Vendor Documentation
Classification
| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| Firewall Messages - V6.4/6.5/6.6/6.7 | Base Rule | General Firewall Log | Network Traffic |
| VMID: 0 | Sub Rule | Syslog Information | Information |
| VMID: 1500 Stopping Unused Service | Sub Rule | Process/Service Stopping | Startup and Shutdown |
| VMID: 2011 Cluster Event | Sub Rule | General CLUSTER Message | Information |
| VMID: 2302 System Tester Notice | Sub Rule | Test Message | Information |
| VMID: 4118 System Policy Applied | Sub Rule | General POLICY Information | Information |
| VMID: 4501 FW Authentication New Config Successful | Sub Rule | Configuration Loaded : Security | Configuration |
| VMID: 70018 Connection Allowed | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| VMID: 70019 Connection Discarded | Sub Rule | Connection Removed Or Disabled | Information |
| VMID: 70021 Connection Closed | Sub Rule | Connection Closed | Network Traffic |
| VMID: 70022 Connection Closed Abnormally | Sub Rule | Connection Closed | Network Traffic |
| VMID: 70026 Connection Progress | Sub Rule | General Connection Messages | Network Traffic |
| VMID: 70511 HTTP URL Logged | Sub Rule | URL Logged - Category | Activity |
| VMID 1004: Connection Allowed | Sub Rule | Connection Established | Network Traffic |
| VMID 1001: Connection Discarded | Sub Rule | Request Discarded | Network Traffic |
| VMID 1008: Packet Discarded | Sub Rule | TCP Packet Dropped | Information |
| VMID 12100: IKEv2 SA Initiator Complete | Sub Rule | IKE Phase 1 Complete | Activity |
| VMID 12101: IKE SA Initiator Failed | Sub Rule | IKE Initiator: Phase 1 Negotiation | Activity |
| VMID 12102: IKE SA Responder Done | Sub Rule | IKE Accept IPSec Proposal | Other Audit Success |
| VMID 12105: IPSec SA Initiator Done | Sub Rule | IKE Phase 1 Complete | Activity |
| VMID 12107: IPSec SA Responder Done | Sub Rule | IKE Accept IPSec Proposal | Other Audit Success |
| VMID 12110: IKE Starting Initiator Negotiation | Sub Rule | IKE Initiator: Phase 1 Negotiation | Activity |
| VMID 12111: IKE Starting Responder Negotiation | Sub Rule | Starting IKE Negotiation | Information |
| VMID 12116: IKE SA Deleted | Sub Rule | IKE SA Delete Request Received | Network Traffic |
| VMID 12171: IKE Timeout | Sub Rule | IKE Ticket Exchange Failed - Timeout | Activity |
| VMID 15006: DHCP Client | Sub Rule | DHCP Information | Information |
| VMID 2000: Cluster Protocol | Sub Rule | General CLUSTER Message | Information |
| VMID 261653: Analyzer Compress Message | Sub Rule | General Information | Information |
| VMID 70027: Connection Interface Changed | Sub Rule | Connection Information | Information |
| VMID 70082: Protocol Violation | Sub Rule | General Protocol Information | Information |
| VMID 7059: TCP Checksum Mismatch | Sub Rule | General Checksum Information | Information |
| VMID 71009: VPN Connection | Sub Rule | General VPN Information | Other Operations |
| VMID 71012: IPSec VPN Connection | Sub Rule | General VPN Information | Other Operations |
| VMID 71040: Log Compress Message | Sub Rule | General Information Log Message | Information |
| VMID 71257: TCP Segment SYN Message | Sub Rule | VPN TCP SYN Message | Information |
| VMID 275137: Unknown Browser | Sub Rule | Unknown Browser Type | Information |
| VMID 275505: Unknown Status | Sub Rule | Status Log | Information |
| VMID 316105: TCP NTLMSSP Message | Sub Rule | General Information | Information |
| VMID 261657: Analyzer Compress Message | Sub Rule | General Information | Information |
| VMID 263279: UDP-Denial Of Service | Sub Rule | Application Denial Of Service | Denial Of Service |
| VMID 270346: HTTP Long Options Request Argument | Sub Rule | HTTP Response Error | Error |
| VMID 318473: MS_RPC_TPC_CPS | Sub Rule | RPC Request | Activity |
| VMID 323594: SNMP UDP Write Attempt | Sub Rule | SNMP Activity | Activity |
| VMID 324106: SNMP UDP Write Attempt Rejected | Sub Rule | Modify Object Failure | Access Failure |
| VMID 324107: SNMP UDP Write Attempt Accepted | Sub Rule | Object Accessed | Access Success |
| VMID 501475: File Binary Shell Code | Sub Rule | Programmable Binary File Data Processing Info Msg | Information |
| VMID 70095: TCP Small Overlapping Segment | Sub Rule | General TCP/IP Information | Information |
| VMID 70507: SSH Violation | Sub Rule | SSH Information-Only Event | Information |
| VMID 70961: Connection Rematched | Sub Rule | Connection Restored | Information |
| VMID 71268: TCP Window Small | Sub Rule | General TCP/IP Information | Information |
| VMID 72123: Anti-Malware Database Failure | Sub Rule | Database Information | Information |
| VMID 76515: Cannot Connect To Cloud | Sub Rule | General CLOUD Message | Information |
| VMID 79059: TLS Certificate Verify Failed | Sub Rule | TLS Message | Information |
| VMID 79973: SMB Attempted Tree Connect To Admin | Sub Rule | SMB Information Message | Information |
| Connection Refused Messages | Sub Rule | Traffic Denied by Network Firewall | Network Deny |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type |
|---|---|---|
| severity | <severity> | Text/String/Number |
| Version | <version> | Text/String |
| vmid | <vmid> | Number |
| command | <command> | Text/String |
| severity | <severity> | Number |
| suser | <login> | Text/String |
| cat | <objecttype> | Text/String |
| in | <packetsin> | Number |
| out | <packetsout> | Number |
| app | <object> | Text/String/Number |
| protname | <protname> | Text/String/Number |
| deviceFacility | <objectname> | Text/String |
| destinationTranslatedPort | <dnatport> | Number |
| sourceTranslatedPort | <snatport> | Number |
| destinationTranslatedAddress | <dnatip> | IP Address |
| sourceTranslatedAddress | <snatip> | IP Address |
| msg | <subject> | Text/String |
| act | <action> | Text/String |
| deviceinboundinterface | <dinterface> | Text/String/Number |
| dpt | <dport> | Number |
| spt | <sport> | Number |
| dst | <dip> | IP Address |
| src | <sip> | IP Address |
| dvchost | <dname> | Text/String/Number |