Priority B Messages
Vendor Documentation
https://marketplace.microfocus.com/arcsight/content/lancope-stealthwatch-r
https://www.dropbox.com/s/mbwlv9f2t1si5d4/Lancope_StealthWatch_6_6_CEF_Config_Guide_2015.pdf?dl=0
Classification
Rule Name | Rule Type | Common Event | Classification |
---|---|---|---|
Priority B Messages | Base Rule | General Information | Information |
Unknown OS | Sub Rule | System Software Warning | Warning |
Policy Violation | Sub Rule | Security Policy Violation | Warning |
Target Data Hoarding | Sub Rule | Data Loss Prevention Activity | Activity |
Suspect Data Hoarding | Sub Rule | Data Loss Prevention Activity | Activity |
Exploitation | Sub Rule | Potential Vulnerability Exploit Allowed | Activity |
Data Hoarding | Sub Rule | Data Loss Prevention Activity | Activity |
Watch Host Active | Sub Rule | Watchlist Hit | Activity |
Watch Port Active | Sub Rule | Watchlist Hit | Activity |
Spam Source | Sub Rule | Spam Detected | Activity |
Relationship ICMP Flood | Sub Rule | General Attack Activity | Attack |
Relationship UDP Flood | Sub Rule | General Attack Activity | Attack |
Relationship SYN Flood | Sub Rule | General Attack Activity | Attack |
Brute Force Login | Sub Rule | Brute Force Activity | Attack |
Anomaly | Sub Rule | Protocol Anomaly | Attack |
Packet Flood | Sub Rule | General Attack Activity | Attack |
Port Flood | Sub Rule | General Attack Activity | Attack |
UDP Flood | Sub Rule | General Attack Activity | Attack |
SYN Flood | Sub Rule | General Attack Activity | Attack |
ICMP Flood | Sub Rule | General Attack Activity | Attack |
Half Open Attack | Sub Rule | General Attack Activity | Attack |
Bad Host | Sub Rule | Host Compromised | Compromise |
Scanner Talking | Sub Rule | Host Compromised | Compromise |
Fake Application Detected | Sub Rule | Host Compromised | Compromise |
StealthWatch Flow License Exceeded | Sub Rule | License Exceeded | Critical |
SMC Disk Space Low | Sub Rule | Disk / Storage Full | Critical |
SMC RAID Rebuilding | Sub Rule | Disk Drive Failure | Critical |
SMC RAID Failure | Sub Rule | Disk Drive Failure | Critical |
FlowCollector Performance Degraded | Sub Rule | Disk Drive Failure | Critical |
FlowCollector RAID Rebuilding | Sub Rule | Disk Drive Failure | Critical |
FlowCollector RAID Failure | Sub Rule | Disk Drive Failure | Critical |
Data Exfiltration | Sub Rule | Data Loss Alert : High | Critical |
High DDoS Source Index | Sub Rule | Host Distributed Denial Of Service | Denial Of Service |
High DDoS Target Index | Sub Rule | Host Distributed Denial Of Service | Denial Of Service |
Slow Connection Flood | Sub Rule | Network Denial Of Service | Denial Of Service |
Unlicensed Feature | Sub Rule | License Error | Error |
License Corrupted | Sub Rule | License Error | Error |
FlowSensor Management Channel Down | Sub Rule | Flow Manager Error | Error |
FlowSensor Time Mismatch | Sub Rule | Flow Manager Error | Error |
FlowSensor RAID Rebuilding | Sub Rule | Flow Manager Error | Error |
FlowSensor RAID Failure | Sub Rule | Flow Manager Error | Error |
FlowSensor Traffic Lost | Sub Rule | Flow Manager Error | Error |
FlowSensor VE Configuration Error | Sub Rule | Flow Manager Error | Error |
MAC Address Violation | Sub Rule | Invalid MAC Address | Error |
SMC Failover Channel Down | Sub Rule | Network Interface Changed State To Down | Information |
Identity Channel Down | Sub Rule | Network Interface Changed State To Down | Information |
SLIC Channel Down | Sub Rule | Network Interface Changed State To Down | Information |
V-Motion | Sub Rule | General VMware Server Information | Information |
New VM | Sub Rule | Status For Virtual Machine Set | Information |
New Host Active | Sub Rule | Evaluated New Host | Information |
Suspect Data Loss | Sub Rule | General Data Loss Message | Information |
Bot Command & Control Server | Sub Rule | Detected Botnet Activity | Malware |
Bot Infected Host - Successful C&C Activity | Sub Rule | Detected Botnet Activity | Malware |
Bot Infected Host - Attempted C&C Activity | Sub Rule | Detected Botnet Activity | Malware |
Worm Propagation | Sub Rule | Detected Worm Activity | Malware |
Worm Activity | Sub Rule | Detected Worm Activity | Malware |
Mail Rejects | Sub Rule | Unauthorized E-mail | Misuse |
High Volume Email | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
New Flows Served | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
