CIM Mapping
PCE events are mapped to multiple Common Information Model (CIM) data models as shown in the following table.
Event Type | CIM Data Model | CIM Field | Illumio Field |
---|---|---|---|
sourcetype="illumio:pce" category="auditable" event_type="user.sign_in" OR event_type="user.login" | Authentication | src | src_ip |
 | | user | created_by.user.username |
 | | app | "Illumio" |
 | | action | "failure" OR "success" |
sourcetype="illumio:pce" category="auditable" event_type="agent.tampering" OR event_type="agent.firewall_config" | Network Changes | action | "modified" |
 | | status | status |
 | | vendor_product | "illumio:pce" |
 | | change_type | change_type |
 | | src | src_ip |
 | | user | created_by.user.username |
sourcetype="illumio:pce" category="auditable" (event_type="*.create" OR event_type="*.delete" OR event_type="*.update") (event_type!="user.*") | Auditing Changes | action | "created" OR "deleted" OR "modified" |
 | | src | src_ip |
 | | status | status |
 | | vendor_product | "illumio:pce" |
 | | user | created_by.user.username |
 | | change_type | change_type |
sourcetype="illumio:pce" category="auditable" event_type="user.create" OR event_type="user.update" OR event_type="user.delete" | Account Management Changes | action | "created" OR "deleted" OR "modified" |
 | | src | src_ip |
 | | status | status |
 | | vendor_product | "illumio:pce" |
 | | src_user | created_by.user.username |
 | | change_type | change_type |
 | | user | resources_changes.resource.username |
sourcetype="illumio:pce:collector" | Network Traffic | action | pd |
 | | bytes | tbi + tbo |
 | | bytes_in | tbi |
 | | bytes_out | tbo |
 | | dest | dst_ip |
 | | dest_ip | dst_ip |
 | | dest_port | dst_port |
 | | src | src_ip |
 | | protocol | proto |
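The table above is a mapping rather than an algorithm, but the row-selection rules have ordering and wildcard subtleties (user.create/update/delete must land in Account Management Changes, not in the generic *.create/*.update/*.delete row, and bytes is a derived sum). The following Python is an added example, not code from the Illumio app or from Splunk: it re-implements the table so the mapping can be unit-tested offline against sample events. The sample events are constructed, the flattened field names (created_by.user.username, resources_changes.resource.username) are used as plain dictionary keys, and one assumption is labelled in the code: the table sets the Authentication action to "success" or "failure" without naming the source field, so this code derives it from status.

```python
"""Offline re-implementation of the PCE -> CIM field mapping table.

Added example (not Illumio app code). It lets a detection engineer check the
mapping against sample events without a Splunk instance. Field names follow
the table; the sample events at the bottom are constructed.
"""

AUDIT_SUFFIX_TO_ACTION = {"create": "created", "delete": "deleted", "update": "modified"}


def action_from_event_type(event_type):
    """*.create -> created, *.delete -> deleted, *.update -> modified, anything else -> None."""
    suffix = event_type.rsplit(".", 1)[-1]
    return AUDIT_SUFFIX_TO_ACTION.get(suffix)


def map_to_cim(event):
    """Return the CIM fields (plus the target data model) for one raw event, or None if no row matches."""
    st = event.get("sourcetype")
    if st == "illumio:pce:collector":
        tbi = int(event.get("tbi", 0))
        tbo = int(event.get("tbo", 0))
        return {
            "data_model": "Network Traffic",
            "action": event.get("pd"),          # policy decision passed through as-is
            "bytes": tbi + tbo,                  # derived: bytes = tbi + tbo
            "bytes_in": tbi,
            "bytes_out": tbo,
            "dest": event.get("dst_ip"),
            "dest_ip": event.get("dst_ip"),
            "dest_port": event.get("dst_port"),
            "src": event.get("src_ip"),
            "protocol": event.get("proto"),
        }

    # Every remaining row requires sourcetype=illumio:pce and category=auditable.
    if st != "illumio:pce" or event.get("category") != "auditable":
        return None

    et = event.get("event_type", "")
    src = event.get("src_ip")
    actor = event.get("created_by.user.username")
    common = {
        "status": event.get("status"),
        "vendor_product": "illumio:pce",
        "change_type": event.get("change_type"),
        "src": src,
    }

    if et in ("user.sign_in", "user.login"):
        # Assumption (not stated in the table): success/failure comes from the status field.
        return {"data_model": "Authentication", "src": src, "user": actor, "app": "Illumio",
                "action": "success" if event.get("status") == "success" else "failure"}

    if et in ("agent.tampering", "agent.firewall_config"):
        return {"data_model": "Network Changes", "action": "modified", "user": actor, **common}

    if et in ("user.create", "user.update", "user.delete"):
        # Checked before the generic *.create/*.update/*.delete row, which excludes user.*
        return {"data_model": "Account Management Changes", "action": action_from_event_type(et),
                "src_user": actor, "user": event.get("resources_changes.resource.username"), **common}

    action = action_from_event_type(et)
    if action and not et.startswith("user."):
        return {"data_model": "Auditing Changes", "action": action, "user": actor, **common}

    return None  # e.g. a *.get audit event: no CIM row applies


SAMPLE_EVENTS = [  # constructed, not real PCE output
    {"sourcetype": "illumio:pce", "category": "auditable", "event_type": "user.login",
     "status": "failure", "src_ip": "203.0.113.7", "created_by.user.username": "alice"},
    {"sourcetype": "illumio:pce", "category": "auditable", "event_type": "rule_set.update",
     "status": "success", "change_type": "update", "src_ip": "198.51.100.2",
     "created_by.user.username": "bob"},
    {"sourcetype": "illumio:pce", "category": "auditable", "event_type": "user.delete",
     "status": "success", "change_type": "delete", "src_ip": "198.51.100.2",
     "created_by.user.username": "bob", "resources_changes.resource.username": "carol"},
    {"sourcetype": "illumio:pce:collector", "pd": 2, "tbi": "120", "tbo": "480",
     "src_ip": "10.0.0.9", "dst_ip": "10.0.0.5", "dst_port": "443", "proto": "6"},
]


def summarize(events=SAMPLE_EVENTS):
    """(data_model, action) per event; unmapped events surface as None so gaps are visible."""
    out = []
    for ev in events:
        cim = map_to_cim(ev)
        out.append((cim["data_model"], cim["action"]) if cim else None)
    return out


if __name__ == "__main__":
    for row in summarize():
        print(row)
```

Running the script prints one (data model, action) tuple per sample event; an event that matches no row comes back as None, which is the case worth watching for when new PCE event types appear, since such events silently fall outside every CIM-based search.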