{ "modelName": "Endpoint", "displayName": "Endpoint", "description": "Endpoint Data Model", "editable": false, "objects": [ { "comment": { "tags": [ "listening", "port" ] }, "objectName": "Ports", "displayName": "Ports", "parentName": "BaseSearch", "fields": [ { "comment": { "description": "The time at which the network port started listening on the endpoint." }, "fieldName": "creation_time", "displayName": "creation_time", "type": "timestamp", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.", "ta_relevant": false }, "fieldName": "dest_bunit", "displayName": "dest_bunit", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.", "ta_relevant": false }, "fieldName": "dest_category", "displayName": "dest_category", "type": "string", "fieldSearch": "", "required": false, "multivalue": true, "hidden": false }, { "comment": { "description": "Network port listening on the endpoint, such as 53.", "recommended": true }, "fieldName": "dest_port", "displayName": "dest_port", "type": "number", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.", "ta_relevant": false }, "fieldName": "dest_priority", "displayName": "dest_priority", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.", "ta_relevant": false }, "fieldName": "dest_requires_av", "displayName": "dest_requires_av", "type": "boolean", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.", "ta_relevant": false }, "fieldName": "dest_should_timesync", "displayName": "dest_should_timesync", "type": "boolean", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.", "ta_relevant": false }, "fieldName": "dest_should_update", "displayName": "dest_should_update", "type": "boolean", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "The globally unique identifier of the process assigned by the vendor_product." }, "fieldName": "process_guid", "displayName": "process_guid", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "The numeric identifier of the process assigned by the operating system." }, "fieldName": "process_id", "displayName": "process_id", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.", "ta_relevant": false }, "fieldName": "src_bunit", "displayName": "src_bunit", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.", "ta_relevant": false }, "fieldName": "src_category", "displayName": "src_category", "type": "string", "fieldSearch": "", "required": false, "multivalue": true, "hidden": false }, { "comment": { "description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.", "ta_relevant": false }, "fieldName": "src_priority", "displayName": "src_priority", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.", "ta_relevant": false }, "fieldName": "src_requires_av", "displayName": "src_requires_av", "type": "boolean", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.", "ta_relevant": false }, "fieldName": "src_should_timesync", "displayName": "src_should_timesync", "type": "boolean", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.", "ta_relevant": false }, "fieldName": "src_should_update", "displayName": "src_should_update", "type": "boolean", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "The status of the listening port, such as established, listening, etc." }, "fieldName": "state", "displayName": "state", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "This automatically generated field is used to access tags from within data models. Add-on builders do not need to populate it.", "ta_relevant": false }, "fieldName": "tag", "displayName": "tag", "type": "string", "fieldSearch": "", "required": false, "multivalue": true, "hidden": false }, { "comment": { "description": "The network transport protocol associated with the listening port, such as tcp, udp, etc.", "recommended": true }, "fieldName": "transport", "displayName": "transport", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "Calculated as transport\/dest_port, such as tcp\/53.", "ta_relevant": false }, "fieldName": "transport_dest_port", "displayName": "transport_dest_port", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.", "ta_relevant": false }, "fieldName": "user_bunit", "displayName": "user_bunit", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.", "ta_relevant": false }, "fieldName": "user_category", "displayName": "user_category", "type": "string", "fieldSearch": "", "required": false, "multivalue": true, "hidden": false }, { "comment": { "description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.", "ta_relevant": false }, "fieldName": "user_priority", "displayName": "user_priority", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false } ], "calculations": [ { "calculationID": "Endpoint_Ports_fillnull_src", "calculationType": "Eval", "outputFields": [ { "comment": { "description": "The \"remote\" system connected to the listening port (if applicable).", "recommended": true }, "fieldName": "src", "displayName": "src", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false } ], "expression": "if(isnull(src) OR src=\"\",\"unknown\",src)" }, { "calculationID": "Endpoint_Ports_fillnull_src_port", "calculationType": "Eval", "outputFields": [ { "comment": { "description": "The \"remote\" port connected to the listening port (if applicable).", "recommended": true }, "fieldName": "src_port", "displayName": "src_port", "type": "number", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false } ], "expression": "if(isnum(src_port),src_port,0)" }, { "calculationID": "Endpoint_Ports_fillnull_dest", "calculationType": "Eval", "outputFields": [ { "comment": { "description": "The endpoint for which the port is listening on.", "recommended": true }, "fieldName": "dest", "displayName": "dest", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false } ], "expression": "if(isnull(dest) OR dest=\"\",\"unknown\",dest)" }, { "calculationID": "Endpoint_Ports_fillnull_user", "calculationType": "Eval", "outputFields": [ { "comment": { "description": "The user account associated with the listening port.", "recommended": true }, "fieldName": "user", "displayName": "user", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false } ], "expression": "if(isnull(user) OR user=\"\",\"unknown\",user)" }, { "calculationID": "Endpoint_Ports_vendor_product", "calculationType": "Eval", "outputFields": [ { "comment": { "description": "The vendor and product name of the Endpoint solution that reported the event, such as Carbon Black Cb Response. This field can be automatically populated by vendor and product fields in your data.", "recommended": true }, "fieldName": "vendor_product", "displayName": "vendor_product", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false } ], "expression": "case(isnotnull(vendor_product),vendor_product,isnotnull(vendor) AND vendor!=\"unknown\" AND isnotnull(product) AND product!=\"unknown\",vendor.\" \".product,isnotnull(vendor) AND vendor!=\"unknown\" AND (isnull(product) OR product=\"unknown\"),vendor.\" unknown\",(isnull(vendor) OR vendor=\"unknown\") AND isnotnull(product) AND product!=\"unknown\",\"unknown \".product,isnotnull(sourcetype),sourcetype,1=1,\"unknown\")" } ], "constraints": [ ], "baseSearch": "(`cim_Endpoint_indexes`) tag=listening tag=port | eval transport=if(isnull(transport) OR transport=\"\",\"unknown\",transport),dest_port=if(isnull(dest_port) OR dest_port=\"\",0,dest_port),transport_dest_port=mvzip(transport,dest_port,\"\/\") | mvexpand transport_dest_port", "children": [ ] }, { "comment": { "tags": [ "process", "report" ] }, "objectName": "Processes", "displayName": "Processes", "parentName": "BaseSearch", "fields": [ { "comment": { "description": "The action taken by the endpoint." }, "fieldName": "action", "displayName": "action", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "CPU load consumed by the process (in percent)." }, "fieldName": "cpu_load_percent", "displayName": "cpu_load_percent", "type": "number", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.", "ta_relevant": false }, "fieldName": "dest_bunit", "displayName": "dest_bunit", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.", "ta_relevant": false }, "fieldName": "dest_category", "displayName": "dest_category", "type": "string", "fieldSearch": "", "required": false, "multivalue": true, "hidden": false }, { "comment": { "description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.", "ta_relevant": false }, "fieldName": "dest_is_expected", "displayName": "dest_is_expected", "type": "boolean", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.", "ta_relevant": false }, "fieldName": "dest_priority", "displayName": "dest_priority", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.", "ta_relevant": false }, "fieldName": "dest_requires_av", "displayName": "dest_requires_av", "type": "boolean", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.", "ta_relevant": false }, "fieldName": "dest_should_timesync", "displayName": "dest_should_timesync", "type": "boolean", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.", "ta_relevant": false }, "fieldName": "dest_should_update", "displayName": "dest_should_update", "type": "boolean", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "Memory used by the process (in bytes)." }, "fieldName": "mem_used", "displayName": "mem_used", "type": "number", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "The operating system of the resource, such as Microsoft Windows Server 2008r2." }, "fieldName": "os", "displayName": "os", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "The executable name of the parent process." }, "fieldName": "parent_process_exec", "displayName": "parent_process_exec", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "The digest(s) of the parent process, such as , , etc." }, "fieldName": "parent_process_hash", "displayName": "parent_process_hash", "type": "string", "fieldSearch": "", "required": false, "multivalue": true, "hidden": false }, { "comment": { "description": "The numeric identifier of the parent process assigned by the operating system." }, "fieldName": "parent_process_id", "displayName": "parent_process_id", "type": "number", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "The globally unique identifier of the parent process assigned by the vendor_product." }, "fieldName": "parent_process_guid", "displayName": "parent_process_guid", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "The file path of the parent process, such as C:\\Windows\\System32\\notepad.exe." }, "fieldName": "parent_process_path", "displayName": "parent_process_path", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "The current working directory used to spawn the process." }, "fieldName": "process_current_directory", "displayName": "process_current_directory", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "The