Host Network Detection Messages
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
Host Network Detection Messages | Base Rule | Network Information Message | Information |
Host Network Allowed | Sub Rule | Network Information Message | Information |
Host Network Blocked | Sub Rule | Blocked Message | Failed Activity |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
Version | N/A | N/A | N/A |
Vendor | N/A | N/A | N/A |
Device Product | N/A | N/A | N/A |
Device Version | <version> | Numbers | N/A |
Device Event Class_ID | <vmid> | Text/String | The number representing the type of the event. If translation is used, the type enum name is defined by the ICD Schema. |
Name | <vendorinfo> | Text/String | The description of the event. If the message attribute is missing and translation is used, the name is generated using the type_id and id enum names. |
Severity | <severity> | Numbers | The severity of the event, mapped as follows:
|
act | <result> <tag1> | Text/String | The outcome of the event. It is either a numeric value or text when translation is used. |
cat | <objecttype> | Text/String | The event type category. It is either a numeric value or text when translation is used. |
cnt | N/A | N/A | N/A |
deviceExternalId | N/A | N/A | The unique identifier of the device. |
dtz | N/A | N/A | The time zone of the event’s Device Time, converted from minutes ahead or behind UTC to a standard time zone identifier. |
dvc | <sip> | IP Address | The IP address that pertains to the event, if in IPv4 format (otherwise, placed in c6a1). |
dvchost | <sname> | Text/String | The name of the device originating the event. |
dvcmac | <smac> | Text/Number | N/A |
reason | <reason> | Text/String | N/A |
rt | N/A | N/A | N/A |
deviceCustomDate1 | N/A | N/A | N/A |
deviceCustomDate1Label | N/A | N/A | N/A |
start | N/A | N/A | The number of milliseconds since 01/01/1970 00:00:00 UTC. |
End | N/A | N/A | N/A |
agt | N/A | N/A | The IP address of the collector device, if in IPv4 format. |
ahost | N/A | N/A | The host name of the collector device. |
aid | N/A | N/A | The unique identifier of the collector. |
request | N/A | N/A | N/A |
app | N/A | N/A | N/A |
proto | <protnum> | Numbers | N/A |
dpt | <dport> | Numbers | N/A |
dst | <dip> | IP Address | N/A |
shost | <sname> | Text/String | N/A |
sourceServiceName | <process> | Text/String | N/A |
spt | <sport> | Numbers | N/A |
src | <sip> | IP Address | N/A |
cs1 | <threatname> | Text/String | N/A |
cs1Label | N/A | N/A | N/A |
cs2 | N/A | N/A | N/A |
cs2Label | N/A | N/A | N/A |
cs3 | <policy> | Text/String | N/A |
cs3Label | N/A | N/A | N/A |
cs6 | N/A | N/A | N/A |
cs6Label | N/A | N/A | N/A |
cs4 | <group> | Text/String | N/A |
cs4Label | N/A | N/A | N/A |
cs5 | N/A | N/A | N/A |
cs5Label | N/A | N/A | N/A |
suser | <login> | Text/String | The source user by name. |
symcICDxLogName | <object> | Text/String | The ICDx archive name (log_name). |
symcICDxUUID | N/A | N/A | The JSON-encoded event data that was not mapped to any CEF attributes. |
symcICDxData | <subject> | Text/String | N/A |