Deny List Transaction Event
Vendor Documentation
Classification
Rule Name | Rule Type | Classification | Common Event |
|---|---|---|---|
| Deny List Transaction Event | Base Rule | Access Success | Object Modified |
| Deny List Updated : Object Added | Sub Rule | Access Success | Object Added |
| Deny List Updated : Object Removed | Sub Rule | Access Success | Object Deleted/Removed |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Header (logVer) | N/A | N/A | CEF format version |
| Header (vendor) | N/A | N/A | Appliance vendor |
| Header (pname) | N/A | N/A | Appliance product |
| Header (pver) | N/A | N/A | Appliance version |
| Header (eventid) | <vmid> | Number | Event ID |
| Header (eventName) | <vendorinfo> | Text/String | Description |
| Header (severity) | N/A | N/A | Severity |
| deviceExternalId | N/A | N/A | ID |
| act | <action> <tag1> | Text/String | The action in the event |
| cs1 | <policy> | Text/String | Type |
| cs1Label | N/A | N/A | Type label |
| cs2 | <severity> | Text/String | Risk level |
| cs2Label | N/A | N/A | Risk level label |
| deviceExternalId | N/A | N/A | Appliance GUID |
| dhost | <dname> | Text/String | Destination host name |
| dpt | <dport> | Number | Destination port |
| dst | <dip> | IP | Destination IP address |
| dvc | N/A | N/A | Appliance IP address |
| dvchost | N/A | N/A | Appliance host name |
| dvcmac | N/A | N/A | Appliance MAC address |
| end | N/A | N/A | Report end time Format: Unix timestamp (number of milliseconds since Jan 01 1970 UTC) |
| fileHash | <hash> | Text/String | SHA1 |
| request | <url> | Text/String | URL |
| rt | N/A | N/A | Analysis time Format: Unix timestamp (number of milliseconds since Jan 01 1970 UTC) |