Splunk® Common Information Model Add-on

Common Information Model Add-on Manual


This documentation does not apply to the most recent version of Splunk® Common Information Model Add-on. For documentation on the most recent version, go to the latest release.

Intrusion Detection

The fields in the Intrusion Detection data model describe attack detection events gathered by network monitoring devices and apps.

Note: A dataset is a component of a data model. In versions of the Splunk platform prior to version 6.5.0, these were referred to as data model objects.

Tags used with Intrusion Detection event datasets

The following tags act as constraints to identify your events as being relevant to this data model. For more information, see How to use these reference tables.

| Dataset name | Tag name |
|---|---|
| IDS_Attacks | ids |
| | attack |

Fields for Intrusion Detection event datasets

The following table lists the extracted and calculated fields for the event datasets in the model. Note that it does not include any inherited fields. For more information, see How to use these reference tables.

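| Dataset name | Field name | Data type | Description | Abbreviated list of example values |
|---|---|---|---|---|
| IDS_Attacks | action | string | The action taken by the intrusion detection system (IDS). | |
| IDS_Attacks | category | string | The vendor-provided category of the triggered signature, such as spyware. This field is a string. Use a category_id field (not included in this data model) for category ID fields that are integer data types. | |
| IDS_Attacks | dest | string | The destination of the attack detected by the intrusion detection system (IDS). You can alias this from more specific fields not included in this data model, such as dest_host, dest_ip, or dest_name. | |
| IDS_Attacks | dest_bunit | string | These fields are automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for these fields when writing add-ons. | |
| IDS_Attacks | dest_category | string | These fields are automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for these fields when writing add-ons. | |
| IDS_Attacks | dest_priority | string | These fields are automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for these fields when writing add-ons. | |
| IDS_Attacks | dest_port | number | The destination port of the intrusion. | |
| IDS_Attacks | dvc | string | The device that detected the intrusion event. You can alias this from more specific fields not included in this data model, such as dvc_host, dvc_ip, or dvc_name. | |
| IDS_Attacks | dvc_bunit | string | These fields are automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for these fields when writing add-ons. | |
| IDS_Attacks | dvc_category | string | These fields are automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for these fields when writing add-ons. | |
| IDS_Attacks | dvc_priority | string | These fields are automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for these fields when writing add-ons. | |
| IDS_Attacks | ids_type | string | The type of IDS that generated the event. | network, host, application, wireless |
| IDS_Attacks | severity | string | The severity of the network protection event. This field is a string. Use a severity_id field (not included in this data model) for severity ID fields that are integer data types. Also, specific values are required for this field. Use vendor_severity for the vendor's own human readable severity strings, such as Good, Bad, and Really Bad. | ES expects: critical, high. Other: medium, low, informational |
| IDS_Attacks | signature | string | The name of the intrusion detected on the client (the src), such as PlugAndPlay_BO and JavaScript_Obfuscation_Fre. This is a string value. Use a signature_id field (not included in this data model) for numeric indicators. | |
| IDS_Attacks | src | string | The source involved in the attack detected by the IDS. You can alias this from more specific fields not included in this data model, such as src_host, src_ip, or src_name. | |
| IDS_Attacks | src_bunit | string | These fields are automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for these fields when writing add-ons. | |
| IDS_Attacks | src_category | string | These fields are automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for these fields when writing add-ons. | |
| IDS_Attacks | src_priority | string | These fields are automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for these fields when writing add-ons. | |
| IDS_Attacks | tag | string | This automatically generated field is used to access tags from within datamodels. Do not define extractions for this field when writing add-ons. | |
| IDS_Attacks | transport | string | The OSI layer 4 (transport) protocol of the intrusion, in lower case. | |
| IDS_Attacks | user | string | The user involved with the intrusion detection event. | |
| IDS_Attacks | user_bunit | string | These fields are automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for these fields when writing add-ons. | |
| IDS_Attacks | user_category | string | These fields are automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for these fields when writing add-ons. | |
| IDS_Attacks | user_priority | string | These fields are automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for these fields when writing add-ons. | |
| IDS_Attacks | vendor_product | string | The vendor and product name of the IDS or IPS system that detected the vulnerability, such as HP Tipping Point. This field can be automatically populated by vendor and product fields in your data. | |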
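
The rules in the tables above, written as a check that an add-on author can run over sample output before mapping a source to this data model. This is an added example, not code from Splunk or the CIM add-on; the function name, the fields/tags input shape and the sample events are assumptions made for illustration.

```python
# Added example: validate add-on output against the IDS_Attacks rules in the tables above.
REQUIRED_TAGS = {"ids", "attack"}
SEVERITIES = {"critical", "high", "medium", "low", "informational"}
# String fields for which the table names an integer *_id counterpart.
ID_COUNTERPART = {"category": "category_id", "severity": "severity_id",
                  "signature": "signature_id"}
# Fields the table says are provided automatically; add-ons must not extract them.
AUTO_FIELDS = {f"{p}_{s}" for p in ("dest", "dvc", "src", "user")
               for s in ("bunit", "category", "priority")} | {"tag"}


def check_ids_event(fields, tags):
    """Return a sorted list of problems for one event.

    fields: dict of field name -> value extracted by the add-on (hypothetical shape).
    tags: set of tags applied to the event through its event type.
    """
    problems = []
    missing = REQUIRED_TAGS - set(tags)
    if missing:
        problems.append("tags: missing " + ", ".join(sorted(missing)))
    for name in AUTO_FIELDS.intersection(fields):
        problems.append(f"{name}: provided automatically, remove the extraction")
    for name, id_name in ID_COUNTERPART.items():
        if name in fields and not isinstance(fields[name], str):
            problems.append(f"{name}: must be a string, put integers in {id_name}")
    sev = fields.get("severity")
    if isinstance(sev, str) and sev not in SEVERITIES:
        problems.append(f"severity: {sev!r} not allowed, keep it in vendor_severity")
    transport = fields.get("transport")
    if isinstance(transport, str) and transport != transport.lower():
        problems.append("transport: must be lower case")
    port = fields.get("dest_port")
    if port is not None and not str(port).isdigit():  # ports are whole numbers
        problems.append("dest_port: must be a number")
    return sorted(problems)


# Constructed sample events (not real IDS output).
GOOD = {"action": "blocked", "category": "spyware", "dest": "10.0.0.5",
        "dest_port": 445, "severity": "high", "signature": "PlugAndPlay_BO",
        "src": "10.0.0.9", "transport": "tcp", "vendor_severity": "Really Bad"}
BAD = {"severity": "Really Bad", "signature": 2001, "transport": "TCP",
       "dest_port": "smb", "src_priority": "high"}

if __name__ == "__main__":
    for issue in check_ids_event(BAD, {"ids"}):
        print(issue)
```
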
Last modified on 28 June, 2019

This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.9.0, 4.9.1, 4.10.0, 4.11.0, 4.12.0, 4.13.0

