CIM
The Common Information Model (CIM) is a standardized data model developed by Splunk that normalizes event fields across data sources, so a search or detection can be written once and applied to every source that maps to the model. It provides:
Common Fields:
| Field Category | Fields | Description |
|---|---|---|
| Base Fields | source, sourcetype, timestamp, host, index | Core fields for event identification and source tracking |
| Identity Fields | user, src_user, dest_user | User identification and authentication tracking |
| Network Fields | src_ip, dest_ip, src_port, dest_port | Network communication endpoints |
Data Models:
| Model Type | Fields | Purpose |
|---|---|---|
| Authentication | action, app, status, auth_method | Track authentication events and access control |
| Network Traffic | bytes, protocol, direction, tcp_flags | Monitor network communications and traffic patterns |
| Vulnerability | severity, signature, vulnerability_id | Track security vulnerabilities and risks |
| Changes | - | Track system and configuration changes |
| Intrusion Detection | - | Monitor security threats and intrusions |
Event Categories:
| Category | Event Types | Description |
|---|---|---|
| Authentication | success, failure, logout | Authentication-related events and outcomes |
| Network | connection, alert, traffic | Network activity and communications |
| System | change, status, error | System-level events and status changes |
| Security | - | Security-related events and alerts |
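As an added example (not Splunk's or the CIM add-on's own code) of why this normalization matters: two constructed log formats are mapped onto the Authentication fields listed above (action, app, user, src), and one failed-logon detection is then run over both. The sshd regex, the key=value parsing and the app names are assumptions standing in for the field aliases and evals a technology add-on would supply.

```python
import re
from collections import Counter, defaultdict

# Constructed sample events: Linux sshd lines and Windows-style key=value
# events. Three failures come from the same source across both products.
RAW_EVENTS = [
    ("linux_secure", "Mar  3 10:01:02 host1 sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2"),
    ("linux_secure", "Mar  3 10:01:05 host1 sshd[812]: Failed password for root from 203.0.113.7 port 51130 ssh2"),
    ("linux_secure", "Mar  3 10:02:10 host1 sshd[820]: Accepted publickey for deploy from 198.51.100.4 port 40000 ssh2"),
    ("win_security", "EventCode=4625 Account_Name=admin Source_Network_Address=203.0.113.7 Logon_Type=3"),
    ("win_security", "EventCode=4624 Account_Name=svc_backup Source_Network_Address=10.0.0.5 Logon_Type=3"),
]

# Hypothetical sshd extraction; a real add-on ships its own field extractions.
SSHD_RE = re.compile(r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")

def normalize(sourcetype, raw):
    """Map one raw event onto CIM Authentication fields: action, app, user, src.
    Returns None when the event is not an authentication event we recognise."""
    if sourcetype == "linux_secure":
        m = SSHD_RE.search(raw)
        if not m:
            return None
        return {"action": "success" if m["result"] == "Accepted" else "failure",
                "app": "sshd", "user": m["user"], "src": m["src"]}
    if sourcetype == "win_security":
        kv = dict(part.split("=", 1) for part in raw.split())
        # 4624 = successful logon, 4625 = failed logon (Windows Security log)
        return {"action": "success" if kv.get("EventCode") == "4624" else "failure",
                "app": "win:logon", "user": kv.get("Account_Name"),
                "src": kv.get("Source_Network_Address")}
    return None

def failed_logons_by_src(events, threshold=3):
    """One detection written against the normalized fields only: sources with
    at least `threshold` failures, counted across every product that maps to
    the Authentication model."""
    fails = Counter()
    users = defaultdict(set)
    for sourcetype, raw in events:
        ev = normalize(sourcetype, raw)
        if ev and ev["action"] == "failure":
            fails[ev["src"]] += 1
            users[ev["src"]].add(ev["user"])
    return {src: {"count": n, "users": sorted(users[src])}
            for src, n in fails.items() if n >= threshold}
```

Because the detection reads only `action`, `user` and `src`, onboarding a third product means adding a mapping in `normalize`, not a new search.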