Network intrusion detection data is generated by an IDS/IPS appliance or software application that inspects network traffic for malicious or policy-violating activity (detection) and, in the IPS case, blocks it (prevention). Such sensors typically sit at an ingress point of the network boundary. Some administrators also deploy host-based IDS, whose events land in the same data model.
Data visibility
Intrusion detection/prevention data provides information critical to the identification, containment, and remediation of a network breach. The value of ingesting IDS/IPS data is in the ability to quickly pivot and correlate data provided in IDS data with other critical data sets, such as user and DNS data, in order to assess the extent of an intrusion or infection. Often, the speed at which this initial assessment takes place has a defining impact on the effectiveness of incident response.
High-value fields
In the Common Information Model, network intrusion detection data is typically mapped to the Intrusion Detection Data model. This data type has many available fields, but users typically derive the most value out of the fields listed here.
file_hash
Cryptographic identifier assigned to the file object affected by the event.
file_name
Name of the file, such as notepad.exe.
file_path
Path of the file, such as C:\Windows\System32\notepad.exe.
ids_type
Type of IDS that generated the event. Expected values are network, host, application, and wireless.
severity
Severity of the network protection event. This field is a string, and specific values are required (critical, high, medium, low, informational, unknown). Integer severities belong in severity_id, not here, and the vendor's own human-readable strings (such as "Good" or "Really Bad") belong in vendor_severity.
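The following is an added example, not code from Splunk, Suricata, or this page. It shows the two things the sections above describe: normalizing raw IDS events (here, Suricata EVE JSON alerts) into the high-value Intrusion Detection fields, with the string severity kept separate from the integer severity_id and the vendor's own value, and then pivoting the normalized alerts against user and DNS data to scope an incident. The EVE records, the identity lookup and the DNS lookup are all constructed for illustration; the severity mapping follows Suricata's default classification.config priorities (1 = high, 2 = medium, 3 = low, 4 = informational).

```python
"""Normalize Suricata EVE JSON alerts into CIM Intrusion Detection fields and
pivot them against user and DNS data.

Added example; not Splunk's or Suricata's own code. All input data below is
constructed for illustration, not captured traffic.
"""
import json

# Suricata's default priorities: 1 = high, 2 = medium, 3 = low, 4 = informational.
# CIM 'severity' must be one of a fixed set of strings, so the integer is mapped
# here and preserved separately in severity_id / vendor_severity.
SURICATA_SEVERITY = {1: "high", 2: "medium", 3: "low", 4: "informational"}

# Constructed EVE JSON lines (one alert per line is how Suricata writes eve.json).
EVE_LINES = [
    json.dumps({"timestamp": "2024-05-01T12:00:00.000000+0000", "event_type": "alert",
                "src_ip": "10.0.0.5", "src_port": 51234, "dest_ip": "198.51.100.7",
                "dest_port": 80, "proto": "TCP",
                "alert": {"action": "allowed", "signature_id": 2100498, "rev": 7,
                          "signature": "GPL ATTACK_RESPONSE id check returned root",
                          "category": "Potentially Bad Traffic", "severity": 2}}),
    json.dumps({"timestamp": "2024-05-01T12:00:05.000000+0000", "event_type": "alert",
                "src_ip": "10.0.0.12", "src_port": 49211, "dest_ip": "203.0.113.20",
                "dest_port": 443, "proto": "TCP",
                "alert": {"action": "blocked", "signature_id": 2000001, "rev": 1,
                          "signature": "CONSTRUCTED EXE download from rare host",
                          "category": "A Network Trojan was detected", "severity": 1},
                "fileinfo": {"filename": "/downloads/update.exe", "sha256": "ab" * 32}}),
    # A flow record, not an alert: the normalizer must skip it.
    json.dumps({"timestamp": "2024-05-01T12:00:07.000000+0000", "event_type": "flow",
                "src_ip": "10.0.0.5", "dest_ip": "198.51.100.7", "proto": "TCP"}),
]

# Assumed lookup tables standing in for the "user" and "DNS" data sets the text
# mentions (e.g. an asset/identity lookup and a passive-DNS or DNS-log lookup).
USER_BY_SRC = {"10.0.0.5": "alice", "10.0.0.9": "bob"}
DNS_BY_DEST = {"198.51.100.7": "files.example.net"}


def normalize(line):
    """Map one EVE JSON line to CIM Intrusion Detection fields; None if not an alert."""
    ev = json.loads(line)
    if ev.get("event_type") != "alert":
        return None
    a = ev["alert"]
    vendor_sev = a.get("severity")
    out = {
        "ids_type": "network",                      # Suricata is a network IDS/IPS
        "vendor_product": "Suricata",
        "action": a.get("action"),
        "signature": a.get("signature"),
        "signature_id": a.get("signature_id"),
        "category": a.get("category"),
        "src": ev.get("src_ip"), "src_port": ev.get("src_port"),
        "dest": ev.get("dest_ip"), "dest_port": ev.get("dest_port"),
        "transport": (ev.get("proto") or "").lower(),
        "severity": SURICATA_SEVERITY.get(vendor_sev, "unknown"),   # CIM string
        "severity_id": vendor_sev,                                  # integer form
        "vendor_severity": str(vendor_sev) if vendor_sev is not None else None,
    }
    fi = ev.get("fileinfo")
    if fi:  # file-aware alerts carry the file fields the data model exposes
        path = fi.get("filename") or ""
        out["file_path"] = path
        out["file_name"] = path.rsplit("/", 1)[-1]
        out["file_hash"] = fi.get("sha256") or fi.get("md5")
    return out


def normalize_all(lines):
    return [n for n in map(normalize, lines) if n is not None]


def pivot(events, user_by_src=USER_BY_SRC, dns_by_dest=DNS_BY_DEST):
    """Enrich each alert with the user behind src and the name resolved for dest.
    Missing lookups stay None rather than being dropped: an unknown host is a finding."""
    return [dict(e, user=user_by_src.get(e["src"]), dest_name=dns_by_dest.get(e["dest"]))
            for e in events]


def affected_sources(enriched, min_severity="medium"):
    """Sources with at least one alert at or above min_severity, for scoping containment."""
    rank = {"critical": 5, "high": 4, "medium": 3, "low": 2, "informational": 1, "unknown": 0}
    floor = rank[min_severity]
    return sorted({e["src"] for e in enriched if rank[e["severity"]] >= floor})


if __name__ == "__main__":
    for e in pivot(normalize_all(EVE_LINES)):
        print(e["severity"], e["src"], e.get("user"), e["dest"], e.get("dest_name"), e["signature"])
    print("contain:", affected_sources(pivot(normalize_all(EVE_LINES))))
```

The point of keeping severity, severity_id and vendor_severity as three fields is that searches and correlation rules written against the data model can filter on the normalized string regardless of which vendor produced the alert, while the original value is still there for anyone who needs to reconcile with the sensor's own console.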
Known data sources and source types
Guidance for onboarding data can be found in the Splunk documentation, Getting Data In.
| Data Source | Sourcetype | Recommended Add-Ons |
|---|---|---|
| Cisco | sourcetype="cisco:sourcefire", sourcetype="eStreamer", sourcetype="snort" | |
| Suricata | sourcetype="suricata" | |