Detection and response log data is a type of operating system data that is typically aggregated from endpoints in Host Intrusion Detection Systems (HIDS) and general Intrusion Detection Systems (IDS). Many modern HIDS/IDS can combine with other device functions—such as firewall, network intrusion detection, and proxy—to produce additional data for further enrichment and analysis in SIEMs, such as Splunk Enterprise Security.
Data visibility
HIDS/IDS data is a rich data source with cross functional value to the enterprise. HIDS/IDS monitor important operating system files for suspicious changes and all general files for virus signatures that indicate malware or other security breaches.
High-value fields
In the Common Information Model, detection and response log data is typically mapped to the Intrusion Detection Data model. This data type has many available fields, but users typically derive the most value out of the fields listed here.
action
The action taken by the IDS, allowed or blocked.
signature
The name of the intrusion detected on the client (the source). This field is a string. The signature_id field (not available in this data model) is for signature fields that are integer data types.
src
The source involved in the attack detected by the IDS.
Known data sources and source types
Guidance for onboarding data can be found in the Splunk documentation, Getting Data In.
|
Data Source |
Sourcetype |
Recommend Add-Ons |
|
Cisco |
sourcetype="cisco:sourcefire" sourcetype="eStreamer" sourcetype="snort" |
|
|
OSSEC |
sourcetype="ossec" |
Related Use Cases
Coming soon!
Comments
0 comments
Article is closed for comments.