Add Device to Zone (Device Event) | LogRhythm Documentation

Log Fields and Parsing

This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.

Log Field	LogRhythm Default	LogRhythm Default v2.0
N/A	<severity>	N/A
Agent Version	N/A	N/A
Device Message	N/A	<vendorinfo>
Device Name	<dname>	N/A
Event Name	<vmid>	<action>, <tag1>
Event Type	N/A	<vmid>
IP Address	N/A	<dip>
Logged On Users	N/A	<domainorigin>, <login>
MAC Address	N/A	<dmac>
OS	N/A	N/A
Policy Change	N/A	N/A
Policy Name	N/A	N/A
Renamed	N/A	N/A
User	<login>	<login>
Zones Added	N/A	N/A
Zone Name	<group>	N/A

Log Processing Settings

This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.

LogRhythm Default

Regex ID	Rule Name	Rule Type	Common Events	Classifications
1008220	Add Device to Zone	Base Rule	System Added to Group	Access Granted

LogRhythm Default v2.0

Regex ID	Rule Name	Rule Type	Common Events	Classifications
1011402	V 2.0 : Cylance Protect : Device Events	Base Rule	General Information Log Message	Information
	V 2.0 : Cylance Protect : Policy Assigned	Sub Rule	Policy Enabled : Object	Policy
	V 2.0 : Cylance Protect : Device Removed	Sub Rule	Object Deleted/Removed	Access Success
	V 2.0 : Cylance Protect : Device Updated	Sub Rule	Object Attribute Modified	Access Success
	V 2.0 : Cylance Protect : Zone Assigned	Sub Rule	Object Attribute Modified	Access Success
	V 2.0 : Cylance Protect : Device Registered	Sub Rule	Device Registered	Other Audit Success
	V 2.0 : Cylance Protect : System Security	Sub Rule	General Authentication Event	Other Audit