LSO : Syslog - Imperva Securesphere : User Logon Failure
Vendor Documentation
Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
Log Field | LogRhythm Default | LogRhythm Default v2.0 |
---|---|---|
N/A | <tag1> | N/A |
N/A | <tag2><threatname> | N/A |
N/A | <severity> | N/A |
act | <tag3><command> | N/A |
dst | <dip> | N/A |
dpt | <dport> | N/A |
duser | <login> | N/A |
src | <sip> | N/A |
spt | <sport> | N/A |
proto | <protname> | N/A |
cs1 | <object> | N/A |
cs2 | <group> | N/A |
cs3 | <process> | N/A |
cs4 | <objectname> | N/A |
cs5 | <subject><tag5> | N/A |
N/A | <tag4> | N/A |
osUsername | <account> | N/A |
osUserChain | <useragent> | N/A |
application | <url> | N/A |
schemaname | <policy> | N/A |
username | <sname> | N/A |
errormessage | <reason> | N/A |
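An added example, not part of the vendor documentation, showing how the field mapping above can be applied to a message. It assumes the event arrives in CEF framing (the extension keys act, dst, cs1..cs5 are CEF keys), that the parsed severity comes from the CEF header severity slot, and it uses a constructed sample event; unmapped keys are dropped.

```python
import re

# CEF extension key -> LogRhythm Default parsed field, per the table above.
FIELD_MAP = {
    "act": "command", "dst": "dip", "dpt": "dport", "duser": "login",
    "src": "sip", "spt": "sport", "proto": "protname", "cs1": "object",
    "cs2": "group", "cs3": "process", "cs4": "objectname", "cs5": "subject",
    "osUsername": "account", "osUserChain": "useragent", "application": "url",
    "schemaname": "policy", "username": "sname", "errormessage": "reason",
}

# Constructed sample (not a real device message); note the escaped "=" in the reason.
SAMPLE = (
    "CEF:0|Imperva Inc.|SecureSphere|12.0|Login Failed|User Logon Failure|High|"
    "act=Alert dst=10.0.0.5 dpt=1433 duser=dbadmin src=192.0.2.44 spt=51234 "
    "proto=TCP cs1=Customers cs2=Finance cs3=sqlcmd.exe cs4=dbo.Accounts "
    "cs5=Database osUsername=jsmith username=dbadmin "
    "errormessage=Login failed for user\\=dbadmin"
)

# A key starts at the beginning of the extension or after whitespace; an escaped
# "\=" inside a value is not followed directly by word characters, so it never matches.
_KEY = re.compile(r"(?:^|(?<=\s))([A-Za-z][A-Za-z0-9_]*)=")
_ESC = {"\\=": "=", "\\|": "|", "\\\\": "\\", "\\n": "\n", "\\r": "\r"}


def _unescape(value: str) -> str:
    return re.sub(r"\\[=|\\nr]", lambda m: _ESC[m.group(0)], value)


def parse_cef(msg: str) -> dict:
    """Split the 7 header slots (unescaped '|') from the key=value extension."""
    parts = re.split(r"(?<!\\)\|", msg, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF message")
    names = ["cef", "vendor", "product", "dev_version", "sig_id", "name", "severity"]
    header = {n: _unescape(v) for n, v in zip(names, parts[:7])}
    ext, keys = {}, list(_KEY.finditer(parts[7]))
    for i, k in enumerate(keys):  # value runs up to the next key (or end of line)
        end = keys[i + 1].start() if i + 1 < len(keys) else len(parts[7])
        ext[k.group(1)] = _unescape(parts[7][k.end():end].strip())
    return {"header": header, "ext": ext}


def to_logrhythm(msg: str) -> dict:
    """Rename extension keys to LogRhythm Default fields; keys not in the table are ignored."""
    parsed = parse_cef(msg)
    fields = {FIELD_MAP[k]: v for k, v in parsed["ext"].items() if k in FIELD_MAP}
    fields["severity"] = parsed["header"]["severity"]  # assumption: header severity slot
    return fields
```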
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
| Regex ID | Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|---|
| 1000989 | User Logon Failure | Base Rule | Authentication Failure Activity | Authentication Failure |
| | Cookie Injection | Sub Rule | General Attack Activity | Attack |
| | Cookie Tampering | Sub Rule | General Attack Activity | Attack |
| | Email Hoarding | Sub Rule | Unauthorized E-mail | Misuse |
| | Double URL Encoding | Sub Rule | Suspicious Activity | Suspicious |
| | Extremely Long Parameter | Sub Rule | Suspicious Activity | Suspicious |
| | HTTP Signature Violation | Sub Rule | General Attack Activity | Attack |
| | NULL Character In Parameter Value | Sub Rule | Suspicious Activity | Suspicious |
| | Parameter Read Only Violation | Sub Rule | Suspicious Activity | Suspicious |
| | Parameter Type Violation | Sub Rule | Suspicious Activity | Suspicious |
| | SSL Untraceable Connection | Sub Rule | Suspicious Activity | Suspicious |
| | Unauthorized Access To Service | Sub Rule | Unauthorized Program/Process | Misuse |
| | Unauthorized Method For Known URL | Sub Rule | Unauthorized Activity | Misuse |
| | Unauthorized Request Content Type | Sub Rule | Unauthorized Activity | Misuse |
| | Unauthorized URL Access | Sub Rule | Unauthorized Activity | Misuse |
| | Cross Site Request Forgery | Sub Rule | Cross-Site Request Forgery | Attack |
| | Distributed Suspicious Response Code | Sub Rule | Suspicious Activity | Suspicious |
| | Suspicious Response Code | Sub Rule | Suspicious Activity | Suspicious |
| | Cross-Site Scripting | Sub Rule | Cross-Site Scripting | Attack |
| | Custom Violation | Sub Rule | Security Violation | Other Security |
| | Illegal HTTP Version | Sub Rule | Incorrect Version | Error |
| | Redundant UTF-8 Encoding | Sub Rule | General Protocol Violation | Error |
| | SQL Injection | Sub Rule | SQL Injection | Attack |
| | Unknown HTTP Request Method | Sub Rule | HTTP Request Failed | Error |
| | URL Above Root Directory | Sub Rule | Directory Traversal | Attack |
| | Web Worm | Sub Rule | Detected Worm Activity | Malware |
| | Illegal Byte Code Character In URL | Sub Rule | Illegal Characters | Error |
| | HTTP Signature Violation : Blocked | Sub Rule | Failed General Attack Activity | Failed Attack |
| | SQL Injection : Blocked | Sub Rule | Failed SQL Injection | Failed Attack |
| | Cross-Site Scripting : Blocked | Sub Rule | Failed Cross-Site Scripting | Failed Attack |
| | Cross Site Request Forgery : Blocked | Sub Rule | Failed Cross-Site Request Forgery | Failed Attack |
| | Unknown HTTP Request Method : Blocked | Sub Rule | HTTP Request Failed | Error |
| | URL Above Root Directory : Blocked | Sub Rule | Failed Directory Traversal | Failed Attack |
| | Web Worm : Blocked | Sub Rule | Failed Worm Activity | Failed Malware |
| | Illegal HTTP Version : Blocked | Sub Rule | Incorrect Version | Error |
| | Redundant UTF-8 Encoding : Blocked | Sub Rule | General Protocol Violation | Error |
| | SSL Untraceable Connection | Sub Rule | Suspicious Activity | Suspicious |
| | Post Request - Missing Content Type | Sub Rule | Missing Attribute | Warning |
| | Audit.DAM | Sub Rule | General Audit | Other Audit Success |
| | eMail Hoarding | Sub Rule | General AlertEmail Critical | Critical |
| | Malformed HTTP Header Line | Sub Rule | Malformed Signature | Warning |
| | Network Protocol Violation Policy | Sub Rule | Security Policy Violation | Warning |
| | Recommended Signature Policy for Web Application | Sub Rule | Signature Information | Information |
| | Recommended Signature Policy for Web Application - | Sub Rule | Signatures Updated | Configuration |
LogRhythm Default v2.0
N/A