admingit
/
Deploiement_Server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
Deploiement_Server/deployment-apps/Splunk_SA_CIM/default/data/models/Alerts.json

467 lines
16 KiB
Raw Permalink Blame History

{
"modelName": "Alerts",
"displayName": "Alerts",
"description": "Alerts Data Model",
"editable": false,
"objects": [
{
"comment": {
"tags": [
"alert"
]
},
"objectName": "Alerts",
"displayName": "Alerts",
"parentName": "BaseEvent",
"fields": [
{
"comment": {
"description": "This field is deprecated in favor of 'description'."
},
"fieldName": "body",
"displayName": "body",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
},
{
"comment": {
"description": "The description of the alert event."
},
"fieldName": "description",
"displayName": "description",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
},
{
"comment": {
"description": "The business unit associated with the destination. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.",
"ta_relevant": false
},
"fieldName": "dest_bunit",
"displayName": "dest_bunit",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
},
{
"comment": {
"description": "The category of the destination. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.",
"ta_relevant": false
},
"fieldName": "dest_category",
"displayName": "dest_category",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": true,
"hidden": false
},
{
"comment": {
"description": "The priority of the destination. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.",
"ta_relevant": false
},
"fieldName": "dest_priority",
"displayName": "dest_priority",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
},
{
"comment": {
"description": "The type of the destination object, such as 'instance', 'storage', 'firewall'."
},
"fieldName": "dest_type",
"displayName": "dest_type",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
},
{
"comment": {
"description": "The unique identifier of the alert event."
},
"fieldName": "id",
"displayName": "id",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
},
{
"comment": {
"description": "The MITRE ATT&CK technique ID of the alert event, searchable at https:\/\/attack.mitre.org\/techniques"
},
"fieldName": "mitre_technique_id",
"displayName": "mitre_technique_id",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": true,
"hidden": false
},
{
"comment": {
"description": "The numeric or vendor specific severity indicator corresponding to the event severity."
},
"fieldName": "severity_id",
"displayName": "severity_id",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
},
{
"comment": {
"description": "The human-friendly title of the alert event, such as 'API GetAccountPasswordPolicy was invoked using root credentials.' Split by signature_id when aggregating alert events by types."
},
"fieldName": "signature",
"displayName": "signature",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
},
{
"comment": {
"description": "The business unit associated with the source. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.",
"ta_relevant": false
},
"fieldName": "src_bunit",
"displayName": "src_bunit",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
},
{
"comment": {
"description": "The category of the source. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.",
"ta_relevant": false
},
"fieldName": "src_category",
"displayName": "src_category",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": true,
"hidden": false
},
{
"comment": {
"description": "The priority of the source. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.",
"ta_relevant": false
},
"fieldName": "src_priority",
"displayName": "src_priority",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
},
{
"comment": {
"description": "The type of the source object, such as 'instance', 'storage', 'firewall'."
},
"fieldName": "src_type",
"displayName": "src_type",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
},
{
"comment": {
"description": "This field is deprecated in favor of 'signature'."
},
"fieldName": "subject",
"displayName": "subject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
},
{
"comment": {
"description": "This automatically generated field is used to access tags from within data models. Add-on builders do not need to populate it.",
"ta_relevant": false
},
"fieldName": "tag",
"displayName": "tag",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": true,
"hidden": false
},
{
"comment": {
"description": "The business unit of the user involved in the alert event. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.",
"ta_relevant": false
},
"fieldName": "user_bunit",
"displayName": "user_bunit",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
},
{
"comment": {
"description": "The category of the user involved in the alert event. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.",
"ta_relevant": false
},
"fieldName": "user_category",
"displayName": "user_category",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": true,
"hidden": false
},
{
"comment": {
"description": "The priority of the user involved in the alert event. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.",
"ta_relevant": false
},
"fieldName": "user_priority",
"displayName": "user_priority",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
},
{
"comment": {
"description": "The account associated with the alert event."
