EVID 430001: Intrusion Event

Classification

Rule Name | Rule Type | Common Event | Classification
EVID 430001: Intrusion Event | Base Rule | Intrusion Monitor Message | Other Security
SID 16431 : Generic SQL Injection Attempt | Sub Rule | SQL Injection | Attack
SID 19438 : SQL URL Ending In Comment Characters | Sub Rule | SQL Injection | Attack
SID 19439 : SQL 1=1 | Sub Rule | SQL Injection | Attack
SID 21516 : JBoss JMX Console Access | Sub Rule | General Attack Activity | Attack
SID 24342 : WEB-MISC JBoss Web Console Acc Atmt | Sub Rule | General Attack Activity | Attack
SID 24343 : WEB-MISC JBoss JMXInvokrSrvlt Acc Atmt | Sub Rule | General Attack Activity | Attack
SID 25975 : Adb CldFsion Admin Interface Acc Atmt | Sub Rule | General Attack Activity | Attack
SID 26275 : DD-WRT Httpd Cgi-bin Rmt Cmd Exe Atmt | Sub Rule | Arbitrary Code Execution | Attack
SID 27572 : ApacheStruts Wldcrd Mtch OGNL RmtCdExe | Sub Rule | Arbitrary Code Execution | Attack
SID 27574 : ApchStrutOGNL GtRntime.execStatcMthAcc | Sub Rule | General Attack Activity | Attack
SID 31978 : Bash CGI Env Variable Inj Atmt | Sub Rule | Arbitrary Code Execution | Attack
SID 37078 : JDbDrivrMysqli Unserialize Cd Exe Atmt | Sub Rule | Arbitrary Code Execution | Attack
SID 38352 : WinOrchTrjnOrchNetWrdRC Vrnt Chk Logs | Sub Rule | Detected Trojan Activity | Malware
SID 39058 : JSP Webshell Backdoor Detct | Sub Rule | Detected Backdoor Activity | Malware
SID 39190 : Apache Struts Rmt Cd Exe Atmt | Sub Rule | Arbitrary Code Execution | Attack
SID 39191 : Apache Struts Rmt Cd Exe Atmt | Sub Rule | Arbitrary Code Execution | Attack
SID 41818 : Apache Struts Rmt Cd Exe Atmt | Sub Rule | Arbitrary Code Execution | Attack
SID 41819 : Apache Struts Rmt Cd Exe Atmt | Sub Rule | Arbitrary Code Execution | Attack
SID 42857 : MVPower DVR Shell Arbtry Cmd Exe Atmt | Sub Rule | Arbitrary Code Execution | Attack
SID 44315 : Java XML Deserlz Rmt Cd Exe Atmt | Sub Rule | Arbitrary Code Execution | Attack
SID 44531 : Apache Tomcat Rmt JSP File Upload Atmt | Sub Rule | Suspicious Host Activity | Suspicious
SID 44687 : Netgear Router Auth Bypass Atmt | Sub Rule | General Attack Activity | Attack
SID 44688 : Netgear Router Arbtry Cmd Exe Atmt | Sub Rule | Arbitrary Code Execution | Attack
SID 45749 : PHPUnit PHP Rmt Cd Exe Atmt | Sub Rule | Arbitrary Code Execution | Attack
SID 46316 : Drupal 8 Rmt Cd Exe Atmt | Sub Rule | Arbitrary Code Execution | Attack
SID 46486 : Slimware Utilities Var Outbnd Conn | Sub Rule | Detected Adware Activity | Malware
SID 46624 : GPON Router Authen Bypass Cmd Inj Atmt | Sub Rule | Arbitrary Code Execution | Attack
SID 47567 : WinTrjnZegost Var Outbnd Conn | Sub Rule | Detected Trojan Activity | Malware
SID 47634 : OGNL GetRntimeexe Static Mthd Acc Atmt | Sub Rule | General Attack Activity | Attack
SID 47649 : Apache Struts Rmt Cd Exe Atmt | Sub Rule | Arbitrary Code Execution | Attack
SID 47684 : RouterOS Directory Traversal Atmt | Sub Rule | General Attack Activity | Attack
SID 49376 : Apache Struts Rmt Cd Exe Atmt | Sub Rule | Arbitrary Code Execution | Attack
SID 49666 : SQL HTTP URI Blind Injection Attempt | Sub Rule | SQL Injection | Attack
SID 51390 : Pulse Sec SSL VPN Version Chk Atmt | Sub Rule | General Attack Activity | Attack
SID 51620 : VBulletin Pre-Auth Cmd Inj Atmt | Sub Rule | Arbitrary Code Execution | Attack
SID 52512 : Citrix ADC Gateway Arbtry Cd Exe Atmt | Sub Rule | Arbitrary Code Execution | Attack
SID 52603 : Citrix ADC Gateway Arbtry Cd Exe Atmt | Sub Rule | Arbitrary Code Execution | Attack
SID 52620 : Citrix ADC Gateway Arbtry Cd Exe Atmt | Sub Rule | Arbitrary Code Execution | Attack
SID 53589 : SERVER-WEBAPP DrayTek Multi Prod Cmd | Sub Rule | Arbitrary Code Execution | Attack
SID 53590 : SERVER-WEBAPP DrayTek Multi Prod Cmd | Sub Rule | Arbitrary Code Execution | Attack
SID 54307 : Js.Adware.Agent Varnt Redirect | Sub Rule | Detected Adware Activity | Malware
SID 54768 : Vbulletin Template Render Cd Exe Atmt | Sub Rule | Arbitrary Code Execution | Attack
SID 54794 : Zeroshell Linux RouterCmd Inj Atmt | Sub Rule | Arbitrary Code Execution | Attack

Mapping with LogRhythm Schema

Device Key in Log Message | LogRhythm Schema | Data Type
SID | <vmid> | Number
DeviceUUID | <vendorinfo> | Text/String
N/A | <severity> | String
SrcIP | <sip> | Number
IngressZone | <sname> | String
DstIP | <dip> | Number
EgressZone | <dname> | String
srcport | <sport> | Number
dstport | <dport> | Number
IngressInterface | <sinterface> | String
EgressInterface | <dinterface> | String
Protocol | <protname> | String
User | <login> | String
NAPPolicy | <process> | String
Classification | <object> | String
Message | <subject> | String
VLAN_ID | <serialnumber> | Number
Client | <useragent> | String
ACPolicy | <policy> | String
GID | <group> | String
ApplicationProtocol | <command> | String
IntrusionPolicy | <action> | String
InlineResult | <result> | String
HTTPResponse | <responsecode> | Number
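The following is an added example, not LogRhythm's parser or Cisco's code. It takes a 430001 intrusion-event syslog line, splits it into the device keys listed in the mapping table, renames them to the LogRhythm schema fields, coerces the fields the table types as Number, and resolves the SID to the sub rule it belongs to (falling back to the base rule when the SID is not in the table). The sample line is constructed for illustration, the regular expressions and the "Key: value, Key: value" layout are assumptions about the device format, and only a subset of the sub rules is carried in the lookup. Device keys are matched case-insensitively because the table lists srcport/dstport in lower case. SrcIP and DstIP are typed as Number in the table but carry an address, so the example validates them as IP addresses and keeps them as text. No device key maps to <severity> (N/A in the table), so the example sets nothing there.

```python
"""Map a Cisco FTD 430001 intrusion event onto the LogRhythm schema fields.

Added example; not LogRhythm or Cisco code. The sample log line is constructed.
"""
import ipaddress
import re

# Device key (lower-cased) -> (LogRhythm schema field, data type), from the mapping table.
DEVICE_TO_SCHEMA = {
    "sid": ("vmid", "Number"),
    "deviceuuid": ("vendorinfo", "Text/String"),
    "srcip": ("sip", "Number"),
    "ingresszone": ("sname", "String"),
    "dstip": ("dip", "Number"),
    "egresszone": ("dname", "String"),
    "srcport": ("sport", "Number"),
    "dstport": ("dport", "Number"),
    "ingressinterface": ("sinterface", "String"),
    "egressinterface": ("dinterface", "String"),
    "protocol": ("protname", "String"),
    "user": ("login", "String"),
    "nappolicy": ("process", "String"),
    "classification": ("object", "String"),
    "message": ("subject", "String"),
    "vlan_id": ("serialnumber", "Number"),
    "client": ("useragent", "String"),
    "acpolicy": ("policy", "String"),
    "gid": ("group", "String"),
    "applicationprotocol": ("command", "String"),
    "intrusionpolicy": ("action", "String"),
    "inlineresult": ("result", "String"),
    "httpresponse": ("responsecode", "Number"),
}

# SID -> (sub rule, common event, classification); a subset of the classification table.
SID_SUB_RULES = {
    16431: ("Generic SQL Injection Attempt", "SQL Injection", "Attack"),
    19438: ("SQL URL Ending In Comment Characters", "SQL Injection", "Attack"),
    19439: ("SQL 1=1", "SQL Injection", "Attack"),
    39058: ("JSP Webshell Backdoor Detct", "Detected Backdoor Activity", "Malware"),
    41818: ("Apache Struts Rmt Cd Exe Atmt", "Arbitrary Code Execution", "Attack"),
    52512: ("Citrix ADC Gateway Arbtry Cd Exe Atmt", "Arbitrary Code Execution", "Attack"),
}
BASE_RULE = ("EVID 430001: Intrusion Event", "Intrusion Monitor Message", "Other Security")

# "Key: value" pairs separated by commas; a quoted value (Message) may itself contain commas.
KV_RE = re.compile(r'(\w+): ("(?:[^"\\]|\\.)*"|[^,]*)')
EVID_RE = re.compile(r"%FTD-\d-430001:\s*(.*)$")

# Constructed sample line (not a real capture); addresses are documentation ranges.
SAMPLE = (
    '<113>Mar 14 10:22:51 ftd01 %FTD-1-430001: EventPriority: High, '
    'DeviceUUID: 9f1c2d2e-3a4b-4c5d-8e6f-000000000001, InstanceID: 1, '
    'SrcIP: 203.0.113.25, DstIP: 10.0.7.12, SrcPort: 51234, DstPort: 443, '
    'Protocol: tcp, IngressInterface: outside, EgressInterface: dmz, '
    'IngressZone: untrust, EgressZone: dmz, ACPolicy: corp-policy, '
    'GID: 1, SID: 19439, Revision: 10, '
    'Message: "SQL 1 = 1 - possible sql injection attempt", '
    'Classification: Web Application Attack, User: No Authentication Required, '
    'Client: Firefox, ApplicationProtocol: HTTP, IntrusionPolicy: balanced, '
    'InlineResult: Blocked, HTTPResponse: 403, VLAN_ID: 0, NAPPolicy: default'
)


def parse_ftd_430001(line):
    """Return the device key/value pairs of a 430001 line, with quotes stripped."""
    m = EVID_RE.search(line)
    if not m:
        raise ValueError("not an FTD 430001 intrusion event")
    fields = {}
    for key, value in KV_RE.findall(m.group(1)):
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def to_logrhythm(fields):
    """Rename device keys to schema fields; ints for Number, validated text for sip/dip.

    Returns (event, unmapped): keys absent from the table (EventPriority,
    InstanceID, Revision, ...) are returned separately instead of being dropped.
    """
    event, unmapped = {}, {}
    for key, value in fields.items():
        spec = DEVICE_TO_SCHEMA.get(key.lower())
        if spec is None:
            unmapped[key] = value
            continue
        schema, dtype = spec
        if schema in ("sip", "dip"):
            event[schema] = str(ipaddress.ip_address(value))  # raises on a non-address
        elif dtype == "Number":
            event[schema] = int(value)
        else:
            event[schema] = value
    return event, unmapped


def classify(event):
    """Resolve <vmid> (the SID) to its sub rule, else the base rule."""
    return SID_SUB_RULES.get(event.get("vmid"), BASE_RULE)


if __name__ == "__main__":
    ev, rest = to_logrhythm(parse_ftd_430001(SAMPLE))
    print(ev)
    print("unmapped:", rest)
    print(classify(ev))
```

Running the block prints the schema-keyed event, the device keys the table does not map, and the sub rule tuple for SID 19439. Lines for other event IDs are rejected by parse_ftd_430001 rather than silently half-parsed, and a malformed SrcIP or DstIP raises from ipaddress instead of landing in <sip>/<dip> as garbage.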