Entity Audit Messages
Vendor Documentation
Classification
| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| Entity Audit Messages | Base Rule | General Audit Messages | Information |
| Entity Audit Created | Sub Rule | Group Created | Account Created |
| Entity Audit Deleted | Sub Rule | Group Deleted | Account Deleted |
| Entity Audit Updated | Sub Rule | Group Attribute Modified | Account Modified |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Version | N/A | N/A | N/A |
| Vendor | N/A | N/A | N/A |
| Device Product | N/A | N/A | N/A |
| Device Version | <version> | Numbers | N/A |
| Device Event Class_ID | <vmid> | Text/String | The number representing the type of the event. If translation is used, the type enum name is defined by the ICD Schema. |
| Name | <vendorinfo> | Text/String | The description of the event. If the message attribute is missing and translation is used, the name is generated using the type_id and id enum names. |
| Severity | <severity> | Numbers | The severity of the event, mapped as follows: |
| act | <result> <tag1> | Text/String | The outcome of the event. It is either a numeric value or text when translation is used. |
| cat | <objecttype> | Text/String | The event type category. It is either a numeric value or text when translation is used. |
| cnt | N/A | N/A | For aggregated events, the number of times that the event occurred. |
| dtz | N/A | N/A | The time zone of the event's Device Time, converted from minutes ahead or behind UTC to a standard time zone identifier. |
| externalId | N/A | N/A | A positive number that indicates the order of events sent by a client. |
| rt | N/A | N/A | The time that the ICDx system collected the event, expressed as the number of milliseconds since 01/01/1970 00:00:00 UTC. |
| deviceCustomDate1 | N/A | N/A | N/A |
| deviceCustomDate1Label | N/A | N/A | N/A |
| start | N/A | N/A | The number of milliseconds since 01/01/1970 00:00:00 UTC. |
| agt | N/A | N/A | The IP address of the collector device, if in IPv4 format. |
| ahost | N/A | N/A | The host name of the collector device. |
| aid | N/A | N/A | The unique identifier of the collector. |
| cs6 | N/A | N/A | N/A |
| cs6Label | N/A | N/A | N/A |
| suser | <login> | Text/String | The source user by name. |
| symcICDxLogName | <object> | Text/String | The ICDx archive name (log_name). |
| symcICDxUUID | N/A | N/A | The JSON-encoded event data that was not mapped to any CEF attributes. |
| symcICDxData | <subject> | Text/String | N/A |
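The mapping table above can be exercised end to end with a small CEF parser. The following is an added example, not LogRhythm's or Symantec's own parsing code: it splits a CEF line into its seven header fields and its key=value extension (honouring the `\|`, `\=` and `\\` escapes the CEF format uses), then applies the table so that `Device Version`, `Device Event Class ID`, `Name`, `Severity`, `act`, `cat`, `suser`, `symcICDxLogName` and `symcICDxData` land in the named schema fields, while every key the table marks N/A (for example `rt`, `ahost`, `symcICDxUUID`) is kept in an `unmapped` dictionary so an analyst can see what the rule would drop. The sample line, its vendor/product strings and its event values are constructed placeholders, not real ICDx output.

```python
import re
from typing import Any, Dict, List, Tuple

# CEF header field names in wire order: seven pipe-delimited fields,
# followed by the space-separated key=value extension.
CEF_HEADER_FIELDS = (
    "CEF Version", "Device Vendor", "Device Product", "Device Version",
    "Device Event Class ID", "Name", "Severity",
)

# Header field -> LogRhythm schema field, taken from the mapping table.
HEADER_MAP = {
    "Device Version": "version",
    "Device Event Class ID": "vmid",
    "Name": "vendorinfo",
    "Severity": "severity",
}

# Extension key -> LogRhythm schema field(s), taken from the mapping table.
# "act" populates both <result> and <tag1>.
EXTENSION_MAP = {
    "act": ("result", "tag1"),
    "cat": ("objecttype",),
    "suser": ("login",),
    "symcICDxLogName": ("object",),
    "symcICDxData": ("subject",),
}

_EXT_SPLIT = re.compile(r"\s+(?=[A-Za-z0-9_.]+=)")   # whitespace that precedes the next key=
_EXT_ESCAPE = re.compile(r"\\(.)")                     # backslash escape inside a value


def _split_header(line: str) -> Tuple[List[str], str]:
    """Split the seven CEF header fields on unescaped '|'; return them and the extension text."""
    fields: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(line) and len(fields) < len(CEF_HEADER_FIELDS):
        c = line[i]
        if c == "\\" and i + 1 < len(line):       # escaped character: keep the next char literally
            buf.append(line[i + 1])
            i += 2
            continue
        if c == "|":                               # unescaped pipe ends a header field
            fields.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(c)
        i += 1
    if len(fields) != len(CEF_HEADER_FIELDS):
        raise ValueError("malformed CEF header: expected 7 pipe-delimited fields")
    return fields, line[i:]


def _unescape_ext(value: str) -> str:
    """Extension values escape '=' and '\\' with a backslash; \\n and \\r denote line breaks."""
    return _EXT_ESCAPE.sub(lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _parse_extension(ext: str) -> Dict[str, str]:
    out: Dict[str, str] = {}
    for pair in _EXT_SPLIT.split(ext.strip()):
        key, sep, value = pair.partition("=")
        if sep:
            out[key] = _unescape_ext(value)
    return out


def parse_cef(line: str) -> Dict[str, Any]:
    """Parse one CEF line into {'header': {...}, 'extension': {...}}."""
    fields, ext = _split_header(line.rstrip("\r\n"))
    if not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    header = dict(zip(CEF_HEADER_FIELDS, fields))
    header["CEF Version"] = fields[0][len("CEF:"):]
    return {"header": header, "extension": _parse_extension(ext)}


def map_to_logrhythm(event: Dict[str, Any]) -> Dict[str, Any]:
    """Apply the page's mapping table; keys with no schema field are collected under 'unmapped'."""
    header, ext = event["header"], event["extension"]
    record: Dict[str, Any] = {schema: header.get(cef, "") for cef, schema in HEADER_MAP.items()}
    # Severity is typed as Numbers in the table; coerce when the value is numeric.
    if isinstance(record["severity"], str) and record["severity"].isdigit():
        record["severity"] = int(record["severity"])
    unmapped: Dict[str, str] = {}
    for key, value in ext.items():
        targets = EXTENSION_MAP.get(key)
        if targets is None:
            unmapped[key] = value          # e.g. rt, agt, ahost, symcICDxUUID are N/A in the table
        else:
            for target in targets:
                record[target] = value
    record["unmapped"] = unmapped
    return record


# Constructed sample line (placeholder values, not real ICDx output). It carries an
# escaped pipe in the Name field and an escaped '=' in symcICDxData to exercise unescaping.
SAMPLE_LINE = (
    "CEF:0|ExampleVendor|ExampleProduct|1.0|8001|Group Created \\| Entity Audit|3|"
    "act=1 cat=5 cnt=1 dtz=UTC rt=1700000000000 ahost=collector01 "
    "suser=admin symcICDxLogName=entity_audit symcICDxData=group\\=analysts "
    "symcICDxUUID=PLACEHOLDER-UUID"
)

if __name__ == "__main__":
    import json
    print(json.dumps(map_to_logrhythm(parse_cef(SAMPLE_LINE)), indent=2))
```

Running the block prints the schema record for the constructed line; `result` and `tag1` both receive the `act` value, and the `unmapped` dictionary lists the collector and timing keys the rule does not carry into the LogRhythm schema, which is worth checking before relying on those fields in an alarm or investigation.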