EVID:1092EPOEV - AccessProtectionViolationBlocked
Vendor Documentation
Classification
Rule Name | Rule Type | Classification | Common Event |
---|---|---|---|
EVID:1092EPOEV - AccessProtectionViolationBlocked | Base Rule | Threat Blocked | Failed Activity |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
---|---|---|---|
N/A | N/A | N/A | N/A |
MachineName | N/A | N/A | Name of the system hosting the detecting product. |
AgentGUID | N/A | N/A | Unique identifier of the agent that forwarded the event. |
IPAddress | <dip> | IP Address | IP address of the system hosting the detecting product (if given in the event). |
OSName | N/A | N/A | N/A |
UserName | N/A | N/A | N/A |
TimeZoneBias | N/A | N/A | N/A |
RawMACAddress | <dmac> | Text/String/Number | MAC address of the system hosting the detecting product. |
ProductName | <vendorinfo> | Text/String | Name of the detecting managed product. |
ProductVersion | <version> | Text/String/Number | Version number of the detecting product. |
ProductFamily | N/A | N/A | N/A |
Analyzer | N/A | N/A | N/A |
AnalyzerName | N/A | N/A | Name of the detecting managed product. |
AnalyzerVersion | N/A | N/A | Version number of the detecting product. |
AnalyzerHostName | N/A | N/A | Name of the system hosting the detecting product. |
AnalyzerDetectionMethod | N/A | N/A | The name of the task or task type that was responsible for detecting the threat. |
EventID | <vmid> | Number | Unique identifier of the event class. |
Severity | N/A | N/A | N/A |
GMTTime | N/A | N/A | N/A |
ThreatCategory | <subject> | Text/String | Category of the event. Possible categories depend on the product. |
ThreatEventID | N/A | N/A | Unique identifier of the event class. |
ThreatName | <threatname> | Text/String | Name of the threat. |
ThreatType | N/A | N/A | Class of the threat. |
DetectedUTC | N/A | N/A | N/A |
ThreatActionTaken | <action> | Text/String | The action taken by the product in response to the threat. |
ThreatHandled | <result> | Text/String | Specifies whether the action taken was successful. |
SourceUserName | <domainorigin> <login> | Text/String | User name from which the threat originated (if given in the event). |
SourceProcessName | <process> | Text/String | The process name from which the threat originated. |
TargetHostName | <dname> | Text/String | Name of the system that created the event. |
TargetUserName | <domainimpacted> <account> | Text/String | The threat source user name or email address. |
Target ProcessName | N/A | N/A | N/A |
Target FileName | <object> | Text/String | Location of the threat on the detecting system. |
ThreatSeverity | <severity> | Number | The severity of the detected threat as defined by each managed product. |
target | N/A | N/A | N/A |
BladeName | N/A | N/A | N/A |
AnalyzerContentVersion | N/A | N/A | N/A |
AnalyzerContentCreationDate | N/A | N/A | N/A |
AnalyzerRuleName | N/A | N/A | N/A |
SourceProcessHash | N/A | N/A | N/A |
SourceProcessSigned | N/A | N/A | N/A |
SourceProcessSigner | N/A | N/A | N/A |
SourceProcessTrusted | N/A | N/A | N/A |
SourceFilePath | N/A | N/A | N/A |
SourceFileSize | N/A | N/A | N/A |
SourceModifyTime | N/A | N/A | N/A |
SourceAccessTime | N/A | N/A | N/A |
SourceCreateTime | N/A | N/A | N/A |
TargetName | <objectname> | Text/String | N/A |
TargetPath | N/A | N/A | N/A |
TargetHash | <hash> | Text/String | N/A |
TargetSigned | N/A | N/A | N/A |
TargetSigner | N/A | N/A | N/A |
TargetTrusted | N/A | N/A | N/A |
TargetFileSize | N/A | N/A | N/A |
TargetModifyTime | N/A | N/A | N/A |
TargetAccessTime | N/A | N/A | N/A |
TargetCreateTime | N/A | N/A | N/A |
AttackVectorType | N/A | N/A | N/A |
DurationBeforeDetection | N/A | N/A | N/A |
NaturalLangDescription | N/A | N/A | N/A |
AccessRequested | N/A | N/A | N/A |