Vendor Documentation
Classification

| Rule Name | Rule Type | Classification | Common Event |
|---|---|---|---|
| Catch-All : Level 2 | Base Rule | Operations : Information | General Information |
Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| CEF:Version | N/A | N/A | Identifies the version of the CEF format. |
| Device Vendor | N/A | N/A | Identifies the vendor of the sending device. |
| Device Product | N/A | N/A | Identifies the product of the sending device. |
| Device Version | N/A | N/A | Identifies the version of the sending device. |
| Signature ID | N/A | N/A | Unique event-type identifier. |
| Name | N/A | N/A | Description of the event. |
| Severity | `<severity>` | Number | Reflects the importance of the event. |
| Extension | N/A | N/A | Collection of key-value pairs. |
| content | N/A | N/A | Detailed description of the event. |
| asset_ip | N/A | N/A | Asset IP address for single asset events. |
| asset_hostname | N/A | N/A | Asset hostname(s) for single asset events. |
| dst_asset_ip | N/A | N/A | Destination asset IP address for multiple asset events. |
| dst_asset_hostname | N/A | N/A | Destination asset host names for directional events. |
| dst_asset_mac | N/A | N/A | Destination asset MAC address for multiple asset events. |
| dst_asset_domain | N/A | N/A | Destination asset domain names for directional events. |
| src_asset_ip | N/A | N/A | Source asset IP address for multiple asset events. |
| src_asset_hostname | N/A | N/A | Source asset host names for directional events. |
| src_asset_mac | N/A | N/A | Source asset MAC address for multiple asset events. |
| src_asset_domain | N/A | N/A | Source asset domain names for directional events. |
| id | N/A | N/A | Unique ID for the event. |
| asset_domain | N/A | N/A | Asset domain names for single asset events. |
| asset_id | N/A | N/A | Dragos system asset ID for single asset events. |
| asset_mac | N/A | N/A | Asset MAC address for single asset events. |
| createdAt | N/A | N/A | Date and time when the event was created (not the same as the transmission time sent in syslog). |
| detection quad | `<objecttype>` | String | Name of the detection quad; one of the four detection quads used in the Dragos platform. |
| detectorid | N/A | N/A | Unique ID of the collector that originated the event. |
| dst_asset_id | N/A | N/A | Dragos system destination asset ID for multiple asset events. |
| matchedRuleId | N/A | N/A | Dragos notification rule that triggered sending the alert over syslog. |
| occurredAt | N/A | N/A | Date and time the event occurred, based on the record(s) processed by the sensor. |
| originalSeverity | N/A | N/A | Original Dragos severity; some events are raised to a higher severity if they are repeated over time. |
| reviewed | N/A | N/A | True if the event has been marked reviewed by a human. |
| src_asset_id | N/A | N/A | Dragos system source asset ID for multiple asset events. |
| type | N/A | N/A | Type of event; this field is free form, so the values can be inconsistent at times. |
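The mapping above only populates two schema fields (`<severity>` from the CEF header and `<objecttype>` from the detection quad key); every other device key is passed through unmapped. The following is an added illustration of how a parser would apply that mapping to a Dragos-style CEF message; it is example code written for this page, not LogRhythm's or Dragos's own parser. It handles the CEF escaping rules (`\|` in header fields, `\=` in extension values) and assumes the detection quad key is spelled `detection_quad` in the wire format, since the page writes it as "detection quad" and CEF extension keys cannot contain spaces. The sample message is constructed, not captured from a sensor.

```python
import re

# CEF header: seven pipe-delimited fields, then the extension.  A literal pipe
# inside a header field is escaped as "\|" and a backslash as "\\".
_HEADER_FIELD = r"((?:\\.|[^|\\])*)\|"
HEADER_RE = re.compile("^" + _HEADER_FIELD * 7 + r"(.*)$", re.DOTALL)

# Extension key: a run of key characters that starts the string or follows
# whitespace and is immediately followed by "=".  Values may contain spaces,
# so a value runs up to the next key; "=" and "\" inside values are escaped.
KEY_RE = re.compile(r"(?<![^\s])([A-Za-z0-9_.\-]+)=")

# Assumed spelling: the page lists the device key as "detection quad", but a
# CEF extension key cannot contain a space, so an underscore is assumed here.
DETECTION_QUAD_KEY = "detection_quad"

# Constructed sample message (not captured from a real Dragos sensor).
SAMPLE = (
    "CEF:0|Dragos|Platform|1.0|2001|Unexpected Write \\| Modbus|7|"
    "id=evt-0001 content=Write to register addr\\=40001 from engineering workstation "
    "asset_ip=10.20.0.15 asset_hostname=plc-01 detection_quad=Threat Behavior "
    "occurredAt=2024-01-01T00:00:00Z createdAt=2024-01-01T00:00:05Z "
    "originalSeverity=5 reviewed=false type=Protocol Anomaly"
)


def unescape_header(field):
    """Undo CEF header escaping: "\|" -> "|", "\\" -> "\"."""
    return re.sub(r"\\([\\|])", r"\1", field)


def unescape_extension(value):
    """Undo CEF extension escaping: "\=" -> "=", "\\" -> "\"."""
    return re.sub(r"\\([\\=])", r"\1", value)


def parse_extension(ext):
    """Split the extension into a dict; each value ends where the next key begins."""
    keys = list(KEY_RE.finditer(ext))
    parsed = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        parsed[m.group(1)] = unescape_extension(ext[m.end():end].rstrip())
    return parsed


def parse_cef(msg):
    """Split a CEF message into its seven header fields and the extension dict."""
    m = HEADER_RE.match(msg)
    if not m or not m.group(1).startswith("CEF:"):
        raise ValueError("not a CEF message")
    version, vendor, product, dev_version, sig_id, name, severity = (
        unescape_header(g) for g in m.groups()[:7]
    )
    return {
        "cef_version": version[len("CEF:"):],
        "device_vendor": vendor,
        "device_product": product,
        "device_version": dev_version,
        "signature_id": sig_id,
        "name": name,
        "severity": severity,
        "extension": parse_extension(m.group(8)),
    }


def map_to_logrhythm(msg):
    """Apply the Catch-All mapping: <severity> from the header (Number) and
    <objecttype> from the detection quad key (String).  Every other device key
    on the page is N/A, so it is returned unmapped rather than dropped."""
    cef = parse_cef(msg)
    sev = cef["severity"]
    return {
        "severity": int(sev) if sev.isdigit() else None,
        "objecttype": cef["extension"].get(DETECTION_QUAD_KEY),
        "unmapped": {k: v for k, v in cef["extension"].items()
                     if k != DETECTION_QUAD_KEY},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(map_to_logrhythm(SAMPLE), indent=2))
```

Because the free-form `type` key and the `content` text can contain spaces, the parser anchors on `key=` tokens rather than splitting on whitespace; an unescaped `=` inside a value would still be read as a new key, which is exactly why CEF requires senders to escape it.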