
Packet Log Messages

Vendor Documentation

Classification

Rule Name: Packet Log Messages
Rule Type: Base Rule
Common Event: General Information
Classification: Information

Mapping with LogRhythm Schema

Each entry below lists the device key as it appears in the log message, the LogRhythm schema field it maps to, and the data type, followed by the schema description.

Device Key in Log Message | LogRhythm Schema | Data Type

Header: Severity | <severity> | Text/String
    N/A

N/A | <objecttype> | Text/String
    packet_log

action | <action> | Text/String
    This represents the connection/packet verdict. If it reads allowed, the connection was allowed; if it reads denied, the connection was blocked.

direction | N/A | N/A
    This represents the determined direction of the initial connection (or pseudo-connection, in the case of connectionless protocols such as UDP). The value will be either inbound or outbound. Note that this is the direction of the connection and not necessarily the packet orientation. That is, a connection is outbound if a protected IP initiates the conversation. It is inbound if a protected IP is the target of an external initiator. It is similar to a phone call: if I call you, the call is an outbound connection from my perspective, yet during that call there are both inbound and outbound packets. The reported connection direction is established once and holds for the duration of that particular conversation.

ISH | N/A | N/A
    This represents whether or not loose state handling was employed in determining the connection direction. Generally, if we see a pure SYN packet, we can definitively determine the connection direction. If, on the other hand, we do not see the originating SYN packet, we use a loose packet handling scheme to predict the connection direction. This can happen when a unit is first installed or when it is rebooted. When such a scheme was used, this key appears in the log and is set to true.

group | <group> | Text/String
    This is the resource group responsible for the verdict. It is enclosed in double quotes.

proto | <protname> | Text/String
    This is the identified protocol as determined from the packet’s header information. Most often it is TCP or UDP, but the full gamut of layer 2 and layer 3 protocols is observed by the device. Generally, layer 2 traffic that does not encapsulate an IPv4 packet is bridged through, whereas IPv4 traffic is evaluated against our always-on real-time country, ASN, and threat/denied/allowed list intelligence.

country | N/A | N/A
    This is the country attributable to the external endpoint IP address. This information comes from our always-up-to-date geolocation intelligence for all IPs across the globe. It is enclosed in double quotes.

as_num | N/A | N/A
    This is the unique autonomous system number (ASN) id as determined from our always-up-to-date ASN intelligence for all networks across the globe. Normally this would only be used to cross-index into a separate SIEM database for advanced reporting. It is generally ignored by a parser in favor of the human-readable as_name, as noted below.

as_name | N/A | N/A
    This is the ASN’s physical name. An example might be “Google Inc.”, “CloudFlare, Inc.”, or “Orange S.A.”, and so on. It is enclosed in double quotes.

reason | <reason> | Text/String
    The reason key provides the primary reason for the verdict. Values can be allowedlist, asn, country, deniedlist, policy, and threatlist. For details about the decision-making process, the reader is referred to the threatER Enforce flowchart in the separate document Enforce - Policy Enforcement and our user manuals.

src | <sip> | IP Address
    This is the source IP address from the perspective of the connection orientation. For example, if a protected IP initiates an outbound connection to a Google server, then the protected IP is the source IP. If, on the other hand, an external IP initiates a connection to a protected IP, then the connection is inbound, and the source IP is the external IP.

dst | <dip> | IP Address
    This is the destination IP address from the perspective of the connection orientation. For example, if a protected IP initiates an outbound connection to a Google server, then the Google server is the destination. If, on the other hand, an external IP initiates a connection to a protected IP, then the connection is inbound, and the destination IP is the protected IP.

src_port | <sport> | Number
    This is the source port associated with the source IP of a TCP connection or UDP pseudo-connection.

dst_port | <dport> | Number
    This is the destination port associated with the destination IP of a TCP connection or UDP pseudo-connection.

flags | <object> | Text/String
    For TCP connections, this key lists the TCP flags of the particular connection/packet used for evaluation. It is always enclosed in double quotes, since several comma-separated TCP flags may be associated with one log entry, for example “RST,ACK”.

tl | <threatname> | Text/String
    Displays, as a double-quoted comma-separated value list, any threat lists associated with the IP address(es) involved in the connection.

tl_category | <objectname> | Text/String
    This lists all associated threat list categories for the packet as a double-quoted comma-separated list. Its ordering matches that of the values in the tl_threshold key.

tl_score | <quantity> | Number
    This lists all associated actual scores as a double-quoted comma-separated list, where the order is identical to the ordering of the tl_category key for simple parsing correlation. Note that it is common for the scores to be the same for multiple category entries.

tl_threshold | N/A | N/A
    This lists all associated threshold scores as a double-quoted comma-separated list, where the order is identical to the ordering of the tl_category key for simple parsing correlation.

dl_active | N/A | N/A
    Displays, as a double-quoted comma-separated value list, any active (enabled) denied lists associated with the resource group and policy responsible for the verdict.

dl_inactive | N/A | N/A
    Displays, as a double-quoted comma-separated value list, any inactive (disabled) denied lists associated with the resource group and policy responsible for the verdict.

al_active | N/A | N/A
    Displays, as a double-quoted comma-separated value list, any active (enabled) allowed lists associated with the resource group and policy responsible for the verdict.

al_inactive | N/A | N/A
    Displays, as a double-quoted comma-separated value list, any inactive (disabled) allowed lists associated with the resource group and policy responsible for the verdict.
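The following parser is an added example, not code from LogRhythm or threatER, that turns one packet log message into a record keyed by the LogRhythm schema names in the table above, splits the double-quoted comma-separated lists, correlates tl_category, tl_score and tl_threshold in lockstep order, and checks the enumerated action, direction and reason values the table documents. The page shows no raw log line, so the space-separated key=value layout, the sample message (documentation IP ranges and AS64496) and the function names are assumptions of this example.

```python
import re
from typing import Any, Dict, List

# Device key -> LogRhythm schema field, taken from the mapping table above.
# Keys the table maps to N/A (direction, ISH, country, as_num, as_name,
# tl_threshold, dl_*/al_*) are kept under their device key name.
SCHEMA_MAP = {
    "action": "action", "group": "group", "proto": "protname",
    "reason": "reason", "src": "sip", "dst": "dip",
    "src_port": "sport", "dst_port": "dport", "flags": "object",
    "tl": "threatname", "tl_category": "objectname", "tl_score": "quantity",
}

# Keys the table describes as double-quoted, comma-separated lists.
LIST_KEYS = {"flags", "tl", "tl_category", "tl_score", "tl_threshold",
             "dl_active", "dl_inactive", "al_active", "al_inactive"}

# Enumerations documented in the table.
VALID_ACTION = {"allowed", "denied"}
VALID_DIRECTION = {"inbound", "outbound"}
VALID_REASON = {"allowedlist", "asn", "country", "deniedlist", "policy", "threatlist"}

# ASSUMPTION: the message body is space-separated key=value pairs, where a value
# is either a double-quoted string (which may contain spaces and commas) or a
# bare token. The page does not show a raw line, so this layout is assumed.
PAIR_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample message (not from the page): documentation addresses only.
SAMPLE = (
    'action=denied direction=inbound ISH=true group="Corporate Edge" proto=TCP '
    'country="Netherlands" as_num=64496 as_name="Example Transit B.V." '
    'reason=threatlist src=203.0.113.45 dst=192.0.2.10 src_port=51234 dst_port=443 '
    'flags="SYN" tl="Example Feed A,Example Feed B" tl_category="scanner,botnet" '
    'tl_score="85,92" tl_threshold="80,80" dl_active="corp-denied" dl_inactive="" '
    'al_active="corp-allowed" al_inactive=""'
)


def parse_pairs(message: str) -> Dict[str, str]:
    """Extract key=value pairs, stripping the surrounding double quotes."""
    pairs: Dict[str, str] = {}
    for key, raw in PAIR_RE.findall(message):
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1]
        pairs[key] = raw
    return pairs


def split_list(value: str) -> List[str]:
    """Split a comma-separated list value; an empty quoted value yields []."""
    return [item.strip() for item in value.split(",") if item.strip()]


def parse_packet_log(message: str) -> Dict[str, Any]:
    """Map a packet log message onto the LogRhythm schema fields from the table."""
    fields = parse_pairs(message)
    record: Dict[str, Any] = {"objecttype": "packet_log"}  # constant per the table
    for key, value in fields.items():
        schema_key = SCHEMA_MAP.get(key, key)
        if key in LIST_KEYS:
            record[schema_key] = split_list(value)
        elif key in ("src_port", "dst_port"):
            record[schema_key] = int(value)
        else:
            record[schema_key] = value
    # ISH is only present when loose state handling was used; absent means false.
    record["loose_state_handling"] = fields.get("ISH", "false").lower() == "true"
    return record


def threat_matches(record: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Zip tl_category / tl_score / tl_threshold, which the table says share one order."""
    cats = record.get("objectname", [])
    scores = record.get("quantity", [])
    thresholds = record.get("tl_threshold", [])
    if not (len(cats) == len(scores) == len(thresholds)):
        # Lockstep ordering is meaningless if the lists differ in length.
        raise ValueError("tl_category, tl_score and tl_threshold lengths differ")
    return [{"category": c, "score": int(s), "threshold": int(t)}
            for c, s, t in zip(cats, scores, thresholds)]


def validate(record: Dict[str, Any]) -> List[str]:
    """Return a list of problems against the enumerations documented in the table."""
    problems = []
    if record.get("action") not in VALID_ACTION:
        problems.append(f"unexpected action: {record.get('action')!r}")
    if record.get("direction") not in VALID_DIRECTION:
        problems.append(f"unexpected direction: {record.get('direction')!r}")
    if record.get("reason") not in VALID_REASON:
        problems.append(f"unexpected reason: {record.get('reason')!r}")
    return problems


if __name__ == "__main__":
    rec = parse_packet_log(SAMPLE)
    print(rec)
    print(threat_matches(rec))
    print(validate(rec))
```

The quoted-value regex is what keeps list values such as "Example Feed A,Example Feed B" or "RST,ACK" from being split on whitespace before the comma split runs; the length check in threat_matches is the place a parser should fail loudly rather than silently mis-correlate a score with the wrong category.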
