AgentSkillsCN

sourcetype-fields

Provides a complete field reference for all FAKE: sourcetypes in the fake_tshrt index. Use this skill when writing SPL queries, building dashboards, or understanding the data model.

SKILL.md

---
name: sourcetype-fields
description: Complete field reference for all FAKE: sourcetypes in the fake_tshrt index. Use when writing SPL queries, building dashboards, or understanding the data model.
---

Sourcetype Field Reference

Complete field inventory for all sourcetypes in index=fake_tshrt. Data spans January 2026 (~11.2M events, 40 sourcetypes, 511 hosts).

Common fields on ALL sourcetypes: host, source, sourcetype, index (fake_tshrt), _time

Scenario tagging: IDX_demo_id (indexed), demo_id (search-time) - values: exfil, ransomware_attempt, memory_leak, cpu_runaway, disk_filling, firewall_misconfig, certificate_expiry

SPL Quoting Rule for Nested Fields: When using eval, where, if, case, or search with dotted field names (e.g., properties.status.errorCode, requestParameters.bucketName), you MUST wrap the field name in single quotes:

  • Correct: | eval status=if('properties.status.errorCode'=0, "Success", "Failed")
  • Incorrect: | eval status=if(properties.status.errorCode=0, "Success", "Failed")

This applies to ALL fields with dots — Splunk treats unquoted dots as sub-search operators. The same rule covers field names containing braces, such as resources{}.type or Event.EventData.Data{@Name}. Commands like stats, table, and fields handle dotted fields without quotes, but eval/where/if/case do not.
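The quoting rule applied to a sign-in failure breakdown over FAKE:azure:aad:signin, as an added example that is not part of the original skill file. Inside eval the unquoted dot is the string concatenation operator, so an unquoted properties.status.errorCode is evaluated as three null fields joined together and the comparison silently never matches; quoting makes it a field reference. The error codes and their meanings are the ones listed in the signin field table of this document; the thresholds in the final where clause are illustrative assumptions.

```spl
index=fake_tshrt sourcetype="FAKE:azure:aad:signin"
| eval outcome=case('properties.status.errorCode'=0, "success",
                    'properties.status.errorCode'=50126, "bad_password",
                    'properties.status.errorCode'=53003, "blocked_by_conditional_access",
                    'properties.status.errorCode'=50076, "mfa_required",
                    true(), "other_failure")
| where outcome!="success"
| stats count AS failures,
        dc(properties.userPrincipalName) AS distinct_users,
        values(properties.status.failureReason) AS reasons
        BY outcome, properties.ipAddress
| where failures >= 5 OR distinct_users >= 3
| sort -failures
```

Note the contrast between the two halves: every nested field inside case() and the first where is single-quoted, while the stats command takes the same dotted names unquoted. The fields that stats produces (failures, distinct_users) contain no dots, so the second where needs no quoting. One source IP failing against several distinct users is the shape the riskDetection sourcetype labels passwordSpray, which makes this a useful sanity check when comparing the two sourcetypes.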

Quick Reference

| # | Sourcetype | Category | Fields | Host(s) | vendor_product |
|---|---|---|---|---|---|
| 1 | FAKE:cisco:asa | Network | 115 | FW-EDGE-01 | Cisco ASA |
| 2 | FAKE:meraki:securityappliances | Network | 41 | MX-BOS-01, MX-ATL-01, MX-AUS-01 | Cisco Meraki MX |
| 3 | FAKE:meraki:accesspoints | Network | 44 | AP-*-* (36 APs) | Cisco Meraki MR |
| 4 | FAKE:meraki:switches | Network | 39 | MS-*-* (11 switches) | Cisco Meraki MS |
| 5 | FAKE:meraki:cameras | Network | 41 | MV-*-* (19 cameras) | Cisco Meraki MV |
| 6 | FAKE:meraki:sensors | Network | 41 | MT-*-* (14 sensors) | Cisco Meraki MT |
| 7 | FAKE:meraki:accesspoints:health | Network | 49 | AP-*-* | Cisco Meraki MR |
| 8 | FAKE:meraki:switches:health | Network | 50 | MS-*-* | Cisco Meraki MS |
| 9 | FAKE:aws:cloudtrail | Cloud | 55 | aws | AWS CloudTrail |
| 10 | FAKE:azure:aad:signin | Cloud | 54 | azure_entraid | Microsoft Entra ID |
| 11 | FAKE:azure:aad:audit | Cloud | 40 | azure_entraid | Microsoft Entra ID |
| 12 | FAKE:azure:aad:riskDetection | Cloud | 39 | azure_entraid | Microsoft Entra ID |
| 13 | FAKE:google:gcp:pubsub:audit:admin_activity:demo | Cloud | 55 | faketshirtcompany-prod-01 | Google Cloud Platform |
| 14 | FAKE:google:gcp:pubsub:audit:data_access:demo | Cloud | 45 | faketshirtcompany-prod-01 | Google Cloud Platform |
| 15 | FAKE:cisco:webex:meetings | Collab | 45 | webex | Cisco Webex Meetings API |
| 16 | FAKE:cisco:webex:meetings:history:meetingusagehistory | Collab | 47 | webex | Cisco Webex Meetings |
| 17 | FAKE:cisco:webex:meetings:history:meetingattendeehistory | Collab | 42 | webex | Cisco Webex Meetings |
| 18 | FAKE:cisco:webex:admin:audit:events | Collab | 45 | webex | Cisco Webex Admin Audit |
| 19 | FAKE:cisco:webex:security:audit:events | Collab | 39 | webex | Cisco Webex Security Audit |
| 20 | FAKE:cisco:webex:meeting:qualities | Collab | 65 | webex | Cisco Webex Meeting Quality |
| 21 | FAKE:cisco:webex:call:detailed_history | Collab | 48 | webex | Cisco Webex Calling |
| 22 | FAKE:o365:reporting:messagetrace | Email | 58 | exchange | Microsoft Office 365 MessageTrace |
| 23 | FAKE:Perfmon:Processor | Windows | 29 | 27 servers + workstations | Windows Perfmon |
| 24 | FAKE:Perfmon:Memory | Windows | 29 | 27 servers + workstations | Windows Perfmon |
| 25 | FAKE:Perfmon:LogicalDisk | Windows | 29 | 27 servers + workstations | Windows Perfmon |
| 26 | FAKE:Perfmon:Network_Interface | Windows | 29 | 27 servers + workstations | Windows Perfmon |
| 27 | FAKE:WinEventLog | Windows | 63 | 14 servers | Microsoft Windows |
| 28 | FAKE:XmlWinEventLog:Sysmon | Windows | 47 | 27 servers + workstations | Microsoft Sysmon |
| 29 | FAKE:cpu | Linux | 29 | 5 Linux hosts | - |
| 30 | FAKE:vmstat | Linux | 28 | 5 Linux hosts | - |
| 31 | FAKE:df | Linux | 30 | 5 Linux hosts | - |
| 32 | FAKE:iostat | Linux | 28 | 5 Linux hosts | - |
| 33 | FAKE:interfaces | Linux | 28 | 5 Linux hosts | - |
| 34 | FAKE:access_combined | Web | 29 | WEB-01 | Apache |
| 35 | FAKE:online:order | Retail | 0 | - | NO DATA |
| 36 | FAKE:online:order:registry | Retail | 32 | WEB-01 | Retail Order System |
| 37 | FAKE:azure:servicebus | Retail | 0 | - | NO DATA |
| 38 | FAKE:servicenow:incident | ITSM | 52 | servicenow | ServiceNow |
| 39 | FAKE:servicenow:cmdb | ITSM | 0 | - | NO DATA |
| 40 | FAKE:servicenow:change | ITSM | 50 | servicenow | ServiceNow |
| 41 | FAKE:mssql:errorlog | Database | 30 | SQL-PROD-01 | Microsoft SQL Server |
| - | FAKE:cisco:webex:events | Collab | 0 | - | NO DATA |

Network

FAKE:cisco:asa

Host: FW-EDGE-01 | vendor_product: Cisco ASA | ~115 fields

| Field | Type | Distinct | Top Values |
|---|---|---|---|
| action | str | 4 | allowed (486), teardown (446), built (465), deny (9) |
| laction | str | 4 | built (465), teardown (446), deny (9), executed (6) |
| Cisco_ASA_message_id | num | 13 | 302014 (232), 302016 (214), 302013 (232), 302015 (214), 106023 (9) |
| message_id | num | 13 | same as Cisco_ASA_message_id |
| src / src_ip | str | 458 | 1.1.1.1, 8.8.8.8, 203.0.113.51, 10.30.30.160 |
| dest / dest_ip | str | 413 | 10.10.20.10, 172.16.1.10, 10.10.20.50, 10.30.30.20 |
| src_port | num | 478 | 53 (79), 80 (10), 443 (9), ephemeral ports |
| dest_port | num | 100 | 443 (345), 80 (156), 53 (79), 8080 (23), 22 (13) |
| transport | str | 2 | TCP (841), UDP (79) |
| protocol | str | 1 | ip |
| src_interface | str | 5 | outside (555), inside (228), aus (54), atl (44), bos (39) |
| dest_interface | str | 6 | dmz (463), outside (228), inside (92), atl (58), aus (43), bos (36) |
| src_zone | str | 5 | same as src_interface |
| dest_zone | str | 6 | same as dest_interface |
| direction | str | 2 | inbound (292), outbound (132) |
| session_id | num | 425 | random 6-digit numbers |
| duration | num | 73 | 0-578 sec, mean 30.7 |
| bytes_in | num | 164 | 0-976,028, mean 30,469 |
| bytes_out | num | 165 | 0-1,000,000, mean 29,629 |
| log_level | num | 3 | 6 (919), 5 (72), 4 (9) |
| severity_level | str | 3 | informational (919), notification (72), warning (9) |
| reason | str | 4 | TCP Reset-I (100), TCP Reset-O (96), TCP FINs (85), idle timeout (61) |
| user | str | 24 | VPN users - alex.miller, john.smith, etc. |
| group | str | 1 | Remote-Workers |
| rule | str | 3 | acl_outside, implicit-deny, outside_access_in |
| dvc | str | 1 | FW-EDGE-01 |
| ids_type | str | 1 | network |
| vendor | str | 1 | Cisco |
| product | str | 1 | ASA |

FAKE:meraki:securityappliances

Hosts: MX-BOS-01, MX-ATL-01, MX-AUS-01 | vendor_product: Cisco Meraki MX | 41 fields

| Field | Type | Distinct | Top Values |
|---|---|---|---|
| type | str | 6 | firewall (576), url (209), sd_wan_health (98), vpn_connectivity_change (49), vpn_tunnel_status (36), security_event (32) |
| category | str | 1 | appliance |
| description | str | 78 | Firewall flow allowed (549), SD-WAN wan1 health: active (56), VPN tunnel status changed (49) |
| deviceName | str | 3 | MX-BOS-01 (537), MX-ATL-01 (267), MX-AUS-01 (196) |
| networkId | str | 3 | N_FakeTShirtCo_BOS (537), N_FakeTShirtCo_ATL (267), N_FakeTShirtCo_AUS (196) |
| eventData.src | str | 500 | Internal IPs (10.10/20/30.30.x) |
| eventData.dst | str | 500 | 172.217.14.78, 54.239.28.85, 52.169.118.173, 140.82.121.4 |
| eventData.sport | num | 500 | Ephemeral ports |
| eventData.dport | num | 8 | 8080 (79), 443 (77), 25 (76), 587 (74), 3389 (73) |
| eventData.protocol | str | 2 | tcp (303), udp (273) |
| eventData.pattern | str | 2 | allow all (549), deny all (27) |
| eventData.mac | str | 500 | Client MAC addresses |
| eventData.url | str | 74 | google.com, slack.com, api.service.com, github.com, microsoft.com |
| eventData.method | str | 1 | GET |
| eventData.status | str | 3 | active (80), up (36), degraded (18) |
| eventData.wan | str | 2 | wan1 (65), wan2 (33) |
| eventData.latency_ms | num | 85 | 13-27ms range |
| eventData.jitter_ms | num | 60 | 1-4ms range |
| eventData.loss_pct | num | 53 | 0.3-0.5% range |
| eventData.vpn_type | str | 2 | site-to-site (26), client (23) |
| eventData.connectivity | str | 2 | true (35), false (14) |
| eventData.peer | str | 2 | MX-AUS-01 (24), MX-ATL-01 (12) |
| subtype | str | 3 | content_filtering (22), amp_malware_blocked (7), client_isolation (3) |
| eventData.category (content) | str | 7 | Gambling (7), Botnets (4), Social Networking (4), Streaming Media (3) |
| eventData.threatName | str | 5 | Doc.Dropper.Generic, JS.Downloader.Generic, Win.Ransomware.Locky |

FAKE:meraki:accesspoints

Hosts: 36 APs (AP-BOS-*/AP-ATL-*/AP-AUS-*) | vendor_product: Cisco Meraki MR | 44 fields

| Field | Type | Distinct | Top Values |
|---|---|---|---|
| type | str | 6 | association (489), disassociation (248), 8021x_eap_success (172), wpa_auth (81), 8021x_eap_failure (9), rogue_ssid_detected (1) |
| description | str | 6 | 802.11 association, 802.11 disassociation, 802.1X EAP authentication succeeded, WPA authentication |
| category | str | 1 | wireless |
| deviceName | str | 36 | AP-BOS-3F-06 (45), AP-BOS-2F-02 (42), etc. |
| networkId | str | 3 | N_FakeTShirtCo_BOS (525), N_FakeTShirtCo_ATL (261), N_FakeTShirtCo_AUS (214) |
| clientIp | str | 500 | 10.10/20/30.30.x range |
| clientMac | str | 500 | Unique MAC addresses |
| eventData.radio | str | 2 | 1 (722), 0 (277) |
| eventData.channel | num | 11 | 1, 6, 11, 36, 40, 44, 48, 149, 153, 157, 161 |
| eventData.rssi | num | 51 | 20-70 range, mean 43.9 |
| eventData.vap | num | 4 | 0, 1, 2, 3 |
| eventData.identity | str | 108 | employee emails @theFakeTshirtCompany.com |
| eventData.duration | num | 248 | 72-28764 seconds |
| eventData.reason | num | 5 | 1, 3, 4, 8, 23 |
| ssidNumber | num | 4 | 0-3 |

FAKE:meraki:switches

Hosts: 11 switches (MS-BOS-*/MS-ATL-*/MS-AUS-*) | vendor_product: Cisco Meraki MS | 39 fields

| Field | Type | Distinct | Top Values |
|---|---|---|---|
| type | str | 4 | port_status (614), stp_topology_change (208), 8021x_port_auth (178) |
| description | str | 32 | Port 5 link up at 1 Gbps, STP topology change detected, etc. |
| deviceName | str | 11 | MS-BOS-CORE-01, MS-ATL-CORE-01, MS-BOS-1F-01, etc. |
| eventData.port | str | 31 | Port 1-48 |
| eventData.speed | str | 3 | 1 Gbps, 10 Gbps, 100 Mbps |
| eventData.status | str | 2 | up, down |
| eventData.client_mac | str | 500 | MAC addresses |
| eventData.vlan | num | 14 | 10, 20, 30, 100, 200, 300 |
| eventData.identity | str | 92 | Employee emails |

FAKE:meraki:cameras

Hosts: 19 cameras (MV-BOS-*/MV-ATL-*/MV-AUS-*) | vendor_product: Cisco Meraki MV | 41 fields

| Field | Type | Distinct | Top Values |
|---|---|---|---|
| type | str | 4 | motion_detection (425), person_detection (342), analytics (160), health_status (73) |
| description | str | 400+ | Motion detected in zone..., Person detected..., etc. |
| eventData.zone | str | 6 | entrance, lobby, parking, hallway, server_room, loading_dock |
| eventData.confidence | num | 52 | 60-99% range |
| eventData.people_count | num | 10 | 0-15 people |
| eventData.motion_score | num | 66 | 15-100% |

FAKE:meraki:sensors

Hosts: 14 sensors (MT-*) | vendor_product: Cisco Meraki MT | 41 fields

| Field | Type | Distinct | Top Values |
|---|---|---|---|
| type | str | 4 | temperature (485), humidity (260), door (185), water_leak (70) |
| eventData.temperature_c | num | 125 | 19.8-28.5C range |
| eventData.humidity_pct | num | 60 | 35-65% range |
| eventData.door_status | str | 2 | open, closed |
| eventData.water_detected | str | 2 | false (majority), true (rare) |
| eventData.location | str | 10 | Server Room A, Server Room B, MDF, IDF-*, Data Center |

FAKE:meraki:accesspoints:health

Hosts: 36 APs | vendor_product: Cisco Meraki MR | 49 fields

| Field | Type | Distinct | Top Values |
|---|---|---|---|
| metrics.channel_utilization | num | ~50 | 15-85% |
| metrics.client_count | num | ~30 | 0-45 clients |
| metrics.noise_floor | num | ~15 | -95 to -80 dBm |
| metrics.power_level | num | 3 | 8, 11, 14 dBm |
| metrics.band | str | 2 | 5GHz, 2.4GHz |
| status | str | 2 | online (majority), degraded |

FAKE:meraki:switches:health

Hosts: 11 switches | vendor_product: Cisco Meraki MS | 50 fields

| Field | Type | Distinct | Top Values |
|---|---|---|---|
| metrics.cpu_pct | num | ~50 | 10-60% |
| metrics.memory_pct | num | ~40 | 30-70% |
| metrics.port_errors | num | ~20 | 0-50 |
| metrics.power_draw_watts | num | ~100 | 50-400W |
| metrics.temperature_c | num | ~30 | 30-55C |
| metrics.uptime_seconds | num | 500 | High values (weeks) |
| status | str | 2 | online, degraded |

Cloud

FAKE:aws:cloudtrail

Host: aws | vendor_product: AWS CloudTrail | 55 fields

| Field | Type | Distinct | Top Values |
|---|---|---|---|
| eventName / action | str | 8 | GetObject (257), PutObject (212), Invoke (190), DescribeInstances (147), ListUsers (97) |
| eventSource | str | 5 | s3.amazonaws.com (469), lambda.amazonaws.com (190), ec2.amazonaws.com (147), iam.amazonaws.com (99), sts.amazonaws.com (95) |
| awsRegion / dest | str | 1 | us-east-1 |
| eventType | str | 1 | AwsApiCall |
| sourceIPAddress / src | str | 11 | lambda.amazonaws.com (166), 10.20.30.15 (126), 10.10.30.182 (118) |
| userIdentity.type | str | 2 | IAMUser (701), AssumedRole (299) |
| userIdentity.userName / user | str | 8 | jessica.brown (126), patrick.gonzalez (118), carlos.martinez (114), david.robinson (111), brandon.turner (104) |
| userIdentity.arn | str | 11 | IAM users + assumed roles (DataPipelineRole, DeploymentPipelineRole, BackupServiceRole) |
| userIdentity.accountId / recipientAccountId | num | 1 | 123456789012 |
| requestParameters.bucketName | str | 4 | faketshirtcompany-backups (153), faketshirtcompany-prod-data (148), faketshirtcompany-logs (141), faketshirtco-financial-reports (27) |
| requestParameters.key | str | 442 | confidential/customer-database.csv, confidential/employee-salaries.csv, reports/, financial/ |
| requestParameters.functionName | str | 4 | api-handler, process-orders, send-notifications, data-transform |
| requestParameters.instancesSet.items{}.instanceId | str | 3 | i-0def789abc012, i-0123456789abc, i-0abc123def456 |
| resources{}.type | str | 4 | AWS::S3::Object (469), AWS::S3::Bucket (442), AWS::Lambda::Function (190), AWS::EC2::Instance (147) |
| userAgent | str | 7 | console.aws.amazon.com (573), lambda.amazonaws.com (166), aws-cli/2.15.0 (99), s3.amazonaws.com (85) |
| readOnly | str | 2 | true (596), false (402) |
| app | str | 1 | aws |

FAKE:azure:aad:signin

Host: azure_entraid | vendor_product: Microsoft Entra ID | 54 fields

| Field | Type | Distinct | Top Values |
|---|---|---|---|
| properties.userPrincipalName | str | 182 | claire.roberts@, lucy.rogers@, madison.quinn@, nicholas.kelly@ |
| identity | str | 183 | Display names: Claire Roberts, Lucy Rogers, Madison Quinn |
| properties.ipAddress / callerIpAddress / src | str | 192 | 10.10.30/31.x, 10.20.30.x, 10.30.30.x |
| properties.status.errorCode | num | 5 | 0 (934 success), 50126 (28 bad password), 53003 (15 CA blocked), 50076 (12 MFA), 50074 (11) |
| properties.status.failureReason | str | 4 | Invalid username or password (28), Blocked by Conditional Access (15), MFA required (12) |
| properties.conditionalAccessStatus | str | 3 | success (934), failure (49), notApplied (17) |
| properties.appDisplayName | str | 8 | Custom HR App (142), SharePoint Online (142), Microsoft Graph (136), Custom Finance App (135), Microsoft Teams (129) |
| properties.clientAppUsed | str | 3 | Browser (751), Mobile Apps and Desktop clients (222), Other clients (27) |
| properties.deviceDetail.operatingSystem | str | 6 | Windows 11 (501), macOS (229), Windows 10 (204), iOS (25), Android (24) |
| properties.deviceDetail.browser | str | 3 | Chrome 120.0 (451), Edge 120.0 (202), Safari 17.2 (81) |
| properties.deviceDetail.displayName | str | 175 | Workstation names (BOS-WS-*, ATL-WS-*, AUS-WS-*) |
| properties.deviceDetail.isCompliant | str | 2 | true (934), false (17) |
| properties.location.city | str | 10 | Boston (521), Atlanta (235), Austin (227), Sao Paulo (4) |
| properties.location.countryOrRegion / location | str | 7 | US (986), BR (4), CN (3), DE (2), FR (2) |
| properties.mfaDetail.authMethod | str | 5 | Microsoft Authenticator (312), Previously satisfied (189), Phone call (151), Mobile app verification code (142), FIDO2 security key (140) |
| properties.authenticationRequirement | str | 1 | multiFactorAuthentication |
| properties.isInteractive | str | 1 | true |
| properties.riskState | str | 1 | none |
| tenantId | str | 1 | af23e456-7890-1234-5678-abcdef012345 |
| category | str | 1 | SignInLogs |
| action | str | 1 | failure |

FAKE:azure:aad:audit

Host: azure_entraid | vendor_product: Microsoft Entra ID | 40 fields | 627 events

| Field | Type | Distinct | Top Values |
|---|---|---|---|
| operationName / properties.activityDisplayName | str | 16 | Self-service password reset flow activity progress (192), Add member to group (98), Update user (95), Remove member from group (86), Update group (78) |
| properties.initiatedBy.user.displayName / identity | str | 140 | IT Admin (142), Security Admin (118), Helpdesk Admin (106), + individual employees |
| properties.initiatedBy.user.userPrincipalName | str | 140 | it.admin@, sec.admin@, helpdesk@, + employee UPNs |
| callerIpAddress / src | str | 243 | 10.20.30.10 (142), 10.10.10.50 (118), 10.10.10.51 (106) |
| properties.result / resultType | str | 2 | success/Success (583), failure/Failure (44) |
| properties.category | str | 4 | UserManagement (621), ApplicationManagement (4), Policy (1), RoleManagement (1) |
| properties.loggedByService | str | 3 | Core Directory (366), Self-service Password Management (260), Authentication Methods (1) |
| properties.targetResources{}.displayName | str | 177 | Target user display names |
| properties.targetResources{}.type | str | 5 | User (621), Other (2), ServicePrincipal (2), Application (1), Policy (1) |
| properties.operationType | str | 2 | Update (626), Add (1) |
| tenantId | str | 1 | af23e456-7890-1234-5678-abcdef012345 |
| category | str | 1 | AuditLogs |

FAKE:azure:aad:riskDetection

Host: azure_entraid | vendor_product: Microsoft Entra ID | 39 fields | 69 events

| Field | Type | Distinct | Top Values |
|---|---|---|---|
| properties.riskEventType / properties.riskType | str | 7 | maliciousIPAddress (24), unfamiliarFeatures (18), impossibleTravel (7), passwordSpray (6), leakedCredentials (5) |
| properties.riskLevel | str | 3 | medium (36), high (19), low (14) |
| properties.riskState | str | 1 | atRisk |
| properties.riskDetail | str | 7 | Sign-in from a malicious IP address (24), Sign-in with unfamiliar properties (18) |
| properties.userPrincipalName / user | str | 32 | alex.miller@ (29), jessica.brown@ (9), monique.wright@ (2) |
| properties.ipAddress / callerIpAddress / src | str | 32 | 185.220.101.42 (38 - threat actor), 102.67.x.x (random) |
| properties.location.city | str | 2 | Frankfurt (38), Unknown (31) |
| properties.location.countryOrRegion | str | 2 | Germany (38), Unknown (31) |
| properties.source | str | 1 | IdentityProtection |
| properties.activity | str | 1 | signin |
| properties.detectionTimingType | str | 1 | realtime |
| app | str | 1 | azure:aad |

FAKE:google:gcp:pubsub:audit:admin_activity:demo

Host: faketshirtcompany-prod-01 | 55 fields

| Field | Type | Distinct | Top Values |
|---|---|---|---|
| protoPayload.methodName | str | 8 | compute.instances.list, storage.objects.get, jobcompleted, CloudFunctionsService.CallFunction, storage.objects.create, SetIamPolicy, CreateServiceAccount, CreateServiceAccountKey |
| protoPayload.serviceName | str | 6 | storage (346), compute (242), bigquery (210), cloudfunctions (199), iam (2), cloudresourcemanager (1) |
| protoPayload.authenticationInfo.principalEmail | str | 4 | svc-storage (357), svc-compute (334), svc-functions (306), alex.miller (3) |
| protoPayload.requestMetadata.callerIp | str | 500 | Internal IPs, including 185.220.101.42 (threat actor) |
| resource.type | str | 6 | gcs_bucket, gce_instance, bigquery_dataset, cloud_function, service_account, project |
| resource.labels.project_id | str | 1 | faketshirtcompany-prod-01 |
| severity | str | 2 | INFO (997), NOTICE (3) |
| logName | str | 1 | cloudaudit.googleapis.com%2Factivity |
| demo_id | str | 1 | exfil (170) |

FAKE:google:gcp:pubsub:audit:data_access:demo

Host: faketshirtcompany-prod-01 | 45 fields | 407 events

| Field | Type | Distinct | Top Values |
|---|---|---|---|
| protoPayload.methodName | str | 3 | storage.objects.get (405), storage.buckets.getIamPolicy (1), storage.objects.list (1) |
| protoPayload.serviceName | str | 1 | storage.googleapis.com |
| protoPayload.authenticationInfo.principalEmail | str | 6 | svc-functions (135), svc-compute (131), svc-storage (126), compute-admin (13), alex.miller (1) |
| protoPayload.resourceName | str | 398 | Includes confidential bucket objects: finance/budget, hr/salary-data, legal/contracts, executive/board-minutes, strategy/roadmap |
| resource.labels.bucket_name | str | 1 | faketshirtco-confidential (15 events only) |
| resource.type | str | 1 | gcs_bucket |
| demo_id | str | 1 | exfil (203) |

Collaboration

FAKE:cisco:webex:meetings

Host: webex | vendor_product: Cisco Webex Meetings API | 45 fields | 436 events

| Field | Type | Distinct | Top Values |
|---|---|---|---|
| title | str | 10 | Weekly Team Sync, Sprint Planning, etc. |
| hostDisplayName | str | 158 | Employee display names |
| hostEmail | str | ~158 | employee@theFakeTshirtCompany.com |
| meetingType | str | 1 | scheduledMeeting |
| state | str | 1 | ended |
| siteUrl | str | 1 | theFakeTshirtCompany.webex.com |
| timezone | str | 1 | America/New_York |
| vendor | str | 1 | Cisco |
| product | str | 1 | Webex |

FAKE:cisco:webex:meetings:history:meetingusagehistory

Host: webex | vendor_product: Cisco Webex Meetings | 47 fields | 343 events

| Field | Type | Distinct | Top Values |
|---|---|---|---|
| confName | str | 18 | Meeting types (team syncs, standups, reviews, etc.) |
| hostEmail | str | 157 | Employee emails |
| meetingType | str | 4 | TC, EC, SC, MC |
| duration | num | - | 15-120 minutes |
| peakAttendee | num | - | 1-40 |
| totalParticipants | num | - | 3-41 |

FAKE:cisco:webex:meetings:history:meetingattendeehistory

Host: webex | vendor_product: Cisco Webex Meetings | 42 fields

| Field | Type | Distinct | Top Values |
|---|---|---|---|
| attendeeEmail | str | 238 | Employee + external emails |
| attendeeName | str | 198 | Attendee display names |
| confName | str | 18 | Meeting types |
| hostEmail | str | 94 | Meeting hosts |
| clientOS | str | 7 | Windows, macOS, iOS, Android, etc. |
| clientType | str | 6 | Desktop App, Browser, Mobile, etc. |
| participantType | str | 3 | ATTENDEE, HOST, GUEST |
| ipAddress | str | 500 | Attendee IP addresses |

FAKE:cisco:webex:admin:audit:events

Host: webex | vendor_product: Cisco Webex Admin Audit | 45 fields | 367 events

| Field | Type | Distinct | Top Values |
|---|---|---|---|
| data.actorEmail | str | 2 | jessica.brown (exfil actor), mike.johnson (CTO) |
| data.actorName | str | 2 | Jessica Brown, Mike Johnson |
| data.eventCategory | str | 5 | COMPLIANCE, MEETINGS, GROUPS, USERS, DEVICES |
| data.eventDescription | str | 17 | Various admin audit actions |
| data.targetName | str | 152 | Target resources |
| data.actionText | str | 357 | Unique action descriptions |
| demo_id | str | 1 | exfil (161) |

FAKE:cisco:webex:security:audit:events

Host: webex | vendor_product: Cisco Webex Security Audit | 39 fields

| Field | Type | Distinct | Top Values |
|---|---|---|---|
| data.eventDescription | str | 2 | A user logged out (569), A user logged in (431) |
| data.eventCategory | str | 1 | LOGINS |
| data.actorEmail | str | 167 | All employee emails |
| data.actorIp | str | 167 | Employee IP addresses |

FAKE:cisco:webex:meeting:qualities

Host: webex | vendor_product: Cisco Webex Meeting Quality | 65 fields

| Field | Type | Distinct | Top Values |
|---|---|---|---|
| clientType | str | 4 | Webex Desktop (564), Web Browser (193), Mobile iOS (137), Mobile Android (106) |
| osType | str | 4 | Windows (464), macOS (293), iOS (137), Android (106) |
| networkType | str | 3 | wifi (485), ethernet (391), cellular (124) |
| hardwareType | str | 12 | HP EliteBook, Dell Latitude, Lenovo ThinkPad, MacBook Pro/Air, iPhone 14/15, iPad Pro, Samsung Galaxy, Google Pixel |
| audioIn{}.codec | str | 3 | G.711, opus, G.722 |
| audioIn{}.latency{} | num | - | 30-80ms |
| audioIn{}.jitter{} | num | - | 2-15ms |
| audioIn{}.packetLoss{} | num | - | 0.0-2.0% |
| audioIn{}.transportType | str | 2 | TCP, UDP |
| videoIn{}.codec | str | 3 | H.264, VP8, VP9 |
| videoIn{}.frameRate{} | num | 2 | 24, 30 fps |
| videoIn{}.resolutionHeight{} | num | 2 | 720, 1080 |
| videoIn{}.packetLoss{} | num | - | 0.0-3.0% |
| joinMeetingTime | num | - | 3-15 seconds |
| serverRegion | str | 4 | APAC, US West, EU West, US East |
| resources.processAverageCPU{} | num | - | 10-30% |
| resources.systemAverageCPU{} | num | - | 30-60% |
| webexUserEmail | str | 175 | All employee emails |
| publicIP | str | 252 | 203.0.113.x range |
| localIP | str | 175 | Internal IPs |

FAKE:cisco:webex:call:detailed_history

Host: webex | vendor_product: Cisco Webex Calling | 48 fields | 599 events

| Field | Type | Distinct | Top Values |
|---|---|---|---|
| Call type | str | 3 | SIP_ENTERPRISE (220), SIP_NATIONAL (215), WEBEX_CALLING (164) |
| Call outcome | str | 2 | Success (526), NoAnswer (73) |
| Answered | str | 2 | true (526), false (73) |
| Direction | str | 1 | ORIGINATING |
| Duration | num | - | 0-599 seconds, mean 277 |
| User | str | 171 | employee@theFakeTshirtCompany.com |
| Called number | str | - | +1555xxxxxxx format |
| Dialed digits | str | - | 555xxxx |
| Client type | str | 4 | Desktop, mobile, etc. |
| User type | str | 1 | User |
| product | str | 1 | Webex Calling |

Email

FAKE:o365:reporting:messagetrace

Host: exchange | vendor_product: Microsoft Office 365 MessageTrace | 58 fields

| Field | Type | Distinct | Top Values |
|---|---|---|---|
| SenderAddress / src_user | str | 236 | facilities@, noreply@github.com, communications@, ceo-office@, splunk-alerts@ |
| RecipientAddress / recipient | str | 221 | boston-all@, employee emails, distribution lists (hr-team, finance, engineering) |
| Subject / subject | str | 300 | Team Lunch Friday? (55), Quick Question (47), RE: Action Items, FW: Customer Feedback, meeting invites |
| Status / status_code | str | 2 | Delivered (988), FilteredAsSpam (12) |
| action | str | 2 | delivered (988), blocked (12) |
| FromIP / src | str | 238 | 10.10.20.51 (396), 10.10.20.50 (368), external IPs |
| ToIP / dest | str | 134 | 10.10.20.50 (449), 10.10.20.51 (419) |
| Size / size | num | 500 | 2KB-2MB, mean 324KB |
| MessageTraceId | str | 500 | Unique UUIDs |
| src_user_domain | str | 24 | theFakeTshirtCompany.com (761), fabrikam.com, adventureworks.com, contoso.com, gmail.com |
| recipient_domain | str | 16 | theFakeTshirtCompany.com (860), outlook.com, gmail.com, northwindtraders.com |
| recipient_count | num | 1 | 1 |
| SystemName | str | 7 | GitHub (14), Splunk (11), Jira (9), Azure (8), ServiceNow (7), Slack (6), AWS (4) |

Windows

FAKE:Perfmon:Processor

Hosts: 27 (servers + workstations) | vendor_product: Windows Perfmon | 29 fields

| Field | Type | Distinct | Top Values |
|---|---|---|---|
| collection | str | 1 | Processor |
| object | str | 1 | Processor |
| counter | str | 3 | % Processor Time, % Idle Time, % Interrupt Time |
| instance | str | 1 | _Total |
| Value | num | 500 | 0.0-100.0 (% values) |
| demo_host | str | 27 | SQL-PROD-01, DC-BOS-01, WEB-01, BOS-WS-*, ATL-WS-*, AUS-WS-* |

FAKE:Perfmon:Memory

Hosts: 27 | vendor_product: Windows Perfmon | 29 fields

| Field | Type | Distinct | Top Values |
|---|---|---|---|
| collection | str | 1 | Memory |
| object | str | 1 | Memory |
| counter | str | 4 | Available MBytes, % Committed Bytes In Use, Pages/sec, Pool Nonpaged Bytes |
| Value | num | 500 | Varies by counter (MBytes, %, pages/sec) |
| demo_host | str | 27 | Same hosts as Processor |

FAKE:Perfmon:LogicalDisk

Hosts: 27 | vendor_product: Windows Perfmon | 29 fields

| Field | Type | Distinct | Top Values |
|---|---|---|---|
| collection | str | 1 | LogicalDisk |
| object | str | 1 | LogicalDisk |
| counter | str | 4 | % Free Space, Free Megabytes, Disk Read Bytes/sec, Disk Write Bytes/sec |
| instance | str | 2 | C:, D: |
| Value | num | 500 | Varies by counter |
| demo_host | str | 27 | Same hosts |

FAKE:Perfmon:Network_Interface

Hosts: 27 | vendor_product: Windows Perfmon | 29 fields

| Field | Type | Distinct | Top Values |
|---|---|---|---|
| collection | str | 1 | Network Interface |
| object | str | 1 | Network Interface |
| counter | str | 4 | Bytes Received/sec, Bytes Sent/sec, Packets Received/sec, Packets Sent/sec |
| instance | str | 1 | Intel[R] Ethernet Connection I219-LM |
| Value | num | 500 | Bytes/sec or packets/sec |
| demo_host | str | 27 | Same hosts |

FAKE:WinEventLog

Hosts: 14 servers | vendor_product: Microsoft Windows | 63 fields

| Field | Type | Distinct | Top Values |
|---|---|---|---|
| EventCode / signature_id | num | 12 | 7036 (430), 4624 (142), 10016 (140), 37 (132), 1014 (99) |
| LogName | str | 3 | System (842), Security (154), Application (4) |
| SourceName | str | 9 | Service Control Manager (430), Microsoft-Windows-Security-Auditing (154), Microsoft-Windows-DistributedCOM (140), Microsoft-Windows-Time-Service (132), Microsoft-Windows-DNS-Client (99) |
| ComputerName / dvc | str | 14 | DC-ATL-01, DC-BOS-02, BACKUP-ATL-01, APP-BOS-01, DC-BOS-01, SQL-PROD-01, FILE-BOS-01 |
| Type | str | 2 | Information (761), Warning (239) |
| Keywords | str | 3 | Classic (846), Audit Success (150), Audit Failure (4) |
| TaskCategory / category | str | 4 | None (846), Logon (146), Special Logon (5), Process Creation (3) |
| action | str | 2 | success (753), failure (243) |
| severity | str | 2 | informational (761), medium (239) |
| signature | str | 9 | Service entered the running/stopped state, An account was successfully logged on, Application-specific permission settings... |
| Logon_Type | num | 3 | 10-Remote (61), 3-Network (47), 2-Interactive (38) |
| Account_Name | str | 101 | Employee account names |
| Account_Domain | str | 2 | FAKETSHIRTCO, - |
| Source_Network_Address | str | 99 | Internal IPs |
| Workstation_Name | str | 86 | Employee workstation names |
| New_Process_Name | str | 2 | powershell.exe, curl.exe (exfil) |
| Process_Command_Line | str | 3 | Exfil commands (Compress-Archive, Base64, curl upload) |
| Failure_Reason | str | 1 | Unknown user name or bad password |
| RecordNumber | num | 500 | Sequential event records |
| app | str | 1 | windows |

FAKE:XmlWinEventLog:Sysmon

Hosts: 27 (servers + workstations) | vendor_product: Microsoft Sysmon | 47 fields

| Field | Type | Distinct | Top Values |
|---|---|---|---|
| Event.System.EventID | num | 5 | 1-ProcessCreate (341), 3-NetworkConnect (251), 22-DNSQuery (156), 11-FileCreate (146), 13-RegistryValueSet (106) |
| Event.System.Computer | str | 27 | FQDN hostnames (.theFakeTshirtCompany.com) |
| Event.System.Channel | str | 1 | Microsoft-Windows-Sysmon/Operational |
| Event.System.Provider{@Name} | str | 1 | Microsoft-Windows-Sysmon |
| Event.EventData.Data | str | 500+ | Process paths, usernames, IPs, registry keys (multivalue) |
| Event.EventData.Data{@Name} | str | 43 | Image, ProcessGuid, ProcessId, RuleName, User, UtcTime, Hashes, CommandLine, Company, CurrentDirectory, ParentImage, DestinationIp, DestinationPort, QueryName, TargetFilename, TargetObject |
| Event.System.EventRecordID | num | 500 | 36138-37146 |
| Event.System.Level | num | 1 | 4 (Information) |
| Event.System.Security{@UserID} | str | 1 | S-1-5-18 |
| vendor | str | 1 | Microsoft |
| product | str | 1 | Sysmon |

Key EventIDs:

  • 1: Process Create - CommandLine, ParentImage, Company, FileVersion
  • 3: Network Connection - DestinationIp, DestinationPort, Protocol, SourcePort
  • 11: File Create - TargetFilename, CreationUtcTime
  • 13: Registry Value Set - TargetObject, Details, EventType
  • 22: DNS Query - QueryName, QueryResults, QueryStatus
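The Sysmon sourcetype exposes the per-event attributes as two parallel multivalue fields, Event.EventData.Data{@Name} (the attribute names) and Event.EventData.Data (their values), rather than as individual fields. The search below, an added example that is not part of the original skill file, pairs them up with the standard eval functions mvfind and mvindex to recover the EventID 3 fields named above and then summarises network-connection fan-out per process. It assumes both multivalue fields are extracted in document order, so position i in one lines up with position i in the other; the fan-out threshold of 10 is an illustrative value. The search command on the first line does not need quotes around the dotted EventID field; the eval lines, which reference names containing dots and braces, do.

```spl
index=fake_tshrt sourcetype="FAKE:XmlWinEventLog:Sysmon" Event.System.EventID=3
| eval names='Event.EventData.Data{@Name}', vals='Event.EventData.Data'
| eval Image=mvindex(vals, mvfind(names, "^Image$")),
       User=mvindex(vals, mvfind(names, "^User$")),
       DestinationIp=mvindex(vals, mvfind(names, "^DestinationIp$")),
       DestinationPort=mvindex(vals, mvfind(names, "^DestinationPort$"))
| stats count AS connections,
        dc(DestinationIp) AS dest_count,
        values(DestinationPort) AS ports
        BY Event.System.Computer, User, Image
| where dest_count >= 10
| sort -dest_count
```

The same two eval lines work unchanged for the other EventIDs: swap the regexes for the names listed against that ID (CommandLine and ParentImage for EventID 1, QueryName for EventID 22, TargetObject for EventID 13) and the result is a flat field that stats, table, and where can use. mvfind returns null when a name is absent from an event, and mvindex with a null index yields null, so events that lack one of the attributes simply carry an empty field rather than breaking the search.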

Linux

FAKE:cpu

Hosts: DEV-ATL-01, DEV-ATL-02, MON-ATL-01, WEB-01, WEB-02 | 29 fields

| Field | Type | Distinct | Top Values |
|---|---|---|---|
| metric_name | str | 1 | cpu |
| cpu_load_percent | num | 315 | 10.0-49.9%, mean 24.25 |
| pctUser | num | 234 | 7.0-34.9%, mean 16.98 |
| pctSystem | num | 80 | 2.0-10.0%, mean 4.85 |
| pctIOWait | num | 41 | 1.0-5.0%, mean 2.43 |
| pctIdle | num | 315 | 50.1-90.0%, mean 75.75 |
| cpu_count | num | 1 | 4 |
| dest | str | 5 | Equal distribution across 5 hosts |

FAKE:vmstat

Hosts: Same 5 Linux hosts | 28 fields

| Field | Type | Distinct | Top Values |
|---|---|---|---|
| metric_name | str | 1 | memory |
| memTotalMB | num | 2 | 16384 (800), 65536 (200) |
| memUsedMB | num | 500 | 4898-35389, mean 13389 |
| memFreeMB | num | 500 | 3290-32768, mean 12825 |
| memCachedMB | num | 500 | 1974-19660, mean 7695 |
| pctUsed | num | 361 | 29.9-79.9%, mean 50.45 |

FAKE:df

Hosts: Same 5 Linux hosts | 30 fields

| Field | Type | Distinct | Top Values |
|---|---|---|---|
| metric_name | str | 1 | disk |
| TotalGB | num | 1 | 500 |
| UsedGB | num | 149 | 200-349, mean 264 |
| AvailGB | num | 149 | 151-300, mean 236 |
| UsedPct | num | 287 | 40.1-70.0%, mean 52.87 |

FAKE:iostat

Hosts: Same 5 Linux hosts | 28 fields

| Field | Type | Distinct | Top Values |
|---|---|---|---|
| metric_name | str | 1 | disk_io |
| device | str | 1 | sda |
| rkB_s | num | 500 | 17-4975, mean 1507 |
| wkB_s | num | 500 | 10-1991, mean 596 |
| await | num | 500 | 0.56-18.35ms, mean 7.52 |
| pctUtil | num | 241 | 5.0-30.0%, mean 17.49 |

FAKE:interfaces

Hosts: Same 5 Linux hosts | 28 fields

| Field | Type | Distinct | Top Values |
|---|---|---|---|
| metric_name | str | 1 | network |
| rxKB_s | num | 500 | 157-49798, mean 14123 |
| txKB_s | num | 500 | 42-19951, mean 5942 |
| rxPackets | num | 500 | 2669-2363000, mean 433035 |
| txPackets | num | 500 | 814-972400, mean 180714 |

Web / Retail

FAKE:access_combined

Host: WEB-01 | vendor_product: Apache | 29 fields

| Field | Type | Distinct | Top Values |
|---|---|---|---|
| http_method / method | str | 2 | GET (913), POST (87) |
| http_status / status | num | 5 | 200 (954), 304 (17), 301 (15), 500 (9), 404 (5) |
| uri / url | str | 144 | / (83), /products/category/security (40), /checkout (39), /products/category/nerd (39), /cart (38) |
| clientip / src | str | 253 | External IPs (108.28.x, 107.77.x, 174.63.x) |
| bytes | num | 500 | Response sizes |
| response_time | num | 147 | 43-85ms typical |
| referer | str | 144 | google.com (90), theFakeTshirtCompany.com (67), /cart (39) |
| useragent | str | 11 | Chrome, Edge, Safari, Firefox, mobile browsers |
| session_id | str | 271 | sess_* format |
| customer_id | str | 69 | CUST-* or "-" (622 anonymous) |
| order_id | str | 14 | ORD-2026-* or "-" (987) |
| product | str | 46 | IT-themed product slugs |
| product_price | num | 20 | $28-85 |
| qty | num | 2 | 1 (108), 2 (30) |
| cart_items | num | 6 | 1-6 items |
| cart_total | num | 34 | $28-485 |
| q | str | 6 | Search terms: funny+it+tshirts (38), code (30), security (25), coffee (24), linux (23) |
| tshirtcid | str | 271 | UUID correlation IDs |
| http_version | str | 1 | HTTP/1.1 |
| app | str | 1 | apache |

FAKE:online:order

NO DATA - This sourcetype has zero events in the index.

FAKE:online:order:registry

Host: WEB-01 | vendor_product: Retail Order System | 32 fields

| Field | Type | Distinct | Top Values |
|---|---|---|---|
| order_id | str | 500 | ORD-2026-* (unique per order) |
| customer_id | str | 400 | CUST-* format |
| session_id | str | 500 | sess_* format |
| products{}.slug | str | 72 | IT-themed product slugs (git-happens-hoodie, ai-overlords-tee, etc.) |
| products{}.price | num | 20 | $28-85 |
| products{}.qty | num | 2 | 1 (1400), 2 (365) |
| cart_total | num | 209 | $28-485, mean $112 |
| tshirtcid | str | 500 | UUID correlation IDs |
| scenario | str | 1 | null |

FAKE:azure:servicebus

NO DATA - This sourcetype has zero events in the index.


ITSM

FAKE:servicenow:incident

Host: servicenow | vendor_product: ServiceNow | 52 fields

| Field | Type | Distinct | Top Values |
|---|---|---|---|
| number / ticket_id | str | 226 | INC0000001-INC0000226 (5 state transitions each) |
| state / status | str | 4 | In Progress (371), Closed (226), Resolved (216), New (187) |
| priority / severity / urgency | str | 5 | 3-Moderate (76), 2-High (45), 4-Low (35), 1-Critical (16), 5-Planning (15) |
| impact | str | 4 | 4 (62), 2 (60), 3 (50), 1 (15) |
| category | str | 6 | Hardware (51), Software (41), Infrastructure (36), Network (31), Account (25), Security (3) |
| subcategory | str | 32 | VPN (20), Peripheral (19), Laptop (13), etc. |
| short_description / description | str | 54 | VPN connection slow (10), External monitor no signal (8), etc. |
| assignment_group | str | 7 | Desktop Support (51), Application Support (41), Network Operations (32), Service Desk (26), Database Admins (24), Linux Admins (10), Security Operations (3) |
| assigned_to | str | 14 | desktop.tech1@, desktop.tech2@, app.support1@, etc. |
| caller_id | str | 110 | Employee emails |
| location | str | 4 | Austin (59), Boston (55), Atlanta (54), Boston HQ (19) |
| close_code | str | 2 | Solved (113), Workaround (103) |
| close_notes | str | 40 | Resolution descriptions |
| work_notes | str | 10 | Awaiting vendor response (70), Escalating to next level support (59) |
| cmdb_ci | str | 6 | MON-ATL-01, WEB-01, AUS-WS-BWHITE01, BOS-WS-AMILLER01, SQL-PROD-01, exchange |
| demo_id | str | 7 | disk_filling (29), memory_leak (23), cpu_runaway (14), certificate_expiry (10), ransomware_attempt (10), exfil (9), firewall_misconfig (1) |
| product | str | 1 | Incident Management |

FAKE:servicenow:cmdb

NO DATA - This sourcetype has zero events in the index.

FAKE:servicenow:change

Host: servicenow | vendor_product: ServiceNow | 50 fields | 343 events

| Field | Type | Distinct | Top Values |
|---|---|---|---|
| number / ticket_id | str | 49 | CHG0000001-CHG0000049 (7 state transitions each) |
| state / status | str | 7 | Assess, Authorize, Closed, Implement, New, Review, Scheduled (49 each) |
| type | str | 3 | standard (26), normal (18), emergency (5) |
| priority | str | 2 | 3 (32), 2 (17) |
| risk | str | 3 | Low (26), Moderate (18), High (5) |
| category | str | 6 | Infrastructure (18), Network (13), Database (7), Application (6), Security (3), Software (2) |
| short_description | str | 41 | VLANs, firmware upgrades, DB maintenance, emergencies |
| assignment_group | str | 6 | Linux Admins (14), Network Operations (14), Application Support (10), Database Admins (7), Desktop Support (2), Security Operations (2) |
| assigned_to | str | 12 | linux.admin2@, network.eng1@, etc. |
| close_code | str | 2 | Successful (48), Successful with issues (1) |
| close_notes | str | 8 | Change completed successfully (42), plus scenario-specific notes |
| cmdb_ci | str | 6 | WEB-01, AUS-WS-BWHITE01, BOS-WS-AMILLER01, FW-EDGE-01, MON-ATL-01, SQL-PROD-01 |
| demo_id | str | 7 | All 7 scenarios equally represented (7 each) |
| product | str | 1 | Change Management |

Database

FAKE:mssql:errorlog

Host: SQL-PROD-01 | vendor_product: Microsoft SQL Server | 30 fields

| Field | Type | Distinct | Top Values |
|---|---|---|---|
| dest | str | 1 | SQL-PROD-01 |
| demo_id | str | 2 | cpu_runaway (58), exfil (36) |
| DISK | str | 1 | Backup file path (N'G:\Backup...) |
| NAME | str | 1 | N'TShirtDB-Full Backup' |
| product | str | 1 | SQL Server |
| vendor | str | 1 | Microsoft |
| linecount | num | 2 | 1 (921), 2 (79) - some multiline entries |

CIM Cross-Reference

Common CIM fields and which sourcetypes populate them:

| CIM Field | Sourcetypes |
|---|---|
| action | cisco:asa, azure:aad:signin, azure:aad:audit, access_combined, WinEventLog, o365:messagetrace |
| src | cisco:asa, aws:cloudtrail, azure:aad:*, access_combined, o365:messagetrace, meraki:securityappliances |
| dest | cisco:asa, aws:cloudtrail, access_combined, meraki:securityappliances, linux (cpu/vmstat/df/iostat/interfaces), Perfmon:*, mssql:errorlog |
| user | cisco:asa, aws:cloudtrail, azure:aad:riskDetection, access_combined, WinEventLog |
| dvc | cisco:asa, WinEventLog |
| vendor_product | ALL sourcetypes (except some Linux metrics) |
| demo_id | cisco:asa, aws:cloudtrail, azure:aad:*, gcp:*, webex:*, o365:*, WinEventLog, Sysmon, Perfmon:*, mssql:errorlog, servicenow:* |
| severity | WinEventLog, servicenow:incident |
| signature | WinEventLog |
| signature_id | WinEventLog |
| app | aws:cloudtrail (aws), azure:aad:riskDetection (azure:aad), WinEventLog (windows), access_combined (apache) |
| category | WinEventLog, azure:aad:*, meraki:* |
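Because src and user are only populated on the sourcetypes listed above, a cross-sourcetype pivot has to fill them in from each source's native field before grouping. The search below is an added example, not part of the original skill file: it scopes to the exfil scenario through the indexed IDX_demo_id field (so the filter applies before events are read, which the search-time demo_id would not), builds a normalised src and user with coalesce using the GCP, Webex and WinEventLog field names from the tables in this document, and reports every source address that appears in more than one sourcetype. Source addresses and principals that surface across unrelated data sources are the natural starting point for an exfiltration timeline, which is the page's exfil scenario (the riskDetection and GCP admin-activity tables both list 185.220.101.42).

```spl
index=fake_tshrt IDX_demo_id=exfil
| eval src=coalesce(src, 'protoPayload.requestMetadata.callerIp', 'data.actorIp', Source_Network_Address)
| eval user=coalesce(user, 'protoPayload.authenticationInfo.principalEmail', 'data.actorEmail', Account_Name)
| where isnotnull(src)
| stats count AS events,
        dc(sourcetype) AS sourcetype_count,
        values(sourcetype) AS sourcetypes,
        values(user) AS users,
        min(_time) AS first_seen,
        max(_time) AS last_seen
        BY src
| where sourcetype_count > 1
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"),
       last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort -sourcetype_count, -events
```

The two coalesce lines show the quoting rule in one place: the dotted GCP and Webex names are single-quoted, while Source_Network_Address and Account_Name (underscores only) are not. coalesce returns the first non-null argument, so a sourcetype that already sets the CIM field keeps it and the native fallbacks only apply where the CIM field is absent; add further fallbacks in the same way for any sourcetype whose native address or identity field is listed in the tables above.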

Sourcetypes With No Data

These sourcetypes are defined in props.conf/transforms.conf but have zero events:

  • FAKE:online:order - Orders expected via generate_orders.py
  • FAKE:azure:servicebus - ServiceBus expected via generate_servicebus.py
  • FAKE:servicenow:cmdb - CMDB CIs expected via generate_servicenow.py
  • FAKE:cisco:webex:events - Legacy webex events format