Common Information Model Mapping
Fields from the input types of this add-on are mapped to the Splunk Common Information Model (CIM), a set of field names and tags from preconfigured data models that can be used to normalize and validate data. In the lists below, each entry reads as add-on field > CIM field; a {} suffix on an add-on field marks a multivalue field extracted from a JSON array.
FortiNDR Cloud Detections
CIM Data Model Source(s)
- Splunk CIM – Alerts
Mapped Fields
- uuid > id
- rule_name > subject
- rule_description > body
- rule_category > type
- rule_severity > severity
FortiNDR Cloud Events
CIM Data Model Source(s)
- Splunk CIM – Session Start
- Splunk CIM – Session End
- Splunk CIM – DHCP
- Splunk CIM – DNS
- Splunk CIM – Network
- Splunk CIM – All Traffic
- Splunk CIM – Traffic by Actions
- Splunk CIM – Allowed Traffic
- Splunk CIM – Blocked Traffic
Mapped Fields
- dst.ip > dest_ip
- dst.port > dest_port
- username > user
- proto > protocol
- src.ip > src_ip
- src.port > src_port
- total_pkts > packets
- total_ip_bytes > bytes
- service{} > tos
- answers{} > answer
- qtype_name > name
- qtype > query_type
FortiNDR Cloud Entities
CIM Data Model Source(s)
- Splunk CIM – DNS
Mapped Fields
- pdns{}.record_type > record_type