Vendor Documentation
Classification
| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| Blocked Host Log Messages | Base Rule | Threat Blocked | Failed Activity |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| N/A | N/A | N/A | CEF format version (the leading `CEF:<n>` header field) |
| N/A | N/A | N/A | Device Vendor (CEF header field) |
| N/A | <vendorinfo> | Text/String | Device Product (CEF header field) |
| N/A | <version> | Text/String | Device Version (CEF header field) |
| N/A | <object> | Text/String | Integer or string identifying the alert that generated the notification (CEF Signature ID header field) |
| N/A | <objecttype> | Text/String | Name of the alert type (CEF Name header field) |
| Severity | <severity> | Number | Severity level, in the range 1 (lowest) to 10 (critical) |
| rt | N/A | N/A | Time stamp of the event that generated the alert |
| src | <sip> | IP Address | IP address of the host that sent the blocked traffic |
| cs3Label | N/A | N/A | Label for the cs3 field (Match Type) |
| dpt | <dport> | Number | Port number on the host to which the blocked traffic was sent |
| cn2 | N/A | N/A | Protection Group ID |
| proto | <protname> | Text/String | Protocol of the blocked traffic |
| dst | <dip> | IP Address | IP address of the host to which the blocked traffic was sent |
| cn1 | N/A | N/A | Element ID |
| spt | <sport> | Number | Port number on the host that sent the blocked traffic |
| cs2Label | N/A | N/A | Label for the cs2 field (Protection Group Name) |
| cs1Label | N/A | N/A | Label for the cs1 field (IOC Pattern) |
| cn1Label | N/A | N/A | Label for the cn1 field (Element ID) |
| cn2Label | N/A | N/A | Label for the cn2 field (Protection Group ID) |
| cs7Label | N/A | N/A | Label for the cs7 field (Threat Category) |
| cs7 | N/A | N/A | Threat Category |
| cs6 | <threatname> | Text/String | Threat Name |
| cs1 | N/A | N/A | IOC Pattern |
| cs6Label | N/A | N/A | Label for the cs6 field (Threat Name) |
| cs3 | N/A | N/A | Match Type |
| cs2 | <group> | Text/String | Protection Group Name |
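The following parser applies the mapping table above to a CEF Blocked Host message, producing the LogRhythm schema fields (sip, dip, sport, dport, protname, threatname, group, and the header-derived vendorinfo, version, object, objecttype, severity). It is an added example written for this page, not LogRhythm's or the device vendor's code. The sample message, vendor, product, version and alert ID are constructed placeholders; the label values (Threat Name, Match Type, and so on) follow the descriptions in the table. The parser handles the two CEF escaping rules that trip up naive `split()` approaches: `\|` inside header fields and `\=` inside extension values. Fields the table leaves as N/A in the schema (cs1, cs3, cs7, cn1, cn2) are kept under their csNLabel/cnNLabel names so nothing is silently dropped.

```python
"""Parse a CEF "Blocked Host" message into the LogRhythm schema fields from the
mapping table above. Added example for this page; the sample message is
constructed for illustration (placeholder vendor, product, version and alert
ID), not captured from a real device."""
import re
from typing import Dict, List, Tuple

# CEF extension key -> LogRhythm schema field, per the mapping table.
EXTENSION_MAP = {
    "src": "sip", "dst": "dip", "spt": "sport", "dpt": "dport",
    "proto": "protname", "cs6": "threatname", "cs2": "group",
}
INT_FIELDS = {"sport", "dport"}

# An extension key starts at the beginning of the string or after whitespace and
# ends at an unescaped '='; an escaped '\=' inside a value therefore never matches.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_]+)=")


def split_cef(message: str) -> Tuple[List[str], str]:
    """Return the seven CEF header fields and the raw extension string.

    Header fields are '|'-delimited; a literal pipe or backslash inside a header
    field is escaped as '\\|' or '\\\\', so scan instead of using str.split."""
    if not message.startswith("CEF:"):
        raise ValueError("not a CEF message")
    fields, current, i = [], [], 0
    while i < len(message) and len(fields) < 7:
        ch = message[i]
        if ch == "\\" and i + 1 < len(message) and message[i + 1] in "|\\":
            current.append(message[i + 1])  # drop the escape, keep the character
            i += 2
        elif ch == "|":
            fields.append("".join(current))
            current = []
            i += 1
        else:
            current.append(ch)
            i += 1
    if len(fields) != 7:
        raise ValueError("CEF header needs 7 pipe-delimited fields")
    return fields, message[i:]


def _unescape_value(raw: str) -> str:
    # Extension values escape '=' as '\=' and '\' as '\\'; '\n' and '\r' are line breaks.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), raw)


def parse_extension(extension: str) -> Dict[str, str]:
    """Split 'key=value key=value ...' where values may themselves contain spaces."""
    keys = list(_KEY_RE.finditer(extension))
    parsed = {}
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(extension)
        parsed[m.group(1)] = _unescape_value(extension[m.end():end].strip())
    return parsed


def to_logrhythm(message: str) -> Dict[str, object]:
    """Map one Blocked Host message onto the schema fields the table defines.

    CEF header order is version|vendor|product|device version|signature id|name|
    severity. The table maps product -> <vendorinfo>, device version -> <version>,
    signature id -> <object>, name -> <objecttype>; Device Vendor has no schema
    field, so it is kept only as 'vendor' here."""
    header, raw_ext = split_cef(message)
    ext = parse_extension(raw_ext)
    record: Dict[str, object] = {
        "cef_version": header[0].split(":", 1)[1],
        "vendor": header[1],
        "vendorinfo": header[2],
        "version": header[3],
        "object": header[4],
        "objecttype": header[5],
        "severity": int(header[6]),
    }
    if not 1 <= record["severity"] <= 10:
        raise ValueError("severity outside the documented 1..10 range")
    for key, field in EXTENSION_MAP.items():
        if key in ext:
            record[field] = int(ext[key]) if field in INT_FIELDS else ext[key]
    # cs1/cs3/cs7/cn1/cn2 have no schema field; keep them keyed by their csNLabel/cnNLabel
    # so Element ID, IOC Pattern, Match Type and Threat Category are not lost.
    mapped = set(EXTENSION_MAP)
    record["unmapped"] = {
        ext[label]: ext[label[:-5]]
        for label in ext
        if label.endswith("Label") and label[:-5] in ext and label[:-5] not in mapped
    }
    return record


# Constructed sample (not a real device message): placeholder vendor/product/version,
# with an escaped '=' inside the threat name to exercise value unescaping.
SAMPLE = (
    "CEF:0|ExampleVendor|ExampleProduct|1.0|1001|Blocked Host|7|"
    "rt=1700000000000 src=203.0.113.45 spt=51515 dst=198.51.100.10 dpt=443 proto=TCP "
    "cn1=12 cn1Label=Element ID cn2=3 cn2Label=Protection Group ID "
    "cs1=203.0.113.0/24 cs1Label=IOC Pattern cs2=Web Servers cs2Label=Protection Group Name "
    "cs3=exact cs3Label=Match Type cs6=Example Threat\\=v2 cs6Label=Threat Name "
    "cs7=Botnet cs7Label=Threat Category"
)

if __name__ == "__main__":
    for name, value in to_logrhythm(SAMPLE).items():
        print(f"{name:12} {value}")
```

Run the file directly to print the parsed record for the constructed sample. Because the table fixes cs6 as Threat Name and cs2 as Protection Group Name, the parser maps those by key; if a device firmware ever reassigns the custom-string slots, the `unmapped` dictionary keyed by label is the place to notice it, since the labels travel with the message.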