Vendor Documentation
Classification

| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| DNS Audit Events | Base Rule | General Audit Message | Other Audit |
| EVID 513: Zone Delete | Sub Rule | Zone Object Deleted | Information |
| EVID 514: Zone Updated | Sub Rule | Zone Update | Information |
| EVID 515: Record Create | Sub Rule | Object Created | Access Success |
| EVID 516: Record Delete | Sub Rule | Object Deleted/Removed | Access Success |
| EVID 517: RRSET Delete | Sub Rule | Object Deleted/Removed | Access Success |
| EVID 518: Node Delete | Sub Rule | Object Deleted/Removed | Access Success |
| EVID 519: Record Create - Dynamic Update | Sub Rule | Object Created | Access Success |
| EVID 520: Record Delete - Dynamic Update | Sub Rule | Object Deleted/Removed | Access Success |
| EVID 521: Record Scavenge | Sub Rule | General Information Log Message | Information |
| EVID 522: Zone Scope Create | Sub Rule | Object Created | Access Success |
| EVID 523: Zone Scope Delete | Sub Rule | Zone Object Deleted | Information |
| EVID 525: Zone Sign | Sub Rule | General Information Log Message | Information |
| EVID 526: Zone Unsign | Sub Rule | General Information Log Message | Information |
| EVID 527: Zone Re-sign | Sub Rule | General Information Log Message | Information |
| EVID 528: Key Rollover Start | Sub Rule | Service Start | Startup and Shutdown |
| EVID 529: Key Rollover End | Sub Rule | Session Ended | Other Audit Success |
| EVID 530: Key Retire | Sub Rule | Session Ended | Other Audit Success |
| EVID 531: Key Rollover Triggered | Sub Rule | General Information Log Message | Information |
| EVID 533: Key Poke Rollover | Sub Rule | General Information Log Message | Information |
| EVID 534: Export DNSSEC | Sub Rule | General Information Log Message | Information |
| EVID 535: Import DNSSEC | Sub Rule | General Information Log Message | Information |
| EVID 536: Cache Purge | Sub Rule | Cache Information | Information |
| EVID 537: Forwarder Reset | Sub Rule | General Information Log Message | Information |
| EVID 540: Root Hints | Sub Rule | General Information Log Message | Information |
| EVID 541: Server Setting | Sub Rule | Server Must Process Message | Information |
| EVID 542: Server Scope Create | Sub Rule | Object Created | Access Success |
| EVID 543: Server Scope Delete | Sub Rule | Object Deleted/Removed | Access Success |
| EVID 544: Add Trust Point DNSKEY | Sub Rule | General Information Log Message | Information |
| EVID 545: Add Trust Point DS | Sub Rule | Domain Trust Information | Information |
| EVID 546: Remove Trust Point | Sub Rule | Domain Trust Information | Information |
| EVID 547: Add Trust Point Root | Sub Rule | Domain Trust Information | Information |
| EVID 548: Restart Server | Sub Rule | General Server Information | Information |
| EVID 549: Clear Debug Logs | Sub Rule | General Debug Message | Information |
| EVID 550: Write Dirty Zones | Sub Rule | General Information Log Message | Information |
| EVID 551: Clear Statistics | Sub Rule | General Information Log Message | Information |
| EVID 552: Start Scavenging | Sub Rule | Session Started | Other Audit Success |
| EVID 553: Enlist Directory Partition | Sub Rule | General Information Log Message | Information |
| EVID 554: Abort Scavenging | Sub Rule | General Information Log Message | Information |
| EVID 555: Prepare For Demotion | Sub Rule | General Information Log Message | Information |
| EVID 556: Write Root Hints | Sub Rule | General Information Log Message | Information |
| EVID 557: Listen Address | Sub Rule | General Information Log Message | Information |
| EVID 558: Active Refresh Trust Points | Sub Rule | General Information Log Message | Information |
| EVID 559: Pause Zone | Sub Rule | General ZONE Message | Information |
| EVID 560: Resume Zone | Sub Rule | General ZONE Message | Information |
| EVID 561: Reload Zone | Sub Rule | General ZONE Message | Information |
| EVID 562: Refresh Zone | Sub Rule | General ZONE Message | Information |
| EVID 563: Expire Zone | Sub Rule | General ZONE Message | Information |
| EVID 564: Update From DS | Sub Rule | Zone Update | Information |
| EVID 565: Write And Notify | Sub Rule | BGP Notify Msg | Activity |
| EVID 566: Force Aging | Sub Rule | General Information Log Message | Information |
| EVID 567: Scavenge Servers | Sub Rule | General Information Log Message | Information |
| EVID 568: Transfer Key Master | Sub Rule | General Information Log Message | Information |
| EVID 569: Add SKD | Sub Rule | General Information Log Message | Information |
| EVID 570: Modify SKD | Sub Rule | General Information Log Message | Information |
| EVID 571: Delete SKD | Sub Rule | General Information Log Message | Information |
| EVID 572: Modify SKD State | Sub Rule | General Information Log Message | Information |
| EVID 573: Add Delegation | Sub Rule | General Information Log Message | Information |
| EVID 574: Create Client Subnet Record | Sub Rule | Object Created | Access Success |
| EVID 575: Delete Client Subnet Record | Sub Rule | Object Deleted/Removed | Access Success |
| EVID 576: Update Client Subnet Record | Sub Rule | Update | Information |
| EVID 577: Create Server Level Policy | Sub Rule | General Server Information | Information |
| EVID 578: Create Zone Level Policy | Sub Rule | Zone Update | Information |
| EVID 579: Create Forwarding Policy | Sub Rule | Policy Status | Other Audit |
| EVID 580: Delete Server Level Policy | Sub Rule | General Server Information | Information |
| EVID 581: Delete Zone Level Policy | Sub Rule | Zone Object Deleted | Information |
| EVID 582: Delete Forwarding Policy | Sub Rule | Policy Status | Other Audit |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Provider Name | N/A | N/A | Identifies the provider that logged the event. The Name and Guid attributes are included if the provider used an instrumentation manifest to define its events; otherwise, the EventSourceName attribute is included if a legacy event provider (using the Event Logging API) logged the event. |
| EventID | `<vmid>` | Number | The identifier that the provider used to identify the event. |
| Version | N/A | N/A | The version number of the event's definition. |
| Level | `<severity>` | Text/String | The severity level defined in the event. |
| Task | `<vendorinfo>` | Text/String | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. |
| Opcode | N/A | N/A | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. |
| Keywords | `<result>` | Text/String | A bitmask of the keywords defined in the event. Keywords are used to classify types of events (for example, events associated with reading data). |
| TimeCreated | N/A | N/A | The time stamp that identifies when the event was logged. The time stamp will include either the SystemTime attribute or the RawTime attribute. |
| EventRecordID | N/A | N/A | The record number assigned to the event when it was logged. |
| Correlation | N/A | N/A | The activity identifiers that consumers can use to group related events together. |
| Execution | N/A | N/A | Contains information about the process and thread that logged the event. |
| Channel | N/A | N/A | The channel to which the event was logged. |
| Computer | `<dname>` | Text/String | The name of the computer on which the event occurred. |
| Security | `<login>` | Text/String | N/A |
| RuleName | `<policy>` | Text/String | N/A |
| Type | N/A | N/A | N/A |
| NAME | `<sname>` | Text/String | N/A |
| TTL | N/A | N/A | N/A |
| BufferSize | N/A | N/A | N/A |
| RDATA | N/A | N/A | N/A |
| Zone | N/A | N/A | N/A |
| ZoneScope | N/A | N/A | N/A |
| Source | `<sip>` | IP Address | N/A |
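The two tables above describe what the parser does with a DNS Server audit event, but not what an analyst then does with the result. The following added example (written for this page, not LogRhythm's or Microsoft's code) takes events in the Windows event XML layout, maps the `<System>` children and `<EventData>` names onto the schema fields from the second table, classifies them with a subset of the first table, and then applies checks the classification alone does not give you: a dynamic update (EVID 519/520) from an address outside the ranges allowed to send dynamic updates, a zone deletion (EVID 513), and changes to the resolution path (forwarders, root hints, trust points, forwarding policy). The sample events, the `10.0.0.0/8` allow list and the `sample_event` builder are constructed for the example; real events carry additional attributes and task/keyword values that are not reproduced here.

```python
"""Map Microsoft-Windows-DNSServer/Audit events onto LogRhythm schema fields,
classify them by EVID, and flag the ones worth an analyst's attention.
Added example: the events below are constructed, not captured from a server."""
import ipaddress
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Subset of the Classification table: EVID -> (rule name, common event, classification).
SUB_RULES = {
    513: ("Zone Delete", "Zone Object Deleted", "Information"),
    515: ("Record Create", "Object Created", "Access Success"),
    516: ("Record Delete", "Object Deleted/Removed", "Access Success"),
    519: ("Record Create - Dynamic Update", "Object Created", "Access Success"),
    520: ("Record Delete - Dynamic Update", "Object Deleted/Removed", "Access Success"),
    537: ("Forwarder Reset", "General Information Log Message", "Information"),
    540: ("Root Hints", "General Information Log Message", "Information"),
    546: ("Remove Trust Point", "Domain Trust Information", "Information"),
    579: ("Create Forwarding Policy", "Policy Status", "Other Audit"),
}
BASE_RULE = ("DNS Audit Events", "General Audit Message", "Other Audit")

# Schema mapping table: <System> children and <EventData> Data names -> LogRhythm field.
SYSTEM_MAP = {"EventID": "vmid", "Level": "severity", "Task": "vendorinfo",
              "Keywords": "result", "Computer": "dname"}
DATA_MAP = {"NAME": "sname", "Source": "sip", "RuleName": "policy"}

# Detection tuning; both values are assumptions for this example.
DYNAMIC_UPDATE_SOURCES = [ipaddress.ip_network("10.0.0.0/8")]  # hosts allowed to send dynamic updates
RESOLUTION_PATH_EVIDS = {537, 540, 546, 579}  # forwarders, root hints, trust points, forwarding policy


def parse_event(xml_text):
    """Map one event onto schema fields. Unmapped EventData (Type, TTL, RDATA,
    Zone, ZoneScope) is kept under its own name so detection logic can use it."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    fields = {}
    for src, dst in SYSTEM_MAP.items():
        el = system.find("e:" + src, NS)
        if el is not None and el.text:
            fields[dst] = el.text.strip()
    security = system.find("e:Security", NS)
    if security is not None and security.get("UserID"):
        fields["login"] = security.get("UserID")
    fields["vmid"] = int(fields["vmid"])
    for data in root.iterfind("e:EventData/e:Data", NS):
        name, value = data.get("Name"), (data.text or "").strip()
        if name and value:
            fields[DATA_MAP.get(name, name)] = value
    return fields


def classify(fields):
    """Apply the Classification table: a listed EVID hits its Sub Rule, anything else the Base Rule."""
    evid = fields["vmid"]
    name, common_event, classification = SUB_RULES.get(evid, BASE_RULE)
    listed = evid in SUB_RULES
    return {"rule_name": f"EVID {evid}: {name}" if listed else name,
            "rule_type": "Sub Rule" if listed else "Base Rule",
            "common_event": common_event, "classification": classification}


def detect(fields):
    """Checks that go beyond the classification; each returns a human-readable alert string."""
    alerts, evid = [], fields["vmid"]
    if evid == 513:
        alerts.append(f"zone {fields.get('Zone')} deleted by {fields.get('login', '?')} on {fields.get('dname')}")
    if evid in RESOLUTION_PATH_EVIDS:
        alerts.append(f"EVID {evid} changes how {fields.get('dname')} resolves names; verify a change ticket exists")
    if evid in (519, 520):
        sip = fields.get("sip")
        try:
            trusted = any(ipaddress.ip_address(sip) in net for net in DYNAMIC_UPDATE_SOURCES)
        except ValueError:  # Source missing or not an IP address: treat as untrusted
            trusted = False
        if not trusted:
            alerts.append(f"dynamic update of {fields.get('sname')} from untrusted source {sip}")
    return alerts


def process(xml_text):
    fields = parse_event(xml_text)
    return {"fields": fields, "rule": classify(fields), "alerts": detect(fields)}


def sample_event(evid, data, user_id="S-1-5-18"):
    """Build a constructed event in the Windows event XML layout (not a captured log)."""
    items = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="Microsoft-Windows-DNSServer"/>'
            f"<EventID>{evid}</EventID><Version>0</Version><Level>4</Level><Task>0</Task>"
            '<Keywords>0x8000000000000000</Keywords><Channel>Microsoft-Windows-DNSServer/Audit</Channel>'
            f'<Computer>dns01.corp.example</Computer><Security UserID="{user_id}"/></System>'
            f"<EventData>{items}</EventData></Event>")


SAMPLES = {  # constructed inputs for the checks above
    "dyn_delete_external": sample_event(520, {"Type": "1", "NAME": "fileserver.corp.example", "TTL": "1200",
                                              "RDATA": "0A000105", "Zone": "corp.example", "Source": "198.51.100.7"}),
    "dyn_create_internal": sample_event(519, {"Type": "1", "NAME": "laptop42.corp.example", "TTL": "1200",
                                              "RDATA": "0A141E2A", "Zone": "corp.example", "Source": "10.20.30.42"}),
    "zone_delete": sample_event(513, {"Zone": "corp.example", "ZoneScope": "Default"},
                                user_id="S-1-5-21-1111-2222-3333-1105"),
    "forwarder_reset": sample_event(537, {}),
}

if __name__ == "__main__":
    for label, xml_text in SAMPLES.items():
        result = process(xml_text)
        print(label, result["rule"]["rule_name"], result["rule"]["classification"], result["alerts"])
```

The dynamic-update check is the one to tune first: in an Active Directory environment legitimate updates come from DHCP servers and domain members, so the allow list should be those ranges, and a 520 from anywhere else is a record being removed by a host that should not be able to do so. Events the table maps to `Information` (513, 537, 540, 546) are the ones that change what every client behind the server resolves, which is why the example alerts on them regardless of their classification.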