Vendor Documentation
Classification

| Rule Name | Rule Type | Classification | Common Event |
|---|---|---|---|
| Drago Alerts | Base Rule | Operations : Information | General Alert Message |
| Configuration Quad Alert | Sub Rule | Security : Activity | General Activity |
| Indicator Quad Alert | Sub Rule | Security : Attack | General Attack Activity |
| Modeling Quad Alert | Sub Rule | Security : Attack | General Attack Activity |
| Threat Behavior Quad Alert | Sub Rule | Security : Attack | General Attack Activity |
| Unassigned Quad Alert | Sub Rule | Security : Activity | General Activity |
Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| CEF:Version | N/A | N/A | Identifies the version of the CEF format. |
| Device Vendor | N/A | N/A | Identifies the vendor of the sending device. |
| Device Product | N/A | N/A | Identifies the product of the sending device. |
| Device Version | <version> | Number | Identifies the version of the sending device. |
| Signature ID | N/A | N/A | Unique event-type identifier. |
| Name | <vmid> | String | Description of the event. |
| Severity | <severity> | Number | Reflects the importance of the event. |
| Extension | N/A | N/A | Collection of key-value pairs. |
| content | <vendorinfo> | String | Detailed description of the event. |
| asset_ip | N/A | N/A | Asset IP address for single asset events. |
| asset_hostname | N/A | N/A | Asset hostname(s) for single asset events. |
| dst_asset_ip | <dip> | IP Address | Destination asset IP address for multiple asset events. |
| dst_asset_hostname | <dname> | String | Destination asset host names for directional events. |
| dst_asset_mac | <dmac> | String | Destination asset MAC address for multiple asset events. |
| dst_asset_domain | N/A | N/A | Destination asset domain names for directional events. |
| src_asset_ip | <sip> | IP Address | Source asset IP address for multiple asset events. |
| src_asset_hostname | <sname> | String | Source asset host names for directional events. |
| src_asset_mac | <smac> | String | Source asset MAC address for multiple asset events. |
| src_asset_domain | N/A | N/A | Source asset domain names for directional events. |
| id | <session> | Number | Unique ID for the event. |
| asset_domain | N/A | N/A | Asset domain names for single asset events. |
| asset_id | N/A | N/A | Dragos system asset ID for single asset events. |
| asset_mac | N/A | N/A | Asset MAC address for single asset events. |
| createdAt | N/A | N/A | Date and time when the event was created (not the same as the transmission time sent in syslog). |
| detection quad | <tag1>,<objecttype> | String | Name of the quad, one of the four detection quads used in the Dragos platform. |
| detectorid | <object> | String | Unique ID of the collector that originated the event. |
| dst_asset_id | N/A | N/A | Dragos system destination asset ID for multiple asset events. |
| matchedRuleId | N/A | N/A | Dragos notification rule that triggered sending the alert over syslog. |
| occurredAt | N/A | N/A | Date and time the event occurred, based on the record(s) processed by the sensor. |
| originalSeverity | N/A | N/A | Original Dragos severity; some events are raised to a higher severity if they are repeated over time. |
| reviewed | N/A | N/A | True if the event has been marked reviewed by a human. |
| src_asset_id | N/A | N/A | Dragos system source asset ID for multiple asset events. |
| type | N/A | N/A | Type of event; this field is free form, so the values can be inconsistent at times. |
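As an added example (not part of this documentation and not LogRhythm's own parser), the Python below parses a constructed Dragos CEF line, promotes the extension keys that the mapping table assigns to LogRhythm schema fields, and picks the sub-rule from the Classification table by detection quad. The sample values, the function names, and the assumption that the quad value in the log matches the quad name in the rule name are all mine, not from the page.

```python
import re
# Extension key -> LogRhythm schema field, from the mapping table above (N/A keys are not promoted).
EXTENSION_MAP = {
    "content": "vendorinfo", "id": "session", "detectorid": "object",
    "dst_asset_ip": "dip", "dst_asset_hostname": "dname", "dst_asset_mac": "dmac",
    "src_asset_ip": "sip", "src_asset_hostname": "sname", "src_asset_mac": "smac",
}
HEADER_FIELDS = ("cef_version", "vendor", "product", "version", "signature_id", "vmid", "severity")
# Sub-rule per quad from the Classification table. Assumption: the log's quad value equals the quad name in the rule name.
QUAD_RULES = {
    "Configuration": ("Configuration Quad Alert", "Security : Activity", "General Activity"),
    "Indicator": ("Indicator Quad Alert", "Security : Attack", "General Attack Activity"),
    "Modeling": ("Modeling Quad Alert", "Security : Attack", "General Attack Activity"),
    "Threat Behavior": ("Threat Behavior Quad Alert", "Security : Attack", "General Attack Activity"),
}
UNASSIGNED = ("Unassigned Quad Alert", "Security : Activity", "General Activity")
_HEADER_PIPE = re.compile(r"(?<!\\)\|")  # split the header on unescaped '|' only
# A key is a bare word followed by '='; "detection quad" (with a space, as listed
# in the table) is matched explicitly so it is not split into two tokens.
_EXT_KEY = re.compile(r"(?:^|(?<=\s))(detection quad|[A-Za-z_]\w*)=")

def parse_dragos_cef(line):
    """Return (schema_fields, raw_extension) for one Dragos CEF syslog line."""
    start = line.find("CEF:")  # any syslog prefix (timestamp, host) precedes the CEF header
    parts = _HEADER_PIPE.split(line[start:], maxsplit=7) if start >= 0 else []
    if len(parts) != 8:
        raise ValueError("expected a CEF header with 7 pipe-delimited fields")
    header = [p.replace("\\|", "|").replace("\\\\", "\\") for p in parts[:7]]
    header[0] = header[0][len("CEF:"):]
    ext, keys = {}, list(_EXT_KEY.finditer(parts[7]))
    for i, m in enumerate(keys):  # a value runs up to the next key token
        end = keys[i + 1].start() if i + 1 < len(keys) else len(parts[7])
        ext[m.group(1)] = parts[7][m.end():end].strip().replace("\\=", "=")
    schema = dict(zip(HEADER_FIELDS, header))
    schema["severity"] = int(schema["severity"])  # table: Severity is a Number
    schema.update((f, ext[k]) for k, f in EXTENSION_MAP.items() if k in ext)
    if "detection quad" in ext:  # one source key feeds both tag1 and objecttype
        schema["tag1"] = schema["objecttype"] = ext["detection quad"]
    return schema, ext

def classify(schema):
    """Sub-rule, classification and common event for the event's detection quad."""
    return QUAD_RULES.get(schema.get("objecttype", ""), UNASSIGNED)

# Constructed sample line (not a real Dragos message); all values are illustrative.
SAMPLE = ("CEF:0|Dragos|Platform|1.8.2|101|Unauthorized Modbus Write|8|"
          "content=Modbus write request to PLC from engineering host src_asset_ip=10.1.1.20 "
          "src_asset_hostname=eng-ws01 dst_asset_ip=10.1.1.5 dst_asset_mac=00:11:22:33:44:55 "
          "id=4321 detectorid=sensor-02 detection quad=Threat Behavior reviewed=false")
```

Keys the table maps to N/A (such as `reviewed` and `createdAt`) remain available in the raw extension dict for custom parsing.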