Syslog Fortinet FortiGate - V 2.0 : UTM : IPS
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
---|---|---|---|
V 2.0 : UTM : IPS | Base Rule | General IPS Message | Information |
V 2.0 : IPS Signature ICMP | Sub Rule | General IPS/IDS Message | Other Operations |
V 2.0 : IPS Signature TCP UDP | Sub Rule | General Attack Activity | Attack |
V 2.0 : Attack Detected By Other Signature | Sub Rule | General Attack Activity | Attack |
V 2.0 : Attack Detected By A Malicious URL | Sub Rule | General Attack Activity | Attack |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
---|---|---|---|
date | N/A | N/A | The date of the log entry. |
time | N/A | N/A | The time of the log entry. |
logid | <vmid> | Number | The unique identifier for the log entry. |
type | <vendorinfo> | Text/String | The type of log event. |
subtype | N/A | N/A | The subtype of the log event (intrusion prevention system). |
eventtype | N/A | N/A | The type of IPS event (signature-based in this case). |
level | N/A | N/A | The severity level of the log event. |
vd | <sessiontype> | Text/String | The virtual domain associated with the log event. |
eventtime | N/A | N/A | The timestamp of the event. |
severity | <severity> | Text/String | The severity level of the IPS event. |
srcip | <sip> | IP Address | The source IP address of the communication. |
srccountry | N/A | N/A | The country associated with the source IP address. |
dstip | <dip> | IP Address | The destination IP address of the communication. |
srcintf | <sinterface> | Text/String | The source interface. |
srcintfrole | N/A | N/A | The role of the source interface. |
dstintf | <dinterface> | Text/String | The destination interface. |
dstintfrole | N/A | N/A | The role of the destination interface. |
sessionid | <session> | Number | The ID of the session associated with the log event. |
action | <action> | Text/String | The action taken by the system (dropped in this case). |
proto | <protnum> | Number | The protocol number (TCP in this case). |
service | <parentprocessname> | Text/String | The service or protocol being used. |
policyid | <policy> | Number | The ID of the policy associated with the log event. |
attack | <threatname> | Text/String | The name of the detected attack. |
srcport | <sport> | Number | The source port number. |
dstport | <dport> | Number | The destination port number. |
hostname | <sname> | IP Address | The hostname of the communication. |
url | N/A | N/A | The URL of the communication. |
direction | N/A | N/A | The direction of the communication (incoming in this case). |
attackid | <threatid> | Number | The ID of the detected attack. |
profile | N/A | N/A | The IPS profile associated with the log event. |
ref | <url> | Text/String | Reference link for more information about the attack. |
incidentserialno | N/A | N/A | The serial number of the incident. |
msg | <subject> | Text/String | Additional message or description of the log event. |
crscore | N/A | N/A | The risk score associated with the event. |
craction | N/A | N/A | The action taken based on the risk score (4096 in this case). |
crlevel | N/A | N/A | The risk level associated with the event. |
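The following parser is an added example, not code from LogRhythm or Fortinet. It splits a FortiGate IPS syslog body into its key=value pairs (quoted values may contain spaces), renames each device key to the LogRhythm schema field from the table above, and keeps every key the table marks N/A in a separate "unmapped" dictionary so nothing is silently discarded. The sample log line is constructed for this example; its logid, attackid, reference URL and addresses are placeholders, not real signature identifiers. Casting the fields typed as Number to int is an assumption made here for convenience.

```python
import re
from typing import Dict, Tuple

# Device key -> LogRhythm schema field, as listed in the mapping table above.
# Keys the table marks N/A are deliberately absent; they land in "unmapped".
FORTIGATE_IPS_TO_LOGRHYTHM = {
    "logid": "vmid",
    "type": "vendorinfo",
    "vd": "sessiontype",
    "severity": "severity",
    "srcip": "sip",
    "dstip": "dip",
    "srcintf": "sinterface",
    "dstintf": "dinterface",
    "sessionid": "session",
    "action": "action",
    "proto": "protnum",
    "service": "parentprocessname",
    "policyid": "policy",
    "attack": "threatname",
    "srcport": "sport",
    "dstport": "dport",
    "hostname": "sname",
    "attackid": "threatid",
    "ref": "url",
    "msg": "subject",
}

# Schema fields the table types as Number (assumption: cast to int so that
# port/protocol comparisons downstream are numeric, not string-based).
NUMERIC_FIELDS = {"vmid", "session", "protnum", "policy", "sport", "dport", "threatid"}

# FortiGate bodies are space-separated key=value pairs; values with spaces are
# double-quoted, so accept either a quoted run or a bare non-space token.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample IPS event (placeholder identifiers and documentation IPs).
SAMPLE_LOG = (
    'date=2024-01-01 time=12:00:00 logid="0000000001" type="utm" subtype="ips" '
    'eventtype="signature" level="alert" vd="root" eventtime=1704110400 '
    'severity="high" srcip=203.0.113.10 srccountry="Reserved" dstip=192.0.2.25 '
    'srcintf="port1" srcintfrole="wan" dstintf="port2" dstintfrole="lan" '
    'sessionid=123456 action="dropped" proto=6 service="HTTP" policyid=7 '
    'attack="Example.Signature.Name" srcport=44321 dstport=80 hostname="192.0.2.25" '
    'url="/index.html" direction="incoming" attackid=99999 profile="default" '
    'ref="https://example.com/ids/VID99999" incidentserialno=1 '
    'msg="constructed sample IPS message" crscore=30 craction=4096 crlevel="high"'
)


def parse_fortigate_kv(line: str) -> Dict[str, str]:
    """Return the raw device key -> value pairs found in one syslog body."""
    return {
        m.group(1): (m.group(2) if m.group(2) is not None else m.group(3))
        for m in _KV_RE.finditer(line)
    }


def map_to_logrhythm(line: str) -> Tuple[Dict[str, object], Dict[str, str]]:
    """Rename device keys to LogRhythm schema fields; keep N/A keys separately."""
    mapped: Dict[str, object] = {}
    unmapped: Dict[str, str] = {}
    for key, value in parse_fortigate_kv(line).items():
        schema = FORTIGATE_IPS_TO_LOGRHYTHM.get(key)
        if schema is None:
            unmapped[key] = value
            continue
        if schema in NUMERIC_FIELDS:
            try:
                mapped[schema] = int(value)
            except ValueError:
                # Keep malformed numeric content as text rather than dropping the event.
                mapped[schema] = value
        else:
            mapped[schema] = value
    return mapped, unmapped


if __name__ == "__main__":
    fields, leftovers = map_to_logrhythm(SAMPLE_LOG)
    for name in sorted(fields):
        print(f"{name:18} = {fields[name]!r}")
    print("unmapped device keys:", ", ".join(sorted(leftovers)))
```

Running the block prints each populated schema field followed by the device keys (date, time, subtype, direction, craction, and so on) that the table does not map, which is a quick way to confirm that a new FortiGate firmware release has not introduced keys the mapping does not know about.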