Anomalies Audit Log Messages
Vendor Documentation
Classification
| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| Anomalies Audit Log Messages | Base Rule | General Audit Messages | Information |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| N/A | N/A | N/A | Format |
| N/A | N/A | N/A | Device Vendor |
| N/A | N/A | N/A | Device Product |
| N/A | N/A | N/A | Device Version |
| N/A | <vmid> | Text/String | Device Event Class ID |
| N/A | <vendorinfo> | Text/String | Name |
| N/A | N/A | N/A | Severity |
| start | N/A | N/A | N/A |
| suser | <login>, <domainorigin> | Text/String | N/A |
| activityName | N/A | N/A | N/A |
| actorIdType | N/A | N/A | N/A |
| classificationNames | N/A | N/A | N/A |
| incidentId | N/A | N/A | N/A |
| riskSeverity | <severity> | Text/String | N/A |
| incidentRiskSeverityId | N/A | N/A | N/A |
| informationAccountId | N/A | N/A | N/A |
| informationCategory | <objecttype> | Text/String | N/A |
| informationConfigType | <sessiontype> | Text/String | N/A |
| informationContentItemCreatedOn | N/A | N/A | N/A |
| contentItemId | N/A | N/A | N/A |
| contentItemName | N/A | N/A | N/A |
| contentItemType | N/A | N/A | N/A |
| informationEventId | N/A | N/A | N/A |
| informationHistoricalUserRiskScore | N/A | N/A | N/A |
| policyId | N/A | N/A | N/A |
| policyName | <policy> | Text/String | N/A |
| informationRegion | N/A | N/A | N/A |
| informationScanName | N/A | N/A | N/A |
| informationScanRunDate | N/A | N/A | N/A |
| instanceId | N/A | N/A | N/A |
| instanceName | <objectname> | Text/String | N/A |
| response | <result> | Text/String | N/A |
| serviceNames | <parentprocessname> | Text/String | N/A |
| significantlyUpdatedAt | N/A | N/A | N/A |
| status | <status> | Text/String | N/A |
| updatedOn | N/A | N/A | N/A |