IPS Log Formats
IPS logs show traffic, events, and possible threats detected by Umbrella's Intrusion Prevention System.
Examples
"2024-09-11 23:17:13","Firewall Tunnel Name","Network Tunnels","1","16606","SERVER-ORACLE BEA WebLogic Server Plug-ins Certificate overflow attempt","50516","HIGH","Attempted User Privilege Gain","cve-2009-1016","TCP","12345","123.123.123.123","80","1.1.1.1","40762","Would Block","IDS","50516","S2C","21171","PROFILE","eu-central-2b","","","","8151514"
The example entry is 353 bytes. To estimate the size of your S3 Logs, see Estimate the Size of Your Logs.
Order of Fields in the IPS Log
<timestamp><identities><identity types><generator id><signature id><signature message><signature list id><severity><attack classification><CVEs><IP protocol><session ID><source IP><source port><destination IP><destination port><action><operation mode><policy resource ID><direction><firewall rule ID><IPS config type><AWS region><Application ID><CASI Category IDs><Data Center><Organization ID>
- Timestamp—When this request was made in UTC.
- Identities—All tunnel identities associated with this request.
- Identity Types—The type of identity associated with this request.
- Generator ID—Unique ID assigned to the part of the IPS which generated the event.
- Signature ID—Used to uniquely identify signatures.
- Signature Message—A brief description of the signature.
- Signature List ID—Unique ID assigned to a Default or Custom Signature List.
- Severity—The severity level of the rule, such as High, Medium, Low, and Very Low.
- Attack Classification—The category of attack detected by a rule that is part of a more general type of attack class, such as trojan-activity, attempted-user, and unknown.
- CVEs—A list of information about security vulnerabilities and exposures.
- IP Protocol—The actual protocol of the traffic, such as TCP, UDP, ICMP.
- Session ID—The unique identifier of a session, which is used to group the correlated events between various services.
- Source IP—The IP of the computer making the request.
- Source Port—The port the request was made on.
- Destination IP—The destination IP requested.
- Destination Port—The destination port the request was made on.
- Action—The action performed when traffic meets a rule's criteria, such as block, warn, and would_block.
- Operation Mode—The mode of operation chosen when enabling IPS (detection or prevention). Possibilities: IDS, IPS, UNKNOWN. (v9)
- Policy Resource ID—Identifies the IPS policy resource (for example, a Signature List). (v9)
- Direction—Direction of the packet that matched the signature. Possibilities: S2C, C2S, UNKNOWN. (v9)
- Firewall Rule ID—The rule ID matching the firewall session. (v9)
- IPS Config Type—Possibilities: CONFIG, PROFILE, UNKNOWN. (v9)
- AWS Region—AWS region from where the log was sent. (v9)
- Application ID—The ID of the destination application. (v10)
- CASI Category IDs—The name of the Application category to which the App ID belongs. (v10)
- Data Center—The name of the data center that processed the user-generated traffic. (v10)
- Organization ID—The Umbrella organization ID. For more information, see Find Your Organization ID. (v10)
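As an added example (not code from the Umbrella documentation), a small Python parser that maps one quoted-CSV entry onto the field order above and flags HIGH-severity events that were only detected, not blocked; the snake_case field names are my own, and the sample line is the entry from this page.

```python
import csv
import io
from datetime import datetime, timezone

# Field order as documented for the v10 IPS log (27 fields); names are assumed.
IPS_FIELDS = [
    "timestamp", "identities", "identity_types", "generator_id",
    "signature_id", "signature_message", "signature_list_id", "severity",
    "attack_classification", "cves", "ip_protocol", "session_id",
    "source_ip", "source_port", "destination_ip", "destination_port",
    "action", "operation_mode", "policy_resource_id", "direction",
    "firewall_rule_id", "ips_config_type", "aws_region", "application_id",
    "casi_category_ids", "data_center", "organization_id",
]

# The example entry from this page, embedded so the script runs offline.
SAMPLE_LINE = (
    '"2024-09-11 23:17:13","Firewall Tunnel Name","Network Tunnels","1","16606",'
    '"SERVER-ORACLE BEA WebLogic Server Plug-ins Certificate overflow attempt",'
    '"50516","HIGH","Attempted User Privilege Gain","cve-2009-1016","TCP","12345",'
    '"123.123.123.123","80","1.1.1.1","40762","Would Block","IDS","50516","S2C",'
    '"21171","PROFILE","eu-central-2b","","","","8151514"\n'
)


def parse_ips_line(line):
    """Parse one IPS log entry into a dict keyed by field name.

    Raises ValueError when the field count differs from the documented order,
    so a schema change or a truncated line is noticed instead of mis-mapped.
    """
    row = next(csv.reader(io.StringIO(line), quotechar='"'))
    if len(row) != len(IPS_FIELDS):
        raise ValueError(f"expected {len(IPS_FIELDS)} fields, got {len(row)}")
    rec = dict(zip(IPS_FIELDS, row))
    # Timestamps are documented as UTC; attach that timezone explicitly.
    ts = datetime.strptime(rec["timestamp"], "%Y-%m-%d %H:%M:%S")
    rec["timestamp"] = ts.replace(tzinfo=timezone.utc)
    for port in ("source_port", "destination_port"):
        rec[port] = int(rec[port])
    return rec


def unblocked_high_severity(rec):
    """True when a HIGH-severity signature matched but the traffic was not
    actually blocked: the engine ran in IDS (detection-only) mode, or the
    action was 'would_block'. These are the events to review first."""
    action = rec["action"].lower().replace(" ", "_")
    not_blocked = rec["operation_mode"] == "IDS" or action == "would_block"
    return rec["severity"] == "HIGH" and not_blocked
```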