{ "modelName": "Malware", "displayName": "Malware", "description": "Malware Data Model", "editable": false, "objects": [ { "comment": { "tags": [ "malware", "attack" ] }, "objectName": "Malware_Attacks", "displayName": "Malware Attacks", "parentName": "BaseEvent", "fields": [ { "comment": { "description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.", "ta_relevant": false }, "fieldName": "dest_bunit", "displayName": "dest_bunit", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.", "ta_relevant": false }, "fieldName": "dest_category", "displayName": "dest_category", "type": "string", "fieldSearch": "", "required": false, "multivalue": true, "hidden": false }, { "comment": { "description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.", "ta_relevant": false }, "fieldName": "dest_priority", "displayName": "dest_priority", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.", "ta_relevant": false }, "fieldName": "dest_requires_av", "displayName": "dest_requires_av", "type": "boolean", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "The hash of the file with suspected malware." }, "fieldName": "file_hash", "displayName": "file_hash", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "The name of the file with suspected malware." }, "fieldName": "file_name", "displayName": "file_name", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "The full file path of the file with suspected malware." }, "fieldName": "file_path", "displayName": "file_path", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "The numeric or vendor specific severity indicator corresponding to the event severity." }, "fieldName": "severity_id", "displayName": "severity_id", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "The unique identifier or event code of the event signature." }, "fieldName": "signature_id", "displayName": "signature_id", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "The source of the endpoint event, such as a DAT file relay server. You can alias this from more specific fields, such as src_host, src_ip, or src_name." }, "fieldName": "src", "displayName": "src", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "The business unit of the source.", "ta_relevant": false }, "fieldName": "src_bunit", "displayName": "src_bunit", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "The category of the source.", "ta_relevant": false }, "fieldName": "src_category", "displayName": "src_category", "type": "string", "fieldSearch": "", "required": false, "multivalue": true, "hidden": false }, { "comment": { "description": "The priority of the source.", "ta_relevant": false }, "fieldName": "src_priority", "displayName": "src_priority", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "The reported sender of an email-based attack." }, "fieldName": "src_user", "displayName": "src_user", "type": "string", "fieldSearch": "", "required": false, "multivalue": true, "hidden": false }, { "comment": { "description": "This automatically generated field is used to access tags from within data models. Add-on builders do not need to populate it.", "ta_relevant": false }, "fieldName": "tag", "displayName": "tag", "type": "string", "fieldSearch": "", "required": false, "multivalue": true, "hidden": false }, { "comment": { "description": "A URL containing more information about the vulnerability." }, "fieldName": "url", "displayName": "url", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.", "ta_relevant": false }, "fieldName": "user_bunit", "displayName": "user_bunit", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.", "ta_relevant": false }, "fieldName": "user_category", "displayName": "user_category", "type": "string", "fieldSearch": "", "required": false, "multivalue": true, "hidden": false }, { "comment": { "description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.", "ta_relevant": false }, "fieldName": "user_priority", "displayName": "user_priority", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false } ], "calculations": [ { "calculationID": "Malware_Attacks_fillnull_action", "calculationType": "Eval", "outputFields": [ { "comment": { "description": "The action taken by the reporting device.", "expected_values": [ "allowed", "blocked", "deferred" ], "recommended": true }, "fieldName": "action", "displayName": "action", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false } ], "expression": "if(isnull(action) OR action=\"\",\"unknown\",action)" }, { "calculationID": "Malware_Attacks_fillnull_category", "calculationType": "Eval", "outputFields": [ { "comment": { "description": "The category of the malware event, such as keylogger or ad-supported program. Note: This is a string value. Use category_id for category ID fields that are integer data types. The category_id field is optional, so it is not included in the data model.", "recommended": true }, "fieldName": "category", "displayName": "category", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false } ], "expression": "if(isnull(category) OR category=\"\",\"unknown\",category)" }, { "calculationID": "Malware_Attacks_date", "calculationType": "Eval", "outputFields": [ { "comment": { "description": "The date of the malware event.", "recommended": true }, "fieldName": "date", "displayName": "date", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false } ], "expression": "strftime(_time, \"%m-%d-%Y\")" }, { "calculationID": "Malware_Attacks_fillnull_dest", "calculationType": "Eval", "outputFields": [ { "comment": { "description": "The system that was affected by the malware event. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name.", "recommended": true }, "fieldName": "dest", "displayName": "dest", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false } ], "expression": "if(isnull(dest) OR dest=\"\",\"unknown\",dest)" }, { "calculationID": "Malware_Attacks_fillnull_dest_nt_domain", "calculationType": "Eval", "outputFields": [ { "comment": { "description": "The NT domain of the destination, if applicable.", "recommended": true }, "fieldName": "dest_nt_domain", "displayName": "dest_nt_domain", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false } ], "expression": "if(isnull(dest_nt_domain) OR dest_nt_domain=\"\",\"unknown\",dest_nt_domain)" }, { "calculationID": "Malware_Attacks_fillnull_severity", "calculationType": "Eval", "outputFields": [ { "comment": { "description": "The severity of the network protection event. Note: This field is a string. Use severity_id for severity ID fields that are integer data types. The severity_id field is optional, so it is not included in the model. Also, specific values are required for this field. Use vendor_severity for the vendor's own human readable severity