GIM Category: detection
The Detection category represents findings generated by security products that identify potential malicious or policy-violating activity. These events originate from technologies such as intrusion detection and prevention systems (IDS/IPS), endpoint protection platforms (EPP/EDR), data loss prevention tools (DLP), and file integrity monitors (FIM).
Detections differ from SIEM alerts in that they are created by external security controls and represent observed conditions or rule matches at the source system. Monitoring these detections enables correlation across multiple technologies and supports threat hunting, incident triage, and long-term analytics.
network_detection
Detections generated by network-based security controls such as intrusion detection or prevention systems (IDS/IPS), firewalls with inspection capabilities, network DLP systems, or packet inspection tools. These detections identify suspicious or policy-violating activity within network traffic, typically based on signatures, behavioral heuristics, or data exfiltration patterns.
| gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description |
|---|---|---|---|---|---|
| 300000 | detection | detection.network_detection | | ids_detection | A detection message generated by a network intrusion detection or prevention system (IDS/IPS). |
| 300001 | detection | detection.network_detection | | network_detection | A detection message generated by a network traffic inspection or analytics product. |
| 300002 | detection | detection.network_detection | | network_dlp_detection | A detection message generated by a network data loss prevention (DLP) product. |
host_detection
Detections generated by endpoint or host-based security agents such as antivirus, EDR, HIPS, or DLP products. These events indicate that a host-level control detected potentially malicious, suspicious, or policy-violating activity. They often include contextual data such as the affected process, file, user, or registry object.
| gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description |
|---|---|---|---|---|---|
| 301000 | detection | detection.host_detection | | host_malware_detection | Detection message generated by a host-based antivirus or malware protection component. |
| 301001 | detection | detection.host_detection | | host_dlp_detection | Detection message generated by a host-based data loss prevention component. |
| 301002 | detection | detection.host_detection | | hips_detection | Detection message generated by a host intrusion prevention or detection system (HIPS/HIDS). |
| 301003 | detection | detection.host_detection | | fim_detection | Detection message generated by a file integrity monitoring (FIM) product. |
default
General detection events that do not fit into a more specific category, such as detections from aggregate analytics, correlation engines, or vendor-agnostic detection frameworks. This ensures all externally generated detection messages are captured, even when detailed classification is not available.
| gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description |
|---|---|---|---|---|---|
| 309999 | detection | detection.default | | detection_message | Generic detection event generated by an external security control or analytic system. |
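The following is an added example, not code from the GIM documentation or from Graylog, showing how a normalization step would apply the three tables above (network_detection, host_detection and the default fallback) to raw detection records before they reach correlation or hunting. The type codes, class, category and type names are taken verbatim from this page; the raw field names (`product`, `product_kind`, `message`), the `PRODUCT_KIND_TO_CODE` mapping and the sample records are assumptions constructed for the example. The point it demonstrates is the fallback behavior: anything the mapping cannot place still lands in `detection.default` / `detection_message` (309999) rather than being dropped, and any code outside the 300000-309999 block is rejected as a mapping error.

```python
"""Added example: normalize raw detection records onto the GIM detection class."""
from dataclasses import dataclass, asdict
from typing import Dict, Iterable, Optional, Tuple

# GIM detection event types exactly as listed in the tables on this page:
# code -> (gim_event_category, gim_event_type). The class is always "detection".
GIM_CLASS = "detection"
DETECTION_TYPES: Dict[int, Tuple[str, str]] = {
    300000: ("detection.network_detection", "ids_detection"),
    300001: ("detection.network_detection", "network_detection"),
    300002: ("detection.network_detection", "network_dlp_detection"),
    301000: ("detection.host_detection", "host_malware_detection"),
    301001: ("detection.host_detection", "host_dlp_detection"),
    301002: ("detection.host_detection", "hips_detection"),
    301003: ("detection.host_detection", "fim_detection"),
    309999: ("detection.default", "detection_message"),
}
DEFAULT_CODE = 309999  # detection.default / detection_message

# Hypothetical mapping (assumption, not part of GIM) from a source's
# self-declared product kind to a type code. A real deployment derives this
# from the parsed vendor/product fields of each integration.
PRODUCT_KIND_TO_CODE: Dict[str, int] = {
    "ids": 300000, "ips": 300000,
    "ndr": 300001,
    "network_dlp": 300002,
    "antivirus": 301000, "edr": 301000,
    "endpoint_dlp": 301001,
    "hips": 301002, "hids": 301002,
    "fim": 301003,
}


@dataclass(frozen=True)
class GimDetection:
    gim_event_type_code: int
    gim_event_class: str
    gim_event_category: str
    gim_event_type: str
    source_product: str
    message: str


def is_detection_code(code: int) -> bool:
    """The detection class owns the 300000-309999 code block on this page."""
    return 300000 <= code <= 309999


def classify(product_kind: Optional[str]) -> int:
    """Pick a type code; an absent or unknown product kind falls back to 309999."""
    if product_kind is None:
        return DEFAULT_CODE
    return PRODUCT_KIND_TO_CODE.get(product_kind.strip().lower(), DEFAULT_CODE)


def normalize(raw: dict) -> GimDetection:
    """Map one raw detection record (assumed field names) onto GIM fields."""
    code = classify(raw.get("product_kind"))
    # Guards against a PRODUCT_KIND_TO_CODE entry pointing outside the class.
    if not is_detection_code(code) or code not in DETECTION_TYPES:
        raise ValueError(f"{code} is not a detection-class type code")
    category, event_type = DETECTION_TYPES[code]
    return GimDetection(
        gim_event_type_code=code,
        gim_event_class=GIM_CLASS,
        gim_event_category=category,
        gim_event_type=event_type,
        source_product=raw.get("product", "unknown"),
        message=raw.get("message", ""),
    )


def summarize(events: Iterable[GimDetection]) -> Dict[str, int]:
    """Count normalized events per gim_event_category, a typical first pivot."""
    counts: Dict[str, int] = {}
    for event in events:
        counts[event.gim_event_category] = counts.get(event.gim_event_category, 0) + 1
    return counts


# Constructed sample records; not output from any real product.
SAMPLE_RAW = [
    {"product": "Example IDS", "product_kind": "IDS",
     "message": "signature match on 10.0.0.5 -> 203.0.113.7"},
    {"product": "Example EDR", "product_kind": "edr",
     "message": "suspicious child process spawned by winword.exe"},
    {"product": "Example FIM", "product_kind": "fim",
     "message": "hash changed for /etc/sudoers"},
    # No product_kind at all: a correlation engine result, kept via the default type.
    {"product": "Example correlation engine",
     "message": "multi-source rule fired for host ws-042"},
]

if __name__ == "__main__":
    normalized = [normalize(record) for record in SAMPLE_RAW]
    for event in normalized:
        print(asdict(event))
    print(summarize(normalized))
```

Keeping the fallback explicit matters for the correlation use case described at the top of this page: a detection that cannot be classified more precisely is still tagged with `gim_event_class` = `detection`, so class-level searches and analytics still see it, and the 309999 count becomes a useful measure of how much source coverage the normalization layer is missing.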