},
"fieldName": "vendor_account",
"displayName": "vendor_account",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
},
{
"comment": {
"description": "The data center region involved in the alert event, such as us-west-2."
},
"fieldName": "vendor_region",
"displayName": "vendor_region",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
}
],
"calculations": [
{
"calculationID": "Alerts_fillnull_app",
"calculationType": "Eval",
"outputFields": [
{
"comment": {
"description": "The system, service, or application that generated the alert event. Examples include, but are not limited to the following: GuardDuty, SecurityCenter, 3rd party services, win:app:trendmicro, vmware, nagios.",
"recommended": true
},
"fieldName": "app",
"displayName": "app",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
}
],
"expression": "if(isnull(app) OR app=\"\",sourcetype,app)"
},
{
"calculationID": "Alerts_fillnull_dest",
"calculationType": "Eval",
"outputFields": [
{
"comment": {
"description": "The object that is the 'target' of the alert event. Examples include an email address, SNMP trap, or virtual machine id. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name.",
"recommended": true
},
"fieldName": "dest",
"displayName": "dest",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
}
],
"expression": "if(isnull(dest) OR dest=\"\",\"unknown\",dest)"
},
{
"calculationID": "Alerts_fillnull_severity",
"calculationType": "Eval",
"outputFields": [
{
"comment": {
"description": "The severity of the alert event. Note: This field is a string. Specific values are required. Use the severity_id field for severity ID fields that are integer data types. Use vendor_severity for the vendor's own human readable strings (such as 'Good', 'Bad', 'Really Bad').",
"expected_values": [
"critical",
"high",
"medium",
"low",
"informational",
"unknown"
],
"recommended": true
},
"fieldName": "severity",
"displayName": "severity",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
}
],
"expression": "if(isnull(severity) OR severity=\"\",\"unknown\",severity)"
},
{
"calculationID": "Alerts_fillnull_signature_id",
"calculationType": "Eval",
"outputFields": [
{
"comment": {
"description": "The vendor specific policy or rule that generated the alert event, such as 'Policy:IAMUser/RootCredentialUsage.'",
"recommended": true
},
"fieldName": "signature_id",
"displayName": "signature_id",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
}
],
"expression": "if(isnull(signature_id) OR signature_id=\"\",\"unknown\",signature_id)"
},
{
"calculationID": "Alerts_fillnull_src",
"calculationType": "Eval",
"outputFields": [
{
"comment": {
"description": "The object that is the 'actor' of the alert event. You can alias or extract this from more specific fields, such as src_host, src_ip, or src_name.",
"recommended": true
},
"fieldName": "src",
"displayName": "src",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
}
],
"expression": "if(isnull(src) OR src=\"\",\"unknown\",src)"
},
{
"calculationID": "Alerts_fillnull_type",
"calculationType": "Eval",
"outputFields": [
{
"comment": {
"description": "The alert event type.",
"expected_values": [
"alarm",
"alert",
"event",
"task",
"warning",
"unknown"
],
"recommended": true
},
"fieldName": "type",
"displayName": "type",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
}
],
"expression": "if(isnull(type) OR type=\"\",\"unknown\",type)"
},
{
"calculationID": "Alerts_fillnull_user",
"calculationType": "Eval",
"outputFields": [
{
"comment": {
"description": "The user involved in the alert event.",
"recommended": true
},
"fieldName": "user",
"displayName": "user",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
}
],
"expression": "if(isnull(user) OR user=\"\",\"unknown\",user)"
},
{
"calculationID": "Alerts_fillnull_user_name",
"calculationType": "Eval",
"outputFields": [
{
"comment": {
"description": "The user_name of user involved in the alert event."
},
"fieldName": "user_name",
"displayName": "user_name",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
}
],
"expression": "if(isnull(user_name) OR user_name=\"\",\"unknown\",user_name)"
}
],
"constraints": [
{
"search": "(`cim_Alerts_indexes`) tag=alert"
}
],
"children": [
]
}
]
}
Reference in new issue View Git Blame Copy Permalink