Vendor Documentation
Classification

| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| EyeInspect Alert Logs | Base Rule | Suspicious Activity | Suspicious |
| DNP3 Invalid Reserved Bit Log | Sub Rule | Invalid Input Value | Error |
| Vulnerability Match Log | Sub Rule | Vulnerability Scanner Information | Other Security |
| Multiple Failed Connection Attempts Log | Sub Rule | Multiple Connection Attempts From Same Source | Warning |
| EtherNet/IP Device Unstable Connection Log | Sub Rule | Possible Unstable Link Or Faulty Cable | Warning |
| DNP3 Field Too Large Log | Sub Rule | Message Too Large | Warning |
| DNP3 Invalid Qualifier Code Log | Sub Rule | Invalid Message Code | Error |
| SMBGhost Exploitation Log | Sub Rule | Potential Vulnerability Exploit Allowed | Activity |
| Illegal Data Address Log | Sub Rule | Illegal Status | Information |
| DNP3 Device Unstable Connection Log | Sub Rule | Possible Unstable Link Or Faulty Cable | Warning |
| Invalid Field Value Log | Sub Rule | Invalid Field | Error |
| GW Device Failed To Respond Log | Sub Rule | No Response Received From Network Access Device | Warning |
| MODBUS/TCP Device Unstable Connection Log | Sub Rule | Possible Unstable Link Or Faulty Cable | Warning |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| N/A | N/A | N/A | Common Event Format identifier: Default or unspecified severity level (can be replaced with specific severity levels such as 1-10). |
| N/A | N/A | N/A | Vendor or organization name |
| N/A | N/A | N/A | Product or service name generating the event |
| N/A | `<version>` | Text/String | Version number |
| N/A | `<vmid>` | Text/String | Specific name or identifier for the event. |
| N/A | `<vendorinfo>` | Text/String | Description |
| N/A | `<severity>` | Number | Severity level of the event (e.g., low, medium, high). |
| cat | N/A | N/A | alert |
| externalId | N/A | N/A | {alertId} |
| rt | N/A | N/A | N/A |
| smac | `<smac>` | Text/String | N/A |
| dmac | `<dmac>` | Text/String | N/A |
| src | `<sip>` | IP Address | N/A |
| dst | `<dip>` | IP Address | N/A |
| spt | `<sport>` | Number | N/A |
| dpt | `<dport>` | Number | N/A |
| proto | `<protname>` | Text/String | N/A |
| app | N/A | N/A | N/A |
| in | `<bytesin>` | Number | N/A |
| out | `<bytesout>` | Number | N/A |
| deviceDirection | N/A | N/A | N/A |
| deviceExternalId | N/A | N/A | N/A |
| cs1Label | N/A | N/A | ProfileModule |
| cs1 | N/A | N/A | N/A |
| cs2Label | N/A | N/A | FEAState |
| cs2 | `<status>` | Text/String | N/A |
| cn1Label | N/A | N/A | AggrAlerts |
| cn1 | N/A | N/A | N/A |
| deviceCustomDate1Label | N/A | N/A | N/A |
| deviceCustomDate1 | N/A | N/A | N/A |
| cn2Label | N/A | N/A | FEADurationSec |
| cn2 | `<seconds>` | Number | N/A |
| cs3Label | N/A | N/A | FieldPath |
| cs3 | `<parentprocesspath>` | Text/String | N/A |
| cs4Label | N/A | N/A | FieldVal |
| cs4 | N/A | N/A | N/A |
| cs5Label | N/A | N/A | ExpVals |
| cs5 | N/A | N/A | N/A |
| cs6Label | N/A | N/A | Labels |
| cs6 | `<cve>` | Text/String | N/A |
| msg | `<subject>` | Text/String | N/A |
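The mapping above is only applied correctly if a parser treats the CEF custom fields as label/value pairs: `cs2` becomes `<status>` because `cs2Label` carries `FEAState`, `cn2` becomes `<seconds>` because `cn2Label` carries `FEADurationSec`, and so on. The following is an added example, not LogRhythm or Forescout code, that splits a CEF record into its header and extension, unescapes `\=` and `\\` in extension values, and applies the table's key-to-schema mapping. The sample alert line is constructed for illustration: the vendor/product strings, version, signature ID, addresses, the `CVE-XXXX-XXXX` placeholder and the message text are assumptions, not values from this page.

```python
"""Map a Forescout EyeInspect-style CEF alert onto LogRhythm schema fields.

Added example (not vendor or LogRhythm code). The CEF extension keys and the
LogRhythm placeholders follow the mapping table on this page; the sample
record below is constructed and its header values are assumptions.
"""
import re

# Extension keys whose mapping in the table does not depend on a *Label partner.
DIRECT_MAP = {
    "smac": "smac", "dmac": "dmac", "src": "sip", "dst": "dip",
    "spt": "sport", "dpt": "dport", "proto": "protname",
    "in": "bytesin", "out": "bytesout", "msg": "subject",
}

# Custom fields are mapped only when their *Label partner carries the expected
# label (cs2Label=FEAState -> cs2 is <status>, etc.).
LABELLED_MAP = {
    ("cs2", "FEAState"): "status",
    ("cn2", "FEADurationSec"): "seconds",
    ("cs3", "FieldPath"): "parentprocesspath",
    ("cs6", "Labels"): "cve",
}

# Schema fields the table declares as Number.
NUMERIC = {"sport", "dport", "bytesin", "bytesout", "seconds", "severity"}

# Constructed sample record; header values are placeholders, not page data.
SAMPLE = (
    "CEF:0|Forescout|eyeInspect|5.0.0|12345|DNP3 Invalid Qualifier Code|7|"
    "cat=alert externalId=a1b2c3 rt=1700000000000 "
    "smac=00:11:22:33:44:55 dmac=66:77:88:99:aa:bb "
    "src=10.0.0.5 dst=10.0.0.9 spt=49152 dpt=20000 proto=TCP in=128 out=64 "
    "cs1Label=ProfileModule cs1=DNP3 cs2Label=FEAState cs2=active "
    "cn2Label=FEADurationSec cn2=42 "
    "cs3Label=FieldPath cs3=/application/object/qualifier "
    "cs6Label=Labels cs6=CVE-XXXX-XXXX "
    "msg=Field qualifier\\=0x1f rejected"
)

_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")
_ESCAPE = re.compile(r"\\(.)")


def split_cef(line: str):
    """Return the 7 CEF header fields and the raw extension string.

    Header fields are separated by '|'; an escaped '\\|' inside a field is
    not a separator, so the split uses a negative lookbehind.
    """
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    header = [p.replace("\\|", "|") for p in parts[:7]]
    return header, parts[7]


def _unescape(value: str) -> str:
    """Resolve CEF extension escapes: \\= \\\\ \\n \\r."""
    return _ESCAPE.sub(lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_extension(ext: str) -> dict:
    """Parse 'key=value key=value ...' where values may contain spaces.

    A value runs from its '=' up to the next ' key=' token; an escaped
    '\\=' inside a value is not treated as a key boundary.
    """
    fields = {}
    keys = list(_EXT_KEY.finditer(ext))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[m.group(1)] = _unescape(ext[m.end():end]).strip()
    return fields


def _as_number(value: str):
    # Fields the table types as Number; keep the text if it is not an integer.
    return int(value) if value.strip().isdigit() else value


def to_logrhythm(line: str) -> dict:
    """Apply the page's mapping table to one CEF record."""
    header, ext = split_cef(line)
    fields = parse_extension(ext)
    record = {
        "version": header[3],     # Device Version   -> <version>
        "vmid": header[4],        # Signature ID     -> <vmid>
        "vendorinfo": header[5],  # Name             -> <vendorinfo>
        "severity": header[6],    # Severity         -> <severity>
    }
    for key, schema in DIRECT_MAP.items():
        if key in fields:
            record[schema] = fields[key]
    for (key, label), schema in LABELLED_MAP.items():
        if key in fields and fields.get(key + "Label") == label:
            record[schema] = fields[key]
    for schema in NUMERIC & record.keys():
        record[schema] = _as_number(record[schema])
    return record


if __name__ == "__main__":
    for name, value in sorted(to_logrhythm(SAMPLE).items()):
        print(f"{name:18} {value!r}")
```

Keys the table maps to N/A (`cat`, `externalId`, `rt`, `app`, `cs1`, `cn1`, ...) are parsed but intentionally not copied into the record, and a custom field whose label does not match the table (for example a `cs2` sent with a different `cs2Label`) is left unmapped rather than guessed.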