Monday, March 7, 2016

Splunk - SIEM - CIM (Common Information Model) Mapping

The Splunk Enterprise Security module comes with a set of data models, tags and field names that need to be mapped to the log sources for Splunk Enterprise Security to do its job: alerting, correlation, dashboards and so on.
I am currently working on a large engagement where I have had to use these CIM fields for normalisation and mapping. Although the “Overview of the Splunk Common Information Model” documentation on the Splunk web site is a very good source, I could not find a single page to use as a reference. I have made one for myself, and it may assist other SIEM designers and engineers as well.

CIM - Data Model - Objects - Tags - Fields (Quick Reference). Each entry lists the data model name, its objects, its tags, and then the CIM fields it defines.

CIM Fields - app,    body,    dest,    dest_bunit,    dest_category,    dest_priority,    id,    severity,    severity_id,    src,    src_bunit,    src_category,    src_priority,    subject,    type
Application State — Objects: All_Application_State, ports, process, services — Tags: (listening, port) OR (process, report) OR (service, report)
CIM Fields - dest,    dest_bunit,    dest_category,    dest_priority,    dest_requires_av,    dest_should_timesync,    dest_should_update,    process,    process_id,    tag,    user,    user_bunit,    user_category,    user_priority,    dest_port,    transport,    transport_dest_port,    cpu_load_mhz,    cpu_load_percent,    cpu_time,    mem_used,    service,    service_id,    start_mode,    status
Authentication — Objects: authentication, default_authentication, insecure_authentication, privileged_authentication — Tags: default_authentication, insecure_authentication, privileged_authentication
CIM Fields - action,    app,    dest,    dest_bunit,    dest_category,    dest_nt_domain,    dest_priority,    duration,    response_time,    src,    src_bunit,    src_category,    src_nt_domain,    src_priority,    src_user,    src_user_bunit,    src_user_category,    src_user_priority,    tag,    user,    user_bunit,    user_category,    user_priority
Certificates — Objects: All_Certificates, ssl — Tags: certificate, ssl, tls
CIM Fields - dest,    dest_bunit,    dest_category,    dest_port,    dest_priority,    duration,    response_time,    src,    src_bunit,    src_category,    src_priority,    tag,    transport,    ssl_end_time,    ssl_engine,    ssl_hash,    ssl_is_valid,    ssl_issuer,    ssl_issuer_common_name,    ssl_issuer_email,    ssl_issuer_locality,    ssl_issuer_organization,    ssl_issuer_state,    ssl_issuer_street,    ssl_issuer_unit,    ssl_name,    ssl_policies,    ssl_publickey,    ssl_publickey_algorithm,    ssl_serial,    ssl_session_id,    ssl_signature_algorithm,    ssl_start_time,    ssl_subject,    ssl_subject_common_name,    ssl_subject_email,    ssl_subject_locality,    ssl_subject_state,    ssl_subject_street,    ssl_subject_unit,    ssl_validity_window,    ssl_version
Change Analysis — Objects: All_change, Auditing_changes, endpoint_changes, network_changes, account_management — Tags: change, audit, endpoint, network, account
CIM Fields - action,    change_type,    command,    dest,   dest_bunit,   dest_category,   dest_priority,   dvc,   object,   object_attrs,    object_category,    object_id,    object_path,    result,    result_id,    src,    src_bunit,    src_category,    src_priority,    status,    tag,    user,    vendor_product,    dest_nt_domain,    src_nt_domain,    src_user,    src_user_bunit,    src_user_category,    src_user_priority,    file_access_time,    file_acl,    file_create_time,    file_hash,    file_modify_time,    file_name,    file_path,    file_size
Databases — Objects: All_Databases, database_instance, instance_stats, session_info, lock_info, database_query, tablespace, query_stats — Tags: database, instance, stats, session, lock, query, tablespace, stats
CIM Fields - dest,    dest_bunit,    dest_category,    dest_priority,    duration,    object,    response_time,    src,    src_bunit,    src_category,    src_priority,    tag,    user,    user_bunit,    user_category,    user_priority,    vendor_product,    instance_name,    instance_version,    process_limit,    session_limit,    availability,    avg_executions,    dump_area_used,    instance_reads,    instance_writes,    number_of_users,    processes,    sessions,    sga_buffer_cache_size,    sga_buffer_hit_limit,    sga_data_dict_hit_ratio,    sga_fixed_area_size,    sga_free_memory,    sga_library_cache_size,    sga_redo_log_buffer,    sga_shared_pool,    sga_sql_area_size,    start_time,    tablespace_used,    buffer_cache_hit_ratio,    commits,    cpu_used,    cursor,    elapsed_time,    logical_reads,    machine,    memory_sorts,    physical_reads,    seconds_in_wait,    session_id,    session_status,    table_scans,    wait_state,    wait_time,    last_call_minute,    lock_mode,    lock_session_id,    logon_time,    obj_name,    os_pid,    serial_num,    query,    query_id,    query_time,    records_affected,    free_bytes,    tablespace_name,    tablespace_reads,    tablespace_status,    tablespace_writes,    indexes_hit,    query_plan_hit,    stored_procedures_called,    tables_hit
