Vendor Documentation
Classification
|
Rule Name |
Rule Type |
Common Event |
Classification |
|---|---|---|---|
|
V 2.0: UTM: Anamoly |
Base Rule |
General Firewall Event |
Information |
|
V 2.0: Anomaly Attack Anomaly Tcp Udp |
Sub Rule |
General Attack Activity |
Attack |
|
V 2.0: Logid_Attck_Anomaly_Icmp |
Sub Rule |
General Attack Activity |
Attack |
|
V 2.0: Logid_Attck_Anomaly_Others |
Sub Rule |
General Attack Activity |
Attack |
Mapping with LogRhythm Schema
|
Device Key in Log Message |
LogRhythm Schema |
Data Type |
Schema Description |
|---|---|---|---|
|
date |
N/A |
N/A |
The date of the log entry. |
|
time |
N/A |
N/A |
The time of the log entry. |
|
logid |
<vmid> |
Number |
The unique identifier for the log entry. |
|
type |
<vendorinfo> |
Text/String |
The type of log event. |
|
subtype |
N/A |
N/A |
The subtype of the log event. |
|
eventtype |
N/A |
N/A |
The specific type of anomaly event. |
|
level |
N/A |
N/A |
The severity level of the log event. |
|
vd |
<sessiontype> |
Text/String |
The virtual domain associated with the log event. |
|
eventtime |
N/A |
N/A |
The timestamp of the event. |
|
severity |
<severity> |
Text/String |
The severity level of the anomaly event. |
|
srcip |
<sip> |
IP Address |
The source IP address of the communication. |
|
srccountry |
N/A |
N/A |
The country associated with the source IP address. |
|
dstip |
<dip> |
IP Address |
The destination IP address of the communication. |
|
srcintf |
<sinterface> |
Text/String |
The source interface. |
|
srcintfrole |
N/A |
N/A |
The role of the source interface. |
|
sessionid |
<session> |
Number |
The ID of the session associated with the log event. |
|
action |
<action> |
Text/String |
The action taken by the system (clearing the session in this case). |
|
proto |
<protnum> |
Number |
The protocol number (ICMP in this case). |
|
service |
<parentprocessname> |
Text/String |
The service or protocol being used. |
|
count |
<quantity> |
Number |
The count of ICMP packets observed. |
|
attack |
<threatname> |
Text/String |
The name of the detected attack. |
|
icmpid |
N/A |
N/A |
The ICMP packet identifier. |
|
icmptype |
N/A |
N/A |
The ICMP packet type. |
|
icmpcode |
N/A |
N/A |
The ICMP packet code. |
|
attackid |
<threatid> |
Number |
The ID of the detected attack. |
|
policyid |
<policy> |
Number |
The ID of the policy associated with the log event. |
|
policytype |
N/A |
N/A |
The type of policy associated with the log event. |
|
ref |
<url> |
Text/String |
Reference link for more information about the attack. |
|
msg |
<subject> |
Text/String |
Additional message or description of the log event. |
|
crscore |
N/A |
N/A |
The risk score associated with the event. |
|
craction |
N/A |
N/A |
The action taken based on the risk score (4096 in this case). |
|
crlevel |
N/A |
N/A |
The risk level associated with the event. |