Vendor Documentation
Classification
| Rule Name | Rule Type | Classification | Common Event |
|---|---|---|---|
| Deny List Transaction Event | Base Rule | Access Success | Object Modified |
| Deny List Updated : Object Added | Sub Rule | Access Success | Object Added |
| Deny List Updated : Object Removed | Sub Rule | Access Success | Object Deleted/Removed |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Header (logVer) | N/A | N/A | CEF format version |
| Header (vendor) | N/A | N/A | Appliance vendor |
| Header (pname) | N/A | N/A | Appliance product |
| Header (pver) | N/A | N/A | Appliance version |
| Header (eventid) | `<vmid>` | Number | Event ID |
| Header (eventName) | `<vendorinfo>` | Text/String | Description |
| Header (severity) | N/A | N/A | Severity |
| deviceExternalId | N/A | N/A | ID |
| act | `<action>` | Text/String | The action in the event |
| cs1 | `<policy>` | Text/String | Type |
| cs1Label | N/A | N/A | Type label |
| cs2 | `<severity>` | Text/String | Risk level |
| cs2Label | N/A | N/A | Risk level label |
| deviceExternalId | N/A | N/A | Appliance GUID |
| dhost | `<dname>` | Text/String | Destination host name |
| dpt | `<dport>` | Number | Destination port |
| dst | `<dip>` | IP | Destination IP address |
| dvc | N/A | N/A | Appliance IP address |
| dvchost | N/A | N/A | Appliance host name |
| dvcmac | N/A | N/A | Appliance MAC address |
| end | N/A | N/A | Report end time |
| fileHash | `<hash>` | Text/String | SHA1 |
| request | `<url>` | Text/String | URL |
| rt | N/A | N/A | Analysis time |
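The mapping above is easiest to check against a real line. The following is an added example (not LogRhythm's parser or any vendor's code) that splits a CEF message into its seven header fields and its key=value extension, honours CEF escaping (`\|` and `\\` in the header, `\=`, `\\`, `\n` and `\r` in the extension), and then renames the keys to the LogRhythm schema fields listed in the table. The vendor, product and the whole log line are constructed for the example; only the key names and the schema mapping come from the table. Note that the header `severity` is not mapped (N/A in the table) while `cs2` is the value that lands in `<severity>`, so the two must be kept apart, as the code does.

```python
import re
from typing import Dict, List, Tuple

# CEF header order per the CEF spec: CEF:Version|Vendor|Product|Version|ID|Name|Severity|extension
HEADER_KEYS = ("logVer", "vendor", "pname", "pver", "eventid", "eventName", "severity")

# CEF key -> LogRhythm schema field, taken from the mapping table (N/A rows omitted).
CEF_TO_LOGRHYTHM = {
    "eventid": "vmid",        # header field 5
    "eventName": "vendorinfo",  # header field 6
    "act": "action",
    "cs1": "policy",
    "cs2": "severity",        # risk level, NOT the header severity
    "dhost": "dname",
    "dpt": "dport",
    "dst": "dip",
    "fileHash": "hash",
    "request": "url",
}
NUMERIC_FIELDS = {"vmid", "dport"}  # "Number" rows in the table

# key=value pairs; a value runs until the next " key=" or end of line.
_EXT_RE = re.compile(r"(\w+)=((?:\\.|[^\\])*?)(?=\s+\w+=|\s*$)")


def _unescape(value: str) -> str:
    """Undo CEF extension escaping: \\= \\\\ \\n \\r."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def split_header(line: str) -> Tuple[List[str], str]:
    """Return the seven header fields (unescaped) and the raw extension text."""
    fields: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(line) and len(fields) < len(HEADER_KEYS):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):   # escaped '|' or '\'
            cur.append(line[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) != len(HEADER_KEYS) or not fields[0].startswith("CEF:"):
        raise ValueError("malformed CEF header")
    fields[0] = fields[0][len("CEF:"):]        # keep just the version number
    return fields, line[i:]


def parse_cef(line: str) -> Dict[str, str]:
    """Parse one CEF line into a flat dict keyed by CEF field name."""
    header, ext = split_header(line.rstrip("\r\n"))
    record = dict(zip(HEADER_KEYS, header))
    for m in _EXT_RE.finditer(ext):
        record[m.group(1)] = _unescape(m.group(2))
    return record


def to_logrhythm(line: str) -> Dict[str, object]:
    """Apply the table's mapping; unmapped (N/A) keys are dropped."""
    cef = parse_cef(line)
    out: Dict[str, object] = {}
    for cef_key, lr_key in CEF_TO_LOGRHYTHM.items():
        if cef_key in cef:
            v = cef[cef_key]
            out[lr_key] = int(v) if lr_key in NUMERIC_FIELDS and v.isdigit() else v
    return out


# Constructed sample line (vendor, product, values are invented for the example).
SAMPLE = (
    "CEF:0|ExampleVendor|ExampleProduct|1.2.3|100|Deny List Updated : Object Added|5|"
    "act=deny-list-add cs1=Malicious URL cs1Label=Type cs2=high cs2Label=Risk "
    "dhost=evil.example dpt=443 dst=198.51.100.7 "
    "fileHash=da39a3ee5e6b4b0d3255bfef95601890afd80709 "
    "request=http://evil.example/a.exe?x\\=1"
)

if __name__ == "__main__":
    for k, v in to_logrhythm(SAMPLE).items():
        print(f"{k:<11} {v!r}")
```

Running it prints the ten mapped fields; `policy` keeps its embedded space ("Malicious URL") and `url` comes back with the `\=` unescaped, while the header severity `5` is available from `parse_cef` but never written into `<severity>`.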