Classification

Note: in the rows below the third column holds the LogRhythm Common Event and the fourth the Classification, which is the order the values in this table actually follow.

| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| Audit Events 2 | Base Rule | General Auditing Message | Other Audit |
| System Configuration Change Failed | Sub Rule | Modify Object Failure | Access Failure |
| System Configuration Changed | Sub Rule | Configuration Modified : System | Configuration |
| User Role Change Failed | Sub Rule | Command Execution Failure | Access Failure |
| User Role Change | Sub Rule | Role Attribute Modified | Account Modified |
| Authentication Check Failed | Sub Rule | User Logon Failure | Authentication Failure |
| Authentication Check | Sub Rule | Authentication Activity | Authentication Success |
| User Access Vector Cache Message | Sub Rule | General Audit Message | Other Audit |
| Mandatory Access Control Status | Sub Rule | Security Status | Activity |
| Policy Loaded | Sub Rule | Policy Enabled : System | Policy |
| Configuration Changed | Sub Rule | Configuration Modified : System | Configuration |
| Security Label Set | Sub Rule | Object Attribute Modified | Access Success |
| Abnormal Process Termination | Sub Rule | Suspicious Activity | Suspicious |
| User Command Failed | Sub Rule | Command Execution Failure | Access Failure |
| User Command | Sub Rule | Command Executed | Access Success |
| Access Vector Cache Message | Sub Rule | Object Read | Access Success |
| User Login Failed | Sub Rule | User Logon Failure | Authentication Failure |
| Configuration Change | Sub Rule | Configuration Modified : System | Configuration |
| Credentials Acquired | Sub Rule | Authentication Activity | Authentication Success |
| Credentials Dispensed | Sub Rule | Authentication Activity | Authentication Success |
| Credentials Set | Sub Rule | Authentication Activity | Authentication Success |
| Working Directory Changed | Sub Rule | Command Executed | Access Success |
| Service Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown |
| Service Started | Sub Rule | Process/Service Started | Startup and Shutdown |
| Login | Sub Rule | User Logon | Authentication Success |
| Object Path Opened | Sub Rule | Object Read | Access Success |
| System Call | Sub Rule | System Call | Other Audit Success |
| File Opened | Sub Rule | Object Read | Access Success |
| File Permissions Set | Sub Rule | Policy Enabled : Object | Policy |
| File Owner Changed | Sub Rule | Object Attribute Modified | Access Success |
| File Group Changed | Sub Rule | Object Modified | Access Success |
| Directory Created | Sub Rule | Object Created | Access Success |
| Link To File Created | Sub Rule | Object Created | Access Success |
| User Account Summary | Sub Rule | General Auditing Message | Other Audit |
| Authentication | Sub Rule | Authentication Activity | Authentication Success |
| Session Closed For User | Sub Rule | Session Closed For User | Other Audit Success |
| User Login | Sub Rule | User Logon | Authentication Success |
| Session Started For User | Sub Rule | User Logon | Authentication Success |
| Configuration Change Failed | Sub Rule | Modify Object Failure | Access Failure |
| Credentials Acquire Failed | Sub Rule | Failed To Acquire Credentials | Error |
| Credentials Dispense Failed | Sub Rule | Failed To Dispense Credentials | Error |
| Credentials Set Failed | Sub Rule | Authentication Failure Activity | Authentication Failure |
| Working Directory Change Failed | Sub Rule | Read Object Failure | Access Failure |
| Service Stop Failed | Sub Rule | Service Stop Failed | Error |
| Service Started Failed | Sub Rule | Service Start Failure | Error |
| Login Attempt Failed | Sub Rule | Authentication Failure Activity | Authentication Failure |
| System Call Failed | Sub Rule | Failed System Call | Error |
| Object Opened Failed | Sub Rule | Access Object Failure | Access Failure |
| File Permissions Set Failed | Sub Rule | Modify Object Failure | Access Failure |
| File Ownership Change Failed | Sub Rule | Modify Object Failure | Access Failure |
| Set Group ID Failed | Sub Rule | Modify Object Failure | Access Failure |
| Directory Creation Failed | Sub Rule | Create Object Failure | Access Failure |
| Link To File Failed | Sub Rule | Link To File Failed | Error |
| User Account Summary Failed | Sub Rule | General Audit Failure | Error |
| Authentication Failed | Sub Rule | Authentication Failure Activity | Authentication Failure |
| Close Session Failed | Sub Rule | Close Session Failed | Error |
| Create Session Command Failed | Sub Rule | Command Execution Failure | Access Failure |
| User Error | Sub Rule | User Error | Error |
| Command Executed | Sub Rule | Command Executed | Access Success |
| End Of Event Message | Sub Rule | General Information Log Message | Information |
| Object Process ID | Sub Rule | Object Process ID Information | Other Audit |
| File Descriptor Pair | Sub Rule | General Auditing Message | Other Audit |
| User Logout | Sub Rule | User Logoff | Authentication Success |
Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type |
|---|---|---|
| type | `<vmid>` | Text/String |
| msg | `<subject>` | Number/String |
| auid | `<account>` | Number |
| pid | `<process>` | Number |
| cwd | `<object>` | Text/String |
| syscall | `<tag3>` | Text/String |
| success | `<tag2>` | Text/String |
| ogid | `<group>` | Text/String |
| hostname | `<sname>` | Number |
| addr | `<sip>` | Number |
| terminal | `<session>` | Text/String |
| op | `<tag1>` | Text/String |