Vendor Documentation
Classification
| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| Alarm Messages | Base Rule | Entered Alarm State / Alarm Raised | Operations |
| High Total Traffic | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| High Traffic | Sub Rule | Suspicious Network Activity | Suspicious |
| Half Open Attack | Sub Rule | General Attack Activity | Attack |
| ICMP Flood | Sub Rule | General Attack Activity | Attack |
| SYN Flood | Sub Rule | General Attack Activity | Attack |
| Brute Force Login | Sub Rule | Brute Force Activity | Attack |
| Data Exfiltration | Sub Rule | Data Loss Alert : High | Critical |
| Data Hoarding | Sub Rule | Data Loss Prevention Activity | Activity |
| Suspect Data Hoarding | Sub Rule | Data Loss Prevention Activity | Activity |
| Target Data Hoarding | Sub Rule | Data Loss Prevention Activity | Activity |
| Bot Infected Host - Attempted C&C Activity | Sub Rule | Detected Botnet Activity | Malware |
| Bot Infected Host - Successful C&C Activity | Sub Rule | Detected Botnet Activity | Malware |
| Bot Command & Control Server | Sub Rule | Detected Botnet Activity | Malware |
| Worm Activity | Sub Rule | Detected Worm Activity | Malware |
| Worm Propagation | Sub Rule | Detected Worm Activity | Malware |
| SMC Disk Space Low | Sub Rule | Disk / Storage Full | Critical |
| FlowCollector RAID Failure | Sub Rule | Disk Drive Failure | Critical |
| FlowCollector RAID Rebuilding | Sub Rule | Disk Drive Failure | Critical |
| FlowCollector Performance Degraded | Sub Rule | Disk Drive Failure | Critical |
| SMC RAID Failure | Sub Rule | Disk Drive Failure | Critical |
| SMC RAID Rebuilding | Sub Rule | Disk Drive Failure | Critical |
| New Host Active | Sub Rule | Evaluated New Host | Information |
| FlowSensor VE Configuration Error | Sub Rule | Flow manager error | Error |
| FlowSensor Traffic Lost | Sub Rule | Flow manager error | Error |
| FlowSensor RAID Failure | Sub Rule | Flow manager error | Error |
| FlowSensor RAID Rebuilding | Sub Rule | Flow manager error | Error |
| FlowSensor Time Mismatch | Sub Rule | Flow manager error | Error |
| FlowSensor Management Channel Down | Sub Rule | Flow manager error | Error |
| Short Fragments | Sub Rule | Fragmented Packet Received | Network Traffic |
| UDP Flood | Sub Rule | General Attack Activity | Attack |
| Port Flood | Sub Rule | General Attack Activity | Attack |
| Packet Flood | Sub Rule | General Attack Activity | Attack |
| Relationship SYN Flood | Sub Rule | General Attack Activity | Attack |
| Relationship UDP Flood | Sub Rule | General Attack Activity | Attack |
| Relationship ICMP Flood | Sub Rule | General Attack Activity | Attack |
| Suspect Data Loss | Sub Rule | General Data Loss Message | Information |
| V-Motion | Sub Rule | General VMware Server Information | Information |
| Fake Application Detected | Sub Rule | Host Compromised | Compromise |
| Scanner Talking | Sub Rule | Host Compromised | Compromise |
| Bad Host | Sub Rule | Host Compromised | Compromise |
| High DDoS Target Index | Sub Rule | Host Distributed Denial Of Service | Denial Of Service |
| High DDoS Source Index | Sub Rule | Host Distributed Denial Of Service | Denial Of Service |
| ICMP Received | Sub Rule | ICMP Flow Events | Network Traffic |
| MAC Address Violation | Sub Rule | Invalid MAC Address | Error |
| License Corrupted | Sub Rule | License Error | Error |
| Unlicensed Feature | Sub Rule | License Error | Error |
| StealthWatch Flow License Exceeded | Sub Rule | License Exceeded | Critical |
| FlowCollector Flow Data Lost | Sub Rule | Lost Flow Detail Records | Network Traffic |
| FlowCollector Data Deleted | Sub Rule | Lost Flow Detail Records | Network Traffic |
| FlowCollector Log Retention Reduced | Sub Rule | Lost Flow Detail Records | Network Traffic |
| FlowCollector Exporter Count Exceeded | Sub Rule | Lost Flow Detail Records | Network Traffic |
| FlowCollector FlowSensor VE Count Exceeded | Sub Rule | Lost Flow Detail Records | Network Traffic |
| FlowCollector Flow Rate Exceeded | Sub Rule | Lost Flow Detail Records | Network Traffic |
| FlowCollector Time Mismatch | Sub Rule | Lost Flow Detail Records | Network Traffic |
| Malformed Fragments | Sub Rule | Malformed Object | Suspicious |
| Interface Utilization Exceeded Inbound | Sub Rule | Max Flow Limit Reached | Network Traffic |
| Interface Utilization Exceeded Outbound | Sub Rule | Max Flow Limit Reached | Network Traffic |
| NAT IP | Sub Rule | NAT Detection Status | Network Traffic |
| Slow Connection Flood | Sub Rule | Network Denial Of Service | Denial Of Service |
| SLIC Channel Down | Sub Rule | Network Interface Changed State To Down | Information |
| Identity Channel Down | Sub Rule | Network Interface Changed State To Down | Information |
