https://community.splunk.com/t5/Getting-Data-In/Intrusion-Detection-data-model-Is-host-not-really-a-tag-but/m-p/212177#M41746 <P>tmkunte -- thanks for pointing this out. That is a docs bug. We should only be referring to ids and attack as tags. The additional constraint for a host intrusion detection is the presence of that ids_type field with a value of host, as you point out. We'll get it fixed! </P> Thu, 16 Jun 2016 23:09:43 GMT rpille_splunk 2016-06-16T23:09:43Z https://community.splunk.com/t5/Getting-Data-In/Intrusion-Detection-data-model-Is-host-not-really-a-tag-but/m-p/212176#M41745 <P>This is more of question for my understanding...</P> <P>In the examples section of CIM Add-on manual (for OSSEC) there is a statement that the Intrusion Detection data model requires the tags ids, attack, and host</P> <P>If you look at the intrusion detection data model, the constraint is <CODE>ids_type="host"</CODE></P> <P>So host is not really a tag, but it is treated as such with regards to the data model?</P> <P>thanks</P> Thu, 16 Jun 2016 20:25:27 GMT https://community.splunk.com/t5/Getting-Data-In/Intrusion-Detection-data-model-Is-host-not-really-a-tag-but/m-p/212176#M41745 tmkunte 2016-06-16T20:25:27Z https://community.splunk.com/t5/Getting-Data-In/Intrusion-Detection-data-model-Is-host-not-really-a-tag-but/m-p/212177#M41746 <P>tmkunte -- thanks for pointing this out. That is a docs bug. We should only be referring to ids and attack as tags. The additional constraint for a host intrusion detection is the presence of that ids_type field with a value of host, as you point out. We'll get it fixed! </P> Thu, 16 Jun 2016 23:09:43 GMT https://community.splunk.com/t5/Getting-Data-In/Intrusion-Detection-data-model-Is-host-not-really-a-tag-but/m-p/212177#M41746 rpille_splunk 2016-06-16T23:09:43Z