admingit
/
Deploiement_Server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
Deploiement_Server/deployment-apps/Splunk_SA_CIM/default/data/models/Malware.json

723 lines
24 KiB
Raw Permalink Blame History

{
"modelName": "Malware",
"displayName": "Malware",
"description": "Malware Data Model",
"editable": false,
"objects": [
{
"comment": {
"tags": [
"malware",
"attack"
]
},
"objectName": "Malware_Attacks",
"displayName": "Malware Attacks",
"parentName": "BaseEvent",
"fields": [
{
"comment": {
"description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.",
"ta_relevant": false
},
"fieldName": "dest_bunit",
"displayName": "dest_bunit",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
},
{
"comment": {
"description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.",
"ta_relevant": false
},
"fieldName": "dest_category",
"displayName": "dest_category",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": true,
"hidden": false
},
{
"comment": {
"description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.",
"ta_relevant": false
},
"fieldName": "dest_priority",
"displayName": "dest_priority",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
},
{
"comment": {
"description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.",
"ta_relevant": false
},
"fieldName": "dest_requires_av",
"displayName": "dest_requires_av",
"type": "boolean",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
},
{
"comment": {
"description": "The hash of the file with suspected malware."
},
"fieldName": "file_hash",
"displayName": "file_hash",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
},
{
"comment": {
"description": "The name of the file with suspected malware."
},
"fieldName": "file_name",
"displayName": "file_name",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
},
{
"comment": {
"description": "The full file path of the file with suspected malware."
},
"fieldName": "file_path",
"displayName": "file_path",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
},
{
"comment": {
"description": "The numeric or vendor specific severity indicator corresponding to the event severity."
},
"fieldName": "severity_id",
"displayName": "severity_id",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
},
{
"comment": {
"description": "The unique identifier or event code of the event signature."
},
"fieldName": "signature_id",
"displayName": "signature_id",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
},
{
"comment": {
"description": "The source of the endpoint event, such as a DAT file relay server. You can alias this from more specific fields, such as src_host, src_ip, or src_name."
},
"fieldName": "src",
"displayName": "src",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
},
{
"comment": {
"description": "The business unit of the source.",
"ta_relevant": false
},
"fieldName": "src_bunit",
"displayName": "src_bunit",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
},
{
"comment": {
"description": "The category of the source.",
"ta_relevant": false
},
"fieldName": "src_category",
"displayName": "src_category",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": true,
"hidden": false
},
{
"comment": {
"description": "The priority of the source.",
"ta_relevant": false
},
"fieldName": "src_priority",
"displayName": "src_priority",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
},
{
"comment": {
"description": "The reported sender of an email-based attack."
},
"fieldName": "src_user",
"displayName": "src_user",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": true,
"hidden": false
},
{
"comment": {
"description": "This automatically generated field is used to access tags from within data models. Add-on builders do not need to populate it.",
"ta_relevant": false
},
"fieldName": "tag",
"displayName": "tag",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": true,
"hidden": false
},
{
"comment": {
"description": "A URL containing more information about the vulnerability."
