Non-CIM complaint mapping for cloud storage data
Use the following table to map the Splunk CIM field name to the non-CIM field name for cloud storage data. You can use the impala field names to validate the mapping values. The SPL examples show how to adjust field names and values to get cloud storage data into Splunk UBA correctly:
| Splunk CIM field name | Non-CIM field name example | Impala table field (fileaccess_s) | Example values ((Field_name, Filed_value) | SPL example |
|---|---|---|---|---|
| file_size | FILE_SIZE_BYTE | resourcesize | (FILE_SIZE_BYTE: 10280) | rename FILE_SIZE_BYTE as file_size
|
| object | SOURCE_FILE_NAME | resourcename | (SOURCE_FILE_NAME,'this_picture.png') | rename SOURCE_FILE_NAME as object
|
| object_type | ITEM_TYPE | resourcetype | ITEM_TYPE, 'File')(ITEM_TYPE, 'Folder')(ITEM_TYPE, 'Document')(ITEM_TYPE, 'Image') | rename ITEM_TYPE as object_type
|
| file_hash | ITEM_UNIQUE_ID | resourceid | (ITEM_UNIQUE_ID, '17283982137') | rename ITEM_UNIQUE_ID as file_hash
|
| object_path | FILE_PATH | source | (FILE_PATH, '/bpatinho/photos') | rename FilePath as object_path
|
| parent_category | PARENT_RS_TYPE | parentpathtype | (PARENT_RS_TYPE, 'Folder')(PARENT_RS_TYPE, 'Link') | rename PARENT_RS_TYPE as parent_category
|
| parent_hash | PARENT_HASH_ID | parentpathid | (PARENT_HASH_ID, '9864239674') | rename PARENT_HASH_ID as parent_hash
|
| src_user | SRC_USER | source | (SRC_USER, 'user1')(SRC_USER,'user2') | rename SRC_USER as src_user
|
| change_type | OPERATION | evcls | (Operation,' FileDownload')(OPERATION,'FILEPREVIEW')
(OPERATION,'FILEDELETE') (OPERATION,'FILECREATE') (OPERATION,'FILEEDIT') |
|
| app | APP_NAME | servicename | (APP_NAME,'Box')(APP_NAME,' Office365')(APP_NAME,' Google Drive') | rename APP_NAME as app
|
| dest_user | DEST_USER | destinationusername | (DEST_USER, 'Cronaldo') | rename DEST_USER as dest_user
|