Intrusion detection and prevention data (IDS and IPS)
IDS and IPS are complementary, parallel security systems that supplement firewalls – IDS by exposing successful network and server attacks that penetrate a firewall, and IPS by providing more advanced defenses against sophisticated attacks.
IDS is typically placed at the network edge, just inside a perimeter firewall, although some organizations also put a system outside the firewall to provide greater intelligence about all attacks. IDS logs provide security teams detailed records of attacks including the type, source, destination and port(s) used that provide an overall attack signature.
Likewise, IPS is typically placed at the network perimeter, although it also may be used in layers at other points inside the network or on individual servers. IPS usually works by dropping packets, resetting network connections and blacklisting specific IP addresses or ranges. IPS logs provide the same set of attack signature data, but also may include a threat analysis of bad network packets and detection of lateral movement. This data can also detect command and control traffic, DDoS traffic, and malicious or unknown domain traffic.
In the Common Information Model, intrusion detection and prevention data is typically mapped to the Intrusion Detection data model.
Before looking at documentation for specific data sources, review the Splunk Docs information on general data ingestion: