Alarm Messages
Vendor Documentation
https://marketplace.microfocus.com/arcsight/content/lancope-stealthwatch-r
https://www.dropbox.com/s/mbwlv9f2t1si5d4/Lancope_StealthWatch_6_6_CEF_Config_Guide_2015.pdf?dl=0
Classification
| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| | Base Rule | Entered Alarm State / Alarm Raised | Operations |
| High Total Traffic | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| High Traffic | Sub Rule | Suspicious Network Activity | Suspicious |
| Half Open Attack | Sub Rule | General Attack Activity | Attack |
| ICMP Flood | Sub Rule | General Attack Activity | Attack |
| SYN Flood | Sub Rule | General Attack Activity | Attack |
| Brute Force Login | Sub Rule | Brute Force Activity | Attack |
| Data Exfiltration | Sub Rule | Data Loss Alert : High | Critical |
| Data Hoarding | Sub Rule | Data Loss Prevention Activity | Activity |
| Suspect Data Hoarding | Sub Rule | Data Loss Prevention Activity | Activity |
| Target Data Hoarding | Sub Rule | Data Loss Prevention Activity | Activity |
| Bot Infected Host - Attempted C&C Activity | Sub Rule | Detected Botnet Activity | Malware |
| Bot Infected Host - Successful C&C Activity | Sub Rule | Detected Botnet Activity | Malware |
| Bot Command & Control Server | Sub Rule | Detected Botnet Activity | Malware |
| Worm Activity | Sub Rule | Detected Worm Activity | Malware |
| Worm Propagation | Sub Rule | Detected Worm Activity | Malware |
| SMC Disk Space Low | Sub Rule | Disk / Storage Full | Critical |
| FlowCollector RAID Failure | Sub Rule | Disk Drive Failure | Critical |
| FlowCollector RAID Rebuilding | Sub Rule | Disk Drive Failure | Critical |
| FlowCollector Performance Degraded | Sub Rule | Disk Drive Failure | Critical |
| SMC RAID Failure | Sub Rule | Disk Drive Failure | Critical |
| SMC RAID Rebuilding | Sub Rule | Disk Drive Failure | Critical |
| New Host Active | Sub Rule | Evaluated New Host | Information |
| FlowSensor VE Configuration Error | Sub Rule | Flow manager error | Error |
| FlowSensor Traffic Lost | Sub Rule | Flow manager error | Error |
| FlowSensor RAID Failure | Sub Rule | Flow manager error | Error |
| FlowSensor RAID Rebuilding | Sub Rule | Flow manager error | Error |
| FlowSensor Time Mismatch | Sub Rule | Flow manager error | Error |
| FlowSensor Management Channel Down | Sub Rule | Flow manager error | Error |
| Short Fragments | Sub Rule | Fragmented Packet Received | Network Traffic |
| UDP Flood | Sub Rule | General Attack Activity | Attack |
| Port Flood | Sub Rule | General Attack Activity | Attack |
| Packet Flood | Sub Rule | General Attack Activity | Attack |
| Relationship SYN Flood | Sub Rule | General Attack Activity | Attack |
| Relationship UDP Flood | Sub Rule | General Attack Activity | Attack |
| Relationship ICMP Flood | Sub Rule | General Attack Activity | Attack |
| Suspect Data Loss | Sub Rule | General Data Loss Message | Information |
| V-Motion | Sub Rule | General VMware Server Information | Information |
| Fake Application Detected | Sub Rule | Host Compromised | Compromise |
| Scanner Talking | Sub Rule | Host Compromised | Compromise |
| Bad Host | Sub Rule | Host Compromised | Compromise |
| High DDoS Target Index | Sub Rule | Host Distributed Denial Of Service | Denial of Service |
| High DDoS Source Index | Sub Rule | Host Distributed Denial Of Service | Denial of Service |
| ICMP Received | Sub Rule | ICMP Flow Events | Network Traffic |
| MAC Address Violation | Sub Rule | Invalid MAC Address | Error |
| License Corrupted | Sub Rule | License Error | Error |
| Unlicensed Feature | Sub Rule | License Error | Error |
| StealthWatch Flow License Exceeded | Sub Rule | License Exceeded | Critical |
| FlowCollector Flow Data Lost | Sub Rule | Lost Flow Detail Records | Network Traffic |
| FlowCollector Data Deleted | Sub Rule | Lost Flow Detail Records | Network Traffic |
| FlowCollector Log Retention Reduced | Sub Rule | Lost Flow Detail Records | Network Traffic |
| FlowCollector Exporter Count Exceeded | Sub Rule | Lost Flow Detail Records | Network Traffic |
| FlowCollector FlowSensor VE Count Exceeded | Sub Rule | Lost Flow Detail Records | Network Traffic |
| FlowCollector Flow Rate Exceeded | Sub Rule | Lost Flow Detail Records | Network Traffic |
| FlowCollector Time Mismatch | Sub Rule | Lost Flow Detail Records | Network Traffic |
| Malformed Fragments | Sub Rule | Malformed Object | Suspicious |
| Interface Utilization Exceeded Inbound | Sub Rule | Max Flow Limit Reached | Network Traffic |
| Interface Utilization Exceeded Outbound | Sub Rule | Max Flow Limit Reached | Network Traffic |
| NAT IP | Sub Rule | NAT Detection Status | Network Traffic |
| Slow Connection Flood | Sub Rule | Network Denial Of Service | Denial of Service |
| SLIC Channel Down | Sub Rule | Network Interface Changed State To Down | Information |
