Catch All : Level 2 1
Vendor Documentation
Classification
| Rule Name | Rule Type | Classification | Common Event |
|---|---|---|---|
| Catch-All : Level 2 | Base Rule | Operations : Information | General Information |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| CEF:Version | N/A | N/A | Identifies the version of the CEF format. |
| Device Vendor | N/A | N/A | Identifies the vendor of the sending device. |
| Device Product | N/A | N/A | Identifies the product of the sending device. |
| Device Version | N/A | N/A | Identifies the version of the sending device. |
| Signature ID | N/A | N/A | Unique event-type identifier. |
| Name | N/A | N/A | Description of the event. |
| Severity | <severity> | Number | Reflects the importance of the event. |
| Extension | N/A | N/A | Collection of key-value pairs. |
| content | N/A | N/A | Detailed description of the event. |
| asset_ip | N/A | N/A | Asset IP address for single asset events. |
| asset_hostname | N/A | N/A | Asset hostname(s) for single asset events. |
| dst_asset_ip | N/A | N/A | Destination asset IP address for multiple asset events. |
| dst_asset_hostname | N/A | N/A | Destination asset host names for directional events. |
| dst_asset_mac | N/A | N/A | Destination asset MAC address for multiple asset events. |
| dst_asset_domain | N/A | N/A | Destination asset domain names for directional events. |
| src_asset_ip | N/A | N/A | Destination asset IP address for multiple asset events. |
| src_asset_hostname | N/A | N/A | Destination asset host names for directional events. |
| src_asset_mac | N/A | N/A | Destination asset MAC address for multiple asset events. |
| src_asset_domain | N/A | N/A | Destination asset domain names for directional events. |
| id | N/A | N/A | Unique ID for the event. |
| asset_domain | N/A | N/A | Asset domain names for single asset events. |
| asset_id | N/A | N/A | Dragos system asset ID for single asset events. |
| asset_mac | N/A | N/A | Asset MAC address for single asset events. |
| createdAt | N/A | N/A | Date and time when the event was created (not the same as the transmission time sent in syslog). |
| detection quad | <objecttype> | String | Name of the quad in the four types of detection quad used in the Dragos platform. |
| detectorid | N/A | N/A | Unique ID of the collector that originated the event. |
| dst_asset_id | N/A | N/A | Dragos system destination asset ID for multiple asset events. |
| matchedRuleId | N/A | N/A | Dragos notification rule that triggered sending the alert over syslog. |
| occurredAt | N/A | N/A | Date and time the event occurred at based off the record(s) processed by the sensor. |
| originalSeverity | N/A | N/A | Original Dragos severity; some events become higher severity if they are repeated over time. |
| reviewed | N/A | N/A | True if the event has been marked reviewed by a human. |
| src_asset_id | N/A | N/A | Dragos system destination asset ID for multiple asset events. |
| type | N/A | N/A | Type of event; this field is free form so the values can be inconsistent at times. |