Collect Splunk Common Information Model (CIM) logs
This document describes how to configure Splunk and the Google Security Operations forwarder to collect Splunk Common Information Model (CIM) logs. It also lists the supported log types and Splunk versions.
For more information, see Data ingestion to Google Security Operations.
Overview
The following diagram shows the deployment architecture and how the Splunk agent is configured to send logs to Google Security Operations. Each customer deployment might differ from this representation and might be more complex.
The architecture diagram shows the following components:
Data source: the system to be monitored, on which Splunk is installed.
Splunk: collects information from the data source and forwards it to the Google Security Operations forwarder.
Google Security Operations forwarder: a lightweight software component deployed in the customer's network that forwards logs to Google Security Operations.
Google Security Operations: retains and analyzes the logs from the Fleet server.
An ingestion label identifies the parser that normalizes raw log data into the structured UDM format. The information in this document applies to the parser with the SPLUNK ingestion label.
Before you begin
Use Splunk version 5.0, which the Google Security Operations parser supports.
Ensure that all systems in the deployment architecture are configured to use Coordinated Universal Time (UTC).
Configure the Splunk agent and the Google Security Operations forwarder
Install a CIM-compliant agent from Splunkbase.
Configure the Google Security Operations forwarder to push logs to the Google Security Operations system. The following is a sample Google Security Operations forwarder configuration:
```yaml
- splunk:
    common:
      enabled: true
      data_type: SPLUNK
      batch_n_seconds: 10
      batch_n_bytes: 819200
    url: <SPLUNK_URL>
    query_cim: true
    is_ignore_cert: true
    query_string: datamodel Network_Traffic All_Traffic flat
```
Considerations when writing Splunk search queries
Splunk has its own search language, which is similar to SQL. Make sure that you use the correct search query syntax. When building a query, consider the following characteristics of the search:
Escape characters
If a string value contains a double quote ("), escape the quote with a backslash character. Otherwise, the search misinterprets where the string value ends.
For example, to search for the string WHERE _raw="The user "vpatel" isn't authenticated.",
you must use the \" sequence to search for the double quotes.
Write the search string in the following format:
WHERE _raw="The user \"vpatel\" isn't authenticated."
To escape a backslash character (\), use the \\ sequence to search for the backslash.
For example, if the string resembles C:\user\abc, it must be written as C:\\user\\abc.
Search with incorrect syntax
If any part of the query is invalid, the whole query is not evaluated and an error message is displayed.
Consider the following example, in which the query is missing the search mode option:
multisearch [|datamodel Network_Traffic All_Traffic] [|datamodel Network_Sessions All_Sessions flat]
In this example, the query is missing the search mode option, which results in the following error:
Error in 'multisearch' command: Multisearch sub searches might only contain purely streaming operations. The search job has failed due to an error.
Support for multiple data models
Splunk supports large queries across data models. The following search query fetches data from multiple data models:
multisearch [|datamodel Network_Traffic All_Traffic flat] [|datamodel Network_Sessions All_Sessions flat]
The query has the following components, which span data models:
Multisearch: the query must begin with the word multisearch. The query content for each data model must be enclosed in square brackets [ ] and begin with a pipe | character.
Network_Traffic: the name of the data model.
All_Traffic: the dataset of the Network_Traffic data model.
flat: the search mode. The other options are search and acceleration_search.
We recommend using the following Splunk query to search multiple data models:
multisearch [|datamodel Network_Traffic All_Traffic flat] [|datamodel Network_Sessions All_Sessions flat]
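The following added example (not part of this document, the forwarder, or Splunk) turns the rules above into a pre-flight check that can be run on a query before it is placed in the forwarder's query_string: it escapes " and \ in a string literal, verifies that every multisearch subsearch names a search mode (the omission that produces the error shown above), and flags is_ignore_cert: true in the forwarder sample, whose meaning (skipping TLS certificate verification for the connection to Splunk) is assumed from the key name. The config dictionary is constructed to mirror the sample configuration on this page.

```python
"""Pre-flight checks for a Splunk query destined for the forwarder's
query_string.  Added illustration, not code from the forwarder or Splunk;
it encodes the escaping and multisearch rules described in the text."""
import re

# Search modes accepted after `| datamodel <model> <dataset>`.
SEARCH_MODES = ("flat", "search", "acceleration_search")

# Constructed to mirror the `splunk:` section of the forwarder sample above.
SAMPLE_SPLUNK_CONFIG = {
    "common": {"enabled": True, "data_type": "SPLUNK",
               "batch_n_seconds": 10, "batch_n_bytes": 819200},
    "url": "<SPLUNK_URL>",
    "query_cim": True,
    "is_ignore_cert": True,
    "query_string": "datamodel Network_Traffic All_Traffic flat",
}


def escape_spl_string(value: str) -> str:
    """Escape a literal so it can sit inside double quotes in SPL.

    Backslashes are doubled first, then embedded double quotes are
    escaped, so a backslash that was already present never swallows
    the quote escape that follows it.
    """
    return value.replace("\\", "\\\\").replace('"', '\\"')


def raw_equals(value: str) -> str:
    """Build the `WHERE _raw="..."` clause shown in the text."""
    return 'WHERE _raw="%s"' % escape_spl_string(value)


_DATAMODEL = re.compile(
    r"^\|\s*datamodel\s+(?P<model>\w+)\s+(?P<dataset>\w+)"
    r"(?:\s+(?P<mode>\w+))?\s*$"
)


def check_multisearch(query: str) -> list[str]:
    """Return the problems found in a multisearch over data models.

    An empty list means the query follows the rules above: it starts
    with `multisearch`, every subsearch is bracketed, begins with a
    pipe, and names one of the search modes.
    """
    problems = []
    query = query.strip()
    if not query.startswith("multisearch"):
        return ["query must start with 'multisearch'"]
    subsearches = re.findall(r"\[(.*?)\]", query[len("multisearch"):])
    if not subsearches:
        problems.append("no bracketed subsearch found")
    for sub in subsearches:
        sub = sub.strip()
        if not sub.startswith("|"):
            problems.append(f"subsearch must start with '|': {sub!r}")
            continue
        m = _DATAMODEL.match(sub)
        if not m:
            problems.append(f"not a datamodel subsearch: {sub!r}")
            continue
        mode = m.group("mode")
        if mode is None:
            problems.append(
                f"{m.group('model')} {m.group('dataset')}: missing search mode "
                f"(one of {', '.join(SEARCH_MODES)})"
            )
        elif mode not in SEARCH_MODES:
            problems.append(f"unknown search mode {mode!r}")
    return problems


def check_forwarder_config(splunk_cfg: dict) -> list[str]:
    """Check the `splunk:` section of a forwarder config, given as a dict.

    Besides validating query_string, this flags is_ignore_cert: true,
    which (assumed from the key name) disables TLS certificate
    verification for the forwarder's connection to <SPLUNK_URL>.
    """
    problems = []
    if splunk_cfg.get("is_ignore_cert") is True:
        problems.append(
            "is_ignore_cert is true: TLS certificate of "
            f"{splunk_cfg.get('url')} is not verified")
    query = splunk_cfg.get("query_string", "")
    single = r"^\s*\|?\s*datamodel\s+\w+\s+\w+\s+(%s)\s*$" % "|".join(SEARCH_MODES)
    if query.lstrip().startswith("multisearch"):
        problems.extend(check_multisearch(query))
    elif not re.match(single, query):
        problems.append(f"query_string lacks a data model search mode: {query!r}")
    return problems


if __name__ == "__main__":
    print(raw_equals('The user "vpatel" isn\'t authenticated.'))
    for problem in check_forwarder_config(SAMPLE_SPLUNK_CONFIG):
        print("forwarder config:", problem)
```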
Supported log types and data models
| Splunk data model | Supported |
|---|---|
| Alerts | Yes |
| Application State (deprecated) | No |
| Authentication | Yes |
| Certificates | Yes |
| Change | Yes |
| Change Analysis (deprecated) | No |
| Data Access | Yes |
| Databases | Yes |
| Data Loss Prevention | Yes |
| Email | Yes |
| Endpoint | Yes |
| Event Signatures | Yes |
| Interprocess Messaging | Yes |
| Intrusion Detection | Yes |
| Inventory | Yes |
| Java Virtual Machines (JVM) | Yes |
| Malware | Yes |
| Network Resolution (DNS) | Yes |
| Network Sessions | Yes |
| Network Traffic | Yes |
| Performance | Yes |
| Splunk Audit Logs | Yes |
| Ticket Management | Yes |
| Updates | Yes |
| Vulnerabilities | Yes |
| Web | Yes |
Supported Splunk CIM log formats
The Splunk CIM parser supports logs in JSON format.
Supported Splunk CIM sample log
JSON
```json
{
  "Channel": "Microsoft-Windows-Sysmon/Operational",
  "Computer": "dhcp-ad01.testdhcp2.local",
  "EventChannel": "Microsoft-Windows-Sysmon/Operational",
  "EventCode": "5",
  "EventData_Xml": "<Data Name='RuleName'>-<\\/Data><Data Name='UtcTime'>2021-10-22 06:38:15.540<\\/Data><Data Name='ProcessGuid'>{8AE2CCCF-5C56-6172-84FE-000000001500}<\\/Data><Data Name='ProcessId'>5616<\\/Data><Data Name='Image'>C:\\\\Program Files\\\\Splunk\\\\bin\\\\splunk-optimize.exe<\\/Data>",
  "EventDescription": "Process terminated",
  "EventID": "5",
  "EventRecordID": "157268",
  "Guid": "'{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'",
  "Image": "C:\\\\Program Files\\\\Splunk\\\\bin\\\\splunk-optimize.exe",
  "Keywords": "0x8000000000000000",
  "Level": "4",
  "Name": "'Microsoft-Windows-Sysmon'",
  "Opcode": "0",
  "ProcessGuid": "{8AE2CCCF-5C56-6172-84FE-000000001500}",
  "ProcessID": "'2888'",
  "ProcessId": "5616",
  "RecordID": "157268",
  "RecordNumber": "157268",
  "RuleName": "-",
  "SecurityID": "S-1-5-18",
  "SystemTime": "'2021-10-22T06:38:15.548776000Z'",
  "System_Props_Xml": "<Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>5<\\/EventID><Version>3<\\/Version><Level>4<\\/Level><Task>5<\\/Task><Opcode>0<\\/Opcode><Keywords>0x8000000000000000<\\/Keywords><TimeCreated SystemTime='2021-10-22T06:38:15.548776000Z'/><EventRecordID>157268<\\/EventRecordID><Correlation/><Execution ProcessID='2888' ThreadID='3648'/><Channel>Microsoft-Windows-Sysmon/Operational<\\/Channel><Computer>dhcp-ad01.testdhcp2.local<\\/Computer><Security UserID='S-1-5-18'/>",
  "Task": "5",
  "ThreadID": "'3648'",
  "TimeCreated": "2021-10-22T06:38:15.548776000Z",
  "UserID": "'S-1-5-18'",
  "UtcTime": "2021-10-22 06:38:15.540",
  "Version": "3",
  "_raw": "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>5<\\/EventID><Version>3<\\/Version><Level>4<\\/Level><Task>5<\\/Task><Opcode>0<\\/Opcode><Keywords>0x8000000000000000<\\/Keywords><TimeCreated SystemTime='2021-10-22T06:38:15.548776000Z'/><EventRecordID>157268<\\/EventRecordID><Correlation/><Execution ProcessID='2888' ThreadID='3648'/><Channel>Microsoft-Windows-Sysmon/Operational<\\/Channel><Computer>dhcp-ad01.testdhcp2.local<\\/Computer><Security UserID='S-1-5-18'/><\\/System><EventData><Data Name='RuleName'>-<\\/Data><Data Name='UtcTime'>2021-10-22 06:38:15.540<\\/Data><Data Name='ProcessGuid'>{8AE2CCCF-5C56-6172-84FE-000000001500}<\\/Data><Data Name='ProcessId'>5616<\\/Data><Data Name='Image'>C:\\\\Program Files\\\\Splunk\\\\bin\\\\splunk-optimize.exe<\\/Data><\\/EventData><\\/Event>",
  "_time": "2021-10-22T12:08:15.540+0530",
  "action": "blocked",
  "date_hour": "6",
  "date_mday": "22",
  "date_minute": "38",
  "date_month": "october",
  "date_second": "15",
  "date_wday": "friday",
  "date_year": "2021",
  "date_zone": "0",
  "dest": "dummy.domain.com",
  "dvc_nt_host": "DHCP-AD01",
  "event_id": "157268",
  "eventtype": [ "endpoint_services_processes", "ms-sysmon-process", "windows_event_signature" ],
  "host": "DHCP-AD01",
  "id": "157268",
  "index": "main",
  "linecount": "1",
  "os": "Microsoft Windows",
  "process": "C:\\\\Program Files\\\\Splunk\\\\bin\\\\splunk-optimize.exe",
  "process_exec": "splunk-optimize.exe",
  "process_guid": "{8AE2CCCF:5C56:6172:84FE-000000001500}",
  "process_id": "5616",
  "process_name": "splunk-optimize.exe",
  "process_path": "C:\\\\Program Files\\\\Splunk\\\\bin\\\\splunk-optimize.exe",
  "punct": "<_='://../////'><><_='--'_='{----}'/><><\\/><><\\/><><",
  "signature": "Process terminated",
  "signature_id": "5",
  "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational",
  "sourcetype": "XmlWinEventLog",
  "splunk_server": "dhcp-ad01",
  "tag": [ "process", "report", "track_event_signatures" ],
  "tag::eventtype": [ "process", "report", "track_event_signatures" ],
  "timeendpos": "671",
  "timestartpos": "648",
  "user_id": "'dummy-user-id'",
  "vendor_product": "Microsoft Sysmon"
}
```
Field mapping reference
This section describes how the Google Security Operations parser maps the Splunk log fields of each dataset to Google Security Operations Unified Data Model (UDM) fields. For details, see the Splunk documentation for version 5.0.1.
Alerts
The following table lists the log fields of the Splunk dataset Alerts and their corresponding UDM fields:
| Log field | UDM mapping |
|---|---|
| app | observer.application |
| description | security_result.description |
| dest | target.ip target.hostname target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated) additional.fields |
| dest_category | target.labels.key/value (deprecated) additional.fields |
| dest_priority | target.labels.key/value (deprecated) additional.fields |
| dest_type | target.resource.resource_type |
| id | metadata.product_log_id |
| mitre_technique_id | security_result.detection_fields.labels.key/value |
| severity | security_result.severity |
| severity_id | about.labels.key/value (deprecated) additional.fields |
| signature | metadata.description |
| signature_id | security_result.rule_name |
| src | principal.ip principal.hostname principal.labels.key/value (deprecated) |
| src_bunit | principal.labels.key/value (deprecated) additional.fields |
| src_category | principal.labels.key/value (deprecated) additional.fields |
| src_priority | principal.labels.key/value (deprecated) additional.fields |
| src_type | principal.resource.resource_type |
| tag | about.labels.key/value (deprecated) additional.fields |
| type | security_result.alert_state |
| user | principal.user.user_display_name |
| user_bunit | about.labels.key/value (deprecated) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_name | principal.user.userid |
| user_priority | principal.user.attribute.label.key/value |
| vendor_account | about.labels.key/value (deprecated) additional.fields |
| vendor_region | about.location.country_or_region |
Authentication
The following table lists the log fields of the Splunk dataset Authentication and their corresponding UDM fields:
| Log field | UDM mapping |
|---|---|
| action | security_result.action_details security_result.action |
| app | target.application |
| authentication_method | about.labels.key/value (deprecated) additional.fields |
| authentication_service | extension.auth.auth_details |
| dest | target.ip target.hostname target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated) additional.fields |
| dest_category | target.labels.key/value (deprecated) additional.fields |
| dest_nt_domain | target.labels.key/value (deprecated) additional.fields |
| dest_priority | target.labels.key/value (deprecated) additional.fields |
| duration | network.session_duration |
| reason | security_result.summary |
| response_time | about.labels.key/value (deprecated) additional.fields |
| signature | metadata.description |
| signature_id | metadata.product_event_type |
| src | principal.ip principal.hostname principal.labels.key/value (deprecated) |
| src_bunit | principal.labels.key/value (deprecated) additional.fields |
| src_category | principal.labels.key/value (deprecated) additional.fields |
| src_nt_domain | principal.labels.key/value (deprecated) additional.fields |
| src_priority | principal.labels.key/value (deprecated) additional.fields |
| src_user | principal.user.user_display_name |
| src_user_bunit | principal.labels.key/value (deprecated) additional.fields |
| src_user_category | principal.labels.key/value (deprecated) additional.fields |
| src_user_id | principal.user.userid |
| src_user_priority | principal.labels.key/value (deprecated) additional.fields |
| src_user_role | principal.user.attribute.roles.name (repeated) |
| src_user_type | principal.user.attribute.roles.type |
| tag | about.labels.key/value (deprecated) additional.fields |
| user | principal.user.user_display_name |
| user_agent | network.http.user_agent |
| user_bunit | about.labels.key/value (deprecated) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_id | principal.user.userid |
| user_priority | principal.user.attribute.label.key/value |
| user_role | principal.user.attribute.roles.name (repeated) |
| user_type | principal.user.attribute.roles.type |
| vendor_account | about.labels.key/value (deprecated) additional.fields |
All_Certificates
The following table lists the log fields of the Splunk dataset All_Certificates and their corresponding UDM fields:
| Log field | UDM mapping |
|---|---|
| dest | target.ip target.hostname target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated) additional.fields |
| dest_category | target.labels.key/value (deprecated) additional.fields |
| dest_port | target.port |
| dest_priority | target.labels.key/value (deprecated) additional.fields |
| duration | network.session_duration |
| response_time | about.labels.key/value (deprecated) additional.fields |
| src | principal.ip principal.hostname principal.labels.key/value (deprecated) |
| src_bunit | principal.labels.key/value (deprecated) additional.fields |
| src_category | principal.labels.key/value (deprecated) additional.fields |
| src_port | principal.port |
| src_priority | principal.labels.key/value (deprecated) additional.fields |
| tag | about.labels.key/value (deprecated) additional.fields |
| transport | network.ip_protocol |
SSL
The following table lists the log fields of the Splunk dataset SSL and their corresponding UDM fields:
| Log field | UDM mapping |
|---|---|
| ssl_end_time | network.tls.server.certificate.not_after |
| ssl_engine | about.labels.key/value (deprecated) additional.fields |
| ssl_hash | about.labels.key/value (deprecated) additional.fields |
| ssl_is_valid | about.labels.key/value (deprecated) additional.fields |
| ssl_issuer | network.tls.server.certificate.issuer |
| ssl_issuer_common_name | about.labels.key/value (deprecated) additional.fields |
| ssl_issuer_email | about.labels.key/value (deprecated) additional.fields |
| ssl_issuer_email_domain | about.labels.key/value (deprecated) additional.fields |
| ssl_issuer_locality | about.labels.key/value (deprecated) additional.fields |
| ssl_issuer_organization | about.labels.key/value (deprecated) additional.fields |
| ssl_issuer_state | about.labels.key/value (deprecated) additional.fields |
| ssl_issuer_street | about.labels.key/value (deprecated) additional.fields |
| ssl_issuer_unit | about.labels.key/value (deprecated) additional.fields |
| ssl_name | about.labels.key/value (deprecated) additional.fields |
| ssl_policies | about.labels.key/value (deprecated) additional.fields |
| ssl_publickey | about.labels.key/value (deprecated) additional.fields |
| ssl_publickey_algorithm | about.labels.key/value (deprecated) additional.fields |
| ssl_serial | network.tls.server.certificate.serial |
| ssl_session_id | network.session_id |
| ssl_signature_algorithm | about.labels.key/value (deprecated) additional.fields |
| ssl_start_time | network.tls.server.certificate.not_before |
| ssl_subject | network.tls.server.certificate.subject |
| ssl_subject_common_name | about.labels.key/value (deprecated) additional.fields |
| ssl_subject_email | about.labels.key/value (deprecated) additional.fields |
| ssl_subject_email_domain | about.labels.key/value (deprecated) additional.fields |
| ssl_subject_locality | about.labels.key/value (deprecated) additional.fields |
| ssl_subject_organization | about.labels.key/value (deprecated) additional.fields |
| ssl_subject_state | about.labels.key/value (deprecated) additional.fields |
| ssl_subject_street | about.labels.key/value (deprecated) additional.fields |
| ssl_subject_unit | about.labels.key/value (deprecated) additional.fields |
| ssl_validity_window | about.labels.key/value (deprecated) additional.fields |
| ssl_version | network.tls.server.certificate.version |
All_Changes
The following table lists the log fields of the Splunk dataset All_Changes and their corresponding UDM fields:
| Log field | UDM mapping |
|---|---|
| action | security_result.action_details security_result.action |
| change_type | security_result.category_details |
| command | principal.process.command_line |
| dest | target.ip target.hostname target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated) additional.fields |
| dest_category | target.labels.key/value (deprecated) additional.fields |
| dest_priority | target.labels.key/value (deprecated) additional.fields |
| dvc | principal.asset.hostname, principal.asset.ip |
| object | target.resource.name |
| object_attrs | about.labels.key/value (deprecated) additional.fields |
| object_category | about.labels.key/value (deprecated) additional.fields |
| object_id | target.user.product_object_id |
| object_path | target.file.full_path |
| result | metadata.description |
| result_id | metadata.product_event_type |
| src | principal.ip principal.hostname principal.labels.key/value (deprecated) |
| src_bunit | principal.labels.key/value (deprecated) additional.fields |
| src_category | principal.labels.key/value (deprecated) additional.fields |
| src_priority | principal.labels.key/value (deprecated) additional.fields |
| status | security_result.summary |
| tag | about.labels.key/value (deprecated) additional.fields |
| user | target.user.userid |
| user_agent | network.http.user_agent |
| user_name | principal.user.user_display_name, target.labels.key/value |
| user_type | principal.user.attribute.roles.type, target.user.attribute.roles.type |
| vendor_account | about.labels.key/value (deprecated) additional.fields |
| vendor_product | about.labels.key/value (deprecated) additional.fields |
| vendor_region | about.location.country_or_region |
Account_Management
The following table lists the log fields of the Splunk dataset Account_Management and their corresponding UDM fields:
| Log field | UDM mapping |
|---|---|
| dest_nt_domain | target.administrative_domain |
| src_nt_domain | principal.administrative_domain |
| src_user | principal.user.userid |
| src_user_bunit | principal.labels.key/value (deprecated) additional.fields |
| src_user_category | principal.labels.key/value (deprecated) additional.fields |
| src_user_priority | principal.labels.key/value (deprecated) additional.fields |
| src_user_name | principal.labels.key/value (deprecated) additional.fields |
| src_user_type | principal.user.attribute.roles.type |
Instance_Changes
The following table lists the log fields of the Splunk dataset Instance_Changes and their corresponding UDM fields:
| Log field | UDM mapping |
|---|---|
| image_id | principal.asset_id |
| instance_type | about.labels.key/value (deprecated) additional.fields |
Network_Changes
The following table lists the log fields of the Splunk dataset Network_Changes and their corresponding UDM fields:
| Log field | UDM mapping |
|---|---|
| dest_ip_range | target.labels.key/value (deprecated) additional.fields |
| dest_port_range | target.labels.key/value (deprecated) additional.fields |
| direction | network.direction |
| protocol | network.ip_protocol |
| rule_action | security_result.action_details security_result.action |
| src_ip_range | principal.labels.key/value (deprecated) additional.fields |
| src_port_range | principal.labels.key/value (deprecated) additional.fields |
Data_Access
The following table lists the log fields of the Splunk dataset Data_Access and their corresponding UDM fields:
| Log field | UDM mapping |
|---|---|
| action | security_result.action_details security_result.action |
| app | target.application |
| app_id | metadata.product_log_id |
| dest | target.ip target.hostname target.labels.key/value (deprecated) |
| dest_name | target.administrative_domain |
| dest_url | target.url |
| dvc | principal.asset.hostname, principal.asset.ip |
| email | principal.user.email_addresses |
| object | target.resource.name |
| object_category | about.labels.key/value (deprecated) additional.fields |
| object_id | target.user.product_object_id |
| object_path | target.file.full_path |
| object_size | target.file.size |
| owner | about.labels.key/value (deprecated) additional.fields |
| owner_email | about.labels.key/value (deprecated) additional.fields |
| owner_id | principal.user.userid |
| parent_object | target.resource.parent |
| parent_object_id | about.labels.key/value (deprecated) additional.fields |
| parent_object_category | about.labels.key/value (deprecated) additional.fields |
| src | principal.ip principal.hostname principal.labels.key/value (deprecated) |
| tenant_id | about.labels.key/value (deprecated) additional.fields |
| user | principal.user.user_display_name |
| user_agent | network.http.user_agent |
| user_group | principal.user.group_identifiers (repeated) |
| user_role | principal.user.attribute.roles.name (repeated) |
| vendor_product | about.labels.key/value (deprecated) additional.fields |
| vendor_product_id | about.labels.key/value (deprecated) additional.fields |
All_Databases
The following table lists the log fields of the Splunk dataset All_Databases and their corresponding UDM fields:
| Log field | UDM mapping |
|---|---|
| dest | target.ip target.hostname target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated) additional.fields |
| dest_category | target.labels.key/value (deprecated) additional.fields |
| dest_priority | target.labels.key/value (deprecated) additional.fields |
| duration | network.session_duration |
| object | target.resource.name |
| response_time | about.labels.key/value (deprecated) additional.fields |
| src | principal.ip principal.hostname principal.labels.key/value (deprecated) |
| src_bunit | principal.labels.key/value (deprecated) additional.fields |
| src_category | principal.labels.key/value (deprecated) additional.fields |
| src_priority | principal.labels.key/value (deprecated) additional.fields |
| tag | about.labels.key/value (deprecated) additional.fields |
| user | principal.user.user_display_name |
| user_bunit | about.labels.key/value (deprecated) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value (deprecated) additional.fields |
Database_Instance
The following table lists the log fields of the Splunk dataset Database_Instance and their corresponding UDM fields:
| Log field | UDM mapping |
|---|---|
| instance_name | target.resource.attributes.key/value |
| instance_version | target.resource.attributes.key/value |
| process_limit | about.labels.key/value (deprecated) additional.fields |
| session_limit | about.labels.key/value (deprecated) additional.fields |
Database_Query
The following table lists the log fields of the Splunk dataset Database_Query and their corresponding UDM fields:
| Log field | UDM mapping |
|---|---|
| query | about.labels.key/value (deprecated) additional.fields |
| query_id | about.labels.key/value (deprecated) additional.fields |
| query_time | about.labels.key/value (deprecated) additional.fields |
| records_affected | about.labels.key/value (deprecated) additional.fields |
Instance_Stats
The following table lists the log fields of the Splunk dataset Instance_Stats and their corresponding UDM fields:
| Log field | UDM mapping |
|---|---|
| availability | about.labels.key/value (deprecated) additional.fields |
| avg_executions | about.labels.key/value (deprecated) additional.fields |
| dump_area_used | about.labels.key/value (deprecated) additional.fields |
| instance_reads | about.labels.key/value (deprecated) additional.fields |
| instance_writes | about.labels.key/value (deprecated) additional.fields |
| number_of_users | about.labels.key/value (deprecated) additional.fields |
| processes | about.labels.key/value (deprecated) additional.fields |
| sessions | about.labels.key/value (deprecated) additional.fields |
| sga_buffer_cache_size | about.labels.key/value (deprecated) additional.fields |
| sga_buffer_hit_limit | about.labels.key/value (deprecated) additional.fields |
| sga_data_dict_hit_ratio | about.labels.key/value (deprecated) additional.fields |
| sga_fixed_area_size | about.labels.key/value (deprecated) additional.fields |
| sga_free_memory | about.labels.key/value (deprecated) additional.fields |
| sga_library_cache_size | about.labels.key/value (deprecated) additional.fields |
| sga_redo_log_buffer_size | about.labels.key/value (deprecated) additional.fields |
| sga_shared_pool_size | about.labels.key/value (deprecated) additional.fields |
| sga_sql_area_size | about.labels.key/value (deprecated) additional.fields |
| start_time | about.labels.key/value (deprecated) additional.fields |
| tablespace_used | about.labels.key/value (deprecated) additional.fields |
Session_Info
The following table lists the log fields of the Splunk dataset Session_Info and their corresponding UDM fields:
| Log field | UDM mapping |
|---|---|
| buffer_cache_hit_ratio | about.labels.key/value (deprecated) additional.fields |
| commits | about.labels.key/value (deprecated) additional.fields |
| cpu_used | about.labels.key/value (deprecated) additional.fields |
| cursor | about.labels.key/value (deprecated) additional.fields |
| elapsed_time | about.labels.key/value (deprecated) additional.fields |
| logical_reads | about.labels.key/value (deprecated) additional.fields |
| machine | about.hostname |
| memory_sorts | about.labels.key/value (deprecated) additional.fields |
| physical_reads | about.labels.key/value (deprecated) additional.fields |
| seconds_in_wait | about.labels.key/value (deprecated) additional.fields |
| session_id | network.session_id |
| session_status | about.labels.key/value (deprecated) additional.fields |
| table_scans | about.labels.key/value (deprecated) additional.fields |
| wait_state | about.labels.key/value (deprecated) additional.fields |
| wait_time | about.labels.key/value (deprecated) additional.fields |
Lock_Info
The following table lists the log fields of the Splunk dataset Lock_Info and their corresponding UDM fields:
| Log field | UDM mapping |
|---|---|
| last_call_minute | about.labels.key/value (deprecated) additional.fields |
| lock_mode | about.labels.key/value (deprecated) additional.fields |
| lock_session_id | about.labels.key/value (deprecated) additional.fields |
| logon_time | about.labels.key/value (deprecated) additional.fields |
| obj_name | about.labels.key/value (deprecated) additional.fields |
| os_pid | target.process.pid |
| serial_num | target.resource.product_object_id |
Tablespace
The following table lists the log fields of the Splunk dataset Tablespace and their corresponding UDM fields:
| Log field | UDM mapping |
|---|---|
| free_bytes | about.file.size |
| tablespace_name | about.resource.name |
| tablespace_reads | about.labels.key/value (deprecated) additional.fields |
| tablespace_status | about.labels.key/value (deprecated) additional.fields |
| tablespace_writes | about.labels.key/value (deprecated) additional.fields |
Query_Stats
The following table lists the log fields of the Splunk dataset Query_Stats and their corresponding UDM fields:
| Log field | UDM mapping |
|---|---|
| indexes_hit | about.labels.key/value (deprecated) additional.fields |
| query_plan_hit | about.labels.key/value (deprecated) additional.fields |
| stored_procedures_called | about.labels.key/value (deprecated) additional.fields |
| tables_hit | about.labels.key/value (deprecated) additional.fields |
DLP_Incidents
The following table lists the log fields of the Splunk dataset DLP_Incidents and their corresponding UDM fields:
| Log field | UDM mapping |
|---|---|
| action | security_result.action_details security_result.action |
| app | target.application |
| category | security_result.category_details |
| dest | target.ip target.hostname target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated) additional.fields |
| dest_category | target.labels.key/value (deprecated) additional.fields |
| dest_priority | target.labels.key/value (deprecated) additional.fields |
| dest_zone | target.location.country_or_origin |
| dlp_type | about.labels.key/value (deprecated) additional.fields |
| dvc | principal.asset.hostname, principal.asset.ip |
| dvc_bunit | about.labels.key/value (deprecated) additional.fields |
| dvc_category | about.labels.key/value (deprecated) additional.fields |
| dvc_priority | about.labels.key/value (deprecated) additional.fields |
| dvc_zone | principal.asset.location.country_or_region |
| object | target.resource.name |
| object_category | about.labels.key/value (deprecated) additional.fields |
| object_path | target.file.full_path |
| severity | security_result.severity |
| severity_id | about.labels.key/value (deprecated) additional.fields |
| signature | metadata.description |
| signature_id | metadata.product_event_type |
| src | principal.ip principal.hostname principal.labels.key/value (deprecated) |
| src_bunit | principal.labels.key/value (deprecated) additional.fields |
| src_category | principal.labels.key/value (deprecated) additional.fields |
| src_priority | principal.labels.key/value (deprecated) additional.fields |
| src_user | principal.user.user_display_name |
| src_user_bunit | principal.labels.key/value (deprecated) additional.fields |
| src_user_category | principal.labels.key/value (deprecated) additional.fields |
| src_user_priority | principal.labels.key/value (deprecated) additional.fields |
| src_zone | principal.location.country_or_origin |
| tag | about.labels.key/value (deprecated) additional.fields |
| user | principal.user.user_display_name |
| user_bunit | about.labels.key/value (deprecated) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value (deprecated) additional.fields |
All_Email
The following table lists the log fields of the Splunk dataset All_Email and their corresponding UDM fields:
| Log field | UDM mapping |
|---|---|
| action | security_result.action_details security_result.action |
| delay | about.labels.key/value (deprecated) additional.fields |
| dest | target.ip target.hostname target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated) additional.fields |
| dest_category | target.labels.key/value (deprecated) additional.fields |
| dest_priority | target.labels.key/value (deprecated) additional.fields |
| duration | network.session_duration |
| file_hash | about.file.sha256, about.file.md5, about.file.sha1 |
| file_name | about.labels.key/value (deprecated) additional.fields |
| file_size | about.file.size |
| internal_message_id | metadata.product_log_id |
| message_id | network.email.mail_id |
| message_info | about.labels.key/value (deprecated) additional.fields |
| orig_dest | target.labels.key/value (deprecated) additional.fields |
| orig_recipient | about.labels.key/value (deprecated) additional.fields |
| orig_src | network.email.from |
| process | principal.process.command_line |
| process_id | principal.process.pid |
| protocol | network.application_protocol |
| recipient | network.email.to |
| recipient_count | about.labels.key/value (deprecated) additional.fields |
| recipient_domain | about.labels.key/value (deprecated) additional.fields |
| recipient_status | about.labels.key/value (deprecated) additional.fields |
| response_time | about.labels.key/value (deprecated) additional.fields |
| retries | about.labels.key/value (deprecated) additional.fields |
| return_addr | about.labels.key/value (deprecated) additional.fields |
| size | about.labels.key/value (deprecated) additional.fields |
| src | principal.ip principal.hostname principal.labels.key/value (deprecated) |
| src_bunit | principal.labels.key/value (deprecated) additional.fields |
| src_category | principal.labels.key/value (deprecated) additional.fields |
| src_priority | principal.labels.key/value (deprecated) additional.fields |
| src_user | principal.user.email_addresses |
| src_user_bunit | principal.labels.key/value (deprecated) additional.fields |
| src_user_category | principal.labels.key/value (deprecated) additional.fields |
| src_user_domain | principal.administrative_domain |
| src_user_priority | principal.labels.key/value (deprecated) additional.fields |
| status_code | about.labels.key/value (deprecated) additional.fields |
| subject | network.email.subject (repeated) |
| tag | about.labels.key/value (deprecated) additional.fields |
| url | about.url |
| user | principal.user.user_display_name |
| user_bunit | about.labels.key/value (deprecated) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value (deprecated) additional.fields |
| xdelay | about.labels.key/value (deprecated) additional.fields |
| xref | about.labels.key/value (deprecated) additional.fields |
Filter
The following table lists the log fields of the Splunk dataset Filter and their corresponding UDM fields:
| Log field | UDM mapping |
|---|---|
| filter_action | about.labels.key/value (deprecated) additional.fields |
| filter_score | about.labels.key/value (deprecated) additional.fields |
| signature | metadata.description |
| signature_extra | about.labels.key/value (deprecated) additional.fields |
| signature_id | metadata.product_event_type |
Ports
The following table lists the log fields of the Splunk dataset Ports and their corresponding UDM fields:
| Log field | UDM mapping |
|---|---|
| creation_time | about.labels.key/value (deprecated) additional.fields |
| dest | target.ip target.hostname target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated) additional.fields |
| dest_category | target.labels.key/value (deprecated) additional.fields |
| dest_port | target.port |
| dest_priority | target.labels.key/value (deprecated) additional.fields |
| dest_requires_av | target.labels.key/value (deprecated) additional.fields |
| dest_should_timesync | target.labels.key/value (deprecated) additional.fields |
| dest_should_update | target.labels.key/value (deprecated) additional.fields |
| process_guid | principal.process.product_specific_process_id |
| process_id | principal.process.pid |
| src | principal.ip principal.hostname principal.labels.key/value (deprecated) |
| src_category | principal.labels.key/value (deprecated) additional.fields |
| src_priority | principal.labels.key/value (deprecated) additional.fields |
| src_port | principal.port |
| src_requires_av | principal.labels.key/value (deprecated) additional.fields |
| src_should_timesync | principal.labels.key/value (deprecated) additional.fields |
| src_should_update | principal.labels.key/value (deprecated) additional.fields |
| state | about.labels.key/value (deprecated) additional.fields |
| tag | about.labels.key/value (deprecated) additional.fields |
| transport | network.ip_protocol |
| transport_dest_port | target.labels.key/value (deprecated) additional.fields |
| user | principal.user.user_display_name |
| user_bunit | about.labels.key/value (deprecated) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
Processes
The following table lists the log fields of the Splunk dataset Processes and their corresponding UDM fields:
| Log field | UDM mapping |
|---|---|
| action | security_result.action_details security_result.action |
| cpu_load_percent | about.labels.key/value (deprecated) additional.fields |
| dest | target.ip target.hostname target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated) additional.fields |
| dest_category | target.labels.key/value (deprecated) additional.fields |
| dest_is_expected | target.labels.key/value (deprecated) additional.fields |
| dest_priority | target.labels.key/value (deprecated) additional.fields |
| dest_requires_av | target.labels.key/value (deprecated) additional.fields |
| dest_should_timesync | target.labels.key/value (deprecated) additional.fields |
| dest_should_update | target.labels.key/value (deprecated) additional.fields |
| mem_used | about.labels.key/value (deprecated) additional.fields |
| original_file_name | src.file.full_path |
| os | principal.asset.platform_software.platform_version |
| parent_process | about.labels.key/value (deprecated) additional.fields |
| parent_process_exec | about.labels.key/value (deprecated) additional.fields |
| parent_process_id | principal.process.parent_process.parent_pid |
| parent_process_guid | principal.process.parent_process.product_specific_process_id |
| parent_process_name | about.labels.key/value (deprecated) additional.fields |
| parent_process_path | principal.process.parent_process.command_line |
| process | about.labels.key/value (deprecated) additional.fields |
| process_current_directory | about.labels.key/value (deprecated) additional.fields |
| process_exec | about.labels.key/value (deprecated) additional.fields |
| process_hash | principal.process.file.sha256/principal.process.file.md5/principal.process.file.sha1 |
| process_guid | principal.process.product_specific_process_id |
| process_id | principal.process.pid |
| process_integrity_level | security_result.severity |
| process_name | principal.process.command_line |
| process_path | principal.process.file.full_path |
| tag | about.labels.key/value (deprecated) additional.fields |
| user | principal.user.user_display_name |
| user_id | principal.user.userid |
| user_bunit | about.labels.key/value (deprecated) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value (deprecated) additional.fields |
Services
The following table lists the log fields of the Splunk dataset Services and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| description | security_result.description |
| dest | target.ip target.hostname target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated) additional.fields |
| dest_category | target.labels.key/value (deprecated) additional.fields |
| dest_is_expected | target.labels.key/value (deprecated) additional.fields |
| dest_priority | target.labels.key/value (deprecated) additional.fields |
| dest_requires_av | target.labels.key/value (deprecated) additional.fields |
| dest_should_timesync | target.labels.key/value (deprecated) additional.fields |
| dest_should_update | target.labels.key/value (deprecated) additional.fields |
| process_guid | principal.process.product_specific_process_id |
| process_id | principal.process.pid |
| service | target.application |
| service_dll | about.labels.key/value (deprecated) additional.fields |
| service_dll_path | about.file.full_path |
| service_dll_hash | about.labels.key/value (deprecated) additional.fields |
| service_dll_signature_exists | about.labels.key/value (deprecated) additional.fields |
| service_dll_signature_verified | about.labels.key/value (deprecated) additional.fields |
| service_exec | target.process.file.full_path |
| service_hash | about.labels.key/value (deprecated) additional.fields |
| service_id | about.labels.key/value (deprecated) additional.fields |
| service_name | about.labels.key/value (deprecated) additional.fields |
| service_path | about.labels.key/value (deprecated) additional.fields |
| service_signature_exists | about.labels.key/value (deprecated) additional.fields |
| service_signature_verified | about.labels.key/value (deprecated) additional.fields |
| start_mode | about.labels.key/value (deprecated) additional.fields |
| status | security_result.summary |
| tag | about.labels.key/value (deprecated) additional.fields |
| user | principal.user.user_display_name |
| user_bunit | about.labels.key/value (deprecated) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value (deprecated) additional.fields |
Filesystem
The following table lists the log fields of the Splunk dataset Filesystem and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| action | security_result.action_details security_result.action |
| dest | target.ip target.hostname target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated) additional.fields |
| dest_category | target.labels.key/value (deprecated) additional.fields |
| dest_priority | target.labels.key/value (deprecated) additional.fields |
| dest_requires_av | target.labels.key/value (deprecated) additional.fields |
| dest_should_timesync | target.labels.key/value (deprecated) additional.fields |
| dest_should_update | target.labels.key/value (deprecated) additional.fields |
| file_access_time | about.labels.key/value (deprecated) additional.fields |
| file_create_time | target.asset.attribute.creation_time |
| file_hash | target.file.sha256, target.file.md5, target.file.sha1 |
| file_modify_time | about.labels.key/value (deprecated) additional.fields |
| file_name | about.labels.key/value (deprecated) additional.fields |
| file_path | target.file.full_path |
| file_acl | about.labels.key/value (deprecated) additional.fields |
| file_size | target.file.size |
| process_guid | principal.process.product_specific_process_id |
| process_id | principal.process.pid |
| tag | about.labels.key/value (deprecated) additional.fields |
| user | principal.user.user_display_name |
| user_bunit | about.labels.key/value (deprecated) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value (deprecated) additional.fields |
Registry
The following table lists the log fields of the Splunk dataset Registry and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| action | security_result.action_details security_result.action |
| dest | target.ip target.hostname target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated) additional.fields |
| dest_category | target.labels.key/value (deprecated) additional.fields |
| dest_priority | target.labels.key/value (deprecated) additional.fields |
| dest_requires_av | target.labels.key/value (deprecated) additional.fields |
| dest_should_timesync | target.labels.key/value (deprecated) additional.fields |
| dest_should_update | target.labels.key/value (deprecated) additional.fields |
| process_guid | principal.process.product_specific_process_id |
| process_id | principal.process.pid |
| registry_hive | about.labels.key/value (deprecated) additional.fields |
| registry_path | about.labels.key/value (deprecated) additional.fields |
| registry_key_name | target.registry.registry_key |
| registry_value_data | target.registry.registry_value_data |
| registry_value_name | target.registry.registry_value_name |
| registry_value_text | about.labels.key/value (deprecated) additional.fields |
| registry_value_type | about.labels.key/value (deprecated) additional.fields |
| status | security_result.summary |
| tag | about.labels.key/value (deprecated) additional.fields |
| user | principal.user.user_display_name |
| user_bunit | about.labels.key/value (deprecated) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value (deprecated) additional.fields |
Signatures
The following table lists the log fields of the Splunk dataset Signatures and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| dest | target.ip target.hostname target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated) additional.fields |
| dest_category | target.labels.key/value (deprecated) additional.fields |
| dest_priority | target.labels.key/value (deprecated) additional.fields |
| signature | metadata.description |
| signature_id | metadata.product_event_type |
| tag | about.labels.key/value (deprecated) additional.fields |
Signatures_vendor_product
The following table lists the log fields of the Splunk dataset Signatures_vendor_product and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| vendor_product | about.labels.key/value (deprecated) additional.fields |
All_Interprocess_Messaging
The following table lists the log fields of the Splunk dataset All_Interprocess_Messaging and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| dest | target.ip target.hostname target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated) additional.fields |
| dest_category | target.labels.key/value (deprecated) additional.fields |
| dest_priority | target.labels.key/value (deprecated) additional.fields |
| duration | network.session_duration |
| endpoint | about.labels.key/value (deprecated) additional.fields |
| endpoint_version | about.labels.key/value (deprecated) additional.fields |
| message | about.labels.key/value (deprecated) additional.fields |
| message_consumed_time | about.labels.key/value (deprecated) additional.fields |
| message_correlation_id | about.labels.key/value (deprecated) additional.fields |
| message_delivered_time | about.labels.key/value (deprecated) additional.fields |
| message_delivery_mode | about.labels.key/value (deprecated) additional.fields |
| message_expiration_time | about.labels.key/value (deprecated) additional.fields |
| message_id | metadata.product.log_id |
| message_priority | about.labels.key/value (deprecated) additional.fields |
| message_properties | about.labels.key/value (deprecated) additional.fields |
| message_received_time | about.labels.key/value (deprecated) additional.fields |
| message_redelivered | about.labels.key/value (deprecated) additional.fields |
| message_reply_dest | target.labels.key/value (deprecated) additional.fields |
| message_type | about.labels.key/value (deprecated) additional.fields |
| parameters | about.labels.key/value (deprecated) additional.fields |
| payload | about.labels.key/value (deprecated) additional.fields |
| payload_type | about.labels.key/value (deprecated) additional.fields |
| request_payload | about.labels.key/value (deprecated) additional.fields |
| request_payload_type | about.labels.key/value (deprecated) additional.fields |
| request_sent_time | about.labels.key/value (deprecated) additional.fields |
| response_code | network.http.response_code |
| response_payload_type | about.labels.key/value (deprecated) additional.fields |
| response_received_time | about.labels.key/value (deprecated) additional.fields |
| response_time | about.labels.key/value (deprecated) additional.fields |
| return_message | about.labels.key/value (deprecated) additional.fields |
| rpc_protocol | network.application_protocol |
| status | security_result.summary |
| tag | about.labels.key/value (deprecated) additional.fields |
IDS_Attacks
The following table lists the log fields of the Splunk dataset IDS_Attacks and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| action | security_result.action_details security_result.action |
| category | security_result.category_details |
| dest | target.ip target.hostname target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated) additional.fields |
| dest_category | target.labels.key/value (deprecated) additional.fields |
| dest_priority | target.labels.key/value (deprecated) additional.fields |
| dvc | principal.asset.hostname, principal.asset.ip |
| dvc_bunit | about.labels.key/value (deprecated) additional.fields |
| dvc_category | about.labels.key/value (deprecated) additional.fields |
| dvc_priority | about.labels.key/value (deprecated) additional.fields |
| file_hash | target.file.sha256, target.file.md5, target.file.sha1 |
| file_name | about.labels.key/value (deprecated) additional.fields |
| file_path | target.file.full_path |
| ids_type | about.labels.key/value (deprecated) additional.fields |
| severity | security_result.severity |
| severity_id | about.labels.key/value (deprecated) additional.fields |
| signature | metadata.description |
| signature_id | metadata.product_event_type |
| src | principal.ip principal.hostname principal.labels.key/value (deprecated) |
| src_bunit | principal.labels.key/value (deprecated) additional.fields |
| src_category | principal.labels.key/value (deprecated) additional.fields |
| src_priority | principal.labels.key/value (deprecated) additional.fields |
| src_port | principal.port |
| tag | about.labels.key/value (deprecated) additional.fields |
| transport | network.ip_protocol |
| user | principal.user.user_display_name |
| user_bunit | about.labels.key/value (deprecated) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value (deprecated) additional.fields |
DS_Attacks
The following table lists the log fields of the Splunk dataset DS_Attacks and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| dest_port | target.port |
All_Inventory
The following table lists the log fields of the Splunk dataset All_Inventory and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| description | security_result.description |
| dest | target.ip target.hostname target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated) additional.fields |
| dest_category | target.labels.key/value (deprecated) additional.fields |
| dest_priority | target.labels.key/value (deprecated) additional.fields |
| enabled | about.labels.key/value (deprecated) additional.fields |
| family | about.labels.key/value (deprecated) additional.fields |
| hypervisor_id | about.labels.key/value (deprecated) additional.fields |
| serial | principal.asset.hardware.serial_number |
| status | security_result.summary |
| tag | about.labels.key/value (deprecated) additional.fields |
| vendor_product | about.labels.key/value (deprecated) additional.fields |
| version | about.labels.key/value (deprecated) additional.fields |
CPU
The following table lists the log fields of the Splunk dataset CPU and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| cpu_cores | principal.asset.hardware.cpu_number_cores |
| cpu_count | about.labels.key/value (deprecated) additional.fields |
| cpu_mhz | principal.asset.hardware.cpu_clock_speed |
| cpu_load_mhz | principal.asset.hardware.cpu_clock_speed |
| cpu_load_percent | about.labels.key/value (deprecated) additional.fields |
| cpu_time | about.labels.key/value (deprecated) additional.fields |
| cpu_user_percent | about.labels.key/value (deprecated) additional.fields |
Memory
The following table lists the log fields of the Splunk dataset Memory and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| mem | principal.asset.hardware.ram |
| heap_committed | about.labels.key/value (deprecated) additional.fields |
| heap_initial | about.labels.key/value (deprecated) additional.fields |
| heap_max | about.labels.key/value (deprecated) additional.fields |
| heap_used | about.labels.key/value (deprecated) additional.fields |
| non_heap_committed | about.labels.key/value (deprecated) additional.fields |
| non_heap_initial | about.labels.key/value (deprecated) additional.fields |
| non_heap_max | about.labels.key/value (deprecated) additional.fields |
| non_heap_used | about.labels.key/value (deprecated) additional.fields |
| objects_pending | about.labels.key/value (deprecated) additional.fields |
| mem_committed | about.labels.key/value (deprecated) additional.fields |
| mem_free | about.labels.key/value (deprecated) additional.fields |
| mem_used | about.labels.key/value (deprecated) additional.fields |
| swap | about.labels.key/value (deprecated) additional.fields |
| swap_free | about.labels.key/value (deprecated) additional.fields |
| swap_used | about.labels.key/value (deprecated) additional.fields |
Network
The following table lists the log fields of the Splunk dataset Network and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| dest_ip | target.ip |
| dns | about.labels.key/value (deprecated) additional.fields |
| inline_nat | about.labels.key/value (deprecated) additional.fields |
| interface | about.labels.key/value (deprecated) additional.fields |
| ip | principal.asset.ip |
| lb_method | about.labels.key/value (deprecated) additional.fields |
| mac | principal.asset.mac |
| name | principal.resource.name |
| node | about.labels.key/value (deprecated) additional.fields |
| node_port | target.port |
| src_ip | principal.ip |
| vip_port | about.labels.key/value (deprecated) additional.fields |
| thruput | about.labels.key/value (deprecated) additional.fields |
| thruput_max | about.labels.key/value (deprecated) additional.fields |
OS
The following table lists the log fields of the Splunk dataset OS and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| os | principal.asset.platform_software.platform_version |
| committed_memory | about.labels.key/value (deprecated) additional.fields |
| cpu_time | about.labels.key/value (deprecated) additional.fields |
| free_physical_memory | about.labels.key/value (deprecated) additional.fields |
| free_swap | about.labels.key/value (deprecated) additional.fields |
| max_file_descriptors | about.labels.key/value (deprecated) additional.fields |
| open_file_descriptors | about.labels.key/value (deprecated) additional.fields |
| os_architecture | about.labels.key/value (deprecated) additional.fields |
| os_version | about.labels.key/value (deprecated) additional.fields |
| physical_memory | about.labels.key/value (deprecated) additional.fields |
| swap_space | about.labels.key/value (deprecated) additional.fields |
| system_load | about.labels.key/value (deprecated) additional.fields |
| total_processors | about.labels.key/value (deprecated) additional.fields |
| signature | metadata.description |
| signature_id | metadata.product_event_type |
Storage
The following table lists the log fields of the Splunk dataset Storage and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| array | about.labels.key/value (deprecated) additional.fields |
| blocksize | about.labels.key/value (deprecated) additional.fields |
| cluster | about.resource.resource_type = "CLUSTER" |
| fd_max | about.labels.key/value (deprecated) additional.fields |
| fd_used | about.labels.key/value (deprecated) additional.fields |
| latency | about.labels.key/value (deprecated) additional.fields |
| mount | principal.resource.attribute.labels.key/value |
| mount | about.labels.key/value (deprecated) additional.fields |
| parent | principal.resource.parent |
| read_blocks | about.labels.key/value (deprecated) additional.fields |
| read_latency | about.labels.key/value (deprecated) additional.fields |
| read_ops | about.labels.key/value (deprecated) additional.fields |
| storage | about.labels.key/value (deprecated) additional.fields |
| storage_free | about.labels.key/value (deprecated) additional.fields |
| storage_free_percent | about.labels.key/value (deprecated) additional.fields |
| storage_used | about.labels.key/value (deprecated) additional.fields |
| storage_used_percent | about.labels.key/value (deprecated) additional.fields |
| write_blocks | about.labels.key/value (deprecated) additional.fields |
| write_latency | about.labels.key/value (deprecated) additional.fields |
| write_ops | about.labels.key/value (deprecated) additional.fields |
| error_code | security_result.description |
| operation | about.labels.key/value (deprecated) additional.fields |
| storage_name | about.resource.name |
User
The following table lists the log fields of the Splunk dataset User and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| interactive | about.labels.key/value (deprecated) additional.fields |
| password | about.labels.key/value (deprecated) additional.fields |
| shell | about.labels.key/value (deprecated) additional.fields |
| user | principal.user.user_display_name |
| user_bunit | about.labels.key/value (deprecated) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_id | principal.user.userid |
| user_priority | principal.user.attribute.label.key/value |
Virtual_OS
The following table lists the log fields of the Splunk dataset Virtual_OS and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| hypervisor | about.labels.key/value (deprecated) additional.fields |
Snapshot
The following table lists the log fields of the Splunk dataset Snapshot and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| size | about.file.size |
| snapshot | about.labels.key/value (deprecated) additional.fields |
| time | about.labels.key/value (deprecated) additional.fields |
JVM
The following table lists the log fields of the Splunk dataset JVM and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| jvm_description | security_result.description |
| tag | about.labels.key/value (deprecated) additional.fields |
Threading
The following table lists the log fields of the Splunk dataset Threading and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| cm_enabled | about.labels.key/value (deprecated) additional.fields |
| cm_supported | about.labels.key/value (deprecated) additional.fields |
| cpu_time_enabled | about.labels.key/value (deprecated) additional.fields |
| cpu_time_supported | about.labels.key/value (deprecated) additional.fields |
| current_cpu_time | about.labels.key/value (deprecated) additional.fields |
| current_user_time | about.labels.key/value (deprecated) additional.fields |
| daemon_thread_count | about.labels.key/value (deprecated) additional.fields |
| omu_supported | about.labels.key/value (deprecated) additional.fields |
| peak_thread_count | about.labels.key/value (deprecated) additional.fields |
| synch_supported | about.labels.key/value (deprecated) additional.fields |
| thread_count | about.labels.key/value (deprecated) additional.fields |
| threads_started | about.labels.key/value (deprecated) additional.fields |
Runtime
The following table lists the log fields of the Splunk dataset Runtime and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| process_name | principal.process.command_line |
| start_time | about.labels.key/value (deprecated) additional.fields |
| uptime | about.labels.key/value (deprecated) additional.fields |
| vendor_product | about.labels.key/value (deprecated) additional.fields |
| version | about.labels.key/value (deprecated) additional.fields |
Compilation
The following table lists the log fields of the Splunk dataset Compilation and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| compilation_time | about.labels.key/value (deprecated) additional.fields |
Classloading
The following table lists the log fields of the Splunk dataset Classloading and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| current_loaded | about.labels.key/value (deprecated) additional.fields |
| total_loaded | about.labels.key/value (deprecated) additional.fields |
| total_unloaded | about.labels.key/value (deprecated) additional.fields |
Malware_Attacks
The following table lists the log fields of the Splunk dataset Malware_Attacks and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| action | security_result.action_details security_result.action |
| category | security_result.category_details |
| date | about.labels.key/value (deprecated) additional.fields |
| dest | target.ip target.hostname target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated) additional.fields |
| dest_category | target.labels.key/value (deprecated) additional.fields |
| dest_nt_domain | target.administrative_domain |
| dest_priority | target.labels.key/value (deprecated) additional.fields |
| dest_requires_av | target.labels.key/value (deprecated) additional.fields |
| file_hash | target.file.sha256, target.file.md5, target.file.sha1 |
| file_name | about.labels.key/value (deprecated) additional.fields |
| file_path | target.file.full_path |
| severity | security_result.severity |
| severity_id | about.labels.key/value (deprecated) additional.fields |
| signature | metadata.description |
| signature_id | metadata.product_event_type |
| src | principal.ip principal.hostname principal.labels.key/value (deprecated) |
| src_bunit | principal.labels.key/value (deprecated) additional.fields |
| src_category | principal.labels.key/value (deprecated) additional.fields |
| src_priority | principal.labels.key/value (deprecated) additional.fields |
| src_user | principal.user.user_display_name |
| tag | about.labels.key/value (deprecated) additional.fields |
| user | principal.user.user_display_name |
| user_bunit | about.labels.key/value (deprecated) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| url | about.url |
| vendor_product | about.labels.key/value (deprecated) additional.fields |
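As an added example (not code from this page or from Google's SPLUNK parser), the following Python applies the Malware_Attacks table above to one CIM event and makes explicit two decisions that this table, and the Processes, Filesystem and IDS_Attacks tables with their process_hash/file_hash and src/dest rows, leave implicit: whether a src/dest value lands in `<noun>.ip` or `<noun>.hostname`, and which of `file.sha256`, `file.md5` or `file.sha1` receives a hash. The IP-literal rule, the digest-length rule, the `security_result.action` enum values and the sample event are all assumptions constructed for the example.

```python
import ipaddress
import re

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# Assumption: the UDM hash field is chosen by digest length in hex characters.
HASH_FIELD_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
# Assumption: CIM action vocabulary -> UDM security_result.action enum.
ACTION_ENUM = {"allowed": "ALLOW", "blocked": "BLOCK"}

# Malware_Attacks rows that copy one CIM field into exactly one UDM path.
DIRECT = {
    "category": "security_result.category_details",
    "dest_nt_domain": "target.administrative_domain",
    "file_path": "target.file.full_path",
    "severity": "security_result.severity",
    "signature": "metadata.description",
    "signature_id": "metadata.product_event_type",
    "src_user": "principal.user.user_display_name",
    "user": "principal.user.user_display_name",
    "url": "about.url",
}


def set_path(udm, dotted, value):
    """Create nested dicts for a dotted UDM path and set its leaf."""
    node = udm
    *parents, leaf = dotted.split(".")
    for key in parents:
        node = node.setdefault(key, {})
    node[leaf] = value


def map_endpoint(udm, noun, value):
    """CIM src/dest -> <noun>.ip for an IPv4/IPv6 literal, else <noun>.hostname."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        set_path(udm, f"{noun}.hostname", value)
        return "hostname"
    set_path(udm, f"{noun}.ip", [value])  # UDM ip is a repeated field
    return "ip"


def map_hash(udm, noun, value):
    """Route a hex digest to <noun>.file.md5/sha1/sha256; None if unrecognised."""
    field = HASH_FIELD_BY_LEN.get(len(value))
    if field is None or not HEX_RE.match(value):
        return None
    set_path(udm, f"{noun}.file.{field}", value.lower())
    return field


def cim_to_udm(event):
    """Normalize one CIM Malware_Attacks event (dict) into a UDM-shaped dict."""
    udm = {}
    extra = []  # becomes additional.fields
    for key, value in event.items():
        if value in (None, ""):
            continue
        if key == "action":
            set_path(udm, "security_result.action_details", value)
            set_path(udm, "security_result.action",
                     ACTION_ENUM.get(value.lower(), "UNKNOWN_ACTION"))
        elif key == "dest":
            map_endpoint(udm, "target", value)
        elif key == "src":
            map_endpoint(udm, "principal", value)
        elif key == "file_hash":
            if map_hash(udm, "target", value) is None:
                extra.append({"key": key, "value": value})  # keep unknown digests
        elif key in DIRECT:
            set_path(udm, DIRECT[key], value)
        else:
            # tag, vendor_product, severity_id, date, ... -> additional.fields
            extra.append({"key": key, "value": value})
    if extra:
        udm["additional"] = {"fields": extra}
    return udm


# Constructed sample event; not real telemetry.
SAMPLE = {
    "action": "blocked",
    "category": "trojan",
    "dest": "10.0.0.5",             # IP literal -> target.ip
    "src": "fileserver01",          # not an IP -> principal.hostname
    "file_hash": "d41d8cd98f00b204e9800998ecf8427e",  # 32 hex chars -> md5
    "file_path": "C:\\Users\\Public\\dropper.exe",
    "severity": "high",
    "signature": "Trojan.Generic",
    "signature_id": "12345",
    "user": "jdoe",
    "tag": "malware attack",
    "vendor_product": "ExampleAV",
}

if __name__ == "__main__":
    import json
    print(json.dumps(cim_to_udm(SAMPLE), indent=2))
```

Running the script prints the UDM-shaped dict for the sample event; anything the table routes to a deprecated label ends up under `additional.fields`, which is where to look when a field seems to have vanished after normalization.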
Malware_Operations
The following table lists the log fields of the Splunk dataset Malware_Operations and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| dest | target.ip target.hostname target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated) additional.fields |
| dest_nt_domain | target.labels.key/value (deprecated) additional.fields |
| dest_priority | target.labels.key/value (deprecated) additional.fields |
| dest_requires_av | target.labels.key/value (deprecated) additional.fields |
| product_version | about.labels.key/value (deprecated) additional.fields |
| signature_version | security_result.rule_version |
| tag | about.labels.key/value (deprecated) additional.fields |
| vendor_product | about.labels.key/value (deprecated) additional.fields |
Malware_Operations
The following table lists the log fields of the Splunk dataset Malware_Operations and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| dest_category | target.labels.key/value (deprecated) additional.fields |
DNS
The following table lists the log fields of the Splunk dataset DNS and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| additional_answer_count | about.labels.key/value (deprecated) additional.fields |
| answer | network.dns.answer.data |
| answer_count | about.labels.key/value (deprecated) additional.fields |
| authority_answer_count | about.labels.key/value (deprecated) additional.fields |
| dest | target.ip target.hostname target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated) additional.fields |
| dest_category | target.labels.key/value (deprecated) additional.fields |
| dest_port | target.port |
| dest_priority | target.labels.key/value (deprecated) additional.fields |
| duration | network.session_duration |
| message_type | about.labels.key/value (deprecated) additional.fields |
| name | about.labels.key/value (deprecated) additional.fields |
| query | network.dns.questions.name |
| query_count | about.labels.key/value (deprecated) additional.fields |
| query_type | network.dns.questions.type |
| record_type | network.dns.answer.type (uint32) |
| reply_code | about.labels.key/value (deprecated) additional.fields |
| reply_code_id | network.dns.response_code |
| response_time | about.labels.key/value (deprecated) additional.fields |
| src | principal.ip principal.hostname principal.labels.key/value (deprecated) |
| src_bunit | principal.labels.key/value (deprecated) additional.fields |
| src_category | principal.labels.key/value (deprecated) additional.fields |
| src_port | principal.port |
| src_priority | principal.labels.key/value (deprecated) additional.fields |
| tag | about.labels.key/value (deprecated) additional.fields |
| transaction_id | network.dns.id |
| transport | network.ip_protocol |
| ttl | about.labels.key/value (deprecated) additional.fields |
| vendor_product | about.labels.key/value (deprecated) additional.fields |
All_Sessions
The following table lists the log fields of the Splunk dataset All_Sessions and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| action | security_result.action_details security_result.action |
| dest_bunit | target.labels.key/value (deprecated) additional.fields |
| dest_category | target.labels.key/value (deprecated) additional.fields |
| dest_dns | target.labels.key/value (deprecated) additional.fields |
| dest_ip | network.dhcp.ciaddr |
| dest_mac | network.dhcp.chaddr |
| dest_nt_host | target.labels.key/value (deprecated) additional.fields |
| dest_priority | target.labels.key/value (deprecated) additional.fields |
| duration | network.session_duration |
| response_time | about.labels.key/value (deprecated) additional.fields |
| signature | metadata.description |
| signature_id | metadata.product_event_type |
| src_bunit | principal.labels.key/value (deprecated) additional.fields |
| src_category | principal.labels.key/value (deprecated) additional.fields |
| src_dns | principal.labels.key/value (deprecated) additional.fields |
| src_ip | principal.ip |
| src_mac | principal.mac |
| src_nt_host | principal.labels.key/value (deprecated) additional.fields |
| src_priority | principal.labels.key/value (deprecated) additional.fields |
| tag | about.labels.key/value (deprecated) additional.fields |
| user | principal.user.user_display_name |
| user_bunit | about.labels.key/value (deprecated) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value (deprecated) additional.fields |
DHCP
The following table lists the log fields of the Splunk dataset DHCP and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| lease_duration | network.dhcp.lease_time_second |
| lease_scope | about.labels.key/value (deprecated) additional.fields |
All_Traffic
The following table lists the log fields of the Splunk dataset All_Traffic and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| action | security_result.action_details security_result.action |
| app | network.application_protocol |
| bytes | about.labels.key/value (deprecated) additional.fields |
| bytes_in | network.received_bytes |
| bytes_out | network.sent_bytes |
| channel | about.labels.key/value (deprecated) additional.fields |
| dest | target.ip target.hostname target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated) additional.fields |
| dest_category | target.labels.key/value (deprecated) additional.fields |
| dest_interface | target.labels.key/value (deprecated) additional.fields |
| dest_ip | target.ip |
| dest_mac | target.mac |
| dest_port | target.port |
| dest_priority | target.labels.key/value (deprecated) additional.fields |
| dest_translated_ip | target.nat_ip |
| dest_translated_port | target.nat_port |
| dest_zone | target.location.country_or_region |
| direction | network.direction |
| duration | network.session_duration |
| dvc | principal.asset.hostname, principal.asset.ip |
| dvc_bunit | about.labels.key/value (deprecated) additional.fields |
| dvc_category | about.labels.key/value (deprecated) additional.fields |
| dvc_ip | about.labels.key/value (deprecated) additional.fields |
| dvc_mac | principal.asset.mac |
| dvc_priority | about.labels.key/value (deprecated) additional.fields |
| dvc_zone | principal.asset.location.country_or_region |
| flow_id | about.labels.key/value (deprecated) additional.fields |
| icmp_code | about.labels.key/value (deprecated) additional.fields |
| icmp_type | about.labels.key/value (deprecated) additional.fields |
| packets | about.labels.key/value (deprecated) additional.fields |
| packets_in | about.labels.key/value (deprecated) additional.fields |
| packets_out | about.labels.key/value (deprecated) additional.fields |
| protocol | about.labels.key/value (deprecated) additional.fields |
| protocol_version | about.labels.key/value (deprecated) additional.fields |
| response_time | about.labels.key/value (deprecated) additional.fields |
| rule | security_result.rule_id |
| session_id | network.session_id |
| src | principal.ip principal.hostname principal.labels.key/value (deprecated) |
| src_bunit | principal.labels.key/value (deprecated) additional.fields |
| src_category | principal.labels.key/value (deprecated) additional.fields |
| src_interface | principal.labels.key/value (deprecated) additional.fields |
| src_ip | principal.ip |
| src_mac | principal.mac |
| src_port | principal.port |
| src_priority | principal.labels.key/value (deprecated) additional.fields |
| src_translated_ip | principal.nat_ip |
| src_translated_port | principal.nat_port |
| src_zone | principal.location.country_or_region |
| ssid | about.labels.key/value (deprecated) additional.fields |
| tag | about.labels.key/value (deprecated) additional.fields |
| tcp_flag | about.labels.key/value (deprecated) additional.fields |
| transport | network.ip_protocol |
| tos | about.labels.key/value (deprecated) additional.fields |
| ttl | network.dns.additional.ttl |
| user | principal.user.userid |
| user_bunit | about.labels.key/value (deprecated) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_account | about.labels.key/value (deprecated) additional.fields |
| vendor_product | about.labels.key/value (deprecated) additional.fields |
| vlan | about.labels.key/value (deprecated) additional.fields |
| wifi | about.labels.key/value (deprecated) additional.fields |
All_Performance
下表列出 Splunk 資料集 All_Performance 的記錄檔欄位和對應的 UDM 對應項:
| 記錄欄位 | UDM 對應 |
|---|---|
| dest | target.ip target.hostname target.labels.key/value (已淘汰) |
| dest_bunit | target.labels.key/value (已淘汰) additional.fields |
| dest_category | target.labels.key/value (已淘汰) additional.fields |
| dest_priority | target.labels.key/value (已淘汰) additional.fields |
| dest_should_timesync | target.labels.key/value (已淘汰) additional.fields |
| dest_should_update | target.labels.key/value (已淘汰) additional.fields |
| hypervisor_id | about.labels.key/value (已淘汰) additional.fields |
| resource_type | about.labels.key/value (已淘汰) additional.fields |
| 標記 | about.labels.key/value (已淘汰) additional.fields |
設施
下表列出 Splunk 資料集「設施」的記錄檔欄位和對應的 UDM 對應:
| 記錄欄位 | UDM 對應 |
|---|---|
| fan_speed | about.labels.key/value (已淘汰) additional.fields |
| power | about.labels.key/value (已淘汰) additional.fields |
| 溫度 | about.labels.key/value (已淘汰) additional.fields |
Timesync
下表列出 Splunk 資料集 Timesync 的記錄欄位和對應的 UDM 對應:
| 記錄欄位 | UDM 對應 |
|---|---|
| 動作 | security_result.action_details security_result.action |
運作時間
下表列出 Splunk 資料集 Uptime 的記錄檔欄位和對應的 UDM 對應:
| 記錄欄位 | UDM 對應 |
|---|---|
| 運作時間 | about.labels.key/value (已淘汰) additional.fields |
View_Activity
下表列出 Splunk 資料集 View_Activity 的記錄欄位和對應的 UDM 對應:
| 記錄欄位 | UDM 對應 |
|---|---|
| 應用程式 | target.application |
| 支出 | about.labels.key/value (已淘汰) additional.fields |
| uri | about.labels.key/value (已淘汰) additional.fields |
| 使用者 | principal.user.user_display_name |
| 查看 | about.labels.key/value (已淘汰) additional.fields |
Datamodel_Acceleration
The following table lists the log fields of the Splunk dataset Datamodel_Acceleration and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| access_count | about.labels.key/value (deprecated) additional.fields |
| access_time | about.labels.key/value (deprecated) additional.fields |
| app | target.application |
| bucket | about.labels.key/value (deprecated) additional.fields |
| buckets_size | about.labels.key/value (deprecated) additional.fields |
| complete | about.labels.key/value (deprecated) additional.fields |
| cron | about.labels.key/value (deprecated) additional.fields |
| datamodel | about.labels.key/value (deprecated) additional.fields |
| digest | about.labels.key/value (deprecated) additional.fields |
| earliest | about.labels.key/value (deprecated) additional.fields |
| is_inprogress | about.labels.key/value (deprecated) additional.fields |
| last_error | about.labels.key/value (deprecated) additional.fields |
| last_sid | about.labels.key/value (deprecated) additional.fields |
| latest | about.labels.key/value (deprecated) additional.fields |
| mod_time | about.labels.key/value (deprecated) additional.fields |
| retention | about.labels.key/value (deprecated) additional.fields |
| size | about.file.size |
| summary_id | about.labels.key/value (deprecated) additional.fields |
Search_Activity
The following table lists the log fields of the Splunk dataset Search_Activity and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| host | about.hostname |
| info | about.labels.key/value (deprecated) additional.fields |
| search | about.labels.key/value (deprecated) additional.fields |
| search_et | about.labels.key/value (deprecated) additional.fields |
| search_lt | about.labels.key/value (deprecated) additional.fields |
| search_type | about.labels.key/value (deprecated) additional.fields |
| source | principal.labels.key/value (deprecated) additional.fields |
| sourcetype | principal.labels.key/value (deprecated) additional.fields |
| user | principal.user.user_display_name |
| user_bunit | about.labels.key/value (deprecated) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
Scheduler_Activity
The following table lists the log fields of the Splunk dataset Scheduler_Activity and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| app | target.application |
| host | about.hostname |
| savedsearch_name | about.labels.key/value (deprecated) additional.fields |
| sid | about.labels.key/value (deprecated) additional.fields |
| source | principal.labels.key/value (deprecated) additional.fields |
| sourcetype | principal.labels.key/value (deprecated) additional.fields |
| splunk_server | principal.ip, principal.hostname |
| status | security_result.summary |
| user | principal.user.user_display_name |
Web_Service_Errors
The following table lists the log fields of the Splunk dataset Web_Service_Errors and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| host | about.hostname |
| source | principal.labels.key/value (deprecated) additional.fields |
| sourcetype | principal.labels.key/value (deprecated) additional.fields |
| event_id | security_result.rule_name |
Modular_Actions
The following table lists the log fields of the Splunk dataset Modular_Actions and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| action_mode | about.labels.key/value (deprecated) additional.fields |
| action_status | about.labels.key/value (deprecated) additional.fields |
| app | target.application |
| duration | network.session_duration |
| component | about.labels.key/value (deprecated) additional.fields |
| orig_rid | about.labels.key/value (deprecated) additional.fields |
| orig_sid | about.labels.key/value (deprecated) additional.fields |
| rid | about.labels.key/value (deprecated) additional.fields |
| search_name | about.labels.key/value (deprecated) additional.fields |
| action_name | security_result.action_details |
| signature | metadata.description |
| sid | about.labels.key/value (deprecated) additional.fields |
| user | about.labels.key/value (deprecated) additional.fields |
All_Ticket_Management
The following table lists the log fields of the Splunk dataset All_Ticket_Management and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| affect_dest | target.labels.key/value (deprecated) additional.fields |
| comments | about.labels.key/value (deprecated) additional.fields |
| description | security_result.description |
| dest | target.ip target.hostname target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated) additional.fields |
| dest_category | target.labels.key/value (deprecated) additional.fields |
| dest_priority | target.labels.key/value (deprecated) additional.fields |
| priority | security_result.priority_details |
| severity | security_result.severity |
| severity_id | about.labels.key/value (deprecated) additional.fields |
| splunk_id | about.labels.key/value (deprecated) additional.fields |
| splunk_realm | about.labels.key/value (deprecated) additional.fields |
| src_user | principal.user.user_display_name |
| src_user_bunit | principal.labels.key/value (deprecated) additional.fields |
| src_user_category | principal.labels.key/value (deprecated) additional.fields |
| src_user_priority | principal.labels.key/value (deprecated) additional.fields |
| status | security_result.summary |
| tag | about.labels.key/value (deprecated) additional.fields |
| ticket_id | target.user.attribute.label.key/value |
| time_submitted | principal.user.attribute.creation_time |
| user | principal.user.user_display_name |
| user_bunit | about.labels.key/value (deprecated) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
Change
The following table lists the log fields of the Splunk dataset Change and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| change | about.labels.key/value (deprecated) additional.fields |
Incident
The following table lists the log fields of the Splunk dataset Incident and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| incident | about.labels.key/value (deprecated) additional.fields |
Problem
The following table lists the log fields of the Splunk dataset Problem and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| problem | about.labels.key/value (deprecated) additional.fields |
Updates
The following table lists the log fields of the Splunk dataset Updates and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| dest | target.ip target.hostname target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated) additional.fields |
| dest_category | target.labels.key/value (deprecated) additional.fields |
| dest_priority | target.labels.key/value (deprecated) additional.fields |
| dest_should_update | target.labels.key/value (deprecated) additional.fields |
| dvc | principal.asset.hostname, principal.asset.ip |
| file_hash | target.file.sha256, target.file.md5, target.file.sha1 |
| file_name | about.labels.key/value (deprecated) additional.fields |
| severity | security_result.severity |
| severity_id | about.labels.key/value (deprecated) additional.fields |
| signature | metadata.description |
| signature_id | metadata.product_event_type |
| status | security_result.summary |
| tag | about.labels.key/value (deprecated) additional.fields |
| vendor_product | about.labels.key/value (deprecated) additional.fields |
Vulnerabilities
The following table lists the log fields of the Splunk dataset Vulnerabilities and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| bugtraq | about.labels.key/value (deprecated) additional.fields |
| category | security_result.category_details |
| cert | about.labels.key/value (deprecated) additional.fields |
| cve | vulnerabilities.cve_description |
| cvss | vulnerabilities.cvss_base_score |
| dest | target.ip target.hostname target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated) additional.fields |
| dest_category | target.labels.key/value (deprecated) additional.fields |
| dest_priority | target.labels.key/value (deprecated) additional.fields |
| dvc | principal.asset.hostname, principal.asset.ip |
| dvc_bunit | about.labels.key/value (deprecated) additional.fields |
| dvc_category | about.labels.key/value (deprecated) additional.fields |
| dvc_priority | about.labels.key/value (deprecated) additional.fields |
| msft | about.labels.key/value (deprecated) additional.fields |
| mskb | about.labels.key/value (deprecated) additional.fields |
| severity | extensions.vulns.vulnerabilities.severity |
| severity_id | about.labels.key/value (deprecated) additional.fields |
| signature | metadata.description |
| signature_id | metadata.product_event_type |
| tag | about.labels.key/value (deprecated) additional.fields |
| url | extensions.vulns.vulnerabilities.about.url |
| user | extensions.vulns.vulnerabilities.about.user.user_display_name |
| user_bunit | about.labels.key/value (deprecated) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value (deprecated) additional.fields |
| xref | about.labels.key/value (deprecated) additional.fields |
Web
The following table lists the log fields of the Splunk dataset Web and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| action | security_result.action_details security_result.action |
| app | target.application |
| bytes | about.labels.key/value (deprecated) additional.fields |
| bytes_in | network.received_bytes |
| bytes_out | network.sent_bytes |
| cached | about.labels.key/value (deprecated) additional.fields |
| category | security_result.category_details |
| cookie | about.labels.key/value (deprecated) additional.fields |
| dest | target.ip target.hostname target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated) additional.fields |
| dest_category | target.labels.key/value (deprecated) additional.fields |
| dest_priority | target.labels.key/value (deprecated) additional.fields |
| dest_port | target.port |
| duration | network.session_duration |
| http_content_type | about.labels.key/value (deprecated) additional.fields |
| http_method | network.http.method |
| http_referrer | network.http.referral_url |
| http_referrer_domain | about.labels.key/value (deprecated) additional.fields |
| http_user_agent | network.http.user_agent |
| http_user_agent_length | about.labels.key/value (deprecated) additional.fields |
| response_time | about.labels.key/value (deprecated) additional.fields |
| site | about.labels.key/value (deprecated) additional.fields |
| src | principal.ip principal.hostname principal.labels.key/value (deprecated) |
| src_bunit | principal.labels.key/value (deprecated) additional.fields |
| src_category | principal.labels.key/value (deprecated) additional.fields |
| src_priority | principal.labels.key/value (deprecated) additional.fields |
| status | network.http.response_code |
| tag | about.labels.key/value (deprecated) additional.fields |
| uri_path | about.labels.key/value (deprecated) additional.fields |
| uri_query | about.labels.key/value (deprecated) additional.fields |
| url | about.url |
| url_domain | about.asset.network_domain |
| url_length | about.labels.key/value (deprecated) additional.fields |
| user | principal.user.user_display_name |
| user_bunit | about.labels.key/value (deprecated) additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value (deprecated) additional.fields |
UDM event types
The following table lists the Splunk tags and their corresponding UDM event types:
| Data model | Splunk tags | UDM event type |
|---|---|---|
| Alerts | alert | STATUS_UPDATE |
| Authentication | authentication | USER_UNCATEGORIZED |
| Certificates | certificate | NETWORK_UNCATEGORIZED |
| Change | change | SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Data Access | data, access | USER_RESOURCE_ACCESS |
| Databases | database | USER_RESOURCE_ACCESS |
| Databases | database, instance, stats | STATUS_UPDATE |
| Databases | database, instance, status | STATUS_UPDATE |
| Databases | database, instance, lock | STATUS_UPDATE |
| Databases | database, query | STATUS_UPDATE |
| Databases | database, query, tablespace | STATUS_UPDATE |
| Databases | database, query, stats | STATUS_UPDATE |
| Data Loss Prevention | dlp, incident | SCAN_UNCATEGORIZED |
| Email | email | EMAIL_UNCATEGORIZED |
| Email | email, delivery | EMAIL_TRANSACTION |
| Endpoint | listening, port | SERVICE_UNSPECIFIED |
| Endpoint | process, report | PROCESS_UNCATEGORIZED |
| Endpoint | service, report | SERVICE_UNSPECIFIED |
| Endpoint | endpoint, filesystem | FILE_UNCATEGORIZED |
| Endpoint | endpoint, registry | REGISTRY_UNCATEGORIZED |
| Event Signatures | track_event_signature | STATUS_UPDATE |
| Interprocess Messaging | messaging | STATUS_UPDATE |
| Intrusion Detection | ids, attack | SERVICE_UNSPECIFIED |
| Inventory | inventory | SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Java Virtual Machines (JVM) | jvm | SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Malware | malware | STATUS_UPDATE |
| Network Resolution (DNS) | network, resolution, dns | NETWORK_DNS |
| Network Sessions | network, session | NETWORK_CONNECTION |
| Network Sessions | network, session, dhcp | NETWORK_DHCP |
| Network Traffic | network, communicate | NETWORK_CONNECTION |
| Performance | performance | SERVICE_UNSPECIFIED |
| Splunk Audit Logs | modaction | STATUS_UPDATE |
| Ticket Management | ticketing | STATUS_UPDATE |
| Ticket Management | ticketing, change | STATUS_UPDATE |
| Updates | update | STATUS_UPDATE |
| Vulnerabilities | report, vulnerabilites | SCAN_UNCATEGORIZED |
| Web | web | NETWORK_UNCATEGORIZED |
What's next
Need more help? Get answers from Community members and Google SecOps professionals.