Email — Objects: all_email, delivery, content, filtering — Tags: email, delivery, content, filter
CIM Fields - action,    delay,    dest,    dest_bunit,    dest_category,    dest_priority,    duration,    file_hash,    file_name,    file_size,    internal_message_id,    message_id,    message_info,    orig_dest,    orig_recipient,    orig_src,    process,    process_id,    protocol,    recipient,    recipient_count,    recipient_status,    response_time,    retries,    return_addr,    size,    src,    src_bunit,    src_category,    src_priority,    src_user,    src_user_bunit,    src_user_category,    src_user_priority,    status_code,    subject,    tag,    url,    user,    user_bunit,    user_category,    user_priority,    vendor_product,    xdelay,    xref,    filter_action,    filter_score,    signature,    signature_extra,    signature_id
Interprocess Messaging — Objects: All_Interprocess_Messaging — Tags: messaging
CIM Fields - dest,    dest_bunit,    dest_category,    dest_priority,    duration,    endpoint,    endpoint_version,    message,    message_consumed_time,    message_correlation_id,    message_delivered_time,    message_delivery_mode,    message_expiration_time,    message_id,    message_priority,    message_properties,    message_received_time,    message_redelivered,    message_reply_dest,    message_type,    parameters,    payload,    payload_type,    request_payload,    request_payload_type,    request_sent_time,    response_code,    response_payload_type,    response_received_time,    response_time,    return_message,    rpc_protocol,    status,    tag
Intrusion Detection — Objects: IDS_Attacks — Tags: ids, attack
CIM Fields - action,    category,    dest,    dest_bunit,    dest_category,    dest_priority,    dvc,    dvc_bunit,    dvc_category,    dvc_priority,    ids_type,    severity,    signature,    src,    src_bunit,    src_category,    src_priority,    tag,    user,    user_bunit,    user_category,    user_priority,    vendor_product
Inventory — Objects: All_Inventory, CPU, Memory, Network, Storage, OS, User, Default_Accounts, Virtual_OS, Snapshot, Tools — Tags: Inventory, CPU, Memory, Network, Storage, OS, User, Default_Accounts, Virtual_OS, Snapshot, Tools
CIM Fields - description,  dest,  dest_bunit,  dest_category,  dest_priority,  enabled,  family,  hypervisor_id,  serial,  status,  tag,  vendor_product,  version,  cpu_cores,  cpu_count,  cpu_mhz,  mem,  dest_ip,  dns,  inline_nat,  interface,  ip,  lb_method,  mac,  name,  node,  node_port,  src_ip,  vip_port,  os,  array,  blocksize,  cluster,  fd_max,  latency,  mount,  parent,  read_blocks,  read_latency,  read_ops,  storage,  write_blocks,  write_latency,  write_ops,  interactive,  password,  shell,  user,  user_bunit,  user_category,  user_id,  user_priority,  hypervisor,  size,  snapshot,  time
Java Virtual Machine — Objects: JVM, Threading, Runtime, OS, Compilation, Classloading, Memory — Tags: JVM, Threading, Runtime, OS, Compilation, Classloading, Memory
CIM Fields - jvm_description,  tag,  cm_enabled,  cm_supported,  cpu_time_enabled,  cpu_time_supported,  current_cpu_time,  current_user_time,  daemon_thread_count,  omu_supported,  peak_thread_count,  synch_supported,  thread_count,  threads_started,  process_name,  start_time,  uptime,  vendor_product,  version,  committed_memory,  cpu_time,  free_physical_memory,  free_swap,  max_file_descriptors,  open_file_descriptors,  os,  os_architecture,  os_version,  physical_memory,  swap_space,  system_load,  total_processors,  compilation_time,  current_loaded,  total_loaded,  total_unloaded,  heap_committed,  heap_initial,  heap_max,  heap_used,  non_heap_committed,  non_heap_initial,  non_heap_max,  non_heap_used,  objects_pending
Malware — Objects: Malware_Attacks, Malware_Operations — Tags: malware, attack, operations
CIM Fields - action,  category,  date,  dest,  dest_bunit,  dest_category,  dest_nt_domain,  dest_priority,  dest_requires_av,  file_hash,  file_name,  file_path,  signature,  src,  src_bunit,  src_category,  src_priority,  tag,  user,  user_bunit,  user_category,  user_priority,  vendor_product,  dest,  dest_bunit,  dest_category,  dest_nt_domain,  dest_priority,  dest_requires_av,  product_version,  signature_version,  tag,  vendor_product
