Vendor Documentation
Classification
| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| V 2.0: UTM: App-Ctrl | Base Rule | General Application Control Message | Information |
| V 2.0: UTM App Ctrl IPS Pass | Sub Rule | Traffic Allowed by IDS/IPS | Network Allow |
| V 2.0: UTM App Ctrl IPS Block | Sub Rule | Traffic Denied by IDS/IPS | Network Deny |
| V 2.0: UTM App Ctrl IPS Reset | Sub Rule | General IPS Message | Information |
| V 2.0: Logid_App_Ctrl_Im_Basic | Sub Rule | Application Control IM Message | Information |
| V 2.0: Logid_App_Ctrl_Im_Basic_With_Status | Sub Rule | Application Control IM Message | Information |
| V 2.0: Logid_App_Ctrl_Im_Basic_With_Count | Sub Rule | Application Control IM Message | Information |
| V 2.0: Logid_App_Ctrl_Im_File | Sub Rule | Application Control IM Message | Information |
| V 2.0: Logid_App_Ctrl_Im_Chat | Sub Rule | Application Control IM Message | Information |
| V 2.0: Logid_App_Ctrl_Im_Chat_Block | Sub Rule | Application Control IM Message | Information |
| V 2.0: Logid_App_Ctrl_Im_Block | Sub Rule | Application Control IM Message | Information |
| V 2.0: Logid_App_Ctrl_Ssh_Pass | Sub Rule | SSH Session Opened | Network Traffic |
| V 2.0: Logid_App_Ctrl_Ssh_Block | Sub Rule | Denied SSH Session | Warning |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| date | N/A | N/A | The date of the log entry. |
| time | N/A | N/A | The time of the log entry. |
| logid | <vmid> | Number | The unique identifier for the log entry. |
| type | <vendorinfo> | Text/String | The type of log event. |
| subtype | N/A | N/A | The subtype of the log event. |
| eventtype | N/A | N/A | The type of application control event (all applications in this case). |
| level | <severity> | Text/String | The severity level of the log event. |
| vd | <sessiontype> | Text/String | The virtual domain associated with the log event. |
| eventtime | N/A | N/A | The timestamp of the event. |
| appid | <object> | Number | The application ID. |
| user | <login> | Text/String | N/A |
| srcip | <sip> | IP Address | The source IP address of the communication. |
| dstip | <dip> | IP Address | The destination IP address of the communication. |
| srcport | <sport> | Number | The source port number. |
| dstport | <dport> | Number | The destination port number. |
| srcintf | <sinterface> | Text/String | The source interface. |
| srcintfrole | N/A | N/A | The role of the source interface. |
| dstintf | <dinterface> | Text/String | The destination interface. |
| dstintfrole | N/A | N/A | The role of the destination interface. |
| proto | <protnum> | Number | The protocol number (TCP in this case). |
| service | <parentprocessname> | Text/String | The service or protocol being used. |
| direction | N/A | N/A | The direction of the communication (outgoing in this case). |
| policyid | <policy> | Number | The ID of the policy associated with the log event. |
| sessionid | <session> | Number | The ID of the session associated with the log event. |
| applist | N/A | N/A | The application list. |
| appcat | <objecttype> | Text/String | The category of the application. |
| app | <objectname> | Text/String | The name of the application. |
| action | <action> | Text/String | The action taken by the system (pass in this case). |
| hostname | <dname> | Text/String | The hostname of the communication. |
| incidentserialno | <serialnumber> | Number | The serial number of the incident. |
| url | <url> | Text/String | The URL of the communication. |
| msg | <subject> | Text/String | Additional message or description of the log event. |
| apprisk | N/A | N/A | The risk level associated with the application. |
| scertcname | N/A | N/A | The common name of the server certificate. |
| scertissuer | N/A | N/A | The issuer of the server certificate. |
| forwardedfor | <snatip> | IP Address | N/A |