How to use event.category intrusion_detection

How can I activate intrusion_detection in Auditbeat's event.category?

When debugging, log.logger appears as publisher and event.category includes intrusion_detection, but when the daemon service is run, intrusion_detection is not output and only process is output.

#### intrusion_detection

Relating to intrusion detections from IDS/IPS systems and functions, both network and host-based. Use this category to visualize and analyze intrusion detection alerts from systems such as Snort, Suricata, and Palo Alto threat detections.

**Expected event types for category intrusion_detection:**

allowed, denied, info
https://www.elastic.co/guide/en/ecs/8.4/ecs-allowed-values-event-category.html
