Attack Anomaly
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| Attack Anomaly | Base Rule | General Attack Activity | Attack |
| Attack Anomaly (TCP/UDP) | Sub Rule | General Attack Activity | Attack |
| Attack Anomaly (ICMP) | Sub Rule | General Attack Activity | Attack |
Mapping with LogRhythm Schema
| Device Key in Log Message | Log Value | LogRhythm Schema | Data Type | Schema Description |
| logid | N/A | <vmid> | Number | Each log entry contains a Level (level) field that indicates the estimated severity of the event that caused the log entry, |
| severity | N/A | <severity> | Text/String | Each log entry contains a Level (level) field that indicates the estimated severity of the event that caused the log entry, |
| srcip | N/A | <sip> | IP Address | IP address of the traffic’s origin |
| dstip | N/A | <dip> | IP Address | Destination IP address for the web |
| srcport | N/A | <sport> | Number | Port number of the traffic's origin |
| dstport | N/A | <dport> | Number | Port number of the traffic's destination. |
| srcintf | N/A | <sinterface> | Text/String | Interface name of the traffic's origin. |
| proto | N/A | <protnum> | Number | The protocol used by web traffic (tcp by default) |
| vd | N/A | <domainorigin> | Text\String | Name of the virtual domain in which the log message was recorded. |
| sessionid | N/A | <session> | Number | ID for the session. |
| attackid | N/A | <processid> | Number | N/A |
| attack | N/A | <object> | Text\String | N/A |
| msg | N/A | <subject> | Text\String | N/A |
| ref | N/A | <url> | Text\String | N/A |
| action | N/A | <command> | Text\String | N/A |
| count | N/A | <quantity> | Number | N/A |