executable name of the process." }, "fieldName": "process_exec", "displayName": "process_exec", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "The digest(s) of the process, such as , , etc." }, "fieldName": "process_hash", "displayName": "process_hash", "type": "string", "fieldSearch": "", "required": false, "multivalue": true, "hidden": false }, { "comment": { "description": "The globally unique identifier of the process assigned by the vendor_product." }, "fieldName": "process_guid", "displayName": "process_guid", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "The numeric identifier of the process assigned by the operating system." }, "fieldName": "process_id", "displayName": "process_id", "type": "number", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "The integrity level of the process.", "expected_values": [ "system", "high", "medium", "low", "untrusted" ] }, "fieldName": "process_integrity_level", "displayName": "process_integrity_level", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "The file path of the process, such as C:\\Windows\\System32\\notepad.exe." }, "fieldName": "process_path", "displayName": "process_path", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "This automatically generated field is used to access tags from within data models. Add-on builders do not need to populate it.", "ta_relevant": false }, "fieldName": "tag", "displayName": "tag", "type": "string", "fieldSearch": "", "required": false, "multivalue": true, "hidden": false }, { "comment": { "description": "The unique identifier of the user account which spawned the process." }, "fieldName": "user_id", "displayName": "user_id", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.", "ta_relevant": false }, "fieldName": "user_bunit", "displayName": "user_bunit", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.", "ta_relevant": false }, "fieldName": "user_category", "displayName": "user_category", "type": "string", "fieldSearch": "", "required": false, "multivalue": true, "hidden": false }, { "comment": { "description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.", "ta_relevant": false }, "fieldName": "user_priority", "displayName": "user_priority", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false } ], "calculations": [ { "calculationID": "Endpoint_Processes_fillnull_dest", "calculationType": "Eval", "outputFields": [ { "comment": { "description": "The endpoint for which the process was spawned.", "recommended": true }, "fieldName": "dest", "displayName": "dest", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false } ], "expression": "if(isnull(dest) OR dest=\"\",\"unknown\",dest)" }, { "calculationID": "Endpoint_Processes_fillnull_loaded_file", "calculationType": "Eval", "outputFields": [ { "comment": { "description": "The file that was loaded.", "recommended": true }, "fieldName": "loaded_file", "displayName": "loaded_file", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false } ], "expression": "if(isnull(loaded_file) OR loaded_file=\"\",\"unknown\",loaded_file)" }, { "calculationID": "Endpoint_Processes_fillnull_original_file_name", "calculationType": "Eval", "outputFields": [ { "comment": { "description": "Original name of the file not including path.", "recommended": true }, "fieldName": "original_file_name", "displayName": "original_file_name", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false } ], "expression": "if(isnull(original_file_name) OR original_file_name=\"\",\"unknown\",original_file_name)" }, { "calculationID": "Endpoint_Processes_fillnull_parent_process", "calculationType": "Eval", "outputFields": [ { "comment": { "description": "The full command string of the parent process", "recommended": true }, "fieldName": "parent_process", "displayName": "parent_process", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false } ], "expression": "if(isnull(parent_process) OR parent_process=\"\",\"unknown\",parent_process)" }, { "calculationID": "Endpoint_Processes_fillnull_parent_process_name", "calculationType": "Eval", "outputFields": [ { "comment": { "description": "The friendly name of the parent process, such as notepad.exe.", "recommended": true }, "fieldName": "parent_process_name", "displayName": "parent_process_name", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false } ], "expression": "case(isnotnull(parent_process_name) AND parent_process_name!=\"\",parent_process_name,isnotnull(parent_process) AND parent_process!=\"\",replace(parent_process,\"^\\s*([^\\s]+).*\",\"\\1\"),1=1,\"unknown\")" }, { "calculationID": "Endpoint_Processes_fillnull_process", "calculationType": "Eval", "outputFields": [ { "comment": { "description": "The full command string of the spawned process. Such as C:\\WINDOWS\\system32\\cmd.exe \/c \"\"C:\\Program Files\\SplunkUniversalForwarder\\etc\\system\\bin\\powershell.cmd\" --scheme\"", "recommended": true }, "fieldName": "process", "displayName": "process", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false } ], "expression": "if(isnull(process) OR process=\"\",\"unknown\",process)" }, { "calculationID": "Endpoint_Processes_fillnull_process_name", "calculationType": "Eval", "outputFields": [ { "comment": { "description": "The friendly name of the process, such as notepad.exe.", "recommended": true }, "fieldName": "process_name", "displayName": "process_name", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false } ], "expression": "case(isnotnull(process_name) AND process_name!