IDS Event Search

You can search for IDS events in the improved Get Started with Search experience in the Alert Logic console. You have the ability to search for IDS event data across managed accounts and access to IDS event information, including source host and destination host details, signature details and content, and header and payload information. You can also share and export data, schedule and save IDS event searches, and create incidents.

Analyzing IDS event data is a critical part to maintaining your environment's security posture. IDS event data can alert you to suspicious activity that is identified by finding patterns in network traffic, commonly known as "signature" network patterns. Network traffic is the machine-to-machine activity to and from your environment, and it is monitored by the Network IDS appliance. IDS signatures recognize a specific type of activity to generate events. Analytics evaluate these events to generate incidents and observations, which means you have access to details about suspicious activity before it can potentially become a threat.

To get started on searching for IDS event data, you must access the Search page. Click Search in the Alert Logic console, and then click the Search tab.

Search for IDS event data

In the Search page, you can search for IDS event data in Simple mode or Expert mode. Click the drop-down list to alternate between Expert Mode and Simple Mode. The mode you choose determines how you change the data type to IDS event and how you build your query.

Simple mode provides a graphical interface that allows you to add or remove conditions and fields, aggregate or add a function to predefined expressions, and determine sorting and order. Expert mode, on the other hand, allows you to create your own SQL searches and aggregations where you can combine search terms using nested logical expressions. You can also start a query in Simple mode, make changes to any of the fields, including the data type, and then switch to Expert mode. You can continue making changes to the query in Expert mode.

You can search for IDS event data across your managed accounts. The current Search experience can search IDS event data for up to 200 managed accounts and in 30-day increments. Alert Logic stores data for the last 13 months, all of which you can search, but you can only access the data in 30-day increments.

Search IDS event data in Simple mode

To search for IDS event data in Simple mode:

  1. In the Search page, on the right, click the drop-down list and select Simple Mode.
  2. If you want to search your managed accounts, turn on the Search Managed Accounts option.
  3. In the FROM field, click the drop-down list and select IDS event.
  4. Change the other fields and add fields as required for your search. To learn more about Simple mode, see Search Simple Mode.
  5. Click SEARCH to run your search when you have adjusted and added all your required fields.

Search IDS event data in Expert mode

To search for IDS event data in Expert mode:

  1. In the Search page, on the right, click the drop-down list and select Expert Mode.
  2. If you want to search your managed accounts, turn on the Search Managed Accounts option.
  3. In the query box, in the FROM field, replace the existing gray text with idsmsgs.
  4. Change the other fields and add fields as required for your search. To learn more about Expert mode, see Search Expert Mode.
  5. Click SEARCH to run your search when you have entered your query.

For aliases and field names, you must use double quotes, and for strings, you must use single quotes.

Below is an example of what a basic IDS event query with payload can look like in Expert mode:

SELECT 
  ts, ts_us,
  event_id, sig_id, 
  CAST(ip_src, 'ip') AS "Source", 
  srcport,
  CAST(ip_dst, 'ip') AS "Destination", 
  dstport, 
  payload[*].data AS "Payloads"
FROM idsmsgs
WHERE EXISTS (ts)
ORDER BY ts DESC
LIMIT 10000
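As an added example that is not part of the original page, the query above can be narrowed to events that hit one destination port from one signature, which is the usual first step when triaging a burst of alerts. The field names and CAST(..., 'ip') come from the page; the port and signature ID values are constructed placeholders, and combining conditions with AND in the WHERE clause is an assumption about the search syntax.

```sql
-- Added example (not from the Alert Logic page): narrow the IDS event query
-- to one destination port and one signature ID.
-- 445 and 2001234 are constructed placeholder values; replace them with the
-- port and SID you are investigating. Using AND to combine WHERE conditions
-- is an assumption about the search syntax.
SELECT
  ts, ts_us,
  event_id,
  sig_id AS "Signature ID",           -- alias: double quotes
  CAST(ip_src, 'ip') AS "Source",     -- string argument 'ip': single quotes
  srcport,
  CAST(ip_dst, 'ip') AS "Destination",
  dstport,
  payload[*].data AS "Payloads"
FROM idsmsgs
WHERE EXISTS (ts)
  AND dstport = 445
  AND sig_id = 2001234
ORDER BY ts DESC
LIMIT 500
```

Select the resulting rows and click CREATE INCIDENT to attach them as evidence if the matching traffic needs follow-up.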

Other Search features

After you conduct the search, you can take advantage of several features in both Simple mode and Expert mode that can facilitate your search experience, including saving and scheduling searches, exporting data, creating manual incidents, and more. Refer to the documentation below:

View IDS event details

In the search results, you can click on a row to expand details on an IDS event or click OPEN to go to the details page in a new tab.

Expanded details in search results

From the expanded details in the search results, you can see the following information when you click on an IDS event:

  • Date—The date and time the IDS event was tracked
  • Name—The name of the IDS event
  • Source—The source host IP the network traffic originates from
  • Source port—The source port the network traffic originates from
  • Destination—The destination host IP the network traffic is sent to
  • Destination port—The destination port the network traffic is sent to
  • Class—The type of event classification

From the expanded details view, you can Create an incident from an IDS event. You can also COPY ASCII or COPY HEX for the first packet of payload data dumps from the expanded details view.

Details view

To open a new tab with complete details on the IDS event, click OPEN from the expanded details view. From this page you can view more information on the event and:

  • view header and payload data dumps
  • view source host details
  • view destination host details
  • click share to copy a link
  • copy HEX or ASCII to copy data dumps
  • block hosts
  • create an incident

Event host details present information based on the current host associated with the IP, not the host associated with the IP at the time the event was generated.

You can see the following information in the details view:

  • Event ID—Unique ID assigned to the IDS event
  • Source—The source host IP the network traffic originates from; click to open the Source Host Details tab
  • Source Port—The source port the network traffic originates from
  • Appliance—Monitoring Network IDS appliance
  • Protocol—Network protocol used
  • Destination—The destination host IP the network traffic is sent to; click to open the Destination Host Details tab
  • Destination Port—The destination port the network traffic is sent to
  • Classification—The type of event
  • SID—Signature ID assigned to the signature; click to open the IDS Signature Details page
  • Header—Header data dump, includes TCP options if present.
  • Signature Content—Data on the signature content

Header and Payload tab

You can copy payload reconstruction data for the main event and any response events. Click COPY HEX or COPY ASCII to copy a single packet of the data in that row.

To copy all packets in the IDS event, click the white icons for COPY HEX or COPY ASCII on the upper-right corner of the page.

Block host

You have the option to block the source IP address and/or the destination IP address for a specific time frame. You can use this feature if you want to take extra precaution and further prevent attackers from accessing your network. Blocking the source host means that incoming traffic sent from the source IP address is blocked at the firewall. Blocking the destination host means incoming traffic sent to the destination IP address is blocked at the firewall. You set the appropriate time frame for the duration of the blocking action. After this time expires, the block is automatically reverted, and traffic to or from these IP addresses (depending on your setup) will no longer be blocked at the firewall.

To block hosts:

  1. Click BLOCK HOST on the upper-right corner of the page.
  2. Under Block IPs, select which IP addresses (source and/or destination) you want to block.
  3. Under Time Frame, use the drop-down list to choose the unit of time (minutes, hours, weeks, or months).
  4. In the field next to the unit of time you chose, enter the duration of time (example: 3 weeks). After this time expires, the block is automatically reverted.

Source Host Details tab

The Source Host Details tab provides additional information based on the host currently associated with the IP address. Under Investigate, you can click links to be redirected to the Exposures, Health, and Topology pages that are already filtered with the respective filters so you can dig deeper and take action.

If your source is not part of the Alert Logic scope of protection, WHOIS information is provided in this tab.

Destination Host Details tab

The Destination Host Details tab provides additional information based on the host currently associated with the IP address. Under Investigate, you can click links to be redirected to the Exposures, Health, and Topology pages that are already filtered with the respective filters so you can dig deeper and take action.

If your destination is not part of the Alert Logic scope of protection, WHOIS information is provided in this tab.

Create an incident from an IDS event

You can create manual incidents from one or more IDS events (up to 99 events). Incidents created from IDS events are saved as evidence for the incident. Creating an incident allows you to track a potential threat until it is resolved in the Incidents page.

At this time, Alert Logic does not support creating an incident when the Search Managed Accounts toggle is on.

To create an incident from multiple IDS events:

  1. From the list of search results, select the IDS events you want to create an incident from.
  2. Click CREATE INCIDENT.
  3. In the Summary field, provide a brief title for the incident.
  4. In the Description field, provide as much detail as you wish.
  5. In the Classification field, choose how you want to classify the incident, which is how it can be filtered in the Incidents page.
  6. Click CREATE.

To create an incident from one IDS event:

  1. From the search results, click a row to expand details on an IDS event, and then click CREATE INCIDENT. You can also click OPEN, and then in the Details page, in the upper-right corner, click CREATE INCIDENT.
  2. In the Summary field, provide a brief title for the incident.
  3. In the Description field, provide as much detail as you wish.
  4. In the Classification field, choose how you want to classify the incident, which is how it can be filtered in the Incidents page.
  5. Click CREATE.