
IPS Log Formats

IPS logs show traffic, events, and possible threats detected by Umbrella's Intrusion Prevention System.

Examples

"2024-09-11 23:17:13","Firewall Tunnel Name","Network Tunnels","1","16606","SERVER-ORACLE BEA WebLogic Server Plug-ins Certificate overflow attempt","50516","HIGH","Attempted User Privilege Gain","cve-2009-1016","TCP","12345","123.123.123.123","80","1.1.1.1","40762","Would Block","IDS","50516","S2C","21171","PROFILE","eu-central-2b","","","","8151514"

The example entry is 353 bytes. To estimate the size of your S3 Logs, see Estimate the Size of Your Logs.

Order of Fields in the IPS Log

<timestamp><identities><identity types><generator id><signature id><signature message><signature list id><severity><attack classification><CVEs><IP protocol><session ID><source IP><source port><destination IP><destination port><action><operation mode><policy resource ID><direction><firewall rule ID><IPS config type><AWS region><Application ID><CASI Category IDs><Data Center><Organization ID>

Optional V11 Log Header Format

When the optional log header is enabled (log format v11), the first row of each file contains the following CSV field names, in the same order as the fields above.

"Timestamp","Identities","Identity Types","Generator ID","Signature ID","Signature Message","Signature List ID","Severity","Attack Classification","CVEs","IP Protocol","Session ID","Source IP","Source Port","Destination IP","Destination Port","Action","Operation Mode","Policy Resource ID","Direction","Firewall Rule ID","IPS Config Type","AWS Region","Application ID","CASI Category IDs","Data Center","Organization ID"
  • Timestamp—When this request was made in UTC.
  • Identities—All tunnel identities associated with this request.
  • Identity Types—The type of identity associated with this request.
  • Generator ID—Unique ID assigned to the part of the IPS which generated the event.
  • Signature ID—Used to uniquely identify signatures.
  • Signature Message—A brief description of the signature.
  • Signature List ID—Unique ID assigned to a Default or Custom Signature List.
  • Severity—The severity level of the rule, such as High, Medium, Low, and Very Low.
  • Attack Classification—The category of attack detected by a rule that is part of a more general type of attack class, such as trojan-activity, attempted-user, and unknown.
  • CVEs—The CVE identifiers of the vulnerabilities the signature covers, if any (for example, cve-2009-1016 in the entry above). Empty when the signature is not tied to a CVE.
  • IP Protocol—The actual protocol of the traffic, such as TCP, UDP, ICMP.
  • Session ID—The unique identifier of a session, which is used to group the correlated events between various services.
  • Source IP—The IP of the computer making the request.
  • Source Port—The port the request was made on.
  • Destination IP—The destination IP requested.
  • Destination Port—The destination port the request was made on.
  • Action—The action performed when traffic matches a rule, such as block, warn, and would_block. In detection (IDS) mode the traffic is not stopped; would_block records that the rule would have blocked it had the tunnel been in prevention mode, as in the example entry above ("Would Block" with Operation Mode "IDS").
  • Operation Mode—The mode chosen when IPS was enabled: IDS (detection only, matches are logged but not blocked) or IPS (prevention). Possibilities: IDS, IPS, UNKNOWN. (v9)
  • Policy Resource ID—The ID of the IPS policy resource that matched (for example, a Signature List). (v9)
  • Direction—Direction of the packet that matched the signature: C2S (client to server), S2C (server to client), or UNKNOWN. Source IP and Source Port describe the matched packet, so for an S2C event the source is the server, as in the example entry above (source port 80). (v9)
  • Firewall Rule ID—The rule ID matching the firewall session. (v9)
  • IPS Config Type—Possibilities: CONFIG, PROFILE, UNKNOWN. (v9)
  • AWS Region—AWS region from where the log was sent. (v9)
  • Application ID—The ID of the destination application. (v10)
  • CASI Category IDs—The name of the Application category to which the App ID belongs. (v10)
  • Data Center—The name of the data center that processed the user-generated traffic. (v10)
  • Organization ID—The Umbrella organization ID. For more information, see Find Your Organization ID. (v10)
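The field order and the optional v11 header above are enough to write a parser. The following is an added example, not code from the Umbrella documentation or product: it maps each CSV column to the field names listed above, rejects lines with the wrong column count (a shifted column would silently put the destination port in the action field), treats the columns that are blank in the example entry as optional, reports the byte size of an entry (the example entry comes out at 353 bytes, matching the figure above), and pulls out high-severity events that were only logged because the tunnel ran in IDS mode. The sample log is constructed: it contains the v11 header row, the example entry from this page, and one made-up entry with a placeholder signature ID and message (including a comma, to show why the csv module is used rather than splitting on commas).

```python
import csv
import io
from collections import Counter

# Column order of the IPS log, following the "Order of Fields" list above (27 columns).
IPS_FIELDS = [
    "timestamp", "identities", "identity_types", "generator_id", "signature_id",
    "signature_message", "signature_list_id", "severity", "attack_classification",
    "cves", "ip_protocol", "session_id", "source_ip", "source_port",
    "destination_ip", "destination_port", "action", "operation_mode",
    "policy_resource_id", "direction", "firewall_rule_id", "ips_config_type",
    "aws_region", "application_id", "casi_category_ids", "data_center",
    "organization_id",
]

# Columns that are blank in the page's example entry; assumed optional and mapped to None.
OPTIONAL_FIELDS = {"cves", "application_id", "casi_category_ids", "data_center"}

# Constructed sample (not a real export): the optional v11 header row, the page's
# example entry, and one made-up entry with a placeholder signature ID and message.
SAMPLE_LOG = """\
"Timestamp","Identities","Identity Types","Generator ID","Signature ID","Signature Message","Signature List ID","Severity","Attack Classification","CVEs","IP Protocol","Session ID","Source IP","Source Port","Destination IP","Destination Port","Action","Operation Mode","Policy Resource ID","Direction","Firewall Rule ID","IPS Config Type","AWS Region","Application ID","CASI Category IDs","Data Center","Organization ID"
"2024-09-11 23:17:13","Firewall Tunnel Name","Network Tunnels","1","16606","SERVER-ORACLE BEA WebLogic Server Plug-ins Certificate overflow attempt","50516","HIGH","Attempted User Privilege Gain","cve-2009-1016","TCP","12345","123.123.123.123","80","1.1.1.1","40762","Would Block","IDS","50516","S2C","21171","PROFILE","eu-central-2b","","","","8151514"
"2024-09-11 23:18:02","Firewall Tunnel Name","Network Tunnels","1","10001","TEST placeholder signature, with a comma in the message","50516","MEDIUM","Attempted Administrator Privilege Gain","","TCP","12346","1.1.1.1","40763","123.123.123.123","443","Block","IPS","50516","C2S","21171","PROFILE","eu-central-2b","","","","8151514"
"""


def parse_ips_log(text):
    """Parse IPS log CSV text into a list of dicts keyed by IPS_FIELDS.

    The signature message is free text and may contain commas, so csv.reader is
    used instead of str.split. The optional header row is skipped by its first
    column. A line with any other column count is rejected rather than mis-mapped.
    """
    records = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue  # blank line
        if row[0] == "Timestamp":
            continue  # optional v11 header row
        if len(row) != len(IPS_FIELDS):
            raise ValueError(f"expected {len(IPS_FIELDS)} fields, got {len(row)}: {row[:2]}")
        rec = dict(zip(IPS_FIELDS, row))
        for key in OPTIONAL_FIELDS:
            if rec[key] == "":
                rec[key] = None
        records.append(rec)
    return records


def entry_size_bytes(line):
    """UTF-8 size of one entry without its newline, for sizing S3 log storage."""
    return len(line.encode("utf-8"))


def unblocked_high_severity(records):
    """HIGH-severity matches that were logged but not stopped: the tunnel was in
    IDS (detection) mode, so the Action is only 'Would Block'. Accepts both the
    'Would Block' spelling of the example entry and the 'would_block' spelling
    of the field description."""
    return [
        r for r in records
        if r["operation_mode"] == "IDS"
        and r["action"].replace("_", " ").lower() == "would block"
        and r["severity"].upper() == "HIGH"
    ]


def count_by_signature(records):
    """Event count per (Signature ID, Signature Message) for a quick triage view."""
    return Counter((r["signature_id"], r["signature_message"]) for r in records)


if __name__ == "__main__":
    recs = parse_ips_log(SAMPLE_LOG)
    example_line = SAMPLE_LOG.splitlines()[1]
    print(f"parsed {len(recs)} entries; example entry is {entry_size_bytes(example_line)} bytes")
    for r in unblocked_high_severity(recs):
        print("not blocked (IDS mode):", r["timestamp"], r["signature_id"],
              r["source_ip"], r["source_port"], "->", r["destination_ip"],
              r["destination_port"], r["direction"])
    for (sid, msg), n in count_by_signature(recs).most_common():
        print(n, sid, msg)
```

Run against a real export by replacing SAMPLE_LOG with the file contents; the column-count check is deliberately strict, so a new log version that appends fields will fail loudly until IPS_FIELDS is extended rather than shifting every column after the change.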