=\"\",process_name,isnotnull(process) AND process!=\"\",replace(process,\"^\\s*([^\\s]+).*\",\"\\1\"),1=1,\"unknown\")" }, { "calculationID": "Endpoint_Processes_fillnull_user", "calculationType": "Eval", "outputFields": [ { "comment": { "description": "The user account which spawned the process.", "recommended": true }, "fieldName": "user", "displayName": "user", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false } ], "expression": "if(isnull(user) OR user=\"\",\"unknown\",user)" }, { "calculationID": "Endpoint_Processes_vendor_product", "calculationType": "Eval", "outputFields": [ { "comment": { "description": "The vendor and product name of the Endpoint solution that reported the event, such as Carbon Black Cb Response. This field can be automatically populated by vendor and product fields in your data.", "recommended": true }, "fieldName": "vendor_product", "displayName": "vendor_product", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false } ], "expression": "case(isnotnull(vendor_product),vendor_product,isnotnull(vendor) AND vendor!=\"unknown\" AND isnotnull(product) AND product!=\"unknown\",vendor.\" \".product,isnotnull(vendor) AND vendor!=\"unknown\" AND (isnull(product) OR product=\"unknown\"),vendor.\" unknown\",(isnull(vendor) OR vendor=\"unknown\") AND isnotnull(product) AND product!=\"unknown\",\"unknown \".product,isnotnull(sourcetype),sourcetype,1=1,\"unknown\")" } ], "constraints": [ ], "baseSearch": "(`cim_Endpoint_indexes`) tag=process tag=report | eval process_integrity_level=lower(process_integrity_level)", "children": [ ] }, { "comment": { "tags": [ "service", "report" ] }, "objectName": "Services", "displayName": "Services", "parentName": "BaseSearch", "fields": [ { "comment": { "description": "The description of the service." }, "fieldName": "description", "displayName": "description", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.", "ta_relevant": false }, "fieldName": "dest_bunit", "displayName": "dest_bunit", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.", "ta_relevant": false }, "fieldName": "dest_category", "displayName": "dest_category", "type": "string", "fieldSearch": "", "required": false, "multivalue": true, "hidden": false }, { "comment": { "description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.", "ta_relevant": false }, "fieldName": "dest_is_expected", "displayName": "dest_is_expected", "type": "boolean", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.", "ta_relevant": false }, "fieldName": "dest_priority", "displayName": "dest_priority", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.", "ta_relevant": false }, "fieldName": "dest_requires_av", "displayName": "dest_requires_av", "type": "boolean", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.", "ta_relevant": false }, "fieldName": "dest_should_timesync", "displayName": "dest_should_timesync", "type": "boolean", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.", "ta_relevant": false }, "fieldName": "dest_should_update", "displayName": "dest_should_update", "type": "boolean", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "The globally unique identifier of the process assigned by the vendor_product." }, "fieldName": "process_guid", "displayName": "process_guid", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "The numeric identifier of the process assigned by the operating system." }, "fieldName": "process_id", "displayName": "process_id", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "The dynamic link library associated with the service." }, "fieldName": "service_dll", "displayName": "service_dll", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "The file path to the dynamic link library assocatied with the service, such as C:\\Windows\\System32\\comdlg32.dll." }, "fieldName": "service_dll_path", "displayName": "service_dll_path", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "The digest(s) of the dynamic link library associated with the service, such as , , etc." }, "fieldName": "service_dll_hash", "displayName": "service_dll_hash", "type": "string", "fieldSearch": "", "required": false, "multivalue": true, "hidden": false }, { "comment": { "description": "Whether or not the dynamic link library associated with the service has a digitally signed signature." }, "fieldName": "service_dll_signature_exists", "displayName": "service_dll_signature_exists", "type": "boolean", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "Whether or not the dynamic link library associated with the service has had it's digitally signed signature verified." }, "fieldName": "service_dll_signature_verified", "displayName": "service_dll_signature_verified", "type": "boolean", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "The executable name of the service." }, "fieldName": "service_exec", "displayName": "service_exec", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "The digest(s) of the service, such as , , etc." }, "fieldName": "service_hash", "displayName": "service_hash", "type": "string", "fieldSearch": "", "required": false, "multivalue": true, "hidden": false }, { "comment": { "description": "The