Data models used by ES
Splunk Enterprise Security leverages many of the data models in the Splunk Common Information Model. See Overview of the Common Information Model in the Common Information Model Add-on Manual for an introduction to these data models and full reference information about the fields and tags they use.
In addition to the data models available as part of the Common Information Model add-on, Splunk Enterprise Security implements and uses custom data models.
- Assets and Identities
- Domain Analysis
- Incident Management
- Risk Analysis
- Threat Intelligence
- User and Entity Behavior Analytics
See Configure data models in the Installation and Upgrade Manual for information about how Splunk Enterprise Security accelerates and uses both CIM and custom data models.
Assets and Identities
The fields in the Assets and Identities (Identity_Management) data model describe data generated by the asset and identity framework in Enterprise Security. This data model does not employ any tags.
Dataset name | Field name | Data type | Description |
---|---|---|---|
All_Assets | For a list of extracted fields, see Asset lookup fields in the Enterprise Security User manual. | ||
All_Identities | For a list of extracted fields, see Identity lookup fields in the Enterprise Security User manual. | ||
All_Identities | employedDays | number | A calculated field based upon the identity startDate field. |
All_Identities | expiredDays | number | A calculated field based upon the identity endDate field. |
Expired_Identity_Activity | src_user | string | The source user name. |
Expired_Identity_Activity | src_user_endDate | time | The source identity's end date. |
Expired_Identity_Activity | user | string | The source user name. |
Expired_Identity_Activity | user_endDate | time | The source identity's end date. |
Domain Analysis
The fields in the Domain Analysis data model describe data generated by the WHOIS modular input. This data model does not employ any tags.
Dataset name | Field name | Data type | Description |
---|---|---|---|
All_Domains | created | time | The date when the domain was registered. |
All_Domains | expires | time | The date when the domain will expire. |
All_Domains | retrieved | time | The date when the domain information was retrieved. |
All_Domains | tag | string | Tags associated with the domain analysis events. |
All_Domains | updated | time | The date when the domain registration was updated. |
All_Domains | domain | string | The domain or IP that was scanned. |
All_Domains | nameservers | string | The list of authoritative name servers for the domain. |
All_Domains | registrant | string | The name of the organization or individual that registered the domain name with the registrar. |
All_Domains | registrar | string | The name of the organization or individual that maintains the domain name registration. |
All_Domains | resolved_domain | string | The domain name that a scanned IP address resolved to. |
Incident Management
The fields in the Incident Management data model describe data generated by the notable event framework in Enterprise Security. This data model does not employ any tags.
Dataset name | Field name | Data type | Description |
---|---|---|---|
Notable_Events_Meta | tag | string | Splunk tags associated with the notable event. |
Notable_Events_Meta | rule_id | string | The rule_id of the notable event. |
Notable_Events_Meta | orig_tag | string | Splunk tags associated with the original events that contributed to the notable event. |
Notable_Events | owner | string | The Splunk ID of the owner of the notable event. |
Notable_Events | owner_realname | string | The real name of the owner of the notable event in Enterprise Security. |
Notable_Events | rule_name | string | The rule name of the notable event. |
Notable_Events | security_domain | string | The security domain of the notable event. |
Notable_Events | status | string | The status id of the notable event. |
Notable_Events | status_group | string | The status group of the notable event. |
Notable_Events | tag | string | Splunk tags associated with the notable event. |
Notable_Events | urgency | string | The urgency of the notable event. |
Notable_Events | dest | string | The dest of the notable event. |
Notable_Events | src | string | The src of the notable event. |
Suppressed_Notable_Events | rule_name | string | The rule_name of the suppressed notable event. |
Suppressed_Notable_Events | security_domain | string | The security_domain of the suppressed notable event. |
Suppressed_Notable_Events | suppression | string | The name of the suppression that suppressed this notable event. |
Suppressed_Notable_Events | tag | string | Splunk tags associated with the suppressed notable event. |
Suppressed_Notable_Events | urgency | string | The urgency of the notable event. |
Suppressed_Notable_Events | dest | string | The dest of the notable event. |
Suppressed_Notable_Events | src | string | The src of the notable event. |
Incident_Review | comment | string | The review comment. |
Incident_Review | owner | string | The owner of the notable event. |
Incident_Review | reviewer | string | The reviewer of the notable event. |
Incident_Review | rule_id | string | The rule_id of the notable event. |
Incident_Review | security_domain | string | The security domain of the notable event. |
Incident_Review | status | string | The status of the notable event. |
Incident_Review | status_group | string | The status_group of the notable event. |
Incident_Review | tag | string | The Splunk tags associated with the notable event. |
Incident_Review | urgency | string | The urgency of the notable event. |
Correlation_ | See correlationsearches.conf.spec for descriptions of these fields. | ||
Correlation_ | owner | string | The Splunk user ID of a potential notable owner. |
Correlation_ | owner_realname | string | The real name of a potential notable event owner in Enterprise Security. |
Correlation_ | See reviewstatuses.conf.spec for descriptions of these fields. | ||
Correlation_ | is_enabled | boolean | Whether or not the security domain is enabled. |
Correlation_ | is_expected | boolean | Whether or not the security domain is expected. |
Correlation_ | is_ignored | boolean | Whether or not the security domain is ignored. |
Correlation_ | security_domain | string | The security domain label. |
Correlation_ | priority | string | The priority of the notable event. |
Correlation_ | severity | string | The severity of the notable event. |
Correlation_ | urgency | string | The urgency of the notable event, calculated based on the priority and severity. |
Notable_ | action | string | The action performed on the suppression (enable/disable). |
Notable_ | signature | string | The signature of the suppression audit event. |
Notable_ | status | string | The status of the suppression audit event (success/failure). |
Notable_ | suppression | string | The name of the suppression. |
Notable_ | user | string | The user who performed the CRUD operation on suppression. |
Notable_ | signature | string | The signature of the suppression audit event. |
Notable_ | suppression | string | The name of the suppression. |
Notable_ | start_time | time | The start time of the suppression. |
Notable_ | end_time | time | The end time of the suppression. |
Notable_ | description | string | The description of the suppression. |
Notable_ | disabled | boolean | Whether the suppression is enabled or disabled. |
Notable_ | search | string | The notable event suppression search. |
Notable_ | suppression | string | The notable event suppression name. |
Risk Analysis
The fields in the Risk Analysis data model describe data generated by the risk framework in Enterprise Security. This data model does not employ any tags.
Dataset name | Field name | Data type | Description |
---|---|---|---|
All_Risk | annotations | string | If you are using security framework annotations, this field is automatically provided by correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. |
All_Risk | annotations._all | string | If you are using security framework annotations, this field is automatically provided by correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. |
All_Risk | annotations._frameworks | string | If you are using security framework annotations, this field is automatically provided by correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. |
All_Risk | annotations.cis20 | string | If you are using security framework annotations, this field is automatically provided by correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. |
All_Risk | annotations.kill_chain_phases | string | If you are using security framework annotations, this field is automatically provided by correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. |
All_Risk | annotations.mitre_attack | string | If you are using security framework annotations, this field is automatically provided by correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. |
All_Risk | annotations.mitre_attack.mitre_description | string | If you are using security framework annotations, this field is automatically provided by correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. |
All_Risk | annotations.mitre_attack.mitre_detection | string | If you are using security framework annotations, this field is automatically provided by correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. |
All_Risk | annotations.mitre_attack.mitre_tactic | string | If you are using security framework annotations, this field is automatically provided by correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. |
All_Risk | annotations.mitre_attack.mitre_tactic_id | string | If you are using security framework annotations, this field is automatically provided by correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. |
All_Risk | annotations.mitre_attack.mitre_technique | string | If you are using security framework annotations, this field is automatically provided by correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. |
All_Risk | annotations.mitre_attack.mitre_technique_id | string | If you are using security framework annotations, this field is automatically provided by correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. |
All_Risk | annotations.mitre_attack.mitre_threat_group_name | string | If you are using security framework annotations, this field is automatically provided by correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. |
All_Risk | annotations.nist | string | If you are using security framework annotations, this field is automatically provided by correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. |
All_Risk | calculated_risk_score | number | The expression that combines the risk_score, risk_factor_add, and risk_factor_mult fields into a total score. This is derived from the fields in the data model. |
All_Risk | control | string | The value is assigned with PCI-specific risk base searches. For example, control=1.2.3 for the search of PCI - 1.2.3 - Unauthorized Wireless Device Detected - Rule. |
All_Risk | creator | string | If the modifier was created ad-hoc, this is the Splunk user ID that created the modifier. |
All_Risk | description | string | The description of the risk modifier as specified by the creator or the saved search. |
All_Risk | dest | string | The object that is the target of the risk event. |
All_Risk | dest_bunit | string | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. |
All_Risk | dest_category | string | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. |
All_Risk | dest_priority | string | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. |
All_Risk | governance | string | The value is assigned with PCI-specific risk base searches. For example, governance=pci for the search of PCI - 1.2.3 - Unauthorized Wireless Device Detected - Rule. |
All_Risk | risk_factor_add | number | The expression that calculates the addition for risk factors. |
All_Risk | risk_factor_add_matched | number | The human readable names of the risk factors that matched for the risk_factor_add field. |
All_Risk | risk_factor_mult | number | The expression that calculates the multiplication for risk factors. |
All_Risk | risk_factor_mult_matched | number | The human readable names of the risk factors that matched for the risk_factor_mult field. |
All_Risk | risk_message | string | This field provides a way for customizing risk created from a search. |
All_Risk | risk_object | string | The object for which the risk modifier applies. |
All_Risk | risk_object_bunit | string | The business unit of the risk_object involved in the event, or who initiated the event. For authentication privilege escalation events this should represent the user targeted by the escalation. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. |
All_Risk | risk_object_category | string | The category of the risk_object involved in the event, or who initiated the event. For authentication privilege escalation events this should represent the user targeted by the escalation. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. |
All_Risk | risk_object_priority | string | The priority of the risk_object involved in the event, or who initiated the event. For authentication privilege escalation events, this should represent the user priority targeted by the escalation. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. |
All_Risk | risk_object_type | string | The type of object for which the risk modifier applies (system, user, other). |
All_Risk | risk_score | number | The risk score associated with the risk modifier. This is stored in the original risk event. |
All_Risk | savedsearch_description | string | Used for calculating the description field. |
All_Risk | src | string | The object that is the source of the risk event. |
All_Risk | src_bunit | string | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. |
All_Risk | src_category | string | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. |
All_Risk | src_priority | string | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. |
All_Risk | tag | string | Splunk tags associated with the risk modifiers. |
All_Risk | threat_object | string | The field in the search results that contains a potential indicator of compromise, such as a malicious process, file hash, url, domain, ip, command line, registry entry, and so on. |
All_Risk | threat_object_type | string | The category of threat object, which is typically the same type provided by the ES threat intelligence framework, such as file_hash, domain, ip, and so on. |
All_Risk | user | string | The user involved in the risk event. |
All_Risk | user_bunit | string | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. |
All_Risk | user_category | string | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. |
All_Risk | user_priority | string | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. |
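As an added example that is not part of this reference page, the following search reads the Risk Analysis fields listed above with tstats and aggregates them per risk object, which is the pattern a risk-based alerting correlation search follows. The data model name Risk, the drop_dm_object_name macro, and the threshold values are assumptions, not something this page states.

```spl
| tstats summariesonly=true allow_old_summaries=true
      sum(All_Risk.calculated_risk_score) as risk_score
      count as risk_event_count
      dc(source) as source_count
      values(All_Risk.threat_object) as threat_object
      values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id
      dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count
  from datamodel=Risk.All_Risk
  where All_Risk.risk_object_type="user"
  by All_Risk.risk_object, All_Risk.risk_object_type
| `drop_dm_object_name("All_Risk")`
| where risk_score >= 100 AND mitre_tactic_id_count >= 3
| sort - risk_score
```

The two thresholds (an aggregate risk_score of 100 and contributing events spanning three distinct MITRE ATT&CK tactics) are constructed values for illustration; tune them to the scoring your correlation searches actually produce.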
Threat Intelligence
The fields in the Threat Intelligence data model describe data generated by the threat intelligence framework in Enterprise Security. This data model does not employ any tags.
Dataset name | Field name | Data type | Description |
---|---|---|---|
Threat_Activity | dest_bunit | string | The destination asset business unit. |
Threat_Activity | dest_category | string | The destination asset category. |
Threat_Activity | dest_priority | string | The destination asset priority. |
Threat_Activity | src_bunit | string | The source asset business unit. |
Threat_Activity | src_category | string | The source asset category. |
Threat_Activity | src_priority | string | The source asset priority. |
Threat_Activity | threat_match_field | string | The name of the field for which Enterprise Security found a threat match. |
Threat_Activity | threat_match_value | string | The value Enterprise Security matched on. |
Threat_Activity | threat_collection | string | The collection of intelligence Enterprise Security matched on. |
Threat_Activity | threat_collection_key | string | The KV store key of the intelligence Enterprise Security matched on. |
Threat_Activity | threat_key | string | The key for the threat attribution associated with the intelligence Enterprise Security matched on. |
Threat_Activity | dest | string | The destination of the event that Enterprise Security matched on. |
Threat_Activity | orig_sourcetype | string | The original sourcetype of the event Enterprise Security matched on. |
Threat_Activity | src | string | The source of the event that Enterprise Security matched on. |
This data model also contains all of the fields in the threat intelligence KV store collections.
User and Entity Behavior Analytics
The fields in the User and Entity Behavior Analytics (UEBA) data model describe the data communicated by Splunk UBA for use in Enterprise Security. This data model does not employ any tags. To see this data model in your instance, enable SA-UEBA on the Manage Apps page in Splunk Web.
For more information, see About Splunk User Behavior Analytics.
Dataset name | Field name | Data type | Description |
---|---|---|---|
All_UEBA_Events | action | string | The recommended action to take in response to a threat in Splunk UBA. |
All_UEBA_Events | app | string | A multi-value attribute with the names of all the applications associated with the anomaly or threat. |
All_UEBA_Events | category | string | The category or categories associated with an anomaly. |
All_UEBA_Events | description | string | The long description of an anomaly. |
All_UEBA_Events | dvc | string | A multi-value attribute with the names of all devices associated with an anomaly or threat. |
All_UEBA_Events | link | string | The link to view the anomaly or threat in Splunk UBA. |
All_UEBA_Events | severity | string | The severity level of an anomaly or threat. Based on the risk score in Splunk UBA. |
All_UEBA_Events | severity_id | number | The severity id of an anomaly or threat. |
All_UEBA_Events | signature | string | The internal name of a threat or anomaly. |
All_UEBA_Events | threat_category | string | The category of a threat in Splunk UBA. |
All_UEBA_Events | uba_event_id | string | The internal id for an anomaly or threat in Splunk UBA. |
All_UEBA_Events | uba_event_type | string | An anomaly or threat. |
All_UEBA_Events | uba_host | string | The UBA host sending the threats and anomalies. |
All_UEBA_Events | url | string | A multi-value attribute with the names of all domains associated with an anomaly. |
All_UEBA_Events | user | string | A multi-value attribute with the names of all users associated with an anomaly. |
All_UEBA_Events | uba_time | time | The time the anomaly or threat was forwarded to Enterprise Security. |
All_UEBA_Events | modify_time | time | The time an anomaly or threat was last modified by Splunk UBA. |
All_UEBA_Events | start_time | time | The time an anomaly or threat was first identified by Splunk UBA. |
All_UEBA_Events.UEBA_Anomalies | uba_model | time | The name of the Splunk UBA model that detected the anomaly. |
All_UEBA_Events.UEBA_Anomalies | uba_model_version | string | The version of the Splunk UBA model that detected the anomaly. |