Splunk CIM Authentication Mapping

When LoginID events are forwarded to Splunk through the Splunk Connector, LoginID automatically enriches each event with fields from Splunk's Authentication Common Information Model (CIM).

This allows LoginID events to integrate directly with Splunk's built-in authentication dashboards, searches, and reporting tools without requiring additional field extraction or transformation.

All original LoginID event fields are preserved. CIM fields are added alongside the original payload. Where a LoginID field name would conflict with a CIM field, the original LoginID field is renamed.

Direct Field Mappings

The following fields are mapped directly from LoginID events into the Splunk Authentication CIM model.

LoginID Field	CIM Field	Notes
eventId	signature
msg	desc
defaultSeverity	severity
uuid	event_id
(constant)	cim_model	Always set to authentication
action	lid_action	Renamed to avoid collision with the CIM action field
username	user	Only added when present
userId	user_id	Only added when present
srcAddr	src
appId	app
userAgent	http_user_agent
responseTimeUsec ÷ 1,000,000	duration	Converted from microseconds to seconds
webhookLatencyUsec ÷ 1,000,000	duration	Converted from microseconds to seconds
(constant)	authentication_service	Always set to loginid

Derived Field: action

The CIM action field represents the authentication outcome.

This value is derived from the LoginID eventId and is not copied from the original LoginID action field. The original field is preserved as lid_action.

Condition	action
eventId contains .error	error
eventId contains failed or blocked	failure
All other events	success

Examples

Event ID	action
fido2.user.authenticated	success
fido2.user.authenticate.failed	failure
fido2.passkey.reg.aaguid.blocked	failure
fido2.client.error	error

Derived Field: authentication_method

The authentication_method field describes both the authentication flow type and the operation being performed.

The value is derived from the LoginID eventId.

Flow Detection

Pattern	Meaning
eventId starts with fido2.mfa.	MFA passkey flow
All other events	Standard passkey flow

Operation Detection

Pattern	Meaning
Contains .reg. or .registered	Registration
Contains .auth., .authenticated, or .authenticate.	Authentication
Contains .tx.	Transaction signing

Resulting Values

Standard Passkey Flows

Operation	authentication_method
Registration	passkey_registration
Authentication	passkey_authentication
Transaction	passkey_tx
Other	passkey

MFA Passkey Flows

Operation	authentication_method
Registration	passkey_mfa_registration
Authentication	passkey_mfa_authentication
Transaction	passkey_mfa_tx
Other	passkey_mfa

Examples

Event ID	authentication_method
fido2.user.authenticated	passkey_authentication
fido2.passkey.registered	passkey_registration
fido2.passkey.tx.completed	passkey_tx
fido2.mfa.passkey.authenticated	passkey_mfa_authentication
fido2.mfa.passkey.registered	passkey_mfa_registration
fido2.mfa.passkey.tx.completed	passkey_mfa_tx

Original Event Preservation

LoginID preserves all original event fields when applying CIM mappings.

The only field name modification is:

Original Field	Stored Field
action	lid_action

This ensures the Splunk CIM action field can be used consistently for authentication outcomes while preserving the original LoginID workflow action value.

Example Event

Original LoginID Event

{
  "eventId": "fido2.user.authenticated",
  "username": "alice",
  "userId": "PFEPLBWCX0BF3GVO9S6JBIMV1",
  "srcAddr": "203.0.113.10",
  "responseTimeUsec": 125000
}

Event After CIM Enrichment

{
  "eventId": "fido2.user.authenticated",
  "username": "alice",
  "userId": "PFEPLBWCX0BF3GVO9S6JBIMV1",
  "srcAddr": "203.0.113.10",
  "responseTimeUsec": 125000,
  "signature": "fido2.user.authenticated",
  "user": "alice",
  "user_id": "PFEPLBWCX0BF3GVO9S6JBIMV1",
  "src": "203.0.113.10",
  "duration": 0.125,
  "action": "success",
  "authentication_method": "passkey_authentication",
  "authentication_service": "loginid",
  "cim_model": "authentication"
}