file path of the service, such as C:\\WINDOWS\\system32\\svchost.exe." }, "fieldName": "service_path", "displayName": "service_path", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "Whether or not the service has a digitally signed signature." }, "fieldName": "service_signature_exists", "displayName": "service_signature_exists", "type": "boolean", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "Whether or not the service has had it's digitally signed signature verified." }, "fieldName": "service_signature_verified", "displayName": "service_signature_verified", "type": "boolean", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "This automatically generated field is used to access tags from within data models. Add-on builders do not need to populate it.", "ta_relevant": false }, "fieldName": "tag", "displayName": "tag", "type": "string", "fieldSearch": "", "required": false, "multivalue": true, "hidden": false }, { "comment": { "description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.", "ta_relevant": false }, "fieldName": "user_bunit", "displayName": "user_bunit", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.", "ta_relevant": false }, "fieldName": "user_category", "displayName": "user_category", "type": "string", "fieldSearch": "", "required": false, "multivalue": true, "hidden": false }, { "comment": { "description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.", "ta_relevant": false }, "fieldName": "user_priority", "displayName": "user_priority", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false } ], "calculations": [ { "calculationID": "Endpoint_Services_fillnull_dest", "calculationType": "Eval", "outputFields": [ { "comment": { "description": "The endpoint for which the service is installed.", "recommended": true }, "fieldName": "dest", "displayName": "dest", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false } ], "expression": "if(isnull(dest) OR dest=\"\",\"unknown\",dest)" }, { "calculationID": "Endpoint_Services_fillnull_service", "calculationType": "Eval", "outputFields": [ { "comment": { "description": "The full service name.", "recommended": true }, "fieldName": "service", "displayName": "service", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false } ], "expression": "if(isnull(service) OR service=\"\",\"unknown\",service)" }, { "calculationID": "Endpoint_Services_fillnull_service_name", "calculationType": "Eval", "outputFields": [ { "comment": { "description": "The friendly service name.", "recommended": true }, "fieldName": "service_name", "displayName": "service_name", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false } ], "expression": "if(isnull(service_name) OR service_name=\"\",\"unknown\",service_name)" }, { "calculationID": "Endpoint_Services_fillnull_service_id", "calculationType": "Eval", "outputFields": [ { "comment": { "description": "The unique identifier of the service assigned by the operating system..", "recommended": true }, "fieldName": "service_id", "displayName": "service_id", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false } ], "expression": "if(isnull(service_id) OR service_id=\"\",\"unknown\",service_id)" }, { "calculationID": "Endpoint_Services_fillnull_start_mode", "calculationType": "Eval", "outputFields": [ { "comment": { "description": "The start mode for the service.", "expected_values": [ "disabled", "manual", "auto" ], "recommended": true }, "fieldName": "start_mode", "displayName": "start_mode", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false } ], "expression": "if(isnull(start_mode) OR start_mode=\"\",\"unknown\",start_mode)" }, { "calculationID": "Endpoint_Services_fillnull_status", "calculationType": "Eval", "outputFields": [ { "comment": { "description": "The status of the service.", "expected_values": [ "critical", "started", "stopped", "warning" ], "recommended": true }, "fieldName": "status", "displayName": "status", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false } ], "expression": "if(isnull(status) OR status=\"\",\"unknown\",status)" }, { "calculationID": "Endpoint_Services_fillnull_user", "calculationType": "Eval", "outputFields": [ { "comment": { "description": "The user account associated with the service.", "recommended": true }, "fieldName": "user", "displayName": "user", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false } ], "expression": "if(isnull(user) OR user=\"\",\"unknown\",user)" }, { "calculationID": "Endpoint_Services_vendor_product", "calculationType": "Eval", "outputFields": [ { "comment": { "description": "The vendor and product name of the Endpoint solution that reported the event, such as Carbon Black Cb Response. This field can be automatically populated by vendor and product fields in your data.", "recommended": true }, "fieldName": "vendor_product", "displayName": "vendor_product", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false } ], "expression": "case(isnotnull(vendor_product),vendor_product,isnotnull(vendor) AND vendor!=\"unknown\" AND isnotnull(product) AND product!=\"unknown\",vendor.\" \".product,isnotnull(vendor) AND vendor!=\"unknown\" AND (isnull(product) OR product=\"unknown\"),vendor.\" unknown\",(isnull(vendor) OR vendor=\"unknown\") AND isnotnull(product) AND product!