data_type": "string",
 "description": "The email address of the message sender.",
 "recommended": false,
- "possible_values": "tony@stark.co"
+ "expected_values": [
+ "acme@example.com"
+ ]
 },
 "fieldName": "src_user",
 "owner": "UBA_Email",
@@ -169,7 +206,10 @@
 "data_type": "string",
 "description": "The subject of the email message.",
 "recommended": true,
- "possible_values": "Important Message, Meeting Agenda Update"
+ "expected_values": [
+ "Important Message",
+ "Meeting Agenda Update"
+ ]
 },
 "fieldName": "subject",
 "owner": "UBA_Email",
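Review bot: The new `sender` field in the `@@ -106,6 +119,26 @@` hunk describes the same value as `src_user` two hunks below ('The email address of the message sender.'), so the model now carries two fields for one concept with nothing saying which one UBA reads or whether one aliases the other. A line in the `src_user` comment such as `"description": "The email address of the message sender; when sender is also populated the two are expected to agree."` would remove the ambiguity, and the sentence 'The scope is internal users or users in the HR Data.' in `sender` reads as a validation rule the data model cannot enforce, so it is better phrased as guidance for whoever maps the data. `sender` is also marked `"required": true` while `src_user` keeps `"recommended": false`, which deserves a second look if the two are meant to be interchangeable; `src_user`'s own `required` flag is outside this hunk.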
@@ -184,9 +224,11 @@
 {
 "comment": {
 "data_type": "string",
- "description": "Splunk UBA categories rely on the tags from CIM-compliant events to correctly parse data from the Splunk platform. Review this table to determine which category in Splunk UBA corresponds to the CIM data model that the events in the Splunk platform are mapped to. Click the name of the Splunk UBA category to review the field mappings between Splunk UBA and the CIM data models.",
+ "description": "Splunk UBA categories rely on the tags from CIM-compliant events to correctly parse data from the Splunk platform when using Splunk Direct in Splunk UBA.",
 "recommended": true,
- "possible_values": "email"
+ "expected_values": [
+ "email"
+ ]
 },
 "fieldName": "tag",
 "owner": "UBA_Email",
@@ -202,7 +244,7 @@
 "calculations": [],
 "constraints": [
 {
- "search": "`uba_cim_email_indexes` email",
+ "search": "`uba_cim_email_indexes`",
 "owner": "UBA_Email"
 }
 ],
@@ -212,4 +254,4 @@
 "objectNameList": [
 "UBA_Email"
 ]
-}
+}
\ No newline at end of file
diff --git a/default/data/models/UBA_Endpoint_Filesystem.json b/default/data/models/UBA_Endpoint_Filesystem.json
index 27732d7..7843c65 100644
--- a/default/data/models/UBA_Endpoint_Filesystem.json
+++ b/default/data/models/UBA_Endpoint_Filesystem.json
@@ -31,7 +31,10 @@
 "data_type": "string",
 "description": "The action taken by the endpoint.",
 "recommended": true,
- "possible_values": "allowed, blocked"
+ "expected_values": [
+ "allowed",
+ "blocked"
+ ]
 },
 "fieldName": "action",
 "owner": "UBA_Endpoint_Filesystem",
@@ -48,7 +51,9 @@
 "data_type": "string",
 "description": "The categories that this external alarm belongs to. Multiple categories can be separated by comma. The values must be one or more of the categories in\u00a0Filter the anomaly table.",
 "recommended": false,
- "possible_values": "Exfiltration"
+ "expected_values": [
+ "Exfiltration"
+ ]
 },
 "fieldName": "alarmCategories",
 "owner": "UBA_Endpoint_Filesystem",
@@ -65,7 +70,10 @@ "data_type": "string", "description": "The event category, if applicable.", "recommended": false, - "possible_values": "malware, watchlist.hit.ingress.process" + "expected_values": [ + "malware", + "watchlist.hit.ingress.process" + ] }, "fieldName": "category", "owner": "UBA_Endpoint_Filesystem", @@ -82,7 +90,9 @@ "data_type": "string", "description": "The host name of the endpoint.", "recommended": true, - "possible_values": "winhost1" + "expected_values": [ + "winhost1" + ] }, "fieldName": "dest_host", "owner": "UBA_Endpoint_Filesystem", @@ -99,7 +109,9 @@ "data_type": "string", "description": "IP address of the endpoint where the activity happened.", "recommended": false, - "possible_values": "1.1.1.1" + "expected_values": [ + "1.1.1.1" + ] }, "fieldName": "dest_ip", "owner": "UBA_Endpoint_Filesystem", @@ -116,7 +128,9 @@ "data_type": "string", "description": "The NT domain of the endpoint, if applicable.", "recommended": false, - "possible_values": "acme" + "expected_values": [ + "acme" + ] }, "fieldName": "dest_nt_domain", "owner": "UBA_Endpoint_Filesystem", @@ -133,7 +147,9 @@ "data_type": "string", "description": "The host name of the endpoint.", "recommended": true, - "possible_values": "winhost1" + "expected_values": [ + "winhost1" + ] }, "fieldName": "endpoint_dns", "owner": "UBA_Endpoint_Filesystem", @@ -150,7 +166,9 @@ "data_type": "string", "description": "IP address of the endpoint where the activity happened.", "recommended": false, - "possible_values": "1.1.1.1" + "expected_values": [ + "1.1.1.1" + ] }, "fieldName": "endpoint_ip", "owner": "UBA_Endpoint_Filesystem", @@ -167,7 +185,9 @@ "data_type": "string", "description": "The NT domain of the endpoint, if applicable.", "recommended": false, - "possible_values": "acme" + "expected_values": [ + "acme" + ] }, "fieldName": "endpoint_nt_domain", "owner": "UBA_Endpoint_Filesystem", 
@@ -184,7 +204,9 @@
 "data_type": "integer",
 "description": "Network port listening on the endpoint.",
 "recommended": false,
- "possible_values": "53"
+ "expected_values": [
+ "53"
+ ]
 },
 "fieldName": "endpoint_port",
 "owner": "UBA_Endpoint_Filesystem",
@@ -201,7 +223,9 @@
 "data_type": "integer",
 "description": "The event ID or code for the activity.",
 "recommended": false,
- "possible_values": "7045"
+ "expected_values": [
+ "7045"
+ ]
 },
 "fieldName": "event_id",
 "owner": "UBA_Endpoint_Filesystem",
@@ -218,7 +242,10 @@
 "data_type": "string",
 "description": "The type of the event.",
 "recommended": true,
- "possible_values": "symantec_ep_risk_alert_virus, A service was installed in the system"
+ "expected_values": [
+ "symantec_ep_risk_alert_virus",
+ "A service was installed in the system"
+ ]
 },
 "fieldName": "eventtype",
 "owner": "UBA_Endpoint_Filesystem",
@@ -235,7 +262,9 @@
 "data_type": "integer",
 "description": "The epoch time that the file (the object of the event) was accessed.",
 "recommended": true,
- "possible_values": "1547749588"
+ "expected_values": [
+ "1547749588"
+ ]
 },
 "fieldName": "file_access_time",
 "owner": "UBA_Endpoint_Filesystem",
@@ -252,7 +281,9 @@
 "data_type": "string",
 "description": "Access controls associated with the file affected by the event.",
 "recommended": true,
- "possible_values": "readonly"
+ "expected_values": [
+ "readonly"
+ ]
 },
 "fieldName": "file_acl",
 "owner": "UBA_Endpoint_Filesystem",
@@ -269,7 +300,9 @@
 "data_type": "integer",
 "description": "The epoch time that the file (the object of the event) was created.",
 "recommended": true,
- "possible_values": "1547749588"
+ "expected_values": [
+ "1547749588"
+ ]
 },
 "fieldName": "file_create_time",
 "owner": "UBA_Endpoint_Filesystem",
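Review bot: `endpoint_port`, `event_id`, `file_access_time` and `file_create_time` in these hunks declare `"data_type": "integer"` but their new `expected_values` entries are JSON strings (`"53"`, `"7045"`, `"1547749588"`), so the sample's JSON type contradicts the declared type; the same holds for every integer field in the other models on this page. If `expected_values` is only rendered in the dictionary view this is harmless, but a validator that compares samples against `data_type` will flag every integer field, so either emit numbers (`"expected_values": [53]`) or state in the field's `comment` that samples are always string-typed. The consuming views are changed in this commit but are outside this view, so I cannot tell which applies.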
@@ -286,7 +319,9 @@ "data_type": "integer", "description": "The epoch time that the file (the object of the event) was altered.", "recommended": true, - "possible_values": "1547749588" + "expected_values": [ + "1547749588" + ] }, "fieldName": "file_modify_time", "owner": "UBA_Endpoint_Filesystem", @@ -303,7 +338,9 @@ "data_type": "string", "description": "The name of the file.", "recommended": true, - "possible_values": "notepad.exe" + "expected_values": [ + "notepad.exe" + ] }, "fieldName": "file_name", "owner": "UBA_Endpoint_Filesystem", @@ -320,7 +357,9 @@ "data_type": "string", "description": "The path of the file.", "recommended": true, - "possible_values": "C:\\Windows\\System32\\notepad.exe" + "expected_values": [ + "C:\\Windows\\System32\\notepad.exe" + ] }, "fieldName": "file_path", "owner": "UBA_Endpoint_Filesystem", @@ -337,7 +376,9 @@ "data_type": "integer", "description": "The size in kilobytes of the file that is the object of the event.", "recommended": true, - "possible_values": "5346" + "expected_values": [ + "5346" + ] }, "fieldName": "file_size", "owner": "UBA_Endpoint_Filesystem", @@ -366,7 +407,14 @@ "data_type": "string", "description": "The severity of the endpoint event.", "recommended": false, - "possible_values": "informational, unknown, low, medium, high, critical" + "expected_values": [ + "informational", + "unknown", + "low", + "medium", + "high", + "critical" + ] }, "fieldName": "severity", "owner": "UBA_Endpoint_Filesystem", @@ -383,7 +431,9 @@ "data_type": "string", "description": "The sub-category or signature of the event, if applicable.", "recommended": false, - "possible_values": "process_blocking" + "expected_values": [ + "process_blocking" + ] }, "fieldName": "signature", "owner": "UBA_Endpoint_Filesystem", 
@@ -424,7 +474,9 @@ "data_type": "string", "description": "The hostname of the \"remote\" system connected to the listening port (if applicable)", "recommended": false, - "possible_values": "acmehost1" + "expected_values": [ + "acmehost1" + ] }, "fieldName": "src_dns", "owner": "UBA_Endpoint_Filesystem", @@ -441,7 +493,9 @@ "data_type": "string", "description": "The hostname of the \"remote\" system connected to the listening port (if applicable)", "recommended": false, - "possible_values": "acmehost1" + "expected_values": [ + "acmehost1" + ] }, "fieldName": "src_host", "owner": "UBA_Endpoint_Filesystem", @@ -458,7 +512,9 @@ "data_type": "string", "description": "The IP address of the \"remote\" system connected to the listening port (if applicable).", "recommended": false, - "possible_values": "2.2.2.2" + "expected_values": [ + "2.2.2.2" + ] }, "fieldName": "src_ip", "owner": "UBA_Endpoint_Filesystem", @@ -475,7 +531,9 @@ "data_type": "integer", "description": "The \"remote\" port connected to the listening port (if applicable).", "recommended": false, - "possible_values": "53" + "expected_values": [ + "53" + ] }, "fieldName": "src_port", "owner": "UBA_Endpoint_Filesystem", 
@@ -490,9 +548,12 @@
 {
 "comment": {
 "data_type": "string",
- "description": "Splunk UBA categories rely on the tags from CIM-compliant events to correctly parse data from the Splunk platform. Review this table to determine which category in Splunk UBA corresponds to the CIM data model that the events in the Splunk platform are mapped to. Click the name of the Splunk UBA category to review the field mappings between Splunk UBA and the CIM data models.",
+ "description": "Splunk UBA categories rely on the tags from CIM-compliant events to correctly parse data from the Splunk platform when using Splunk Direct in Splunk UBA.",
 "recommended": true,
- "possible_values": "endpoint,filesystem"
+ "expected_values": [
+ "endpoint",
+ "filesystem"
+ ]
 },
 "fieldName": "tag",
 "owner": "UBA_Endpoint_Filesystem",
@@ -509,7 +570,9 @@
 "data_type": "string",
 "description": "The user account associated with the service or the filesystem access, or the registry access.",
 "recommended": true,
- "possible_values": "cronaldo"
+ "expected_values": [
+ "cronaldo"
+ ]
 },
 "fieldName": "user",
 "owner": "UBA_Endpoint_Filesystem",
@@ -525,7 +588,7 @@
 "calculations": [],
 "constraints": [
 {
- "search": "`uba_cim_endpoint_indexes` endpoint filesystem",
+ "search": "`uba_cim_endpoint_filesystem_indexes`",
 "owner": "UBA_Endpoint_Filesystem"
 }
 ],
@@ -535,4 +598,4 @@
 "objectNameList": [
 "UBA_Endpoint_Filesystem"
 ]
-}
+}
\ No newline at end of file
diff --git a/default/data/models/UBA_Endpoint_Port.json b/default/data/models/UBA_Endpoint_Port.json
index 3249675..8b3bede 100644
--- a/default/data/models/UBA_Endpoint_Port.json
+++ b/default/data/models/UBA_Endpoint_Port.json
@@ -31,7 +31,10 @@
 "data_type": "string",
 "description": "The action taken by the endpoint.",
 "recommended": true,
- "possible_values": "allowed, blocked"
+ "expected_values": [
+ "allowed",
+ "blocked"
+ ]
 },
 "fieldName": "action",
 "owner": "UBA_Endpoint_Port",
@@ -48,7 +51,9 @@ "data_type": "string", "description": "The categories that this external alarm belongs to. Multiple categories can be separated by comma. The values must be one or more of the categories in\u00a0Filter the anomaly table.", "recommended": false, - "possible_values": "Exfiltration" + "expected_values": [ + "Exfiltration" + ] }, "fieldName": "alarmCategories", "owner": "UBA_Endpoint_Port", @@ -65,7 +70,10 @@ "data_type": "string", "description": "The event category, if applicable.", "recommended": false, - "possible_values": "malware, watchlist.hit.ingress.process" + "expected_values": [ + "malware", + "watchlist.hit.ingress.process" + ] }, "fieldName": "category", "owner": "UBA_Endpoint_Port", @@ -82,7 +90,9 @@ "data_type": "integer", "description": "CPU load consumed by the process (in percent)", "recommended": false, - "possible_values": "85" + "expected_values": [ + "85" + ] }, "fieldName": "cpu_load_percent", "owner": "UBA_Endpoint_Port", @@ -99,7 +109,9 @@ "data_type": "integer", "description": "The epoch time at which the network port started listening on the endpoint.", "recommended": false, - "possible_values": "1547749588" + "expected_values": [ + "1547749588" + ] }, "fieldName": "creation_time", "owner": "UBA_Endpoint_Port", @@ -116,7 +128,9 @@ "data_type": "string", "description": "The host name of the endpoint.", "recommended": true, - "possible_values": "winhost1" + "expected_values": [ + "winhost1" + ] }, "fieldName": "dest_host", "owner": "UBA_Endpoint_Port", @@ -133,7 +147,9 @@ "data_type": "string", "description": "IP address of the endpoint where the activity happened.", "recommended": false, - "possible_values": "1.1.1.1" + "expected_values": [ + "1.1.1.1" + ] }, "fieldName": "dest_ip", "owner": "UBA_Endpoint_Port", 
@@ -150,7 +166,9 @@ "data_type": "string", "description": "The NT domain of the endpoint, if applicable.", "recommended": false, - "possible_values": "acme" + "expected_values": [ + "acme" + ] }, "fieldName": "dest_nt_domain", "owner": "UBA_Endpoint_Port", @@ -167,7 +185,9 @@ "data_type": "integer", "description": "The network port listening on the endpoint.", "recommended": true, - "possible_values": "53" + "expected_values": [ + "53" + ] }, "fieldName": "dest_port", "owner": "UBA_Endpoint_Port", @@ -184,7 +204,9 @@ "data_type": "string", "description": "The host name of the endpoint.", "recommended": true, - "possible_values": "winhost1" + "expected_values": [ + "winhost1" + ] }, "fieldName": "endpoint_dns", "owner": "UBA_Endpoint_Port", @@ -201,7 +223,9 @@ "data_type": "string", "description": "IP address of the endpoint where the activity happened.", "recommended": false, - "possible_values": "1.1.1.1" + "expected_values": [ + "1.1.1.1" + ] }, "fieldName": "endpoint_ip", "owner": "UBA_Endpoint_Port", @@ -218,7 +242,9 @@ "data_type": "string", "description": "The NT domain of the endpoint, if applicable.", "recommended": false, - "possible_values": "acme" + "expected_values": [ + "acme" + ] }, "fieldName": "endpoint_nt_domain", "owner": "UBA_Endpoint_Port", @@ -235,7 +261,9 @@ "data_type": "integer", "description": "Network port listening on the endpoint.", "recommended": false, - "possible_values": "53" + "expected_values": [ + "53" + ] }, "fieldName": "endpoint_port", "owner": "UBA_Endpoint_Port", @@ -252,7 +280,9 @@ "data_type": "integer", "description": "The event ID or code for the activity.", "recommended": false, - "possible_values": "7045" + "expected_values": [ + "7045" + ] }, "fieldName": "event_id", "owner": "UBA_Endpoint_Port", 
@@ -269,7 +299,10 @@ "data_type": "string", "description": "The type of the event.", "recommended": true, - "possible_values": "symantec_ep_risk_alert_virus, A service was installed in the system" + "expected_values": [ + "symantec_ep_risk_alert_virus", + "A service was installed in the system" + ] }, "fieldName": "eventtype", "owner": "UBA_Endpoint_Port", @@ -298,7 +331,9 @@ "data_type": "integer", "description": "Memory in bytes used by the process.", "recommended": false, - "possible_values": "12345" + "expected_values": [ + "12345" + ] }, "fieldName": "mem_used", "owner": "UBA_Endpoint_Port", @@ -315,7 +350,9 @@ "data_type": "string", "description": "The operating system of the resource.", "recommended": false, - "possible_values": "Microsoft Windows Server 2008r2" + "expected_values": [ + "Microsoft Windows Server 2008r2" + ] }, "fieldName": "os", "owner": "UBA_Endpoint_Port", @@ -332,7 +369,9 @@ "data_type": "integer", "description": "The numeric identifier of the process assigned by the operating system.", "recommended": false, - "possible_values": "12345" + "expected_values": [ + "12345" + ] }, "fieldName": "process_id", "owner": "UBA_Endpoint_Port", @@ -349,7 +388,14 @@ "data_type": "string", "description": "The severity of the endpoint event.", "recommended": false, - "possible_values": "informational, unknown, low, medium, high, critical" + "expected_values": [ + "informational", + "unknown", + "low", + "medium", + "high", + "critical" + ] }, "fieldName": "severity", "owner": "UBA_Endpoint_Port", @@ -366,7 +412,9 @@ "data_type": "string", "description": "The sub-category or signature of the event, if applicable.", "recommended": false, - "possible_values": "process_blocking" + "expected_values": [ + "process_blocking" + ] }, "fieldName": "signature", "owner": "UBA_Endpoint_Port", 
@@ -407,7 +455,9 @@ "data_type": "string", "description": "The hostname of the \"remote\" system connected to the listening port (if applicable)", "recommended": true, - "possible_values": "acmehost1" + "expected_values": [ + "acmehost1" + ] }, "fieldName": "src_dns", "owner": "UBA_Endpoint_Port", @@ -424,7 +474,9 @@ "data_type": "string", "description": "The hostname of the \"remote\" system connected to the listening port (if applicable)", "recommended": true, - "possible_values": "acmehost1" + "expected_values": [ + "acmehost1" + ] }, "fieldName": "src_host", "owner": "UBA_Endpoint_Port", @@ -441,7 +493,9 @@ "data_type": "string", "description": "The IP address of the \"remote\" system connected to the listening port (if applicable).", "recommended": false, - "possible_values": "2.2.2.2" + "expected_values": [ + "2.2.2.2" + ] }, "fieldName": "src_ip", "owner": "UBA_Endpoint_Port", @@ -458,7 +512,9 @@ "data_type": "integer", "description": "The \"remote\" port connected to the listening port (if applicable).", "recommended": true, - "possible_values": "53" + "expected_values": [ + "53" + ] }, "fieldName": "src_port", "owner": "UBA_Endpoint_Port", @@ -475,7 +531,10 @@ "data_type": "string", "description": "The status of the listening port.", "recommended": true, - "possible_values": "established, listening" + "expected_values": [ + "established", + "listening" + ] }, "fieldName": "state", "owner": "UBA_Endpoint_Port", 
@@ -490,9 +549,12 @@
 {
 "comment": {
 "data_type": "string",
- "description": "Splunk UBA categories rely on the tags from CIM-compliant events to correctly parse data from the Splunk platform. Review this table to determine which category in Splunk UBA corresponds to the CIM data model that the events in the Splunk platform are mapped to. Click the name of the Splunk UBA category to review the field mappings between Splunk UBA and the CIM data models.",
+ "description": "Splunk UBA categories rely on the tags from CIM-compliant events to correctly parse data from the Splunk platform when using Splunk Direct in Splunk UBA.",
 "recommended": true,
- "possible_values": "listening,port"
+ "expected_values": [
+ "listening",
+ "port"
+ ]
 },
 "fieldName": "tag",
 "owner": "UBA_Endpoint_Port",
@@ -509,7 +571,10 @@
 "data_type": "string",
 "description": "The network transport protocol associated with the listening port.",
 "recommended": true,
- "possible_values": "tcp, udp"
+ "expected_values": [
+ "tcp",
+ "udp"
+ ]
 },
 "fieldName": "transport",
 "owner": "UBA_Endpoint_Port",
@@ -526,7 +591,9 @@
 "data_type": "string",
 "description": "The user account that spawned the process.",
 "recommended": true,
- "possible_values": "cronaldo"
+ "expected_values": [
+ "cronaldo"
+ ]
 },
 "fieldName": "user",
 "owner": "UBA_Endpoint_Port",
@@ -543,7 +610,9 @@
 "data_type": "string",
 "description": "The vendor and product name of the Endpoint solution that reported the event.",
 "recommended": false,
- "possible_values": "Carbon Black Cb Response"
+ "expected_values": [
+ "Carbon Black Cb Response"
+ ]
 },
 "fieldName": "vendor_product",
 "owner": "UBA_Endpoint_Port",
@@ -559,7 +628,7 @@
 "calculations": [],
 "constraints": [
 {
- "search": "`uba_cim_endpoint_indexes` listening port",
+ "search": "`uba_cim_endpoint_port_indexes`",
 "owner": "UBA_Endpoint_Port"
 }
 ],
@@ -569,4 +638,4 @@
 "objectNameList": [
 "UBA_Endpoint_Port"
 ]
-}
+}
\ No newline at end of file
diff --git a/default/data/models/UBA_Endpoint_Processes.json b/default/data/models/UBA_Endpoint_Processes.json index 6967bbf..e530f30 100644 --- a/default/data/models/UBA_Endpoint_Processes.json +++ b/default/data/models/UBA_Endpoint_Processes.json @@ -31,7 +31,10 @@ "data_type": "string", "description": "The action taken by the endpoint.", "recommended": true, - "possible_values": "allowed, blocked" + "expected_values": [ + "allowed", + "blocked" + ] }, "fieldName": "action", "owner": "UBA_Endpoint_Processes", @@ -48,7 +51,9 @@ "data_type": "string", "description": "The categories that this external alarm belongs to. Multiple categories can be separated by comma. The values must be one or more of the categories in\u00a0Filter the anomaly table.", "recommended": false, - "possible_values": "Exfiltration" + "expected_values": [ + "Exfiltration" + ] }, "fieldName": "alarmCategories", "owner": "UBA_Endpoint_Processes", @@ -65,7 +70,10 @@ "data_type": "string", "description": "The event category, if applicable.", "recommended": false, - "possible_values": "malware, watchlist.hit.ingress.process" + "expected_values": [ + "malware", + "watchlist.hit.ingress.process" + ] }, "fieldName": "category", "owner": "UBA_Endpoint_Processes", @@ -82,7 +90,9 @@ "data_type": "string", "description": "The host name of the endpoint.", "recommended": false, - "possible_values": "winhost1" + "expected_values": [ + "winhost1" + ] }, "fieldName": "dest_host", "owner": "UBA_Endpoint_Processes", @@ -99,7 +109,9 @@ "data_type": "string", "description": "IP address of the endpoint where the activity happened.", "recommended": false, - "possible_values": "1.1.1.1" + "expected_values": [ + "1.1.1.1" + ] }, "fieldName": "dest_ip", "owner": "UBA_Endpoint_Processes", 
@@ -116,7 +128,9 @@ "data_type": "string", "description": "The NT domain of the endpoint, if applicable.", "recommended": false, - "possible_values": "acme" + "expected_values": [ + "acme" + ] }, "fieldName": "dest_nt_domain", "owner": "UBA_Endpoint_Processes", @@ -133,7 +147,9 @@ "data_type": "string", "description": "The host name of the endpoint.", "recommended": false, - "possible_values": "winhost1" + "expected_values": [ + "winhost1" + ] }, "fieldName": "endpoint_dns", "owner": "UBA_Endpoint_Processes", @@ -150,7 +166,9 @@ "data_type": "string", "description": "IP address of the endpoint where the activity happened.", "recommended": false, - "possible_values": "1.1.1.1" + "expected_values": [ + "1.1.1.1" + ] }, "fieldName": "endpoint_ip", "owner": "UBA_Endpoint_Processes", @@ -167,7 +185,9 @@ "data_type": "string", "description": "The NT domain of the endpoint, if applicable.", "recommended": false, - "possible_values": "acme" + "expected_values": [ + "acme" + ] }, "fieldName": "endpoint_nt_domain", "owner": "UBA_Endpoint_Processes", @@ -184,7 +204,9 @@ "data_type": "integer", "description": "Network port listening on the endpoint.", "recommended": false, - "possible_values": "53" + "expected_values": [ + "53" + ] }, "fieldName": "endpoint_port", "owner": "UBA_Endpoint_Processes", @@ -201,7 +223,9 @@ "data_type": "integer", "description": "The event ID or code for the activity.", "recommended": false, - "possible_values": "7045" + "expected_values": [ + "7045" + ] }, "fieldName": "event_id", "owner": "UBA_Endpoint_Processes", @@ -218,7 +242,10 @@ "data_type": "string", "description": "The type of the event.", "recommended": true, - "possible_values": "symantec_ep_risk_alert_virus, A service was installed in the system" + "expected_values": [ + "symantec_ep_risk_alert_virus", + "A service was installed in the system" + ] }, "fieldName": "eventtype", "owner": "UBA_Endpoint_Processes", 
@@ -247,7 +274,9 @@
 "data_type": "string",
 "description": "The executable name of the parent process.",
 "recommended": true,
- "possible_values": "notepad.exe"
+ "expected_values": [
+ "notepad.exe"
+ ]
 },
 "fieldName": "parent_process_exec",
 "owner": "UBA_Endpoint_Processes",
@@ -264,7 +293,9 @@
 "data_type": "string",
 "description": "The globally unique identifier of the parent process assigned by the vendor_product.",
 "recommended": false,
- "possible_values": "0dd879c-ee2f-11db-8314-0800200c9a66"
+ "expected_values": [
+ "0dd879c-ee2f-11db-8314-0800200c9a66"
+ ]
 },
 "fieldName": "parent_process_guid",
 "owner": "UBA_Endpoint_Processes",
@@ -281,7 +312,9 @@
 "data_type": "integer",
 "description": "The numeric identifier of the parent process assigned by the operating system.",
 "recommended": false,
- "possible_values": "12345"
+ "expected_values": [
+ "12345"
+ ]
 },
 "fieldName": "parent_process_id",
 "owner": "UBA_Endpoint_Processes",
@@ -298,7 +331,9 @@
 "data_type": "string",
 "description": "The friendly name of the parent process.",
 "recommended": true,
- "possible_values": "notepad.exe"
+ "expected_values": [
+ "notepad.exe"
+ ]
 },
 "fieldName": "parent_process_name",
 "owner": "UBA_Endpoint_Processes",
@@ -315,7 +350,9 @@
 "data_type": "string",
 "description": "The full command string of the parent process.",
 "recommended": false,
- "possible_values": "C:\\\\WINDOWS\\\\system32\\\\cmd.exe \\/c \\\"\\\"C:\\\\Program Files\\\\SplunkUniversalForwarder\\\\etc\\\\system\\\\bin\\\\powershell.cmd\\\" --scheme"
+ "expected_values": [
+ "C:\\\\WINDOWS\\\\system32\\\\cmd.exe \\/c \\\"\\\"C:\\\\Program Files\\\\SplunkUniversalForwarder\\\\etc\\\\system\\\\bin\\\\powershell.cmd\\\" --scheme"
+ ]
 },
 "fieldName": "parent_process_path",
 "owner": "UBA_Endpoint_Processes",
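Review bot: The `parent_process_path` sample is double-escaped: after one JSON decode it still reads `C:\\WINDOWS\\system32\\cmd.exe \/c \"\"C:\\Program Files...`, the text of another JSON-encoded string rather than a command line, whereas `process_path` further down and `file_path` in the Filesystem model use a single level of escaping (`"C:\\Windows\\System32\\notepad.exe"`). The same sample is reused for `process` in the next hunk. A single-escaped value such as `"C:\\WINDOWS\\system32\\cmd.exe /c \"\"C:\\Program Files\\SplunkUniversalForwarder\\etc\\system\\bin\\powershell.cmd\" --scheme"` decodes to the intended command line, and the field's description ("The full command string") also fits a command line better than the `_path` suffix suggests.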
@@ -332,7 +369,9 @@
 "data_type": "string",
 "description": "The full command string of the spawned process.",
 "recommended": true,
- "possible_values": "C:\\\\WINDOWS\\\\system32\\\\cmd.exe \\/c \\\"\\\"C:\\\\Program Files\\\\SplunkUniversalForwarder\\\\etc\\\\system\\\\bin\\\\powershell.cmd\\\" --scheme"
+ "expected_values": [
+ "C:\\\\WINDOWS\\\\system32\\\\cmd.exe \\/c \\\"\\\"C:\\\\Program Files\\\\SplunkUniversalForwarder\\\\etc\\\\system\\\\bin\\\\powershell.cmd\\\" --scheme"
+ ]
 },
 "fieldName": "process",
 "owner": "UBA_Endpoint_Processes",
@@ -349,7 +388,9 @@
 "data_type": "string",
 "description": "The current working directory used to spawn the process.",
 "recommended": false,
- "possible_values": "/usr/bin/"
+ "expected_values": [
+ "/usr/bin/"
+ ]
 },
 "fieldName": "process_current_directory",
 "owner": "UBA_Endpoint_Processes",
@@ -366,7 +407,9 @@
 "data_type": "string",
 "description": "The executable name of the process.",
 "recommended": false,
- "possible_values": "notepad.exe"
+ "expected_values": [
+ "notepad.exe"
+ ]
 },
 "fieldName": "process_exec",
 "owner": "UBA_Endpoint_Processes",
@@ -383,7 +426,10 @@
 "data_type": "string",
 "description": "The globally unique identifier of the process assigned by the vendor_product.",
 "recommended": false,
- "possible_values": "example_guid, example_id"
+ "expected_values": [
+ "example_guid",
+ "example_id"
+ ]
 },
 "fieldName": "process_guid.",
 "owner": "UBA_Endpoint_Processes",
@@ -400,7 +446,10 @@
 "data_type": "string",
 "description": "The digests of the parent process.",
 "recommended": false,
- "possible_values": ", "
+ "expected_values": [
+ "",
+ ""
+ ]
 },
 "fieldName": "process_hash",
 "owner": "UBA_Endpoint_Processes",
@@ -417,7 +466,9 @@
 "data_type": "integer",
 "description": "The numeric identifier of the process assigned by the operating system.",
 "recommended": false,
- "possible_values": "12345"
+ "expected_values": [
+ "12345"
+ ]
 },
 "fieldName": "process_id",
 "owner": "UBA_Endpoint_Processes",
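Review bot: `process_hash` now carries `"expected_values": ["", ""]`, two empty strings produced by mechanically splitting the old placeholder `", "`; an empty sample tells a reader nothing, and any consumer that treats `expected_values` as an allow-list would accept only empty hashes. Either drop the key for this field or use labelled placeholders, e.g. `"expected_values": ["<md5-of-process-image>", "<sha256-of-process-image>"]`. Two unchanged context lines in these hunks also look wrong and this commit rewrites both objects: `"description": "The digests of the parent process."` sits on `process_hash` (presumably copied from a parent_process field; "The digests of the process." would fit), and `"fieldName": "process_guid."` carries a trailing dot that looks like a typo next to `parent_process_guid`.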
@@ -434,7 +485,10 @@ "data_type": "string", "description": "The Windows integrity level of the process.", "recommended": false, - "possible_values": "System, Medium" + "expected_values": [ + "System", + "Medium" + ] }, "fieldName": "process_integrity_level", "owner": "UBA_Endpoint_Processes", @@ -451,7 +505,9 @@ "data_type": "string", "description": "The file path of the process.", "recommended": true, - "possible_values": "C:\\Windows\\System32\\notepad.exe" + "expected_values": [ + "C:\\Windows\\System32\\notepad.exe" + ] }, "fieldName": "process_path", "owner": "UBA_Endpoint_Processes", @@ -468,7 +524,14 @@ "data_type": "string", "description": "The severity of the endpoint event.", "recommended": false, - "possible_values": "informational, unknown, low, medium, high, critical" + "expected_values": [ + "informational", + "unknown", + "low", + "medium", + "high", + "critical" + ] }, "fieldName": "severity", "owner": "UBA_Endpoint_Processes", @@ -485,7 +548,9 @@ "data_type": "string", "description": "The sub-category or signature of the event, if applicable.", "recommended": false, - "possible_values": "process_blocking" + "expected_values": [ + "process_blocking" + ] }, "fieldName": "signature", "owner": "UBA_Endpoint_Processes", @@ -526,7 +591,9 @@ "data_type": "string", "description": "The hostname of the \"remote\" system connected to the listening port (if applicable)", "recommended": false, - "possible_values": "acmehost1" + "expected_values": [ + "acmehost1" + ] }, "fieldName": "src_dns", "owner": "UBA_Endpoint_Processes", @@ -543,7 +610,9 @@ "data_type": "string", "description": "The hostname of the \"remote\" system connected to the listening port (if applicable)", "recommended": false, - "possible_values": "acmehost1" + "expected_values": [ + "acmehost1" + ] }, "fieldName": "src_host", "owner": "UBA_Endpoint_Processes", 
@@ -560,7 +629,9 @@
 "data_type": "string",
 "description": "The IP address of the \"remote\" system connected to the listening port (if applicable).",
 "recommended": false,
- "possible_values": "2.2.2.2"
+ "expected_values": [
+ "2.2.2.2"
+ ]
 },
 "fieldName": "src_ip",
 "owner": "UBA_Endpoint_Processes",
@@ -577,7 +648,9 @@
 "data_type": "integer",
 "description": "The \"remote\" port connected to the listening port (if applicable).",
 "recommended": false,
- "possible_values": "53"
+ "expected_values": [
+ "53"
+ ]
 },
 "fieldName": "src_port",
 "owner": "UBA_Endpoint_Processes",
@@ -592,9 +665,12 @@
 {
 "comment": {
 "data_type": "string",
- "description": "Splunk UBA categories rely on the tags from CIM-compliant events to correctly parse data from the Splunk platform. Review this table to determine which category in Splunk UBA corresponds to the CIM data model that the events in the Splunk platform are mapped to. Click the name of the Splunk UBA category to review the field mappings between Splunk UBA and the CIM data models.",
+ "description": "Splunk UBA categories rely on the tags from CIM-compliant events to correctly parse data from the Splunk platform when using Splunk Direct in Splunk UBA.",
 "recommended": true,
- "possible_values": "process,report"
+ "expected_values": [
+ "process",
+ "report"
+ ]
 },
 "fieldName": "tag",
 "owner": "UBA_Endpoint_Processes",
@@ -611,7 +687,9 @@
 "data_type": "string",
 "description": "The unique identifier of the user account which spawned the process.",
 "recommended": true,
- "possible_values": "example_user"
+ "expected_values": [
+ "example_user"
+ ]
 },
 "fieldName": "user",
 "owner": "UBA_Endpoint_Processes",
@@ -627,7 +705,7 @@
 "calculations": [],
 "constraints": [
 {
- "search": "`uba_cim_endpoint_indexes` process report",
+ "search": "`uba_cim_endpoint_process_indexes`",
 "owner": "UBA_Endpoint_Processes"
 }
 ],
@@ -637,4 +715,4 @@
 "objectNameList": [
 "UBA_Endpoint_Processes"
 ]
-}
+}
\ No newline at end of file
diff --git a/default/data/models/UBA_Endpoint_Registry.json b/default/data/models/UBA_Endpoint_Registry.json index cc0dea2..f7097d2 100644 --- a/default/data/models/UBA_Endpoint_Registry.json +++ b/default/data/models/UBA_Endpoint_Registry.json @@ -31,7 +31,10 @@ "data_type": "string", "description": "The action taken by the endpoint.", "recommended": true, - "possible_values": "allowed, blocked" + "expected_values": [ + "allowed", + "blocked" + ] }, "fieldName": "action", "owner": "UBA_Endpoint_Registry", @@ -48,7 +51,9 @@ "data_type": "string", "description": "The categories that this external alarm belongs to. Multiple categories can be separated by comma. The values must be one or more of the categories in\u00a0Filter the anomaly table.", "recommended": false, - "possible_values": "Exfiltration" + "expected_values": [ + "Exfiltration" + ] }, "fieldName": "alarmCategories", "owner": "UBA_Endpoint_Registry", @@ -65,7 +70,10 @@ "data_type": "string", "description": "The event category, if applicable.", "recommended": false, - "possible_values": "malware, watchlist.hit.ingress.process" + "expected_values": [ + "malware", + "watchlist.hit.ingress.process" + ] }, "fieldName": "category", "owner": "UBA_Endpoint_Registry", @@ -82,7 +90,9 @@ "data_type": "string", "description": "The host name of the endpoint.", "recommended": true, - "possible_values": "winhost1" + "expected_values": [ + "winhost1" + ] }, "fieldName": "dest_host", "owner": "UBA_Endpoint_Registry", @@ -99,7 +109,9 @@ "data_type": "string", "description": "IP address of the endpoint where the activity happened.", "recommended": false, - "possible_values": "1.1.1.1" + "expected_values": [ + "1.1.1.1" + ] }, "fieldName": "dest_ip", "owner": "UBA_Endpoint_Registry", 
@@ -116,7 +128,9 @@ "data_type": "string", "description": "The NT domain of the endpoint, if applicable.", "recommended": false, - "possible_values": "acme" + "expected_values": [ + "acme" + ] }, "fieldName": "dest_nt_domain", "owner": "UBA_Endpoint_Registry", @@ -133,7 +147,9 @@ "data_type": "string", "description": "The host name of the endpoint.", "recommended": true, - "possible_values": "winhost1" + "expected_values": [ + "winhost1" + ] }, "fieldName": "endpoint_dns", "owner": "UBA_Endpoint_Registry", @@ -150,7 +166,9 @@ "data_type": "string", "description": "IP address of the endpoint where the activity happened.", "recommended": false, - "possible_values": "1.1.1.1" + "expected_values": [ + "1.1.1.1" + ] }, "fieldName": "endpoint_ip", "owner": "UBA_Endpoint_Registry", @@ -167,7 +185,9 @@ "data_type": "string", "description": "The NT domain of the endpoint, if applicable.", "recommended": false, - "possible_values": "acme" + "expected_values": [ + "acme" + ] }, "fieldName": "endpoint_nt_domain", "owner": "UBA_Endpoint_Registry", @@ -184,7 +204,9 @@ "data_type": "integer", "description": "Network port listening on the endpoint.", "recommended": false, - "possible_values": "53" + "expected_values": [ + "53" + ] }, "fieldName": "endpoint_port", "owner": "UBA_Endpoint_Registry", @@ -201,7 +223,9 @@ "data_type": "integer", "description": "The event ID or code for the activity.", "recommended": false, - "possible_values": "7045" + "expected_values": [ + "7045" + ] }, "fieldName": "event_id", "owner": "UBA_Endpoint_Registry", @@ -218,7 +242,10 @@ "data_type": "string", "description": "The type of the event.", "recommended": true, - "possible_values": "symantec_ep_risk_alert_virus, A service was installed in the system" + "expected_values": [ + "symantec_ep_risk_alert_virus", + "A service was installed in the system" + ] }, "fieldName": "eventtype", "owner": "UBA_Endpoint_Registry", 
@@ -247,7 +274,10 @@ "data_type": "string", "description": "The logical grouping of registry keys, subkeys, and values.", "recommended": false, - "possible_values": "HKEY_CURRENT_CONFIG, HKEY_CURRENT_USER" + "expected_values": [ + "HKEY_CURRENT_CONFIG", + "HKEY_CURRENT_USER" + ] }, "fieldName": "registry_hive", "owner": "UBA_Endpoint_Registry", @@ -264,7 +294,9 @@ "data_type": "string", "description": "The name of the registry key.", "recommended": true, - "possible_values": "PrinterDriverData" + "expected_values": [ + "PrinterDriverData" + ] }, "fieldName": "registry_key_name", "owner": "UBA_Endpoint_Registry", @@ -281,7 +313,9 @@ "data_type": "string", "description": "The path to the registry value.", "recommended": true, - "possible_values": "\\win\\directory\\directory2\\{676235CD-B656-42D5-B737-49856E97D072}\\PrinterDriverData" + "expected_values": [ + "\\win\\directory\\directory2\\{676235CD-B656-42D5-B737-49856E97D072}\\PrinterDriverData" + ] }, "fieldName": "registry_path", "owner": "UBA_Endpoint_Registry", @@ -298,7 +332,9 @@ "data_type": "string", "description": "The unaltered registry value.", "recommended": true, - "possible_values": "example_value" + "expected_values": [ + "example_value" + ] }, "fieldName": "registry_value_data", "owner": "UBA_Endpoint_Registry", @@ -315,7 +351,9 @@ "data_type": "string", "description": "The name of the registry value.", "recommended": true, - "possible_values": "example_name" + "expected_values": [ + "example_name" + ] }, "fieldName": "registry_value_name", "owner": "UBA_Endpoint_Registry", @@ -332,7 +370,9 @@ "data_type": "string", "description": "The textual representation of registry_value_data (if applicable).", "recommended": false, - "possible_values": "example_text" + "expected_values": [ + "example_text" + ] }, "fieldName": "registry_value_text", "owner": "UBA_Endpoint_Registry", 
@@ -349,7 +389,19 @@ "data_type": "string", "description": "The type of the registry value.", "recommended": true, - "possible_values": "REG_BINARY, REG_DWORD, REG_DWORD_LITTLE_ENDIAN, REG_DWORD_BIG_ENDIAN, REG_EXPAND_SZ, REG_LINK, REG_MULTI_SZ, REG_NONE, REG_QWORD, REG_QWORD_LITTLE_ENDIAN, REG_SZ" + "expected_values": [ + "REG_BINARY", + "REG_DWORD", + "REG_DWORD_LITTLE_ENDIAN", + "REG_DWORD_BIG_ENDIAN", + "REG_EXPAND_SZ", + "REG_LINK", + "REG_MULTI_SZ", + "REG_NONE", + "REG_QWORD", + "REG_QWORD_LITTLE_ENDIAN", + "REG_SZ" + ] }, "fieldName": "registry_value_type", "owner": "UBA_Endpoint_Registry", @@ -366,7 +418,14 @@ "data_type": "string", "description": "The severity of the endpoint event.", "recommended": false, - "possible_values": "informational, unknown, low, medium, high, critical" + "expected_values": [ + "informational", + "unknown", + "low", + "medium", + "high", + "critical" + ] }, "fieldName": "severity", "owner": "UBA_Endpoint_Registry", @@ -383,7 +442,9 @@ "data_type": "string", "description": "The sub-category or signature of the event, if applicable.", "recommended": false, - "possible_values": "process_blocking" + "expected_values": [ + "process_blocking" + ] }, "fieldName": "signature", "owner": "UBA_Endpoint_Registry", @@ -424,7 +485,9 @@ "data_type": "string", "description": "The hostname of the \"remote\" system connected to the listening port (if applicable)", "recommended": false, - "possible_values": "acmehost1" + "expected_values": [ + "acmehost1" + ] }, "fieldName": "src_dns", "owner": "UBA_Endpoint_Registry", @@ -441,7 +504,9 @@ "data_type": "string", "description": "The hostname of the \"remote\" system connected to the listening port (if applicable)", "recommended": false, - "possible_values": "acmehost1" + "expected_values": [ + "acmehost1" + ] }, "fieldName": "src_host", "owner": "UBA_Endpoint_Registry", 
@@ -458,7 +523,9 @@ "data_type": "string", "description": "The IP address of the \"remote\" system connected to the listening port (if applicable).", "recommended": false, - "possible_values": "2.2.2.2" + "expected_values": [ + "2.2.2.2" + ] }, "fieldName": "src_ip", "owner": "UBA_Endpoint_Registry", @@ -475,7 +542,9 @@ "data_type": "integer", "description": "The \"remote\" port connected to the listening port (if applicable).", "recommended": false, - "possible_values": "53" + "expected_values": [ + "53" + ] }, "fieldName": "src_port", "owner": "UBA_Endpoint_Registry", @@ -492,7 +561,10 @@ "data_type": "string", "description": "The status of the service or registry.", "recommended": false, - "possible_values": "failure, success" + "expected_values": [ + "failure", + "success" + ] }, "fieldName": "status", "owner": "UBA_Endpoint_Registry", @@ -507,9 +579,12 @@ { "comment": { "data_type": "string", - "description": "Splunk UBA categories rely on the tags from CIM-compliant events to correctly parse data from the Splunk platform. Review this table to determine which category in Splunk UBA corresponds to the CIM data model that the events in the Splunk platform are mapped to. Click the name of the Splunk UBA category to review the field mappings between Splunk UBA and the CIM data models.", + "description": "Splunk UBA categories rely on the tags from CIM-compliant events to correctly parse data from the Splunk platform when using Splunk Direct in Splunk UBA.", "recommended": true, - "possible_values": "endpoint,registry" + "expected_values": [ + "endpoint", + "registry" + ] }, "fieldName": "tag", "owner": "UBA_Endpoint_Registry", @@ -526,7 +601,9 @@ "data_type": "string", "description": "The user account associated with the service or the filesystem access, or the registry access.", "recommended": true, - "possible_values": "cronaldo" + "expected_values": [ + "cronaldo" + ] }, "fieldName": "user", "owner": "UBA_Endpoint_Registry", 
@@ -542,7 +619,7 @@ "calculations": [], "constraints": [ { - "search": "`uba_cim_endpoint_indexes` endpoint registry", + "search": "`uba_cim_endpoint_registry_indexes`", "owner": "UBA_Endpoint_Registry" } ], @@ -552,4 +629,4 @@ "objectNameList": [ "UBA_Endpoint_Registry" ] -} +} \ No newline at end of file diff --git a/default/data/models/UBA_Endpoint_Services.json b/default/data/models/UBA_Endpoint_Services.json index 85d6077..4fc8213 100644 --- a/default/data/models/UBA_Endpoint_Services.json +++ b/default/data/models/UBA_Endpoint_Services.json @@ -31,7 +31,10 @@ "data_type": "string", "description": "The action taken by the endpoint.", "recommended": true, - "possible_values": "allowed, blocked" + "expected_values": [ + "allowed", + "blocked" + ] }, "fieldName": "action", "owner": "UBA_Endpoint_Services", @@ -48,7 +51,9 @@ "data_type": "string", "description": "The categories that this external alarm belongs to. Multiple categories can be separated by comma. The values must be one or more of the categories in\u00a0Filter the anomaly table.", "recommended": false, - "possible_values": "Exfiltration" + "expected_values": [ + "Exfiltration" + ] }, "fieldName": "alarmCategories", "owner": "UBA_Endpoint_Services", @@ -65,7 +70,10 @@ "data_type": "string", "description": "The event category, if applicable.", "recommended": false, - "possible_values": "malware, watchlist.hit.ingress.process" + "expected_values": [ + "malware", + "watchlist.hit.ingress.process" + ] }, "fieldName": "category", "owner": "UBA_Endpoint_Services", @@ -82,7 +90,9 @@ "data_type": "string", "description": "The description of the service.", "recommended": false, - "possible_values": "Example description" + "expected_values": [ + "Example description" + ] }, "fieldName": "description", "owner": "UBA_Endpoint_Services", 
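Review bot: The constraint search drops the explicit `endpoint registry` terms, so the data model's scope is now entirely whatever `` `uba_cim_endpoint_registry_indexes` `` expands to; the `tag` field's own description says UBA relies on tags, but nothing left in this file enforces `tag=endpoint tag=registry`. If the macro (macros.conf is not in this hunk) only enumerates indexes, every event in those indexes will be evaluated against the registry field list and the validator will report spurious coverage failures. Either keep the tag filter in the constraint, `` "search": "`uba_cim_endpoint_registry_indexes` tag=endpoint tag=registry" ``, or document in macros.conf that the macro is responsible for it. The same commit also removes the trailing newline at the end of this file, which is worth restoring for clean diffs.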
@@ -99,7 +109,9 @@ "data_type": "string", "description": "The host name of the endpoint.", "recommended": true, - "possible_values": "winhost1" + "expected_values": [ + "winhost1" + ] }, "fieldName": "dest_host", "owner": "UBA_Endpoint_Services", @@ -116,7 +128,9 @@ "data_type": "string", "description": "IP address of the endpoint where the activity happened.", "recommended": false, - "possible_values": "1.1.1.1" + "expected_values": [ + "1.1.1.1" + ] }, "fieldName": "dest_ip", "owner": "UBA_Endpoint_Services", @@ -133,7 +147,9 @@ "data_type": "string", "description": "The NT domain of the endpoint, if applicable.", "recommended": false, - "possible_values": "acme" + "expected_values": [ + "acme" + ] }, "fieldName": "dest_nt_domain", "owner": "UBA_Endpoint_Services", @@ -150,7 +166,9 @@ "data_type": "string", "description": "The host name of the endpoint.", "recommended": true, - "possible_values": "winhost1" + "expected_values": [ + "winhost1" + ] }, "fieldName": "endpoint_dns", "owner": "UBA_Endpoint_Services", @@ -167,7 +185,9 @@ "data_type": "string", "description": "IP address of the endpoint where the activity happened.", "recommended": false, - "possible_values": "1.1.1.1" + "expected_values": [ + "1.1.1.1" + ] }, "fieldName": "endpoint_ip", "owner": "UBA_Endpoint_Services", @@ -184,7 +204,9 @@ "data_type": "string", "description": "The NT domain of the endpoint, if applicable.", "recommended": false, - "possible_values": "acme" + "expected_values": [ + "acme" + ] }, "fieldName": "endpoint_nt_domain", "owner": "UBA_Endpoint_Services", @@ -201,7 +223,9 @@ "data_type": "integer", "description": "Network port listening on the endpoint.", "recommended": false, - "possible_values": "53" + "expected_values": [ + "53" + ] }, "fieldName": "endpoint_port", "owner": "UBA_Endpoint_Services", 
@@ -218,7 +242,9 @@ "data_type": "integer", "description": "The event ID or code for the activity.", "recommended": false, - "possible_values": "7045" + "expected_values": [ + "7045" + ] }, "fieldName": "event_id", "owner": "UBA_Endpoint_Services", @@ -235,7 +261,10 @@ "data_type": "string", "description": "The type of the event.", "recommended": true, - "possible_values": "symantec_ep_risk_alert_virus, A service was installed in the system" + "expected_values": [ + "symantec_ep_risk_alert_virus", + "A service was installed in the system" + ] }, "fieldName": "eventtype", "owner": "UBA_Endpoint_Services", @@ -264,7 +293,9 @@ "data_type": "string", "description": "The dynamic link library associated with the service.", "recommended": false, - "possible_values": "Svc.exe" + "expected_values": [ + "Svc.exe" + ] }, "fieldName": "service_dll", "owner": "UBA_Endpoint_Services", @@ -281,7 +312,10 @@ "data_type": "string", "description": "The digests of the dynamic link library associated with the service.", "recommended": false, - "possible_values": ", " + "expected_values": [ + "", + "" + ] }, "fieldName": "service_dll_hash", "owner": "UBA_Endpoint_Services", @@ -298,7 +332,9 @@ "data_type": "string", "description": "The file path to the dynamic link library associated with the service.", "recommended": false, - "possible_values": "C:\\Windows\\System32\\comdlg32.dll" + "expected_values": [ + "C:\\Windows\\System32\\comdlg32.dll" + ] }, "fieldName": "service_dll_path", "owner": "UBA_Endpoint_Services", @@ -315,7 +351,9 @@ "data_type": "string", "description": "Whether or not the dynamic link library associated with the service has a digitally signed signature.", "recommended": false, - "possible_values": "TRUE" + "expected_values": [ + "TRUE" + ] }, "fieldName": "service_dll_signature_exists", "owner": "UBA_Endpoint_Services", 
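Review bot: The `service_dll_hash` hunk converts the already-broken `", "` placeholder into `"expected_values": ["", ""]`, so the published example set for a digest field is now two empty strings; a field that is present but blank will look compliant to anything that checks against this list. Replace the entries with a representative digest example, or drop `expected_values` for this field if the validator schema allows it, rather than carrying the empty pair forward. The `service_hash` field further down in this file has the same pair.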
@@ -332,7 +370,9 @@ "data_type": "string", "description": "Whether or not the dynamic link library associated with the service has had its digitally signed signature verified.", "recommended": false, - "possible_values": "TRUE" + "expected_values": [ + "TRUE" + ] }, "fieldName": "service_dll_signature_verified", "owner": "UBA_Endpoint_Services", @@ -349,7 +389,9 @@ "data_type": "string", "description": "The executable name of the service.", "recommended": false, - "possible_values": "svchost.exe" + "expected_values": [ + "svchost.exe" + ] }, "fieldName": "service_exec", "owner": "UBA_Endpoint_Services", @@ -366,7 +408,10 @@ "data_type": "string", "description": "The digests of the service.", "recommended": true, - "possible_values": ", " + "expected_values": [ + "", + "" + ] }, "fieldName": "service_hash", "owner": "UBA_Endpoint_Services", @@ -383,7 +428,9 @@ "data_type": "integer", "description": "The unique identifier of the service assigned by the operating system.", "recommended": true, - "possible_values": "12345" + "expected_values": [ + "12345" + ] }, "fieldName": "service_id", "owner": "UBA_Endpoint_Services", @@ -400,7 +447,9 @@ "data_type": "string", "description": "The friendly service name.", "recommended": false, - "possible_values": "example_name" + "expected_values": [ + "example_name" + ] }, "fieldName": "service_name", "owner": "UBA_Endpoint_Services", @@ -417,7 +466,9 @@ "data_type": "string", "description": "The file path of the service.", "recommended": false, - "possible_values": "C:\\WINDOWS\\system32\\svchost.exe" + "expected_values": [ + "C:\\WINDOWS\\system32\\svchost.exe" + ] }, "fieldName": "service_path", "owner": "UBA_Endpoint_Services", 
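Review bot: `service_hash` is marked `recommended: true` yet its `expected_values` becomes `["", ""]`, which is the mechanical split of the old `", "` placeholder rather than real example digests. Because this field is what identifies the service binary, an empty-string example is worse than none: it signals that blank hashes are acceptable. Provide one example per digest type the field carries — the description says "digests", plural, so presumably MD5 and SHA-256, but confirm against the UBA field spec — or remove the array for this field.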
@@ -434,7 +485,14 @@ "data_type": "string", "description": "The severity of the endpoint event.", "recommended": false, - "possible_values": "informational, unknown, low, medium, high, critical" + "expected_values": [ + "informational", + "unknown", + "low", + "medium", + "high", + "critical" + ] }, "fieldName": "severity", "owner": "UBA_Endpoint_Services", @@ -451,7 +509,9 @@ "data_type": "string", "description": "The sub-category or signature of the event, if applicable.", "recommended": false, - "possible_values": "process_blocking" + "expected_values": [ + "process_blocking" + ] }, "fieldName": "signature", "owner": "UBA_Endpoint_Services", @@ -492,7 +552,9 @@ "data_type": "string", "description": "The hostname of the \"remote\" system connected to the listening port (if applicable)", "recommended": false, - "possible_values": "acmehost1" + "expected_values": [ + "acmehost1" + ] }, "fieldName": "src_dns", "owner": "UBA_Endpoint_Services", @@ -509,7 +571,9 @@ "data_type": "string", "description": "The hostname of the \"remote\" system connected to the listening port (if applicable)", "recommended": false, - "possible_values": "acmehost1" + "expected_values": [ + "acmehost1" + ] }, "fieldName": "src_host", "owner": "UBA_Endpoint_Services", @@ -526,7 +590,9 @@ "data_type": "string", "description": "The IP address of the \"remote\" system connected to the listening port (if applicable).", "recommended": false, - "possible_values": "2.2.2.2" + "expected_values": [ + "2.2.2.2" + ] }, "fieldName": "src_ip", "owner": "UBA_Endpoint_Services", @@ -543,7 +609,9 @@ "data_type": "integer", "description": "The \"remote\" port connected to the listening port (if applicable).", "recommended": false, - "possible_values": "53" + "expected_values": [ + "53" + ] }, "fieldName": "src_port", "owner": "UBA_Endpoint_Services", 
@@ -560,7 +628,9 @@ "data_type": "string", "description": "The start mode for the service.", "recommended": false, - "possible_values": "example_mode" + "expected_values": [ + "example_mode" + ] }, "fieldName": "start_mode", "owner": "UBA_Endpoint_Services", @@ -577,7 +647,14 @@ "data_type": "string", "description": "The status of the service or registry.", "recommended": true, - "possible_values": "critical, started, stopped, warning, failure, success" + "expected_values": [ + "critical", + "started", + "stopped", + "warning", + "failure", + "success" + ] }, "fieldName": "status", "owner": "UBA_Endpoint_Services", @@ -592,9 +669,12 @@ { "comment": { "data_type": "string", - "description": "Splunk UBA categories rely on the tags from CIM-compliant events to correctly parse data from the Splunk platform. Review this table to determine which category in Splunk UBA corresponds to the CIM data model that the events in the Splunk platform are mapped to. Click the name of the Splunk UBA category to review the field mappings between Splunk UBA and the CIM data models.", + "description": "Splunk UBA categories rely on the tags from CIM-compliant events to correctly parse data from the Splunk platform when using Splunk Direct in Splunk UBA.", "recommended": true, - "possible_values": "service,report" + "expected_values": [ + "service", + "report" + ] }, "fieldName": "tag", "owner": "UBA_Endpoint_Services", @@ -611,7 +691,9 @@ "data_type": "string", "description": "The user account associated with the service or the filesystem access, or the registry access.", "recommended": true, - "possible_values": "cronaldo" + "expected_values": [ + "cronaldo" + ] }, "fieldName": "user", "owner": "UBA_Endpoint_Services", @@ -627,7 +709,7 @@ "calculations": [], "constraints": [ { - "search": "`uba_cim_endpoint_indexes` service report", + "search": "`uba_cim_endpoint_service_indexes`", "owner": "UBA_Endpoint_Services" } ], 
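Review bot: The constraint now reads just `` `uba_cim_endpoint_service_indexes` `` and the `service report` terms that previously narrowed the search are gone, so the model's event scope is defined solely by a macro this diff does not show. If that macro does not carry the tag restriction, the validator will evaluate every event in the endpoint indexes against the Services field list. Consider `` "search": "`uba_cim_endpoint_service_indexes` tag=service tag=report" `` or a comment in macros.conf stating that the macro includes it.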
@@ -637,4 +719,4 @@ "objectNameList": [ "UBA_Endpoint_Services" ] -} +} \ No newline at end of file diff --git a/default/data/models/UBA_External_Alarm.json b/default/data/models/UBA_External_Alarm.json index 3b2e8a5..809dab1 100644 --- a/default/data/models/UBA_External_Alarm.json +++ b/default/data/models/UBA_External_Alarm.json @@ -31,7 +31,11 @@ "data_type": "string", "description": "The action taken by the external device.", "recommended": false, - "possible_values": "allowed, blocked, deferred" + "expected_values": [ + "allowed", + "blocked", + "deferred" + ] }, "fieldName": "action", "owner": "UBA_External_Alarm", @@ -48,7 +52,9 @@ "data_type": "string", "description": "The categories that this external alarm belongs to. Multiple categories can be separated by comma. The values must be one or more of the categories in\u00a0Filter the anomaly table.", "recommended": true, - "possible_values": "Exfiltration" + "expected_values": [ + "Exfiltration" + ] }, "fieldName": "alarmCategories", "owner": "UBA_External_Alarm", @@ -65,7 +71,9 @@ "data_type": "string", "description": "The application involved in the event.", "recommended": false, - "possible_values": "ssl" + "expected_values": [ + "ssl" + ] }, "fieldName": "app", "owner": "UBA_External_Alarm", @@ -82,7 +90,10 @@ "data_type": "string", "description": "The category of the event, if applicable.", "recommended": false, - "possible_values": "malware, watchlist.hit.ingress.proces" + "expected_values": [ + "malware", + "watchlist.hit.ingress.proces" + ] }, "fieldName": "category", "owner": "UBA_External_Alarm", @@ -99,7 +110,9 @@ "data_type": "string", "description": "The host name of the destination.", "recommended": false, - "possible_values": "winhost2" + "expected_values": [ + "winhost2" + ] }, "fieldName": "dest_host", "owner": "UBA_External_Alarm", 
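Review bot: The `category` example `watchlist.hit.ingress.proces` in the External Alarm hunk is missing the trailing `s`; the endpoint models in this same change use `watchlist.hit.ingress.process`. If the validator compares event values against this list, a correctly spelled category would not match for the External Alarm model. Change the entry to `"watchlist.hit.ingress.process"`.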
@@ -116,7 +129,9 @@ "data_type": "string", "description": "The IP address of the destination.", "recommended": false, - "possible_values": "2.2.2.2" + "expected_values": [ + "2.2.2.2" + ] }, "fieldName": "dest_ip", "owner": "UBA_External_Alarm", @@ -133,7 +148,9 @@ "data_type": "string", "description": "The destination zone.", "recommended": false, - "possible_values": "PCI" + "expected_values": [ + "PCI" + ] }, "fieldName": "dest_zone", "owner": "UBA_External_Alarm", @@ -150,7 +167,9 @@ "data_type": "string", "description": "The type of the event.", "recommended": true, - "possible_values": "URL Filtering" + "expected_values": [ + "URL Filtering" + ] }, "fieldName": "eventtype", "owner": "UBA_External_Alarm", @@ -179,7 +198,14 @@ "data_type": "string", "description": "The severity of the external alarm.", "recommended": false, - "possible_values": "informational, unknown, low, medium, high, critical" + "expected_values": [ + "informational", + "unknown", + "low", + "medium", + "high", + "critical" + ] }, "fieldName": "severity", "owner": "UBA_External_Alarm", @@ -196,7 +222,9 @@ "data_type": "string", "description": "The type of the event.", "recommended": true, - "possible_values": "URL Filtering" + "expected_values": [ + "URL Filtering" + ] }, "fieldName": "signature", "owner": "UBA_External_Alarm", @@ -237,7 +265,9 @@ "data_type": "string", "description": "The host name of the source.", "recommended": false, - "possible_values": "winhost1" + "expected_values": [ + "winhost1" + ] }, "fieldName": "src_host", "owner": "UBA_External_Alarm", @@ -254,7 +284,9 @@ "data_type": "string", "description": "The source of the network traffic, such as the client requesting the connection.", "recommended": false, - "possible_values": "10.10.10.12" + "expected_values": [ + "10.10.10.12" + ] }, "fieldName": "src_ip", "owner": "UBA_External_Alarm", 
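Review bot: `signature` in the External Alarm model is documented as "The type of the event." with the example `URL Filtering`, which is word-for-word the documentation of `eventtype` earlier in the same file, so a reader cannot tell the two fields apart. The endpoint models in this commit describe the same field as "The sub-category or signature of the event, if applicable."; reuse that wording here, `"description": "The sub-category or signature of the alarm as reported by the external device, if applicable."`, and pick an example that differs from the `eventtype` one.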
@@ -271,7 +303,9 @@ "data_type": "string", "description": "The source zone.", "recommended": false, - "possible_values": "contractor" + "expected_values": [ + "contractor" + ] }, "fieldName": "src_zone", "owner": "UBA_External_Alarm", @@ -286,9 +320,11 @@ { "comment": { "data_type": "string", - "description": "Splunk UBA categories rely on the tags from CIM-compliant events to correctly parse data from the Splunk platform. Review this table to determine which category in Splunk UBA corresponds to the CIM data model that the events in the Splunk platform are mapped to. Click the name of the Splunk UBA category to review the field mappings between Splunk UBA and the CIM data models.", + "description": "Splunk UBA categories rely on the tags from CIM-compliant events to correctly parse data from the Splunk platform when using Splunk Direct in Splunk UBA.", "recommended": true, - "possible_values": "attack" + "expected_values": [ + "attack" + ] }, "fieldName": "tag", "owner": "UBA_External_Alarm", @@ -305,7 +341,9 @@ "data_type": "string", "description": "The URL accessed in the request.", "recommended": false, - "possible_values": "http://subdomain.acme.com/index.html" + "expected_values": [ + "http://subdomain.acme.com/index.html" + ] }, "fieldName": "url", "owner": "UBA_External_Alarm", @@ -322,7 +360,9 @@ "data_type": "string", "description": "The user involved in the activity reported.", "recommended": false, - "possible_values": "cronaldo" + "expected_values": [ + "cronaldo" + ] }, "fieldName": "user", "owner": "UBA_External_Alarm", @@ -338,7 +378,7 @@ "calculations": [], "constraints": [ { - "search": "`uba_cim_external_alarm_indexes` attack", + "search": "`uba_cim_external_alarm_indexes`", "owner": "UBA_External_Alarm" } ], @@ -348,4 +388,4 @@ "objectNameList": [ "UBA_External_Alarm" ] -} +} \ No newline at end of file diff --git a/default/data/models/UBA_Firewall.json b/default/data/models/UBA_Firewall.json index 1c27863..d775702 100644 
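Review bot: The `url` example `http://subdomain.acme.com/index.html` points at a real registered domain, while the HR model in this change uses `example.com` for its email example; documentation and test values should stay within the RFC 2606 reserved names so the validator never advertises a third party's hostname. Suggest `"expected_values": ["http://subdomain.example.com/index.html"]`. The same URL is used for the Firewall model's `url` field later in this diff.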
--- a/default/data/models/UBA_Firewall.json +++ b/default/data/models/UBA_Firewall.json @@ -31,7 +31,10 @@ "data_type": "string", "description": "The action taken by the firewall.", "recommended": true, - "possible_values": "allowed, blocked" + "expected_values": [ + "allowed", + "blocked" + ] }, "fieldName": "action", "owner": "UBA_Firewall", @@ -48,7 +51,9 @@ "data_type": "string", "description": "The application protocol of the traffic.", "recommended": false, - "possible_values": "SSL" + "expected_values": [ + "SSL" + ] }, "fieldName": "app", "owner": "UBA_Firewall", @@ -65,7 +70,9 @@ "data_type": "integer", "description": "The total number of bytes transferred (bytes_in + bytes_out).", "recommended": false, - "possible_values": "1168" + "expected_values": [ + "1168" + ] }, "fieldName": "bytes", "owner": "UBA_Firewall", @@ -82,7 +89,9 @@ "data_type": "integer", "description": "The number of inbound bytes transferred.", "recommended": true, - "possible_values": "1028" + "expected_values": [ + "1028" + ] }, "fieldName": "bytes_in", "owner": "UBA_Firewall", @@ -99,7 +108,9 @@ "data_type": "integer", "description": "The number of outbound bytes transferred.", "recommended": true, - "possible_values": "140" + "expected_values": [ + "140" + ] }, "fieldName": "bytes_out", "owner": "UBA_Firewall", @@ -116,7 +127,9 @@ "data_type": "string", "description": "The host name of the destination.", "recommended": false, - "possible_values": "winhost2" + "expected_values": [ + "winhost2" + ] }, "fieldName": "dest_host", "owner": "UBA_Firewall", @@ -133,7 +146,9 @@ "data_type": "string", "description": "The IP address of the destination.", "recommended": true, - "possible_values": "2.2.2.2" + "expected_values": [ + "2.2.2.2" + ] }, "fieldName": "dest_ip", "owner": "UBA_Firewall", 
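Review bot: The `app` example is `SSL` here but `ssl` in the External Alarm model in this same change, and the `protocol` field in this file explicitly calls for lowercase values; if `expected_values` feed a case-sensitive comparison the two models will disagree on the same event. Pick one form, `"expected_values": ["ssl"]`, and apply it across the models.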
@@ -150,7 +165,9 @@ "data_type": "integer", "description": "The port number of the destination.", "recommended": false, - "possible_values": "123" + "expected_values": [ + "123" + ] }, "fieldName": "dest_port", "owner": "UBA_Firewall", @@ -167,7 +184,9 @@ "data_type": "string", "description": "The NATed IPv4 or IPv6 address to which a packet is sent.", "recommended": false, - "possible_values": "192.168.1.12" + "expected_values": [ + "192.168.1.12" + ] }, "fieldName": "dest_translated_ip", "owner": "UBA_Firewall", @@ -184,7 +203,9 @@ "data_type": "string", "description": "The destination zone.", "recommended": false, - "possible_values": "PCI" + "expected_values": [ + "PCI" + ] }, "fieldName": "dest_zone", "owner": "UBA_Firewall", @@ -201,7 +222,9 @@ "data_type": "integer", "description": "The amount of time in seconds for the completion of the network event.", "recommended": false, - "possible_values": "241" + "expected_values": [ + "241" + ] }, "fieldName": "duration", "owner": "UBA_Firewall", @@ -230,7 +253,9 @@ "data_type": "integer", "description": "The number of inbound packets transferred.", "recommended": false, - "possible_values": "5" + "expected_values": [ + "5" + ] }, "fieldName": "packets_in", "owner": "UBA_Firewall", @@ -247,7 +272,9 @@ "data_type": "integer", "description": "The number of outbound packets transferred.", "recommended": false, - "possible_values": "6" + "expected_values": [ + "6" + ] }, "fieldName": "packets_out", "owner": "UBA_Firewall", @@ -264,7 +291,11 @@ "data_type": "string", "description": "The OSI layer 3 (network) protocol of the traffic observed, in lowercase.", "recommended": true, - "possible_values": "ip, appletalk, ipx" + "expected_values": [ + "ip", + "appletalk", + "ipx" + ] }, "fieldName": "protocol", "owner": "UBA_Firewall", 
@@ -305,7 +336,9 @@ "data_type": "string", "description": "The host name of the source.", "recommended": false, - "possible_values": "winhost1" + "expected_values": [ + "winhost1" + ] }, "fieldName": "src_host", "owner": "UBA_Firewall", @@ -322,7 +355,9 @@ "data_type": "string", "description": "The source of the network traffic, such as the client requesting the connection.", "recommended": true, - "possible_values": "10.10.10.12" + "expected_values": [ + "10.10.10.12" + ] }, "fieldName": "src_ip", "owner": "UBA_Firewall", @@ -339,7 +374,9 @@ "data_type": "integer", "description": "The port number of the source.", "recommended": false, - "possible_values": "12345" + "expected_values": [ + "12345" + ] }, "fieldName": "src_port", "owner": "UBA_Firewall", @@ -356,7 +393,9 @@ "data_type": "string", "description": "The NATed IPv4 or IPv6 address from which a packet is sent.", "recommended": false, - "possible_values": "192.168.1.11" + "expected_values": [ + "192.168.1.11" + ] }, "fieldName": "src_translated_ip", "owner": "UBA_Firewall", @@ -373,7 +412,9 @@ "data_type": "string", "description": "The source zone.", "recommended": false, - "possible_values": "contractor" + "expected_values": [ + "contractor" + ] }, "fieldName": "src_zone", "owner": "UBA_Firewall", 
@@ -388,9 +429,12 @@ { "comment": { "data_type": "string", - "description": "Splunk UBA categories rely on the tags from CIM-compliant events to correctly parse data from the Splunk platform. Review this table to determine which category in Splunk UBA corresponds to the CIM data model that the events in the Splunk platform are mapped to. Click the name of the Splunk UBA category to review the field mappings between Splunk UBA and the CIM data models.", + "description": "Splunk UBA categories rely on the tags from CIM-compliant events to correctly parse data from the Splunk platform when using Splunk Direct in Splunk UBA.", "recommended": true, - "possible_values": "network,communicate" + "expected_values": [ + "network", + "communicate" + ] }, "fieldName": "tag", "owner": "UBA_Firewall", @@ -407,7 +451,9 @@ "data_type": "string", "description": "The URL accessed in the request.", "recommended": false, - "possible_values": "http://subdomain.acme.com/index.html" + "expected_values": [ + "http://subdomain.acme.com/index.html" + ] }, "fieldName": "url", "owner": "UBA_Firewall", @@ -424,7 +470,9 @@ "data_type": "string", "description": "The user who requested the traffic flow.", "recommended": false, - "possible_values": "cronaldo" + "expected_values": [ + "cronaldo" + ] }, "fieldName": "user", "owner": "UBA_Firewall", @@ -441,7 +489,10 @@ "data_type": "string", "description": "The type of the event.", "recommended": true, - "possible_values": "Teardown TCP, Built inbound connection" + "expected_values": [ + "Teardown TCP", + "Built inbound connection" + ] }, "fieldName": "vendor_action", "owner": "UBA_Firewall", @@ -457,7 +508,7 @@ "calculations": [], "constraints": [ { - "search": "`uba_cim_firewall_indexes` network communicate", + "search": "`uba_cim_firewall_indexes`", "owner": "UBA_Firewall" } ], @@ -467,4 +518,4 @@ "objectNameList": [ "UBA_Firewall" ] -} +} \ No newline at end of file 
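Review bot: `vendor_action` is described as "The type of the event." although the examples `Teardown TCP` and `Built inbound connection` are vendor-specific log messages, not event types; the generic wording gives no hint that this field holds the raw vendor string as opposed to the normalised `action` field above it. Suggest `"description": "The vendor-specific action or message text for the event, as opposed to the normalized action field."`.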
diff --git a/default/data/models/UBA_HR_Data.json b/default/data/models/UBA_HR_Data.json index e67c262..fbedbbe 100644 --- a/default/data/models/UBA_HR_Data.json +++ b/default/data/models/UBA_HR_Data.json @@ -1,7 +1,7 @@ { "modelName": "UBA_HR_Data", "displayName": "UBA HR Data", - "description": "", + "description": "Splunk UBA HR Data Model for CIM Validator App", "objectSummary": { "Event-Based": 1, "Transaction-Based": 0, @@ -18,7 +18,9 @@ "comment": { "data_type": "string", "description": "The user's middle name. This value is used to compute the display name field if the display name field is empty.", - "possible_values": "Michelle", + "expected_values": [ + "Michelle" + ], "recommended": false }, "fieldName": "MiddleName", @@ -34,8 +36,11 @@ { "comment": { "data_type": "string", - "description": "\tUser account control code from AD. Use UAC when the value in your HR data is an ENUM value such as NORMAL_ACCOUNT. If a UAC value is not available, Splunk UBA calculates the UAC using the value of the userAccountControl, such as 512 for a NORMAL_ACCOUNT.", - "possible_values": "66050, ACCOUNT_DISABLED", + "description": "User account control code from AD. Use UAC when the value in your HR data is an ENUM value such as NORMAL_ACCOUNT. If a UAC value is not available, Splunk UBA calculates the UAC using the value of the userAccountControl, such as 512 for a NORMAL_ACCOUNT.", + "expected_values": [ + "66050", + "ACCOUNT_DISABLED" + ], "recommended": false }, "fieldName": "UAC", @@ -63,8 +68,10 @@ { "comment": { "data_type": "string", - "description": "\tValid formats:\nWindows FileTime\nyyyy-MM-dd'T'HH:mm:ss\n %Y-%m-%dT%H:%M:%S.%QZ\nMM/dd/yyyy\nyyyyMMddHHmmss.S'Z'\nyyyyMMdd", - "possible_values": "7/9/19", + "description": "Valid formats:\nWindows FileTime\nyyyy-MM-dd'T'HH:mm:ss\n %Y-%m-%dT%H:%M:%S.%QZ\nMM/dd/yyyy\nyyyyMMddHHmmss.S'Z'\nyyyyMMdd", + "expected_values": [ + "7/9/19" + ], "recommended": false }, "fieldName": "accountExpires", 
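Review bot: The `accountExpires` example `7/9/19` does not match any of the formats the description lists: `MM/dd/yyyy` needs a zero-padded month and day and a four-digit year, and a lenient parser would read `19` as the year 19, not 2019. Use an example that actually conforms, e.g. `"expected_values": ["07/09/2019"]`, or an ISO form such as `2019-07-09T00:00:00` that is unambiguous about day/month order. The same `7/9/19` example is used for `hireDate` and `lastLogon` further down.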
@@ -81,7 +88,10 @@ "comment": { "data_type": "string", "description": "City (location) of the user.", - "possible_values": "San Francisco, London", + "expected_values": [ + "San Francisco", + "London" + ], "recommended": false }, "fieldName": "city", @@ -98,7 +108,10 @@ "comment": { "data_type": "string", "description": "Country of the user.", - "possible_values": "USA, Scotland", + "expected_values": [ + "USA", + "Scotland" + ], "recommended": false }, "fieldName": "co", @@ -115,7 +128,10 @@ "comment": { "data_type": "string", "description": "Country of the user.", - "possible_values": "USA, Scotland", + "expected_values": [ + "USA", + "Scotland" + ], "recommended": false }, "fieldName": "country", @@ -132,7 +148,10 @@ "comment": { "data_type": "string", "description": "Whether or not the user has decided to leave the company.", - "possible_values": "true, false", + "expected_values": [ + "true", + "false" + ], "recommended": false }, "fieldName": "departingUser", @@ -149,7 +168,9 @@ "comment": { "data_type": "string", "description": "Organizational unit (department) or business unit of the user.", - "possible_values": "Organizational unit (department) or business unit of the user.\t", + "expected_values": [ + "Organizational unit (department) or business unit of the user." + ], "recommended": true }, "fieldName": "department", @@ -165,8 +186,10 @@ { "comment": { "data_type": "string", - "description": "The user's full name or a service account name. If this field is empty, the display name is created by using the values in the first name, middle name, and last name fields.\t", - "possible_values": "Shruti Michelle Buttercup", + "description": "The user's full name or a service account name. If this field is empty, the display name is created by using the values in the first name, middle name, and last name fields.", + "expected_values": [ + "Shruti Michelle Buttercup" + ], "recommended": false }, "fieldName": "displayName", 
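Review bot: `departingUser` is typed `"data_type": "string"` with `true`/`false` as its expected values, while `highRiskUser` later in this file is typed `boolean` for the same value set; the two flags carry the same kind of information and should share a type so the validator treats them alike. Suggest `"data_type": "boolean"` here.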
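Review bot: The `department` hunk carries the description sentence over as the example value, `"Organizational unit (department) or business unit of the user."`, which is a copy-paste slip and, with `recommended: true`, is exactly what users will be shown as the expected shape of the field. Replace it with a plausible unit name, e.g. `"expected_values": ["Finance"]`, which is consistent with the `ACME-Finance` group example elsewhere in this file.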
@@ -183,7 +206,9 @@ "comment": { "data_type": "string", "description": "The user's domain + login ID. Supported formats:\nadDomain\\loginId\nadDomain\\\\loginId\nadDomain/loginId\nloginId\\adDomain\nloginId@dnsDomain\nadDomain\\loginId@dnsDomain", - "possible_values": "domain1/smbuttercup", + "expected_values": [ + "domain1/smbuttercup" + ], "recommended": false }, "fieldName": "domainLoginId", @@ -200,7 +225,9 @@ "comment": { "data_type": "string", "description": "User's email address. In some cases, you may find this stored in the userPrincipalName field.", - "possible_values": "smbuttercup@example.com", + "expected_values": [ + "smbuttercup@example.com" + ], "recommended": false }, "fieldName": "email", @@ -217,7 +244,9 @@ "comment": { "data_type": "string", "description": "The type of employee.", - "possible_values": "Contractor", + "expected_values": [ + "Contractor" + ], "recommended": false }, "fieldName": "employeeType", @@ -234,7 +263,9 @@ "comment": { "data_type": "string", "description": "The user's first name. This value is used to compute the display name field if the display name field is empty.", - "possible_values": "Shruti", + "expected_values": [ + "Shruti" + ], "recommended": false }, "fieldName": "firstname", @@ -251,7 +282,9 @@ "comment": { "data_type": "string", "description": "The user's first name. This value is used to compute the display name field if the display name field is empty.", - "possible_values": "Shruti", + "expected_values": [ + "Shruti" + ], "recommended": true }, "fieldName": "givenName", @@ -268,7 +301,10 @@ "comment": { "data_type": "string", "description": "List of AD groups that the user is a member of. If there are no groups, leave the value blank.", - "possible_values": "ACME-Support, ACME-Finance", + "expected_values": [ + "ACME-Support", + "ACME-Finance" + ], "recommended": false }, "fieldName": "groups", 
@@ -285,7 +321,10 @@ "comment": { "data_type": "boolean", "description": "Whether or not the user is identified as a high risk user, such as an executive.", - "possible_values": "true, false", + "expected_values": [ + "true", + "false" + ], "recommended": false }, "fieldName": "highRiskUser", @@ -302,7 +341,9 @@ "comment": { "data_type": "string", "description": "Date the user was hired. Valid formats:\nMM/dd/yyyy\nyyyyMMddHHmmss.S'Z'\nyyyMMdd", - "possible_values": "7/9/19", + "expected_values": [ + "7/9/19" + ], "recommended": false }, "fieldName": "hireDate", @@ -331,7 +372,9 @@ "comment": { "data_type": "string", "description": "Code of the user status.", - "possible_values": "\t3", + "expected_values": [ + "3" + ], "recommended": false }, "fieldName": "hrstatuscode", @@ -348,7 +391,9 @@ "comment": { "data_type": "string", "description": "The user's middle name. This value is used to compute the display name field if the display name field is empty.", - "possible_values": "Michelle", + "expected_values": [ + "Michelle" + ], "recommended": true }, "fieldName": "initials", @@ -365,7 +410,10 @@ "comment": { "data_type": "string", "description": "City (location) of the user.", - "possible_values": "San Francisco, London", + "expected_values": [ + "San Francisco", + "London" + ], "recommended": false }, "fieldName": "l", @@ -382,7 +430,9 @@ "comment": { "data_type": "string", "description": "Last time the user logged on. Valid formats:\nWindows FileTime\nyyyy-MM-dd'T'HH:mm:ss\n %Y-%m-%dT%H:%M:%S.%QZ\nMM/dd/yyyy\nyyyyMMddHHmmss.S'Z'\nyyyMMdd", - "possible_values": "7/9/19", + "expected_values": [ + "7/9/19" + ], "recommended": false }, "fieldName": "lastLogon", 
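Review bot: The retained `hireDate` description lists `yyyMMdd` (three y's) as a valid format, while `accountExpires` above documents `yyyyMMdd`; now that these comment blocks are the structured reference the app presents, the typo will be copied into HR feed configurations. Correct it to `yyyyMMdd` here and in the identical lists for `lastLogon` and `lastLogonTimestamp`. The sample `"7/9/19"` also matches none of the listed formats (`MM/dd/yyyy` implies a four-digit year), so `"07/09/2019"` would be a safer example.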
@@ -399,7 +449,9 @@ "comment": { "data_type": "string", "description": "Valid formats:\nWindows FileTime\nyyyy-MM-dd'T'HH:mm:ss\n %Y-%m-%dT%H:%M:%S.%QZ\nMM/dd/yyyy\nyyyyMMddHHmmss.S'Z'\nyyyMMdd", - "possible_values": "7/9/19", + "expected_values": [ + "7/9/19" + ], "recommended": false }, "fieldName": "lastLogonTimestamp", @@ -415,8 +467,10 @@ { "comment": { "data_type": "string", - "description": "The user's last name. This value is used to compute the display name field if the display name field is empty.\t", - "possible_values": "Buttercup", + "description": "The user's last name. This value is used to compute the display name field if the display name field is empty.", + "expected_values": [ + "Buttercup" + ], "recommended": false }, "fieldName": "lastname", @@ -433,7 +487,9 @@ "comment": { "data_type": "string", "description": "Login ID or username of an account associated with the user.", - "possible_values": "smbuttercup", + "expected_values": [ + "smbuttercup" + ], "recommended": false }, "fieldName": "loginId", @@ -450,7 +506,9 @@ "comment": { "data_type": "string", "description": "User's email address. In some cases, you may find this stored in the userPrincipalName field.", - "possible_values": "smbuttercup@example.com", + "expected_values": [ + "smbuttercup@example.com" + ], "recommended": true }, "fieldName": "mail", @@ -467,7 +525,9 @@ "comment": { "data_type": "string", "description": "Name or ID of the user's manager.", - "possible_values": "Charlotte Arachnia", + "expected_values": [ + "Charlotte Arachnia" + ], "recommended": false }, "fieldName": "manager", @@ -484,7 +544,9 @@ "comment": { "data_type": "string", "description": "Name or ID of the user's manager.", - "possible_values": "Charlotte Arachnia", + "expected_values": [ + "Charlotte Arachnia" + ], "recommended": false }, "fieldName": "manageremployeeId", 
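Review bot: `manageremployeeId` is given `"Charlotte Arachnia"` as its expected value and reuses the `manager` description (`"Name or ID of the user's manager."`), but the field name says it carries an employee ID; a display name here will not match the identifier the name implies. Use an ID-shaped sample such as `"E10457"` and narrow the description to `"Employee ID of the user's manager."`. The field object continues past the hunk.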
@@ -501,7 +563,10 @@ "comment": { "data_type": "string", "description": "List of AD groups that the user is a member of. If there are no groups, leave the value blank.", - "possible_values": "ACME-Support, ACME-Finance", + "expected_values": [ + "ACME-Support", + "ACME-Finance" + ], "recommended": false }, "fieldName": "memberOf", @@ -518,7 +583,10 @@ "comment": { "data_type": "boolean", "description": "Whether or not the user is on a performance improvement plan.", - "possible_values": "true, false", + "expected_values": [ + "true", + "false" + ], "recommended": false }, "fieldName": "onPIP", @@ -535,7 +603,10 @@ "comment": { "data_type": "boolean", "description": "Whether or not the user is on a performance improvement plan.", - "possible_values": "true, false", + "expected_values": [ + "true", + "false" + ], "recommended": false }, "fieldName": "onPerformanceImprovementPlan", @@ -552,7 +623,9 @@ "comment": { "data_type": "string", "description": "Organizational unit (department) or business unit of the user.", - "possible_values": "Organizational unit (department) or business unit of the user.\t", + "expected_values": [ + "Organizational unit (department) or business unit of the user." + ], "recommended": false }, "fieldName": "ou", @@ -569,7 +642,9 @@ "comment": { "data_type": "string", "description": "Phone number of the user.", - "possible_values": "123-456-7890", + "expected_values": [ + "123-456-7890" + ], "recommended": false }, "fieldName": "phone", @@ -586,7 +661,9 @@ "comment": { "data_type": "string", "description": "Zip code of the user.", - "possible_values": "94107", + "expected_values": [ + "94107" + ], "recommended": false }, "fieldName": "postalCode", 
@@ -603,7 +680,9 @@ "comment": { "data_type": "string", "description": "The user's first name. This value is used to compute the display name field if the display name field is empty.", - "possible_values": "Shruti", + "expected_values": [ + "Shruti" + ], "recommended": false }, "fieldName": "preferredName", @@ -620,7 +699,9 @@ "comment": { "data_type": "string", "description": "Login ID or username of an account associated with the user.", - "possible_values": "smbuttercup", + "expected_values": [ + "smbuttercup" + ], "recommended": true }, "fieldName": "sAMAccountName", @@ -636,8 +717,10 @@ { "comment": { "data_type": "string", - "description": "The user's last name. This value is used to compute the display name field if the display name field is empty.\t", - "possible_values": "Buttercup", + "description": "The user's last name. This value is used to compute the display name field if the display name field is empty.", + "expected_values": [ + "Buttercup" + ], "recommended": true }, "fieldName": "sn", @@ -678,7 +761,9 @@ "comment": { "data_type": "string", "description": "State where the user resides.", - "possible_values": "CA", + "expected_values": [ + "CA" + ], "recommended": false }, "fieldName": "st", @@ -695,7 +780,9 @@ "comment": { "data_type": "string", "description": "State where the user resides.", - "possible_values": "CA", + "expected_values": [ + "CA" + ], "recommended": false }, "fieldName": "state", @@ -711,8 +798,10 @@ { "comment": { "data_type": "string", - "description": "Active or inactive status of the user from the HR system.\t", - "possible_values": "Active/InActive", + "description": "Active or inactive status of the user from the HR system.", + "expected_values": [ + "Active/InActive" + ], "recommended": false }, "fieldName": "status", 
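Review bot: `status` converts the old `"Active/InActive"` into a single-element list, so the slash-joined string survives a migration that elsewhere splits multi-value samples into separate entries (`city`, `groups`, `title`). Split it into `"Active",` and `"InActive"`; a consumer comparing field values against this list would otherwise match neither status.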
@@ -729,7 +818,9 @@ "comment": { "data_type": "string", "description": "Street where the user resides.", - "possible_values": "Main", + "expected_values": [ + "Main" + ], "recommended": false }, "fieldName": "street", @@ -746,7 +837,9 @@ "comment": { "data_type": "string", "description": "Street where the user resides.", - "possible_values": "Main", + "expected_values": [ + "Main" + ], "recommended": false }, "fieldName": "streetAddress", @@ -763,7 +856,9 @@ "comment": { "data_type": "string", "description": "Phone number of the user.", - "possible_values": "123-456-7890", + "expected_values": [ + "123-456-7890" + ], "recommended": false }, "fieldName": "telephoneNumber", @@ -780,7 +875,10 @@ "comment": { "data_type": "boolean", "description": "Whether or not the user has been terminated.", - "possible_values": "true, false", + "expected_values": [ + "true", + "false" + ], "recommended": false }, "fieldName": "terminatedUser", @@ -797,7 +895,10 @@ "comment": { "data_type": "string", "description": "Whether or not the user has been terminated.", - "possible_values": "true, false", + "expected_values": [ + "true", + "false" + ], "recommended": false }, "fieldName": "terminationDate", @@ -814,7 +915,10 @@ "comment": { "data_type": "string", "description": "The user's title.", - "possible_values": "Senior manager, Junior developer", + "expected_values": [ + "Senior manager", + "Junior developer" + ], "recommended": false }, "fieldName": "title", @@ -831,7 +935,10 @@ "comment": { "data_type": "boolean", "description": "Whether or not the user is traveling.", - "possible_values": "true, false", + "expected_values": [ + "true", + "false" + ], "recommended": false }, "fieldName": "traveling", 
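Review bot: `terminationDate` receives `expected_values` of `"true"`/`"false"` and keeps the description `"Whether or not the user has been terminated."`, which is the `terminatedUser` entry immediately above it; the field is a date, and that sample would be rejected by any consumer applying the formats documented for `hireDate`. Use `"description": "Date the user was terminated. Valid formats:\nMM/dd/yyyy\nyyyyMMddHHmmss.S'Z'\nyyyyMMdd"` with an expected value such as `"07/09/2019"`. The field object continues past the hunk.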
@@ -847,8 +954,11 @@ { "comment": { "data_type": "string", - "description": "\tUser account control code from AD. Use UAC when the value in your HR data is an ENUM value such as NORMAL_ACCOUNT. If a UAC value is not available, Splunk UBA calculates the UAC using the value of the userAccountControl, such as 512 for a NORMAL_ACCOUNT.", - "possible_values": "66050, ACCOUNT_DISABLED", + "description": "User account control code from AD. Use UAC when the value in your HR data is an ENUM value such as NORMAL_ACCOUNT. If a UAC value is not available, Splunk UBA calculates the UAC using the value of the userAccountControl, such as 512 for a NORMAL_ACCOUNT.", + "expected_values": [ + "66050", + "ACCOUNT_DISABLED" + ], "recommended": false }, "fieldName": "userAccountControl", @@ -865,7 +975,9 @@ "comment": { "data_type": "string", "description": "User's email address. In some cases, you may find this stored in the userPrincipalName field.", - "possible_values": "smbuttercup@example.com", + "expected_values": [ + "smbuttercup@example.com" + ], "recommended": false }, "fieldName": "userPrincipalName", @@ -882,7 +994,9 @@ "comment": { "data_type": "string", "description": "The type of employee.", - "possible_values": "Contractor", + "expected_values": [ + "Contractor" + ], "recommended": false }, "fieldName": "userType", @@ -899,7 +1013,9 @@ "comment": { "data_type": "string", "description": "Zip code of the user.", - "possible_values": "94107", + "expected_values": [ + "94107" + ], "recommended": false }, "fieldName": "zip", @@ -916,7 +1032,7 @@ "calculations": [], "constraints": [ { - "search": "index=main", + "search": "`uba_cim_hr_data`", "owner": "UBA_HR_Data" } ], diff --git a/default/data/models/UBA_Host_AV.json b/default/data/models/UBA_Host_AV.json index 8784298..68edbd9 100644 --- a/default/data/models/UBA_Host_AV.json +++ b/default/data/models/UBA_Host_AV.json 
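Review bot: The HR constraint macro is named `uba_cim_hr_data`, while the sibling models in this commit follow a `uba_cim_<source>_indexes` pattern (`uba_cim_hostav_indexes`, `uba_cim_ids_indexes`); its definition is in `default/macros.conf`, outside this view, so I cannot confirm what it expands to. Because this model exposes PII (names, phone, street address, manager, PIP and termination status), the macro should resolve to an explicit, access-controlled index rather than a wildcard, and renaming it `uba_cim_hr_indexes` would keep the convention. Replacing the hard-coded `index=main` is the right direction either way.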
@@ -31,7 +31,10 @@ "data_type": "string", "description": "The action taken by the AV.", "recommended": true, - "possible_values": "allowed, blocked" + "expected_values": [ + "allowed", + "blocked" + ] }, "fieldName": "action", "owner": "UBA_Host_AV", @@ -48,7 +51,9 @@ "data_type": "string", "description": "The categories that this external alarm belongs to. Multiple categories can be separated by comma. The values must be one or more of the categories in\u00a0Filter the anomaly table.", "recommended": false, - "possible_values": "Exfiltration" + "expected_values": [ + "Exfiltration" + ] }, "fieldName": "alarmCategories", "owner": "UBA_Host_AV", @@ -65,7 +70,10 @@ "data_type": "string", "description": "The category of the event, if applicable.", "recommended": false, - "possible_values": "malware, watchlist.hit.ingress.process" + "expected_values": [ + "malware", + "watchlist.hit.ingress.process" + ] }, "fieldName": "category", "owner": "UBA_Host_AV", @@ -82,7 +90,9 @@ "data_type": "string", "description": "The host name of the system that was affected by the malware event.", "recommended": false, - "possible_values": "winhost2" + "expected_values": [ + "winhost2" + ] }, "fieldName": "dest_host", "owner": "UBA_Host_AV", @@ -99,7 +109,9 @@ "data_type": "string", "description": "The IP address of the system that was affected by the malware event.", "recommended": true, - "possible_values": "2.2.2.2" + "expected_values": [ + "2.2.2.2" + ] }, "fieldName": "dest_ip", "owner": "UBA_Host_AV", @@ -116,7 +128,9 @@ "data_type": "string", "description": "The NT domain of the destination, if applicable.", "recommended": false, - "possible_values": "acme" + "expected_values": [ + "acme" + ] }, "fieldName": "dest_nt_domain", "owner": "UBA_Host_AV", 
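Review bot: The `dest_ip` sample `"2.2.2.2"` is a live, routable address, and as a structured `expected_values` entry it is now something the app displays and people will paste into test data; prefer an RFC 5737 documentation address such as `"192.0.2.10"`. The same value is used for `dest_ip` in UBA_IDS_IPS further down in this commit.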
@@ -133,7 +147,9 @@ "data_type": "integer", "description": "The amount of time in seconds for the completion of the activity reported by AV.", "recommended": false, - "possible_values": "241" + "expected_values": [ + "241" + ] }, "fieldName": "duration", "owner": "UBA_Host_AV", @@ -150,7 +166,9 @@ "data_type": "string", "description": "The type of the event.", "recommended": true, - "possible_values": "symantec_ep_risk_alert_virus" + "expected_values": [ + "symantec_ep_risk_alert_virus" + ] }, "fieldName": "eventtype", "owner": "UBA_Host_AV", @@ -167,7 +185,9 @@ "data_type": "string", "description": "Name of the file involved.", "recommended": false, - "possible_values": "creditcards.xls" + "expected_values": [ + "creditcards.xls" + ] }, "fieldName": "file_name", "owner": "UBA_Host_AV", @@ -184,7 +204,9 @@ "data_type": "string", "description": "The path of the file involved.", "recommended": false, - "possible_values": "c:\\documents" + "expected_values": [ + "c:\\documents" + ] }, "fieldName": "file_path", "owner": "UBA_Host_AV", @@ -213,7 +235,14 @@ "data_type": "string", "description": "The severity of the network protection event.", "recommended": true, - "possible_values": "informational, unknown, low, medium, high, critical" + "expected_values": [ + "informational", + "unknown", + "low", + "medium", + "high", + "critical" + ] }, "fieldName": "severity", "owner": "UBA_Host_AV", @@ -230,7 +259,9 @@ "data_type": "string", "description": "The subcategory or signature of the event, if applicable.", "recommended": false, - "possible_values": "process_blockin" + "expected_values": [ + "process_blockin" + ] }, "fieldName": "signature", "owner": "UBA_Host_AV", 
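Review bot: The `signature` sample is `"process_blockin"`, which reads as a truncated `"process_blocking"`; the UBA_IDS_IPS model added in this same commit uses `"process_blocking"` for the equivalent field. Use `"process_blocking"` here so the two models agree.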
@@ -269,9 +300,13 @@ { "comment": { "data_type": "string", - "description": "Splunk UBA categories rely on the tags from CIM-compliant events to correctly parse data from the Splunk platform. Review this table to determine which category in Splunk UBA corresponds to the CIM data model that the events in the Splunk platform are mapped to. Click the name of the Splunk UBA category to review the field mappings between Splunk UBA and the CIM data models.", + "description": "Splunk UBA categories rely on the tags from CIM-compliant events to correctly parse data from the Splunk platform when using Splunk Direct in Splunk UBA.", "recommended": true, - "possible_values": "malware,attack,operations" + "expected_values": [ + "malware", + "attack", + "operations" + ] }, "fieldName": "tag", "owner": "UBA_Host_AV", @@ -288,7 +323,9 @@ "data_type": "string", "description": "A URL containing more information about the vulnerability.", "recommended": false, - "possible_values": "http://www.mydomain.com/a.html" + "expected_values": [ + "http://www.mydomain.com/a.html" + ] }, "fieldName": "url", "owner": "UBA_Host_AV", @@ -305,7 +342,9 @@ "data_type": "string", "description": "The user involved in the activity reported by AV.", "recommended": false, - "possible_values": "cronaldo" + "expected_values": [ + "cronaldo" + ] }, "fieldName": "user", "owner": "UBA_Host_AV", @@ -321,7 +360,7 @@ "calculations": [], "constraints": [ { - "search": "`uba_cim_hostav_indexes` malware attack operations", + "search": "`uba_cim_hostav_indexes`", "owner": "UBA_Host_AV" } ], @@ -331,4 +370,4 @@ "objectNameList": [ "UBA_Host_AV" ] -} +} \ No newline at end of file diff --git a/default/data/models/UBA_IDS_IPS.json b/default/data/models/UBA_IDS_IPS.json index 04e4e4c..ede7267 100644 --- a/default/data/models/UBA_IDS_IPS.json +++ b/default/data/models/UBA_IDS_IPS.json 
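Review bot: The `url` sample `"http://www.mydomain.com/a.html"` points at a real registered domain; example values that will be copied into test data should use an RFC 2606 name, e.g. `"https://www.example.com/a.html"`, consistent with the `example.com` addresses used in UBA_HR_Data.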
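Review bot: Dropping `malware attack operations` from the Host AV constraint widens the base search to every event in the macro's indexes; the removed terms were bare keywords (a raw-text match), not `tag=` filters, so they never enforced CIM tagging, but they did narrow the accelerated set. If the model should cover only events UBA will ingest, constrain on the tags the `tag` field documents by appending `(tag=malware OR tag=attack OR tag=operations)` after the `uba_cim_hostav_indexes` macro. If the intent is to validate untagged events too, a sentence in the model `description` saying so would spare the next reader the question.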
@@ -1,7 +1,7 @@ { "modelName": "UBA_IDS_IPS", "displayName": "UBA_IDS_IPS", - "description": "", + "description": "Splunk UBA Intrusion Detection System Data Model for CIM Validator App", "objectSummary": { "Event-Based": 1, "Transaction-Based": 0, 
@@ -15,286 +15,429 @@ "comment": "", "fields": [ { - "fieldName": "alarmCategories", - "owner": "UBA_IDS_IPS", - "type": "string", - "fieldSearch": "alarmCategories=*", - "required": true, + "fieldName": "_time", + "owner": "BaseEvent", + "type": "timestamp", + "fieldSearch": "", + "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "alarmCategories", + "displayName": "_time", "comment": "" }, { + "comment": { + "data_type": "string", + "description": "The action taken by the IDS.", + "expected_values": [ + "allowed", + "blocked" + ], + "recommended": true + }, "fieldName": "action", "owner": "UBA_IDS_IPS", "type": "string", "fieldSearch": "action=*", - "required": true, + "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "action", - "comment": "" + "displayName": "action" }, { - "fieldName": "dest_ip", + "comment": { + "data_type": "string", + "description": "The categories that this external alarm belongs to. Multiple categories can be separated by comma. 
The values must be one or more of the categories in\u00a0Filter the anomaly table.", + "expected_values": [ + "Exfiltration" + ], + "recommended": true + }, + "fieldName": "alarmCategories", "owner": "UBA_IDS_IPS", "type": "string", - "fieldSearch": "dest_ip=*", - "required": true, + "fieldSearch": "alarmCategories=*", + "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "dest_ip", - "comment": "" + "displayName": "alarmCategories" }, { - "fieldName": "eventtype", + "comment": { + "data_type": "number", + "description": "The total number of bytes transferred (bytes_in + bytes_out).", + "expected_values": [ + "1168" + ], + "recommended": false + }, + "fieldName": "bytes", "owner": "UBA_IDS_IPS", - "type": "string", - "fieldSearch": "eventtype=*", - "required": true, + "type": "number", + "fieldSearch": "bytes=*", + "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "eventtype", - "comment": "" + "displayName": "bytes" }, { - "fieldName": "severity", + "comment": { + "data_type": "number", + "description": "The number of inbound bytes transferred.", + "expected_values": [ + "1028" + ], + "recommended": false + }, + "fieldName": "bytes_in", "owner": "UBA_IDS_IPS", - "type": "string", - "fieldSearch": "severity=*", - "required": true, + "type": "number", + "fieldSearch": "bytes_in=*", + "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "severity", - "comment": "" + "displayName": "bytes_in" }, { - "fieldName": "signature", + "comment": { + "data_type": "number", + "description": "The number of outbound bytes transferred.", + "expected_values": [ + "140" + ], + "recommended": false + }, + "fieldName": "bytes_out", "owner": "UBA_IDS_IPS", - "type": "string", - "fieldSearch": "signature=*", - "required": true, + "type": "number", + "fieldSearch": "bytes_out=*", + "required": false, "multivalue": false, "hidden": false, "editable": true, - 
"displayName": "signature", - "comment": "" + "displayName": "bytes_out" }, { - "fieldName": "src_ip", + "comment": { + "data_type": "string", + "description": "The category of the event, if applicable.", + "expected_values": [ + "malware", + "watchlist.hit.ingress.process" + ], + "recommended": false + }, + "fieldName": "category", "owner": "UBA_IDS_IPS", "type": "string", - "fieldSearch": "src_ip=*", - "required": true, + "fieldSearch": "category=*", + "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "src_ip", - "comment": "" + "displayName": "category" }, { - "fieldName": "bytes_in", + "comment": { + "data_type": "string", + "description": "The host name of the destination.", + "expected_values": [ + "winhost2" + ], + "recommended": false + }, + "fieldName": "dest_host", "owner": "UBA_IDS_IPS", "type": "string", - "fieldSearch": "", + "fieldSearch": "dest_host=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "bytes_in", - "comment": "" + "displayName": "dest_host" }, { - "fieldName": "bytes_out", + "comment": { + "data_type": "string", + "description": "The IP address of the destination.", + "expected_values": [ + "2.2.2.2" + ], + "recommended": true + }, + "fieldName": "dest_ip", "owner": "UBA_IDS_IPS", "type": "string", - "fieldSearch": "", + "fieldSearch": "dest_ip=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "bytes_out", - "comment": "" + "displayName": "dest_ip" }, { - "fieldName": "bytes", + "comment": { + "data_type": "number", + "description": "The port number of the destination.", + "expected_values": [ + "1234" + ], + "recommended": false + }, + "fieldName": "dest_port", "owner": "UBA_IDS_IPS", - "type": "string", - "fieldSearch": "", + "type": "number", + "fieldSearch": "dest_port=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "bytes", - "comment": "" + 
"displayName": "dest_port" }, { - "fieldName": "category", + "comment": { + "data_type": "number", + "description": "The amount of time in seconds for the completion of the activity reported by IDS.", + "expected_values": [ + "241" + ], + "recommended": false + }, + "fieldName": "duration", "owner": "UBA_IDS_IPS", - "type": "string", - "fieldSearch": "", + "type": "number", + "fieldSearch": "duration=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "category", - "comment": "" + "displayName": "duration" }, { - "fieldName": "dest_host", + "comment": { + "data_type": "string", + "description": "The type of the event.", + "expected_values": [ + "cisco_ips_vulnerable" + ], + "recommended": true + }, + "fieldName": "eventtype", "owner": "UBA_IDS_IPS", "type": "string", - "fieldSearch": "", + "fieldSearch": "eventtype=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "dest_host", - "comment": "" + "displayName": "eventtype" }, { - "fieldName": "dest_port", - "owner": "UBA_IDS_IPS", + "fieldName": "host", + "owner": "BaseEvent", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "dest_port", + "displayName": "host", "comment": "" }, { - "fieldName": "duration", + "comment": { + "data_type": "string", + "description": "The type of IDS that generated the event.", + "expected_values": [ + "network", + "host", + "application" + ], + "recommended": false + }, + "fieldName": "ids_type", "owner": "UBA_IDS_IPS", "type": "string", - "fieldSearch": "", + "fieldSearch": "ids_type=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "duration", - "comment": "" + "displayName": "ids_type" }, { - "fieldName": "ids_type", + "comment": { + "data_type": "string", + "description": "The severity of the network protection event.", + "expected_values": [ + "informational", + 
"unknown", + "low", + "medium", + "high", + "critical" + ], + "recommended": true + }, + "fieldName": "severity", "owner": "UBA_IDS_IPS", "type": "string", - "fieldSearch": "", + "fieldSearch": "severity=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "ids_type", - "comment": "" + "displayName": "severity" }, { - "fieldName": "src_host", + "comment": { + "data_type": "string", + "description": "The sub-category or signature of the event, if applicable.", + "expected_values": [ + "process_blocking" + ], + "recommended": true + }, + "fieldName": "signature", "owner": "UBA_IDS_IPS", "type": "string", - "fieldSearch": "", + "fieldSearch": "signature=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "src_host", - "comment": "" + "displayName": "signature" }, { - "fieldName": "src_port", - "owner": "UBA_IDS_IPS", + "fieldName": "source", + "owner": "BaseEvent", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "src_port", + "displayName": "source", "comment": "" }, { - "fieldName": "user", - "owner": "UBA_IDS_IPS", + "fieldName": "sourcetype", + "owner": "BaseEvent", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "user", + "displayName": "sourcetype", "comment": "" }, { - "fieldName": "tag", + "comment": { + "data_type": "string", + "description": "The host name of the source.", + "expected_values": [ + "winhost1" + ], + "recommended": false + }, + "fieldName": "src_host", "owner": "UBA_IDS_IPS", "type": "string", - "fieldSearch": "*", - "required": true, + "fieldSearch": "src_host=*", + "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "tag", - "comment": "" + "displayName": "src_host" }, { - "fieldName": "_time", - "owner": "BaseEvent", - "type": "timestamp", - "fieldSearch": 
"", + "comment": { + "data_type": "string", + "description": "The source of the network traffic (the client requesting the connection).", + "expected_values": [ + "10.10.10.12" + ], + "recommended": true + }, + "fieldName": "src_ip", + "owner": "UBA_IDS_IPS", + "type": "string", + "fieldSearch": "src_ip=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "_time", - "comment": "" + "displayName": "src_ip" }, { - "fieldName": "host", - "owner": "BaseEvent", - "type": "string", - "fieldSearch": "", + "comment": { + "data_type": "number", + "description": "The port number of the source.", + "expected_values": [ + "12345" + ], + "recommended": false + }, + "fieldName": "src_port", + "owner": "UBA_IDS_IPS", + "type": "number", + "fieldSearch": "src_port=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "host", - "comment": "" + "displayName": "src_port" }, { - "fieldName": "source", - "owner": "BaseEvent", + "comment": { + "data_type": "string", + "description": "Splunk UBA categories rely on the tags from CIM-compliant events to correctly parse data from the Splunk platform when using Splunk Direct in Splunk UBA.", + "expected_values": [ + "ids", + "attack" + ], + "recommended": true + }, + "fieldName": "tag", + "owner": "UBA_IDS_IPS", "type": "string", - "fieldSearch": "", + "fieldSearch": "tag=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "source", - "comment": "" + "displayName": "tag" }, { - "fieldName": "sourcetype", - "owner": "BaseEvent", + "comment": { + "data_type": "string", + "description": "The user involved in the activity reported by IDS.", + "expected_values": [ + "cronaldo" + ], + "recommended": false + }, + "fieldName": "user", + "owner": "UBA_IDS_IPS", "type": "string", - "fieldSearch": "", + "fieldSearch": "user=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": 
"sourcetype", - "comment": "" + "displayName": "user" } ], "calculations": [], "constraints": [ { - "search": "index=main", + "search": "`uba_cim_ids_indexes`", "owner": "UBA_IDS_IPS" } ], @@ -304,4 +447,4 @@ "objectNameList": [ "UBA_IDS_IPS" ] -} +} \ No newline at end of file diff --git a/default/data/models/UBA_Printer.json b/default/data/models/UBA_Printer.json index 5a09709..8c81fc0 100644 --- a/default/data/models/UBA_Printer.json +++ b/default/data/models/UBA_Printer.json @@ -1,7 +1,7 @@ { "modelName": "UBA_Printer", - "displayName": "UBA_Printer", - "description": "", + "displayName": "UBA Printer", + "description": "Splunk UBA Printer Data Model for CIM Validator App", "objectSummary": { "Event-Based": 1, "Transaction-Based": 0, 
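Review bot: Every field in UBA_IDS_IPS flips from `"required": true` to `"required": false`, including `src_ip`, `dest_ip`, `signature` and `action`, and the `tag` fieldSearch loosens from `*` to `tag=*`; as I understand Splunk data models, `required` is what folds a field's `fieldSearch` into the object constraint, so after this change events lacking any of those fields still match the model. For a validator that is probably intentional, since it needs to see incomplete events to report them, but the replacement `"recommended": true` lives inside the free-form `comment` object, which Splunk itself does not interpret, so nothing enforces it unless the app's own views read it. A sentence in the model `description` stating that fields are deliberately non-required and that `recommended` is an app-level flag would document that contract. Separately, the `dest_ip` sample `"2.2.2.2"` is a routable address; use an RFC 5737 value such as `"192.0.2.10"`.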
@@ -10,303 +10,443 @@
 "objects": [
 {
 "objectName": "UBA_Printer",
- "displayName": "UBA_Printer",
+ "displayName": "UBA Printer",
 "parentName": "BaseEvent",
 "comment": "",
 "fields": [
 {
- "fieldName": "file_name",
- "owner": "UBA_Printer",
- "type": "string",
- "fieldSearch": "file_name=*",
- "required": true,
+ "fieldName": "_time",
+ "owner": "BaseEvent",
+ "type": "timestamp",
+ "fieldSearch": "",
+ "required": false,
 "multivalue": false,
 "hidden": false,
 "editable": true,
- "displayName": "file_name",
+ "displayName": "_time",
 "comment": ""
 },
 {
- "fieldName": "signature",
+ "comment": {
+ "data_type": "string",
+ "description": "The data type of the file that was printed.",
+ "expected_values": [
+ "NT EMF 1.008"
+ ],
+ "recommended": true
+ },
+ "fieldName": "data_type",
 "owner": "UBA_Printer",
 "type": "string",
- "fieldSearch": "signature=*",
- "required": true,
+ "fieldSearch": "data_type=*",
+ "required": false,
 "multivalue": false,
 "hidden": false,
 "editable": true,
- "displayName": "signature",
- "comment": ""
+ "displayName": "data_type"
 },
 {
- "fieldName": "user",
+ "comment": {
+ "data_type": "string",
+ "description": "The name of the driver.",
+ "expected_values": [
+ "HP LaserJet M3035 mfp PCL6"
+ ],
+ "recommended": false
+ },
+ "fieldName": "driver_process",
 "owner": "UBA_Printer",
 "type": "string",
- "fieldSearch": "user=*",
- "required": true,
+ "fieldSearch": "driver_process=*",
+ "required": false,
 "multivalue": false,
 "hidden": false,
 "editable": true,
- "displayName": "user",
- "comment": ""
+ "displayName": "driver_process"
 },
 {
- "fieldName": "data_type",
+ "comment": {
+ "data_type": "string",
+ "description": "The name of the file that was printed.",
+ "expected_values": [
+ "LIN111757BPAM08-04Laboratory17-10-15-12104.pdf"
+ ],
+ "recommended": true
+ },
+ "fieldName": "file_name",
 "owner": "UBA_Printer",
 "type": "string",
- "fieldSearch": "",
+ "fieldSearch": "file_name=*",
 "required": false,
 "multivalue": false,
 "hidden": false,
"editable": true, - "displayName": "data_type", - "comment": "" + "displayName": "file_name" }, { - "fieldName": "driver_process", + "comment": { + "data_type": "number", + "description": "The size of the file being printed.", + "expected_values": [ + "10280" + ], + "recommended": false + }, + "fieldName": "file_size", "owner": "UBA_Printer", - "type": "string", - "fieldSearch": "", + "type": "number", + "fieldSearch": "file_size=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "driver_process", - "comment": "" + "displayName": "file_size" }, { - "fieldName": "file_size", - "owner": "UBA_Printer", + "fieldName": "host", + "owner": "BaseEvent", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "file_size", + "displayName": "host", "comment": "" }, { + "comment": { + "data_type": "number", + "description": "The print ID of the job.", + "expected_values": [ + "35" + ], + "recommended": false + }, "fieldName": "job_id", "owner": "UBA_Printer", - "type": "string", - "fieldSearch": "", + "type": "number", + "fieldSearch": "job_id=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "job_id", - "comment": "" + "displayName": "job_id" }, { + "comment": { + "data_type": "string", + "description": "The printer operation.", + "expected_values": [ + "add" + ], + "recommended": false + }, "fieldName": "operation", "owner": "UBA_Printer", "type": "string", - "fieldSearch": "", + "fieldSearch": "operation=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "operation", - "comment": "" + "displayName": "operation" }, { + "comment": { + "data_type": "number", + "description": "The page that was printed.", + "expected_values": [ + "7" + ], + "recommended": false + }, "fieldName": "page_printed", "owner": "UBA_Printer", - "type": "string", - "fieldSearch": "", + "type": 
"number", + "fieldSearch": "page_printed=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "page_printed", - "comment": "" + "displayName": "page_printed" }, { + "comment": { + "data_type": "string", + "description": "The print parameters.", + "expected_values": [ + "" + ], + "recommended": false + }, "fieldName": "parameters", "owner": "UBA_Printer", "type": "string", - "fieldSearch": "", + "fieldSearch": "parameters=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "parameters", - "comment": "" + "displayName": "parameters" }, { + "comment": { + "data_type": "string", + "description": "The print processor.", + "expected_values": [ + "hpzppwn7" + ], + "recommended": false + }, "fieldName": "print_processor", "owner": "UBA_Printer", "type": "string", - "fieldSearch": "", + "fieldSearch": "print_processor=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "print_processor", - "comment": "" + "displayName": "print_processor" }, { + "comment": { + "data_type": "string", + "description": "The printer identifier.", + "expected_values": [ + "acmeprinter1" + ], + "recommended": false + }, "fieldName": "printer", "owner": "UBA_Printer", "type": "string", - "fieldSearch": "", + "fieldSearch": "printer=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "printer", - "comment": "" + "displayName": "printer" }, { + "comment": { + "data_type": "number", + "description": "The priority of the print job.", + "expected_values": [ + "1" + ], + "recommended": false + }, "fieldName": "priority", "owner": "UBA_Printer", - "type": "string", - "fieldSearch": "", + "type": "number", + "fieldSearch": "priority=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "priority", - "comment": "" + "displayName": "priority" }, { - "fieldName": "src_host", + "comment": { + 
"data_type": "string", + "description": "The type of the event.", + "expected_values": [ + "Microsoft-Windows-PrintService:812" + ], + "recommended": true + }, + "fieldName": "signature", "owner": "UBA_Printer", "type": "string", - "fieldSearch": "", + "fieldSearch": "signature=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "src_host", - "comment": "" + "displayName": "signature" }, { - "fieldName": "src_ip", - "owner": "UBA_Printer", + "fieldName": "source", + "owner": "BaseEvent", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "src_ip", + "displayName": "source", "comment": "" }, { - "fieldName": "status", - "owner": "UBA_Printer", + "fieldName": "sourcetype", + "owner": "BaseEvent", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "status", + "displayName": "sourcetype", "comment": "" }, { - "fieldName": "submitted_time", + "comment": { + "data_type": "string", + "description": "The host name of the device that submitted the printer job.", + "expected_values": [ + "acmehost1" + ], + "recommended": false + }, + "fieldName": "src_host", "owner": "UBA_Printer", "type": "string", - "fieldSearch": "", + "fieldSearch": "src_host=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "submitted_time", - "comment": "" + "displayName": "src_host" }, { - "fieldName": "total_pages", + "comment": { + "data_type": "string", + "description": "The IP address of the device that submitted the printer job.", + "expected_values": [ + "10.11.12.13" + ], + "recommended": false + }, + "fieldName": "src_ip", "owner": "UBA_Printer", "type": "string", - "fieldSearch": "", + "fieldSearch": "src_ip=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "total_pages", - "comment": "" + "displayName": 
"src_ip" }, { - "fieldName": "type", + "comment": { + "data_type": "string", + "description": "The status of print job.", + "expected_values": [ + "printing" + ], + "recommended": false + }, + "fieldName": "status", "owner": "UBA_Printer", "type": "string", - "fieldSearch": "", + "fieldSearch": "status=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "type", - "comment": "" + "displayName": "status" }, { - "fieldName": "tag", + "comment": { + "data_type": "string", + "description": "The time that the print job was submitted. The format must be either\u00a0MM/dd/yyyy HH:mm:ss.SSS\u00a0or\u00a0MM/dd/yyyy.", + "expected_values": [ + "05/22/2019 13:10:44:001" + ], + "recommended": false + }, + "fieldName": "submitted_time", "owner": "UBA_Printer", "type": "string", - "fieldSearch": "*", - "required": true, + "fieldSearch": "submitted_time=*", + "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "tag", - "comment": "" + "displayName": "submitted_time" }, { - "fieldName": "_time", - "owner": "BaseEvent", - "type": "timestamp", - "fieldSearch": "", + "comment": { + "data_type": "string", + "description": "Splunk UBA categories rely on the tags from CIM-compliant events to correctly parse data from the Splunk platform when using Splunk Direct in Splunk UBA.", + "expected_values": [ + "printer" + ], + "recommended": true + }, + "fieldName": "tag", + "owner": "UBA_Printer", + "type": "string", + "fieldSearch": "tag=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "_time", - "comment": "" + "displayName": "tag" }, { - "fieldName": "host", - "owner": "BaseEvent", - "type": "string", - "fieldSearch": "", + "comment": { + "data_type": "number", + "description": "The total number of pages printed.", + "expected_values": [ + "10" + ], + "recommended": false + }, + "fieldName": "total_pages", + "owner": "UBA_Printer", + "type": "number", + 
"fieldSearch": "total_pages=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "host", - "comment": "" + "displayName": "total_pages" }, { - "fieldName": "source", - "owner": "BaseEvent", + "comment": { + "data_type": "string", + "description": "The type or log.", + "expected_values": [ + "PrintJob" + ], + "recommended": false + }, + "fieldName": "type", + "owner": "UBA_Printer", "type": "string", - "fieldSearch": "", + "fieldSearch": "type=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "source", - "comment": "" + "displayName": "type" }, { - "fieldName": "sourcetype", - "owner": "BaseEvent", + "comment": { + "data_type": "string", + "description": "The user involved in the activity reported.", + "expected_values": [ + "cronaldo" + ], + "recommended": true + }, + "fieldName": "user", + "owner": "UBA_Printer", "type": "string", - "fieldSearch": "", + "fieldSearch": "user=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "sourcetype", - "comment": "" + "displayName": "user" } ], "calculations": [], "constraints": [ { - "search": "index=main", + "search": "`uba_cim_printer_indexes`", "owner": "UBA_Printer" } ], @@ -316,4 +456,4 @@ "objectNameList": [ "UBA_Printer" ] -} +} \ No newline at end of file diff --git a/default/data/models/UBA_VPN.json b/default/data/models/UBA_VPN.json index af7b4e7..13cb8d1 100644 --- a/default/data/models/UBA_VPN.json +++ b/default/data/models/UBA_VPN.json @@ -31,7 +31,9 @@ "data_type": "integer", "description": "The total number of bytes transferred by the device corresponding to the\u00a0src_ip\u00a0(bytes_in + bytes_out).", "recommended": false, - "possible_values": "1168" + "expected_values": [ + "1168" + ] }, "fieldName": "bytes", "owner": "UBA_VPN", 
@@ -48,7 +50,9 @@
 "data_type": "integer",
 "description": "The number of bytes received by the device corresponding to the\u00a0src_ip\u00a0(downloads).",
 "recommended": false,
- "possible_values": "1028"
+ "expected_values": [
+ "1028"
+ ]
 },
 "fieldName": "bytes_in",
 "owner": "UBA_VPN",
@@ -65,7 +69,9 @@
 "data_type": "integer",
 "description": "The number of bytes sent out by the device corresponding to the\u00a0src_ip\u00a0(uploads).",
 "recommended": false,
- "possible_values": "140"
+ "expected_values": [
+ "140"
+ ]
 },
 "fieldName": "bytes_out",
 "owner": "UBA_VPN",
@@ -82,7 +88,9 @@
 "data_type": "string",
 "description": "The IP address of the destination device.",
 "recommended": false,
- "possible_values": "192.168.1.2"
+ "expected_values": [
+ "192.168.1.2"
+ ]
 },
 "fieldName": "dest_ip",
 "owner": "UBA_VPN",
@@ -97,9 +105,11 @@
 {
 "comment": {
 "data_type": "integer",
- "description": "The duration in seconds of the VPN session. This field is expected when an\u00a0end\u00a0tag is present.",
+ "description": "The duration in seconds of the VPN session. This field is expected when end tag is present.",
 "recommended": false,
- "possible_values": "2000"
+ "expected_values": [
+ "2000"
+ ]
 },
 "fieldName": "duration",
 "owner": "UBA_VPN",
@@ -152,7 +162,9 @@
 "data_type": "string",
 "description": "The IP address of the originator of the request.",
 "recommended": true,
- "possible_values": "11.12.13.14"
+ "expected_values": [
+ "11.12.13.14"
+ ]
 },
 "fieldName": "src_ip",
 "owner": "UBA_VPN",
@@ -167,9 +179,15 @@
 {
 "comment": {
 "data_type": "string",
- "description": "Splunk UBA categories rely on the tags from CIM-compliant events to correctly parse data from the Splunk platform. Review this table to determine which category in Splunk UBA corresponds to the CIM data model that the events in the Splunk platform are mapped to. Click the name of the Splunk UBA category to review the field mappings between Splunk UBA and the CIM data models. See VPN categories for VPN specific combinations",
+ "description": "Splunk UBA categories rely on the tags from CIM-compliant events to correctly parse data from the Splunk platform when using Splunk Direct in Splunk UBA.",
 "recommended": true,
- "possible_values": "network,session,vpn"
+ "expected_values": [
+ "network",
+ "session",
+ "vpn",
+ "start",
+ "end"
+ ]
 },
 "fieldName": "tag",
 "owner": "UBA_VPN",
@@ -186,7 +204,9 @@
 "data_type": "string",
 "description": "The name of the user for whom the authentication is being performed.",
 "recommended": true,
- "possible_values": "user2"
+ "expected_values": [
+ "user2"
+ ]
 },
 "fieldName": "user",
 "owner": "UBA_VPN",
@@ -202,7 +222,7 @@
 "calculations": [],
 "constraints": [
 {
- "search": "`uba_cim_vpn_indexes` network session vpn",
+ "search": "`uba_cim_vpn_indexes`",
 "owner": "UBA_VPN"
 }
 ],
@@ -213,144 +233,11 @@
 "displayName": "UBA VPN End",
 "parentName": "UBA_VPN",
 "comment": "",
- "fields": [
- {
- "fieldName": "bytes",
- "owner": "UBA_VPN",
- "type": "number",
- "fieldSearch": "",
- "required": false,
- "multivalue": false,
- "hidden": false,
- "editable": true,
- "displayName": "bytes",
- "comment": ""
- },
- {
- "fieldName": "bytes_in",
- "owner": "UBA_VPN",
- "type": "number",
- "fieldSearch": "",
- "required": false,
- "multivalue": false,
- "hidden": false,
- "editable": true,
- "displayName": "bytes_in",
- "comment": ""
- },
- {
- "fieldName": "bytes_out",
- "owner": "UBA_VPN",
- "type": "number",
- "fieldSearch": "",
- "required": false,
- "multivalue": false,
- "hidden": false,
- "editable": true,
- "displayName": "bytes_out",
- "comment": ""
- },
- {
- "fieldName": "dest_ip",
- "owner": "UBA_VPN",
- "type": "ipv4",
- "fieldSearch": "",
- "required": false,
- "multivalue": false,
- "hidden": false,
- "editable": true,
- "displayName": "dest_ip",
- "comment": ""
- },
- {
- "fieldName": "duration",
- "owner": "UBA_VPN",
- "type": "number",
- "fieldSearch": "",
- "required": false,
- "multivalue": false,
- "hidden": false,
- "editable": true,
- "displayName": "duration",
- "comment": ""
- },
- {
- "fieldName": "src_ip",
- "owner": "UBA_VPN",
- "type": "ipv4",
- "fieldSearch": "src_ip=*",
- "required": true,
- "multivalue": false,
- "hidden": false,
- "editable": true,
- "displayName": "src_ip",
- "comment": ""
- },
- {
- "fieldName": "user",
- "owner": "UBA_VPN",
- "type": "string",
- "fieldSearch": "user=*",
- "required": true,
- "multivalue": false,
- "hidden": false,
- "editable": true,
- "displayName": "user",
- "comment": ""
- },
- {
- "fieldName": "_time",
- "owner": "BaseEvent",
- "type": "timestamp",
- "fieldSearch": "",
- "required": false,
- "multivalue": false,
- "hidden": false,
- "editable": true,
- "displayName": "_time",
- "comment": ""
- },
- {
- "fieldName": "host",
- "owner": "BaseEvent",
- "type": "string",
- "fieldSearch": 
"", - "required": false, - "multivalue": false, - "hidden": false, - "editable": true, - "displayName": "host", - "comment": "" - }, - { - "fieldName": "source", - "owner": "BaseEvent", - "type": "string", - "fieldSearch": "", - "required": false, - "multivalue": false, - "hidden": false, - "editable": true, - "displayName": "source", - "comment": "" - }, - { - "fieldName": "sourcetype", - "owner": "BaseEvent", - "type": "string", - "fieldSearch": "", - "required": false, - "multivalue": false, - "hidden": false, - "editable": true, - "displayName": "sourcetype", - "comment": "" - } - ], + "fields": [], "calculations": [], "constraints": [ { - "search": "end", + "search": "`uba_cim_vpn_end_indexes`", "owner": "UBA_VPN.UBA_VPN_End" } ], @@ -365,7 +252,7 @@ "calculations": [], "constraints": [ { - "search": "start", + "search": "`uba_cim_vpn_start_indexes`", "owner": "UBA_VPN.UBA_VPN_Start" } ], @@ -377,4 +264,4 @@ "UBA_VPN_End", "UBA_VPN_Start" ] -} +} \ No newline at end of file diff --git a/default/data/models/UBA_Web_Proxy.json b/default/data/models/UBA_Web_Proxy.json index 47e911d..f4e9e6f 100644 --- a/default/data/models/UBA_Web_Proxy.json +++ b/default/data/models/UBA_Web_Proxy.json @@ -31,7 +31,10 @@ "data_type": "string", "description": "The action taken by the server or proxy. If this value is not present, it can be derived from the status field.", "recommended": true, - "possible_values": "allowed, blocked" + "expected_values": [ + "allowed", + "blocked" + ] }, "fieldName": "action", "owner": "UBA_Web_Proxy", @@ -48,7 +51,9 @@ "data_type": "integer", "description": "The total number of bytes transferred (bytes_in + bytes_out).", "recommended": false, - "possible_values": "1168" + "expected_values": [ + "1168" + ] }, "fieldName": "bytes", "owner": "UBA_Web_Proxy", 
@@ -65,7 +70,9 @@
 "data_type": "integer",
 "description": "The number of inbound bytes transferred.",
 "recommended": true,
- "possible_values": "1028"
+ "expected_values": [
+ "1028"
+ ]
 },
 "fieldName": "bytes_in",
 "owner": "UBA_Web_Proxy",
@@ -82,7 +89,9 @@
 "data_type": "integer",
 "description": "The number of outbound bytes transferred.",
 "recommended": true,
- "possible_values": "140"
+ "expected_values": [
+ "140"
+ ]
 },
 "fieldName": "bytes_out",
 "owner": "UBA_Web_Proxy",
@@ -99,7 +108,9 @@
 "data_type": "string",
 "description": "The category of traffic provided by the proxy server.",
 "recommended": false,
- "possible_values": "entertainment"
+ "expected_values": [
+ "entertainment"
+ ]
 },
 "fieldName": "category",
 "owner": "UBA_Web_Proxy",
@@ -116,7 +127,9 @@
 "data_type": "string",
 "description": "The IP address of the remote host.",
 "recommended": false,
- "possible_values": "2.2.2.2"
+ "expected_values": [
+ "2.2.2.2"
+ ]
 },
 "fieldName": "dest_ip",
 "owner": "UBA_Web_Proxy",
@@ -133,7 +146,9 @@
 "data_type": "integer",
 "description": "The time in milliseconds taken by the proxy event.",
 "recommended": false,
- "possible_values": "241"
+ "expected_values": [
+ "241"
+ ]
 },
 "fieldName": "duration",
 "owner": "UBA_Web_Proxy",
@@ -162,7 +177,9 @@
 "data_type": "string",
 "description": "The content-type of the requested HTTP resource.",
 "recommended": true,
- "possible_values": "image/gif"
+ "expected_values": [
+ "image/gif"
+ ]
 },
 "fieldName": "http_content_type",
 "owner": "UBA_Web_Proxy",
@@ -179,7 +196,9 @@
 "data_type": "string",
 "description": "The HTTP method used in the request.",
 "recommended": true,
- "possible_values": "GET"
+ "expected_values": [
+ "GET"
+ ]
 },
 "fieldName": "http_method",
 "owner": "UBA_Web_Proxy",
@@ -196,7 +215,9 @@
 "data_type": "string",
 "description": "The HTTP referrer used in the request.",
 "recommended": false,
- "possible_values": "referrer.acme.com"
+ "expected_values": [
+ "referrer.acme.com"
+ ]
 },
 "fieldName": "http_referrer",
 "owner": "UBA_Web_Proxy",
@@ -213,7 +234,9 @@
 "data_type": "string",
 "description": "The user agent used in the request.",
 "recommended": true,
- "possible_values": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
+ "expected_values": [
+ "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
+ ]
 },
 "fieldName": "http_user_agent",
 "owner": "UBA_Web_Proxy",
@@ -230,7 +253,9 @@
 "data_type": "integer",
 "description": "The amount of time it took to receive a response, if applicable, in milliseconds.",
 "recommended": false,
- "possible_values": "200"
+ "expected_values": [
+ "200"
+ ]
 },
 "fieldName": "response_time",
 "owner": "UBA_Web_Proxy",
@@ -271,7 +296,9 @@
 "data_type": "string",
 "description": "The source of the network traffic, such as the client requesting the connection.",
 "recommended": true,
- "possible_values": "10.10.10.12"
+ "expected_values": [
+ "10.10.10.12"
+ ]
 },
 "fieldName": "src_ip",
 "owner": "UBA_Web_Proxy",
@@ -288,7 +315,9 @@
 "data_type": "integer",
 "description": "The HTTP response code indicating the status of the proxy request.",
 "recommended": true,
- "possible_values": "200"
+ "expected_values": [
+ "200"
+ ]
 },
 "fieldName": "status",
 "owner": "UBA_Web_Proxy",
@@ -303,9 +332,12 @@
 {
 "comment": {
 "data_type": "string",
- "description": "Splunk UBA categories rely on the tags from CIM-compliant events to correctly parse data from the Splunk platform. Review this table to determine which category in Splunk UBA corresponds to the CIM data model that the events in the Splunk platform are mapped to. Click the name of the Splunk UBA category to review the field mappings between Splunk UBA and the CIM data models.",
+ "description": "Splunk UBA categories rely on the tags from CIM-compliant events to correctly parse data from the Splunk platform when using Splunk Direct in Splunk UBA.",
 "recommended": true,
- "possible_values": "web,proxy"
+ "expected_values": [
+ "web",
+ "proxy"
+ ]
 },
 "fieldName": "tag",
 "owner": "UBA_Web_Proxy",
@@ -322,7 +354,9 @@
 "data_type": "string",
 "description": "The URL accessed in the request.",
 "recommended": true,
- "possible_values": "http://subdomain.acme.com/index.html"
+ "expected_values": [
+ "http://subdomain.acme.com/index.html"
+ ]
 },
 "fieldName": "url",
 "owner": "UBA_Web_Proxy",
@@ -339,7 +373,9 @@
 "data_type": "string",
 "description": "The user that requested the HTTP resource.",
 "recommended": false,
- "possible_values": "cronaldo"
+ "expected_values": [
+ "cronaldo"
+ ]
 },
 "fieldName": "user",
 "owner": "UBA_Web_Proxy",
@@ -355,7 +391,7 @@
 "calculations": [],
 "constraints": [
 {
- "search": "`uba_cim_webproxy_indexes` web proxy",
+ "search": "`uba_cim_webproxy_indexes`",
 "owner": "UBA_Web_Proxy"
 }
 ],
@@ -365,4 +401,4 @@
 "objectNameList": [
 "UBA_Web_Proxy"
 ]
-}
+}
\ No newline at end of file
diff --git a/default/macros.conf b/default/macros.conf
index 38ef3ae..9143ccf 100644
--- a/default/macros.conf
+++ b/default/macros.conf
@@ -1,95 +1,77 @@
+[uba_cim_asset_data]
+definition = index=main
+
+[uba_cim_hr_data]
+definition = index=main
+
 [uba_cim_authentication_indexes]
-definition = index=main
-iseval = 0
+definition = index=main tag=authentication
 [uba_cim_badge_indexes]
-definition = index=main
-iseval = 0
+definition = index=main tag=badge
 [uba_cim_cloud_indexes]
-definition = index=main
-iseval = 0
+definition = index=main tag=cloud
 [uba_cim_database_indexes]
-definition = index=main
-iseval = 0
+definition = index=main tag=database
 [uba_cim_dhcp_indexes]
-definition = index=main
-iseval = 0
+definition = index=main tag=network tag=session tag=dhcp
 [uba_cim_dlp_email_indexes]
-definition = index=main
-iseval = 0
+definition = index=main tag=dlp tag=incident tag=email
 [uba_cim_dlp_indexes]
-definition = index=main
-iseval = 0
+definition = index=main tag=dlp tag=incident
 [uba_cim_dns_indexes]
-definition = index=main
-iseval = 0
+definition = index=main tag=network tag=resolution tag=dns
 [uba_cim_email_indexes]
-definition = index=main
-iseval = 0
+definition = index=main tag=email
 [uba_cim_endpoint_filesystem_indexes]
-definition = index=main
-iseval = 0
+definition = index=main tag=endpoint tag=filesystem
 [uba_cim_endpoint_port_indexes]
-definition = index=main
-iseval = 0
+definition = index=main tag=listening tag=port
 [uba_cim_endpoint_process_indexes]
-definition = index=main
-iseval = 0
+definition = index=main tag=process tag=report
 [uba_cim_endpoint_registry_indexes]
-definition = index=main
-iseval = 0
+definition = index=main tag=endpoint tag=registry
 [uba_cim_endpoint_service_indexes]
-definition = index=main
-iseval = 0
+definition = index=main tag=service tag=report
 [uba_cim_external_alarm_indexes]
-definition = index=main
-iseval = 0
+definition = index=main tag=attack
 [uba_cim_firewall_indexes]
-definition = index=main
-iseval = 0
+definition = index=main tag=network tag=communicate
 [uba_cim_hostav_indexes]
-definition = index=main
-iseval = 0
+definition = index=main 
tag=malware tag=attack tag=operations
 [uba_cim_ids_indexes]
-definition = index=main
-iseval = 0
+definition = index=main tag=ids tag=attack
 [uba_cim_printer_indexes]
-definition = index=main
-iseval = 0
+definition = index=main tag=printer
 [uba_cim_vpn_end_indexes]
-definition = index=main
-iseval = 0
+definition = index=main tag=network tag=session tag=vpn tag=end
 [uba_cim_vpn_indexes]
-definition = index=main
-iseval = 0
+definition = index=main tag=network tag=session tag=vpn
 [uba_cim_vpn_start_indexes]
-definition = index=main
-iseval = 0
+definition = index=main tag=network tag=session tag=vpn tag=start
 [uba_cim_webproxy_indexes]
-definition = index=main
-iseval = 0
+definition = index=main tag=web tag=proxy
 [uba_cim_endpoint_indexes]
 definition = index=main
-iseval = 0
diff --git a/default/transforms.conf b/default/transforms.conf
index 3459b75..3e69ec7 100644
--- a/default/transforms.conf
+++ b/default/transforms.conf
@@ -1,6 +1,6 @@
 [cim_validation_regex]
 filename = cim_validator_field_regex.csv
-match_type = WILDCARD(field)
+match_type = WILDCARD(datamodel) WILDCARD(field)
 max_matches = 1
 [cim_validator_recommended_fields]
From f493a41484ecccf9bf48636c87044259bf68832b Mon Sep 17 00:00:00 2001
From: hire-vladimir
Date: Fri, 23 Feb 2024 22:07:10 +0000
Subject: [PATCH 07/28] ack section
---
 README.md | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 184d07e..53f72c6 100644
--- a/README.md
+++ b/README.md
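Review bot: The tag constraints have moved out of the data-model constraint searches (the VPN and Web Proxy constraint hunks above drop `network session vpn` and `web proxy`) and into these `*_indexes` macros, but nothing in macros.conf says so; the stanza names still suggest they only scope indexes, so an admin who overrides `uba_cim_vpn_indexes` with their own `index=...` silently drops the tag filter and the validator then reports on untagged events. Add a header comment above the first stanza, e.g. `# These macros scope BOTH the index and the CIM tags; when overriding for your own indexes keep the tag= terms.` Naming is also inconsistent: `uba_cim_asset_data` and `uba_cim_hr_data` lack the `_indexes` suffix every other stanza uses. Dropping `iseval = 0` is harmless since that is the default.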
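Review bot: `match_type = WILDCARD(datamodel) WILDCARD(field)` presumes `cim_validator_field_regex.csv` has a `datamodel` column and that every `lookup` invocation now passes `datamodel`; the CSV is not touched in this hunk, so if the column is missing the lookup errors or matches nothing and the regex validation quietly stops firing. With `max_matches = 1` and two wildcard keys, the first row in file order that matches appears to win, so a generic `*` row placed early will shadow a model-specific row; document the intended precedence next to `max_matches`, e.g. `# first matching row wins: keep specific (datamodel,field) rows above wildcard rows in the CSV`, and order the CSV accordingly.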
@@ -19,7 +19,10 @@ App installation can be completed using the self-service capabilities. Documenta
 ![CIM validator](https://raw.githubusercontent.com/hire-vladimir/SA-cim_vladiator/master/static/screenshot1.png)
 ## System requirements
-App was developed for use with Splunk 8.x+, 9.x+
+App was developed for use with Splunk Enterprise and Splunk Cloud8.x+, 9.x+
+
+# Special Thanks
+Thank you to Lowell Alleman for python3 support, Annette Quach for UBA support.
 # Legal
 * *Splunk* is a registered trademark of Splunk, Inc.
From 4567f292e3635e2f509f21f498db0ef14d208542 Mon Sep 17 00:00:00 2001
From: hire-vladimir
Date: Fri, 23 Feb 2024 22:09:23 +0000
Subject: [PATCH 08/28] bump version to 2.0.0 as major release due to UBA support
---
 default/app.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/default/app.conf b/default/app.conf
index bc7db5d..e6cda72 100644
--- a/default/app.conf
+++ b/default/app.conf
@@ -1,6 +1,6 @@
 [install]
 is_configured = 1
-build = 1.8.2
+build = 2.0.0
 [ui]
 is_visible = 1
@@ -9,7 +9,7 @@ label = SA-cim_vladiator
 [launcher]
 author = hire.vladimir@gmail.com
 description = https://github.com/hire-vladimir/SA-cim_vladiator
-version = 1.8.2
+version = 2.0.0
 [package]
 id = SA-cim_vladiator
From e1294a05fab48840df4f6b9992c5429ad5c9cd7a Mon Sep 17 00:00:00 2001
From: annettefo
Date: Fri, 23 Feb 2024 14:57:35 -0800
Subject: [PATCH 09/28] Update macros.conf Add tags to endpoint, hr data, asset macro
---
 default/macros.conf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/default/macros.conf b/default/macros.conf
index 9143ccf..61def3c 100644
--- a/default/macros.conf
+++ b/default/macros.conf
@@ -1,8 +1,8 @@
 [uba_cim_asset_data]
-definition = index=main
+definition = index=main tag=asset
 [uba_cim_hr_data]
-definition = index=main
+definition = index=main tag=hr
 [uba_cim_authentication_indexes]
 definition = index=main tag=authentication
@@ -74,4 +74,4 @@ definition = index=main tag=network tag=session tag=vpn tag=start definition = index=main tag=web tag=proxy [uba_cim_endpoint_indexes] -definition = index=main +definition = index=main tag=endpoint From 7a40c0ed25ab9c255ba608bdb109e3ea1985c536 Mon Sep 17 00:00:00 2001 From: annettefo Date: Fri, 23 Feb 2024 17:14:32 -0800 Subject: [PATCH 10/28] annette_replace_ips_10.x.x.x annette_replace_ips_10.x.x.x --- default/data/models/UBA_Asset_Data.json | 2 +- default/data/models/UBA_Authentication.json | 4 ++-- default/data/models/UBA_DHCP.json | 2 +- default/data/models/UBA_DLP.json | 4 ++-- default/data/models/UBA_DLP_Email.json | 4 ++-- default/data/models/UBA_DNS.json | 6 +++--- default/data/models/UBA_Database.json | 4 ++-- default/data/models/UBA_Email.json | 2 +- default/data/models/UBA_Endpoint_Filesystem.json | 6 +++--- default/data/models/UBA_Endpoint_Port.json | 6 +++--- default/data/models/UBA_Endpoint_Processes.json | 6 +++--- default/data/models/UBA_Endpoint_Registry.json | 6 +++--- default/data/models/UBA_Endpoint_Services.json | 6 +++--- default/data/models/UBA_External_Alarm.json | 4 ++-- default/data/models/UBA_Firewall.json | 8 ++++---- default/data/models/UBA_Host_AV.json | 2 +- default/data/models/UBA_IDS_IPS.json | 4 ++-- default/data/models/UBA_Printer.json | 2 +- default/data/models/UBA_VPN.json | 4 ++-- default/data/models/UBA_Web_Proxy.json | 4 ++-- 20 files changed, 43 insertions(+), 43 deletions(-) diff --git a/default/data/models/UBA_Asset_Data.json b/default/data/models/UBA_Asset_Data.json index 40b87a5..e3b26ca 100644 --- a/default/data/models/UBA_Asset_Data.json +++ b/default/data/models/UBA_Asset_Data.json @@ -280,7 +280,7 @@ "comment": { "data_type": "string", "description": "The IP address of the device. The field may contain multiple values. See\u00a0Configure asset ingestion for multi-valued fields.", - "expected_values": ["2.1.1.1"], + "expected_values": ["10.x.x.x"], "recommended": false }, "fieldName": "ip", 
diff --git a/default/data/models/UBA_Authentication.json b/default/data/models/UBA_Authentication.json index 6976602..1c675fb 100644 --- a/default/data/models/UBA_Authentication.json +++ b/default/data/models/UBA_Authentication.json @@ -65,7 +65,7 @@ "data_type": "string", "description": "The target involved in the authentication. You can alias this from more specific fields including\u00a0dest_ip\u00a0and\u00a0dest_host.", "recommended": true, - "expected_values": ["192.168.10.11", "winhost1"] + "expected_values": ["10.x.x.x", "winhost1"] }, "fieldName": "dest", "owner": "UBA_Authentication", @@ -135,7 +135,7 @@ "data_type": "string", "description": "The source involved in the authentication. In the case of endpoint protection authentication the src is the client. You can alias this from more specific fields including\u00a0src_ip\u00a0and\u00a0src_host.", "recommended": true, - "expected_values": ["192.168.10.12", "winhost2"] + "expected_values": ["10.x.x.x", "winhost2"] }, "fieldName": "src", "owner": "UBA_Authentication", diff --git a/default/data/models/UBA_DHCP.json b/default/data/models/UBA_DHCP.json index 78676ff..1a0f492 100644 --- a/default/data/models/UBA_DHCP.json +++ b/default/data/models/UBA_DHCP.json @@ -51,7 +51,7 @@ "description": "The assigned IP address.", "recommended": true, "expected_values": [ - "192.168.1.12" + "10.x.x.x" ] }, "fieldName": "dest_ip", diff --git a/default/data/models/UBA_DLP.json b/default/data/models/UBA_DLP.json index 45ae2d1..a51ef79 100644 --- a/default/data/models/UBA_DLP.json +++ b/default/data/models/UBA_DLP.json @@ -129,7 +129,7 @@ "data_type": "string", "description": "The IP address of the destination.", "expected_values": [ - "2.2.2.2" + "10.x.x.x" ], "recommended": false }, @@ -517,7 +517,7 @@ "data_type": "string", "description": "The source of the network traffic (the client requesting the connection).", "expected_values": [ - "10.10.10.12" + "10.x.x.x" ], "recommended": false }, 
diff --git a/default/data/models/UBA_DLP_Email.json b/default/data/models/UBA_DLP_Email.json index f341528..78295bb 100644 --- a/default/data/models/UBA_DLP_Email.json +++ b/default/data/models/UBA_DLP_Email.json @@ -129,7 +129,7 @@ "data_type": "string", "description": "The IP address of the destination.", "expected_values": [ - "2.2.2.2" + "10.x.x.x" ], "recommended": false }, @@ -517,7 +517,7 @@ "data_type": "string", "description": "The source of the network traffic (the client requesting the connection).", "expected_values": [ - "10.10.10.12" + "10.x.x.x" ], "recommended": false }, diff --git a/default/data/models/UBA_DNS.json b/default/data/models/UBA_DNS.json index f6ad52f..d589ba6 100644 --- a/default/data/models/UBA_DNS.json +++ b/default/data/models/UBA_DNS.json @@ -32,7 +32,7 @@ "description": "The resolved address for the query.", "recommended": true, "expected_values": [ - "12.13.14.15" + "10.x.x.x" ] }, "fieldName": "answer", @@ -51,7 +51,7 @@ "description": "The destination IP address of the network resolution event.", "recommended": false, "expected_values": [ - "192.168.1.14" + "10.x.x.x" ] }, "fieldName": "dest_ip", @@ -215,7 +215,7 @@ "description": "The source IP address of the network resolution event.", "recommended": true, "expected_values": [ - "192.168.1.11" + "10.x.x.x" ] }, "fieldName": "src_ip", diff --git a/default/data/models/UBA_Database.json b/default/data/models/UBA_Database.json index 56b9e8e..572e4a1 100644 --- a/default/data/models/UBA_Database.json +++ b/default/data/models/UBA_Database.json @@ -132,7 +132,7 @@ "description": "The IP address of the destination.", "recommended": false, "expected_values": [ - "2.2.2.2" + "10.x.x.x" ] }, "fieldName": "dest_ip", @@ -341,7 +341,7 @@ "description": "The IP address of the source server of the database event.", "recommended": false, "expected_values": [ - "10.10.10.12" + "10.x.x.x" ] }, "fieldName": "src_ip", 
diff --git a/default/data/models/UBA_Email.json b/default/data/models/UBA_Email.json index d6e20ff..e73afb0 100644 --- a/default/data/models/UBA_Email.json +++ b/default/data/models/UBA_Email.json @@ -169,7 +169,7 @@ "description": "The system that sent the message. You can alias this from more specific fields, such as\u00a0src_host,\u00a0src_ip, or\u00a0src_name.", "recommended": false, "expected_values": [ - "11.12.13.14" + "10.x.x.x" ] }, "fieldName": "src", diff --git a/default/data/models/UBA_Endpoint_Filesystem.json b/default/data/models/UBA_Endpoint_Filesystem.json index 7843c65..a603069 100644 --- a/default/data/models/UBA_Endpoint_Filesystem.json +++ b/default/data/models/UBA_Endpoint_Filesystem.json @@ -110,7 +110,7 @@ "description": "IP address of the endpoint where the activity happened.", "recommended": false, "expected_values": [ - "1.1.1.1" + "10.x.x.x" ] }, "fieldName": "dest_ip", @@ -167,7 +167,7 @@ "description": "IP address of the endpoint where the activity happened.", "recommended": false, "expected_values": [ - "1.1.1.1" + "10.x.x.x" ] }, "fieldName": "endpoint_ip", @@ -513,7 +513,7 @@ "description": "The IP address of the \"remote\" system connected to the listening port (if applicable).", "recommended": false, "expected_values": [ - "2.2.2.2" + "10.x.x.x" ] }, "fieldName": "src_ip", diff --git a/default/data/models/UBA_Endpoint_Port.json b/default/data/models/UBA_Endpoint_Port.json index 8b3bede..04b05f7 100644 --- a/default/data/models/UBA_Endpoint_Port.json +++ b/default/data/models/UBA_Endpoint_Port.json @@ -148,7 +148,7 @@ "description": "IP address of the endpoint where the activity happened.", "recommended": false, "expected_values": [ - "1.1.1.1" + "10.x.x.x" ] }, "fieldName": "dest_ip", @@ -224,7 +224,7 @@ "description": "IP address of the endpoint where the activity happened.", "recommended": false, "expected_values": [ - "1.1.1.1" + "10.x.x.x" ] }, "fieldName": "endpoint_ip", 
@@ -494,7 +494,7 @@ "description": "The IP address of the \"remote\" system connected to the listening port (if applicable).", "recommended": false, "expected_values": [ - "2.2.2.2" + "10.x.x.x" ] }, "fieldName": "src_ip", diff --git a/default/data/models/UBA_Endpoint_Processes.json b/default/data/models/UBA_Endpoint_Processes.json index e530f30..ee772af 100644 --- a/default/data/models/UBA_Endpoint_Processes.json +++ b/default/data/models/UBA_Endpoint_Processes.json @@ -110,7 +110,7 @@ "description": "IP address of the endpoint where the activity happened.", "recommended": false, "expected_values": [ - "1.1.1.1" + "10.x.x.x" ] }, "fieldName": "dest_ip", @@ -167,7 +167,7 @@ "description": "IP address of the endpoint where the activity happened.", "recommended": false, "expected_values": [ - "1.1.1.1" + "10.x.x.x" ] }, "fieldName": "endpoint_ip", @@ -630,7 +630,7 @@ "description": "The IP address of the \"remote\" system connected to the listening port (if applicable).", "recommended": false, "expected_values": [ - "2.2.2.2" + "10.x.x.x" ] }, "fieldName": "src_ip", diff --git a/default/data/models/UBA_Endpoint_Registry.json b/default/data/models/UBA_Endpoint_Registry.json index f7097d2..55e9b7f 100644 --- a/default/data/models/UBA_Endpoint_Registry.json +++ b/default/data/models/UBA_Endpoint_Registry.json @@ -110,7 +110,7 @@ "description": "IP address of the endpoint where the activity happened.", "recommended": false, "expected_values": [ - "1.1.1.1" + "10.x.x.x" ] }, "fieldName": "dest_ip", @@ -167,7 +167,7 @@ "description": "IP address of the endpoint where the activity happened.", "recommended": false, "expected_values": [ - "1.1.1.1" + "10.x.x.x" ] }, "fieldName": "endpoint_ip", @@ -524,7 +524,7 @@ "description": "The IP address of the \"remote\" system connected to the listening port (if applicable).", "recommended": false, "expected_values": [ - "2.2.2.2" + "10.x.x.x" ] }, "fieldName": "src_ip", 
diff --git a/default/data/models/UBA_Endpoint_Services.json b/default/data/models/UBA_Endpoint_Services.json index 4fc8213..f35bacd 100644 --- a/default/data/models/UBA_Endpoint_Services.json +++ b/default/data/models/UBA_Endpoint_Services.json @@ -129,7 +129,7 @@ "description": "IP address of the endpoint where the activity happened.", "recommended": false, "expected_values": [ - "1.1.1.1" + "10.x.x.x" ] }, "fieldName": "dest_ip", @@ -186,7 +186,7 @@ "description": "IP address of the endpoint where the activity happened.", "recommended": false, "expected_values": [ - "1.1.1.1" + "10.x.x.x" ] }, "fieldName": "endpoint_ip", @@ -591,7 +591,7 @@ "description": "The IP address of the \"remote\" system connected to the listening port (if applicable).", "recommended": false, "expected_values": [ - "2.2.2.2" + "10.x.x.x" ] }, "fieldName": "src_ip", diff --git a/default/data/models/UBA_External_Alarm.json b/default/data/models/UBA_External_Alarm.json index 809dab1..69efe60 100644 --- a/default/data/models/UBA_External_Alarm.json +++ b/default/data/models/UBA_External_Alarm.json @@ -130,7 +130,7 @@ "description": "The IP address of the destination.", "recommended": false, "expected_values": [ - "2.2.2.2" + "10.x.x.x" ] }, "fieldName": "dest_ip", @@ -285,7 +285,7 @@ "description": "The source of the network traffic, such as the client requesting the connection.", "recommended": false, "expected_values": [ - "10.10.10.12" + "10.x.x.x" ] }, "fieldName": "src_ip", diff --git a/default/data/models/UBA_Firewall.json b/default/data/models/UBA_Firewall.json index d775702..3d7fac1 100644 --- a/default/data/models/UBA_Firewall.json +++ b/default/data/models/UBA_Firewall.json @@ -147,7 +147,7 @@ "description": "The IP address of the destination.", "recommended": true, "expected_values": [ - "2.2.2.2" + "10.x.x.x" ] }, "fieldName": "dest_ip", 
@@ -185,7 +185,7 @@ "description": "The NATed IPv4 or IPv6 address to which a packet is sent.", "recommended": false, "expected_values": [ - "192.168.1.12" + "10.x.x.x" ] }, "fieldName": "dest_translated_ip", @@ -356,7 +356,7 @@ "description": "The source of the network traffic, such as the client requesting the connection.", "recommended": true, "expected_values": [ - "10.10.10.12" + "1.x.x.x" ] }, "fieldName": "src_ip", @@ -394,7 +394,7 @@ "description": "The NATed IPv4 or IPv6 address from which a packet is sent.", "recommended": false, "expected_values": [ - "192.168.1.11" + "10.x.x.x" ] }, "fieldName": "src_translated_ip", diff --git a/default/data/models/UBA_Host_AV.json b/default/data/models/UBA_Host_AV.json index 68edbd9..db102d0 100644 --- a/default/data/models/UBA_Host_AV.json +++ b/default/data/models/UBA_Host_AV.json @@ -110,7 +110,7 @@ "description": "The IP address of the system that was affected by the malware event.", "recommended": true, "expected_values": [ - "2.2.2.2" + "10.x.x.x" ] }, "fieldName": "dest_ip", diff --git a/default/data/models/UBA_IDS_IPS.json b/default/data/models/UBA_IDS_IPS.json index ede7267..b8b0953 100644 --- a/default/data/models/UBA_IDS_IPS.json +++ b/default/data/models/UBA_IDS_IPS.json @@ -166,7 +166,7 @@ "data_type": "string", "description": "The IP address of the destination.", "expected_values": [ - "2.2.2.2" + "10.x.x.x" ], "recommended": true }, @@ -361,7 +361,7 @@ "data_type": "string", "description": "The source of the network traffic (the client requesting the connection).", "expected_values": [ - "10.10.10.12" + "10.x.x.x" ], "recommended": true }, diff --git a/default/data/models/UBA_Printer.json b/default/data/models/UBA_Printer.json index 8c81fc0..8575c31 100644 --- a/default/data/models/UBA_Printer.json +++ b/default/data/models/UBA_Printer.json 
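Review bot: `src_ip` in UBA_Firewall gets `"1.x.x.x"` while every other hunk in this commit uses `"10.x.x.x"`, so the placeholder is inconsistent, and neither string is a syntactically valid address, which matters if anything that consumes `expected_values` (a regex check, generated docs) treats it as a sample IP. The RFC 5737 documentation ranges are the right tool for "looks real but is guaranteed not to be anyone's host": `"expected_values": ["192.0.2.10"]` for `src_ip` and `["203.0.113.5"]` for `dest_ip`, keeping a 10.0.0.0/8 sample only where the field is explicitly a private or NATed address such as `dest_translated_ip`. Whether `expected_values` feeds validator logic or only documentation cannot be confirmed from these hunks.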
@@ -314,7 +314,7 @@ "data_type": "string", "description": "The IP address of the device that submitted the printer job.", "expected_values": [ - "10.11.12.13" + "10.x.x.x" ], "recommended": false }, diff --git a/default/data/models/UBA_VPN.json b/default/data/models/UBA_VPN.json index 13cb8d1..91bcd3f 100644 --- a/default/data/models/UBA_VPN.json +++ b/default/data/models/UBA_VPN.json @@ -89,7 +89,7 @@ "description": "The IP address of the destination device.", "recommended": false, "expected_values": [ - "192.168.1.2" + "10.x.x.x" ] }, "fieldName": "dest_ip", @@ -163,7 +163,7 @@ "description": "The IP address of the originator of the request.", "recommended": true, "expected_values": [ - "11.12.13.14" + "10.x.x.x" ] }, "fieldName": "src_ip", diff --git a/default/data/models/UBA_Web_Proxy.json b/default/data/models/UBA_Web_Proxy.json index f4e9e6f..73e4294 100644 --- a/default/data/models/UBA_Web_Proxy.json +++ b/default/data/models/UBA_Web_Proxy.json @@ -128,7 +128,7 @@ "description": "The IP address of the remote host.", "recommended": false, "expected_values": [ - "2.2.2.2" + "10.x.x.x" ] }, "fieldName": "dest_ip", @@ -297,7 +297,7 @@ "description": "The source of the network traffic, such as the client requesting the connection.", "recommended": true, "expected_values": [ - "10.10.10.12" + "10.x.x.x" ] }, "fieldName": "src_ip", From d6e312619df78d965f715cc726dd9c86b44ae6a6 Mon Sep 17 00:00:00 2001 From: annettefo Date: Mon, 26 Feb 2024 11:10:11 -0800 Subject: [PATCH 11/28] Update UBA_Badge.json update_recommended_fields --- default/data/models/UBA_Badge.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/default/data/models/UBA_Badge.json b/default/data/models/UBA_Badge.json index 35c1c76..4dab557 100644 --- a/default/data/models/UBA_Badge.json +++ b/default/data/models/UBA_Badge.json 
@@ -111,7 +111,7 @@
 "data_type": "string",
 "description": "The location of the building.",
 "expected_values": ["123 Main Street"],
- "recommended": false
+ "recommended": true
 },
 "fieldName": "site_name",
 "owner": "UBA_Badge",
@@ -169,7 +169,7 @@
 "data_type": "string",
 "description": "The user involved in this badge access event.",
 "expected_values": ["cronaldo"],
- "recommended": false
+ "recommended": true
 },
 "fieldName": "user",
 "owner": "UBA_Badge",
@@ -212,4 +212,4 @@
 "objectNameList": [
 "UBA_Badge"
 ]
-}
\ No newline at end of file
+}
From 0942045186d2337c543e950dfdcdde46827a304e Mon Sep 17 00:00:00 2001 From: annettefo Date: Mon, 26 Feb 2024 13:55:18 -0800 Subject: [PATCH 12/28] Update UBA_Email.json Feedback from docs to update splunk.com documentation
---
default/data/models/UBA_Email.json | 40 +++++++++++++++++++++++++++++- 1 file changed, 39 insertions(+), 1 deletion(-)
diff --git a/default/data/models/UBA_Email.json b/default/data/models/UBA_Email.json
index e73afb0..2a149c9 100644
--- a/default/data/models/UBA_Email.json
+++ b/default/data/models/UBA_Email.json
@@ -26,6 +26,44 @@
 "displayName": "_time",
 "comment": ""
 },
+ {
+ "comment": {
+ "data_type": "string",
+ "description": "The email direction, based on the sender. If the sender is an internal employee, then the email is considered outbound. If the sender is not an internal employee, then the email is considered inbound.",
+ "recommended": true,
+ "expected_values": [
+ "inbound", "outbound"
+ ]
+ },
+ "fieldName": "direction",
+ "owner": "UBA_Email",
+ "type": "string",
+ "fieldSearch": "direction=*",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "direction"
+ },
+ {
+ "comment": {
+ "data_type": "string",
+ "description": "The type of the event.",
+ "recommended": true,
+ "expected_values": [
+ "stream_email(email)"
+ ]
+ },
+ "fieldName": "eventtype",
+ "owner": "UBA_Email",
+ "type": "string",
+ "fieldSearch": "eventtype=*",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "eventtype"
+ },
 {
 "comment": {
 "data_type": "string",
@@ -254,4 +292,4 @@
 "objectNameList": [
 "UBA_Email"
 ]
-}
\ No newline at end of file
+}
From 915f77d866c4a7fc8c2313dc86bc21e8b1d76dc0 Mon Sep 17 00:00:00 2001 From: annettefo Date: Mon, 26 Feb 2024 14:22:00 -0800 Subject: [PATCH 13/28] Update UBA_External_Alarm.json alarmCategories was missing because of below filter. changed to lowercase. | where NOT match(field, "_time|^host$|sourcetype|source|[A-Z]+|_bunit|_category|_priority|_requires_av|_should_update") OR match(field, "object_category")
---
default/data/models/UBA_External_Alarm.json | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/default/data/models/UBA_External_Alarm.json b/default/data/models/UBA_External_Alarm.json
index 69efe60..616b851 100644
--- a/default/data/models/UBA_External_Alarm.json
+++ b/default/data/models/UBA_External_Alarm.json
@@ -56,15 +56,15 @@
 "Exfiltration"
 ]
 },
- "fieldName": "alarmCategories",
+ "fieldName": "alarmcategories",
 "owner": "UBA_External_Alarm",
 "type": "string",
- "fieldSearch": "alarmCategories=*",
+ "fieldSearch": "alarmcategories=*",
 "required": true,
 "multivalue": false,
 "hidden": false,
 "editable": true,
- "displayName": "alarmCategories"
+ "displayName": "alarmcategories"
 },
 {
 "comment": {
@@ -388,4 +388,4 @@
 "objectNameList": [
 "UBA_External_Alarm"
 ]
-}
\ No newline at end of file
+}
From bf625716a72eb5a4e294a8857a9aca45ea3cb64a Mon Sep 17 00:00:00 2001 From: annettefo Date: Mon, 26 Feb 2024 14:25:32 -0800 Subject: [PATCH 14/28] Update UBA_Host_AV.json alarmCategories was missing because of below filter. changed to lowercase. | where NOT match(field, "_time|^host$|sourcetype|source|[A-Z]+|_bunit|_category|_priority|_requires_av|_should_update") OR match(field, "object_category")
---
default/data/models/UBA_Host_AV.json | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/default/data/models/UBA_Host_AV.json b/default/data/models/UBA_Host_AV.json
index db102d0..a91dd41 100644
--- a/default/data/models/UBA_Host_AV.json
+++ b/default/data/models/UBA_Host_AV.json
@@ -55,15 +55,15 @@
 "Exfiltration"
 ]
 },
- "fieldName": "alarmCategories",
+ "fieldName": "alarmcategories",
 "owner": "UBA_Host_AV",
 "type": "string",
- "fieldSearch": "alarmCategories=*",
+ "fieldSearch": "alarmcategories=*",
 "required": false,
 "multivalue": false,
 "hidden": false,
 "editable": true,
- "displayName": "alarmCategories"
+ "displayName": "alarmcategories"
 },
 {
 "comment": {
@@ -370,4 +370,4 @@
 "objectNameList": [
 "UBA_Host_AV"
 ]
-}
\ No newline at end of file
+}
From 812a02b98c12624df461fd781b7badefc00fabd4 Mon Sep 17 00:00:00 2001
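Review bot: Renaming `alarmCategories` to `alarmcategories` in `fieldName`, `fieldSearch` and `displayName` changes which field the validator looks for in ingested events, and Splunk field names are case-sensitive, so a source that emits `alarmCategories` (the spelling the commit message itself uses) will now be reported as missing the field even though it is present; with `"required": true` in the UBA_External_Alarm hunk that is a false failure for the whole model. The filter quoted in the description drops any field containing an uppercase letter via `[A-Z]+`, which is far broader than the internal names around it, so the safer fix is to narrow that dashboard filter and keep `"fieldName": "alarmCategories"` / `"fieldSearch": "alarmCategories=*"` here. If UBA genuinely ingests the lowercase spelling, the description should say so, otherwise the rename is untraceable.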
From: annettefo Date: Mon, 26 Feb 2024 14:26:07 -0800 Subject: [PATCH 15/28] Update UBA_IDS_IPS.json alarmCategories was missing because of below filter. changed to lowercase. | where NOT match(field, "_time|^host$|sourcetype|source|[A-Z]+|_bunit|_category|_priority|_requires_av|_should_update") OR match(field, "object_category") --- default/data/models/UBA_IDS_IPS.json | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/default/data/models/UBA_IDS_IPS.json b/default/data/models/UBA_IDS_IPS.json index b8b0953..cbe2137 100644 --- a/default/data/models/UBA_IDS_IPS.json +++ b/default/data/models/UBA_IDS_IPS.json @@ -55,15 +55,15 @@ ], "recommended": true }, - "fieldName": "alarmCategories", + "fieldName": "alarmcategories", "owner": "UBA_IDS_IPS", "type": "string", - "fieldSearch": "alarmCategories=*", + "fieldSearch": "alarmcategories=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "alarmCategories" + "displayName": "alarmcategories" }, { "comment": { @@ -447,4 +447,4 @@ "objectNameList": [ "UBA_IDS_IPS" ] -} \ No newline at end of file +} From b70c81d8e6c1795c3889dff9681862495eaf59e9 Mon Sep 17 00:00:00 2001 From: annettefo Date: Mon, 26 Feb 2024 14:40:05 -0800 Subject: [PATCH 16/28] Update UBA_HR_Data.json Update casing to accomdate filter: | where NOT match(field, "_time|^host$|sourcetype|source|[A-Z]+|_bunit|_category|_priority|_requires_av|_should_update") OR match(field, "object_category") --- default/data/models/UBA_HR_Data.json | 150 +++++++++++++-------------- 1 file changed, 75 insertions(+), 75 deletions(-) diff --git a/default/data/models/UBA_HR_Data.json b/default/data/models/UBA_HR_Data.json index fbedbbe..9791fb1 100644 --- a/default/data/models/UBA_HR_Data.json +++ b/default/data/models/UBA_HR_Data.json 
@@ -23,15 +23,15 @@ ], "recommended": false }, - "fieldName": "MiddleName", + "fieldName": "middlename", "owner": "UBA_HR_Data", "type": "string", - "fieldSearch": "MiddleName=*", + "fieldSearch": "middlename=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "MiddleName" + "displayName": "middlename" }, { "comment": { @@ -43,15 +43,15 @@ ], "recommended": false }, - "fieldName": "UAC", + "fieldName": "uac", "owner": "UBA_HR_Data", "type": "string", - "fieldSearch": "UAC=*", + "fieldSearch": "uac=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "UAC" + "displayName": "uac" }, { "fieldName": "_time", @@ -74,15 +74,15 @@ ], "recommended": false }, - "fieldName": "accountExpires", + "fieldName": "accountexpires", "owner": "UBA_HR_Data", "type": "string", - "fieldSearch": "accountExpires=*", + "fieldSearch": "accountexpires=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "accountExpires" + "displayName": "accountexpires" }, { "comment": { @@ -154,15 +154,15 @@ ], "recommended": false }, - "fieldName": "departingUser", + "fieldName": "departinguser", "owner": "UBA_HR_Data", "type": "string", - "fieldSearch": "departingUser=*", + "fieldSearch": "departinguser=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "departingUser" + "displayName": "departinguser" }, { "comment": { @@ -192,15 +192,15 @@ ], "recommended": false }, - "fieldName": "displayName", + "fieldName": "displayname", "owner": "UBA_HR_Data", "type": "string", - "fieldSearch": "displayName=*", + "fieldSearch": "displayname=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "displayName" + "displayName": "displayname" }, { "comment": { 
@@ -211,15 +211,15 @@ ], "recommended": false }, - "fieldName": "domainLoginId", + "fieldName": "domainloginid", "owner": "UBA_HR_Data", "type": "string", - "fieldSearch": "domainLoginId=*", + "fieldSearch": "domainloginid=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "domainLoginId" + "displayName": "domainloginid" }, { "comment": { @@ -249,15 +249,15 @@ ], "recommended": false }, - "fieldName": "employeeType", + "fieldName": "employeetype", "owner": "UBA_HR_Data", "type": "string", - "fieldSearch": "employeeType=*", + "fieldSearch": "employeetype=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "employeeType" + "displayName": "employeetype" }, { "comment": { @@ -266,7 +266,7 @@ "expected_values": [ "Shruti" ], - "recommended": false + "recommended": true }, "fieldName": "firstname", "owner": "UBA_HR_Data", @@ -287,15 +287,15 @@ ], "recommended": true }, - "fieldName": "givenName", + "fieldName": "givenname", "owner": "UBA_HR_Data", "type": "string", - "fieldSearch": "givenName=*", + "fieldSearch": "givenname=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "givenName" + "displayName": "givenname" }, { "comment": { @@ -327,15 +327,15 @@ ], "recommended": false }, - "fieldName": "highRiskUser", + "fieldName": "highriskuser", "owner": "UBA_HR_Data", "type": "boolean", - "fieldSearch": "highRiskUser=*", + "fieldSearch": "highriskuser=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "highRiskUser" + "displayName": "highriskuser" }, { "comment": { 
@@ -346,15 +346,15 @@ ], "recommended": false }, - "fieldName": "hireDate", + "fieldName": "hiredate", "owner": "UBA_HR_Data", "type": "string", - "fieldSearch": "hireDate=*", + "fieldSearch": "hiredate=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "hireDate" + "displayName": "hiredate" }, { "fieldName": "host", @@ -454,15 +454,15 @@ ], "recommended": false }, - "fieldName": "lastLogonTimestamp", + "fieldName": "lastlogontimestamp", "owner": "UBA_HR_Data", "type": "string", - "fieldSearch": "lastLogonTimestamp=*", + "fieldSearch": "lastlogontimestamp=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "lastLogonTimestamp" + "displayName": "lastlogontimestamp" }, { "comment": { @@ -492,7 +492,7 @@ ], "recommended": false }, - "fieldName": "loginId", + "fieldName": "loginid", "owner": "UBA_HR_Data", "type": "string", "fieldSearch": "loginId=*", @@ -569,15 +569,15 @@ ], "recommended": false }, - "fieldName": "memberOf", + "fieldName": "memberof", "owner": "UBA_HR_Data", "type": "string", - "fieldSearch": "memberOf=*", + "fieldSearch": "memberof=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "memberOf" + "displayName": "memberof" }, { "comment": { @@ -589,15 +589,15 @@ ], "recommended": false }, - "fieldName": "onPIP", + "fieldName": "onpip", "owner": "UBA_HR_Data", "type": "boolean", - "fieldSearch": "onPIP=*", + "fieldSearch": "onpip=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "onPIP" + "displayName": "onpip" }, { "comment": { 
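Review bot: In the `@@ -492,7 +492,7 @@` hunk only `fieldName` is lowercased to `loginid` while the context line still reads `"fieldSearch": "loginId=*"` (and `displayName`, outside the hunk, presumably still `loginId`), so the search the validator runs and the field it reports on no longer name the same Splunk field and a data set with either spelling gives a misleading result. Every other rename in this commit changes all three keys together; this one should too: `"fieldSearch": "loginid=*"` and `"displayName": "loginid"`. Because Splunk field names are case-sensitive, whichever spelling is chosen must match what the HR feed actually emits.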
@@ -609,15 +609,15 @@ ], "recommended": false }, - "fieldName": "onPerformanceImprovementPlan", + "fieldName": "onperformanceimprovementplan", "owner": "UBA_HR_Data", "type": "boolean", - "fieldSearch": "onPerformanceImprovementPlan=*", + "fieldSearch": "onperformanceimprovementplan=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "onPerformanceImprovementPlan" + "displayName": "onperformanceimprovementplan" }, { "comment": { @@ -666,15 +666,15 @@ ], "recommended": false }, - "fieldName": "postalCode", + "fieldName": "postalcode", "owner": "UBA_HR_Data", "type": "string", - "fieldSearch": "postalCode=*", + "fieldSearch": "postalcode=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "postalCode" + "displayName": "postalcode" }, { "comment": { @@ -685,15 +685,15 @@ ], "recommended": false }, - "fieldName": "preferredName", + "fieldName": "preferredname", "owner": "UBA_HR_Data", "type": "string", - "fieldSearch": "preferredName=*", + "fieldSearch": "preferredname=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "preferredName" + "displayName": "preferredname" }, { "comment": { @@ -704,15 +704,15 @@ ], "recommended": true }, - "fieldName": "sAMAccountName", + "fieldName": "samaccountname", "owner": "UBA_HR_Data", "type": "string", - "fieldSearch": "sAMAccountName=*", + "fieldSearch": "samaccountname=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "sAMAccountName" + "displayName": "samaccountname" }, { "comment": { 
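Review bot: `sAMAccountName` (and `userPrincipalName` later in this commit) are Active Directory attribute names that directory inputs emit in exactly that casing, so `"fieldSearch": "samaccountname=*"` will not match events carrying `sAMAccountName` unless a lowercase alias exists, and the validator would flag a recommended field as absent in a correctly onboarded AD feed. If the lowercase names are kept, the mapping needs to live somewhere visible, e.g. a `FIELDALIAS-samaccountname = sAMAccountName AS samaccountname` in props.conf for the HR sourcetype, or a sentence in `description` (outside this hunk) stating that UBA is expected to deliver the field already lower-cased. Otherwise keep `"fieldName": "sAMAccountName"` and fix the dashboard filter instead.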
@@ -842,15 +842,15 @@ ], "recommended": false }, - "fieldName": "streetAddress", + "fieldName": "streetaddress", "owner": "UBA_HR_Data", "type": "string", - "fieldSearch": "streetAddress=*", + "fieldSearch": "streetaddress=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "streetAddress" + "displayName": "streetaddress" }, { "comment": { @@ -861,15 +861,15 @@ ], "recommended": false }, - "fieldName": "telephoneNumber", + "fieldName": "telephonenumber", "owner": "UBA_HR_Data", "type": "string", - "fieldSearch": "telephoneNumber=*", + "fieldSearch": "telephonenumber=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "telephoneNumber" + "displayName": "telephonenumber" }, { "comment": { @@ -881,15 +881,15 @@ ], "recommended": false }, - "fieldName": "terminatedUser", + "fieldName": "terminateduser", "owner": "UBA_HR_Data", "type": "boolean", - "fieldSearch": "terminatedUser=*", + "fieldSearch": "terminateduser=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "terminatedUser" + "displayName": "terminateduser" }, { "comment": { @@ -901,15 +901,15 @@ ], "recommended": false }, - "fieldName": "terminationDate", + "fieldName": "terminationdate", "owner": "UBA_HR_Data", "type": "string", - "fieldSearch": "terminationDate=*", + "fieldSearch": "terminationdate=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "terminationDate" + "displayName": "terminationdate" }, { "comment": { @@ -961,15 +961,15 @@ ], "recommended": false }, - "fieldName": "userAccountControl", + "fieldName": "useraccountcontrol", "owner": "UBA_HR_Data", "type": "string", - "fieldSearch": "userAccountControl=*", + "fieldSearch": "useraccountcontrol=*", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "userAccountControl" + "displayName": "useraccountcontrol" }, { "comment": { 
@@ -980,15 +980,15 @@
 ],
 "recommended": false
 },
- "fieldName": "userPrincipalName",
+ "fieldName": "userprincipalname",
 "owner": "UBA_HR_Data",
 "type": "string",
- "fieldSearch": "userPrincipalName=*",
+ "fieldSearch": "userprincipalname=*",
 "required": false,
 "multivalue": false,
 "hidden": false,
 "editable": true,
- "displayName": "userPrincipalName"
+ "displayName": "userprincipalname"
 },
 {
 "comment": {
@@ -999,15 +999,15 @@
 ],
 "recommended": false
 },
- "fieldName": "userType",
+ "fieldName": "usertype",
 "owner": "UBA_HR_Data",
 "type": "string",
- "fieldSearch": "userType=*",
+ "fieldSearch": "usertype=*",
 "required": false,
 "multivalue": false,
 "hidden": false,
 "editable": true,
- "displayName": "userType"
+ "displayName": "usertype"
 },
 {
 "comment": {
@@ -1042,4 +1042,4 @@
 "objectNameList": [
 "UBA_HR_Data"
 ]
-}
\ No newline at end of file
+}
From 3a0624a7768136fbe29ac0e3ecc24afe29979a14 Mon Sep 17 00:00:00 2001
From: annettefo
Date: Mon, 26 Feb 2024 14:44:59 -0800
Subject: [PATCH 17/28] Update UBA_HR_Data.json recommended fields update ou and middlename
---
 default/data/models/UBA_HR_Data.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/default/data/models/UBA_HR_Data.json b/default/data/models/UBA_HR_Data.json
index 9791fb1..a863e2d 100644
--- a/default/data/models/UBA_HR_Data.json
+++ b/default/data/models/UBA_HR_Data.json
@@ -21,7 +21,7 @@
 "expected_values": [
 "Michelle"
 ],
- "recommended": false
+ "recommended": true
 },
 "fieldName": "middlename",
 "owner": "UBA_HR_Data",
@@ -74,7 +74,7 @@
 ],
 "recommended": false
 },
- "fieldName": "accountexpires",
+ "fieldName": "accntexpires",
 "owner": "UBA_HR_Data",
 "type": "string",
 "fieldSearch": "accountexpires=*",
@@ -626,7 +626,7 @@
 "expected_values": [
 "Organizational unit (department) or business unit of the user."
 ],
- "recommended": false
+ "recommended": true
 },
 "fieldName": "ou",
 "owner": "UBA_HR_Data",
From c1dfd2e174053efe0fb6f3c864817074c6dc59f8 Mon Sep 17 00:00:00 2001
From: annettefo
Date: Mon, 26 Feb 2024 14:51:50 -0800
Subject: [PATCH 18/28] Update UBA_HR_Data.json accountexpires field Typo
---
 default/data/models/UBA_HR_Data.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/default/data/models/UBA_HR_Data.json b/default/data/models/UBA_HR_Data.json
index a863e2d..9c6c149 100644
--- a/default/data/models/UBA_HR_Data.json
+++ b/default/data/models/UBA_HR_Data.json
@@ -74,7 +74,7 @@
 ],
 "recommended": false
 },
- "fieldName": "accntexpires",
+ "fieldName": "accountexpires",
 "owner": "UBA_HR_Data",
 "type": "string",
 "fieldSearch": "accountexpires=*",
From 1a45a5eaf85a3b8e3175c43b749145538b6bb6c7 Mon Sep 17 00:00:00 2001
From: annettefo
Date: Mon, 26 Feb 2024 14:56:10 -0800
Subject: [PATCH 19/28] Update UBA_Asset_Data.json Update casing to accomodate filter: | where NOT match(field, "_time|^host$|sourcetype|source|[A-Z]+|_bunit|_category|_priority|_requires_av|_should_update") OR match(field, "object_category")
---
 default/data/models/UBA_Asset_Data.json | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/default/data/models/UBA_Asset_Data.json b/default/data/models/UBA_Asset_Data.json
index e3b26ca..e8de490 100644
--- a/default/data/models/UBA_Asset_Data.json
+++ b/default/data/models/UBA_Asset_Data.json
@@ -152,15 +152,15 @@
 "expected_values": ["TRUE","FALSE"],
 "recommended": true
 },
- "fieldName": "denyListDeviceIr",
+ "fieldName": "denylistdeviceir",
 "owner": "UBA_Asset_Data",
 "type": "boolean",
- "fieldSearch": "denyListDeviceIr=*",
+ "fieldSearch": "denylistdeviceir=*",
 "required": false,
 "multivalue": false,
 "hidden": false,
 "editable": true,
- "displayName": "denyListDeviceIr"
+ "displayName": "denylistdeviceir"
 },
 {
 "comment": {
@@ -169,15 +169,15 @@
 "expected_values": ["TRUE","FALSE"],
 "recommended": true
 },
- "fieldName": "denyListUserIr",
+ "fieldName": "denylistuserir",
 "owner": "UBA_Asset_Data",
 "type": "boolean",
- "fieldSearch": "denyListUserIr=*",
+ "fieldSearch": "denylistuserir=*",
 "required": false,
 "multivalue": false,
 "hidden": false,
 "editable": true,
- "displayName": "denyListUserIr"
+ "displayName": "denylistuserir"
 },
 {
 "comment": {
@@ -569,4 +569,4 @@
 "objectNameList": [
 "UBA_Asset_Data"
 ]
-}
\ No newline at end of file
+}
From e067eff6f8b905b2eb43a7a32e054e67da48a6f9 Mon Sep 17 00:00:00 2001
From: vladimir
Date: Wed, 28 Feb 2024 09:48:45 -0500
Subject: [PATCH 20/28] Update README.md fix typo
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 53f72c6..720c4ab 100644
--- a/README.md
+++ b/README.md
@@ -19,7 +19,7 @@ App installation can be completed using the self-service capabilities. Documenta
 ![CIM validator](https://raw.githubusercontent.com/hire-vladimir/SA-cim_vladiator/master/static/screenshot1.png)
 
 ## System requirements
-App was developed for use with Splunk Enterprise and Splunk Cloud8.x+, 9.x+
+App was developed for use with Splunk Enterprise and Splunk Cloud 8.x+, 9.x+
 
 # Special Thanks
 Thank you to Lowell Alleman for python3 support, Annette Quach for UBA support.
From a21624252aa76fcb57471bfee9b8900e157b1f4f Mon Sep 17 00:00:00 2001
From: hire-vladimir
Date: Fri, 15 Mar 2024 13:30:35 +0000
Subject: [PATCH 21/28] recommended field can come from lookup or DM schema
---
 default/data/ui/views/cim_validator.xml | 34 +++++++++++++++++++++++--
 1 file changed, 32 insertions(+), 2 deletions(-)
diff --git a/default/data/ui/views/cim_validator.xml b/default/data/ui/views/cim_validator.xml
index d20b18b..c772cef 100644
--- a/default/data/ui/views/cim_validator.xml
+++ b/default/data/ui/views/cim_validator.xml
@@ -1,7 +1,37 @@
- | datamodel $dm$ | spath | rex max_match=999 "fieldName\":\"(?<field>[^\"]+)" | stats values(field) as field by modelName | rename modelName AS datamodel | mvexpand field | where NOT match(field, "_time|host|sourcetype|source|[A-Z]+|_bunit|_category|_priority|_requires_av|_should_update") OR match(field, "object_category") | join type=outer field [$search_type$ $cim_search$ | head $event_limit$ | fieldsummary maxvals=15 | eventstats max(count) AS total | eval percent_coverage=round(count/total*100, 2) | table field, percent_coverage, distinct_count, total, values] | spath input=values | rename {}.value AS sample_values {}.count AS sample_count distinct_count AS distinct_value_count total AS total_events | fillnull value=0 percent_coverage, distinct_value_count, total_events | mvmath field=sample_count field2=total_events | eval field_values=mvzip(mvmath_result, sample_values, " ") | lookup cim_validation_regex datamodel field OUTPUT validation_regex | mvrex showcount=t showunmatched=t field=sample_values validation_regex | eval is_cim_valid=case(total_events==0, "severe!!!no extracted values found", percent_coverage < 90, "elevated!!!event coverage less than 90%", mvrex_unmatched_count > 0, "elevated!!!found ".mvrex_unmatched_count." 
unexpected values (".mvjoin(mvrex_unmatched, ", ").")", isnull(validation_regex) OR validation_regex=="", "check!!!no validation regex was found to evaluate", 1==1, "low!!!looking good!") | lookup cim_validator_recommended_fields field OUTPUT is_recommended | eval ir=if(is_recommended=="true", "star", null()) | table ir, field, total_events, distinct_value_count, percent_coverage, field_values, is_cim_valid + | datamodel $dm$ | spath + | spath path=objects{}.fields{} output=v + | spath path=objects{}.calculations{}.outputFields{} output=u + | eval w=mvappend(v,u) + | fields - _raw | fields modelName w + | mvexpand w + | eval field=json_extract(w,"fieldName") + | eval recommended=json_extract(w,"comment.recommended"), recommended=if(match(recommended, "(?i)true|1"), "true", "false") + | rename modelName AS datamodel + | table datamodel, field, recommended + | where NOT match(field, "_time|^host$|sourcetype|source|[A-Z]+|_bunit|_category|_priority|_requires_av|_should_update") OR match(field, "object_category") + + | join type=outer field + [ $search_type$ $cim_search$ | head $event_limit$ + | fieldsummary maxvals=15 + | eventstats max(count) AS total + | eval percent_coverage=round(count/total*100, 2) + | table field, percent_coverage, distinct_count, total, values] + + | spath input=values + | rename {}.value AS sample_values {}.count AS sample_count distinct_count AS distinct_value_count total AS total_events + | fillnull value=0 percent_coverage, distinct_value_count, total_events + | mvmath field=sample_count field2=total_events + | eval field_values=mvzip(mvmath_result, sample_values, " ") + | lookup cim_validation_regex datamodel field OUTPUT validation_regex + | mvrex showcount=t showunmatched=t field=sample_values validation_regex + | eval is_cim_valid=case(total_events==0, "severe!!!no extracted values found", percent_coverage < 90, "elevated!!!event coverage less than 90%", mvrex_unmatched_count > 0, "elevated!!!found ".mvrex_unmatched_count." 
unexpected values (".mvjoin(mvrex_unmatched, ", ").")", isnull(validation_regex) OR validation_regex=="", "check!!!no validation regex was found to evaluate", 1==1, "low!!!looking good!") + | lookup cim_validator_recommended_fields field OUTPUT is_recommended + | eval ir=if(is_recommended=="true" OR recommended="true", "star", null()) + | table ir, field, total_events, distinct_value_count, percent_coverage, field_values, is_cim_valid + $timerange.earliest$ $timerange.latest$ @@ -150,7 +180,7 @@
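Review bot: The rewritten filter `| where NOT match(field, "_time|^host$|sourcetype|source|[A-Z]+|_bunit|...")` anchors only `host`; `source`, `sourcetype`, `_time` and the `[A-Z]+` clause remain unanchored substring matches, so any model field whose name merely contains those substrings (a `source_*` or `*_source` field, or one with any capital letter) is silently removed from the report instead of being validated. Anchoring the exact names and keeping the presumed enrichment suffixes as suffixes narrows it to what was intended: `| where NOT match(field, "^(_time|host|source|sourcetype)$|[A-Z]|(_bunit|_category|_priority|_requires_av|_should_update)$") OR match(field, "object_category")`, and whether the capital-letter clause is still needed once the UBA field names are lowercased is worth deciding explicitly. The `<query>` element enclosing these SPL lines is not visible in the hunk as rendered, so the surrounding XML could not be checked.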
- denotes recommended fields based on use within ES and UBA products.
+ denotes recommended fields based on use within ES and UBA products, or as defined in the CIM model definition. Data Model $dm$ (and sub models) uses these fields: From 1f7bd106edfe61b518b5e807aaa789becc524368 Mon Sep 17 00:00:00 2001 From: hire-vladimir Date: Fri, 15 Mar 2024 23:35:21 +0000 Subject: [PATCH 22/28] sort by field --- default/data/ui/views/cim_validator.xml | 1 + 1 file changed, 1 insertion(+) diff --git a/default/data/ui/views/cim_validator.xml b/default/data/ui/views/cim_validator.xml index c772cef..c920bee 100644 --- a/default/data/ui/views/cim_validator.xml +++ b/default/data/ui/views/cim_validator.xml @@ -31,6 +31,7 @@ | lookup cim_validator_recommended_fields field OUTPUT is_recommended | eval ir=if(is_recommended=="true" OR recommended="true", "star", null()) | table ir, field, total_events, distinct_value_count, percent_coverage, field_values, is_cim_valid + | sort field $timerange.earliest$ $timerange.latest$ From 679c71bbe30e311c8e8950cf10ed50ea40948670 Mon Sep 17 00:00:00 2001 From: hire-vladimir Date: Fri, 15 Mar 2024 23:36:47 +0000 Subject: [PATCH 23/28] sort by field and recommended field from lookup too --- default/data/ui/views/cim_dictionary.xml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/default/data/ui/views/cim_dictionary.xml b/default/data/ui/views/cim_dictionary.xml index 953ad8d..4fdf6da 100644 --- a/default/data/ui/views/cim_dictionary.xml +++ b/default/data/ui/views/cim_dictionary.xml @@ -55,7 +55,7 @@
Datamodel definition information - | datamodel $dm|s$ | spath | eval product_type=if(like(modelName, "UBA_%"), "uba", "core") | table modelName, product_type, displayName, description | search product_type=$product_type|s$ + | datamodel $dm|s$ | spath | eval product_type=if(like(modelName, "UBA_%"), "uba", "core") | table modelName, product_type, displayName, description | search product_type=$product_type|s$ | sort modelName -24h@h now @@ -74,8 +74,7 @@ | spath path=objects{}.fields{} output=v | spath path=objects{}.calculations{}.outputFields{} output=u | eval w=mvappend(v,u) - | fields modelName w - | fields - _raw + | fields - _raw | fields modelName w | mvexpand w | eval data_type=json_extract(w,"type") @@ -83,7 +82,8 @@ | eval field=json_extract(w,"fieldName") | eval object=json_extract(w,"owner") - | eval recommended=json_extract(w,"comment.recommended"), recommended=if(match(recommended, "(?i)true|1"), "✅", "") + | lookup cim_validator_recommended_fields field OUTPUT is_recommended + | eval recommended=json_extract(w,"comment.recommended"), recommended=if(is_recommended=="true" OR match(recommended, "(?i)true|1"), "✅", "") | eval expected_values=json_array_to_mv(json_extract(w,"comment.expected_values")) | eval possible_values=split(json_extract(w,"comment.possible_values"), ","), possible_values=mvmap(possible_values, trim(possible_values)) @@ -95,6 +95,7 @@ | eval product_type=if(like(datamodel, "UBA_%"), "uba", "core") | where match(field, $field|s$) | search product_type=$product_type|s$ | fields - product_type + | sort field 0 From 90a3d843e79e4b7e8daedfcf380933ad0595085e Mon Sep 17 00:00:00 2001 From: hire-vladimir Date: Fri, 15 Mar 2024 23:41:30 +0000 Subject: [PATCH 24/28] accomodate appinspect check_that_setup_has_not_been_performed --- default/app.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/default/app.conf b/default/app.conf index e6cda72..8fe6660 100644 --- a/default/app.conf +++ b/default/app.conf 
@@ -1,5 +1,5 @@
 [install]
-is_configured = 1
+is_configured = false
 build = 2.0.0
 
 [ui]
From 9758efb1a0b3037ef4ba4dc3df518c3d837f2176 Mon Sep 17 00:00:00 2001
From: hire-vladimir
Date: Sat, 16 Mar 2024 00:09:40 +0000
Subject: [PATCH 25/28] rename master to main branch / fix warn for check_for_bias_language
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 720c4ab..60ec421 100644
--- a/README.md
+++ b/README.md
@@ -16,7 +16,7 @@ App installation can be completed using the self-service capabilities. Documenta
 # Getting Started
 
 ## Screenshot
-![CIM validator](https://raw.githubusercontent.com/hire-vladimir/SA-cim_vladiator/master/static/screenshot1.png)
+![CIM validator](https://raw.githubusercontent.com/hire-vladimir/SA-cim_vladiator/main/static/screenshot1.png)
 
 ## System requirements
 App was developed for use with Splunk Enterprise and Splunk Cloud 8.x+, 9.x+
From 90a0415900f88ddbd3112e541d8ab8d8ff81cd2c Mon Sep 17 00:00:00 2001
From: hire-vladimir
Date: Wed, 20 Mar 2024 04:04:57 +0000
Subject: [PATCH 26/28] really use is_recommended value and dedup on fields from sub models
---
 default/data/ui/views/cim_validator.xml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/default/data/ui/views/cim_validator.xml b/default/data/ui/views/cim_validator.xml
index c920bee..c73f075 100644
--- a/default/data/ui/views/cim_validator.xml
+++ b/default/data/ui/views/cim_validator.xml
@@ -8,9 +8,13 @@
 | fields - _raw | fields modelName w
 | mvexpand w
 | eval field=json_extract(w,"fieldName")
- | eval recommended=json_extract(w,"comment.recommended"), recommended=if(match(recommended, "(?i)true|1"), "true", "false")
+
+ | lookup cim_validator_recommended_fields field OUTPUT is_recommended
+ | eval recommended=json_extract(w,"comment.recommended"), recommended=if(is_recommended=="true" OR match(recommended, "(?i)true|1"), "true", "false")
+
 | rename modelName AS datamodel
- | table datamodel, field, recommended
+ | stats values(recommended) AS recommended by datamodel, field
+ | eval recommended=if(match(recommended, "true"), "true", "false")
 | where NOT match(field, "_time|^host$|sourcetype|source|[A-Z]+|_bunit|_category|_priority|_requires_av|_should_update") OR match(field, "object_category")
 
 | join type=outer field
From d52654b6f842435938163c0086f5987b96cca83d Mon Sep 17 00:00:00 2001
From: hire-vladimir
Date: Wed, 20 Mar 2024 04:17:27 +0000
Subject: [PATCH 27/28] explicitly set acceleration = false
---
 default/datamodels.conf | 24 +++++++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)
diff --git a/default/datamodels.conf b/default/datamodels.conf
index c15aee9..6997531 100644
--- a/default/datamodels.conf
+++ b/default/datamodels.conf
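Review bot: `| eval recommended=if(match(recommended, "true"), "true", "false")` after `| stats values(recommended) AS recommended by datamodel, field` likely does not do what the subject says: `values()` yields a lexicographically sorted multivalue field, so a field that is recommended in one sub model and not in another comes back as `false` first, and eval's `match()` is generally understood to test only the first value of a multivalue field, leaving such fields unstarred. Either test every value, `| eval recommended=if(isnotnull(mvfind(recommended, "^true$")), "true", "false")`, or aggregate with `| stats max(recommended) AS recommended by datamodel, field`, which yields `true` whenever any sub model says so. It is also worth confirming that `| lookup cim_validator_recommended_fields field OUTPUT is_recommended` is meant to key on `field` alone; if the lookup carries a datamodel column, a field name shared across models would otherwise inherit another model's recommendation.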
@@ -1,46 +1,68 @@
 [UBA_Badge]
+acceleration = false
 
 [UBA_DLP]
+acceleration = false
 
 [UBA_DLP_Email]
+acceleration = false
 
 [UBA_Authentication]
+acceleration = false
 
 [UBA_Cloud_Storage]
+acceleration = false
 
 [UBA_DHCP]
+acceleration = false
 
 [UBA_DNS]
+acceleration = false
 
 [UBA_Email]
+acceleration = false
 
 [UBA_External_Alarm]
+acceleration = false
 
 [UBA_Firewall]
+acceleration = false
 
 [UBA_Host_AV]
+acceleration = false
 
 [UBA_IDS_IPS]
+acceleration = false
 
 [UBA_VPN]
+acceleration = false
 
 [UBA_Web_Proxy]
+acceleration = false
 
 [UBA_Endpoint_Port]
+acceleration = false
 
 [UBA_Endpoint_Processes]
+acceleration = false
 
 [UBA_Endpoint_Services]
+acceleration = false
 
 [UBA_Endpoint_Registry]
+acceleration = false
 
 [UBA_Endpoint_Filesystem]
+acceleration = false
 
 [UBA_Printer]
+acceleration = false
 
 [UBA_Database]
+acceleration = false
 
 [UBA_HR_Data]
+acceleration = false
 
 [UBA_Asset_Data]
-
+acceleration = false
From b25e65debd49406d6e917f26d7e9420fb3dd29ff Mon Sep 17 00:00:00 2001
From: vladimir
Date: Wed, 20 Mar 2024 12:58:57 -0400
Subject: [PATCH 28/28] fix typo
---
 default/data/ui/views/cim_validator.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/default/data/ui/views/cim_validator.xml b/default/data/ui/views/cim_validator.xml
index c73f075..3ea9386 100644
--- a/default/data/ui/views/cim_validator.xml
+++ b/default/data/ui/views/cim_validator.xml
@@ -168,7 +168,7 @@
  • Use the Search type picker to set the type of the search used to retrieve the data
    • _raw search will be a search that does not start with a pipe, for example index=network sourcetype=firewall tag=network
    • -
    • generating search will be any generating command that starts with a pope, for example | datamodel Network_Traffic All_Traffic or with | from, | inputlookup etc.
    • +
    • generating search will be any generating command that starts with a pipe, for example | datamodel Network_Traffic All_Traffic or with | from, | inputlookup etc.
    Searches with the _raw are particularly helpful, as they allow to "test" data before it makes it into the accelerated datamodel; removing the need to need for constant rebuild during development/test cycle.
  • @@ -223,4 +223,4 @@ - \ No newline at end of file +