Syslog Fortinet FortiGate - V 2.0 : UTM : Anamoly
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
---|---|---|---|
V 2.0: UTM: Anamoly | Base Rule | General Firewall Event | Information |
V 2.0: Anomaly Attack Anomaly Tcp Udp | Sub Rule | General Attack Activity | Attack |
V 2.0: Logid_Attck_Anomaly_Icmp | Sub Rule | General Attack Activity | Attack |
V 2.0: Logid_Attck_Anomaly_Others | Sub Rule | General Attack Activity | Attack |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
---|---|---|---|
date | N/A | N/A | The date of the log entry. |
time | N/A | N/A | The time of the log entry. |
logid | <vmid> | Number | The unique identifier for the log entry. |
type | <vendorinfo> | Text/String | The type of log event. |
subtype | N/A | N/A | The subtype of the log event. |
eventtype | N/A | N/A | The specific type of anomaly event. |
level | N/A | N/A | The severity level of the log event. |
vd | <sessiontype> | Text/String | The virtual domain associated with the log event. |
eventtime | N/A | N/A | The timestamp of the event. |
severity | <severity> | Text/String | The severity level of the anomaly event. |
srcip | <sip> | IP Address | The source IP address of the communication. |
srccountry | N/A | N/A | The country associated with the source IP address. |
dstip | <dip> | IP Address | The destination IP address of the communication. |
srcintf | <sinterface> | Text/String | The source interface. |
srcintfrole | N/A | N/A | The role of the source interface. |
sessionid | <session> | Number | The ID of the session associated with the log event. |
action | <action> | Text/String | The action the FortiGate took on the anomalous traffic (for example clearing the offending session). |
proto | <protnum> | Number | The IANA protocol number of the traffic (for example 1 for ICMP, 6 for TCP, 17 for UDP). |
service | <protname> | Text/String | The service or protocol being used. |
count | <quantity> | Number | The number of packets observed that triggered the anomaly. |
attack | <threatname> | Text/String | The name of the detected attack. |
icmpid | N/A | N/A | The ICMP packet identifier. |
icmptype | N/A | N/A | The ICMP packet type. |
icmpcode | N/A | N/A | The ICMP packet code. |
attackid | <threatid> | Number | The ID of the detected attack. |
policyid | <policy> | Number | The ID of the policy associated with the log event. |
policytype | N/A | N/A | The type of policy associated with the log event. |
ref | <url> | Text/String | Reference link for more information about the attack. |
msg | <subject> | Text/String | Additional message or description of the log event. |
crscore | N/A | N/A | The risk score associated with the event. |
craction | N/A | N/A | The action code taken based on the risk score. |
crlevel | N/A | N/A | The risk level associated with the event. |
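The following is an added example, not LogRhythm's or Fortinet's code, that shows what the mapping table above does in practice: it splits a FortiOS key=value syslog line, keeps only the device keys that the table maps to a schema field, drops the keys marked N/A, and picks a sub rule. The sample log line is constructed (its logid, attackid, ref URL, policy and counter values are invented), and the sub-rule selection on protocol number (1 for ICMP, 6 and 17 for TCP/UDP, anything else to Others) is this example's own assumption about how the three sub rules divide events; the page itself does not state the selection criteria.

```python
import re
from typing import Dict, List

# Constructed sample (not a real device log): a FortiGate UTM anomaly record in
# the FortiOS key=value syslog format. All identifiers and counts are invented.
SAMPLE_LINE = (
    'date=2024-01-15 time=10:22:31 logid="0720018432" type="utm" '
    'subtype="anomaly" eventtype="anomaly" level="alert" vd="root" '
    'eventtime=1705314151 severity="critical" srcip=203.0.113.7 '
    'srccountry="Reserved" dstip=192.0.2.10 srcintf="port1" '
    'srcintfrole="wan" sessionid=1234567 action="clear_session" '
    'proto=1 service="PING" count=5000 attack="icmp_flood" icmpid=0x1234 '
    'icmptype=0x08 icmpcode=0x00 attackid=100001 policyid=1 '
    'policytype="DoS-policy" ref="https://example.com/ids/VID100001" '
    'msg="anomaly: icmp_flood, 5000 > threshold 250, repeats 30 times" '
    'crscore=50 craction=4096 crlevel="critical"'
)

# Device key -> LogRhythm schema field, taken from the mapping table above.
# Keys the table marks N/A are intentionally absent and therefore dropped.
FIELD_MAP = {
    "logid": "vmid", "type": "vendorinfo", "vd": "sessiontype",
    "severity": "severity", "srcip": "sip", "dstip": "dip",
    "srcintf": "sinterface", "sessionid": "session", "action": "action",
    "proto": "protnum", "service": "protname", "count": "quantity",
    "attack": "threatname", "attackid": "threatid", "policyid": "policy",
    "ref": "url", "msg": "subject",
}
# Schema fields the table types as Number.
NUMERIC = {"vmid", "session", "protnum", "quantity", "threatid", "policy"}

# key=value tokens; a value is either a double-quoted string (may contain
# spaces and escaped quotes) or a run of non-whitespace characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_kv(line: str) -> Dict[str, str]:
    """Split a FortiOS key=value line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def map_to_logrhythm(line: str) -> Dict[str, object]:
    """Return the schema fields this rule populates; unmapped device keys are dropped."""
    fields = parse_fortigate_kv(line)
    mapped: Dict[str, object] = {}
    for dev_key, schema_key in FIELD_MAP.items():
        if dev_key in fields:
            value = fields[dev_key]
            mapped[schema_key] = int(value) if schema_key in NUMERIC else value
    return mapped


def unmapped_keys(line: str) -> List[str]:
    """Device keys present in the log that the table maps to N/A (lost to the schema)."""
    return sorted(k for k in parse_fortigate_kv(line) if k not in FIELD_MAP)


def sub_rule(mapped: Dict[str, object]) -> str:
    """Assumed sub-rule split by IANA protocol number: 6/17 -> TCP/UDP, 1 -> ICMP, else Others."""
    proto = int(mapped.get("protnum", -1))
    if proto in (6, 17):
        return "V 2.0: Anomaly Attack Anomaly Tcp Udp"
    if proto == 1:
        return "V 2.0: Logid_Attck_Anomaly_Icmp"
    return "V 2.0: Logid_Attck_Anomaly_Others"


if __name__ == "__main__":
    mapped = map_to_logrhythm(SAMPLE_LINE)
    for schema_key, value in mapped.items():
        print(f"<{schema_key}> = {value!r}")
    print("dropped (N/A in table):", ", ".join(unmapped_keys(SAMPLE_LINE)))
    print("sub rule:", sub_rule(mapped))
```

Running it against the constructed line makes the practical consequence of the N/A rows visible: crscore, craction, crlevel, icmptype, icmpcode, level and srccountry are present in the raw log but never reach a schema field, so they are not available to AI Engine rules or structured searches unless the rule is extended. The raw message text is still retained by LogRhythm, so the values can be found by full-text search, but not filtered on as fields.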