Blocked Host Log Messages
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
---|---|---|---|
Blocked Host Log Messages | Base Rule | Threat Blocked | Failed Activity |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
---|---|---|---|
N/A | N/A | N/A | CEF and Syslog format version |
N/A | N/A | N/A | Device Vendor |
N/A | <vendorinfo> | Text/String | Device Product |
N/A | <version> | Text/String | Device Version |
N/A | <object> | Text/String | Integer or string to identify alert that generated the notification |
N/A | <objecttype> | Text/String | Name of the alert type |
Severity | <severity> | Number | Severity level, in the range from 1 to 10 (critical) |
rt | N/A | N/A | Time stamp of the event that generated the alert |
src | <sip> | IP Address | IP Address for the host that sent blocked traffic |
cs3Label | N/A | N/A | Label describing the cs3 field |
dpt | <dport> | Number | Port number on the host to which the blocked traffic was sent |
cn2 | N/A | N/A | Protection Group ID |
proto | <protname> | Text/String | Protocol associated with the blocked host |
dst | <dip> | IP Address | IP Address for the host to which blocked traffic was sent |
cn1 | N/A | N/A | Element ID |
spt | <sport> | Number | Port number on the host that sent blocked traffic |
cs2Label | N/A | N/A | Label describing the cs2 field |
cs1Label | N/A | N/A | Label describing the cs1 field |
cn1Label | N/A | N/A | Label describing the cn1 field |
cn2Label | N/A | N/A | Label describing the cn2 field |
cs7Label | N/A | N/A | Label describing the cs7 field |
cs7 | N/A | N/A | Threat Category |
cs6 | <threatname> | Text/String | Threat Name |
cs1 | N/A | N/A | IOC Pattern |
cs6Label | N/A | N/A | Label describing the cs6 field |
cs3 | N/A | N/A | Match Type |
cs2 | <group> | Text/String | Protection Group Name |
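As an added example (not part of this documentation or of LogRhythm's parser), the following Python reads a constructed CEF Blocked Host message and applies the mapping in the table above: header fields become vendorinfo/version/object/objecttype/severity, the extension keys become sip, dip, sport, dport, protname, threatname and group, and the unmapped csN/cnN values are surfaced under their csNLabel/cnNLabel names. The vendor, product and field values in the sample line are made up.

```python
import re

# CEF extension key -> LogRhythm schema field, taken from the mapping table above.
EXT_TO_SCHEMA = {"src": "sip", "dst": "dip", "spt": "sport", "dpt": "dport",
                 "proto": "protname", "cs6": "threatname", "cs2": "group"}

def split_cef_header(line):
    """Split the seven pipe-delimited CEF header fields, honouring the '\\|' escape.
    Returns (header_fields, extension_string)."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):      # escaped character inside a header field
            cur.append(line[i + 1]); i += 2; continue
        if ch == "|":
            fields.append("".join(cur)); cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) < 7:
        raise ValueError("malformed CEF header: fewer than 7 fields")
    return fields, line[i:]

def parse_extension(ext):
    """Parse 'key=value key=value' pairs; values may contain spaces and '\\=' escapes."""
    ext = ext.strip()
    keys = list(re.finditer(r"(?:^|\s)([A-Za-z0-9_]+)=", ext))
    out = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = ext[m.end():end].replace("\\=", "=").replace("\\\\", "\\")
    return out

def parse_blocked_host(line):
    """Map one CEF Blocked Host message onto the LogRhythm schema names from the table."""
    hdr, ext = split_cef_header(line)
    e = parse_extension(ext)
    rec = {"vendorinfo": hdr[2], "version": hdr[3], "object": hdr[4],
           "objecttype": hdr[5], "severity": int(hdr[6])}
    if not 1 <= rec["severity"] <= 10:              # table: severity is in the range 1..10
        raise ValueError("severity outside 1..10: %d" % rec["severity"])
    for key, field in EXT_TO_SCHEMA.items():
        if key in e:
            rec[field] = e[key]
    for port in ("sport", "dport"):                 # ports are Number in the schema
        if port in rec:
            rec[port] = int(rec[port])
    # csN/cnN fields with no schema mapping are kept under their csNLabel/cnNLabel names.
    rec["labelled"] = {e[k + "Label"]: e[k] for k in ("cs1", "cs2", "cs3", "cs6", "cs7", "cn1", "cn2")
                       if k in e and k + "Label" in e}
    return rec

# Constructed sample message; vendor, product and values are illustrative only.
SAMPLE = ("CEF:0|ExampleVendor|ExampleProduct|1.2.3|blocked_host|Blocked Host|7|"
          "rt=Jan 01 2024 12:00:00 src=198.51.100.23 spt=51515 dst=192.0.2.10 dpt=443 proto=TCP "
          "cn1=17 cn1Label=Element ID cn2=4 cn2Label=Protection Group ID "
          "cs2=Web Servers cs2Label=Protection Group Name cs3=exact cs3Label=Match Type "
          "cs1=/evil\\=path cs1Label=IOC Pattern cs6=Malicious Host cs6Label=Threat Name "
          "cs7=Botnet cs7Label=Threat Category")

if __name__ == "__main__":
    for k, v in parse_blocked_host(SAMPLE).items():
        print(k, "=", v)
```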