Splunk Enterprise Security

Splunk Enterprise security: What is tag=ids for cim_Intrusion_Detection_indexes?

danielbb
Motivator

In ES, the constraint for Intrusion Detection is (cim_Intrusion_Detection_indexes) tag=ids tag=attack.

What is the tag=ids part?

0 Karma
1 Solution

skalliger
SplunkTrust
SplunkTrust

What's your problem? Do you just want to understand what the tag ids is there for? IDS usually stands for Intrusion Detection System (which may also be an IPS - intrusion prevention system). This tag gets applied by a TA which has normalized the data.

Skalli

View solution in original post

0 Karma

skalliger
SplunkTrust
SplunkTrust

What's your problem? Do you just want to understand what the tag ids is there for? IDS usually stands for Intrusion Detection System (which may also be an IPS - intrusion prevention system). This tag gets applied by a TA which has normalized the data.

Skalli

View solution in original post

0 Karma

danielbb
Motivator

"Just" trying to understand ES...

You are saying -
-- This tag gets applied by a TA which has normalized the data.

Does the TA normalize the data or only categorize it by applying the proper tags?

0 Karma

skalliger
SplunkTrust
SplunkTrust

That really depends on the TA. For proper tagging and event typing, you need the data normalised.

This means, in the first step, that all information from the events is extracted as required by a certain data model. Tags get applied after the field extractions. These are kind of the categorisation you were talking about.

For further info, look at the order of search time operations in the docs.

Skalli

0 Karma

danielbb
Motivator

Just found out that the following speaks about it - IDS/IPS Alert Activity

I - Intrusion, D - detection. Not sure about the S...

It says to use - tag=ids tag=attack or ids_attack.

0 Karma