| Identity Channel Down | Sub Rule | Network Interface Changed State To Down | Information |
| SMC Failover Channel Down | Sub Rule | Network Interface Changed State To Down | Information |
| SMC Duplicate Primary | Sub Rule | Network Management Warning | Warning |
| SMC System Expired | Sub Rule | Network Management Warning | Warning |
| SMC Maintenance Expired | Sub Rule | Network Management Warning | Warning |
| SMC Invalid License File | Sub Rule | Network Management Warning | Warning |
| Port Scan | Sub Rule | Port Scan | Reconnaissance |
| Exploitation | Sub Rule | Potential Vulnerability Exploit Allowed | Activity |
| FlowCollector Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown |
| Cisco ISE Management Channel Down | Sub Rule | Process/Service Stopped | Startup and Shutdown |
| FlowCollector Management Channel Down | Sub Rule | Process/Service Stopped | Startup and Shutdown |
| Anomaly | Sub Rule | Protocol Anomaly | Attack |
| Recon | Sub Rule | Reconnaissance Activity | Reconnaissance |
| Policy Violation | Sub Rule | Security Policy Violation | Warning |
| Spam Source | Sub Rule | Spam Detected | Activity |
| SSH Reverse Shell | Sub Rule | SSH Potentially Serious Problem | Warning |
| New VM | Sub Rule | Status For Virtual Machine Set | Information |
| Host Lock Violation | Sub Rule | Suspicious Host Activity | Suspicious |
| Touched | Sub Rule | Suspicious Host Activity | Suspicious |
| Trapped Host | Sub Rule | Suspicious Host Activity | Suspicious |
| Beaconing Host | Sub Rule | Suspicious Host Activity | Suspicious |
| Low Traffic | Sub Rule | Suspicious Network Activity | Suspicious |
| Suspect Long Flow | Sub Rule | Suspicious Network Activity | Suspicious |
| Command and Control | Sub Rule | Suspicious Network Activity | Suspicious |
| Suspect Quiet Long Flow | Sub Rule | Suspicious Network Activity | Suspicious |
| Relationship High Total Traffic | Sub Rule | Suspicious Network Activity | Suspicious |
| Relationship High Traffic | Sub Rule | Suspicious Network Activity | Suspicious |
| Relationship Low Traffic | Sub Rule | Suspicious Network Activity | Suspicious |
| Relationship Max Flows | Sub Rule | Suspicious Network Activity | Suspicious |
| Relationship New Flows | Sub Rule | Suspicious Network Activity | Suspicious |
| Relationship Round Trip Time | Sub Rule | Suspicious Network Activity | Suspicious |
| Relationship Server Response Time | Sub Rule | Suspicious Network Activity | Suspicious |
| Relationship TCP Retransmission Ratio | Sub Rule | Suspicious Network Activity | Suspicious |
| Suspect UDP Activity | Sub Rule | Suspicious Network Activity | Suspicious |
| Unknown OS | Sub Rule | System Software Warning | Warning |
| Multiple OS | Sub Rule | System Software Warning | Warning |
| SYNs Received | Sub Rule | TCP SYN Received | Network Traffic |
| High Concern Index | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| High File Sharing Index | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| High Target Index | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| Max Flows Initiated | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| Max Flows Served | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| New Flows Initiated | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| New Flows Served | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| High Volume Email | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| UDP Received | Sub Rule | UDP Flow Events | Network Traffic |
| Mail Rejects | Sub Rule | Unauthorized E-mail | Misuse |
| Hi SMB Peers | Sub Rule | Vuln Low Severity : SMB / NETBIOS | Vulnerability |
| Mail Relay | Sub Rule | Vuln Medium Severity : Mail Services | Vulnerability |
| Watch Port Active | Sub Rule | Watchlist Hit | Activity |
| Watch Host Active | Sub Rule | Watchlist Hit | Activity |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type |
|---|---|---|
| Device Vendor | <version> | Number/String |
| High Concern Index | <threatname>, <command> | Text/String |
| Notification | <vmid> | Number |
| Severity | <severity> | Number |
| msg | <subject> | Text/String |
| dst | <dip> | Number |
| src | <sip> | Number |
| start | N/A | N/A |
| end | N/A | N/A |
| externalId | N/A | N/A |
| cs3 | N/A | N/A |
| cs3Label | N/A | N/A |
| cs4 | N/A | N/A |
| cs4Label | N/A | N/A |
| cs5 | <url> | Text/String |
| cs5Label | N/A | N/A |
| cs6 | N/A | N/A |
| cs6Label | N/A | N/A |
| dpt | <dport> | Number |
| proto | <protnum> | Number |
| dvchost | N/A | N/A |
| dvc | N/A | N/A |
| dvcpid | N/A | N/A |
| deviceExternalId | N/A | N/A |
| cs2 | N/A | N/A |
| cs2Label | N/A | N/A |
| spt | N/A | N/A |
| destinationTranslatedAddress | N/A | N/A |
| destinationTranslatedPort | N/A | N/A |
| sourceTranslatedAddress | N/A | N/A |
| sourceTranslatedPort | N/A | N/A |