=\"unknown\",\"unknown \".product,isnotnull(sourcetype),sourcetype,1=1,\"unknown\")" } ], "constraints": [ ], "baseSearch": "(`cim_Endpoint_indexes`) tag=service tag=report", "children": [ ] }, { "comment": { "tags": [ "endpoint", "filesystem" ] }, "objectName": "Filesystem", "displayName": "Filesystem", "parentName": "BaseSearch", "fields": [ { "comment": { "description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.", "ta_relevant": false }, "fieldName": "dest_bunit", "displayName": "dest_bunit", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.", "ta_relevant": false }, "fieldName": "dest_category", "displayName": "dest_category", "type": "string", "fieldSearch": "", "required": false, "multivalue": true, "hidden": false }, { "comment": { "description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.", "ta_relevant": false }, "fieldName": "dest_priority", "displayName": "dest_priority", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.", "ta_relevant": false }, "fieldName": "dest_requires_av", "displayName": "dest_requires_av", "type": "boolean", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.", "ta_relevant": false }, "fieldName": "dest_should_timesync", "displayName": "dest_should_timesync", "type": "boolean", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.", "ta_relevant": false }, "fieldName": "dest_should_update", "displayName": "dest_should_update", "type": "boolean", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "The time the file (the object of the event) was accessed.", "recommended": true }, "fieldName": "file_access_time", "displayName": "file_access_time", "type": "timestamp", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "The time the file (the object of the event) was created.", "recommended": true }, "fieldName": "file_create_time", "displayName": "file_create_time", "type": "timestamp", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "The time the file (the object of the event) was altered.", "recommended": true }, "fieldName": "file_modify_time", "displayName": "file_modify_time", "type": "timestamp", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "The globally unique identifier of the process assigned by the vendor_product." }, "fieldName": "process_guid", "displayName": "process_guid", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "The numeric identifier of the process assigned by the operating system." }, "fieldName": "process_id", "displayName": "process_id", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "This automatically generated field is used to access tags from within data models. Add-on builders do not need to populate it.", "ta_relevant": false }, "fieldName": "tag", "displayName": "tag", "type": "string", "fieldSearch": "", "required": false, "multivalue": true, "hidden": false }, { "comment": { "description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.", "ta_relevant": false }, "fieldName": "user_bunit", "displayName": "user_bunit", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.", "ta_relevant": false }, "fieldName": "user_category", "displayName": "user_category", "type": "string", "fieldSearch": "", "required": false, "multivalue": true, "hidden": false }, { "comment": { "description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.", "ta_relevant": false }, "fieldName": "user_priority", "displayName": "user_priority", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false } ], "calculations": [ { "calculationID": "Endpoint_Filesystem_fillnull_action", "calculationType": "Eval", "outputFields": [ { "comment": { "description": "The action performed on the resource.", "expected_values": [ "acl_modified", "created", "deleted", "modified", "read" ], "recommended": true }, "fieldName": "action", "displayName": "action", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false } ], "expression": "if(isnull(action) OR action=\"\",\"unknown\",action)" }, { "calculationID": "Endpoint_Filesystem_fillnull_dest", "calculationType": "Eval", "outputFields": [ { "comment": { "description": "The endpoint pertaining to the filesystem activity.", "recommended": true }, "fieldName": "dest", "displayName": "dest", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false } ], "expression": "if(isnull(dest) OR dest=\"\",\"unknown\",dest)" }, { "calculationID": "Endpoint_Filesystem_eval_file_hash", "calculationType": "Eval", "outputFields": [ { "comment": { "description": "A cryptographic identifier assigned to the file object affected by the event.", "recommended": true }, "fieldName": "file_hash", "displayName": "file_hash", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false } ], "expression": "if(isnull(file_hash) OR file_hash=\"\",\"unknown\",file_hash)" }, { "calculationID": "Endpoint_Filesystem_eval_file_name", "calculationType": "Eval", "outputFields": [ { "comment": { "description": "The name of the file, such as notepad.exe.", "recommended": true }, "fieldName": "file_name", "displayName": "file_name", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false } ], "expression": "if(isnull(file_name) OR file_name=\"\",\"unknown\",file_name)" }, { "calculationID": "Endpoint_Filesystem_eval_file_path", "calculationType": "Eval", "outputFields": [ { "comment": { "description": "The path of the file, such as C:\\Windows\\System32\\notepad.exe.", "recommended": true }, "fieldName": "file_path", "displayName": "file_path", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false } ], "expression": "if(isnull(file_path) OR file_path=\"\",\"unknown\",file_path)" }, { "calculationID": "Endpoint_Filesystem_eval_file_acl", "calculationType": "Eval", "outputFields": [ { "comment": { "description": "Access controls associated with the file affected by the event.", "recommended": true }, "fieldName": "file_acl", "displayName": "file_acl", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false } ], "expression": "if(isnull(file_acl) OR file_acl=\"\",\"unknown\",file_acl)" }, { "calculationID": "Endpoint_Filesystem_eval_file_size", "calculationType": "Eval", "outputFields": [ { "comment": { "description": "The size of the file that is the object of the event, in kilobytes.", "recommended": true }, "fieldName": "file_size", "displayName": "file_size", "type": "number", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false } ], "expression": "if(isnum(file_size),file_size,null())" }, { "calculationID": "Endpoint_Filesystem_fillnull_user", "calculationType": "Eval", "outputFields": [ { "comment": { "description": "The user account associated with the filesystem access.", "recommended": true }, "fieldName": "user", "displayName": "user", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false } ], "expression": "if(isnull(user) OR user=\"\",\"unknown\",user)" }, { "calculationID": "Endpoint_Filesystem_vendor_product", "calculationType": "Eval", "outputFields": [ { "comment": { "description": "The vendor and product name of the Endpoint solution that reported the event, such as Carbon Black Cb Response. This field can be automatically populated by vendor and product fields in your data.", "recommended": true }, "fieldName": "vendor_product", "displayName": "vendor_product", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false } ], "expression": "case(isnotnull(vendor_product),vendor_product,isnotnull(vendor) AND vendor!=\"unknown\" AND isnotnull(product) AND product!=\"unknown\",vendor.\" \".product,isnotnull(vendor) AND vendor!=\"unknown\" AND (isnull(product) OR product=\"unknown\"),vendor.\" unknown\",(isnull(vendor) OR vendor=\"unknown\") AND isnotnull(product) AND product!=\"unknown\",\"unknown \".product,isnotnull(sourcetype),sourcetype,1=1,\"unknown\")" } ], "constraints": [ ], "baseSearch": "(`cim_Endpoint_indexes`) tag=endpoint tag=filesystem", "children": [ ] }, { "comment": { "tags": [ "endpoint", "registry" ] }, "objectName": "Registry", "displayName": "Registry", "parentName": "BaseSearch", "fields": [ { "comment": { "description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.", "ta_relevant": false }, "fieldName": "dest_bunit", "displayName": "dest_bunit", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.", "ta_relevant": false }, "fieldName": "dest_category", "displayName": "dest_category", "type": "string", "fieldSearch": "", "required": false, "multivalue": true, "hidden": false }, { "comment": { "description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.", "ta_relevant": false }, "fieldName": "dest_priority", "displayName": "dest_priority", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.", "ta_relevant": false }, "fieldName": "dest_requires_av", "displayName": "dest_requires_av", "type": "boolean", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.", "ta_relevant": false }, "fieldName": "dest_should_timesync", "displayName": "dest_should_timesync", "type": "boolean", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.", "ta_relevant": false }, "fieldName": "dest_should_update", "displayName": "dest_should_update", "type": "boolean", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "The globally unique identifier of the process assigned by the vendor_product." }, "fieldName": "process_guid", "displayName": "process_guid", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "The numeric identifier of the process assigned by the operating system." }, "fieldName": "process_id", "displayName": "process_id", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "The logical grouping of registry keys, subkeys, and values.", "expected_values": [ "HKEY_CURRENT_CONFIG", "HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE\\SAM", "HKEY_LOCAL_MACHINE\\Security", "HKEY_LOCAL_MACHINE\\Software", "HKEY_LOCAL_MACHINE\\System", "HKEY_USERS\\.DEFAULT" ], "ta_relevant": false }, "fieldName": "registry_hive", "displayName": "registry_hive", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "The textual representation of registry_value_data (if applicable)." }, "fieldName": "registry_value_text", "displayName": "registry_value_text", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "The outcome of the registry action.", "expected_values": [ "failure", "success" ], "ta_relevant": false }, "fieldName": "status", "displayName": "status", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "This automatically generated field is used to access tags from within data models. Add-on builders do not need to populate it.", "ta_relevant": false }, "fieldName": "tag", "displayName": "tag", "type": "string", "fieldSearch": "", "required": false, "multivalue": true, "hidden": false }, { "comment": { "description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.", "ta_relevant": false }, "fieldName": "user_bunit", "displayName": "user_bunit", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false }, { "comment": { "description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.", "ta_relevant": false }, "fieldName": "user_category", "displayName": "user_category", "type": "string", "fieldSearch": "", "required": false, "multivalue": true, "hidden": false }, { "comment": { "description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.", "ta_relevant": false }, "fieldName": "user_priority", "displayName": "user_priority", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false } ], "calculations": [ { "calculationID": "Endpoint_Registry_fillnull_action", "calculationType": "Eval", "outputFields": [ { "comment": { "description": "The action performed on the resource.", "expected_values": [ "created", "deleted", "modified", "read" ], "recommended": true }, "fieldName": "action", "displayName": "action", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false } ], "expression": "if(isnull(action) OR action=\"\",\"unknown\",action)" }, { "calculationID": "Endpoint_Registry_fillnull_dest", "calculationType": "Eval", "outputFields": [ { "comment": { "description": "The endpoint pertaining to the registry events.", "recommended": true }, "fieldName": "dest", "displayName": "dest", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false } ], "expression": "if(isnull(dest) OR dest=\"\",\"unknown\",dest)" }, { "calculationID": "Endpoint_Registry_fillnull_registry_path", "calculationType": "Eval", "outputFields": [ { "comment": { "description": "The path to the registry value, such as \\win\\directory\\directory2\\{676235CD-B656-42D5-B737-49856E97D072}\\PrinterDriverData.", "recommended": true }, "fieldName": "registry_path", "displayName": "registry_path", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false } ], "expression": "if(isnull(registry_path) OR registry_path=\"\",\"unknown\",registry_path)" }, { "calculationID": "Endpoint_Registry_fillnull_registry_key_name", "calculationType": "Eval", "outputFields": [ { "comment": { "description": "The name of the registry key, such as PrinterDriverData.", "recommended": true }, "fieldName": "registry_key_name", "displayName": "registry_key_name", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false } ], "expression": "if(isnull(registry_key_name) OR registry_key_name=\"\",\"unknown\",registry_key_name)" }, { "calculationID": "Endpoint_Registry_fillnull_registry_value_data", "calculationType": "Eval", "outputFields": [ { "comment": { "description": "The unaltered registry value.", "recommended": true }, "fieldName": "registry_value_data", "displayName": "registry_value_data", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false } ], "expression": "if(isnull(registry_value_data) OR registry_value_data=\"\",\"unknown\",registry_value_data)" }, { "calculationID": "Endpoint_Registry_fillnull_registry_value_name", "calculationType": "Eval", "outputFields": [ { "comment": { "description": "The name of the registry value.", "recommended": true }, "fieldName": "registry_value_name", "displayName": "registry_value_name", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false } ], "expression": "if(isnull(registry_value_name) OR registry_value_name=\"\",\"unknown\",registry_value_name)" }, { "calculationID": "Endpoint_Registry_fillnull_registry_value_type", "calculationType": "Eval", "outputFields": [ { "comment": { "description": "The type of the registry value.", "expected_values": [ "REG_BINARY", "REG_DWORD", "REG_DWORD_LITTLE_ENDIAN", "REG_DWORD_BIG_ENDIAN", "REG_EXPAND_SZ", "REG_LINK", "REG_MULTI_SZ", "REG_NONE", "REG_QWORD", "REG_QWORD_LITTLE_ENDIAN", "REG_SZ" ], "recommended": true }, "fieldName": "registry_value_type", "displayName": "registry_value_type", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false } ], "expression": "if(isnull(registry_value_type) OR registry_value_type=\"\",\"unknown\",registry_value_type)" }, { "calculationID": "Endpoint_Registry_fillnull_user", "calculationType": "Eval", "outputFields": [ { "comment": { "description": "The user account associated with the registry access.", "recommended": true }, "fieldName": "user", "displayName": "user", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false } ], "expression": "if(isnull(user) OR user=\"\",\"unknown\",user)" }, { "calculationID": "Endpoint_Registry_vendor_product", "calculationType": "Eval", "outputFields": [ { "comment": { "description": "The vendor and product name of the Endpoint solution that reported the event, such as Carbon Black Cb Response. This field can be automatically populated by vendor and product fields in your data.", "recommended": true }, "fieldName": "vendor_product", "displayName": "vendor_product", "type": "string", "fieldSearch": "", "required": false, "multivalue": false, "hidden": false } ], "expression": "case(isnotnull(vendor_product),vendor_product,isnotnull(vendor) AND vendor!=\"unknown\" AND isnotnull(product) AND product!=\"unknown\",vendor.\" \".product,isnotnull(vendor) AND vendor!=\"unknown\" AND (isnull(product) OR product=\"unknown\"),vendor.\" unknown\",(isnull(vendor) OR vendor=\"unknown\") AND isnotnull(product) AND product!=\"unknown\",\"unknown \".product,isnotnull(sourcetype),sourcetype,1=1,\"unknown\")" } ], "constraints": [ ], "baseSearch": "(`cim_Endpoint_indexes`) tag=endpoint tag=registry", "children": [ ] } ] }