Intrusion Detection
The fields in the Intrusion Detection data model describe attack detection events gathered by network monitoring devices and apps.
Note: A dataset is a component of a data model. In versions of the Splunk platform prior to version 6.5.0, these were referred to as data model objects.
Tags used with Intrusion Detection event datasets
The following tags act as constraints to identify your events as being relevant to this data model. For more information, see How to use these reference tables.
Dataset name | Tag name |
---|---|
IDS_Attacks | ids |
attack |
Fields for Intrusion Detection event datasets
The following table lists the extracted and calculated fields for the event datasets in the model. Note that it does not include any inherited fields. For more information, see How to use these reference tables.
Dataset name | Field name | Data type | Description | Possible values |
---|---|---|---|---|
IDS_Attacks | action
|
string | The action taken by the intrusion detection system (IDS). | |
IDS_Attacks | category
|
string | The vendor-provided category of the triggered signature, such as spyware .Note: This field is a string. Use a category_id field for category ID fields that are integer data types (category_id fields are optional, so they are not included in this table).
| |
IDS_Attacks | dest
|
string | The destination of the attack detected by the intrusion detection system (IDS). You can alias this from more specific fields, such as dest_host , dest_ip , or dest_name .
|
|
IDS_Attacks | dest_bunit
|
string | These are derived fields provided by Asset and Identity correlation features of certain advanced applications like Splunk Enterprise Security. They should be left blank when writing add-ons. | |
IDS_Attacks | dest_category
|
string | ||
IDS_Attacks | dest_priority
|
string | ||
IDS_Attacks | dvc
|
string | The device that detected the intrusion event. You can alias this from more specific fields, such as dvc_host , dvc_ip , or dvc_name .
|
|
IDS_Attacks | dvc_bunit
|
string | These are derived fields provided by Asset and Identity correlation features of certain advanced applications like Splunk Enterprise Security. They should be left blank when writing add-ons. | |
IDS_Attacks | dvc_category
|
string | ||
IDS_Attacks | dvc_priority
|
string | ||
IDS_Attacks | ids_type
|
string | The type of IDS that generated the event. | network , host , application
|
IDS_Attacks | severity
|
string | The severity of the network protection event. Note: This field is a string. Please use a severity_id field for severity ID fields that are integer data types (severity_id fields are optional, so they are not included in this table). Also, specific values are required for this field. Use vendor_severity for the vendor's own human readable severity strings (such as Good , Bad , and Really Bad ).
|
critical , high , medium , low , informational , unknown
|
IDS_Attacks | signature
|
string | The name of the intrusion detected on the client (the src ), such as PlugAndPlay_BO and JavaScript_Obfuscation_Fre .Note: This is a string value; please use signature_id for numeric indicators (signature_id fields are optional, so they are not included in this table).
|
|
IDS_Attacks | src
|
string | The source involved in the attack detected by the IDS. You can alias this from more specific fields, such as src_host , src_ip , or src_name .
|
|
IDS_Attacks | src_bunit
|
string | These are derived fields provided by Asset and Identity correlation features of certain advanced applications like Splunk Enterprise Security. They should be left blank when writing add-ons. | |
IDS_Attacks | src_category
|
string | ||
IDS_Attacks | src_priority
|
string | ||
IDS_Attacks | tag
|
string | This automatically generated field is used to access tags from within datamodels. Add-on builders do not need to populate it. | |
IDS_Attacks | user
|
string | The user involved with the intrusion detection event. | |
IDS_Attacks | user_bunit
|
string | These are derived fields provided by Asset and Identity correlation features of certain advanced applications like Splunk Enterprise Security. They should be left blank when writing add-ons. | |
IDS_Attacks | user_category
|
string | ||
IDS_Attacks | user_priority
|
string | ||
IDS_Attacks | vendor_product
|
string | The vendor and product name of the IDS or IPS system that detected the vulnerability, such as HP Tipping Point . This field can be automatically populated by vendor and product fields in your data.
|
Interprocess Messaging | Inventory |
This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.0.0, 4.1.0, 4.1.1, 4.2.0, 4.3.0, 4.3.1, 4.4.0, 4.5.0, 4.6.0, 4.7.0
Feedback submitted, thanks!