Firewall Messages - v6.2.X
Vendor Documentation
Classification
| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| Firewall Messages - v6.2.X | Base Rule | General Firewall Event | Information |
| Potential Compromise | Sub Rule | Data Compromised | Compromise |
| Suspected Attack Related Anomalies | Sub Rule | Suspicious Activity | Suspicious |
| Protocol Violation : Low | Sub Rule | Vuln Low Severity : Protocol Violation | Vulnerability |
| Suspicious Traffic | Sub Rule | Network Traffic | Network Traffic |
| System Situations Messages | Sub Rule | General Error | Error |
| Suspected Probe | Sub Rule | Suspicious Network Activity | Suspicious |
| Protocol Violation : Medium | Sub Rule | General Protocol Violation | Error |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type |
|---|---|---|
| Version | <version> | Number |
| vmid | <vmid> | Number |
| command | <command> | Text/String |
| severity | <severity> | Text/String/Number |
| in | <packetsin> | Number |
| out | <packetsout> | Number |
| requestURL | <url> | Text/String |
| cat | <tag1> | Text/String |
| app | <object> | Text/String/Number |
| deviceFacility | <objectname> | Text/String |
| msg | <subject> | Text/String |
| destinationTranslatedPort | <dport> | Number |
| sourceTranslatedPort | <sport> | Number |
| destinationTranslatedAddress | <dnatip> | IP Address |
| sourceTranslatedAddress | <snatip> | IP Address |
| act | <action> | Text/String |
| deviceinboundinterface | <sinterface> | Text/String/Number |
| proto | <protnum> | Number |
| dpt | <dport> | Number |
| spt | <sport> | Number |
| dst | <dip> | IP Address |
| src | <sip> | IP Address |
| dvchost | <dname> | Text/String/Number |
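The script below is an added example and is not LogRhythm's or the firewall vendor's parsing code. It shows how the key-to-schema mapping in the table above can be applied to a CEF-formatted event: the extension is split into key=value pairs (with CEF escaping honoured), each device key is renamed to its LogRhythm schema field, and the value is coerced by the table's Data Type column. The sample event, the vendor and product names in its header, and the rule that the untranslated `dpt`/`spt` keys take precedence over `destinationTranslatedPort`/`sourceTranslatedPort` when both map to the same schema field are assumptions made for the example, not something this page states.

```python
"""Added example, not code from the LogRhythm page or the firewall vendor:
map CEF extension keys to the LogRhythm schema fields in the table above."""
import ipaddress
import re

# Device key -> (LogRhythm schema field, coercion type), taken from the mapping table.
# "Text" covers the table's Text/String and Text/String/Number entries, which this
# example leaves as strings. Order matters: a later key overwrites an earlier one
# that maps to the same schema field, so dpt/spt win over the *TranslatedPort keys
# when both are present (an assumption, not stated on the page).
FIELD_MAP = {
    "Version": ("version", "Number"),
    "vmid": ("vmid", "Number"),
    "command": ("command", "Text"),
    "severity": ("severity", "Text"),
    "in": ("packetsin", "Number"),
    "out": ("packetsout", "Number"),
    "requestURL": ("url", "Text"),
    "cat": ("tag1", "Text"),
    "app": ("object", "Text"),
    "deviceFacility": ("objectname", "Text"),
    "msg": ("subject", "Text"),
    "destinationTranslatedPort": ("dport", "Number"),
    "sourceTranslatedPort": ("sport", "Number"),
    "destinationTranslatedAddress": ("dnatip", "IP Address"),
    "sourceTranslatedAddress": ("snatip", "IP Address"),
    "act": ("action", "Text"),
    "deviceinboundinterface": ("sinterface", "Text"),
    "proto": ("protnum", "Number"),
    "dpt": ("dport", "Number"),
    "spt": ("sport", "Number"),
    "dst": ("dip", "IP Address"),
    "src": ("sip", "IP Address"),
    "dvchost": ("dname", "Text"),
}

# An extension key is a run of [A-Za-z0-9_] at the start or after whitespace, followed by '='.
# A '\=' inside a value does not match because '\' is not a key character.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_]+)=")
_ESCAPES = {"n": "\n", "r": "\r"}

# Constructed sample event (vendor, product, addresses and values are made up).
SAMPLE_EVENT = (
    r"CEF:0|ExampleVendor|ExampleFW|6.2.0|70018|Connection_Allowed|1|"
    r"act=Allow src=10.0.0.5 spt=51515 sourceTranslatedPort=40000 "
    r"sourceTranslatedAddress=198.51.100.7 dst=203.0.113.10 dpt=443 proto=6 "
    r"in=1200 out=3400 app=HTTPS deviceinboundinterface=Internal dvchost=fw-edge-01 "
    r"deviceExternalId=fw1 msg=Connection allowed by policy\=Default "
    r"requestURL=https://example.test/login"
)


def _unescape(raw):
    """Undo CEF extension escaping: '\\=' -> '=', '\\\\' -> '\\', '\\n'/'\\r' -> control chars."""
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), raw)


def split_header(line):
    """Split the seven pipe-delimited CEF header fields from the extension; '\\|' is a literal pipe."""
    parts = re.split(r"(?<!\\)\|", line.rstrip("\r\n"), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    return [p.replace("\\|", "|") for p in parts[:7]] + [parts[7]]


def parse_extension(ext):
    """Return the extension's key=value pairs; values may contain spaces."""
    fields = {}
    keys = list(_KEY_RE.finditer(ext))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[m.group(1)] = _unescape(ext[m.end():end].strip())
    return fields


def coerce(value, dtype):
    """Apply the table's Data Type: Number -> int, IP Address -> validated address, else text."""
    if dtype == "Number":
        return int(value)
    if dtype == "IP Address":
        return str(ipaddress.ip_address(value))
    return value


def map_to_logrhythm(line):
    """Parse one CEF line and rename its extension keys to LogRhythm schema fields."""
    header = split_header(line)
    ext = parse_extension(header[7])
    names = ("format", "vendor", "product", "version", "signature_id", "name", "severity")
    event = {"cef_header": dict(zip(names, header[:7])), "fields": {}, "unmapped": {}, "errors": {}}
    for key, (schema_field, dtype) in FIELD_MAP.items():
        if key not in ext:
            continue
        try:
            event["fields"][schema_field] = coerce(ext[key], dtype)
        except ValueError:
            # Keep the raw text rather than dropping the event, and flag it for review.
            event["fields"][schema_field] = ext[key]
            event["errors"][key] = f"expected {dtype}, got {ext[key]!r}"
    # Keys the table does not cover are kept aside so they are not silently lost.
    for key, value in ext.items():
        if key not in FIELD_MAP:
            event["unmapped"][key] = value
    return event


if __name__ == "__main__":
    for field, value in sorted(map_to_logrhythm(SAMPLE_EVENT)["fields"].items()):
        print(f"{field:10} {value!r}")
```

The `errors` and `unmapped` dictionaries are the parts worth watching in production: a value that fails coercion (a non-numeric port, a hostname in an address field) points at a parser or device-version mismatch, and a steady stream of unmapped keys means the device is emitting fields this rule version does not capture.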