Event : Endpoint 1
Vendor Documentation
Classification
| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| Event : Endpoint | Base Rule | General Endpoint Message | Information |
| Event : Endpoint : FortiClient Connection Closed | Sub Rule | Client Connection Closed | Other Audit Success |
| Event : Endpoint : Add A FortiClient Connection | Sub Rule | Connection Built | Network Traffic |
| Event : Endpoint : FortiClient Registration Renew | Sub Rule | Registration | Information |
| Event : Endpoint : FortiClient Registration Renew | Sub Rule | Configuration Information | Information |
| Event : Endpoint Vulnerbility Scan | Sub Rule | General Critical Log Message | Critical |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
| logid | <vmid> | Number | The ID (logid) is a 10-digit field. It is a unique identifier for that specific log. |
| level | <severity> | Text\String | Each log entry contains a Level (level) field that indicates the estimated severity of the event that caused the log entry. |
| logdesc | <vendorinfo> | Text\String | N/A |
| ip | <sip> | IP Address | IP address of the traffic’s origin |
| name | <sname> | Text\String | N/A |
| srcmac | <smac> | Text\String | N/A |
| user | <login> | Text\String | N/A |
| vd | <domainorigin> | Text\String | N/A |
| connection_type | <sessiontype> | Text\String | N/A |
| vulncat | <objecttype> | Text\String | N/A |
| vulnname | <objectname> | Text\String | N/A |
| subtype | <subject> | Text\String | N/A |
| vendorurl | <url> | Text\String | N/A |
| type | <policy> | Text\String | N/A |
| action | <action> | Text\String | N/A |
| msg | <result> | Text\String | N/A |
| status | <status> | Text\String | N/A |
| count | <quantity> | Number | N/A |