New Flows Initiated | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
Max Flows Served | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
Max Flows Initiated | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
High Total Traffic | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
High Target Index | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
High File Sharing Index | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
High Concern Index | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
FlowCollector FlowSensor VE Count Exceeded | Sub Rule | Lost Flow Detail Records | Network Traffic |
FlowCollector Exporter Count Exceeded | Sub Rule | Lost Flow Detail Records | Network Traffic |
FlowCollector Log Retention Reduced | Sub Rule | Lost Flow Detail Records | Network Traffic |
FlowCollector Data Deleted | Sub Rule | Lost Flow Detail Records | Network Traffic |
Interface Utilization Exceeded Outbound | Sub Rule | Max Flow Limit Reached | Network Traffic |
Interface Utilization Exceeded Inbound | Sub Rule | Max Flow Limit Reached | Network Traffic |
FlowCollector Flow Data Lost | Sub Rule | Lost Flow Detail Records | Network Traffic |
ICMP Received | Sub Rule | ICMP Flow Events | Network Traffic |
UDP Received | Sub Rule | UDP Flow Events | Network Traffic |
NAT IP | Sub Rule | NAT Detection Status | Network Traffic |
SYNs Received | Sub Rule | TCP SYN Received | Network Traffic |
Short Fragments | Sub Rule | Fragmented Packet Received | Network Traffic |
Port Scan | Sub Rule | Port Scan | Reconnaissance |
Recon | Sub Rule | Reconnaissance Activity | Reconnaissance |
FlowCollector Management Channel Down | Sub Rule | Process/Service Stopped | Startup and Shutdown |
Cisco ISE Management Channel Down | Sub Rule | Process/Service Stopped | Startup and Shutdown |
FlowCollector Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown |
Relationship TCP Retransmission Ratio | Sub Rule | Suspicious Network Activity | Suspicious |
Relationship Server Response Time | Sub Rule | Suspicious Network Activity | Suspicious |
Relationship Round Trip Time | Sub Rule | Suspicious Network Activity | Suspicious |
Relationship New Flows | Sub Rule | Suspicious Network Activity | Suspicious |
Relationship Max Flows | Sub Rule | Suspicious Network Activity | Suspicious |
Relationship Low Traffic | Sub Rule | Suspicious Network Activity | Suspicious |
Relationship High Traffic | Sub Rule | Suspicious Network Activity | Suspicious |
Relationship High Total Traffic | Sub Rule | Suspicious Network Activity | Suspicious |
Suspect Quiet Long Flow | Sub Rule | Suspicious Network Activity | Suspicious |
Command and Control | Sub Rule | Suspicious Network Activity | Suspicious |
Beaconing Host | Sub Rule | Suspicious Host Activity | Suspicious |
Trapped Host | Sub Rule | Suspicious Host Activity | Suspicious |
Suspect Long Flow | Sub Rule | Suspicious Network Activity | Suspicious |
Low Traffic | Sub Rule | Suspicious Network Activity | Suspicious |
Touched | Sub Rule | Suspicious Host Activity | Suspicious |
Suspect UDP Activity | Sub Rule | Suspicious Network Activity | Suspicious |
Malformed Fragments | Sub Rule | Malformed Object | Suspicious |
Host Lock Violation | Sub Rule | Suspicious Host Activity | Suspicious |
High Traffic | Sub Rule | Suspicious Network Activity | Suspicious |
Hi SMB Peers | Sub Rule | Vuln Low Severity : SMB / NETBIOS | Vulnerability |
Mail Relay | Sub Rule | Vuln Medium Severity : Mail Services | Vulnerability |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type |
---|---|---|
Device Vendor | N/A | N/A |
Device Product | N/A | N/A |
time | N/A | N/A |
target_hostname | <dname> | Text/String |
alarm_severity_id | <severity> | Number |
alarm_type_id | <vmid> | Number |
alarm_type_description | <subject>, <threatname> | Text/String |
port | <sport> | Number |
target_ip | <dip> | Number |
target_mac_address | <dmac> | N/A |
target_label | <dname> | Text/String |
alarm_type_name | <command> | Text/String |
source_hostname | <sname> | N/A |
source_ip | <sip> | Number |
source_mac_address | <smac> | N/A |
source_username | <login> | N/A |
device_ip | <object> | Number |
device_name | <objectname> | Text/String |
details | N/A | N/A |
protocol | N/A | N/A |
alarm_id | N/A | N/A |
alarm_category_name | N/A | N/A |
start_active_time | N/A | N/A |
end_active_time | N/A | N/A |