NSX-T Data Center REST API

PolicyIdsEventFlowData (schema)

IDS event flow data

IDS event flow data specific to each IDS event. The data includes source IP, source port, destination IP, destination port, protocol, rule id, profile id, and the action.

Name Description Type Notes
action_type IDS Event action

The action pertaining to the detected intrusion. Possible values are ALERT, DROP, REJECT, and INVALID.
ALERT - If there is a signature match on the packet, it is allowed to pass, but a notification is sent to the user that an intrusion was detected.
DROP - On a signature match, the packet is silently dropped. An alert is sent to the user that an intrusion was detected.
REJECT - On a signature match, the packet is dropped and TCP RST or ICMP error messages (for non-TCP packets) are sent to the endpoints. An alert is sent to the user that an intrusion was detected.
INVALID - If the action doesn't belong to any of the above categories, it is marked as INVALID.
string Readonly
Enum: ALERT, DROP, REJECT, INVALID
attacker IP address of the attacker

IP address of the attacker VM on the intrusion flow.
string Readonly
bytes_toclient Bytes to client

Bytes sent to client.
integer Readonly
bytes_toserver Bytes to server

Bytes sent to server.
integer Readonly
client_ip IP address of the client VM

IP address of the VM that initiated the communication.
string Readonly
destination_ip Attacker Destination IP

Destination IP address of attacker.
string Readonly
destination_port Attacker Destination port

Destination port of attacker.
integer Readonly
flow_destination_ip IP address of the destination VM

IP address of the destination VM on the intrusion flow.
string Readonly
flow_destination_port Destination port

Port on the destination VM to which the traffic was sent.
integer Readonly
flow_source_ip IP address of the source VM

IP address of the source VM on the intrusion flow.
string Readonly
flow_source_port Source port

Port on the source VM where traffic was initiated.
integer Readonly
gateway Gateway where the intrusion was detected

Name of the gateway on which this intrusion was detected.
string Readonly
gateway_tags Tags associated with the gateway

Tags associated with the gateway on which this intrusion was detected.
array of Tag Readonly
host Host where intrusion was seen

Name of the host on which this intrusion was detected.
string Readonly
local_vm_ip IP address of the local VM

IP address of VM on the host where IDS engine is running.
string Readonly
profile_id IDS profile id

The IDS profile id that is associated with the IDS rule pertaining to the intrusion event detected.
string Readonly
protocol Traffic protocol pertaining to the intrusion

Traffic protocol pertaining to the detected intrusion, for example TCP or UDP.
string Readonly
rule_id IDS Rule id of detected intrusion

The IDS Rule id pertaining to the detected intrusion.
integer Readonly
source_ip Attacker Source IP

Source IP address of attacker.
string Readonly
source_port Attacker Source port

Source port of attacker.
integer Readonly
target IP address of the target VM

IP address of the target VM on the intrusion flow.
string Readonly
traffic_type IDS event detection source

The source where the intrusion was detected. Possible values are GATEWAY and HOST.
string Readonly
Enum: GATEWAY, HOST
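
Added example (not part of the VMware reference and not VMware code): a triage helper that checks a flow-data record against the enums and integer types listed above and counts, per rule and target, the events whose action_type was ALERT, meaning the matching packet was allowed to pass. It assumes each record is a JSON-decoded dict keyed by the field names in this schema; the function names and the sample records are constructed for illustration.

```python
from collections import Counter

# Enum values and integer-typed fields as listed in the schema on this page.
ENUMS = {"action_type": {"ALERT", "DROP", "REJECT", "INVALID"},
         "traffic_type": {"GATEWAY", "HOST"}}
INT_FIELDS = ("rule_id", "source_port", "destination_port", "flow_source_port",
              "flow_destination_port", "bytes_toclient", "bytes_toserver")

def validate(flow):
    """Return the names of present fields that violate the schema's types/enums."""
    bad = [k for k, allowed in ENUMS.items() if k in flow and flow[k] not in allowed]
    for name in INT_FIELDS:
        value = flow.get(name)
        # bool is a subclass of int in Python, so reject it explicitly.
        if value is not None and (isinstance(value, bool) or not isinstance(value, int)):
            bad.append(name)
    return bad

def disposition(flow):
    """Map action_type to what happened to the packet that matched the signature."""
    action = flow.get("action_type")
    if action == "ALERT":
        return "passed"    # allowed through; notification only
    if action in ("DROP", "REJECT"):
        return "blocked"   # dropped; REJECT also sends TCP RST / ICMP error
    return "unknown"       # INVALID, missing, or outside the enum

def passed_by_rule(flows):
    """Count well-formed events per (rule_id, target) whose traffic was not blocked."""
    counts = Counter()
    for flow in flows:
        if not validate(flow) and disposition(flow) == "passed":
            counts[(flow.get("rule_id"), flow.get("target"))] += 1
    return counts

# Constructed sample records (documentation IP ranges), not real API output.
SAMPLE = [
    {"action_type": "ALERT", "rule_id": 1001, "target": "198.51.100.5", "traffic_type": "HOST"},
    {"action_type": "ALERT", "rule_id": 1001, "target": "198.51.100.5", "traffic_type": "HOST"},
    {"action_type": "DROP", "rule_id": 1001, "target": "198.51.100.5", "traffic_type": "GATEWAY"},
    {"action_type": "REJECT", "rule_id": 2002, "target": "198.51.100.9", "traffic_type": "HOST"},
    {"action_type": "INVALID", "rule_id": 2002, "target": "198.51.100.9", "traffic_type": "HOST"},
    {"action_type": "ALERT", "rule_id": "3003", "target": "198.51.100.7", "traffic_type": "HOST"},
]

if __name__ == "__main__":
    for (rule_id, target), n in passed_by_rule(SAMPLE).most_common():
        print(f"rule {rule_id} -> {target}: {n} event(s) passed unblocked")
```

Records that fail validation, such as the last sample with a string rule_id, are excluded from the count rather than guessed at, so they can be reviewed separately.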