},
"fieldName": "url",
"displayName": "url",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
},
{
"comment": {
"description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.",
"ta_relevant": false
},
"fieldName": "user_bunit",
"displayName": "user_bunit",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
},
{
"comment": {
"description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.",
"ta_relevant": false
},
"fieldName": "user_category",
"displayName": "user_category",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": true,
"hidden": false
},
{
"comment": {
"description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.",
"ta_relevant": false
},
"fieldName": "user_priority",
"displayName": "user_priority",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
}
],
"calculations": [
{
"calculationID": "Malware_Attacks_fillnull_action",
"calculationType": "Eval",
"outputFields": [
{
"comment": {
"description": "The action taken by the reporting device.",
"expected_values": [
"allowed",
"blocked",
"deferred"
],
"recommended": true
},
"fieldName": "action",
"displayName": "action",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
}
],
"expression": "if(isnull(action) OR action=\"\",\"unknown\",action)"
},
{
"calculationID": "Malware_Attacks_fillnull_category",
"calculationType": "Eval",
"outputFields": [
{
"comment": {
"description": "The category of the malware event, such as keylogger or ad-supported program. Note: This is a string value. Use category_id for category ID fields that are integer data types. The category_id field is optional, so it is not included in the data model.",
"recommended": true
},
"fieldName": "category",
"displayName": "category",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
}
],
"expression": "if(isnull(category) OR category=\"\",\"unknown\",category)"
},
{
"calculationID": "Malware_Attacks_date",
"calculationType": "Eval",
"outputFields": [
{
"comment": {
"description": "The date of the malware event.",
"recommended": true
},
"fieldName": "date",
"displayName": "date",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
}
],
"expression": "strftime(_time, \"%m-%d-%Y\")"
},
{
"calculationID": "Malware_Attacks_fillnull_dest",
"calculationType": "Eval",
"outputFields": [
{
"comment": {
"description": "The system that was affected by the malware event. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name.",
"recommended": true
},
"fieldName": "dest",
"displayName": "dest",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
}
],
"expression": "if(isnull(dest) OR dest=\"\",\"unknown\",dest)"
},
{
"calculationID": "Malware_Attacks_fillnull_dest_nt_domain",
"calculationType": "Eval",
"outputFields": [
{
"comment": {
"description": "The NT domain of the destination, if applicable.",
"recommended": true
},
"fieldName": "dest_nt_domain",
"displayName": "dest_nt_domain",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
}
],
"expression": "if(isnull(dest_nt_domain) OR dest_nt_domain=\"\",\"unknown\",dest_nt_domain)"
},
{
"calculationID": "Malware_Attacks_fillnull_severity",
"calculationType": "Eval",
"outputFields": [
{
"comment": {
"description": "The severity of the network protection event. Note: This field is a string. Use severity_id for severity ID fields that are integer data types. The severity_id field is optional, so it is not included in the model. Also, specific values are required for this field. Use vendor_severity for the vendor's own human readable severity strings, such as Good, Bad, and Really Bad.",
"expected_values": [
"critical",
"high",
"medium",
"low",
"informational"
],
"recommended": true
},
"fieldName": "severity",
"displayName": "severity",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
}
],
"expression": "if(isnull(severity) OR severity=\"\",\"unknown\",severity)"
},
{
"calculationID": "Malware_Attacks_fillnull_signature",
"calculationType": "Eval",
"outputFields": [
{
"comment": {
"description": "The name of the malware infection detected on the client (the dest), such as Trojan.Vundo, Spyware.Gaobot, and W32.Nimbda. Note: This is a string value. Use signature_id for signature ID fields that are integer data types. The signature_id field is optional, so it is not included in the data model.",
"recommended": true
},
"fieldName": "signature",
"displayName": "signature",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
}
],
"expression": "if(isnull(signature) OR signature=\"\",\"unknown\",signature)"
},
{
"calculationID": "Malware_Attacks_fillnull_user",
"calculationType": "Eval",
"outputFields": [
{
"comment": {
"description": "The user involved in the malware event.",
"recommended": true
},
"fieldName": "user",
"displayName": "user",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
}
],
"expression": "if(isnull(user) OR user=\"\",\"unknown\",user)"
},
{
"calculationID": "Malware_Attacks_vendor_product",
"calculationType": "Eval",
"outputFields": [
{
"comment": {
"description": "The vendor and product name of the endpoint protection system, such as Symantec AntiVirus. This field can be automatically populated by vendor and product fields in your data.",
"recommended": true
},
"fieldName": "vendor_product",
"displayName": "vendor_product",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
