Identifying the Event Source Appliance

[sunilamin]

Scenario: AN environment has dozens of IDS appliances monitoring their network and they are all emitting detection events which I want to collect and map to Detection Finding.

Question: how would I identify exactly which IDS appliance was the source of the event?

Ideas I explored:

• device (using the Host profile): the data structure would be a good match, but the description is clear that this should describe the "affected device/host". So I don't think this is correct.
• metadata: this seems like a good spot as it contains other information like identifying the product but there is no where I can describe the source appliance identifying attributes like hostname and IP address.

Is there a location that I'm overlooking? or do we need to add a device object somewhere in metadata?

Any guidance would be appreciated.

[guy9001]

metadata.loggers has the device object inside, I think that could be a good spot if you're looking to add the "logging device" - what do you think?

[sunilamin]

Oh awesome! Thanks for pointing that out. I totally missed that.