In ES, the constraint for Intrusion Detection is (cim_Intrusion_Detection_indexes) tag=ids tag=attack.
What is the tag=ids part?
What's your problem? Do you just want to understand what the tag ids is there for? IDS usually stands for Intrusion Detection System (which may also be an IPS - intrusion prevention system). This tag gets applied by a TA which has normalized the data.
Skalli
"Just" trying to understand ES...
You are saying -
-- This tag gets applied by a TA which has normalized the data.
Does the TA normalize the data or only categorize it by applying the proper tags?
That really depends on the TA. For proper tagging and event typing, you need the data normalised.
This means, in the first step, that all information from the events is extracted as required by a certain data model. Tags get applied after the field extractions. These are the kind of categorisation you were talking about.
For further info, look at the order of search time operations in the docs.
Skalli
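As an added illustration (not from this thread and not from any particular Splunk TA), here is the minimal set of search-time knowledge objects a TA ships so that a normalised alert event ends up carrying tag=ids tag=attack, in the order Splunk applies them. The sourcetype `example:ids`, the log format and the eventtype name are constructed assumptions.

```ini
# props.conf -- step 1: field extractions run first in the search-time order.
# Sourcetype "example:ids" and its key=value alert format are constructed for this example.
# sample event: 2024-01-01T10:00:00 ALERT src=10.1.1.5 dest=10.2.2.9 sig="Example Scan" sev=high
[example:ids]
EXTRACT-ids_alert = ALERT src=(?<src>\S+) dest=(?<dest>\S+) sig="(?<signature>[^"]+)" sev=(?<severity>\w+)
# calculated field (evaluated after extractions): CIM Intrusion Detection expects ids_type
EVAL-ids_type = "network"

# eventtypes.conf -- step 2: an eventtype is a saved search that matches the normalised events.
# It runs after extractions, so it can rely on the CIM field "signature" already existing.
[example_ids_alert]
search = sourcetype="example:ids" signature=*

# tags.conf -- step 3: tags are bound to the eventtype; this is where tag=ids tag=attack comes from.
[eventtype=example_ids_alert]
ids = enabled
attack = enabled
```

Once these are in place, the Intrusion Detection data model constraint quoted in the question selects these events without any further configuration in ES itself.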
Just found out that the following speaks about it - IDS/IPS Alert Activity
I - Intrusion, D - detection. Not sure about the S...
It says to use - tag=ids tag=attack or ids_attack.