Network Resolution — Objects: dns — Tags: network, resolution, dns
CIM Fields - additional_answer_count,  answer,  answer_count,  authority_answer_count,  dest,  dest_category,  dest_port,  dest_priority,  duration,  message_type,  query,  query_count,  query_type,  reply_code,  reply_code_id,  response_time,  src,  src_bunit,  src_category,  src_port,  src_priority,  tag,  transaction_id,  transport,  ttl,  vendor_product
Network Sessions — Objects: All_sessions, session_start, session_end, DHCP, VPN — Tags: network, session, start, end, dhcp, vpn
CIM Fields - action,  dest_bunit,  dest_category,  dest_ip,  dest_mac,  dest_nt_host,  dest_priority,  duration,  response_time,  signature,  src_bunit,  src_category,  src_dns,  src_ip,  src_mac,  src_nt_host,  src_priority,  tag,  user,  user_bunit,  user_category,  user_priority,  vendor_product,  lease_duration,  lease_scope
Network Traffic — Objects: All_traffic — Tags: network, communicate
CIM Fields - action,  app,  bytes,  bytes_in,  bytes_out,  channel,  dest,  dest_bunit,  dest_category,  dest_interface,  dest_ip,  dest_mac,  dest_port,  dest_priority,  dest_translated_ip,  dest_translated_port,  direction,  duration,  dvc,  dvc_bunit,  dvc_category,  dvc_ip,  dvc_mac,  dvc_priority,  flow_id,  icmp_code,  icmp_type,  packets,  packets_in,  packets_out,  protocol,  protocol_version,  response_time,  rule,  session_id,  src,  src_category,  src_interface,  src_ip,  src_mac,  src_port,  src_priority,  src_translated_ip,  src_translated_port,  ssid,  tag,  tcp_flag,  transport,  tos,  ttl,  user,  user_bunit,  user_category,  user_priority,  vendor_product,  vlan,  wifi
Performance — Objects: ALL_performance, cpu, facilities, memory, storage, network, os, uptime, time — Tags: performance, cpu, facilities, memory, storage, network, os, uptime, time, synchronize
CIM Fields - dest,  dest_bunit,  dest_category,  dest_priority,  dest_should_timesync,  dest_should_update,  hypervisor_id,  resource_type,  tag,  cpu_load_mhz,  cpu_load_percent,  cpu_time,  cpu_user_percent,  fan_speed,  power,  temperature,  mem,  mem_committed,  mem_free,  mem_used,  swap,  swap_free,  swap_used,  array,  blocksize,  cluster,  fd_max,  fd_used,  latency,  mount,  parent,  read_blocks,  read_latency,  read_ops,  storage,  storage_free,  storage_free_percent,  storage_used,  storage_used_percent,  write_blocks,  write_latency,  write_ops,  thruput,  thruput_max,  signature,  action,  uptime
Splunk Audit Logs — Objects: View_Activity, Datamodel_Acceleration, Search_Activity, Scheduler_Activity, Web_Service_Errors
CIM Fields - app,  user,  view,  access_count,  access_time,  app,  buckets,  buckets_size,  complete,  cron,  datamodel,  digest,  earliest,  is_inprogress,  last_error,  last_sid,  latest,  mod_time,  retention,  size,  summary_id,  host,  info,  search,  search_type,  source,  sourcetype,  user,  user_bunit,  user_category,  user_priority,  app,  host,  savedsearch_name,  sid,  source,  sourcetype,  splunk_server,  status,  user,  host,  source,  sourcetype,  event_id
Ticket Management — Objects: ALL_TICKET_MANAGEMENT, ticketing, change, incident, problem — Tags: ticketing, change, incident, problem
CIM Fields - affect_dest,  comments,  description,  dest,  dest_bunit,  dest_category,  dest_priority,  priority,  severity,  src_user,  src_user_bunit,  src_user_category,  status,  tag,  ticket_id,  time_submitted,  user,  user_bunit,  user_category,  user_priority,  change,  incident,  problem
Updates — Objects: updates, update_errors — Tags: update, status, update, error
CIM Fields - dest,  dest_bunit,  dest_category,  dest_priority,  dest_should_update,  dvc,  file_hash,  file_name,  severity,  signature,  signature_id,  status,  tag,  vendor_product
Vulnerabilities — Objects: Vulnerabilities — Tags: report, Vulnerabilities
CIM Fields - bugtraq,  category,  cert,  cve,  cvss,  dest,  dest_bunit,  dest_category,  dest_priority,  dvc,  dvc_bunit,  dvc_category,  dvc_priority,  msft,  mskb,  severity,  signature,  tag,  user,  user_bunit,  user_category,  user_priority,  vendor_product,  xref
Web — Objects: Web, Proxy — Tags: Web, Proxy
CIM Fields - action,  app,  bytes,  bytes_in,  bytes_out,  cached,  category,  cookie,  dest,  dest_bunit,  dest_category,  dest_priority,  duration,  http_content_type,  http_method,  http_referrer,  http_user_agent,  http_user_agent_length,  response_time,  site,  src,  src_bunit,  src_category,  src_priority,  status,  tag,  uri_path,  uri_query,  url,  url_length,  user,  user_bunit,  user_category,  user_priority,  vendor_product