Collect Splunk CIM logs
This document describes how to collect Splunk Common Information Model (CIM) logs by configuring Splunk and the Google Security Operations forwarder. It also lists the supported log types and the supported Splunk version.
For more information, see Data ingestion to Google Security Operations.
Overview
The following deployment architecture diagram shows how the Splunk agent is configured to send logs to Google Security Operations. Each customer deployment might differ from this representation and might be more complex.
The architecture diagram shows the following components:
Data source: A system with Splunk installed that you want to monitor.
Splunk: Collects information from the data source and forwards it to the Google Security Operations forwarder.
Google Security Operations forwarder: A lightweight software component deployed in the customer's network that forwards logs to Google Security Operations.
Google Security Operations: Retains and analyzes the logs from the Fleet server.
An ingestion label identifies the parser that normalizes raw log data into the structured UDM format. The information in this document applies to the parser with the SPLUNK ingestion label.
Before you begin
Use Splunk version 5.0, which is supported by the Google Security Operations parser.
Ensure that all systems in the deployment architecture are configured to use the Coordinated Universal Time (UTC) time zone.
Configure the Splunk agent and the Google Security Operations forwarder
Install a CIM-compliant agent from Splunkbase.
Configure the Google Security Operations forwarder to push logs to Google Security Operations. The following is an example Google Security Operations forwarder configuration:
```yaml
- splunk:
    common:
      enabled: true
      data_type: SPLUNK
      batch_n_seconds: 10
      batch_n_bytes: 819200
    url: <SPLUNK_URL>
    query_cim: true
    is_ignore_cert: true
    query_string: datamodel Network_Traffic All_Traffic flat
```
Replace <SPLUNK_URL> with the URL of your Splunk instance. Note that is_ignore_cert: true makes the forwarder skip verification of the Splunk server's TLS certificate; this is convenient for testing, but in production the forwarder should be given a certificate it can validate so that an intermediary cannot read or alter the query traffic.
Considerations when writing Splunk search queries
Splunk has its own search language, similar to SQL. Make sure that the syntax of the search query you use is correct. Consider the following search characteristics when you create a query:
Escape characters
If a string value contains a double quote ", escape the double quote with a backslash character. Otherwise, the search misinterprets where the string value ends.
For example, to search for the string WHERE _raw="The user "vpatel" isn't authenticated.", you must use the sequence \" to search for the literal double quote.
Write the search string in the following format:
```
WHERE _raw="The user \"vpatel\" isn't authenticated."
```
To escape a backslash character \, use the sequence \\ to search for a backslash.
For example, a string such as C:\user\abc must be written as C:\\user\\abc.
Searches with incorrect syntax
If any part of a query is invalid, the whole query is not evaluated and an error message is displayed.
Consider the following example, in which the search mode option is missing from the first data model query:
```
multisearch [|datamodel Network_Traffic All_Traffic] [|datamodel Network_Sessions All_Sessions flat]
```
Because the search mode option is missing, the query fails with the following error:
```
Error in 'multisearch' command: Multisearch sub searches might only contain purely streaming operations. The search job has failed due to an error.
```
Support for multiple data models
Splunk supports a single large query across data models. The following search query extracts data from multiple data models:
```
multisearch [|datamodel Network_Traffic All_Traffic flat] [|datamodel Network_Sessions All_Sessions flat]
```
The components of this cross-data-model query are:
multisearch: The query must start with the word multisearch. Each data model query must be enclosed in square brackets [ ] and must start with a pipe | character.
Network_Traffic: The name of the data model.
All_Traffic: The dataset of the Network_Traffic data model.
flat: The search mode. Other options are search and acceleration_search.
We recommend the following Splunk query for searches across multiple data models:
```
multisearch [|datamodel Network_Traffic All_Traffic flat] [|datamodel Network_Sessions All_Sessions flat]
```
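As an added worked example (not part of the original document), the following Python helpers apply the escaping rules from the Escape characters section and assemble a multisearch query from the components listed above; check_multisearch reports the missing-search-mode problem shown in the incorrectly formed example. SEARCH_MODES holds the three modes the document names; all function names are this example's own.

```python
import re

# The three search modes named in this document.
SEARCH_MODES = ("flat", "search", "acceleration_search")

# Matches one [|datamodel <model> <dataset> [<mode>]] subsearch; the third
# group is empty when the search mode option was left out.
SUBSEARCH_RE = re.compile(r"\[\|datamodel\s+(\w+)\s+(\w+)(?:\s+(\w+))?\s*\]")


def spl_quote(value):
    # Backslashes are escaped first (\ becomes \\) and double quotes second
    # (" becomes \"), so the backslash added for a quote is not doubled again.
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return '"' + escaped + '"'


def raw_search(text):
    # The WHERE _raw="..." form used in the escaping examples above.
    return "WHERE _raw=" + spl_quote(text)


def datamodel_subsearch(model, dataset, mode="flat"):
    # One bracketed, pipe-led data model query with an explicit search mode.
    if mode not in SEARCH_MODES:
        raise ValueError("unknown search mode %r; expected one of %s" % (mode, SEARCH_MODES))
    for name in (model, dataset):
        if not re.fullmatch(r"[A-Za-z][A-Za-z0-9_]*", name):
            raise ValueError("invalid data model or dataset name %r" % name)
    return "[|datamodel %s %s %s]" % (model, dataset, mode)


def multisearch(pairs, mode="flat"):
    # pairs: a list of (data model, dataset) tuples combined into one query.
    if not pairs:
        raise ValueError("multisearch needs at least one data model")
    return "multisearch " + " ".join(datamodel_subsearch(m, d, mode) for m, d in pairs)


def check_multisearch(query):
    # Return the problems found in a multisearch query; an empty list means
    # the query has the shape this document describes (it is not a full
    # SPL syntax check).
    problems = []
    if not query.startswith("multisearch "):
        problems.append("query must start with the word multisearch")
    subsearches = SUBSEARCH_RE.findall(query)
    if not subsearches:
        problems.append("no [|datamodel ...] subsearch found")
    for model, dataset, mode in subsearches:
        if not mode:
            problems.append("%s %s: missing search mode" % (model, dataset))
        elif mode not in SEARCH_MODES:
            problems.append("%s %s: unknown search mode %r" % (model, dataset, mode))
    return problems
```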
Supported log types and data models
| Splunk data model | Supported |
|---|---|
| Alerts | Yes |
| Application State (deprecated) | No |
| Authentication | Yes |
| Certificates | Yes |
| Change | Yes |
| Change Analysis (deprecated) | No |
| Data Access | Yes |
| Databases | Yes |
| Data Loss Prevention | Yes |
| Email | Yes |
| Endpoint | Yes |
| Event Signatures | Yes |
| Interprocess Messaging | Yes |
| Intrusion Detection | Yes |
| Inventory | Yes |
| Java Virtual Machines (JVM) | Yes |
| Malware | Yes |
| Network Resolution (DNS) | Yes |
| Network Sessions | Yes |
| Network Traffic | Yes |
| Performance | Yes |
| Splunk Audit Logs | Yes |
| Ticket Management | Yes |
| Updates | Yes |
| Vulnerabilities | Yes |
| Web | Yes |
Supported Splunk CIM log format
The Splunk CIM parser supports logs in JSON format.
Supported Splunk CIM sample log
JSON
```json
{ "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "dhcp-ad01.testdhcp2.local", "EventChannel": "Microsoft-Windows-Sysmon/Operational", "EventCode": "5", "EventData_Xml": "<Data Name='RuleName'>-<\\/Data><Data Name='UtcTime'>2021-10-22 06:38:15.540<\\/Data><Data Name='ProcessGuid'>{8AE2CCCF-5C56-6172-84FE-000000001500}<\\/Data><Data Name='ProcessId'>5616<\\/Data><Data Name='Image'>C:\\\\Program Files\\\\Splunk\\\\bin\\\\splunk-optimize.exe<\\/Data>", "EventDescription": "Process terminated", "EventID": "5", "EventRecordID": "157268", "Guid": "'{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'", "Image": "C:\\\\Program Files\\\\Splunk\\\\bin\\\\splunk-optimize.exe", "Keywords": "0x8000000000000000", "Level": "4", "Name": "'Microsoft-Windows-Sysmon'", "Opcode": "0", "ProcessGuid": "{8AE2CCCF-5C56-6172-84FE-000000001500}", "ProcessID": "'2888'", "ProcessId": "5616", "RecordID": "157268", "RecordNumber": "157268", "RuleName": "-", "SecurityID": "S-1-5-18", "SystemTime": "'2021-10-22T06:38:15.548776000Z'", "System_Props_Xml": "<Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>5<\\/EventID><Version>3<\\/Version><Level>4<\\/Level><Task>5<\\/Task><Opcode>0<\\/Opcode><Keywords>0x8000000000000000<\\/Keywords><TimeCreated SystemTime='2021-10-22T06:38:15.548776000Z'/><EventRecordID>157268<\\/EventRecordID><Correlation/><Execution ProcessID='2888' ThreadID='3648'/><Channel>Microsoft-Windows-Sysmon/Operational<\\/Channel><Computer>dhcp-ad01.testdhcp2.local<\\/Computer><Security UserID='S-1-5-18'/>", "Task": "5", "ThreadID": "'3648'", "TimeCreated": "2021-10-22T06:38:15.548776000Z", "UserID": "'S-1-5-18'", "UtcTime": "2021-10-22 06:38:15.540", "Version": "3", "_raw": "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>5<\\/EventID><Version>3<\\/Version><Level>4<\\/Level><Task>5<\\/Task><Opcode>0<\\/Opcode><Keywords>0x8000000000000000<\\/Keywords><TimeCreated SystemTime='2021-10-22T06:38:15.548776000Z'/><EventRecordID>157268<\\/EventRecordID><Correlation/><Execution ProcessID='2888' ThreadID='3648'/><Channel>Microsoft-Windows-Sysmon/Operational<\\/Channel><Computer>dhcp-ad01.testdhcp2.local<\\/Computer><Security UserID='S-1-5-18'/><\\/System><EventData><Data Name='RuleName'>-<\\/Data><Data Name='UtcTime'>2021-10-22 06:38:15.540<\\/Data><Data Name='ProcessGuid'>{8AE2CCCF-5C56-6172-84FE-000000001500}<\\/Data><Data Name='ProcessId'>5616<\\/Data><Data Name='Image'>C:\\\\Program Files\\\\Splunk\\\\bin\\\\splunk-optimize.exe<\\/Data><\\/EventData><\\/Event>", "_time": "2021-10-22T12:08:15.540+0530", "action": "blocked", "date_hour": "6", "date_mday": "22", "date_minute": "38", "date_month": "october", "date_second": "15", "date_wday": "friday", "date_year": "2021", "date_zone": "0", "dest": "dummy.domain.com", "dvc_nt_host": "DHCP-AD01", "event_id": "157268", "eventtype": [ "endpoint_services_processes", "ms-sysmon-process", "windows_event_signature" ], "host": "DHCP-AD01", "id": "157268", "index": "main", "linecount": "1", "os": "Microsoft Windows", "process": "C:\\\\Program Files\\\\Splunk\\\\bin\\\\splunk-optimize.exe", "process_exec": "splunk-optimize.exe", "process_guid": "{8AE2CCCF:5C56:6172:84FE-000000001500}", "process_id": "5616", "process_name": "splunk-optimize.exe", "process_path": "C:\\\\Program Files\\\\Splunk\\\\bin\\\\splunk-optimize.exe", "punct": "<_='://../////'><><_='--'_='{----}'/><><\\/><><\\/><><", "signature": "Process terminated", "signature_id": "5", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "XmlWinEventLog", "splunk_server": "dhcp-ad01", "tag": [ "process", "report", "track_event_signatures" ], "tag2001:db8::eventtype": [ "process", "report", "track_event_signatures" ], "timeendpos": "671", "timestartpos": "648", "user_id": "'dummy-user-id'", "vendor_product": "Microsoft Sysmon" }
```
Field mapping reference
This section describes how the Google Security Operations parser maps Splunk log fields to Google Security Operations Unified Data Model (UDM) fields, per dataset. For more information, see the Splunk documentation for version 5.0.1.
Alerts
The following table lists the log fields of the Splunk dataset Alerts and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| app | observer.application |
| description | security_result.description |
| dest | target.ip target.hostname target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated) additional.fields |
| dest_category | target.labels.key/value (deprecated) additional.fields |
| dest_priority | target.labels.key/value (deprecated) additional.fields |
| dest_type | target.resource.resource_type |
| id | metadata.product_log_id |
| mitre_technique_id | security_result.detection_fields.labels.key/value |
| severity | security_result.severity |
| severity_id | about.labels.key/value (deprecated) additional.fields |
| signature | metadata.description |
| signature_id | security_result.rule_name |
| src | principal.ip principal.hostname principal.labels.key/value (deprecated) |
| src_bunit | principal.labels.key/value (deprecated) additional.fields |
| src_category | principal.labels.key/value (deprecated) additional.fields |
| src_priority | principal.labels.key/value (deprecated) additional.fields |
| src_type | principal.resource.resource_type |
| tag | about.labels.key/value (deprecated) additional.fields |
| type | security_result.alert_state |
| user | principal.user.user_display_name |
| user_bunit | about.labels.key/value (deprecated) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_name | principal.user.userid |
| user_priority | principal.user.attribute.label.key/value |
| vendor_account | about.labels.key/value (deprecated) additional.fields |
| vendor_region | about.location.country_or_region |
Authentication
The following table lists the log fields of the Splunk dataset Authentication and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| action | security_result.action_details security_result.action |
| app | target.application |
| authentication_method | about.labels.key/value (deprecated) additional.fields |
| authentication_service | extension.auth.auth_details |
| dest | target.ip target.hostname target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated) additional.fields |
| dest_category | target.labels.key/value (deprecated) additional.fields |
| dest_nt_domain | target.labels.key/value (deprecated) additional.fields |
| dest_priority | target.labels.key/value (deprecated) additional.fields |
| duration | network.session_duration |
| reason | security_result.summary |
| response_time | about.labels.key/value (deprecated) additional.fields |
| signature | metadata.description |
| signature_id | metadata.product_event_type |
| src | principal.ip principal.hostname principal.labels.key/value (deprecated) |
| src_bunit | principal.labels.key/value (deprecated) additional.fields |
| src_category | principal.labels.key/value (deprecated) additional.fields |
| src_nt_domain | principal.labels.key/value (deprecated) additional.fields |
| src_priority | principal.labels.key/value (deprecated) additional.fields |
| src_user | principal.user.user_display_name |
| src_user_bunit | principal.labels.key/value (deprecated) additional.fields |
| src_user_category | principal.labels.key/value (deprecated) additional.fields |
| src_user_id | principal.user.userid |
| src_user_priority | principal.labels.key/value (deprecated) additional.fields |
| src_user_role | principal.user.attribute.roles.name (repeated) |
| src_user_type | principal.user.attribute.roles.type |
| tag | about.labels.key/value (deprecated) additional.fields |
| user | principal.user.user_display_name |
| user_agent | network.http.user_agent |
| user_bunit | about.labels.key/value (deprecated) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_id | principal.user.userid |
| user_priority | principal.user.attribute.label.key/value |
| user_role | principal.user.attribute.roles.name (repeated) |
| user_type | principal.user.attribute.roles.type |
| vendor_account | about.labels.key/value (deprecated) additional.fields |
All_Certificates
The following table lists the log fields of the Splunk dataset All_Certificates and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| dest | target.ip target.hostname target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated) additional.fields |
| dest_category | target.labels.key/value (deprecated) additional.fields |
| dest_port | target.port |
| dest_priority | target.labels.key/value (deprecated) additional.fields |
| duration | network.session_duration |
| response_time | about.labels.key/value (deprecated) additional.fields |
| src | principal.ip principal.hostname principal.labels.key/value (deprecated) |
| src_bunit | principal.labels.key/value (deprecated) additional.fields |
| src_category | principal.labels.key/value (deprecated) additional.fields |
| src_port | principal.port |
| src_priority | principal.labels.key/value (deprecated) additional.fields |
| tag | about.labels.key/value (deprecated) additional.fields |
| transport | network.ip_protocol |
SSL
The following table lists the log fields of the Splunk dataset SSL and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| ssl_end_time | network.tls.server.certificate.not_after |
| ssl_engine | about.labels.key/value (deprecated) additional.fields |
| ssl_hash | about.labels.key/value (deprecated) additional.fields |
| ssl_is_valid | about.labels.key/value (deprecated) additional.fields |
| ssl_issuer | network.tls.server.certificate.issuer |
| ssl_issuer_common_name | about.labels.key/value (deprecated) additional.fields |
| ssl_issuer_email | about.labels.key/value (deprecated) additional.fields |
| ssl_issuer_email_domain | about.labels.key/value (deprecated) additional.fields |
| ssl_issuer_locality | about.labels.key/value (deprecated) additional.fields |
| ssl_issuer_organization | about.labels.key/value (deprecated) additional.fields |
| ssl_issuer_state | about.labels.key/value (deprecated) additional.fields |
| ssl_issuer_street | about.labels.key/value (deprecated) additional.fields |
| ssl_issuer_unit | about.labels.key/value (deprecated) additional.fields |
| ssl_name | about.labels.key/value (deprecated) additional.fields |
| ssl_policies | about.labels.key/value (deprecated) additional.fields |
| ssl_publickey | about.labels.key/value (deprecated) additional.fields |
| ssl_publickey_algorithm | about.labels.key/value (deprecated) additional.fields |
| ssl_serial | network.tls.server.certificate.serial |
| ssl_session_id | network.session_id |
| ssl_signature_algorithm | about.labels.key/value (deprecated) additional.fields |
| ssl_start_time | network.tls.server.certificate.not_before |
| ssl_subject | network.tls.server.certificate.subject |
| ssl_subject_common_name | about.labels.key/value (deprecated) additional.fields |
| ssl_subject_email | about.labels.key/value (deprecated) additional.fields |
| ssl_subject_email_domain | about.labels.key/value (deprecated) additional.fields |
| ssl_subject_locality | about.labels.key/value (deprecated) additional.fields |
| ssl_subject_organization | about.labels.key/value (deprecated) additional.fields |
| ssl_subject_state | about.labels.key/value (deprecated) additional.fields |
| ssl_subject_street | about.labels.key/value (deprecated) additional.fields |
| ssl_subject_unit | about.labels.key/value (deprecated) additional.fields |
| ssl_validity_window | about.labels.key/value (deprecated) additional.fields |
| ssl_version | network.tls.server.certificate.version |
All_Changes
The following table lists the log fields of the Splunk dataset All_Changes and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| action | security_result.action_details security_result.action |
| change_type | security_result.category_details |
| command | principal.process.command_line |
| dest | target.ip target.hostname target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated) additional.fields |
| dest_category | target.labels.key/value (deprecated) additional.fields |
| dest_priority | target.labels.key/value (deprecated) additional.fields |
| dvc | principal.asset.hostname, principal.asset.ip |
| object | target.resource.name |
| object_attrs | about.labels.key/value (deprecated) additional.fields |
| object_category | about.labels.key/value (deprecated) additional.fields |
| object_id | target.user.product_object_id |
| object_path | target.file.full_path |
| result | metadata.description |
| result_id | metadata.product_event_type |
| src | principal.ip principal.hostname principal.labels.key/value (deprecated) |
| src_bunit | principal.labels.key/value (deprecated) additional.fields |
| src_category | principal.labels.key/value (deprecated) additional.fields |
| src_priority | principal.labels.key/value (deprecated) additional.fields |
| status | security_result.summary |
| tag | about.labels.key/value (deprecated) additional.fields |
| user | target.user.userid |
| user_agent | network.http.user_agent |
| user_name | principal.user.user_display_name, target.labels.key/value |
| user_type | principal.user.attribute.roles.type, target.user.attribute.roles.type |
| vendor_account | about.labels.key/value (deprecated) additional.fields |
| vendor_product | about.labels.key/value (deprecated) additional.fields |
| vendor_region | about.location.country_or_region |
Account_Management
The following table lists the log fields of the Splunk dataset Account_Management and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| dest_nt_domain | target.administrative_domain |
| src_nt_domain | principal.administrative_domain |
| src_user | principal.user.userid |
| src_user_bunit | principal.labels.key/value (deprecated) additional.fields |
| src_user_category | principal.labels.key/value (deprecated) additional.fields |
| src_user_priority | principal.labels.key/value (deprecated) additional.fields |
| src_user_name | principal.labels.key/value (deprecated) additional.fields |
| src_user_type | principal.user.attribute.roles.type |
Instance_Changes
The following table lists the log fields of the Splunk dataset Instance_Changes and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| image_id | principal.asset_id |
| instance_type | about.labels.key/value (deprecated) additional.fields |
network_Changes
The following table lists the log fields of the Splunk dataset network_Changes and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| dest_ip_range | target.labels.key/value (deprecated) additional.fields |
| dest_port_range | target.labels.key/value (deprecated) additional.fields |
| direction | network.direction |
| protocol | network.ip_protocol |
| rule_action | security_result.action_details security_result.action |
| src_ip_range | principal.labels.key/value (deprecated) additional.fields |
| src_port_range | principal.labels.key/value (deprecated) additional.fields |
Data_Access
The following table lists the log fields of the Splunk dataset Data_Access and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| action | security_result.action_details security_result.action |
| app | target.application |
| app_id | metadata.product_log_id |
| dest | target.ip target.hostname target.labels.key/value (deprecated) |
| dest_name | target.administrative_domain |
| dest_url | target.url |
| dvc | principal.asset.hostname, principal.asset.ip |
| email | principal.user.email_addresses |
| object | target.resource.name |
| object_category | about.labels.key/value (deprecated) additional.fields |
| object_id | target.user.product_object_id |
| object_path | target.file.full_path |
| object_size | target.file.size |
| owner | about.labels.key/value (deprecated) additional.fields |
| owner_email | about.labels.key/value (deprecated) additional.fields |
| owner_id | principal.user.userid |
| parent_object | target.resource.parent |
| parent_object_id | about.labels.key/value (deprecated) additional.fields |
| parent_object_category | about.labels.key/value (deprecated) additional.fields |
| src | principal.ip principal.hostname principal.labels.key/value (deprecated) |
| tenant_id | about.labels.key/value (deprecated) additional.fields |
| user | principal.user.user_display_name |
| user_agent | network.http.user_agent |
| user_group | principal.user.group_identifiers (repeated) |
| user_role | principal.user.attribute.roles.name (repeated) |
| vendor_product | about.labels.key/value (deprecated) additional.fields |
| vendor_product_id | about.labels.key/value (deprecated) additional.fields |
All_Databases
The following table lists the log fields of the Splunk dataset All_Databases and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| dest | target.ip target.hostname target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated) additional.fields |
| dest_category | target.labels.key/value (deprecated) additional.fields |
| dest_priority | target.labels.key/value (deprecated) additional.fields |
| duration | network.session_duration |
| object | target.resource.name |
| response_time | about.labels.key/value (deprecated) additional.fields |
| src | principal.ip principal.hostname principal.labels.key/value (deprecated) |
| src_bunit | principal.labels.key/value (deprecated) additional.fields |
| src_category | principal.labels.key/value (deprecated) additional.fields |
| src_priority | principal.labels.key/value (deprecated) additional.fields |
| tag | about.labels.key/value (deprecated) additional.fields |
| user | principal.user.user_display_name |
| user_bunit | about.labels.key/value (deprecated) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value (deprecated) additional.fields |
Database_Instance
The following table lists the log fields of the Splunk dataset Database_Instance and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| instance_name | target.resource.attributes.key/value |
| instance_version | target.resource.attributes.key/value |
| process_limit | about.labels.key/value (deprecated) additional.fields |
| session_limit | about.labels.key/value (deprecated) additional.fields |
Database_Query
The following table lists the log fields of the Splunk dataset Database_Query and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| query | about.labels.key/value (deprecated) additional.fields |
| query_id | about.labels.key/value (deprecated) additional.fields |
| query_time | about.labels.key/value (deprecated) additional.fields |
| records_affected | about.labels.key/value (deprecated) additional.fields |
Instance_Stats
The following table lists the log fields of the Splunk dataset Instance_Stats and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| availability | about.labels.key/value (deprecated) additional.fields |
| avg_executions | about.labels.key/value (deprecated) additional.fields |
| dump_area_used | about.labels.key/value (deprecated) additional.fields |
| instance_reads | about.labels.key/value (deprecated) additional.fields |
| instance_writes | about.labels.key/value (deprecated) additional.fields |
| number_of_users | about.labels.key/value (deprecated) additional.fields |
| processes | about.labels.key/value (deprecated) additional.fields |
| sessions | about.labels.key/value (deprecated) additional.fields |
| sga_buffer_cache_size | about.labels.key/value (deprecated) additional.fields |
| sga_buffer_hit_limit | about.labels.key/value (deprecated) additional.fields |
| sga_data_dict_hit_ratio | about.labels.key/value (deprecated) additional.fields |
| sga_fixed_area_size | about.labels.key/value (deprecated) additional.fields |
| sga_free_memory | about.labels.key/value (deprecated) additional.fields |
| sga_library_cache_size | about.labels.key/value (deprecated) additional.fields |
| sga_redo_log_buffer_size | about.labels.key/value (deprecated) additional.fields |
| sga_shared_pool_size | about.labels.key/value (deprecated) additional.fields |
| sga_sql_area_size | about.labels.key/value (deprecated) additional.fields |
| start_time | about.labels.key/value (deprecated) additional.fields |
| tablespace_used | about.labels.key/value (deprecated) additional.fields |
Session_Info
The following table lists the log fields of the Splunk dataset Session_Info and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| buffer_cache_hit_ratio | about.labels.key/value (deprecated) additional.fields |
| commits | about.labels.key/value (deprecated) additional.fields |
| cpu_used | about.labels.key/value (deprecated) additional.fields |
| cursor | about.labels.key/value (deprecated) additional.fields |
| elapsed_time | about.labels.key/value (deprecated) additional.fields |
| logical_reads | about.labels.key/value (deprecated) additional.fields |
| machine | about.hostname |
| memory_sorts | about.labels.key/value (deprecated) additional.fields |
| physical_reads | about.labels.key/value (deprecated) additional.fields |
| seconds_in_wait | about.labels.key/value (deprecated) additional.fields |
| session_id | network.session_id |
| session_status | about.labels.key/value (deprecated) additional.fields |
| table_scans | about.labels.key/value (deprecated) additional.fields |
| wait_state | about.labels.key/value (deprecated) additional.fields |
| wait_time | about.labels.key/value (deprecated) additional.fields |
Lock_Info
The following table lists the log fields of the Splunk dataset Lock_Info and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| last_call_minute | about.labels.key/value (deprecated) additional.fields |
| lock_mode | about.labels.key/value (deprecated) additional.fields |
| lock_session_id | about.labels.key/value (deprecated) additional.fields |
| logon_time | about.labels.key/value (deprecated) additional.fields |
| obj_name | about.labels.key/value (deprecated) additional.fields |
| os_pid | target.process.pid |
| serial_num | target.resource.product_object_id |
Tablespace
The following table lists the log fields of the Splunk dataset Tablespace and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| free_bytes | about.file.size |
| tablespace_name | about.resource.name |
| tablespace_reads | about.labels.key/value (deprecated) additional.fields |
| tablespace_status | about.labels.key/value (deprecated) additional.fields |
| tablespace_writes | about.labels.key/value (deprecated) additional.fields |
Query_Stats
The following table lists the log fields of the Splunk dataset Query_Stats and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| indexes_hit | about.labels.key/value (deprecated) additional.fields |
| query_plan_hit | about.labels.key/value (deprecated) additional.fields |
| stored_procedures_called | about.labels.key/value (deprecated) additional.fields |
| tables_hit | about.labels.key/value (deprecated) additional.fields |
DLP_Incidents
The following table lists the log fields of the Splunk dataset DLP_Incidents and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| action | security_result.action_details security_result.action |
| app | target.application |
| category | security_result.category_details |
| dest | target.ip target.hostname target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated) additional.fields |
| dest_category | target.labels.key/value (deprecated) additional.fields |
| dest_priority | target.labels.key/value (deprecated) additional.fields |
| dest_zone | target.location.country_or_region |
| dlp_type | about.labels.key/value (deprecated) additional.fields |
| dvc | principal.asset.hostname, principal.asset.ip |
| dvc_bunit | about.labels.key/value (deprecated) additional.fields |
| dvc_category | about.labels.key/value (deprecated) additional.fields |
| dvc_priority | about.labels.key/value (deprecated) additional.fields |
| dvc_zone | principal.asset.location.country_or_region |
| object | target.resource.name |
| object_category | about.labels.key/value (deprecated) additional.fields |
| object_path | target.file.full_path |
| severity | security_result.severity |
| severity_id | about.labels.key/value (deprecated) additional.fields |
| signature | metadata.description |
| signature_id | metadata.product_event_type |
| src | principal.ip principal.hostname principal.labels.key/value (deprecated) |
| src_bunit | principal.labels.key/value (deprecated) additional.fields |
| src_category | principal.labels.key/value (deprecated) additional.fields |
| src_priority | principal.labels.key/value (deprecated) additional.fields |
| src_user | principal.user.user_display_name |
| src_user_bunit | principal.labels.key/value (deprecated) additional.fields |
| src_user_category | principal.labels.key/value (deprecated) additional.fields |
| src_user_priority | principal.labels.key/value (deprecated) additional.fields |
| src_zone | principal.location.country_or_region |
| tag | about.labels.key/value (deprecated) additional.fields |
| user | principal.user.user_display_name |
| user_bunit | about.labels.key/value (deprecated) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value (deprecated) additional.fields |
All_Email
The following table lists the log fields of the Splunk dataset All_Email and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| action | security_result.action_details security_result.action |
| delay | about.labels.key/value (deprecated) additional.fields |
| dest | target.ip target.hostname target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated) additional.fields |
| dest_category | target.labels.key/value (deprecated) additional.fields |
| dest_priority | target.labels.key/value (deprecated) additional.fields |
| duration | network.session_duration |
| file_hash | about.file.sha256, about.file.md5, about.file.sha1 |
| file_name | about.labels.key/value (deprecated) additional.fields |
| file_size | about.file.size |
| internal_message_id | metadata.product_log_id |
| message_id | network.email.mail_id |
| message_info | about.labels.key/value (deprecated) additional.fields |
| orig_dest | target.labels.key/value (deprecated) additional.fields |
| orig_recipient | about.labels.key/value (deprecated) additional.fields |
| orig_src | network.email.from |
| process | principal.process.command_line |
| process_id | principal.process.pid |
| protocol | network.application_protocol |
| recipient | network.email.to |
| recipient_count | about.labels.key/value (deprecated) additional.fields |
| recipient_domain | about.labels.key/value (deprecated) additional.fields |
| recipient_status | about.labels.key/value (deprecated) additional.fields |
| response_time | about.labels.key/value (deprecated) additional.fields |
| retries | about.labels.key/value (deprecated) additional.fields |
| return_addr | about.labels.key/value (deprecated) additional.fields |
| size | about.labels.key/value (deprecated) additional.fields |
| src | principal.ip principal.hostname principal.labels.key/value (deprecated) |
| src_bunit | principal.labels.key/value (deprecated) additional.fields |
| src_category | principal.labels.key/value (deprecated) additional.fields |
| src_priority | principal.labels.key/value (deprecated) additional.fields |
| src_user | principal.user.email_addresses |
| src_user_bunit | principal.labels.key/value (deprecated) additional.fields |
| src_user_category | principal.labels.key/value (deprecated) additional.fields |
| src_user_domain | principal.administrative_domain |
| src_user_priority | principal.labels.key/value (deprecated) additional.fields |
| status_code | about.labels.key/value (deprecated) additional.fields |
| subject | network.email.subject (repeated) |
| tag | about.labels.key/value (deprecated) additional.fields |
| url | about.url |
| user | principal.user.user_display_name |
| user_bunit | about.labels.key/value (deprecated) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value (deprecated) additional.fields |
| xdelay | about.labels.key/value (deprecated) additional.fields |
| xref | about.labels.key/value (deprecated) additional.fields |
Filtering
The following table lists the log fields of the Splunk dataset Filtering and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| filter_action | about.labels.key/value (deprecated) additional.fields |
| filter_score | about.labels.key/value (deprecated) additional.fields |
| signature | metadata.description |
| signature_extra | about.labels.key/value (deprecated) additional.fields |
| signature_id | metadata.product_event_type |
Ports
The following table lists the log fields of the Splunk dataset Ports and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| creation_time | about.labels.key/value (deprecated) additional.fields |
| dest | target.ip target.hostname target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated) additional.fields |
| dest_category | target.labels.key/value (deprecated) additional.fields |
| dest_port | target.port |
| dest_priority | target.labels.key/value (deprecated) additional.fields |
| dest_requires_av | target.labels.key/value (deprecated) additional.fields |
| dest_should_timesync | target.labels.key/value (deprecated) additional.fields |
| dest_should_update | target.labels.key/value (deprecated) additional.fields |
| process_guid | principal.process.product_specific_process_id |
| process_id | principal.process.pid |
| src | principal.ip principal.hostname principal.labels.key/value (deprecated) |
| src_category | principal.labels.key/value (deprecated) additional.fields |
| src_priority | principal.labels.key/value (deprecated) additional.fields |
| src_port | principal.port |
| src_requires_av | principal.labels.key/value (deprecated) additional.fields |
| src_should_timesync | principal.labels.key/value (deprecated) additional.fields |
| src_should_update | principal.labels.key/value (deprecated) additional.fields |
| state | about.labels.key/value (deprecated) additional.fields |
| tag | about.labels.key/value (deprecated) additional.fields |
| transport | network.ip_protocol |
| transport_dest_port | target.labels.key/value (deprecated) additional.fields |
| user | principal.user.user_display_name |
| user_bunit | about.labels.key/value (deprecated) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
Processes
The following table lists the log fields of the Splunk dataset Processes and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| action | security_result.action_details security_result.action |
| cpu_load_percent | about.labels.key/value (deprecated) additional.fields |
| dest | target.ip target.hostname target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated) additional.fields |
| dest_category | target.labels.key/value (deprecated) additional.fields |
| dest_is_expected | target.labels.key/value (deprecated) additional.fields |
| dest_priority | target.labels.key/value (deprecated) additional.fields |
| dest_requires_av | target.labels.key/value (deprecated) additional.fields |
| dest_should_timesync | target.labels.key/value (deprecated) additional.fields |
| dest_should_update | target.labels.key/value (deprecated) additional.fields |
| mem_used | about.labels.key/value (deprecated) additional.fields |
| original_file_name | src.file.full_path |
| os | principal.asset.platform_software.platform_version |
| parent_process | about.labels.key/value (deprecated) additional.fields |
| parent_process_exec | about.labels.key/value (deprecated) additional.fields |
| parent_process_id | principal.process.parent_process.parent_pid |
| parent_process_guid | principal.process.parent_process.product_specific_process_id |
| parent_process_name | about.labels.key/value (deprecated) additional.fields |
| parent_process_path | principal.process.parent_process.command_line |
| process | about.labels.key/value (deprecated) additional.fields |
| process_current_directory | about.labels.key/value (deprecated) additional.fields |
| process_exec | about.labels.key/value (deprecated) additional.fields |
| process_hash | principal.process.file.sha256 / principal.process.file.md5 / principal.process.file.sha1 |
| process_guid | principal.process.product_specific_process_id |
| process_id | principal.process.pid |
| process_integrity_level | security_result.severity |
| process_name | principal.process.command_line |
| process_path | principal.process.file.full_path |
| tag | about.labels.key/value (deprecated) additional.fields |
| user | principal.user.user_display_name |
| user_id | principal.user.userid |
| user_bunit | about.labels.key/value (deprecated) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value (deprecated) additional.fields |
Services
The following table lists the log fields of the Splunk dataset Services and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| description | security_result.description |
| dest | target.ip target.hostname target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated) additional.fields |
| dest_category | target.labels.key/value (deprecated) additional.fields |
| dest_is_expected | target.labels.key/value (deprecated) additional.fields |
| dest_priority | target.labels.key/value (deprecated) additional.fields |
| dest_requires_av | target.labels.key/value (deprecated) additional.fields |
| dest_should_timesync | target.labels.key/value (deprecated) additional.fields |
| dest_should_update | target.labels.key/value (deprecated) additional.fields |
| process_guid | principal.process.product_specific_process_id |
| process_id | principal.process.pid |
| service | target.application |
| service_dll | about.labels.key/value (deprecated) additional.fields |
| service_dll_path | about.file.full_path |
| service_dll_hash | about.labels.key/value (deprecated) additional.fields |
| service_dll_signature_exists | about.labels.key/value (deprecated) additional.fields |
| service_dll_signature_verified | about.labels.key/value (deprecated) additional.fields |
| service_exec | target.process.file.full_path |
| service_hash | about.labels.key/value (deprecated) additional.fields |
| service_id | about.labels.key/value (deprecated) additional.fields |
| service_name | about.labels.key/value (deprecated) additional.fields |
| service_path | about.labels.key/value (deprecated) additional.fields |
| service_signature_exists | about.labels.key/value (deprecated) additional.fields |
| service_signature_verified | about.labels.key/value (deprecated) additional.fields |
| start_mode | about.labels.key/value (deprecated) additional.fields |
| status | security_result.summary |
| tag | about.labels.key/value (deprecated) additional.fields |
| user | principal.user.user_display_name |
| user_bunit | about.labels.key/value (deprecated) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.labels.key/value |
| vendor_product | about.labels.key/value (deprecated) additional.fields |
Filesystem
The following table lists the log fields of the Splunk dataset Filesystem and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| action | security_result.action_details security_result.action |
| dest | target.ip target.hostname target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated) additional.fields |
| dest_category | target.labels.key/value (deprecated) additional.fields |
| dest_priority | target.labels.key/value (deprecated) additional.fields |
| dest_requires_av | target.labels.key/value (deprecated) additional.fields |
| dest_should_timesync | target.labels.key/value (deprecated) additional.fields |
| dest_should_update | target.labels.key/value (deprecated) additional.fields |
| file_access_time | about.labels.key/value (deprecated) additional.fields |
| file_create_time | target.asset.attribute.creation_time |
| file_hash | target.file.sha256, target.file.md5, target.file.sha1 |
| file_modify_time | about.labels.key/value (deprecated) additional.fields |
| file_name | about.labels.key/value (deprecated) additional.fields |
| file_path | target.file.full_path |
| file_acl | about.labels.key/value (deprecated) additional.fields |
| file_size | target.file.size |
| process_guid | principal.process.product_specific_process_id |
| process_id | principal.process.pid |
| tag | about.labels.key/value (deprecated) additional.fields |
| user | principal.user.user_display_name |
| user_bunit | about.labels.key/value (deprecated) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.labels.key/value |
| vendor_product | about.labels.key/value (deprecated) additional.fields |
Registry
The following table lists the log fields of the Splunk dataset Registry and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| action | security_result.action_details security_result.action |
| dest | target.ip target.hostname target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated) additional.fields |
| dest_category | target.labels.key/value (deprecated) additional.fields |
| dest_priority | target.labels.key/value (deprecated) additional.fields |
| dest_requires_av | target.labels.key/value (deprecated) additional.fields |
| dest_should_timesync | target.labels.key/value (deprecated) additional.fields |
| dest_should_update | target.labels.key/value (deprecated) additional.fields |
| process_guid | principal.process.product_specific_process_id |
| process_id | principal.process.pid |
| registry_hive | about.labels.key/value (deprecated) additional.fields |
| registry_path | about.labels.key/value (deprecated) additional.fields |
| registry_key_name | target.registry.registry_key |
| registry_value_data | target.registry.registry_value_data |
| registry_value_name | target.registry.registry_value_name |
| registry_value_text | about.labels.key/value (deprecated) additional.fields |
| registry_value_type | about.labels.key/value (deprecated) additional.fields |
| status | security_result.summary |
| tag | about.labels.key/value (deprecated) additional.fields |
| user | principal.user.user_display_name |
| user_bunit | about.labels.key/value (deprecated) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.labels.key/value |
| vendor_product | about.labels.key/value (deprecated) additional.fields |
Signatures
The following table lists the log fields of the Splunk dataset Signatures and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| dest | target.ip target.hostname target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated) additional.fields |
| dest_category | target.labels.key/value (deprecated) additional.fields |
| dest_priority | target.labels.key/value (deprecated) additional.fields |
| signature | metadata.description |
| signature_id | metadata.product_event_type |
| tag | about.labels.key/value (deprecated) additional.fields |
Signatures_vendor_product
The following table lists the log fields of the Splunk dataset Signatures_vendor_product and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| vendor_product | about.labels.key/value (deprecated) additional.fields |
All_Interprocess_Messaging
The following table lists the log fields of the Splunk dataset All_Interprocess_Messaging and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| dest | target.ip target.hostname target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated) additional.fields |
| dest_category | target.labels.key/value (deprecated) additional.fields |
| dest_priority | target.labels.key/value (deprecated) additional.fields |
| duration | network.session_duration |
| endpoint | about.labels.key/value (deprecated) additional.fields |
| endpoint_version | about.labels.key/value (deprecated) additional.fields |
| message | about.labels.key/value (deprecated) additional.fields |
| message_consumed_time | about.labels.key/value (deprecated) additional.fields |
| message_correlation_id | about.labels.key/value (deprecated) additional.fields |
| message_delivered_time | about.labels.key/value (deprecated) additional.fields |
| message_delivery_mode | about.labels.key/value (deprecated) additional.fields |
| message_expiration_time | about.labels.key/value (deprecated) additional.fields |
| message_id | metadata.product.log_id |
| message_priority | about.labels.key/value (deprecated) additional.fields |
| message_properties | about.labels.key/value (deprecated) additional.fields |
| message_received_time | about.labels.key/value (deprecated) additional.fields |
| message_redelivered | about.labels.key/value (deprecated) additional.fields |
| message_reply_dest | target.labels.key/value (deprecated) additional.fields |
| message_type | about.labels.key/value (deprecated) additional.fields |
| parameters | about.labels.key/value (deprecated) additional.fields |
| payload | about.labels.key/value (deprecated) additional.fields |
| payload_type | about.labels.key/value (deprecated) additional.fields |
| request_payload | about.labels.key/value (deprecated) additional.fields |
| request_payload_type | about.labels.key/value (deprecated) additional.fields |
| request_sent_time | about.labels.key/value (deprecated) additional.fields |
| response_code | network.http.response_code |
| response_payload_type | about.labels.key/value (deprecated) additional.fields |
| response_received_time | about.labels.key/value (deprecated) additional.fields |
| response_time | about.labels.key/value (deprecated) additional.fields |
| return_message | about.labels.key/value (deprecated) additional.fields |
| rpc_protocol | network.application_protocol |
| status | security_result.summary |
| tag | about.labels.key/value (deprecated) additional.fields |
IDS_Attacks
The following table lists the log fields of the Splunk dataset IDS_Attacks and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| action | security_result.action_details security_result.action |
| category | security_result.category_details |
| dest | target.ip target.hostname target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated) additional.fields |
| dest_category | target.labels.key/value (deprecated) additional.fields |
| dest_priority | target.labels.key/value (deprecated) additional.fields |
| dvc | principal.asset.hostname, principal.asset.ip |
| dvc_bunit | about.labels.key/value (deprecated) additional.fields |
| dvc_category | about.labels.key/value (deprecated) additional.fields |
| dvc_priority | about.labels.key/value (deprecated) additional.fields |
| file_hash | target.file.sha256, target.file.md5, target.file.sha1 |
| file_name | about.labels.key/value (deprecated) additional.fields |
| file_path | target.file.full_path |
| ids_type | about.labels.key/value (deprecated) additional.fields |
| severity | security_result.severity |
| severity_id | about.labels.key/value (deprecated) additional.fields |
| signature | metadata.description |
| signature_id | metadata.product_event_type |
| src | principal.ip principal.hostname principal.labels.key/value (deprecated) |
| src_bunit | principal.labels.key/value (deprecated) additional.fields |
| src_category | principal.labels.key/value (deprecated) additional.fields |
| src_priority | principal.labels.key/value (deprecated) additional.fields |
| src_port | principal.port |
| tag | about.labels.key/value (deprecated) additional.fields |
| transport | network.ip_protocol |
| user | principal.user.user_display_name |
| user_bunit | about.labels.key/value (deprecated) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.labels.key/value |
| vendor_product | about.labels.key/value (deprecated) additional.fields |
DS_Attacks
The following table lists the log fields of the Splunk dataset DS_Attacks and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| dest_port | target.port |
All_Inventory
The following table lists the log fields of the Splunk dataset All_Inventory and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| description | security_result.description |
| dest | target.ip target.hostname target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated) additional.fields |
| dest_category | target.labels.key/value (deprecated) additional.fields |
| dest_priority | target.labels.key/value (deprecated) additional.fields |
| enabled | about.labels.key/value (deprecated) additional.fields |
| family | about.labels.key/value (deprecated) additional.fields |
| hypervisor_id | about.labels.key/value (deprecated) additional.fields |
| serial | principal.asset.hardware.serial_number |
| status | security_result.summary |
| tag | about.labels.key/value (deprecated) additional.fields |
| vendor_product | about.labels.key/value (deprecated) additional.fields |
| version | about.labels.key/value (deprecated) additional.fields |
CPU
The following table lists the log fields of the Splunk dataset CPU and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| cpu_cores | principal.asset.hardware.cpu_number_cores |
| cpu_count | about.labels.key/value (deprecated) additional.fields |
| cpu_mhz | principal.asset.hardware.cpu_clock_speed |
| cpu_load_mhz | principal.asset.hardware.cpu_clock_speed |
| cpu_load_percent | about.labels.key/value (deprecated) additional.fields |
| cpu_time | about.labels.key/value (deprecated) additional.fields |
| cpu_user_percent | about.labels.key/value (deprecated) additional.fields |
Memory
The following table lists the log fields of the Splunk dataset Memory and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| mem | principal.asset.hardware.ram |
| heap_committed | about.labels.key/value (deprecated) additional.fields |
| heap_initial | about.labels.key/value (deprecated) additional.fields |
| heap_max | about.labels.key/value (deprecated) additional.fields |
| heap_used | about.labels.key/value (deprecated) additional.fields |
| non_heap_committed | about.labels.key/value (deprecated) additional.fields |
| non_heap_initial | about.labels.key/value (deprecated) additional.fields |
| non_heap_max | about.labels.key/value (deprecated) additional.fields |
| non_heap_used | about.labels.key/value (deprecated) additional.fields |
| objects_pending | about.labels.key/value (deprecated) additional.fields |
| mem | principal.asset.hardware.ram |
| mem_committed | about.labels.key/value (deprecated) additional.fields |
| mem_free | about.labels.key/value (deprecated) additional.fields |
| mem_used | about.labels.key/value (deprecated) additional.fields |
| swap | about.labels.key/value (deprecated) additional.fields |
| swap_free | about.labels.key/value (deprecated) additional.fields |
| swap_used | about.labels.key/value (deprecated) additional.fields |
Network
The following table lists the log fields of the Splunk dataset Network and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| dest_ip | target.ip |
| dns | about.labels.key/value (deprecated) additional.fields |
| inline_nat | about.labels.key/value (deprecated) additional.fields |
| interface | about.labels.key/value (deprecated) additional.fields |
| ip | principal.asset.ip |
| lb_method | about.labels.key/value (deprecated) additional.fields |
| mac | principal.asset.mac |
| name | principal.resource.name |
| node | about.labels.key/value (deprecated) additional.fields |
| node_port | target.port |
| src_ip | principal.ip |
| vip_port | about.labels.key/value (deprecated) additional.fields |
| thruput | about.labels.key/value (deprecated) additional.fields |
| thruput_max | about.labels.key/value (deprecated) additional.fields |
OS
The following table lists the log fields of the Splunk dataset OS and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| os | principal.asset.platform_software.platform_version |
| committed_memory | about.labels.key/value (deprecated) additional.fields |
| cpu_time | about.labels.key/value (deprecated) additional.fields |
| free_physical_memory | about.labels.key/value (deprecated) additional.fields |
| free_swap | about.labels.key/value (deprecated) additional.fields |
| max_file_descriptors | about.labels.key/value (deprecated) additional.fields |
| open_file_descriptors | about.labels.key/value (deprecated) additional.fields |
| os | principal.asset.platform_software.platform_version |
| os_architecture | about.labels.key/value (deprecated) additional.fields |
| os_version | about.labels.key/value (deprecated) additional.fields |
| physical_memory | about.labels.key/value (deprecated) additional.fields |
| swap_space | about.labels.key/value (deprecated) additional.fields |
| system_load | about.labels.key/value (deprecated) additional.fields |
| total_processors | about.labels.key/value (deprecated) additional.fields |
| signature | metadata.description |
| signature_id | metadata.product_event_type |
Storage
The following table lists the log fields of the Splunk dataset Storage and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| array | about.labels.key/value (deprecated) additional.fields |
| blocksize | about.labels.key/value (deprecated) additional.fields |
| cluster | about.resource.resource_type = "CLUSTER" |
| fd_max | about.labels.key/value (deprecated) additional.fields |
| latency | about.labels.key/value (deprecated) additional.fields |
| mount | principal.resource.attribute.labels.key/value |
| parent | principal.resource.parent |
| read_blocks | about.labels.key/value (deprecated) additional.fields |
| read_latency | about.labels.key/value (deprecated) additional.fields |
| read_ops | about.labels.key/value (deprecated) additional.fields |
| storage | about.labels.key/value (deprecated) additional.fields |
| write_blocks | about.labels.key/value (deprecated) additional.fields |
| write_latency | about.labels.key/value (deprecated) additional.fields |
| write_ops | about.labels.key/value (deprecated) additional.fields |
| array | about.labels.key/value (deprecated) additional.fields |
| blocksize | about.labels.key/value (deprecated) additional.fields |
| cluster | about.resource.resource_type = "CLUSTER" |
| fd_max | about.labels.key/value (deprecated) additional.fields |
| fd_used | about.labels.key/value (deprecated) additional.fields |
| latency | about.labels.key/value (deprecated) additional.fields |
| mount | about.labels.key/value (deprecated) additional.fields |
| parent | principal.resource.parent |
| read_blocks | about.labels.key/value (deprecated) additional.fields |
| read_latency | about.labels.key/value (deprecated) additional.fields |
| read_ops | about.labels.key/value (deprecated) additional.fields |
| storage | about.labels.key/value (deprecated) additional.fields |
| storage_free | about.labels.key/value (deprecated) additional.fields |
| storage_free_percent | about.labels.key/value (deprecated) additional.fields |
| storage_used | about.labels.key/value (deprecated) additional.fields |
| storage_used_percent | about.labels.key/value (deprecated) additional.fields |
| write_blocks | about.labels.key/value (deprecated) additional.fields |
| write_latency | about.labels.key/value (deprecated) additional.fields |
| write_ops | about.labels.key/value (deprecated) additional.fields |
| error_code | security_result.description |
| action | about.labels.key/value (deprecated) additional.fields |
| storage_name | about.resource.name |
Users
The following table lists the log fields of the Splunk dataset Users and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| interactive | about.labels.key/value (deprecated) additional.fields |
| password | about.labels.key/value (deprecated) additional.fields |
| shell | about.labels.key/value (deprecated) additional.fields |
| user | principal.user.user_display_name |
| user_bunit | about.labels.key/value (deprecated) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_id | principal.user.userid |
| user_priority | principal.user.attribute.labels.key/value |
Virtual_OS
The following table lists the log fields of the Splunk dataset Virtual_OS and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| hypervisor | about.labels.key/value (deprecated) additional.fields |
Snapshot
The following table lists the log fields of the Splunk dataset Snapshot and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| size | about.file.size |
| snapshot | about.labels.key/value (deprecated) additional.fields |
| time | about.labels.key/value (deprecated) additional.fields |
JVM
The following table lists the log fields of the Splunk dataset JVM and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| jvm_description | security_result.description |
| tag | about.labels.key/value (deprecated) additional.fields |
Threading
The following table lists the log fields of the Splunk dataset Threading and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| cm_enabled | about.labels.key/value (deprecated) additional.fields |
| cm_supported | about.labels.key/value (deprecated) additional.fields |
| cpu_time_enabled | about.labels.key/value (deprecated) additional.fields |
| cpu_time_supported | about.labels.key/value (deprecated) additional.fields |
| current_cpu_time | about.labels.key/value (deprecated) additional.fields |
| current_user_time | about.labels.key/value (deprecated) additional.fields |
| daemon_thread_count | about.labels.key/value (deprecated) additional.fields |
| omu_supported | about.labels.key/value (deprecated) additional.fields |
| peak_thread_count | about.labels.key/value (deprecated) additional.fields |
| synch_supported | about.labels.key/value (deprecated) additional.fields |
| thread_count | about.labels.key/value (deprecated) additional.fields |
| threads_started | about.labels.key/value (deprecated) additional.fields |
Runtime
The following table lists the log fields of the Splunk dataset Runtime and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| process_name | principal.process.command_line |
| start_time | about.labels.key/value (deprecated) additional.fields |
| uptime | about.labels.key/value (deprecated) additional.fields |
| vendor_product | about.labels.key/value (deprecated) additional.fields |
| version | about.labels.key/value (deprecated) additional.fields |
Compilation
The following table lists the log fields of the Splunk dataset Compilation and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| compilation_time | about.labels.key/value (deprecated) additional.fields |
Classloading
The following table lists the log fields of the Splunk dataset Classloading and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| current_loaded | about.labels.key/value (deprecated) additional.fields |
| total_loaded | about.labels.key/value (deprecated) additional.fields |
| total_unloaded | about.labels.key/value (deprecated) additional.fields |
Malware_Attacks
The following table lists the log fields of the Splunk dataset Malware_Attacks and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| action | security_result.action_details security_result.action |
| category | security_result.category_details |
| date | about.labels.key/value (deprecated) additional.fields |
| dest | target.ip target.hostname target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated) additional.fields |
| dest_category | target.labels.key/value (deprecated) additional.fields |
| dest_nt_domain | target.administrative_domain |
| dest_priority | target.labels.key/value (deprecated) additional.fields |
| dest_requires_av | target.labels.key/value (deprecated) additional.fields |
| file_hash | target.file.sha256, target.file.md5, target.file.sha1 |
| file_name | about.labels.key/value (deprecated) additional.fields |
| file_path | target.file.full_path |
| severity | security_result.severity |
| severity_id | about.labels.key/value (deprecated) additional.fields |
| signature | metadata.description |
| signature_id | metadata.product_event_type |
| src | principal.ip principal.hostname principal.labels.key/value (deprecated) |
| src_bunit | principal.labels.key/value (deprecated) additional.fields |
| src_category | principal.labels.key/value (deprecated) additional.fields |
| src_priority | principal.labels.key/value (deprecated) additional.fields |
| src_user | principal.user.user_display_name |
| tag | about.labels.key/value (deprecated) additional.fields |
| user | principal.user.user_display_name |
| user_bunit | about.labels.key/value (deprecated) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.labels.key/value |
| url | about.url |
| vendor_product | about.labels.key/value (deprecated) additional.fields |
Malware_Operations
The following table lists the log fields of the Splunk dataset Malware_Operations and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| dest | target.ip target.hostname target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated) additional.fields |
| dest_nt_domain | target.labels.key/value (deprecated) additional.fields |
| dest_nt_domain | target.labels.key/value (deprecated) additional.fields |
| dest_priority | target.labels.key/value (deprecated) additional.fields |
| dest_requires_av | target.labels.key/value (deprecated) additional.fields |
| product_version | about.labels.key/value (deprecated) additional.fields |
| signature_version | security_result.rule_version |
| tag | about.labels.key/value (deprecated) additional.fields |
| vendor_product | about.labels.key/value (deprecated) additional.fields |
Malware_Operations
The following table lists the log fields of the Splunk dataset Malware_Operations and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| dest_category | target.labels.key/value (deprecated) additional.fields |
DNS
The following table lists the log fields of the Splunk dataset DNS and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| additional_answer_count | about.labels.key/value (deprecated) additional.fields |
| answer | network.dns.answer.data |
| answer_count | about.labels.key/value (deprecated) additional.fields |
| authority_answer_count | about.labels.key/value (deprecated) additional.fields |
| dest | target.ip target.hostname target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated) additional.fields |
| dest_category | target.labels.key/value (deprecated) additional.fields |
| dest_port | target.port |
| dest_priority | target.labels.key/value (deprecated) additional.fields |
| duration | network.session_duration |
| message_type | about.labels.key/value (deprecated) additional.fields |
| name | about.labels.key/value (deprecated) additional.fields |
| query | network.dns.questions.name |
| query_count | about.labels.key/value (deprecated) additional.fields |
| query_type | network.dns.questions.type |
| record_type | network.dns.answer.type (uint32) |
| reply_code | about.labels.key/value (deprecated) additional.fields |
| reply_code_id | network.dns.response_code |
| response_time | about.labels.key/value (deprecated) additional.fields |
| src | principal.ip principal.hostname principal.labels.key/value (deprecated) |
| src_bunit | principal.labels.key/value (deprecated) additional.fields |
| src_category | principal.labels.key/value (deprecated) additional.fields |
| src_port | principal.port |
| src_priority | principal.labels.key/value (deprecated) additional.fields |
| tag | about.labels.key/value (deprecated) additional.fields |
| transaction_id | network.dns.id |
| transport | network.ip_protocol |
| ttl | about.labels.key/value (deprecated) additional.fields |
| vendor_product | about.labels.key/value (deprecated) additional.fields |
All_Sessions
The following table lists the log fields of the Splunk dataset All_Sessions and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| action | security_result.action_details security_result.action |
| dest_bunit | target.labels.key/value (deprecated) additional.fields |
| dest_category | target.labels.key/value (deprecated) additional.fields |
| dest_dns | target.labels.key/value (deprecated) additional.fields |
| dest_ip | network.dhcp.ciaddr |
| dest_mac | network.dhcp.chaddr |
| dest_nt_host | target.labels.key/value (deprecated) additional.fields |
| dest_priority | target.labels.key/value (deprecated) additional.fields |
| duration | network.session_duration |
| response_time | about.labels.key/value (deprecated) additional.fields |
| signature | metadata.description |
| signature_id | metadata.product_event_type |
| src_bunit | principal.labels.key/value (deprecated) additional.fields |
| src_category | principal.labels.key/value (deprecated) additional.fields |
| src_dns | principal.labels.key/value (deprecated) additional.fields |
| src_ip | principal.ip |
| src_mac | principal.mac |
| src_nt_host | principal.labels.key/value (deprecated) additional.fields |
| src_priority | principal.labels.key/value (deprecated) additional.fields |
| tag | about.labels.key/value (deprecated) additional.fields |
| user | principal.user.user_display_name |
| user_bunit | about.labels.key/value (deprecated) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.labels.key/value |
| vendor_product | about.labels.key/value (deprecated) additional.fields |
DHCP
The following table lists the log fields of the Splunk dataset DHCP and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| lease_duration | network.dhcp.lease_time_seconds |
| lease_scope | about.labels.key/value (deprecated) additional.fields |
All_Traffic
The following table lists the log fields of the Splunk dataset All_Traffic and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| action | security_result.action_details security_result.action |
| app | network.application_protocol |
| bytes | about.labels.key/value (deprecated) additional.fields |
| bytes_in | network.received_bytes |
| bytes_out | network.sent_bytes |
| channel | about.labels.key/value (deprecated) additional.fields |
| dest | target.ip target.hostname target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated) additional.fields |
| dest_category | target.labels.key/value (deprecated) additional.fields |
| dest_interface | target.labels.key/value (deprecated) additional.fields |
| dest_ip | target.ip |
| dest_mac | target.mac |
| dest_port | target.port |
| dest_priority | target.labels.key/value (deprecated) additional.fields |
| dest_translated_ip | target.nat_ip |
| dest_translated_port | target.nat_port |
| dest_zone | target.location.country_or_region |
| direction | network.direction |
| duration | network.session_duration |
| dvc | principal.asset.hostname, principal.asset.ip |
| dvc_bunit | about.labels.key/value (deprecated) additional.fields |
| dvc_category | about.labels.key/value (deprecated) additional.fields |
| dvc_ip | about.labels.key/value (deprecated) additional.fields |
| dvc_mac | principal.asset.mac |
| dvc_priority | about.labels.key/value (deprecated) additional.fields |
| dvc_zone | principal.asset.location.country_or_region |
| flow_id | about.labels.key/value (deprecated) additional.fields |
| icmp_code | about.labels.key/value (deprecated) additional.fields |
| icmp_type | about.labels.key/value (deprecated) additional.fields |
| packets | about.labels.key/value (deprecated) additional.fields |
| packets_in | about.labels.key/value (deprecated) additional.fields |
| packets_out | about.labels.key/value (deprecated) additional.fields |
| protocol | about.labels.key/value (deprecated) additional.fields |
| protocol_version | about.labels.key/value (deprecated) additional.fields |
| response_time | about.labels.key/value (deprecated) additional.fields |
| rule | security_result.rule_id |
| session_id | network.session_id |
| src | principal.ip principal.hostname principal.labels.key/value (deprecated) |
| src_bunit | principal.labels.key/value (deprecated) additional.fields |
| src_category | principal.labels.key/value (deprecated) additional.fields |
| src_interface | principal.labels.key/value (deprecated) additional.fields |
| src_ip | principal.ip |
| src_mac | principal.mac |
| src_port | principal.port |
| src_priority | principal.labels.key/value (deprecated) additional.fields |
| src_translated_ip | principal.nat_ip |
| src_translated_port | principal.nat_port |
| src_zone | principal.location.country_or_region |
| ssid | about.labels.key/value (deprecated) additional.fields |
| tag | about.labels.key/value (deprecated) additional.fields |
| tcp_flag | about.labels.key/value (deprecated) additional.fields |
| transport | network.ip_protocol |
| tos | about.labels.key/value (deprecated) additional.fields |
| ttl | network.dns.additional.ttl |
| user | principal.user.userid |
| user_bunit | about.labels.key/value (deprecated) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.labels.key/value |
| vendor_account | about.labels.key/value (deprecated) additional.fields |
| vendor_product | about.labels.key/value (deprecated) additional.fields |
| vlan | about.labels.key/value (deprecated) additional.fields |
| wifi | about.labels.key/value (deprecated) additional.fields |
All_Performance
下表列出了 Splunk 数据集 All_Performance 的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| dest | target.ip target.hostname target.labels.key/value(已弃用) |
| dest_bunit | target.labels.key/value(已弃用) additional.fields |
| dest_category | target.labels.key/value(已弃用) additional.fields |
| dest_priority | target.labels.key/value(已弃用) additional.fields |
| dest_should_timesync | target.labels.key/value(已弃用) additional.fields |
| dest_should_update | target.labels.key/value(已弃用) additional.fields |
| hypervisor_id | about.labels.key/value(已废弃) additional.fields |
| resource_type | about.labels.key/value(已废弃) additional.fields |
| 标记 | about.labels.key/value(已废弃) additional.fields |
设施
下表列出了 Splunk 数据集“设施”的日志字段和相应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| fan_speed | about.labels.key/value(已废弃) additional.fields |
| power | about.labels.key/value(已废弃) additional.fields |
| temperature | about.labels.key/value(已废弃) additional.fields |
Timesync
下表列出了 Splunk 数据集 Timesync 的日志字段和相应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| 操作 | security_result.action_details security_result.action |
正常运行时间
下表列出了 Splunk 数据集“正常运行时间”的日志字段和相应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| uptime | about.labels.key/value(已废弃) additional.fields |
View_Activity
下表列出了 Splunk 数据集 View_Activity 的日志字段和相应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| 应用 | target.application |
| 支出 | about.labels.key/value(已废弃) additional.fields |
| uri | about.labels.key/value(已废弃) additional.fields |
| 用户 | principal.user.user_display_name |
| 查看 | about.labels.key/value(已废弃) additional.fields |
Datamodel_Acceleration
下表列出了 Splunk 数据集 Datamodel_Acceleration 的日志字段和对应的 UDM 映射:
| 日志字段 | UDM 映射 |
|---|---|
| access_count | about.labels.key/value(已废弃) additional.fields |
| access_time | about.labels.key/value(已废弃) additional.fields |
| 应用 | target.application |
| 存储桶 | about.labels.key/value(已废弃) additional.fields |
| buckets_size | about.labels.key/value(已废弃) additional.fields |
| 完成 | about.labels.key/value(已废弃) additional.fields |
| cron | about.labels.key/value(已废弃) additional.fields |
| datamodel | about.labels.key/value(已废弃) additional.fields |
| 摘要 | about.labels.key/value(已废弃) additional.fields |
| 最早 | about.labels.key/value(已废弃) additional.fields |
| is_inprogress | about.labels.key/value(已废弃) additional.fields |
| last_error | about.labels.key/value(已废弃) additional.fields |
| last_sid | about.labels.key/value(已废弃) additional.fields |
| 最新 | about.labels.key/value(已废弃) additional.fields |
| mod_time | about.labels.key/value(已废弃) additional.fields |
| 保留 | about.labels.key/value(已废弃) additional.fields |
| 大小 | about.file.size |
| summary_id | about.labels.key/value(已废弃) additional.fields |
Search_Activity
The following table lists the log fields of the Splunk dataset Search_Activity and the corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| host | about.hostname |
| info | about.labels.key/value (deprecated) additional.fields |
| search | about.labels.key/value (deprecated) additional.fields |
| search_et | about.labels.key/value (deprecated) additional.fields |
| search_lt | about.labels.key/value (deprecated) additional.fields |
| search_type | about.labels.key/value (deprecated) additional.fields |
| source | principal.labels.key/value (deprecated) additional.fields |
| sourcetype | principal.labels.key/value (deprecated) additional.fields |
| user | principal.user.user_display_name |
| user_bunit | about.labels.key/value (deprecated) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.labels.key/value |
Scheduler_Activity
The following table lists the log fields of the Splunk dataset Scheduler_Activity and the corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| app | target.application |
| host | about.hostname |
| savedsearch_name | about.labels.key/value (deprecated) additional.fields |
| sid | about.labels.key/value (deprecated) additional.fields |
| source | principal.labels.key/value (deprecated) additional.fields |
| sourcetype | principal.labels.key/value (deprecated) additional.fields |
| splunk_server | principal.ip, principal.hostname |
| status | security_result.summary |
| user | principal.user.user_display_name |
Web_Service_Errors
The following table lists the log fields of the Splunk dataset Web_Service_Errors and the corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| host | about.hostname |
| source | principal.labels.key/value (deprecated) additional.fields |
| sourcetype | principal.labels.key/value (deprecated) additional.fields |
| event_id | security_result.rule_name |
Modular_Actions
The following table lists the log fields of the Splunk dataset Modular_Actions and the corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| action_mode | about.labels.key/value (deprecated) additional.fields |
| action_status | about.labels.key/value (deprecated) additional.fields |
| app | target.application |
| duration | network.session_duration |
| component | about.labels.key/value (deprecated) additional.fields |
| orig_rid | about.labels.key/value (deprecated) additional.fields |
| orig_sid | about.labels.key/value (deprecated) additional.fields |
| rid | about.labels.key/value (deprecated) additional.fields |
| search_name | about.labels.key/value (deprecated) additional.fields |
| action_name | security_result.action_details |
| signature | metadata.description |
| sid | about.labels.key/value (deprecated) additional.fields |
| user | about.labels.key/value (deprecated) additional.fields |
All_Ticket_Management
The following table lists the log fields of the Splunk dataset All_Ticket_Management and the corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| affect_dest | target.labels.key/value (deprecated) additional.fields |
| comment | about.labels.key/value (deprecated) additional.fields |
| description | security_result.description |
| dest | target.ip target.hostname target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated) additional.fields |
| dest_category | target.labels.key/value (deprecated) additional.fields |
| dest_priority | target.labels.key/value (deprecated) additional.fields |
| priority | security_result.priority_details |
| severity | security_result.severity |
| severity_id | about.labels.key/value (deprecated) additional.fields |
| splunk_id | about.labels.key/value (deprecated) additional.fields |
| splunk_realm | about.labels.key/value (deprecated) additional.fields |
| src_user | principal.user.user_display_name |
| src_user_bunit | principal.labels.key/value (deprecated) additional.fields |
| src_user_category | principal.labels.key/value (deprecated) additional.fields |
| src_user_priority | principal.labels.key/value (deprecated) additional.fields |
| status | security_result.summary |
| tag | about.labels.key/value (deprecated) additional.fields |
| ticket_id | target.user.attribute.labels.key/value |
| time_submitted | principal.user.attribute.creation_time |
| user | principal.user.user_display_name |
| user_bunit | about.labels.key/value (deprecated) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.labels.key/value |
Change
The following table lists the log fields of the Splunk dataset Change and the corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| change | about.labels.key/value (deprecated) additional.fields |
Incident
The following table lists the log fields of the Splunk dataset Incident and the corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| incident | about.labels.key/value (deprecated) additional.fields |
Problem
The following table lists the log fields of the Splunk dataset Problem and the corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| problem | about.labels.key/value (deprecated) additional.fields |
Updates
The following table lists the log fields of the Splunk dataset Updates and the corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| dest | target.ip target.hostname target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated) additional.fields |
| dest_category | target.labels.key/value (deprecated) additional.fields |
| dest_priority | target.labels.key/value (deprecated) additional.fields |
| dest_should_update | target.labels.key/value (deprecated) additional.fields |
| dvc | principal.asset.hostname, principal.asset.ip |
| file_hash | target.file.sha256, target.file.md5, target.file.sha1 |
| file_name | about.labels.key/value (deprecated) additional.fields |
| severity | security_result.severity |
| severity_id | about.labels.key/value (deprecated) additional.fields |
| signature | metadata.description |
| signature_id | metadata.product_event_type |
| status | security_result.summary |
| tag | about.labels.key/value (deprecated) additional.fields |
| vendor_product | about.labels.key/value (deprecated) additional.fields |
Vulnerabilities
The following table lists the log fields of the Splunk dataset Vulnerabilities and the corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| bugtraq | about.labels.key/value (deprecated) additional.fields |
| category | security_result.category_details |
| cert | about.labels.key/value (deprecated) additional.fields |
| cve | extensions.vulns.vulnerabilities.cve_description |
| cvss | extensions.vulns.vulnerabilities.cvss_base_score |
| dest | target.ip target.hostname target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated) additional.fields |
| dest_category | target.labels.key/value (deprecated) additional.fields |
| dest_priority | target.labels.key/value (deprecated) additional.fields |
| dvc | principal.asset.hostname, principal.asset.ip |
| dvc_bunit | about.labels.key/value (deprecated) additional.fields |
| dvc_category | about.labels.key/value (deprecated) additional.fields |
| dvc_priority | about.labels.key/value (deprecated) additional.fields |
| msft | about.labels.key/value (deprecated) additional.fields |
| mskb | about.labels.key/value (deprecated) additional.fields |
| severity | extensions.vulns.vulnerabilities.severity |
| severity_id | about.labels.key/value (deprecated) additional.fields |
| signature | metadata.description |
| signature_id | metadata.product_event_type |
| tag | about.labels.key/value (deprecated) additional.fields |
| url | extensions.vulns.vulnerabilities.about.url |
| user | extensions.vulns.vulnerabilities.about.user.user_display_name |
| user_bunit | about.labels.key/value (deprecated) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.labels.key/value |
| vendor_product | about.labels.key/value (deprecated) additional.fields |
| xref | about.labels.key/value (deprecated) additional.fields |
Web
The following table lists the log fields of the Splunk dataset Web and the corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| action | security_result.action_details security_result.action |
| app | target.application |
| bytes | about.labels.key/value (deprecated) additional.fields |
| bytes_in | network.received_bytes |
| bytes_out | network.sent_bytes |
| cached | about.labels.key/value (deprecated) additional.fields |
| category | security_result.category_details |
| cookie | about.labels.key/value (deprecated) additional.fields |
| dest | target.ip target.hostname target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated) additional.fields |
| dest_category | target.labels.key/value (deprecated) additional.fields |
| dest_priority | target.labels.key/value (deprecated) additional.fields |
| dest_port | target.port |
| duration | network.session_duration |
| http_content_type | about.labels.key/value (deprecated) additional.fields |
| http_method | network.http.method |
| http_referrer | network.http.referral_url |
| http_referrer_domain | about.labels.key/value (deprecated) additional.fields |
| http_user_agent | network.http.user_agent |
| http_user_agent_length | about.labels.key/value (deprecated) additional.fields |
| response_time | about.labels.key/value (deprecated) additional.fields |
| site | about.labels.key/value (deprecated) additional.fields |
| src | principal.ip principal.hostname principal.labels.key/value (deprecated) |
| src_bunit | principal.labels.key/value (deprecated) additional.fields |
| src_category | principal.labels.key/value (deprecated) additional.fields |
| src_priority | principal.labels.key/value (deprecated) additional.fields |
| status | network.http.response_code |
| tag | about.labels.key/value (deprecated) additional.fields |
| uri_path | about.labels.key/value (deprecated) additional.fields |
| uri_query | about.labels.key/value (deprecated) additional.fields |
| url | about.url |
| url_domain | about.asset.network_domain |
| url_length | about.labels.key/value (deprecated) additional.fields |
| user | principal.user.user_display_name |
| user_bunit | about.labels.key/value (deprecated) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.labels.key/value |
| vendor_product | about.labels.key/value (deprecated) additional.fields |
UDM event types
The following table lists the Splunk tags and the corresponding UDM event types. Rows sharing a data model differ by tag set; the row whose tags most completely describe the event applies (for example, an event tagged network, session, dhcp is NETWORK_DHCP, not NETWORK_CONNECTION):
| Data model | Splunk tags | UDM event type |
|---|---|---|
| Alerts | alert | STATUS_UPDATE |
| Authentication | authentication | USER_UNCATEGORIZED |
| Certificates | certificate | NETWORK_UNCATEGORIZED |
| Change | change | SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Data Access | data, access | USER_RESOURCE_ACCESS |
| Databases | database | USER_RESOURCE_ACCESS |
| Databases | database, instance, stats | STATUS_UPDATE |
| Databases | database, instance, status | STATUS_UPDATE |
| Databases | database, instance, lock | STATUS_UPDATE |
| Databases | database, query | STATUS_UPDATE |
| Databases | database, query, tablespace | STATUS_UPDATE |
| Databases | database, query, stats | STATUS_UPDATE |
| Data Loss Prevention | dlp, incident | SCAN_UNCATEGORIZED |
| Email | email | EMAIL_UNCATEGORIZED |
| Email | email, delivery | EMAIL_TRANSACTION |
| Endpoint | listening, port | SERVICE_UNSPECIFIED |
| Endpoint | process, report | PROCESS_UNCATEGORIZED |
| Endpoint | service, report | SERVICE_UNSPECIFIED |
| Endpoint | endpoint, filesystem | FILE_UNCATEGORIZED |
| Endpoint | endpoint, registry | REGISTRY_UNCATEGORIZED |
| Event Signatures | track_event_signature | STATUS_UPDATE |
| Interprocess Messaging | messaging | STATUS_UPDATE |
| Intrusion Detection | ids, attack | SERVICE_UNSPECIFIED |
| Inventory | inventory | SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Java Virtual Machines (JVM) | jvm | SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Malware | malware | STATUS_UPDATE |
| Network Resolution (DNS) | network, resolution, dns | NETWORK_DNS |
| Network Sessions | network, session | NETWORK_CONNECTION |
| Network Sessions | network, session, dhcp | NETWORK_DHCP |
| Network Traffic | network, communicate | NETWORK_CONNECTION |
| Performance | performance | SERVICE_UNSPECIFIED |
| Splunk Audit Logs | modaction | STATUS_UPDATE |
| Ticket Management | ticketing | STATUS_UPDATE |
| Ticket Management | ticketing, change | STATUS_UPDATE |
| Updates | update | STATUS_UPDATE |
| Vulnerabilities | report, vulnerability | SCAN_UNCATEGORIZED |
| Web | web | NETWORK_UNCATEGORIZED |
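The Python script below is an added example, not Google SecOps parser code, written to show what the Web mapping table and the UDM event types table produce once applied to a flattened `| datamodel Web Web flat` row. Two behaviours the tables state only as alternatives are modelled here as assumptions: `src`/`dest` land in `*.ip` or `*.hostname` depending on whether the value parses as an IP address, and `file_hash` (Updates and Vulnerabilities tables) is routed to `target.file.md5`/`sha1`/`sha256` by digest length. The tag-set resolution (largest matching tag set wins), the CIM `allowed`/`blocked` to UDM `ALLOW`/`BLOCK` mapping, the `GENERIC_EVENT` fallback and the sample event are all constructed for illustration and are not documented parser behaviour.

```python
"""Illustrative normalizer: flattened Splunk CIM fields -> UDM-shaped dict.

Added example, not Google SecOps parser code. The dispatch rules below
(IP vs hostname, hash length, most-specific tag set) are assumptions.
"""
import ipaddress
import re

# Excerpt of the "UDM event types" table, keyed by tag set.
TAG_EVENT_TYPES = {
    frozenset({"network", "session"}): "NETWORK_CONNECTION",
    frozenset({"network", "session", "dhcp"}): "NETWORK_DHCP",
    frozenset({"network", "communicate"}): "NETWORK_CONNECTION",
    frozenset({"network", "resolution", "dns"}): "NETWORK_DNS",
    frozenset({"web"}): "NETWORK_UNCATEGORIZED",
    frozenset({"update"}): "STATUS_UPDATE",
    frozenset({"report", "vulnerability"}): "SCAN_UNCATEGORIZED",
}

# Web-table fields with a dedicated UDM home (string-valued).
WEB_DIRECT = {
    "app": ("target", "application"),
    "user": ("principal", "user", "user_display_name"),
    "http_method": ("network", "http", "method"),
    "http_user_agent": ("network", "http", "user_agent"),
    "http_referrer": ("network", "http", "referral_url"),
    "url": ("about", "url"),
    "url_domain": ("about", "asset", "network_domain"),
    "category": ("security_result", "category_details"),
}
# Web-table fields that must be numeric in UDM.
WEB_INT = {
    "dest_port": ("target", "port"),
    "status": ("network", "http", "response_code"),
    "bytes_in": ("network", "received_bytes"),
    "bytes_out": ("network", "sent_bytes"),
    "duration": ("network", "session_duration"),
}
HASH_FIELD_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}  # assumption
HEX = re.compile(r"^[0-9a-f]+$")


def resolve_event_type(tags):
    """Most-specific row: the largest tag set fully contained in the event's tags."""
    tagset = frozenset(t.strip().lower() for t in tags if t.strip())
    matches = [row for row in TAG_EVENT_TYPES if row <= tagset]
    if not matches:
        return "GENERIC_EVENT"  # assumption: fallback when no row applies
    return TAG_EVENT_TYPES[max(matches, key=len)]


def ip_or_hostname(value):
    """'10.0.0.5' -> 'ip'; 'proxy01.corp.example' -> 'hostname'."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        return "hostname"


def hash_field(digest):
    """Route a CIM file_hash to target.file.{md5,sha1,sha256}; None if unrecognised."""
    d = digest.strip().lower()
    return HASH_FIELD_BY_LEN.get(len(d)) if HEX.match(d) else None


def _put(udm, path, value):
    node = udm
    for key in path[:-1]:
        node = node.setdefault(key, {})
    node[path[-1]] = value


def normalize_web(event):
    """Map one flattened CIM Web row (dict of strings) to a UDM-shaped dict."""
    tags = event.get("tag", "").split(",")
    udm = {"metadata": {"event_type": resolve_event_type(tags)},
           "additional": {"fields": {}}}
    for field, value in event.items():
        if field == "tag":
            continue
        if field in WEB_DIRECT:
            _put(udm, WEB_DIRECT[field], value)
        elif field in WEB_INT:
            try:
                _put(udm, WEB_INT[field], int(value))
            except ValueError:  # keep malformed numerics rather than drop them
                udm["additional"]["fields"][field] = value
        elif field in ("src", "dest"):
            noun = "principal" if field == "src" else "target"
            _put(udm, (noun, ip_or_hostname(value)), value)
        elif field == "action":
            _put(udm, ("security_result", "action_details"), value)
            verdict = {"allowed": "ALLOW", "blocked": "BLOCK"}.get(value.lower())
            if verdict:  # assumption: CIM action vocabulary -> UDM action enum
                _put(udm, ("security_result", "action"), verdict)
        else:  # everything else: additional.fields (the deprecated *.labels home)
            udm["additional"]["fields"][field] = value
    return udm


# Constructed sample row, as `| datamodel Web Web flat` would return it.
SAMPLE_WEB_EVENT = {
    "tag": "web", "action": "blocked", "app": "proxy",
    "src": "10.20.30.40", "dest": "files.example.net", "dest_port": "443",
    "http_method": "POST", "http_user_agent": "curl/8.4.0", "status": "403",
    "bytes_in": "512", "bytes_out": "1984",
    "url": "https://files.example.net/upload", "uri_path": "/upload",
    "user": "vpatel",
}

if __name__ == "__main__":
    import json
    print(json.dumps(normalize_web(SAMPLE_WEB_EVENT), indent=2, sort_keys=True))
```

Running the script prints the nested UDM-shaped document for the sample row: `src` becomes `principal.ip` while `dest` becomes `target.hostname`, `status` and `dest_port` are cast to integers, `uri_path` falls through to `additional.fields`, and `tag` is consumed to pick `NETWORK_UNCATEGORIZED`. Comparing this shape with the UDM that Google SecOps actually emits for the same Splunk row is a quick way to confirm the forwarder query returns the fields the tables expect.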