
{
"modelName": "DLP",
"displayName": "Data Loss Prevention",
"description": "Data Loss Prevention Data Model",
"editable": false,
"objects": [
{
"comment": {
"tags": [
"dlp",
"incident"
]
},
"objectName": "DLP_Incidents",
"displayName": "DLP Incidents",
"parentName": "BaseEvent",
"fields": [
{
"comment": {
"description": "The application involved in the event."
},
"fieldName": "app",
"displayName": "app",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
},
{
"comment": {
"description": "The business unit of the DLP target. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.",
"ta_relevant": false
},
"fieldName": "dest_bunit",
"displayName": "dest_bunit",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
},
{
"comment": {
"description": "The category of the DLP target. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.",
"ta_relevant": false
},
"fieldName": "dest_category",
"displayName": "dest_category",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": true,
"hidden": false
},
{
"comment": {
"description": "The priority of the DLP target. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.",
"ta_relevant": false
},
"fieldName": "dest_priority",
"displayName": "dest_priority",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
},
{
"comment": {
"description": "The zone of the DLP target."
},
"fieldName": "dest_zone",
"displayName": "dest_zone",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
},
{
"comment": {
"description": "The business unit of the DLP device. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.",
"ta_relevant": false
},
"fieldName": "dvc_bunit",
"displayName": "dvc_bunit",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
},
{
"comment": {
"description": "The category of the DLP device. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.",
"ta_relevant": false
},
"fieldName": "dvc_category",
"displayName": "dvc_category",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": true,
"hidden": false
},
{
"comment": {
"description": "The priority of the DLP device. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.",
"ta_relevant": false
},
"fieldName": "dvc_priority",
"displayName": "dvc_priority",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
},
{
"comment": {
"description": "The zone of the DLP device."
},
"fieldName": "dvc_zone",
"displayName": "dvc_zone",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
},
{
"comment": {
"description": "The numeric or vendor-specific severity indicator corresponding to the event severity."
},
"fieldName": "severity_id",
"displayName": "severity_id",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
},
{
"comment": {
"description": "The unique identifier or event code of the event signature."
},
"fieldName": "signature_id",
"displayName": "signature_id",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
},
{
"comment": {
"description": "The business unit of the DLP source. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.",
"ta_relevant": false
},
"fieldName": "src_bunit",
"displayName": "src_bunit",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
},
{
"comment": {
"description": "The category of the DLP source. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.",
"ta_relevant": false
},
"fieldName": "src_category",
"displayName": "src_category",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": true,
"hidden": false
},
{
"comment": {
"description": "The priority of the DLP source. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.",
"ta_relevant": false
},
"fieldName": "src_priority",
"displayName": "src_priority",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
},
{
"comment": {
"description": "The zone of the DLP source."
},
"fieldName": "src_zone",
"displayName": "src_zone",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
},
{
"comment": {
"description": "The business unit of the DLP source user. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.",
"ta_relevant": false
},
"fieldName": "src_user_bunit",
"displayName": "src_user_bunit",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
},
{
"comment": {
"description": "The category of the DLP source user. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.",
"ta_relevant": false
},
"fieldName": "src_user_category",
"displayName": "src_user_category",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": true,
"hidden": false
},
{
"comment": {
"description": "The priority of the DLP source user. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.",
"ta_relevant": false
},
"fieldName": "src_user_priority",
"displayName": "src_user_priority",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
},
{
"comment": {
"description": "This automatically generated field is used to access tags from within data models. Add-on builders do not need to populate it.",
"ta_relevant": false
},
"fieldName": "tag",
"displayName": "tag",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": true,
"hidden": false
},
{
"comment": {
"description": "The business unit of the DLP user. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.",
"ta_relevant": false
},
"fieldName": "user_bunit",
"displayName": "user_bunit",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
},
{
"comment": {
"description": "The category of the DLP user. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.",
"ta_relevant": false
},
"fieldName": "user_category",
"displayName": "user_category",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": true,
"hidden": false
},
{
"comment": {
"description": "The priority of the DLP user. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.",
"ta_relevant": false
},
"fieldName": "user_priority",
"displayName": "user_priority",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
