https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-security-What-is-tag-ids-for-cim-Intrusion/m-p/418166#M5094 <P>That really depends on the TA. For proper tagging and event typing, you need the data normalised.</P> <P>This means, in the first step, that all information from the events is extracted as required by a certain data model. Tags get applied after the field extractions. These are kind of the categorisation you were talking about.</P> <P>For further info, look at the <A href="https://docs.splunk.com/Documentation/Splunk/7.3.1/Knowledge/Searchtimeoperationssequence">order of search time operations</A> in the docs. </P> <P>Skalli</P> Thu, 08 Aug 2019 10:20:01 GMT skalliger 2019-08-08T10:20:01Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-security-What-is-tag-ids-for-cim-Intrusion/m-p/418162#M5090 <P>In ES, the constraint for Intrusion Detection is <STRONG>(<CODE>cim_Intrusion_Detection_indexes</CODE>) tag=ids tag=attack</STRONG>. </P> <P>What is the <CODE>tag=ids</CODE> part?</P> Tue, 30 Jul 2019 19:24:57 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-security-What-is-tag-ids-for-cim-Intrusion/m-p/418162#M5090 danielbb 2019-07-30T19:24:57Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-security-What-is-tag-ids-for-cim-Intrusion/m-p/418163#M5091 <P>Just found out that the following speaks about it - <A href="https://docs.splunk.com/Documentation/PCI/3.8.0/Install/IDSIPSAlertActivity">IDS/IPS Alert Activity</A></P> <P>I - Intrusion, D - detection. Not sure about the S...</P> <P>It says to use - <CODE>tag=ids tag=attack</CODE> or <CODE>ids_attack</CODE>.</P> Wed, 31 Jul 2019 14:03:33 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-security-What-is-tag-ids-for-cim-Intrusion/m-p/418163#M5091 danielbb 2019-07-31T14:03:33Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-security-What-is-tag-ids-for-cim-Intrusion/m-p/418164#M5092 <P>What's your problem? Do you just want to understand what the tag ids is there for? IDS usually stands for Intrusion Detection System (which may also be an IPS - intrusion prevention system). This tag gets applied by a TA which has normalized the data.</P> <P>Skalli</P> Wed, 31 Jul 2019 15:09:02 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-security-What-is-tag-ids-for-cim-Intrusion/m-p/418164#M5092 skalliger 2019-07-31T15:09:02Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-security-What-is-tag-ids-for-cim-Intrusion/m-p/418165#M5093 <P>"Just" trying to understand ES...</P> <P>You are saying -<BR /> -- This tag gets applied by a TA which has normalized the data.</P> <P>Does the TA normalize the data or <EM>only</EM> categorize it by applying the proper tags? </P> Wed, 07 Aug 2019 17:12:24 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-security-What-is-tag-ids-for-cim-Intrusion/m-p/418165#M5093 danielbb 2019-08-07T17:12:24Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-security-What-is-tag-ids-for-cim-Intrusion/m-p/418166#M5094 <P>That really depends on the TA. For proper tagging and event typing, you need the data normalised.</P> <P>This means, in the first step, that all information from the events is extracted as required by a certain data model. Tags get applied after the field extractions. These are kind of the categorisation you were talking about.</P> <P>For further info, look at the <A href="https://docs.splunk.com/Documentation/Splunk/7.3.1/Knowledge/Searchtimeoperationssequence">order of search time operations</A> in the docs. </P> <P>Skalli</P> Thu, 08 Aug 2019 10:20:01 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-security-What-is-tag-ids-for-cim-Intrusion/m-p/418166#M5094 skalliger 2019-08-08T10:20:01Z