strings, such as Good, Bad, and Really Bad.", "expected_values": [ "critical", "high", "medium", "low", "informational" ], "recommended": true }, "fieldName": "severity", "displayName": "severity", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false } ], "expression": "if(isnull(severity) OR severity=\"\",\"unknown\",severity)" }, { "calculationID": "Malware_Attacks_fillnull_signature", "calculationType": "Eval", "outputFields": [ { "comment": { "description": "The name of the malware infection detected on the client (the dest), such as Trojan.Vundo, Spyware.Gaobot, and W32.Nimbda. Note: This is a string value. Use signature_id for signature ID fields that are integer data types. The signature_id field is optional, so it is not included in the data model.", "recommended": true }, "fieldName": "signature", "displayName": "signature", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false } ], "expression": "if(isnull(signature) OR signature=\"\",\"unknown\",signature)" }, { "calculationID": "Malware_Attacks_fillnull_user", "calculationType": "Eval", "outputFields": [ { "comment": { "description": "The user involved in the malware event.", "recommended": true }, "fieldName": "user", "displayName": "user", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false } ], "expression": "if(isnull(user) OR user=\"\",\"unknown\",user)" }, { "calculationID": "Malware_Attacks_vendor_product", "calculationType": "Eval", "outputFields": [ { "comment": { "description": "The vendor and product name of the endpoint protection system, such as Symantec AntiVirus. This field can be automatically populated by vendor and product fields in your data.", "recommended": true }, "fieldName": "vendor_product", "displayName": "vendor_product", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false } ], "expression": "case(isnotnull(vendor_product),vendor_product,isnotnull(vendor) AND vendor!=\"unknown\" AND isnotnull(product) AND product!=\"unknown\",vendor.\" \".product,isnotnull(vendor) AND vendor!=\"unknown\" AND (isnull(product) OR product=\"unknown\"),vendor.\" unknown\",(isnull(vendor) OR vendor=\"unknown\") AND isnotnull(product) AND product!=\"unknown\",\"unknown \".product,isnotnull(sourcetype),sourcetype,1=1,\"unknown\")" } ], "constraints": [ { "search": "(`cim_Malware_indexes`) tag=malware tag=attack" } ], "children": [ ] }, { "comment": { "tags": [ "malware", "attack" ] }, "objectName": "Allowed_Malware", "displayName": "Allowed Malware", "parentName": "Malware_Attacks", "fields": [ ], "calculations": [ ], "constraints": [ { "search": "action=\"allowed\"" } ], "children": [ ] }, { "comment": { "tags": [ "malware", "attack" ] }, "objectName": "Blocked_Malware", "displayName": "Blocked Malware", "parentName": "Malware_Attacks", "fields": [ ], "calculations": [ ], "constraints": [ { "search": "action=\"blocked\"" } ], "children": [ ] }, { "comment": { "tags": [ "malware", "attack" ] }, "objectName": "Deferred_Malware", "displayName": "Quarantined Malware", "parentName": "Malware_Attacks", "fields": [ ], "calculations": [ ], "constraints": [ { "search": "action=\"deferred\"" } ], "children": [ ] }, { "comment": { "tags": [ "malware", "operations" ] }, "objectName": "Malware_Operations", "displayName": "Malware Operations", "parentName": "BaseSearch", "fields": [ { "comment": { "description": "The event timestamp expressed in Unix time.", "ta_relevant": false }, "fieldName": "_time", "displayName": "_time", "type": "timestamp", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.", "ta_relevant": false }, "fieldName": "dest_bunit", "displayName": "dest_bunit", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.", "ta_relevant": false }, "fieldName": "dest_category", "displayName": "dest_category", "type": "string", "fieldSearch": "", "required": false, "multivalue": true, "hidden": false }, { "comment": { "description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.", "ta_relevant": false }, "fieldName": "dest_priority", "displayName": "dest_priority", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.", "ta_relevant": false }, "fieldName": "dest_requires_av", "displayName": "dest_requires_av", "type": "boolean", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "The product version of the malware operations product.", "recommended": true }, "fieldName": "product_version", "displayName": "product_version", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "The version of the malware signature bundle in a signature update operations event.", "recommended": true }, "fieldName": "signature_version", "displayName": "signature_version", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "This automatically generated field is used to access tags from within data models. Add-on builders do not need to populate it.", "ta_relevant": false }, "fieldName": "tag", "displayName": "tag", "type": "string", "fieldSearch": "", "required": false, "multivalue": true, "hidden": false } ], "calculations": [ { "calculationID": "Malware_Operations_fillnull_dest", "calculationType": "Eval", "outputFields": [ { "comment": { "description": "The system where the malware operations event occurred.", "recommended": true }, "fieldName": "dest", "displayName": "dest", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false } ], "expression": "if(isnull(dest) OR dest=\"\",\"unknown\",dest)" }, { "calculationID": "Malware_Operations_fillnull_dest_nt_domain", "calculationType": "Eval", "outputFields": [ { "comment": { "description": "The NT domain of the dest system, if applicable.", "recommended": true }, "fieldName": "dest_nt_domain", "displayName": "dest_nt_domain", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false } ], "expression": "if(isnull(dest_nt_domain) OR dest_nt_domain=\"\",\"unknown\",dest_nt_domain)" }, { "calculationID": "Malware_Operations_vendor_product", "calculationType": "Eval", "outputFields": [ { "comment": { "description": "The vendor product name of the malware operations product.", "recommended": true }, "fieldName": "vendor_product", "displayName": "vendor_product", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false } ], "expression": "case(isnotnull(vendor_product),vendor_product,isnotnull(vendor) AND vendor!=\"unknown\" AND isnotnull(product) AND product!=\"unknown\",vendor.\" \".product,isnotnull(vendor) AND vendor!=\"unknown\" AND (isnull(product) OR product=\"unknown\"),vendor.\" unknown\",(isnull(vendor) OR vendor=\"unknown\") AND isnotnull(product) AND product!=\"unknown\",\"unknown \".product,isnotnull(sourcetype),sourcetype,1=1,\"unknown\")" } ], "constraints": [ ], "baseSearch": "(`cim_Malware_indexes`) tag=malware tag=operations | tags outputfield=tag", "children": [ ] } ] }