}
],
"calculations": [
{
"calculationID": "DLP_Incidents_fillnull_action",
"calculationType": "Eval",
"outputFields": [
{
"comment": {
"description": "The action taken by the DLP device.",
"recommended": true
},
"fieldName": "action",
"displayName": "action",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
}
],
"expression": "if(isnull(action) OR action=\"\",\"unknown\",action)"
},
{
"calculationID": "DLP_Incidents_fillnull_category",
"calculationType": "Eval",
"outputFields": [
{
"comment": {
"description": "The category of the DLP event.",
"recommended": true
},
"fieldName": "category",
"displayName": "category",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
}
],
"expression": "if(isnull(object_category) OR object_category=\"\",\"unknown\",object_category)"
},
{
"calculationID": "DLP_Incidents_fillnull_dvc",
"calculationType": "Eval",
"outputFields": [
{
"comment": {
"description": "The device that reported the DLP event.",
"recommended": true
},
"fieldName": "dvc",
"displayName": "dvc",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
}
],
"expression": "if(isnull(dvc) OR dvc=\"\",\"unknown\",dvc)"
},
{
"calculationID": "DLP_incidents_fillnull_dlp_type",
"calculationType": "Eval",
"outputFields": [
{
"comment": {
"description": "The type of DLP system that generated the event.",
"recommended": true
},
"fieldName": "dlp_type",
"displayName": "dlp_type",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
}
],
"expression": "if(isnull(dlp_type) OR dlp_type=\"\",\"unknown\",dlp_type)"
},
{
"calculationID": "DLP_Incidents_fillnull_object",
"calculationType": "Eval",
"outputFields": [
{
"comment": {
"description": "The name of the affected object.",
"recommended": true
},
"fieldName": "object",
"displayName": "object",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
}
],
"expression": "if(isnull(object) OR object=\"\",\"unknown\",object)"
},
{
"calculationID": "DLP_Incidents_fillnull_object_path",
"calculationType": "Eval",
"outputFields": [
{
"comment": {
"description": "The path of the affected object.",
"recommended": true
},
"fieldName": "object_path",
"displayName": "object_path",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
}
],
"expression": "if(isnull(object_path) OR object_path=\"\",\"unknown\",object_path)"
},
{
"calculationID": "DLP_Incidents_fillnull_object_category",
"calculationType": "Eval",
"outputFields": [
{
"comment": {
"description": "The category of the affected object.",
"recommended": true
},
"fieldName": "object_category",
"displayName": "object_category",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
}
],
"expression": "if(isnull(object_category) OR object_category=\"\",\"unknown\",object_category)"
},
{
"calculationID": "DLP_Incidents_fillnull_signature",
"calculationType": "Eval",
"outputFields": [
{
"comment": {
"description": "The name of the DLP event.",
"recommended": true
},
"fieldName": "signature",
"displayName": "signature",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
}
],
"expression": "if(isnull(signature) OR signature=\"\",\"unknown\",signature)"
},
{
"calculationID": "DLP_Incidents_fillnull_severity",
"calculationType": "Eval",
"outputFields": [
{
"comment": {
"description": "The severity of the DLP event.",
"recommended": true
},
"fieldName": "severity",
"displayName": "severity",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
}
],
"expression": "if(isnull(severity) OR severity=\"\",\"unknown\",severity)"
},
{
"calculationID": "DLP_Incidents_fillnull_src",
"calculationType": "Eval",
"outputFields": [
{
"comment": {
"description": "The source of the DLP event.",
"recommended": true
},
"fieldName": "src",
"displayName": "src",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
}
],
"expression": "if(isnull(src) OR src=\"\",\"unknown\",src)"
},
{
"calculationID": "DLP_Incidents_fillnull_src_user",
"calculationType": "Eval",
"outputFields": [
{
"comment": {
"description": "The source user of the DLP event.",
"recommended": true
},
"fieldName": "src_user",
"displayName": "src_user",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
}
],
"expression": "if(isnull(src_user) OR user=\"\",\"unknown\",src_user)"
},
{
"calculationID": "DLP_Incidents_fillnull_dest",
"calculationType": "Eval",
"outputFields": [
{
"comment": {
"description": "The target of the DLP event.",
"recommended": true
},
"fieldName": "dest",
"displayName": "dest",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
}
],
"expression": "if(isnull(dest) OR dest=\"\",\"unknown\",dest)"
},
{
"calculationID": "DLP_Incidents_fillnull_user",
"calculationType": "Eval",
"outputFields": [
{
"comment": {
"description": "The target user of the DLP event.",
"recommended": true
},
"fieldName": "user",
"displayName": "user",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
}
],
"expression": "if(isnull(user) OR user=\"\",\"unknown\",user)"
},
{
"calculationID": "DLP_Incidents_vendor_product",
"calculationType": "Eval",
"outputFields": [
{
"comment": {
"description": "The vendor and product name of the DLP system.",
"recommended": true
},
"fieldName": "vendor_product",
"displayName": "vendor_product",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
}
],
"expression": "case(isnotnull(vendor_product),vendor_product,isnotnull(vendor) AND vendor!=\"unknown\" AND isnotnull(product) AND product!=\"unknown\",vendor.\" \".product,isnotnull(vendor) AND vendor!=\"unknown\" AND (isnull(product) OR product=\"unknown\"),vendor.\" unknown\",(isnull(vendor) OR vendor=\"unknown\") AND isnotnull(product) AND product!=\"unknown\",\"unknown \".product,isnotnull(sourcetype),sourcetype,1=1,\"unknown\")"
}
],
"constraints": [
{
"search": "(`cim_DLP_indexes`) tag=dlp tag=incident"
}
],
"children": [
]
}
]
}