Splunk® Common Information Model Add-on

Common Information Model Add-on Manual


Intrusion Detection

The fields in the Intrusion Detection data model and Intrusion Detection/Prevention event category describe attack detection events gathered by network monitoring devices and apps.

Tags used with the Intrusion Detection/Prevention event category

| Object name(s) | Tag name | Required? |
|---|---|---|
| IDS_Attacks | ids | YES |
| IDS_Attacks | attack | YES |

Fields for the Intrusion Detection/Prevention event category

| Object name(s) | Field name | Data type | Description | Possible values |
|---|---|---|---|---|
| IDS_Attacks | category | string | The vendor-provided category of the triggered signature, such as spyware. Note: This field is a string. Use a category_id field for category ID fields that are integer data types (category_id fields are optional, so they are not included in this table). | |
| IDS_Attacks | dest | string | The destination of the attack detected by the intrusion detection system (IDS). May be aliased from more specific fields, such as dest_host, dest_ip, or dest_name. | |
| IDS_Attacks | dest_bunit, dest_category | string | These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons. | |
| IDS_Attacks | dvc | string | The device that detected the intrusion event. May be aliased from more specific fields, such as dvc_host, dvc_ip, or dvc_name. | |
| IDS_Attacks | dvc_bunit, dvc_category | string | These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons. | |
| IDS_Attacks | ids_type | string | The type of IDS that generated the event. | network, host, application |
| IDS_Attacks | product | string | The product name of the IDS or IPS system, such as ISS or Tipping Point. The product or service that detected the vulnerability. This field is used to automatically produce the vendor_product field used by data models. | |
| IDS_Attacks | severity | string | The severity of the network protection event. Note: This field is a string. Please use a severity_id field for severity ID fields that are integer data types (severity_id fields are optional, so they are not included in this table). Also, specific values are required for this field. Use vendor_severity for the vendor's own human readable severity strings (such as Good, Bad, and Really Bad). | critical, high, medium, low, informational, unknown |
| IDS_Attacks | signature | string | The name of the intrusion detected on the client (the src), such as PlugAndPlay_BO and JavaScript_Obfuscation_Fre. Note: This is a string value; please use signature_id for numeric indicators (signature_id fields are optional, so they are not included in this table). | |
| IDS_Attacks | src | string | The source involved in the attack detected by the IDS. May be aliased from more specific fields, such as src_host, src_ip, or src_name. | |
| IDS_Attacks | src_bunit, src_category | string | These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons. | |
| IDS_Attacks | tag | string | This automatically generated field is used to access tags from within datamodels. Add-on builders do not need to populate it. | |
| IDS_Attacks | user | string | The user involved with the intrusion detection event. | |
| IDS_Attacks | user_bunit, user_category | string | These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons. | |
| IDS_Attacks | vendor | string | The vendor of the IDS or IPS, such as IBM or HP. This field is used to automatically produce the vendor_product field used by data models. | |
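As an added example (not configuration shipped with the CIM add-on or any real vendor add-on), the props.conf, eventtypes.conf and tags.conf fragments below show how an add-on maps a hypothetical IDS sourcetype onto the IDS_Attacks fields and tags above. The sourcetype name acme_ids, the vendor name, the raw field names (dest_ip, src_ip, sensor_name, sig_id, risk_level) and the mapping of the vendor's severity words onto the required severity values are all assumptions.

```ini
# props.conf: normalize the raw fields of the assumed sourcetype "acme_ids".
# Splunk conf files do not allow trailing comments, so every comment is on
# its own line.
[acme_ids]
# Field aliases keep the specific fields and add the names the data model
# searches for (dest, src, dvc, signature_id).
FIELDALIAS-cim_dest = dest_ip AS dest
FIELDALIAS-cim_src = src_ip AS src
FIELDALIAS-cim_dvc = sensor_name AS dvc
FIELDALIAS-cim_signature_id = sig_id AS signature_id
# The vendor's own human readable severity (assumed raw field: risk_level)
# goes into vendor_severity unchanged ...
EVAL-vendor_severity = risk_level
# ... while severity is restricted to the required values, with "unknown"
# as the fallback for anything the case() does not recognize (assumed map).
EVAL-severity = case(lower(risk_level)=="really bad", "critical", lower(risk_level)=="bad", "high", lower(risk_level)=="good", "informational", true(), "unknown")
# Constant attributes of this sensor: it is a network IDS, and vendor and
# product feed the automatically generated vendor_product field.
EVAL-ids_type = "network"
EVAL-vendor = "Acme"
EVAL-product = "Acme IDS"
# dest_bunit, dest_category, src_bunit, src_category, dvc_bunit,
# dvc_category, user_bunit and user_category are intentionally not set:
# Enterprise Security's asset and identity correlation derives them.

# eventtypes.conf: select the attack events of this sourcetype.
[acme_ids_attack]
search = sourcetype=acme_ids

# tags.conf: both tags are required for events to populate IDS_Attacks.
[eventtype=acme_ids_attack]
ids = enabled
attack = enabled
```

A quick check after deploying is `tag=ids tag=attack sourcetype=acme_ids | stats count by severity`, which should return only values from the required list.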
Last modified on 18 October, 2013

This documentation applies to the following versions of Splunk® Common Information Model Add-on: 3.0, 3.0.1, 3.0.2
