Vendor Documentation
Classification
|
Rule Name |
Rule Type |
Common Event |
Classification |
|---|---|---|---|
|
CRED Messages |
Base Rule |
System Audit Event |
Other Audit |
|
CRED ACQ Messages |
Sub Rule |
System Audit Event |
Other Audit |
|
CRED DISP Messages |
Sub Rule |
System Audit Event |
Other Audit |
Mapping with LogRhythm Schema
|
Device Key in Log Message |
LogRhythm Schema |
Data Type |
Schema Description |
|---|---|---|---|
|
type |
<vmid> |
Text/String |
Type of the record. |
|
msg |
<serialnumber> |
Number |
Records a time stamp and a unique ID of the record in the form audit(time_stamp:ID). |
|
pid |
<processid> |
Number |
Records the Process ID (PID). |
|
uid |
<login> |
Number |
Records the real user ID of the user who started the analyzed process. |
|
auid |
N/A |
N/A |
Records the Audit user ID. |
|
ses |
<session> |
Number |
Records the session ID of the session from which the analyzed process was invoked. |
|
op |
<action> |
Text/String |
Records the operation performed |
|
grantors |
N/A |
N/A |
Records the module or service granting, verifying, or revoking the credential. |
|
acct |
<account> |
Text/String |
Record the user account name under which the process was executed. |
|
exe |
<parentprocesspath> |
Text/String |
Records the path to the executable that was used to invoke the analyzed process. |
|
hostname |
<sname> |
Text/String |
Records the host name. |
|
addr |
<sip> |
IP Address |
Records the IPv4 or IPv6 address. This field usually follows a hostname field and contains the address the host name resolves to. |
|
terminal |
<sessiontype> |
Text/String |
Records the terminal name (without |
|
res |
<result> |
Text/String |
Records the result of the operation that triggered the Audit event. |