LSO : Syslog - Imperva Securesphere : Activity Alerts
Vendor Documentation
Log Fields and Parsing
This section details the log fields available in this log message type, along with the values parsed for both the LogRhythm Default and LogRhythm Default v2.0 policies. The Log Field column gives the key of the key=value pair in the CEF extension of the message; rows whose log field is "N/A" are taken from the pipe-delimited CEF header, which carries no keys. A value of "N/A" (not applicable) in a policy column means that no value is parsed for that log field under that policy.
| Log Field | LogRhythm Default | LogRhythm Default v2.0 |
|---|---|---|
| N/A | <severity> | N/A |
| N/A | <version> | N/A |
| N/A | <tag1> | N/A |
| N/A | <severity> | N/A |
| act | <command> | N/A |
| dst | <dip> | N/A |
| dpt | <dport> | N/A |
| duser | <account> | N/A |
| src | <sip> | N/A |
| spt | <sport> | N/A |
| proto | <protname> | N/A |
| cat | <objecttype> | N/A |
| cs2 | <group> | N/A |
| cs3 | <object> | N/A |
| cs4 | <vendorinfo> | N/A |
| cs5 | <threatname> | N/A |
| cs6 | <parentprocessname> | N/A |
| cs10 | <process> | N/A |
| cs12 | <dname> | N/A |
| cs13 | <session> | N/A |
| cs15 | <sessiontype> | N/A |
| osUsername | <login> | N/A |
| osUserchain | <useragent> | N/A |
| application | <objectname> | N/A |
| schemaname | <policy> | N/A |
| username | <sname> | N/A |
| errormessage | <reason> | N/A |
Log Processing Settings
This section details the log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases a base rule is broken down into sub-rules so that log messages of this type are parsed and classified according to their event type; the sub-rules share the Regex ID of their base rule.
LogRhythm Default
| Regex ID | Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|---|
| 1006200 | Activity Alerts | Base Rule | General Alert Message | Information |
| | Cookie Injection | Sub Rule | HTTP Cookie | Activity |
| | XSS | Sub Rule | Vuln High Severity : CGI Abuses : XSS | Vulnerability |
| | Custom Violation | Sub Rule | Security Violation | Other Security |
| | Extremely Long HTTP Request | Sub Rule | Line In HTTP Request Too Long | Warning |
| | HTTP Signature Violation | Sub Rule | General Signature Detection | Warning |
| | Illegal Byte Code Character In Header Name | Sub Rule | Illegal Characters | Error |
| | Illegal Byte Code Character In Method | Sub Rule | Illegal Characters | Error |
| | Illegal Byte Code Character In URL | Sub Rule | Illegal Characters | Error |
| | Illegal HTTP Version | Sub Rule | General HTTP Warning | Warning |
| | Unauthorized SOAP Action | Sub Rule | SOAP Message Body | Activity |
| | Unknown HTTP Request Method | Sub Rule | Invalid HTTP Request | Information |
| | Custom-Policy-Violation | Sub Rule | Security Policy Violation | Warning |
| | Malformed HTTP Header Line | Sub Rule | HTTP Header Error | Error |
| | ThreatRader -TOR IPs | Sub Rule | General Threat Message | Activity |
| | Directory Traversal (In Cookies/Parameters Value) | Sub Rule | Directory Traversal | Attack |
| | Attempt To Execute Privileged Operation | Sub Rule | Failed Suspicious User Activity | Failed Suspicious |
| | Extremely Long SQL Request | Sub Rule | General Attack Activity | Attack |
| | SQL Signature Violation | Sub Rule | General Attack Activity | Attack |
| | Unauthorized Database User | Sub Rule | Suspicious User Activity | Suspicious |
| | Unauthorized Source Application | Sub Rule | Unauthorized Program/Process | Misuse |
| | Web Profile Policy | Sub Rule | Unauthorized Activity | Misuse |
| | Cross Site Request Forgery | Sub Rule | Cross-Site Request Forgery | Attack |
| | HTTP/1.x Protocol Policy | Sub Rule | General Protocol Information | Information |
| | Migrated Web Protocol Policy For Server Group | Sub Rule | Object Modified | Access Success |
| | Network Protocol Violations Policy | Sub Rule | Security Policy Violation | Warning |
| | Post Request - Missing Content Type | Sub Rule | Web Request POST | Network Traffic |
| | Recommended Signatures Policy For Web Applications | Sub Rule | General Policy | Other Audit |
| | Suspicious Response Code | Sub Rule | Suspicious Activity | Suspicious |
| | Web Correlation Policy | Sub Rule | General Policy | Other Audit |
| | Web Protocol Policy - Venture | Sub Rule | General Policy | Other Audit |
| | XSS Taylor | Sub Rule | General Protocol Information | Information |
| | SQL Login Failed | Sub Rule | SQL Login | Activity |
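As an added example (not code from LogRhythm or Imperva), the following Python parses constructed SecureSphere-style CEF syslog lines into the LogRhythm field names of the field table above, honouring CEF's `\|`, `\\`, `\=`, `\n` and `\r` escapes, and then selects a sub-rule from the rule table. The sample lines, the `cef_name` key and the choice of the CEF Name header as the sub-rule selector are assumptions of this example: the page does not state which field LogRhythm's sub-rules actually match on, nor which header field populates <tag1>, so neither is claimed here.

```python
import re

# CEF extension key -> LogRhythm field (LogRhythm Default policy), from the field table above.
CEF_TO_LOGRHYTHM = {
    "act": "command", "dst": "dip", "dpt": "dport", "duser": "account",
    "src": "sip", "spt": "sport", "proto": "protname", "cat": "objecttype",
    "cs2": "group", "cs3": "object", "cs4": "vendorinfo", "cs5": "threatname",
    "cs6": "parentprocessname", "cs10": "process", "cs12": "dname",
    "cs13": "session", "cs15": "sessiontype", "osUsername": "login",
    "osUserchain": "useragent", "application": "objectname",
    "schemaname": "policy", "username": "sname", "errormessage": "reason",
}

# Sub-rule name -> (Common Event, Classification); a subset of the rule table above.
SUB_RULES = {
    "Cookie Injection": ("HTTP Cookie", "Activity"),
    "XSS": ("Vuln High Severity : CGI Abuses : XSS", "Vulnerability"),
    "Directory Traversal (In Cookies/Parameters Value)": ("Directory Traversal", "Attack"),
    "SQL Signature Violation": ("General Attack Activity", "Attack"),
    "Unauthorized Database User": ("Suspicious User Activity", "Suspicious"),
    "SQL Login Failed": ("SQL Login", "Activity"),
}
BASE_RULE = ("Activity Alerts", "General Alert Message", "Information")  # regex ID 1006200

# An extension key is a run of [A-Za-z0-9_] followed by '=' at the start of the
# extension or after whitespace. CEF requires a literal '=' inside a value to be
# escaped as '\='; an unescaped ' x=1' inside a value would wrongly start a new key.
EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")


def cef_unescape(value: str, header: bool) -> str:
    # Header fields escape '|' and '\'; extension values escape '=', '\', and newlines.
    out, i = [], 0
    while i < len(value):
        c, nxt = value[i], value[i + 1] if i + 1 < len(value) else ""
        if c == "\\" and (nxt == "\\" or (header and nxt == "|") or (not header and nxt == "=")):
            out.append(nxt); i += 2
        elif c == "\\" and not header and nxt in ("n", "r"):
            out.append("\n" if nxt == "n" else "\r"); i += 2
        else:
            out.append(c); i += 1
    return "".join(out)


def split_cef_header(body: str) -> list:
    """Split the text after 'CEF:' into the 7 header fields plus the raw extension."""
    parts, cur, i = [], [], 0
    while i < len(body) and len(parts) < 7:
        if body[i] == "\\" and i + 1 < len(body):   # keep escape pairs intact for now
            cur.append(body[i:i + 2]); i += 2
        elif body[i] == "|":
            parts.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(body[i]); i += 1
    parts.append("".join(cur) + body[i:])
    if len(parts) != 8:
        raise ValueError("malformed CEF header: expected 7 pipe-delimited fields")
    return parts


def parse_cef(line: str) -> dict:
    """Return LogRhythm-named fields for one syslog line carrying a CEF message."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload in line")
    parts = split_cef_header(line[start + 4:])
    version, _vendor, _product, _devver, _sigid, name, severity = (
        cef_unescape(p, header=True) for p in parts[:7])
    # 'version' and 'severity' follow the field table; 'cef_name' is this example's own key.
    fields = {"version": version, "severity": severity, "cef_name": name}
    ext = parts[7]
    keys = list(EXT_KEY.finditer(ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        raw = ext[m.end():end].strip()
        fields[CEF_TO_LOGRHYTHM.get(m.group(1), m.group(1))] = cef_unescape(raw, header=False)
    return fields


def classify(fields: dict) -> tuple:
    """(rule name, Common Event, Classification). Assumption: sub-rules key on the CEF Name header."""
    name = fields.get("cef_name", "")
    return (name,) + SUB_RULES[name] if name in SUB_RULES else BASE_RULE


# Constructed sample lines for this example (not captured from a real SecureSphere appliance).
SAMPLE_LINES = [
    "<134>Jun 10 14:02:33 secsphere-gw CEF:0|Imperva Inc.|SecureSphere|11.5|Cookie Injection|Cookie Injection|High|"
    "act=alert dst=10.10.1.20 dpt=443 duser=jdoe src=198.51.100.7 spt=51234 proto=TCP cat=Alert "
    "cs2=Web Server Group cs3=Default Web Application cs5=Cookie Injection cs12=shop.example.com "
    "osUserchain=Mozilla/5.0 (X11; Linux) errormessage=Cookie value changed",
    "<134>Jun 10 14:02:41 secsphere-gw CEF:0|Imperva Inc.|SecureSphere|11.5|SQL Login Failed|SQL Login Failed|Medium|"
    "act=alert dst=10.10.2.5 dpt=1433 src=10.10.3.9 spt=60011 proto=TCP cat=Alert cs2=DB Server Group "
    "application=reporting schemaname=prod username=app\\=svc errormessage=Login failed: password mismatch",
    "<134>Jun 10 14:03:02 secsphere-gw CEF:0|Imperva Inc.|SecureSphere|11.5|Unlisted Signature|Unlisted Signature|Low|"
    "act=alert dst=10.10.1.20 dpt=80 src=203.0.113.4 spt=40000 proto=TCP cat=Alert",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        f = parse_cef(line)
        print(classify(f), {k: f[k] for k in ("sip", "dip", "dport", "sname") if k in f})
```

Values are split on `key=` boundaries rather than on spaces so that multi-word values such as `cs2=Web Server Group` and the user agent survive intact; the third sample, whose Name is not in the sub-rule table, falls through to the base rule, which is the behaviour to watch for when a new SecureSphere policy name starts appearing and everything lands in "General Alert Message".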
LogRhythm Default v2.0
N/A