| SMC Failover Channel Down | Sub Rule | Network Interface Changed State To Down | Information |
| SMC Duplicate Primary | Sub Rule | Network Management Warning | Warning |
| SMC System Expired | Sub Rule | Network Management Warning | Warning |
| SMC Maintenance Expired | Sub Rule | Network Management Warning | Warning |
| SMC Invalid License File | Sub Rule | Network Management Warning | Warning |
| Port Scan | Sub Rule | Port Scan | Reconnaissance |
| Exploitation | Sub Rule | Potential Vulnerability Exploit Allowed | Activity |
| FlowCollector Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown |
| Cisco ISE Management Channel Down | Sub Rule | Process/Service Stopped | Startup and Shutdown |
| FlowCollector Management Channel Down | Sub Rule | Process/Service Stopped | Startup and Shutdown |
| Anomaly | Sub Rule | Protocol Anomaly | Attack |
| Recon | Sub Rule | Reconnaissance Activity | Reconnaissance |
| Policy Violation | Sub Rule | Security Policy Violation | Warning |
| Spam Source | Sub Rule | Spam Detected | Activity |
| SSH Reverse Shell | Sub Rule | SSH Potentially Serious Problem | Warning |
| New VM | Sub Rule | Status For Virtual Machine Set | Information |
| Host Lock Violation | Sub Rule | Suspicious Host Activity | Suspicious |
| Touched | Sub Rule | Suspicious Host Activity | Suspicious |
| Trapped Host | Sub Rule | Suspicious Host Activity | Suspicious |
| Beaconing Host | Sub Rule | Suspicious Host Activity | Suspicious |
| Low Traffic | Sub Rule | Suspicious Network Activity | Suspicious |
| Suspect Long Flow | Sub Rule | Suspicious Network Activity | Suspicious |
| Command and Control | Sub Rule | Suspicious Network Activity | Suspicious |
| Suspect Quiet Long Flow | Sub Rule | Suspicious Network Activity | Suspicious |
| Relationship High Total Traffic | Sub Rule | Suspicious Network Activity | Suspicious |
| Relationship High Traffic | Sub Rule | Suspicious Network Activity | Suspicious |
| Relationship Low Traffic | Sub Rule | Suspicious Network Activity | Suspicious |
| Relationship Max Flows | Sub Rule | Suspicious Network Activity | Suspicious |
| Relationship New Flows | Sub Rule | Suspicious Network Activity | Suspicious |
| Relationship Round Trip Time | Sub Rule | Suspicious Network Activity | Suspicious |
| Relationship Server Response Time | Sub Rule | Suspicious Network Activity | Suspicious |
| Relationship TCP Retransmission Ratio | Sub Rule | Suspicious Network Activity | Suspicious |
| Suspect UDP Activity | Sub Rule | Suspicious Network Activity | Suspicious |
| Unknown OS | Sub Rule | System Software Warning | Warning |
| Multiple OS | Sub Rule | System Software Warning | Warning |
| SYNs Received | Sub Rule | TCP SYN Received | Network Traffic |
| High Concern Index | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| High File Sharing Index | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| High Target Index | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| Max Flows Initiated | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| Max Flows Served | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| New Flows Initiated | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| New Flows Served | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| High Volume Email | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| UDP Received | Sub Rule | UDP Flow Events | Network Traffic |
| Mail Rejects | Sub Rule | Unauthorized E-mail | Misuse |
| Hi SMB Peers | Sub Rule | Vuln Low Severity : SMB / NETBIOS | Vulnerability |
| Mail Relay | Sub Rule | Vuln Medium Severity : Mail Services | Vulnerability |
| Watch Port Active | Sub Rule | Watchlist Hit | Activity |
| Watch Host Active | Sub Rule | Watchlist Hit | Activity |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type |
|---|---|---|
| Device Vendor | <version> | Number/String |
| High Concern Index | <threatname>, <command> | Text/String |
| Notification | <vmid> | Number |
| Severity | <severity> | Number |
| msg | <subject> | Text/String |
| dst | <dip> | Number |
| src | <sip> | Number |
| start | N/A | N/A |
| end | N/A | N/A |
| externalId | N/A | N/A |
| cs3 | N/A | N/A |
| cs3Label | N/A | N/A |
| cs4 | N/A | N/A |
| cs4Label | N/A | N/A |
| cs5 | <url> | Text/String |
| cs5Label | N/A | N/A |
| cs6 | N/A | N/A |
| cs6Label | N/A | N/A |
| dpt | <dport> | Number |
| proto | <protnum> | Number |
| dvchost | N/A | N/A |
| dvc | N/A | N/A |
| dvcpid | N/A | N/A |
| deviceExternalId | N/A | N/A |
| cs2 | N/A | N/A |
| cs2Label | N/A | N/A |
| spt | N/A | N/A |
| destinationTranslatedAddress | N/A | N/A |
| destinationTranslatedPort | N/A | N/A |
| sourceTranslatedAddress | N/A | N/A |
| sourceTranslatedPort | N/A | N/A |