}
],
"expression": "case(isnotnull(vendor_product),vendor_product,isnotnull(vendor) AND vendor!=\"unknown\" AND isnotnull(product) AND product!=\"unknown\",vendor.\" \".product,isnotnull(vendor) AND vendor!=\"unknown\" AND (isnull(product) OR product=\"unknown\"),vendor.\" unknown\",(isnull(vendor) OR vendor=\"unknown\") AND isnotnull(product) AND product!=\"unknown\",\"unknown \".product,isnotnull(sourcetype),sourcetype,1=1,\"unknown\")"
}
],
"constraints": [
{
"search": "(`cim_Malware_indexes`) tag=malware tag=attack"
}
],
"children": [
]
},
{
"comment": {
"tags": [
"malware",
"attack"
]
},
"objectName": "Allowed_Malware",
"displayName": "Allowed Malware",
"parentName": "Malware_Attacks",
"fields": [
],
"calculations": [
],
"constraints": [
{
"search": "action=\"allowed\""
}
],
"children": [
]
},
{
"comment": {
"tags": [
"malware",
"attack"
]
},
"objectName": "Blocked_Malware",
"displayName": "Blocked Malware",
"parentName": "Malware_Attacks",
"fields": [
],
"calculations": [
],
"constraints": [
{
"search": "action=\"blocked\""
}
],
"children": [
]
},
{
"comment": {
"tags": [
"malware",
"attack"
]
},
"objectName": "Deferred_Malware",
"displayName": "Quarantined Malware",
"parentName": "Malware_Attacks",
"fields": [
],
"calculations": [
],
"constraints": [
{
"search": "action=\"deferred\""
}
],
"children": [
]
},
{
"comment": {
"tags": [
"malware",
"operations"
]
},
"objectName": "Malware_Operations",
"displayName": "Malware Operations",
"parentName": "BaseSearch",
"fields": [
{
"comment": {
"description": "The event timestamp expressed in Unix time.",
"ta_relevant": false
},
"fieldName": "_time",
"displayName": "_time",
"type": "timestamp",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
},
{
"comment": {
"description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.",
"ta_relevant": false
},
"fieldName": "dest_bunit",
"displayName": "dest_bunit",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
},
{
"comment": {
"description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.",
"ta_relevant": false
},
"fieldName": "dest_category",
"displayName": "dest_category",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": true,
"hidden": false
},
{
"comment": {
"description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.",
"ta_relevant": false
},
"fieldName": "dest_priority",
"displayName": "dest_priority",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
},
{
"comment": {
"description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.",
"ta_relevant": false
},
"fieldName": "dest_requires_av",
"displayName": "dest_requires_av",
"type": "boolean",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
},
{
"comment": {
"description": "The product version of the malware operations product.",
"recommended": true
},
"fieldName": "product_version",
"displayName": "product_version",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
},
{
"comment": {
"description": "The version of the malware signature bundle in a signature update operations event.",
"recommended": true
},
"fieldName": "signature_version",
"displayName": "signature_version",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
},
{
"comment": {
"description": "This automatically generated field is used to access tags from within data models. Add-on builders do not need to populate it.",
"ta_relevant": false
},
"fieldName": "tag",
"displayName": "tag",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": true,
"hidden": false
}
],
"calculations": [
{
"calculationID": "Malware_Operations_fillnull_dest",
"calculationType": "Eval",
"outputFields": [
{
"comment": {
"description": "The system where the malware operations event occurred.",
"recommended": true
},
"fieldName": "dest",
"displayName": "dest",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
}
],
"expression": "if(isnull(dest) OR dest=\"\",\"unknown\",dest)"
},
{
"calculationID": "Malware_Operations_fillnull_dest_nt_domain",
"calculationType": "Eval",
"outputFields": [
{
"comment": {
"description": "The NT domain of the dest system, if applicable.",
"recommended": true
},
"fieldName": "dest_nt_domain",
"displayName": "dest_nt_domain",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
}
],
"expression": "if(isnull(dest_nt_domain) OR dest_nt_domain=\"\",\"unknown\",dest_nt_domain)"
},
{
"calculationID": "Malware_Operations_vendor_product",
"calculationType": "Eval",
"outputFields": [
{
"comment": {
"description": "The vendor product name of the malware operations product.",
"recommended": true
},
"fieldName": "vendor_product",
"displayName": "vendor_product",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
}
],
"expression": "case(isnotnull(vendor_product),vendor_product,isnotnull(vendor) AND vendor!=\"unknown\" AND isnotnull(product) AND product!=\"unknown\",vendor.\" \".product,isnotnull(vendor) AND vendor!=\"unknown\" AND (isnull(product) OR product=\"unknown\"),vendor.\" unknown\",(isnull(vendor) OR vendor=\"unknown\") AND isnotnull(product) AND product!=\"unknown\",\"unknown \".product,isnotnull(sourcetype),sourcetype,1=1,\"unknown\")"
}
],
"constraints": [
],
"baseSearch": "(`cim_Malware_indexes`) tag=malware tag=operations | tags outputfield=tag",
"children": [
]
}
]
}
Reference in new issue View Git Blame Copy Permalink