Collect Splunk CIM logs

This document describes how to collect Splunk Common Information Model (CIM) logs by configuring Splunk and the Google Security Operations forwarder. It also lists the supported log types and the supported Splunk version.

For more information, see Ingest data into Google Security Operations.

Overview

The following diagram shows how a Splunk agent is configured to send logs to Google Security Operations. Each customer deployment can differ from this representation and may be more complex.

Deployment architecture

The architecture diagram shows the following components:

  • Data sources: the systems to be monitored, on which Splunk is installed.

  • Splunk: collects information from the data sources and forwards it to the Google Security Operations forwarder.

  • Google Security Operations forwarder: a lightweight software component deployed in the customer's network that forwards logs to Google Security Operations.

  • Google Security Operations: retains and analyzes the logs from the Fleet server.

An ingestion label identifies the parser that normalizes raw log data into the structured UDM format. The information in this document applies to the parser with the SPLUNK ingestion label.

Before you begin

  • Use Splunk version 5.0, which is supported by the Google Security Operations parser.

  • Make sure that all systems in the deployment architecture are configured to use the Coordinated Universal Time (UTC) time zone.

Configure the Splunk agent and the Google Security Operations forwarder

  1. Set up Splunk Enterprise.

  2. Install a CIM-compliant add-on from Splunkbase.

  3. Set up the Google Security Operations forwarder.

  4. Configure the Google Security Operations forwarder to push logs to Google Security Operations. The following is an example Google Security Operations forwarder configuration:

      - splunk:
          common:
            enabled: true
            data_type: SPLUNK
            batch_n_seconds: 10
            batch_n_bytes: 819200
          url: <SPLUNK_URL>
          query_cim: true
          is_ignore_cert: true
          query_string: datamodel Network_Traffic All_Traffic flat

     In this example, is_ignore_cert: true makes the forwarder skip verification of the Splunk server's TLS certificate; keep that setting only while testing, and present a certificate the forwarder trusts in production.

Considerations when writing Splunk search queries

Splunk has its own search language, which is similar to SQL. Make sure that you use the correct search query syntax. When you create a query, consider the following search characteristics:

Escape characters

If a string value contains a double quote ("), use the backslash character to escape the quote. Otherwise, the search misinterprets where the string value ends.

For example, to search for the string WHERE _raw="The user "vpatel" isn't authenticated.", you must use the sequence \" to search for the literal double quote.

Write the search string in the following format:

WHERE _raw="The user \"vpatel\" isn't authenticated."

To escape the backslash character (\), use the sequence \\ to search for a backslash.

For example, a string such as C:\user\abc must be written as C:\\user\\abc.

If any part of the query is invalid, the whole query is not evaluated and an error message is displayed.

Consider the following example, in which the search mode option is missing from the query:

multisearch [|datamodel Network_Traffic All_Traffic] [|datamodel Network_Sessions All_Sessions flat]

In this example, the first subsearch has no search mode option. This results in the following error:

Error in 'multisearch' command: Multisearch sub searches might only contain purely streaming operations. The search job has failed due to an error.

Support for multiple data models

Splunk supports a single large query across data models. The following search query pulls data from multiple data models:

multisearch [|datamodel Network_Traffic All_Traffic flat] [|datamodel Network_Sessions All_Sessions flat]

The components of this cross-data-model query are as follows:

multisearch: the query must begin with multisearch. Each query against a data model must be enclosed in square brackets [ ] and begin with the pipe (|) character.

Network_Traffic: the name of the data model.

All_Traffic: the dataset of the Network_Traffic data model.

flat: the search mode. The other options are search and acceleration_search.

We recommend the following Splunk query for multi-data-model searches:

multisearch [|datamodel Network_Traffic All_Traffic flat] [|datamodel Network_Sessions All_Sessions flat]
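
To make the escaping and search-mode rules above concrete, here is an added Python helper (not part of this page, of Splunk, or of the Google Security Operations forwarder) that escapes string values for SPL, builds datamodel and multisearch queries, and flags a subsearch that lacks its search mode, as in the failing example above. The same check applies to the forwarder's query_string value.

```python
import re

# Search modes accepted by the datamodel command, as listed on this page.
DATAMODEL_MODES = ("flat", "search", "acceleration_search")


def spl_escape(value: str) -> str:
    """Escape a value for use inside a double-quoted SPL string literal.

    Backslashes are doubled first, so the backslash added in front of each
    double quote is not doubled again afterwards.
    """
    return value.replace("\\", "\\\\").replace('"', '\\"')


def where_raw_equals(value: str) -> str:
    """Build the WHERE _raw="..." clause for a literal string value."""
    return f'WHERE _raw="{spl_escape(value)}"'


def datamodel_search(model: str, dataset: str, mode: str = "flat") -> str:
    """Build one datamodel subsearch; the search mode is mandatory."""
    if mode not in DATAMODEL_MODES:
        raise ValueError(f"unknown search mode {mode!r}; use one of {DATAMODEL_MODES}")
    return f"|datamodel {model} {dataset} {mode}"


def multisearch(subsearches) -> str:
    """Combine datamodel subsearches into one multisearch query."""
    return "multisearch " + " ".join(f"[{s}]" for s in subsearches)


def check_datamodel_query(query: str) -> list:
    """Return a list of problems found in a datamodel or multisearch query.

    Catches the failure shown above: a datamodel subsearch without a search
    mode, which makes Splunk reject the whole multisearch.
    """
    query = query.strip()
    if query.startswith("multisearch"):
        parts = re.findall(r"\[([^\]]*)\]", query)
        if not parts:
            return ["multisearch has no bracketed subsearches"]
    else:
        parts = [query]

    problems = []
    for index, part in enumerate(parts, start=1):
        tokens = part.strip().lstrip("|").split()
        if not tokens or tokens[0] != "datamodel":
            problems.append(f"subsearch {index}: does not start with datamodel")
            continue
        if len(tokens) < 4:
            problems.append(
                f"subsearch {index}: '{' '.join(tokens)}' is missing the search mode "
                f"({', '.join(DATAMODEL_MODES)})"
            )
        elif tokens[3] not in DATAMODEL_MODES:
            problems.append(f"subsearch {index}: unknown search mode {tokens[3]!r}")
    return problems


if __name__ == "__main__":
    print(where_raw_equals('The user "vpatel" isn\'t authenticated.'))
    print(multisearch([
        datamodel_search("Network_Traffic", "All_Traffic"),
        datamodel_search("Network_Sessions", "All_Sessions"),
    ]))
    # The broken query from this page: the first subsearch has no search mode.
    broken = ("multisearch [|datamodel Network_Traffic All_Traffic] "
              "[|datamodel Network_Sessions All_Sessions flat]")
    for problem in check_datamodel_query(broken):
        print("problem:", problem)
```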

Supported log types and data models

The parser supports the following Splunk data models:

  • Alerts
  • Application State (deprecated)
  • Authentication
  • Certificates
  • Change
  • Change Analysis (deprecated)
  • Data Access
  • Databases
  • Data Loss Prevention
  • Email
  • Endpoint
  • Event Signatures
  • Interprocess Messaging
  • Intrusion Detection
  • Inventory
  • Java Virtual Machines (JVM)
  • Malware
  • Network Resolution (DNS)
  • Network Sessions
  • Network Traffic
  • Performance
  • Splunk Audit Logs
  • Ticket Management
  • Updates
  • Vulnerabilities
  • Web

Field mapping reference

This section describes how the Google Security Operations parser maps Splunk log fields to Google Security Operations Unified Data Model (UDM) fields for each dataset. For more information, see the Splunk documentation for version 5.0.1.

Alerts

The following table lists the log fields of the Splunk dataset Alerts and their corresponding UDM mappings:

| Log field | UDM mapping |
| --- | --- |
| app | observer.application |
| description | security_result.description |
| dest | target.ip, target.hostname, target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated), additional.fields |
| dest_category | target.labels.key/value (deprecated), additional.fields |
| dest_priority | target.labels.key/value (deprecated), additional.fields |
| dest_type | target.resource.resource_type |
| id | metadata.product_log_id |
| mitre_technique_id | security_result.detection_fields.labels.key/value |
| severity | security_result.severity |
| severity_id | about.labels.key/value (deprecated), additional.fields |
| signature | metadata.description |
| signature_id | security_result.rule_name |
| src | principal.ip, principal.hostname, principal.labels.key/value (deprecated) |
| src_bunit | principal.labels.key/value (deprecated), additional.fields |
| src_category | principal.labels.key/value (deprecated), additional.fields |
| src_priority | principal.labels.key/value (deprecated), additional.fields |
| src_type | principal.resource.resource_type |
| tag | about.labels.key/value (deprecated), additional.fields |
| type | security_result.alert_state |
| user | principal.user.user_display_name |
| user_bunit | about.labels.key/value (deprecated), additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_name | principal.user.userid |
| user_priority | principal.user.attribute.label.key/value |
| vendor_account | about.labels.key/value (deprecated), additional.fields |
| vendor_region | about.location.country_or_region |
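
As an added illustration of how the Alerts table is applied, the following Python (written for this page; it is not the Google Security Operations parser) maps a constructed CIM Alerts event to a UDM-style nested dict. It assumes that dest and src go to .ip when the value parses as an IP address and to .hostname otherwise, and it writes the current replacement for the deprecated label paths (additional.fields) and the other key/value targets as lists of {key, value} entries.

```python
import ipaddress

# UDM destination of each Splunk Alerts field, transcribed from the table above.
# Where the table lists a deprecated labels path beside additional.fields, the
# current path (additional.fields) is used. "target" and "principal" stand for
# the ip-or-hostname pair that dest and src map to.
ALERTS_MAPPING = {
    "app": "observer.application",
    "description": "security_result.description",
    "dest": "target",
    "dest_bunit": "additional.fields",
    "dest_category": "additional.fields",
    "dest_priority": "additional.fields",
    "dest_type": "target.resource.resource_type",
    "id": "metadata.product_log_id",
    "mitre_technique_id": "security_result.detection_fields",
    "severity": "security_result.severity",
    "severity_id": "additional.fields",
    "signature": "metadata.description",
    "signature_id": "security_result.rule_name",
    "src": "principal",
    "src_bunit": "additional.fields",
    "src_category": "additional.fields",
    "src_priority": "additional.fields",
    "src_type": "principal.resource.resource_type",
    "tag": "additional.fields",
    "type": "security_result.alert_state",
    "user": "principal.user.user_display_name",
    "user_bunit": "additional.fields",
    "user_category": "principal.user.attribute.labels",
    "user_name": "principal.user.userid",
    "user_priority": "principal.user.attribute.labels",  # the table spells this "label"
    "vendor_account": "additional.fields",
    "vendor_region": "about.location.country_or_region",
}

# Paths that hold repeated {key, value} entries rather than one scalar value.
KEY_VALUE_LISTS = {
    "additional.fields",
    "security_result.detection_fields",
    "principal.user.attribute.labels",
}


def _walk(udm: dict, path: str) -> tuple:
    """Create the nested dicts for a dotted path; return (parent, leaf name)."""
    parts = path.split(".")
    node = udm
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    return node, parts[-1]


def _endpoint_field(value: str) -> str:
    """Assumption: a value that parses as an IP address goes to .ip, else .hostname."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        return "hostname"


def map_alert_to_udm(event: dict) -> tuple:
    """Map one CIM Alerts event to a UDM-style dict; returns (udm, unmapped)."""
    udm: dict = {}
    unmapped = []  # fields absent from the table are reported, not silently dropped
    for field, value in event.items():
        path = ALERTS_MAPPING.get(field)
        if path is None:
            unmapped.append(field)
        elif path in ("target", "principal"):
            parent, leaf = _walk(udm, f"{path}.{_endpoint_field(value)}")
            parent[leaf] = value
        elif path in KEY_VALUE_LISTS:
            parent, leaf = _walk(udm, path)
            parent.setdefault(leaf, []).append({"key": field, "value": value})
        else:
            parent, leaf = _walk(udm, path)
            parent[leaf] = value
    return udm, unmapped


# Constructed sample event for demonstration; not taken from a real Splunk instance.
SAMPLE_ALERT = {
    "app": "ids-console",
    "dest": "10.20.30.40",
    "dest_bunit": "finance",
    "id": "evt-0001",
    "mitre_technique_id": "T1110",
    "severity": "high",
    "signature": "Multiple failed logins",
    "signature_id": "auth-bf-001",
    "src": "web01.example.com",
    "type": "alert",
    "user": "V Patel",
    "user_name": "vpatel",
    "custom_note": "not a CIM Alerts field",
}

if __name__ == "__main__":
    print(map_alert_to_udm(SAMPLE_ALERT))
```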

Authentication

The following table lists the log fields of the Splunk dataset Authentication and their corresponding UDM mappings:

| Log field | UDM mapping |
| --- | --- |
| action | security_result.action_details, security_result.action |
| app | target.application |
| authentication_method | about.labels.key/value (deprecated), additional.fields |
| authentication_service | extension.auth.auth_details |
| dest | target.ip, target.hostname, target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated), additional.fields |
| dest_category | target.labels.key/value (deprecated), additional.fields |
| dest_nt_domain | target.labels.key/value (deprecated), additional.fields |
| dest_priority | target.labels.key/value (deprecated), additional.fields |
| duration | network.session_duration |
| reason | security_result.summary |
| response_time | about.labels.key/value (deprecated), additional.fields |
| signature | metadata.description |
| signature_id | metadata.product_event_type |
| src | principal.ip, principal.hostname, principal.labels.key/value (deprecated) |
| src_bunit | principal.labels.key/value (deprecated), additional.fields |
| src_category | principal.labels.key/value (deprecated), additional.fields |
| src_nt_domain | principal.labels.key/value (deprecated), additional.fields |
| src_priority | principal.labels.key/value (deprecated), additional.fields |
| src_user | principal.user.user_display_name |
| src_user_bunit | principal.labels.key/value (deprecated), additional.fields |
| src_user_category | principal.labels.key/value (deprecated), additional.fields |
| src_user_id | principal.user.userid |
| src_user_priority | principal.labels.key/value (deprecated), additional.fields |
| src_user_role | principal.user.attribute.roles.name (repeated) |
| src_user_type | principal.user.attribute.roles.type |
| tag | about.labels.key/value (deprecated), additional.fields |
| user | principal.user.user_display_name |
| user_agent | network.http.user_agent |
| user_bunit | about.labels.key/value (deprecated), additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_id | principal.user.userid |
| user_priority | principal.user.attribute.label.key/value |
| user_role | principal.user.attribute.roles.name (repeated) |
| user_type | principal.user.attribute.roles.type |
| vendor_account | about.labels.key/value (deprecated), additional.fields |

All_Certificates

The following table lists the log fields of the Splunk dataset All_Certificates and their corresponding UDM mappings:

| Log field | UDM mapping |
| --- | --- |
| dest | target.ip, target.hostname, target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated), additional.fields |
| dest_category | target.labels.key/value (deprecated), additional.fields |
| dest_port | target.port |
| dest_priority | target.labels.key/value (deprecated), additional.fields |
| duration | network.session_duration |
| response_time | about.labels.key/value (deprecated), additional.fields |
| src | principal.ip, principal.hostname, principal.labels.key/value (deprecated) |
| src_bunit | principal.labels.key/value (deprecated), additional.fields |
| src_category | principal.labels.key/value (deprecated), additional.fields |
| src_port | principal.port |
| src_priority | principal.labels.key/value (deprecated), additional.fields |
| tag | about.labels.key/value (deprecated), additional.fields |
| transport | network.ip_protocol |

SSL

The following table lists the log fields of the Splunk dataset SSL and their corresponding UDM mappings:

| Log field | UDM mapping |
| --- | --- |
| ssl_end_time | network.tls.server.certificate.not_after |
| ssl_engine | about.labels.key/value (deprecated), additional.fields |
| ssl_hash | about.labels.key/value (deprecated), additional.fields |
| ssl_is_valid | about.labels.key/value (deprecated), additional.fields |
| ssl_issuer | network.tls.server.certificate.issuer |
| ssl_issuer_common_name | about.labels.key/value (deprecated), additional.fields |
| ssl_issuer_email | about.labels.key/value (deprecated), additional.fields |
| ssl_issuer_email_domain | about.labels.key/value (deprecated), additional.fields |
| ssl_issuer_locality | about.labels.key/value (deprecated), additional.fields |
| ssl_issuer_organization | about.labels.key/value (deprecated), additional.fields |
| ssl_issuer_state | about.labels.key/value (deprecated), additional.fields |
| ssl_issuer_street | about.labels.key/value (deprecated), additional.fields |
| ssl_issuer_unit | about.labels.key/value (deprecated), additional.fields |
| ssl_name | about.labels.key/value (deprecated), additional.fields |
| ssl_policies | about.labels.key/value (deprecated), additional.fields |
| ssl_publickey | about.labels.key/value (deprecated), additional.fields |
| ssl_publickey_algorithm | about.labels.key/value (deprecated), additional.fields |
| ssl_serial | network.tls.server.certificate.serial |
| ssl_session_id | network.session_id |
| ssl_signature_algorithm | about.labels.key/value (deprecated), additional.fields |
| ssl_start_time | network.tls.server.certificate.not_before |
| ssl_subject | network.tls.server.certificate.subject |
| ssl_subject_common_name | about.labels.key/value (deprecated), additional.fields |
| ssl_subject_email | about.labels.key/value (deprecated), additional.fields |
| ssl_subject_email_domain | about.labels.key/value (deprecated), additional.fields |
| ssl_subject_locality | about.labels.key/value (deprecated), additional.fields |
| ssl_subject_organization | about.labels.key/value (deprecated), additional.fields |
| ssl_subject_state | about.labels.key/value (deprecated), additional.fields |
| ssl_subject_street | about.labels.key/value (deprecated), additional.fields |
| ssl_subject_unit | about.labels.key/value (deprecated), additional.fields |
| ssl_validity_window | about.labels.key/value (deprecated), additional.fields |
| ssl_version | network.tls.server.certificate.version |

All_Changes

The following table lists the log fields of the Splunk dataset All_Changes and their corresponding UDM mappings:

| Log field | UDM mapping |
| --- | --- |
| action | security_result.action_details, security_result.action |
| change_type | security_result.category_details |
| command | principal.process.command_line |
| dest | target.ip, target.hostname, target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated), additional.fields |
| dest_category | target.labels.key/value (deprecated), additional.fields |
| dest_priority | target.labels.key/value (deprecated), additional.fields |
| dvc | principal.asset.hostname, principal.asset.ip |
| object | target.resource.name |
| object_attrs | about.labels.key/value (deprecated), additional.fields |
| object_category | about.labels.key/value (deprecated), additional.fields |
| object_id | target.user.product_object_id |
| object_path | target.file.full_path |
| result | metadata.description |
| result_id | metadata.product_event_type |
| src | principal.ip, principal.hostname, principal.labels.key/value (deprecated) |
| src_bunit | principal.labels.key/value (deprecated), additional.fields |
| src_category | principal.labels.key/value (deprecated), additional.fields |
| src_priority | principal.labels.key/value (deprecated), additional.fields |
| status | security_result.summary |
| tag | about.labels.key/value (deprecated), additional.fields |
| user | target.user.userid |
| user_agent | network.http.user_agent |
| user_name | principal.user.user_display_name, target.labels.key/value |
| user_type | principal.user.attribute.roles.type, target.user.attribute.roles.type |
| vendor_account | about.labels.key/value (deprecated), additional.fields |
| vendor_product | about.labels.key/value (deprecated), additional.fields |
| vendor_region | about.location.country_or_region |

Account_Management

The following table lists the log fields of the Splunk dataset Account_Management and their corresponding UDM mappings:

| Log field | UDM mapping |
| --- | --- |
| dest_nt_domain | target.administrative_domain |
| src_nt_domain | principal.administrative_domain |
| src_user | principal.user.userid |
| src_user_bunit | principal.labels.key/value (deprecated), additional.fields |
| src_user_category | principal.labels.key/value (deprecated), additional.fields |
| src_user_priority | principal.labels.key/value (deprecated), additional.fields |
| src_user_name | principal.labels.key/value (deprecated), additional.fields |
| src_user_type | principal.user.attribute.roles.type |

Instance_Changes

The following table lists the log fields of the Splunk dataset Instance_Changes and their corresponding UDM mappings:

| Log field | UDM mapping |
| --- | --- |
| image_id | principal.asset_id |
| instance_type | about.labels.key/value (deprecated), additional.fields |

network_Changes

The following table lists the log fields of the Splunk dataset network_Changes and their corresponding UDM mappings:

| Log field | UDM mapping |
| --- | --- |
| dest_ip_range | target.labels.key/value (deprecated), additional.fields |
| dest_port_range | target.labels.key/value (deprecated), additional.fields |
| direction | network.direction |
| protocol | network.ip_protocol |
| rule_action | security_result.action_details, security_result.action |
| src_ip_range | principal.labels.key/value (deprecated), additional.fields |
| src_port_range | principal.labels.key/value (deprecated), additional.fields |

Data_Access

The following table lists the log fields of the Splunk dataset Data_Access and their corresponding UDM mappings:

| Log field | UDM mapping |
| --- | --- |
| action | security_result.action_details, security_result.action |
| app | target.application |
| app_id | metadata.product_log_id |
| dest | target.ip, target.hostname, target.labels.key/value (deprecated) |
| dest_name | target.administrative_domain |
| dest_url | target.url |
| dvc | principal.asset.hostname, principal.asset.ip |
| email | principal.user.email_addresses |
| object | target.resource.name |
| object_category | about.labels.key/value (deprecated), additional.fields |
| object_id | target.user.product_object_id |
| object_path | target.file.full_path |
| object_size | target.file.size |
| owner | about.labels.key/value (deprecated), additional.fields |
| owner_email | about.labels.key/value (deprecated), additional.fields |
| owner_id | principal.user.userid |
| parent_object | target.resource.parent |
| parent_object_id | about.labels.key/value (deprecated), additional.fields |
| parent_object_category | about.labels.key/value (deprecated), additional.fields |
| src | principal.ip, principal.hostname, principal.labels.key/value (deprecated) |
| tenant_id | about.labels.key/value (deprecated), additional.fields |
| user | principal.user.user_display_name |
| user_agent | network.http.user_agent |
| user_group | principal.user.group_identifiers (repeated) |
| user_role | principal.user.attribute.roles.name (repeated) |
| vendor_product | about.labels.key/value (deprecated), additional.fields |
| vendor_product_id | about.labels.key/value (deprecated), additional.fields |

All_Databases

The following table lists the log fields of the Splunk dataset All_Databases and their corresponding UDM mappings:

| Log field | UDM mapping |
| --- | --- |
| dest | target.ip, target.hostname, target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated), additional.fields |
| dest_category | target.labels.key/value (deprecated), additional.fields |
| dest_priority | target.labels.key/value (deprecated), additional.fields |
| duration | network.session_duration |
| object | target.resource.name |
| response_time | about.labels.key/value (deprecated), additional.fields |
| src | principal.ip, principal.hostname, principal.labels.key/value (deprecated) |
| src_bunit | principal.labels.key/value (deprecated), additional.fields |
| src_category | principal.labels.key/value (deprecated), additional.fields |
| src_priority | principal.labels.key/value (deprecated), additional.fields |
| tag | about.labels.key/value (deprecated), additional.fields |
| user | principal.user.user_display_name |
| user_bunit | about.labels.key/value (deprecated), additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value (deprecated), additional.fields |

Database_Instance

The following table lists the log fields of the Splunk dataset Database_Instance and their corresponding UDM mappings:

| Log field | UDM mapping |
| --- | --- |
| instance_name | target.resource.attributes.key/value |
| instance_version | target.resource.attributes.key/value |
| process_limit | about.labels.key/value (deprecated), additional.fields |
| session_limit | about.labels.key/value (deprecated), additional.fields |

Database_Query

The following table lists the log fields of the Splunk dataset Database_Query and their corresponding UDM mappings:

| Log field | UDM mapping |
| --- | --- |
| query | about.labels.key/value (deprecated), additional.fields |
| query_id | about.labels.key/value (deprecated), additional.fields |
| query_time | about.labels.key/value (deprecated), additional.fields |
| records_affected | about.labels.key/value (deprecated), additional.fields |

Instance_Stats

The following table lists the log fields of the Splunk dataset Instance_Stats and their corresponding UDM mappings:

| Log field | UDM mapping |
| --- | --- |
| availability | about.labels.key/value (deprecated), additional.fields |
| avg_executions | about.labels.key/value (deprecated), additional.fields |
| dump_area_used | about.labels.key/value (deprecated), additional.fields |
| instance_reads | about.labels.key/value (deprecated), additional.fields |
| instance_writes | about.labels.key/value (deprecated), additional.fields |
| number_of_users | about.labels.key/value (deprecated), additional.fields |
| processes | about.labels.key/value (deprecated), additional.fields |
| sessions | about.labels.key/value (deprecated), additional.fields |
| sga_buffer_cache_size | about.labels.key/value (deprecated), additional.fields |
| sga_buffer_hit_limit | about.labels.key/value (deprecated), additional.fields |
| sga_data_dict_hit_ratio | about.labels.key/value (deprecated), additional.fields |
| sga_fixed_area_size | about.labels.key/value (deprecated), additional.fields |
| sga_free_memory | about.labels.key/value (deprecated), additional.fields |
| sga_library_cache_size | about.labels.key/value (deprecated), additional.fields |
| sga_redo_log_buffer_size | about.labels.key/value (deprecated), additional.fields |
| sga_shared_pool_size | about.labels.key/value (deprecated), additional.fields |
| sga_sql_area_size | about.labels.key/value (deprecated), additional.fields |
| start_time | about.labels.key/value (deprecated), additional.fields |
| tablespace_used | about.labels.key/value (deprecated), additional.fields |

Session_Info

The following table lists the log fields of the Splunk dataset Session_Info and their corresponding UDM mappings:

| Log field | UDM mapping |
| --- | --- |
| buffer_cache_hit_ratio | about.labels.key/value (deprecated), additional.fields |
| commits | about.labels.key/value (deprecated), additional.fields |
| cpu_used | about.labels.key/value (deprecated), additional.fields |
| cursor | about.labels.key/value (deprecated), additional.fields |
| elapsed_time | about.labels.key/value (deprecated), additional.fields |
| logical_reads | about.labels.key/value (deprecated), additional.fields |
| machine | about.hostname |
| memory_sorts | about.labels.key/value (deprecated), additional.fields |
| physical_reads | about.labels.key/value (deprecated), additional.fields |
| seconds_in_wait | about.labels.key/value (deprecated), additional.fields |
| session_id | network.session_id |
| session_status | about.labels.key/value (deprecated), additional.fields |
| table_scans | about.labels.key/value (deprecated), additional.fields |
| wait_state | about.labels.key/value (deprecated), additional.fields |
| wait_time | about.labels.key/value (deprecated), additional.fields |

Lock_Info

The following table lists the log fields of the Splunk dataset Lock_Info and their corresponding UDM mappings:

| Log field | UDM mapping |
| --- | --- |
| last_call_minute | about.labels.key/value (deprecated), additional.fields |
| lock_mode | about.labels.key/value (deprecated), additional.fields |
| lock_session_id | about.labels.key/value (deprecated), additional.fields |
| logon_time | about.labels.key/value (deprecated), additional.fields |
| obj_name | about.labels.key/value (deprecated), additional.fields |
| os_pid | target.process.pid |
| serial_num | target.resource.product_object_id |

Tablespace

The following table lists the log fields of the Splunk dataset Tablespace and their corresponding UDM mappings:

| Log field | UDM mapping |
| --- | --- |
| free_bytes | about.file.size |
| tablespace_name | about.resource.name |
| tablespace_reads | about.labels.key/value (deprecated), additional.fields |
| tablespace_status | about.labels.key/value (deprecated), additional.fields |
| tablespace_writes | about.labels.key/value (deprecated), additional.fields |

Query_Stats

The following table lists the log fields of the Splunk dataset Query_Stats and their corresponding UDM mappings:

| Log field | UDM mapping |
| --- | --- |
| indexes_hit | about.labels.key/value (deprecated), additional.fields |
| query_plan_hit | about.labels.key/value (deprecated), additional.fields |
| stored_procedures_called | about.labels.key/value (deprecated), additional.fields |
| tables_hit | about.labels.key/value (deprecated), additional.fields |

DLP_Incidents

The following table lists the log fields of the Splunk dataset DLP_Incidents and their corresponding UDM mappings:

| Log field | UDM mapping |
| --- | --- |
| action | security_result.action_details, security_result.action |
| app | target.application |
| category | security_result.category_details |
| dest | target.ip, target.hostname, target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated), additional.fields |
| dest_category | target.labels.key/value (deprecated), additional.fields |
| dest_priority | target.labels.key/value (deprecated), additional.fields |
| dest_zone | target.location.country_or_region |
| dlp_type | about.labels.key/value (deprecated), additional.fields |
| dvc | principal.asset.hostname, principal.asset.ip |
| dvc_bunit | about.labels.key/value (deprecated), additional.fields |
| dvc_category | about.labels.key/value (deprecated), additional.fields |
| dvc_priority | about.labels.key/value (deprecated), additional.fields |
| dvc_zone | principal.asset.location.country_or_region |
| object | target.resource.name |
| object_category | about.labels.key/value (deprecated), additional.fields |
| object_path | target.file.full_path |
| severity | security_result.severity |
| severity_id | about.labels.key/value (deprecated), additional.fields |
| signature | metadata.description |
| signature_id | metadata.product_event_type |
| src | principal.ip, principal.hostname, principal.labels.key/value (deprecated) |
| src_bunit | principal.labels.key/value (deprecated), additional.fields |
| src_category | principal.labels.key/value (deprecated), additional.fields |
| src_priority | principal.labels.key/value (deprecated), additional.fields |
| src_user | principal.user.user_display_name |
| src_user_bunit | principal.labels.key/value (deprecated), additional.fields |
| src_user_category | principal.labels.key/value (deprecated), additional.fields |
| src_user_priority | principal.labels.key/value (deprecated), additional.fields |
| src_zone | principal.location.country_or_region |
| tag | about.labels.key/value (deprecated), additional.fields |
| user | principal.user.user_display_name |
| user_bunit | about.labels.key/value (deprecated), additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value (deprecated), additional.fields |

All_Email

The following table lists the log fields of the Splunk dataset All_Email and their corresponding UDM mappings:

| Log field | UDM mapping |
| --- | --- |
| action | security_result.action_details, security_result.action |
| delay | about.labels.key/value (deprecated), additional.fields |
| dest | target.ip, target.hostname, target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated), additional.fields |
| dest_category | target.labels.key/value (deprecated), additional.fields |
| dest_priority | target.labels.key/value (deprecated), additional.fields |
| duration | network.session_duration |
| file_hash | about.file.sha256, about.file.md5, about.file.sha1 |
| file_name | about.labels.key/value (deprecated), additional.fields |
| file_size | about.file.size |
| internal_message_id | metadata.product_log_id |
| message_id | network.email.mail_id |
| message_info | about.labels.key/value (deprecated), additional.fields |
| orig_dest | target.labels.key/value (deprecated), additional.fields |
| orig_recipient | about.labels.key/value (deprecated), additional.fields |
| orig_src | network.email.from |
| process | principal.process.command_line |
| process_id | principal.process.pid |
| protocol | network.application_protocol |
| recipient | network.email.to |
| recipient_count | about.labels.key/value (deprecated), additional.fields |
| recipient_domain | about.labels.key/value (deprecated), additional.fields |
| recipient_status | about.labels.key/value (deprecated), additional.fields |
| response_time | about.labels.key/value (deprecated), additional.fields |
| retries | about.labels.key/value (deprecated), additional.fields |
| return_addr | about.labels.key/value (deprecated), additional.fields |
| size | about.labels.key/value (deprecated), additional.fields |
| src | principal.ip, principal.hostname, principal.labels.key/value (deprecated) |
| src_bunit | principal.labels.key/value (deprecated), additional.fields |
| src_category | principal.labels.key/value (deprecated), additional.fields |
| src_priority | principal.labels.key/value (deprecated), additional.fields |
| src_user | principal.user.email_addresses |
| src_user_bunit | principal.labels.key/value (deprecated), additional.fields |
| src_user_category | principal.labels.key/value (deprecated), additional.fields |
| src_user_domain | principal.administrative_domain |
| src_user_priority | principal.labels.key/value (deprecated), additional.fields |
| status_code | about.labels.key/value (deprecated), additional.fields |
| subject | network.email.subject (repeated) |
| tag | about.labels.key/value (deprecated), additional.fields |
| url | about.url |
| user | principal.user.user_display_name |
| user_bunit | about.labels.key/value (deprecated), additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value (deprecated), additional.fields |
| xdelay | about.labels.key/value (deprecated), additional.fields |
| xref | about.labels.key/value (deprecated), additional.fields |

Filtering

The following table lists the log fields of the Splunk dataset Filtering and their corresponding UDM mappings:

| Log field | UDM mapping |
| --- | --- |
| filter_action | about.labels.key/value (deprecated), additional.fields |
| filter_score | about.labels.key/value (deprecated), additional.fields |
| signature | metadata.description |
| signature_extra | about.labels.key/value (deprecated), additional.fields |
| signature_id | metadata.product_event_type |

Ports

The following table lists the log fields of the Splunk dataset Ports and their corresponding UDM mappings:

| Log field | UDM mapping |
| --- | --- |
| creation_time | about.labels.key/value (deprecated), additional.fields |
| dest | target.ip, target.hostname, target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated), additional.fields |
| dest_category | target.labels.key/value (deprecated), additional.fields |
| dest_port | target.port |
| dest_priority | target.labels.key/value (deprecated), additional.fields |
| dest_requires_av | target.labels.key/value (deprecated), additional.fields |
| dest_should_timesync | target.labels.key/value (deprecated), additional.fields |
| dest_should_update | target.labels.key/value (deprecated), additional.fields |
| process_guid | principal.process.product_specific_process_id |
| process_id | principal.process.pid |
| src | principal.ip, principal.hostname, principal.labels.key/value (deprecated) |
| src_category | principal.labels.key/value (deprecated), additional.fields |
| src_priority | principal.labels.key/value (deprecated), additional.fields |
| src_port | principal.port |
| src_requires_av | principal.labels.key/value (deprecated), additional.fields |
| src_should_timesync | principal.labels.key/value (deprecated), additional.fields |
| src_should_update | principal.labels.key/value (deprecated), additional.fields |
| state | about.labels.key/value (deprecated), additional.fields |
| tag | about.labels.key/value (deprecated), additional.fields |
| transport | network.ip_protocol |
| transport_dest_port | target.labels.key/value (deprecated), additional.fields |
| user | principal.user.user_display_name |
| user_bunit | about.labels.key/value (deprecated), additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |

Processes

The following table lists the log fields of the Splunk dataset Processes and their corresponding UDM mappings:

| Log field | UDM mapping |
| --- | --- |
| action | security_result.action_details, security_result.action |
| cpu_load_percent | about.labels.key/value (deprecated), additional.fields |
| dest | target.ip, target.hostname, target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated), additional.fields |
| dest_category | target.labels.key/value (deprecated), additional.fields |
| dest_is_expected | target.labels.key/value (deprecated), additional.fields |
| dest_priority | target.labels.key/value (deprecated), additional.fields |
| dest_requires_av | target.labels.key/value (deprecated), additional.fields |
| dest_should_timesync | target.labels.key/value (deprecated), additional.fields |
| dest_should_update | target.labels.key/value (deprecated), additional.fields |
| mem_used | about.labels.key/value (deprecated), additional.fields |
| original_file_name | src.file.full_path |
| os | principal.asset.platform_software.platform_version |
| parent_process | about.labels.key/value (deprecated), additional.fields |
| parent_process_exec | about.labels.key/value (deprecated), additional.fields |
| parent_process_id | principal.process.parent_process.parent_pid |
| parent_process_guid | principal.process.parent_process.product_specific_process_id |
| parent_process_name | about.labels.key/value (deprecated), additional.fields |
| parent_process_path | principal.process.parent_process.command_line |
| process | about.labels.key/value (deprecated), additional.fields |
| process_current_directory | about.labels.key/value (deprecated), additional.fields |
| process_exec | about.labels.key/value (deprecated), additional.fields |
| process_hash | principal.process.file.sha256, principal.process.file.md5, principal.process.file.sha1 |
| process_guid | principal.process.product_specific_process_id |
| process_id | principal.process.pid |
| process_integrity_level | security_result.severity |
| process_name | principal.process.command_line |
| process_path | principal.process.file.full_path |
| tag | about.labels.key/value (deprecated), additional.fields |
| user | principal.user.user_display_name |
| user_id | principal.user.userid |
| user_bunit | about.labels.key/value (deprecated), additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value (deprecated), additional.fields |

Services

The following table lists the log fields of the Splunk dataset Services and their corresponding UDM mappings:

| Log field | UDM mapping |
| --- | --- |
| description | security_result.description |
| dest | target.ip, target.hostname, target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated), additional.fields |
| dest_category | target.labels.key/value (deprecated), additional.fields |
| dest_is_expected | target.labels.key/value (deprecated), additional.fields |
| dest_priority | target.labels.key/value (deprecated), additional.fields |
| dest_requires_av | target.labels.key/value (deprecated), additional.fields |
| dest_should_timesync | target.labels.key/value (deprecated), additional.fields |
| dest_should_update | target.labels.key/value (deprecated), additional.fields |
| process_guid | principal.process.product_specific_process_id |
| process_id | principal.process.pid |
| service | target.application |
| service_dll | about.labels.key/value (deprecated), additional.fields |
| service_dll_path | about.file.full_path |
| service_dll_hash | about.labels.key/value (deprecated), additional.fields |
| service_dll_signature_exists | about.labels.key/value (deprecated), additional.fields |
| service_dll_signature_verified | about.labels.key/value (deprecated), additional.fields |
| service_exec | target.process.file.full_path |
| service_hash | about.labels.key/value (deprecated), additional.fields |
| service_id | about.labels.key/value (deprecated), additional.fields |
| service_name | about.labels.key/value (deprecated), additional.fields |
| service_path | about.labels.key/value (deprecated), additional.fields |
| service_signature_exists | about.labels.key/value (deprecated), additional.fields |
| service_signature_verified | about.labels.key/value (deprecated), additional.fields |
| start_mode | about.labels.key/value (deprecated), additional.fields |
| status | security_result.summary |
| tag | about.labels.key/value (deprecated), additional.fields |
| user | principal.user.user_display_name |
| user_bunit | about.labels.key/value (deprecated), additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value (deprecated), additional.fields |

Filesystem

The following table lists the log fields of the Splunk dataset Filesystem and their corresponding UDM mappings:

| Log field | UDM mapping |
| --- | --- |
| action | security_result.action_details, security_result.action |
| dest | target.ip, target.hostname, target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated), additional.fields |
| dest_category | target.labels.key/value (deprecated), additional.fields |
| dest_priority | target.labels.key/value (deprecated), additional.fields |
| dest_requires_av | target.labels.key/value (deprecated), additional.fields |
| dest_should_timesync | target.labels.key/value (deprecated), additional.fields |
| dest_should_update | target.labels.key/value (deprecated), additional.fields |
| file_access_time | about.labels.key/value (deprecated), additional.fields |
| file_create_time | target.asset.attribute.creation_time |
| file_hash | target.file.sha256, target.file.md5, target.file.sha1 |
| file_modify_time | about.labels.key/value (deprecated), additional.fields |
| file_name | about.labels.key/value (deprecated), additional.fields |
| file_path | target.file.full_path |
| file_acl | about.labels.key/value (deprecated), additional.fields |
| file_size | target.file.size |
| process_guid | principal.process.product_specific_process_id |
| process_id | principal.process.pid |
| tag | about.labels.key/value (deprecated), additional.fields |
| user | principal.user.user_display_name |
| user_bunit | about.labels.key/value (deprecated), additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value (deprecated), additional.fields |

Registry

The following table lists the log fields of the Splunk dataset Registry and their corresponding UDM mappings:

| Log field | UDM mapping |
| --- | --- |
| action | security_result.action_details, security_result.action |
| dest | target.ip, target.hostname, target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated), additional.fields |
| dest_category | target.labels.key/value (deprecated), additional.fields |
| dest_priority | target.labels.key/value (deprecated), additional.fields |
| dest_requires_av | target.labels.key/value (deprecated), additional.fields |
| dest_should_timesync | target.labels.key/value (deprecated), additional.fields |
| dest_should_update | target.labels.key/value (deprecated), additional.fields |
| process_guid | principal.process.product_specific_process_id |
| process_id | principal.process.pid |
| registry_hive | about.labels.key/value (deprecated), additional.fields |
| registry_path | about.labels.key/value (deprecated), additional.fields |
| registry_key_name | target.registry.registry_key |
| registry_value_data | target.registry.registry_value_data |
| registry_value_name | target.registry.registry_value_name |
| registry_value_text | about.labels.key/value (deprecated), additional.fields |
| registry_value_type | about.labels.key/value (deprecated), additional.fields |
| status | security_result.summary |
| tag | about.labels.key/value (deprecated), additional.fields |
| user | principal.user.user_display_name |
| user_bunit | about.labels.key/value (deprecated), additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value (deprecated), additional.fields |

Signatures

The following table lists the log fields of the Splunk dataset Signatures and their corresponding UDM mappings:

| Log field | UDM mapping |
| --- | --- |
| dest | target.ip, target.hostname, target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated), additional.fields |
| dest_category | target.labels.key/value (deprecated), additional.fields |
| dest_priority | target.labels.key/value (deprecated), additional.fields |
| signature | metadata.description |
| signature_id | metadata.product_event_type |
| tag | about.labels.key/value (deprecated), additional.fields |

Signatures_vendor_product

The following table lists the log fields of the Splunk dataset Signatures_vendor_product and their corresponding UDM mappings:

| Log field | UDM mapping |
| --- | --- |
| vendor_product | about.labels.key/value (deprecated), additional.fields |

All_Interprocess_Messaging

The following table lists the log fields of the Splunk dataset All_Interprocess_Messaging and their corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| dest | target.ip, target.hostname, target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated), additional.fields |
| dest_category | target.labels.key/value (deprecated), additional.fields |
| dest_priority | target.labels.key/value (deprecated), additional.fields |
| duration | network.session_duration |
| endpoint | about.labels.key/value (deprecated), additional.fields |
| endpoint_version | about.labels.key/value (deprecated), additional.fields |
| message | about.labels.key/value (deprecated), additional.fields |
| message_consumed_time | about.labels.key/value (deprecated), additional.fields |
| message_correlation_id | about.labels.key/value (deprecated), additional.fields |
| message_delivered_time | about.labels.key/value (deprecated), additional.fields |
| message_delivery_mode | about.labels.key/value (deprecated), additional.fields |
| message_expiration_time | about.labels.key/value (deprecated), additional.fields |
| message_id | metadata.product.log_id |
| message_priority | about.labels.key/value (deprecated), additional.fields |
| message_properties | about.labels.key/value (deprecated), additional.fields |
| message_received_time | about.labels.key/value (deprecated), additional.fields |
| message_redelivered | about.labels.key/value (deprecated), additional.fields |
| message_reply_dest | target.labels.key/value (deprecated), additional.fields |
| message_type | about.labels.key/value (deprecated), additional.fields |
| parameters | about.labels.key/value (deprecated), additional.fields |
| payload | about.labels.key/value (deprecated), additional.fields |
| payload_type | about.labels.key/value (deprecated), additional.fields |
| request_payload | about.labels.key/value (deprecated), additional.fields |
| request_payload_type | about.labels.key/value (deprecated), additional.fields |
| request_sent_time | about.labels.key/value (deprecated), additional.fields |
| response_code | network.http.response_code |
| response_payload_type | about.labels.key/value (deprecated), additional.fields |
| response_received_time | about.labels.key/value (deprecated), additional.fields |
| response_time | about.labels.key/value (deprecated), additional.fields |
| return_message | about.labels.key/value (deprecated), additional.fields |
| rpc_protocol | network.application_protocol |
| status | security_result.summary |
| tag | about.labels.key/value (deprecated), additional.fields |

IDS_Attacks

The following table lists the log fields of the Splunk dataset IDS_Attacks and their corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| action | security_result.action_details, security_result.action |
| category | security_result.category_details |
| dest | target.ip, target.hostname, target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated), additional.fields |
| dest_category | target.labels.key/value (deprecated), additional.fields |
| dest_priority | target.labels.key/value (deprecated), additional.fields |
| dvc | principal.asset.hostname, principal.asset.ip |
| dvc_bunit | about.labels.key/value (deprecated), additional.fields |
| dvc_category | about.labels.key/value (deprecated), additional.fields |
| dvc_priority | about.labels.key/value (deprecated), additional.fields |
| file_hash | target.file.sha256, target.file.md5, target.file.sha1 |
| file_name | about.labels.key/value (deprecated), additional.fields |
| file_path | target.file.full_path |
| ids_type | about.labels.key/value (deprecated), additional.fields |
| severity | security_result.severity |
| severity_id | about.labels.key/value (deprecated), additional.fields |
| signature | metadata.description |
| signature_id | metadata.product_event_type |
| src | principal.ip, principal.hostname, principal.labels.key/value (deprecated) |
| src_bunit | principal.labels.key/value (deprecated), additional.fields |
| src_category | principal.labels.key/value (deprecated), additional.fields |
| src_priority | principal.labels.key/value (deprecated), additional.fields |
| src_port | principal.port |
| tag | about.labels.key/value (deprecated), additional.fields |
| transport | network.ip_protocol |
| user | principal.user.user_display_name |
| user_bunit | about.labels.key/value (deprecated), additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value (deprecated), additional.fields |

DS_Attacks

The following table lists the log fields of the Splunk dataset DS_Attacks and their corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| dest_port | target.port |

All_Inventory

The following table lists the log fields of the Splunk dataset All_Inventory and their corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| description | security_result.description |
| dest | target.ip, target.hostname, target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated), additional.fields |
| dest_category | target.labels.key/value (deprecated), additional.fields |
| dest_priority | target.labels.key/value (deprecated), additional.fields |
| enabled | about.labels.key/value (deprecated), additional.fields |
| family | about.labels.key/value (deprecated), additional.fields |
| hypervisor_id | about.labels.key/value (deprecated), additional.fields |
| serial | principal.asset.hardware.serial_number |
| status | security_result.summary |
| tag | about.labels.key/value (deprecated), additional.fields |
| vendor_product | about.labels.key/value (deprecated), additional.fields |
| version | about.labels.key/value (deprecated), additional.fields |

CPU

The following table lists the log fields of the Splunk dataset CPU and their corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| cpu_cores | principal.asset.hardware.cpu_number_cores |
| cpu_count | about.labels.key/value (deprecated), additional.fields |
| cpu_mhz | principal.asset.hardware.cpu_clock_speed |
| cpu_load_mhz | principal.asset.hardware.cpu_clock_speed |
| cpu_load_percent | about.labels.key/value (deprecated), additional.fields |
| cpu_time | about.labels.key/value (deprecated), additional.fields |
| cpu_user_percent | about.labels.key/value (deprecated), additional.fields |

Memory

The following table lists the log fields of the Splunk dataset Memory and their corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| mem | principal.asset.hardware.ram |
| heap_committed | about.labels.key/value (deprecated), additional.fields |
| heap_initial | about.labels.key/value (deprecated), additional.fields |
| heap_max | about.labels.key/value (deprecated), additional.fields |
| heap_used | about.labels.key/value (deprecated), additional.fields |
| non_heap_committed | about.labels.key/value (deprecated), additional.fields |
| non_heap_initial | about.labels.key/value (deprecated), additional.fields |
| non_heap_max | about.labels.key/value (deprecated), additional.fields |
| non_heap_used | about.labels.key/value (deprecated), additional.fields |
| objects_pending | about.labels.key/value (deprecated), additional.fields |
| mem_committed | about.labels.key/value (deprecated), additional.fields |
| mem_free | about.labels.key/value (deprecated), additional.fields |
| mem_used | about.labels.key/value (deprecated), additional.fields |
| swap | about.labels.key/value (deprecated), additional.fields |
| swap_free | about.labels.key/value (deprecated), additional.fields |
| swap_used | about.labels.key/value (deprecated), additional.fields |

Network

The following table lists the log fields of the Splunk dataset Network and their corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| dest_ip | target.ip |
| dns | about.labels.key/value (deprecated), additional.fields |
| inline_nat | about.labels.key/value (deprecated), additional.fields |
| interface | about.labels.key/value (deprecated), additional.fields |
| ip | principal.asset.ip |
| lb_method | about.labels.key/value (deprecated), additional.fields |
| mac | principal.asset.mac |
| name | principal.resource.name |
| node | about.labels.key/value (deprecated), additional.fields |
| node_port | target.port |
| src_ip | principal.ip |
| vip_port | about.labels.key/value (deprecated), additional.fields |
| thruput | about.labels.key/value (deprecated), additional.fields |
| thruput_max | about.labels.key/value (deprecated), additional.fields |

OS

The following table lists the log fields of the Splunk dataset OS and their corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| os | principal.asset.platform_software.platform_version |
| committed_memory | about.labels.key/value (deprecated), additional.fields |
| cpu_time | about.labels.key/value (deprecated), additional.fields |
| free_physical_memory | about.labels.key/value (deprecated), additional.fields |
| free_swap | about.labels.key/value (deprecated), additional.fields |
| max_file_descriptors | about.labels.key/value (deprecated), additional.fields |
| open_file_descriptors | about.labels.key/value (deprecated), additional.fields |
| os_architecture | about.labels.key/value (deprecated), additional.fields |
| os_version | about.labels.key/value (deprecated), additional.fields |
| physical_memory | about.labels.key/value (deprecated), additional.fields |
| swap_space | about.labels.key/value (deprecated), additional.fields |
| system_load | about.labels.key/value (deprecated), additional.fields |
| total_processors | about.labels.key/value (deprecated), additional.fields |
| signature | metadata.description |
| signature_id | metadata.product_event_type |

Storage

The following table lists the log fields of the Splunk dataset Storage and their corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| array | about.labels.key/value (deprecated), additional.fields |
| blocksize | about.labels.key/value (deprecated), additional.fields |
| cluster | about.resource.resource_type = "CLUSTER" |
| fd_max | about.labels.key/value (deprecated), additional.fields |
| latency | about.labels.key/value (deprecated), additional.fields |
| mount | principal.resource.attribute.labels.key/value |
| parent | principal.resource.parent |
| read_blocks | about.labels.key/value (deprecated), additional.fields |
| read_latency | about.labels.key/value (deprecated), additional.fields |
| read_ops | about.labels.key/value (deprecated), additional.fields |
| storage | about.labels.key/value (deprecated), additional.fields |
| write_blocks | about.labels.key/value (deprecated), additional.fields |
| write_latency | about.labels.key/value (deprecated), additional.fields |
| write_ops | about.labels.key/value (deprecated), additional.fields |
| fd_used | about.labels.key/value (deprecated), additional.fields |
| mount | about.labels.key/value (deprecated), additional.fields |
| storage_free | about.labels.key/value (deprecated), additional.fields |
| storage_free_percent | about.labels.key/value (deprecated), additional.fields |
| storage_used | about.labels.key/value (deprecated), additional.fields |
| storage_used_percent | about.labels.key/value (deprecated), additional.fields |
| error_code | security_result.description |
| action | about.labels.key/value (deprecated), additional.fields |
| storage_name | about.resource.name |

User

The following table lists the log fields of the Splunk dataset User and their corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| interactive | about.labels.key/value (deprecated), additional.fields |
| password | about.labels.key/value (deprecated), additional.fields |
| shell | about.labels.key/value (deprecated), additional.fields |
| user | principal.user.user_display_name |
| user_bunit | about.labels.key/value (deprecated), additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_id | principal.user.userid |
| user_priority | principal.user.attribute.label.key/value |

Virtual_OS

The following table lists the log fields of the Splunk dataset Virtual_OS and their corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| hypervisor | about.labels.key/value (deprecated), additional.fields |

Snapshot

The following table lists the log fields of the Splunk dataset Snapshot and their corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| size | about.file.size |
| snapshot | about.labels.key/value (deprecated), additional.fields |
| time | about.labels.key/value (deprecated), additional.fields |

JVM

The following table lists the log fields of the Splunk dataset JVM and their corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| jvm_description | security_result.description |
| tag | about.labels.key/value (deprecated), additional.fields |

Threading

The following table lists the log fields of the Splunk dataset Threading and their corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| cm_enabled | about.labels.key/value (deprecated), additional.fields |
| cm_supported | about.labels.key/value (deprecated), additional.fields |
| cpu_time_enabled | about.labels.key/value (deprecated), additional.fields |
| cpu_time_supported | about.labels.key/value (deprecated), additional.fields |
| current_cpu_time | about.labels.key/value (deprecated), additional.fields |
| current_user_time | about.labels.key/value (deprecated), additional.fields |
| daemon_thread_count | about.labels.key/value (deprecated), additional.fields |
| omu_supported | about.labels.key/value (deprecated), additional.fields |
| peak_thread_count | about.labels.key/value (deprecated), additional.fields |
| synch_supported | about.labels.key/value (deprecated), additional.fields |
| thread_count | about.labels.key/value (deprecated), additional.fields |
| threads_started | about.labels.key/value (deprecated), additional.fields |

Runtime

The following table lists the log fields of the Splunk dataset Runtime and their corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| process_name | principal.process.command_line |
| start_time | about.labels.key/value (deprecated), additional.fields |
| uptime | about.labels.key/value (deprecated), additional.fields |
| vendor_product | about.labels.key/value (deprecated), additional.fields |
| version | about.labels.key/value (deprecated), additional.fields |

Compilation

The following table lists the log fields of the Splunk dataset Compilation and their corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| compilation_time | about.labels.key/value (deprecated), additional.fields |

Classloading

The following table lists the log fields of the Splunk dataset Classloading and their corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| current_loaded | about.labels.key/value (deprecated), additional.fields |
| total_loaded | about.labels.key/value (deprecated), additional.fields |
| total_unloaded | about.labels.key/value (deprecated), additional.fields |

Malware_Attacks

The following table lists the log fields of the Splunk dataset Malware_Attacks and their corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| action | security_result.action_details, security_result.action |
| category | security_result.category_details |
| date | about.labels.key/value (deprecated), additional.fields |
| dest | target.ip, target.hostname, target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated), additional.fields |
| dest_category | target.labels.key/value (deprecated), additional.fields |
| dest_nt_domain | target.administrative_domain |
| dest_priority | target.labels.key/value (deprecated), additional.fields |
| dest_requires_av | target.labels.key/value (deprecated), additional.fields |
| file_hash | target.file.sha256, target.file.md5, target.file.sha1 |
| file_name | about.labels.key/value (deprecated), additional.fields |
| file_path | target.file.full_path |
| severity | security_result.severity |
| severity_id | about.labels.key/value (deprecated), additional.fields |
| signature | metadata.description |
| signature_id | metadata.product_event_type |
| src | principal.ip, principal.hostname, principal.labels.key/value (deprecated) |
| src_bunit | principal.labels.key/value (deprecated), additional.fields |
| src_category | principal.labels.key/value (deprecated), additional.fields |
| src_priority | principal.labels.key/value (deprecated), additional.fields |
| src_user | principal.user.user_display_name |
| tag | about.labels.key/value (deprecated), additional.fields |
| user | principal.user.user_display_name |
| user_bunit | about.labels.key/value (deprecated), additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| url | about.url |
| vendor_product | about.labels.key/value (deprecated), additional.fields |

Malware_Operations

The following table lists the log fields of the Splunk dataset Malware_Operations and their corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| dest | target.ip, target.hostname, target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated), additional.fields |
| dest_category | target.labels.key/value (deprecated), additional.fields |
| dest_nt_domain | target.labels.key/value (deprecated), additional.fields |
| dest_priority | target.labels.key/value (deprecated), additional.fields |
| dest_requires_av | target.labels.key/value (deprecated), additional.fields |
| product_version | about.labels.key/value (deprecated), additional.fields |
| signature_version | security_result.rule_version |
| tag | about.labels.key/value (deprecated), additional.fields |
| vendor_product | about.labels.key/value (deprecated), additional.fields |

DNS

The following table lists the log fields of the Splunk dataset DNS and their corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| additional_answer_count | about.labels.key/value (deprecated), additional.fields |
| answer | network.dns.answer.data |
| answer_count | about.labels.key/value (deprecated), additional.fields |
| authority_answer_count | about.labels.key/value (deprecated), additional.fields |
| dest | target.ip, target.hostname, target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated), additional.fields |
| dest_category | target.labels.key/value (deprecated), additional.fields |
| dest_port | target.port |
| dest_priority | target.labels.key/value (deprecated), additional.fields |
| duration | network.session_duration |
| message_type | about.labels.key/value (deprecated), additional.fields |
| name | about.labels.key/value (deprecated), additional.fields |
| query | network.dns.questions.name |
| query_count | about.labels.key/value (deprecated), additional.fields |
| query_type | network.dns.questions.type |
| record_type | network.dns.answer.type (uint32) |
| reply_code | about.labels.key/value (deprecated), additional.fields |
| reply_code_id | network.dns.response_code |
| response_time | about.labels.key/value (deprecated), additional.fields |
| src | principal.ip, principal.hostname, principal.labels.key/value (deprecated) |
| src_bunit | principal.labels.key/value (deprecated), additional.fields |
| src_category | principal.labels.key/value (deprecated), additional.fields |
| src_port | principal.port |
| src_priority | principal.labels.key/value (deprecated), additional.fields |
| tag | about.labels.key/value (deprecated), additional.fields |
| transaction_id | network.dns.id |
| transport | network.ip_protocol |
| ttl | about.labels.key/value (deprecated), additional.fields |
| vendor_product | about.labels.key/value (deprecated), additional.fields |

All_Sessions

The following table lists the log fields of the Splunk dataset All_Sessions and their corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| action | security_result.action_details, security_result.action |
| dest_bunit | target.labels.key/value (deprecated), additional.fields |
| dest_category | target.labels.key/value (deprecated), additional.fields |
| dest_dns | target.labels.key/value (deprecated), additional.fields |
| dest_ip | network.dhcp.ciaddr |
| dest_mac | network.dhcp.chaddr |
| dest_nt_host | target.labels.key/value (deprecated), additional.fields |
| dest_priority | target.labels.key/value (deprecated), additional.fields |
| duration | network.session_duration |
| response_time | about.labels.key/value (deprecated), additional.fields |
| signature | metadata.description |
| signature_id | metadata.product_event_type |
| src_bunit | principal.labels.key/value (deprecated), additional.fields |
| src_category | principal.labels.key/value (deprecated), additional.fields |
| src_dns | principal.labels.key/value (deprecated), additional.fields |
| src_ip | principal.ip |
| src_mac | principal.mac |
| src_nt_host | principal.labels.key/value (deprecated), additional.fields |
| src_priority | principal.labels.key/value (deprecated), additional.fields |
| tag | about.labels.key/value (deprecated), additional.fields |
| user | principal.user.user_display_name |
| user_bunit | about.labels.key/value (deprecated), additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value (deprecated), additional.fields |

DHCP

The following table lists the log fields of the Splunk dataset DHCP and their corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| lease_duration | network.dhcp.lease_time_second |
| lease_scope | about.labels.key/value (deprecated), additional.fields |

All_Traffic

The following table lists the log fields of the Splunk dataset All_Traffic and their corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| action | security_result.action_details, security_result.action |
| app | network.application_protocol |
| bytes | about.labels.key/value (deprecated), additional.fields |
| bytes_in | network.received_bytes |
| bytes_out | network.sent_bytes |
| channel | about.labels.key/value (deprecated), additional.fields |
| dest | target.ip, target.hostname, target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated), additional.fields |
| dest_category | target.labels.key/value (deprecated), additional.fields |
| dest_interface | target.labels.key/value (deprecated), additional.fields |
| dest_ip | target.ip |
| dest_mac | target.mac |
| dest_port | target.port |
| dest_priority | target.labels.key/value (deprecated), additional.fields |
| dest_translated_ip | target.nat_ip |
| dest_translated_port | target.nat_port |
| dest_zone | target.location.country_or_origin |
| direction | network.direction |
| duration | network.session_duration |
| dvc | principal.asset.hostname, principal.asset.ip |
| dvc_bunit | about.labels.key/value (deprecated), additional.fields |
| dvc_category | about.labels.key/value (deprecated), additional.fields |
| dvc_ip | about.labels.key/value (deprecated), additional.fields |
| dvc_mac | principal.asset.mac |
| dvc_priority | about.labels.key/value (deprecated), additional.fields |
| dvc_zone | principal.asset.location.country_or_region |
| flow_id | about.labels.key/value (deprecated), additional.fields |
| icmp_code | about.labels.key/value (deprecated), additional.fields |
| icmp_type | about.labels.key/value (deprecated), additional.fields |
| packets | about.labels.key/value (deprecated), additional.fields |
| packets_in | about.labels.key/value (deprecated), additional.fields |
| packets_out | about.labels.key/value (deprecated), additional.fields |
| protocol | about.labels.key/value (deprecated), additional.fields |
| protocol_version | about.labels.key/value (deprecated), additional.fields |
| response_time | about.labels.key/value (deprecated), additional.fields |
| rule | security_result.rule_id |
| session_id | network.session_id |
| src | principal.ip, principal.hostname, principal.labels.key/value (deprecated) |
| src_bunit | principal.labels.key/value (deprecated), additional.fields |
| src_category | principal.labels.key/value (deprecated), additional.fields |
| src_interface | principal.labels.key/value (deprecated), additional.fields |
| src_ip | principal.ip |
| src_mac | principal.mac |
| src_port | principal.port |
| src_priority | principal.labels.key/value (deprecated), additional.fields |
| src_translated_ip | principal.nat_ip |
| src_translated_port | principal.nat_port |
| src_zone | principal.location.country_or_origin |
| ssid | about.labels.key/value (deprecated), additional.fields |
| tag | about.labels.key/value (deprecated), additional.fields |
| tcp_flag | about.labels.key/value (deprecated), additional.fields |
| transport | network.ip_protocol |
| tos | about.labels.key/value (deprecated), additional.fields |
| ttl | network.dns.additional.ttl |
| user | principal.user.userid |
| user_bunit | about.labels.key/value (deprecated), additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_account | about.labels.key/value (deprecated), additional.fields |
| vendor_product | about.labels.key/value (deprecated), additional.fields |
| vlan | about.labels.key/value (deprecated), additional.fields |
| wifi | about.labels.key/value (deprecated), additional.fields |

All_Performance

The following table lists the log fields of the Splunk dataset All_Performance and their corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| dest | target.ip, target.hostname, target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated), additional.fields |
| dest_category | target.labels.key/value (deprecated), additional.fields |
| dest_priority | target.labels.key/value (deprecated), additional.fields |
| dest_should_timesync | target.labels.key/value (deprecated), additional.fields |
| dest_should_update | target.labels.key/value (deprecated), additional.fields |
| hypervisor_id | about.labels.key/value (deprecated), additional.fields |
| resource_type | about.labels.key/value (deprecated), additional.fields |
| tag | about.labels.key/value (deprecated), additional.fields |

Facilities

The following table lists the log fields of the Splunk dataset Facilities and their corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| fan_speed | about.labels.key/value (deprecated), additional.fields |
| power | about.labels.key/value (deprecated), additional.fields |
| temperature | about.labels.key/value (deprecated), additional.fields |

Timesync

The following table lists the log fields of the Splunk dataset Timesync and their corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| action | security_result.action_details, security_result.action |

Uptime

The following table lists the log fields of the Splunk dataset Uptime and their corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| uptime | about.labels.key/value (deprecated), additional.fields |

View_Activity

The following table lists the log fields of the Splunk dataset View_Activity and their corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| app | target.application |
| spent | about.labels.key/value (deprecated), additional.fields |
| uri | about.labels.key/value (deprecated), additional.fields |
| user | principal.user.user_display_name |
| view | about.labels.key/value (deprecated), additional.fields |

Datamodel_Acceleration

The following table lists the log fields of the Splunk dataset Datamodel_Acceleration and their corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| access_count | about.labels.key/value (deprecated), additional.fields |
| access_time | about.labels.key/value (deprecated), additional.fields |
| app | target.application |
| buckets | about.labels.key/value (deprecated), additional.fields |
| buckets_size | about.labels.key/value (deprecated), additional.fields |
| complete | about.labels.key/value (deprecated), additional.fields |
| cron | about.labels.key/value (deprecated), additional.fields |
| datamodel | about.labels.key/value (deprecated), additional.fields |
| digest | about.labels.key/value (deprecated), additional.fields |
| earliest | about.labels.key/value (deprecated), additional.fields |
| is_inprogress | about.labels.key/value (deprecated), additional.fields |
| last_error | about.labels.key/value (deprecated), additional.fields |
| last_sid | about.labels.key/value (deprecated), additional.fields |
| latest | about.labels.key/value (deprecated), additional.fields |
| mod_time | about.labels.key/value (deprecated), additional.fields |
| retention | about.labels.key/value (deprecated), additional.fields |
| size | about.file.size |
| summary_id | about.labels.key/value (deprecated), additional.fields |

Search_Activity

The following table lists the log fields of the Splunk dataset Search_Activity and their corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| host | about.hostname |
| info | about.labels.key/value (deprecated), additional.fields |
| search | about.labels.key/value (deprecated), additional.fields |
| search_et | about.labels.key/value (deprecated), additional.fields |
| search_lt | about.labels.key/value (deprecated), additional.fields |
| search_type | about.labels.key/value (deprecated), additional.fields |
| source | principal.labels.key/value (deprecated), additional.fields |
| sourcetype | principal.labels.key/value (deprecated), additional.fields |
| user | principal.user.user_display_name |
| user_bunit | about.labels.key/value (deprecated), additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |

Scheduler_Activity

The following table lists the log fields of the Splunk dataset Scheduler_Activity and their corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| app | target.application |
| host | about.hostname |
| savedsearch_name | about.labels.key/value (deprecated), additional.fields |
| sid | about.labels.key/value (deprecated), additional.fields |
| source | principal.labels.key/value (deprecated), additional.fields |
| sourcetype | principal.labels.key/value (deprecated), additional.fields |
| splunk_server | principal.ip, principal.hostname |
| status | security_result.summary |
| user | principal.user.user_display_name |

Web_Service_Errors

The following table lists the log fields of the Splunk dataset Web_Service_Errors and their corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| host | about.hostname |
| source | principal.labels.key/value (deprecated), additional.fields |
| sourcetype | principal.labels.key/value (deprecated), additional.fields |
| event_id | security_result.rule_name |

Modular_Actions

The following table lists the log fields of the Splunk dataset Modular_Actions and their corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| action_mode | about.labels.key/value (deprecated), additional.fields |
| action_status | about.labels.key/value (deprecated), additional.fields |
| app | target.application |
| duration | network.session_duration |
| component | about.labels.key/value (deprecated), additional.fields |
| orig_rid | about.labels.key/value (deprecated), additional.fields |
| orig_sid | about.labels.key/value (deprecated), additional.fields |
| rid | about.labels.key/value (deprecated), additional.fields |
| search_name | about.labels.key/value (deprecated), additional.fields |
| action_name | security_result.action_details |
| signature | metadata.description |
| sid | about.labels.key/value (deprecated), additional.fields |
| user | about.labels.key/value (deprecated), additional.fields |

All_Ticket_Management

The following table lists the log fields of the Splunk dataset All_Ticket_Management and their corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| affect_dest | target.labels.key/value (deprecated), additional.fields |
| comments | about.labels.key/value (deprecated), additional.fields |
| description | security_result.description |
| dest | target.ip, target.hostname, target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated), additional.fields |
| dest_category | target.labels.key/value (deprecated), additional.fields |
| dest_priority | target.labels.key/value (deprecated), additional.fields |
| priority | security_result.priority_details |
| severity | security_result.severity |
| severity_id | about.labels.key/value (deprecated), additional.fields |
| splunk_id | about.labels.key/value (deprecated), additional.fields |
| splunk_realm | about.labels.key/value (deprecated), additional.fields |
| src_user | principal.user.user_display_name |
| src_user_bunit | principal.labels.key/value (deprecated), additional.fields |
| src_user_category | principal.labels.key/value (deprecated), additional.fields |
| src_user_priority | principal.labels.key/value (deprecated), additional.fields |
| status | security_result.summary |
| tag | about.labels.key/value (deprecated), additional.fields |
| ticket_id | target.user.attribute.label.key/value |
| time_submitted | principal.user.attribute.creation_time |
| user | principal.user.user_display_name |
| user_bunit | about.labels.key/value (deprecated), additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |

Change

The following table lists the log fields of the Splunk dataset Change and their corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| change | about.labels.key/value (deprecated), additional.fields |

Incident

The following table lists the log fields of the Splunk dataset Incident and their corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| incident | about.labels.key/value (deprecated), additional.fields |

Problem

The following table lists the log fields of the Splunk dataset Problem and their corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| problem | about.labels.key/value (deprecated), additional.fields |

Updates

The following table lists the log fields of the Splunk dataset Updates and their corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| dest | target.ip, target.hostname, target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated), additional.fields |
| dest_category | target.labels.key/value (deprecated), additional.fields |
| dest_priority | target.labels.key/value (deprecated), additional.fields |
| dest_should_update | target.labels.key/value (deprecated), additional.fields |
| dvc | principal.asset.hostname, principal.asset.ip |
| file_hash | target.file.sha256, target.file.md5, target.file.sha1 |
| file_name | about.labels.key/value (deprecated), additional.fields |
| severity | security_result.severity |
| severity_id | about.labels.key/value (deprecated), additional.fields |
| signature | metadata.description |
| signature_id | metadata.product_event_type |
| status | security_result.summary |
| tag | about.labels.key/value (deprecated), additional.fields |
| vendor_product | about.labels.key/value (deprecated), additional.fields |

Vulnerabilities

The following table lists the log fields of the Splunk dataset Vulnerabilities and their corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| bugtraq | about.labels.key/value (deprecated), additional.fields |
| category | security_result.category_details |
| cert | about.labels.key/value (deprecated), additional.fields |
| cve | vulnerabilites.cve_description |
| cvss | vulnerabilites.cvss_base_score |
| dest | target.ip, target.hostname, target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated), additional.fields |
| dest_category | target.labels.key/value (deprecated), additional.fields |
| dest_priority | target.labels.key/value (deprecated), additional.fields |
| dvc | principal.asset.hostname, principal.asset.ip |
| dvc_bunit | about.labels.key/value (deprecated), additional.fields |
| dvc_category | about.labels.key/value (deprecated), additional.fields |
| dvc_priority | about.labels.key/value (deprecated), additional.fields |
| msft | about.labels.key/value (deprecated), additional.fields |
| mskb | about.labels.key/value (deprecated), additional.fields |
| severity | extensions.vulns.vulnerabilites.severity |
| severity_id | about.labels.key/value (deprecated), additional.fields |
| signature | metadata.description |
| signature_id | metadata.product_event_type |
| tag | about.labels.key/value (deprecated), additional.fields |
| url | extensions.vulns.vulnerabilites.about.url |
| user | extensions.vulns.vulnerabilites.about.user.user_display_name |
| user_bunit | about.labels.key/value (deprecated), additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value (deprecated), additional.fields |
| xref | about.labels.key/value (deprecated), additional.fields |

Web

The following table lists the log fields of the Splunk dataset Web and their corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| action | security_result.action_details, security_result.action |
| app | target.application |
| bytes | about.labels.key/value (deprecated), additional.fields |
| bytes_in | network.received_bytes |
| bytes_out | network.sent_bytes |
| cached | about.labels.key/value (deprecated), additional.fields |
| category | security_result.category_details |
| cookie | about.labels.key/value (deprecated), additional.fields |
| dest | target.ip, target.hostname, target.labels.key/value (deprecated) |
| dest_bunit | target.labels.key/value (deprecated), additional.fields |
| dest_category | target.labels.key/value (deprecated), additional.fields |
| dest_priority | target.labels.key/value (deprecated), additional.fields |
| dest_port | target.port |
| duration | network.session_duration |
| http_content_type | about.labels.key/value (deprecated), additional.fields |
| http_method | network.http.method |
| http_referrer | network.http.referral_url |
| http_referrer_domain | about.labels.key/value (deprecated), additional.fields |
| http_user_agent | network.http.user_agent |
| http_user_agent_length | about.labels.key/value (deprecated), additional.fields |
| response_time | about.labels.key/value (deprecated), additional.fields |
| site | about.labels.key/value (deprecated), additional.fields |
| src | principal.ip, principal.hostname, principal.labels.key/value (deprecated) |
| src_bunit | principal.labels.key/value (deprecated), additional.fields |
| src_category | principal.labels.key/value (deprecated), additional.fields |
| src_priority | principal.labels.key/value (deprecated), additional.fields |
| status | network.http.response_code |
| tag | about.labels.key/value (deprecated), additional.fields |
| uri_path | about.labels.key/value (deprecated), additional.fields |
| uri_query | about.labels.key/value (deprecated), additional.fields |
| url | about.url |
| url_domain | about.asset.network_domain |
| url_length | about.labels.key/value (deprecated), additional.fields |
| user | principal.user.user_display_name |
| user_bunit | about.labels.key/value (deprecated), additional.fields |
| user_category | principal.user.attribute.labels.key/value |
| user_priority | principal.user.attribute.label.key/value |
| vendor_product | about.labels.key/value (deprecated), additional.fields |

UDM event types

The following table lists the Splunk tags and their corresponding UDM event types:

| Data model | Splunk tag | UDM event type |
|---|---|---|
| Alerts | alert | STATUS_UPDATE |
| Authentication | authentication | USER_UNCATEGORIZED |
| Certificates | certificate | NETWORK_UNCATEGORIZED |
| Change | change | SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Data Access | data, access | USER_RESOURCE_ACCESS |
| Databases | database | USER_RESOURCE_ACCESS |
| Databases | database, instance, stats | STATUS_UPDATE |
| Databases | database, instance, status | STATUS_UPDATE |
| Databases | database, instance, lock | STATUS_UPDATE |
| Databases | database, query | STATUS_UPDATE |
| Databases | database, query, tablespace | STATUS_UPDATE |
| Databases | database, query, stats | STATUS_UPDATE |
| Data Loss Prevention | dlp, incident | SCAN_UNCATEGORIZED |
| Email | email | EMAIL_UNCATEGORIZED |
| Email | email, delivery | EMAIL_TRANSACTION |
| Endpoint | listening, port | SERVICE_UNSPECIFIED |
| Endpoint | process, report | PROCESS_UNCATEGORIZED |
| Endpoint | service, report | SERVICE_UNSPECIFIED |
| Endpoint | endpoint, filesystem | FILE_UNCATEGORIZED |
| Endpoint | endpoint, registry | REGISTRY_UNCATEGORIZED |
| Event Signatures | track_event_signature | STATUS_UPDATE |
| Interprocess Messaging | messaging | STATUS_UPDATE |
| Intrusion Detection | ids, attack | SERVICE_UNSPECIFIED |
| Inventory | inventory | SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Java Virtual Machines (JVM) | jvm | SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Malware | malware | STATUS_UPDATE |
| Network Resolution (DNS) | network, resolution, dns | NETWORK_DNS |
| Network Sessions | network, session | NETWORK_CONNECTION |
| Network Sessions | network, session, dhcp | NETWORK_DHCP |
| Network Traffic | network, communicate | NETWORK_CONNECTION |
| Performance | performance | SERVICE_UNSPECIFIED |
| Splunk Audit Logs | modaction | STATUS_UPDATE |
| Ticket Management | ticketing | STATUS_UPDATE |
| Ticket Management | ticketing, change | STATUS_UPDATE |
| Updates | update | STATUS_UPDATE |
| Vulnerabilities | report, vulnerability | SCAN_UNCATEGORIZED |
| Web | web | NETWORK_UNCATEGORIZED |

What's next