Intrusion Detection

The fields in the Intrusion Detection data model and Intrusion Detection/Prevention event category describe attack detection events gathered by network monitoring devices and apps.

Tags used with the Intrusion Detection/Prevention event category

Object name(s)	Tag name	Required?
IDS_Attacks	ids	YES
IDS_Attacks	attack	YES

Fields for the Intrusion Detection/Prevention event category

Object name(s)	Field name	Data type	Description	Possible values
IDS_Attacks	`category`	string	The vendor-provided category of the triggered signature, such as `spyware`. Note: This field is a string. Use a `category_id` field for category ID fields that are integer data types (`category_id` fields are optional, so they are not included in this table).
IDS_Attacks	`dest`	string	The destination of the attack detected by the intrusion detection system (IDS). May be aliased from more specific fields, such as `dest_host`, `dest_ip`, or `dest_name`.
IDS_Attacks	`dest_bunit`	string	These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons.
IDS_Attacks	`dest_category`	string
IDS_Attacks	`dvc`	string	The device that detected the intrusion event. May be aliased from more specific fields, such as `dvc_host`, `dvc_ip`, or `dvc_name`.
IDS_Attacks	`dvc_bunit`	string	These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons.
IDS_Attacks	`dvc_category`	string
IDS_Attacks	`ids_type`	string	The type of IDS that generated the event.	`network`, `host`, `application`
IDS_Attacks	`product`	string	The product name of the IDS or IPS system, such as `ISS` or `Tipping Point`. The product or service that detected the vulnerability. This field is used to automatically produce the `vendor_product` field used by data models.
IDS_Attacks	`severity`	string	The severity of the network protection event. Note: This field is a string. Please use a `severity_id` field for severity ID fields that are integer data types (`severity_id` fields are optional, so they are not included in this table). Also, specific values are required for this field. Use `vendor_severity` for the vendor's own human readable severity strings (such as `Good`, `Bad`, and `Really Bad`).	`critical`, `high`, `medium`, `low`, `informational`, `unknown`
IDS_Attacks	`signature`	string	The name of the intrusion detected on the client (the `src`), such as `PlugAndPlay_BO` and `JavaScript_Obfuscation_Fre`. Note: This is a string value; please use `signature_id` for numeric indicators (`signature_id` fields are optional, so they are not included in this table).
IDS_Attacks	`src`	string	The source involved in the attack detected by the IDS. May be aliased from more specific fields, such as `src_host`, `src_ip`, or `src_name`.
IDS_Attacks	`src_bunit`	string	These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons.
IDS_Attacks	`src_category`	string
IDS_Attacks	`tag`	string	This automatically generated field is used to access tags from within datamodels. Add-on builders do not need to populate it.
IDS_Attacks	`user`	string	The user involved with the intrusion detection event.
IDS_Attacks	`user_bunit`	string	These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons.
IDS_Attacks	`user_category`	string
IDS_Attacks	`vendor`	string	The vendor of the IDS or IPS, such as `IBM` or `HP`. This field is used to automatically produce the `vendor_product` field used by data models.

Related answers from Splunk Community

Intrusion Detection

Comments

Was this topic useful?