{
"additionalProperties": false,
"description": "IDS event flow data specific to each IDS event. The data includes source ip, source port, destination ip, destination port, protocol, rule id, profile id, and the action.",
"id": "PolicyIdsEventFlowData",
"module_id": "PolicyIDSMetrics",
"properties": {
"action_type": {
"description": "The action pertaining to the detected intrusion. Possible values are ALERT, DROP, REJECT, and INVALID. ALERT - If there is a signature match on the packet, it is allowed to pass but a notification is sent to the user notifying an intrusion was detected. DROP - On a signature match, the packet is silently dropped. An alert is sent to the user that an intrusion was detected. REJECT - On a signature match, the packet is dropped and TCP RST or ICMP error messages (for non-TCP pkts) are sent to the endpoints. An alert is sent to the user that an intrusion was detected. INVALID - If the action doesn't belong to any of the above mentioned categories, it is marked as INVALID.",
"enum": [
"ALERT",
"DROP",
"REJECT",
"INVALID"
],
"readonly": true,
"required": false,
"title": "IDS Event action",
"type": "string"
},
"bytes_toclient": {
"description": "Bytes sent to client.",
"readonly": true,
"required": false,
"title": "Bytes to client",
"type": "integer"
},
"bytes_toserver": {
"description": "Bytes sent to server.",
"readonly": true,
"required": false,
"title": "Bytes to server",
"type": "integer"
},
"client_ip": {
"description": "IP address of the VM that initiated the communication.",
"readonly": true,
"required": false,
"title": "IP address of the client VM",
"type": "string"
},
"destination_ip": {
"description": "IP address of the destination VM on the intrusion flow.",
"readonly": true,
"required": false,
"title": "IP address of the destination VM",
"type": "string"
},
"destination_port": {
"description": "Port on the destination VM where the traffic was sent to.",
"readonly": true,
"required": false,
"title": "Destination port",
"type": "integer"
},
"gateway": {
"description": "Name of the gateway on which this intrusion was detected.",
"readonly": true,
"required": false,
"title": "Gateway where the intrusion was detected at",
"type": "string"
},
"gateway_tags": {
"description": "Tags associated with the gateway on which this intrusion was detected.",
"items": {
"$ref": "Tag
},
"readonly": true,
"required": false,
"title": "Tags associated with the gateway",
"type": "array"
},
"host": {
"description": "Name of the host on which this intrusion was detected.",
"readonly": true,
"required": false,
"title": "Host where intrusion was seen",
"type": "string"
},
"local_vm_ip": {
"description": "IP address of VM on the host where IDS engine is running.",
"readonly": true,
"required": false,
"title": "IP address of the local VM",
"type": "string"
},
"profile_id": {
"description": "The IDS profile id that is associated with the IDS rule pertaining to the intrusion event detected.",
"readonly": true,
"required": false,
"title": "IDS profile id",
"type": "string"
},
"protocol": {
"description": "Traffic protocol pertaining to the detected intrusion, could be TCP/UDP etc.",
"readonly": true,
"required": false,
"title": "Traffic protocol pertaining to the intrusion",
"type": "string"
},
"rule_id": {
"description": "The IDS Rule id pertaining to the detected intrusion.",
"readonly": true,
"required": false,
"title": "IDS Rule id of detected intrusion",
"type": "integer"
},
"source_ip": {
"description": "IP address of the source VM on the intrusion flow.",
"readonly": true,
"required": false,
"title": "IP address of the source VM",
"type": "string"
},
"source_port": {
"description": "Source port through which traffic was initiated that caused the intrusion to be detected.",
"readonly": true,
"required": false,
"title": "Source port",
"type": "integer"
},
"traffic_type": {
"description": "The source where the intrusion was detected. Possible values are GATEWAY and HOST.",
"enum": [
"GATEWAY",
"HOST"
],
"readonly": true,
"required": false,
"title": "IDS event detection source",
"type": "string"
}
},
"title": "IDS event flow data",
"type": "object"
}