
Priority B Messages

Vendor Documentation

Classification

| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| Priority B Messages | Base Rule | General Information | Information |
| Unknown OS | Sub Rule | System Software Warning | Warning |
| Policy Violation | Sub Rule | Security Policy Violation | Warning |
| Target Data Hoarding | Sub Rule | Data Loss Prevention Activity | Activity |
| Suspect Data Hoarding | Sub Rule | Data Loss Prevention Activity | Activity |
| Exploitation | Sub Rule | Potential Vulnerability Exploit Allowed | Activity |
| Data Hoarding | Sub Rule | Data Loss Prevention Activity | Activity |
| Watch Host Active | Sub Rule | Watchlist Hit | Activity |
| Watch Port Active | Sub Rule | Watchlist Hit | Activity |
| Spam Source | Sub Rule | Spam Detected | Activity |
| Relationship ICMP Flood | Sub Rule | General Attack Activity | Attack |
| Relationship UDP Flood | Sub Rule | General Attack Activity | Attack |
| Relationship SYN Flood | Sub Rule | General Attack Activity | Attack |
| Brute Force Login | Sub Rule | Brute Force Activity | Attack |
| Anomaly | Sub Rule | Protocol Anomaly | Attack |
| Packet Flood | Sub Rule | General Attack Activity | Attack |
| Port Flood | Sub Rule | General Attack Activity | Attack |
| UDP Flood | Sub Rule | General Attack Activity | Attack |
| SYN Flood | Sub Rule | General Attack Activity | Attack |
| ICMP Flood | Sub Rule | General Attack Activity | Attack |
| Half Open Attack | Sub Rule | General Attack Activity | Attack |
| Bad Host | Sub Rule | Host Compromised | Compromise |
| Scanner Talking | Sub Rule | Host Compromised | Compromise |
| Fake Application Detected | Sub Rule | Host Compromised | Compromise |
| StealthWatch Flow License Exceeded | Sub Rule | License Exceeded | Critical |
| SMC Disk Space Low | Sub Rule | Disk / Storage Full | Critical |
| SMC RAID Rebuilding | Sub Rule | Disk Drive Failure | Critical |
| SMC RAID Failure | Sub Rule | Disk Drive Failure | Critical |
| FlowCollector Performance Degraded | Sub Rule | Disk Drive Failure | Critical |
| FlowCollector RAID Rebuilding | Sub Rule | Disk Drive Failure | Critical |
| FlowCollector RAID Failure | Sub Rule | Disk Drive Failure | Critical |
| Data Exfiltration | Sub Rule | Data Loss Alert : High | Critical |
| High DDoS Source Index | Sub Rule | Host Distributed Denial Of Service | Denial Of Service |
| High DDoS Target Index | Sub Rule | Host Distributed Denial Of Service | Denial Of Service |
| Slow Connection Flood | Sub Rule | Network Denial Of Service | Denial Of Service |
| Unlicensed Feature | Sub Rule | License Error | Error |
| License Corrupted | Sub Rule | License Error | Error |
| FlowSensor Management Channel Down | Sub Rule | Flow Manager Error | Error |
| FlowSensor Time Mismatch | Sub Rule | Flow Manager Error | Error |
| FlowSensor RAID Rebuilding | Sub Rule | Flow Manager Error | Error |
| FlowSensor RAID Failure | Sub Rule | Flow Manager Error | Error |
| FlowSensor Traffic Lost | Sub Rule | Flow Manager Error | Error |
| FlowSensor VE Configuration Error | Sub Rule | Flow Manager Error | Error |
| MAC Address Violation | Sub Rule | Invalid MAC Address | Error |
| SMC Failover Channel Down | Sub Rule | Network Interface Changed State To Down | Information |
| Identity Channel Down | Sub Rule | Network Interface Changed State To Down | Information |
| SLIC Channel Down | Sub Rule | Network Interface Changed State To Down | Information |
| V-Motion | Sub Rule | General VMware Server Information | Information |
| New VM | Sub Rule | Status For Virtual Machine Set | Information |
| New Host Active | Sub Rule | Evaluated New Host | Information |
| Suspect Data Loss | Sub Rule | General Data Loss Message | Information |
| Bot Command & Control Server | Sub Rule | Detected Botnet Activity | Malware |
| Bot Infected Host - Successful C&C Activity | Sub Rule | Detected Botnet Activity | Malware |
| Bot Infected Host - Attempted C&C Activity | Sub Rule | Detected Botnet Activity | Malware |
| Worm Propagation | Sub Rule | Detected Worm Activity | Malware |
| Worm Activity | Sub Rule | Detected Worm Activity | Malware |
| Mail Rejects | Sub Rule | Unauthorized E-mail | Misuse |
| High Volume Email | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| New Flows Served | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| New Flows Initiated | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| Max Flows Served | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| Max Flows Initiated | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| High Total Traffic | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| High Target Index | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| High File Sharing Index | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| High Concern Index | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| FlowCollector FlowSensor VE Count Exceeded | Sub Rule | Lost Flow Detail Records | Network Traffic |
| FlowCollector Exporter Count Exceeded | Sub Rule | Lost Flow Detail Records | Network Traffic |
| FlowCollector Log Retention Reduced | Sub Rule | Lost Flow Detail Records | Network Traffic |
| FlowCollector Data Deleted | Sub Rule | Lost Flow Detail Records | Network Traffic |
| Interface Utilization Exceeded Outbound | Sub Rule | Max Flow Limit Reached | Network Traffic |
| Interface Utilization Exceeded Inbound | Sub Rule | Max Flow Limit Reached | Network Traffic |
| FlowCollector Flow Data Lost | Sub Rule | Lost Flow Detail Records | Network Traffic |
| ICMP Received | Sub Rule | ICMP Flow Events | Network Traffic |
| UDP Received | Sub Rule | UDP Flow Events | Network Traffic |
| NAT IP | Sub Rule | NAT Detection Status | Network Traffic |
| SYNs Received | Sub Rule | TCP SYN Received | Network Traffic |
| Short Fragments | Sub Rule | Fragmented Packet Received | Network Traffic |
| Port Scan | Sub Rule | Port Scan | Reconnaissance |
| Recon | Sub Rule | Reconnaissance Activity | Reconnaissance |
| FlowCollector Management Channel Down | Sub Rule | Process/Service Stopped | Startup and Shutdown |
| Cisco ISE Management Channel Down | Sub Rule | Process/Service Stopped | Startup and Shutdown |
| FlowCollector Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown |
| Relationship TCP Retransmission Ratio | Sub Rule | Suspicious Network Activity | Suspicious |
| Relationship Server Response Time | Sub Rule | Suspicious Network Activity | Suspicious |
| Relationship Round Trip Time | Sub Rule | Suspicious Network Activity | Suspicious |
| Relationship New Flows | Sub Rule | Suspicious Network Activity | Suspicious |
| Relationship Max Flows | Sub Rule | Suspicious Network Activity | Suspicious |
| Relationship Low Traffic | Sub Rule | Suspicious Network Activity | Suspicious |
| Relationship High Traffic | Sub Rule | Suspicious Network Activity | Suspicious |
| Relationship High Total Traffic | Sub Rule | Suspicious Network Activity | Suspicious |
| Suspect Quiet Long Flow | Sub Rule | Suspicious Network Activity | Suspicious |
| Command and Control | Sub Rule | Suspicious Network Activity | Suspicious |
| Beaconing Host | Sub Rule | Suspicious Host Activity | Suspicious |
| Trapped Host | Sub Rule | Suspicious Host Activity | Suspicious |
| Suspect Long Flow | Sub Rule | Suspicious Network Activity | Suspicious |
| Low Traffic | Sub Rule | Suspicious Network Activity | Suspicious |
| Touched | Sub Rule | Suspicious Host Activity | Suspicious |
| Suspect UDP Activity | Sub Rule | Suspicious Network Activity | Suspicious |
| Malformed Fragments | Sub Rule | Malformed Object | Suspicious |
| Host Lock Violation | Sub Rule | Suspicious Host Activity | Suspicious |
| High Traffic | Sub Rule | Suspicious Network Activity | Suspicious |
| Hi SMB Peers | Sub Rule | Vuln Low Severity : SMB / NETBIOS | Vulnerability |
| Mail Relay | Sub Rule | Vuln Medium Severity : Mail Services | Vulnerability |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type |
|---|---|---|
| Device Vendor | N/A | N/A |
| Device Product | N/A | N/A |
| time | N/A | N/A |
| target_hostname | <dname> | Text/String |
| alarm_severity_id | <severity> | Number |
| alarm_type_id | <vmid> | Number |
| alarm_type_description | <subject>, <threatname> | Text/String |
| port | <sport> | Number |
| target_ip | <dip> | Number |
| target_mac_address | <dmac> | N/A |
| target_label | <dname> | Text/String |
| alarm_type_name | <command> | Text/String |
| source_hostname | <sname> | N/A |
| source_ip | <sip> | Number |
| source_mac_address | <smac> | N/A |
| source_username | <login> | N/A |
| device_ip | <object> | Number |
| device_name | <objectname> | Text/String |
| details | N/A | N/A |
| protocol | N/A | N/A |
| alarm_id | N/A | N/A |
| alarm_category_name | N/A | N/A |
| start_active_time | N/A | N/A |
| end_active_time | N/A | N/A |
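The two tables above are easiest to check against real traffic by running them over a message. The following is an added example, not code from this page, from LogRhythm or from Cisco. It assumes a hypothetical Stealthwatch syslog format made of space-separated key=value pairs named after the device keys in the mapping table (the real format string is configurable and is not shown on the page). It applies the schema mapping with the declared data types, resolves the two device keys that both land in <dname> (the page states no precedence, so preferring target_hostname over target_label is the example's own choice), copies alarm_type_description into both <subject> and <threatname>, and assigns Common Event and Classification from an excerpt of the sub-rule table, falling back to the "Priority B Messages" base rule for alarm names with no sub rule. The sample payload and its values are constructed.

```python
"""Map a Stealthwatch alarm syslog payload onto the LogRhythm schema fields above.

Assumption (not stated on the page): the Stealthwatch syslog format has been
configured to emit space-separated key=value pairs named after the device keys
in the mapping table, with values that contain spaces double-quoted, e.g.
    alarm_type_name="Beaconing Host" source_ip=10.20.30.40 port=443
"""
import ipaddress
import re

# Device key in log message -> (LogRhythm schema field, data type), from the mapping table.
# None stands for N/A (the page declares no data type for that field).
SCHEMA_MAP = {
    "target_hostname": ("dname", "Text/String"),
    "alarm_severity_id": ("severity", "Number"),
    "alarm_type_id": ("vmid", "Number"),
    "alarm_type_description": ("subject", "Text/String"),  # also copied to <threatname>
    "port": ("sport", "Number"),
    "target_ip": ("dip", "Number"),
    "target_mac_address": ("dmac", None),
    "target_label": ("dname", "Text/String"),
    "alarm_type_name": ("command", "Text/String"),
    "source_hostname": ("sname", None),
    "source_ip": ("sip", "Number"),
    "source_mac_address": ("smac", None),
    "source_username": ("login", None),
    "device_ip": ("object", "Number"),
    "device_name": ("objectname", "Text/String"),
}

# Both target_hostname and target_label map to <dname>; the page states no precedence,
# so this order is an assumption of the example: prefer the host name, fall back to the label.
DNAME_PRECEDENCE = ("target_hostname", "target_label")

# Excerpt of the Priority B sub-rule table: alarm_type_name -> (Common Event, Classification).
PRIORITY_B = {
    "Beaconing Host": ("Suspicious Host Activity", "Suspicious"),
    "Data Exfiltration": ("Data Loss Alert : High", "Critical"),
    "Brute Force Login": ("Brute Force Activity", "Attack"),
    "Port Scan": ("Port Scan", "Reconnaissance"),
    "Bot Infected Host - Successful C&C Activity": ("Detected Botnet Activity", "Malware"),
}
# Alarm names with no sub rule fall through to the base rule "Priority B Messages".
BASE_RULE = ("General Information", "Information")

# key=value, where value is either a double-quoted string (with \" escapes) or a bare token.
_PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_pairs(payload: str) -> dict:
    """Split the payload into a dict of device keys, unquoting quoted values."""
    fields = {}
    for key, raw in _PAIR.findall(payload):
        fields[key] = raw[1:-1].replace('\\"', '"') if raw.startswith('"') else raw
    return fields


def coerce(key: str, value: str, dtype):
    """Check a value against the data type the page declares; raise rather than guess."""
    if dtype != "Number":
        return value
    if key.endswith("_ip"):
        # The page types the IP fields as Number; validate them as IP addresses, not int().
        return str(ipaddress.ip_address(value))
    return int(value)


def map_to_logrhythm(payload: str) -> dict:
    """Return the LogRhythm schema fields plus Common Event and Classification for one alarm."""
    fields = parse_pairs(payload)
    mapped = {}
    for key, value in fields.items():
        if key not in SCHEMA_MAP:
            continue  # e.g. alarm_id, details: present in the log, N/A in the schema
        schema_field, dtype = SCHEMA_MAP[key]
        if schema_field == "dname":
            continue  # resolved below by precedence
        mapped[schema_field] = coerce(key, value, dtype)
    if "subject" in mapped:
        mapped["threatname"] = mapped["subject"]
    for key in DNAME_PRECEDENCE:
        if key in fields:
            mapped["dname"] = fields[key]
            break
    common_event, classification = PRIORITY_B.get(fields.get("alarm_type_name"), BASE_RULE)
    mapped["common_event"] = common_event
    mapped["classification"] = classification
    return mapped


# Constructed sample payload (not a real Stealthwatch message); all values are illustrative.
SAMPLE = (
    'alarm_type_id=57 alarm_type_name="Beaconing Host" alarm_severity_id=6 '
    'source_ip=10.20.30.40 target_ip=203.0.113.25 port=443 '
    'target_hostname=cdn.example.net target_label="Outside Hosts" '
    'device_ip=10.0.0.5 device_name=FC-01 alarm_id=12345'
)

if __name__ == "__main__":
    for field, value in map_to_logrhythm(SAMPLE).items():
        print(f"{field:>15}: {value}")
```

Note that `coerce` rejects a malformed IP or a non-numeric port with a ValueError instead of passing the raw text through; when wiring this into a pipeline, catch that per message and route the event to an unparsed-log bucket so a single bad field does not silently drop the Common Event and Classification.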
