Catch All : Level 2 (LST: Syslog - Symantec ICDX CEF)

https://techdocs.broadcom.com/content/dam/broadcom/techdocs/symantec-security-software/endpoint-security-and-management/integrated-cyber-defense-exchange/generated-pdfs/ICDx_1.4.1_Administration_Guide.pdf

Catch All : Level 2

Base Rule

General Information

Information

Device Key in Log Message

LogRhythm Schema

Data Type

Schema Description

Version

N/A

N/A

N/A

Vendor

N/A

N/A

N/A

Device Product

N/A

N/A

N/A

Device Version

<version>

Number

N/A

Device Event Class_ID

<vmid>

Text/String

The number representing the type of the event. If translation is used, the type enum name is defined by the ICD Schema.

Name

<vendorinfo>

Text/String

The description of the event. If the message attribute is missing and translation is used, the name is generated using the type_id and id enum names.

Severity

<severity>

Number

The severity of the event, mapped as follows:

• ICD Severity = CEF Severity

• 0 (Unknown or missing) = Unknown

• 1 (Informational) = 1

• 2 (Warning) = 3

• 3 (Minor) = 6

• 4 (Major) = 8

• 5 (Critical) = 9

• 6 (Fatal) = 10