The Intrusion section is designed for monitoring threats and their sources and targets.
- Number of unique source IP addresses of threats
- Number of unique target IP addresses of threats
- Total number of unique addresses
- Threat statistics by type
- Statistics by user agents
- Number of events by source
- Threat dynamics
- TOP-10 sources of threats by number of intrusion attempts
- TOP-10 targets of threats by number of intrusion attempts
- Intrusion Detection: Overview
- Intrusion Detection: Threat Source Profile
- Intrusion Detection: Threat Destination Profile
The section uses the data source fields described below. Alias used: sm_cs_threat_indeces.
Categorization fields are not used by this section.
| Field Name | Description | Usage in Dashboards |
|---|---|---|
| observer.vendor | Vendor of the intrusion detection system or network device that generated the event. | Lets users identify which system generates the most events. |

| Field Name | Description | Usage in Dashboards |
|---|---|---|
| source.ip | IP address of the threat source. | Used to count the number of unique attackers (aggregation: count by `source.ip`). Used as a link to the source profile from table rows. |
| source.address | The physical or logical address of the source. | Displayed in the target details table. |
| source.port | The source port. | Displayed in the targets table (column name: Source Port). |

| Field Name | Description | Usage in Dashboards |
|---|---|---|
| destination.ip | IP address of the authentication destination. | Primary filter `$dest_ip$`. Used to select a specific node for event analysis. |
| destination.port | The target port. | Displayed in the Target Information table (column name: Target Port). |

| Field Name | Description | Usage in Dashboards |
|---|---|---|
| rule.category | Type of threat source/target. | Used in pie charts and bar graphs to analyze the distribution of threat types. |

| Field Name | Description | Usage in Dashboards |
|---|---|---|
| user_agent.name | The user agent information. | Used in visualizations. |
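The following is an added example, not part of the original documentation or the product's own code. It shows how the widgets listed at the top of this section (unique source and target counts, total unique addresses, statistics by threat type, user agent and vendor, threat dynamics, TOP-10 sources and targets, and the `$dest_ip$`-filtered destination profile) can be computed from events carrying the fields in the tables above. The events are constructed sample data with made-up addresses and vendor names; the `@timestamp` field is an assumption added only because the "Threat dynamics" widget needs a time axis that the field tables do not list.

```python
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed sample events (assumed values, not real data). Field names follow
# the tables in this section; "@timestamp" is an added assumption used only for
# the hourly "threat dynamics" buckets.
EVENTS: List[Dict[str, str]] = [
    {"@timestamp": "2024-01-01T10:02:11Z", "observer.vendor": "Suricata",
     "source.ip": "203.0.113.10", "source.port": "51234", "destination.ip": "10.0.0.5",
     "destination.port": "443", "rule.category": "Web Application Attack", "user_agent.name": "curl"},
    {"@timestamp": "2024-01-01T10:05:40Z", "observer.vendor": "Suricata",
     "source.ip": "203.0.113.10", "source.port": "51240", "destination.ip": "10.0.0.5",
     "destination.port": "443", "rule.category": "Web Application Attack", "user_agent.name": "python-requests"},
    {"@timestamp": "2024-01-01T10:31:07Z", "observer.vendor": "Suricata",
     "source.ip": "203.0.113.11", "source.port": "40002", "destination.ip": "10.0.0.5",
     "destination.port": "22", "rule.category": "Attempted Administrator Privilege Gain", "user_agent.name": ""},
    {"@timestamp": "2024-01-01T11:12:55Z", "observer.vendor": "Snort",
     "source.ip": "198.51.100.7", "source.port": "3301", "destination.ip": "10.0.0.8",
     "destination.port": "445", "rule.category": "Attempted Administrator Privilege Gain", "user_agent.name": ""},
    {"@timestamp": "2024-01-01T11:48:02Z", "observer.vendor": "Snort",
     "source.ip": "198.51.100.7", "source.port": "3302", "destination.ip": "10.0.0.9",
     "destination.port": "3389", "rule.category": "Misc Attack", "user_agent.name": ""},
    {"@timestamp": "2024-01-01T12:03:19Z", "observer.vendor": "Suricata",
     "source.ip": "203.0.113.10", "source.port": "51301", "destination.ip": "10.0.0.8",
     "destination.port": "80", "rule.category": "Web Application Attack", "user_agent.name": "curl"},
    {"@timestamp": "2024-01-01T12:44:50Z", "observer.vendor": "Suricata",
     "source.ip": "192.0.2.3", "source.port": "60010", "destination.ip": "10.0.0.5",
     "destination.port": "443", "rule.category": "Web Application Attack", "user_agent.name": "Mozilla"},
]


def unique_values(events: Iterable[Dict[str, str]], field: str) -> set:
    """Distinct non-empty values of a field (the cardinality behind 'unique source/target IPs')."""
    return {e[field] for e in events if e.get(field)}


def count_by(events: Iterable[Dict[str, str]], field: str) -> Counter:
    """Event count per value of a field (rule.category, observer.vendor, user_agent.name)."""
    return Counter(e[field] for e in events if e.get(field))


def top_n(events: Iterable[Dict[str, str]], field: str, n: int = 10) -> List[Tuple[str, int]]:
    """TOP-N values of a field by number of events (TOP-10 sources / targets widgets)."""
    return count_by(events, field).most_common(n)


def total_unique_addresses(events: List[Dict[str, str]]) -> int:
    """Size of the union of source and destination addresses (a host can appear in both roles)."""
    return len(unique_values(events, "source.ip") | unique_values(events, "destination.ip"))


def threat_dynamics(events: Iterable[Dict[str, str]]) -> Dict[str, int]:
    """Events per hour bucket, in time order (assumes ISO-8601 '@timestamp')."""
    buckets = Counter(e["@timestamp"][:13] for e in events)
    return dict(sorted(buckets.items()))


def filter_by_destination(events: Iterable[Dict[str, str]], dest_ip: str) -> List[Dict[str, str]]:
    """The primary $dest_ip$ filter: keep only events aimed at one node."""
    return [e for e in events if e.get("destination.ip") == dest_ip]


def destination_profile(events: List[Dict[str, str]], dest_ip: str) -> Dict[str, object]:
    """Threat Destination Profile for one node: who attacked it, how, and on which ports."""
    hits = filter_by_destination(events, dest_ip)
    return {
        "destination.ip": dest_ip,
        "events": len(hits),
        "unique_sources": len(unique_values(hits, "source.ip")),
        "by_category": dict(count_by(hits, "rule.category")),
        "by_port": dict(count_by(hits, "destination.port")),
    }


def overview(events: List[Dict[str, str]]) -> Dict[str, object]:
    """The Intrusion Detection: Overview widgets computed in one pass."""
    return {
        "unique_sources": len(unique_values(events, "source.ip")),
        "unique_targets": len(unique_values(events, "destination.ip")),
        "total_unique_addresses": total_unique_addresses(events),
        "by_threat_type": dict(count_by(events, "rule.category")),
        "by_user_agent": dict(count_by(events, "user_agent.name")),
        "by_vendor": dict(count_by(events, "observer.vendor")),
        "dynamics": threat_dynamics(events),
        "top_sources": top_n(events, "source.ip"),
        "top_targets": top_n(events, "destination.ip"),
    }


if __name__ == "__main__":
    for key, value in overview(EVENTS).items():
        print(f"{key}: {value}")
    print(destination_profile(EVENTS, "10.0.0.5"))
```

Empty `user_agent.name` values are skipped rather than counted as their own bucket, since many IDS alerts carry no user agent; the total-unique-addresses figure is deliberately a set union, so a host that both sends and receives attacks is counted once.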
Dictionaries are not used by this section.