Splunk Enterprise Security

Why aren't my IDS logs populating the Intrusion Detection data model?

DEAD_BEEF
Builder

I am using Splunk ES and trying to match my IDS logs to the Intrusion Detection data model. I thought I did all the preparatory steps required, but when clicking in the ES app Search > Datasets > Intrusion Detection > IDS Attacks > Summarize Fields, nearly all of the fields are listed as "null or empty" and the few that are populated contain "unknown" in them.

Here is what I have done so far:

  1. Created event type search to identify the logs and tag them as "ids" and "attack" per CIM docs (shared globally)
  2. Created field aliases (shared globally) as most of my existing logs are named something other than the expected data model field name
  3. Validating the data per step 6A
  4. End result mostly null or unknown

1 Solution

DEAD_BEEF
Builder

The way to fix this is I had to rename the field aliases to the data model field name that's listed in the docs (go figure) rather than what was showing up in search (see below)
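
A way to check for the mismatch described in the accepted answer, as an added example (not from the original thread or from Splunk): it scans `props.conf` text for `FIELDALIAS` pairs and flags alias targets that are not Intrusion Detection data model field names. The sourcetype `acme:ids`, the vendor field names and the sample stanza are constructed, and the field list is a subset that should be confirmed against the CIM documentation.

```python
import re

# Subset of field names in the CIM Intrusion Detection data model
# (assumption: confirm the full list in the CIM docs for your version).
CIM_IDS_FIELDS = {"action", "category", "dest", "dvc", "ids_type",
                  "severity", "signature", "src", "user", "vendor_product"}

# One alias pair: <orig_field> AS <new_field> (ASNEW is also valid syntax).
PAIR = re.compile(r'("[^"]+"|\S+)\s+(?:AS|ASNEW)\s+("[^"]+"|\S+)')

def check_aliases(props_text, model_fields=CIM_IDS_FIELDS):
    """Return (stanza, original, target, ok) for every FIELDALIAS pair."""
    results, stanza = [], None
    for raw in props_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]          # sourcetype / source / host stanza
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip().startswith("FIELDALIAS-"):
            continue
        for orig, target in PAIR.findall(value):
            target = target.strip('"')
            results.append((stanza, orig.strip('"'), target,
                            target in model_fields))
    return results

def bad_targets(props_text):
    """Alias targets that the data model will never pick up."""
    return sorted(t for _, _, t, ok in check_aliases(props_text) if not ok)

# Constructed sample: hypothetical sourcetype and vendor field names.
SAMPLE_PROPS = """
[acme:ids]
# Targets named after what search showed, not the data model docs
FIELDALIAS-wrong = alert_name AS sig_name src_ip AS source_address
# Targets use the data model field names
FIELDALIAS-right = alert_name AS signature src_ip AS src dst_ip AS dest
"""

if __name__ == "__main__":
    for stanza, orig, target, ok in check_aliases(SAMPLE_PROPS):
        verdict = "ok" if ok else "NOT a data model field"
        print(f"[{stanza}] {orig} -> {target}: {verdict}")
```
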