Vendor Documentation
Classification
|
Rule Name |
Rule Type |
Common Event |
Classification |
|---|---|---|---|
|
V 2.0 : UTM : IPS |
Base Rule |
General IPS Message |
Information |
|
V 2.0 : IPS Signature ICMP |
Sub Rule |
General IPS/IDS Message |
Other Operations |
|
V 2.0 : IPS Signature TCP UDP |
Sub Rule |
General Attack Activity |
Attack |
|
V 2.0 : Attack Detected By Other Signature |
Sub Rule |
General Attack Activity |
Attack |
|
V 2.0 : Attack Detected By A Malicious URL |
Sub Rule |
General Attack Activity |
Attack |
Mapping with LogRhythm Schema
|
Device Key in Log Message |
LogRhythm Schema |
Data Type |
Schema Description |
|---|---|---|---|
|
date |
N/A |
N/A |
The date of the log entry. |
|
time |
N/A |
N/A |
The time of the log entry. |
|
logid |
<vmid> |
Number |
The unique identifier for the log entry. |
|
type |
<vendorinfo> |
Text/String |
The type of log event. |
|
subtype |
N/A |
N/A |
The subtype of the log event (intrusion prevention system). |
|
eventtype |
N/A |
N/A |
The type of IPS event (signature-based in this case). |
|
level |
N/A |
N/A |
The severity level of the log event. |
|
vd |
<sessiontype> |
Text/String |
The virtual domain associated with the log event. |
|
eventtime |
N/A |
N/A |
The timestamp of the event. |
|
severity |
<severity> |
Text/String |
The severity level of the IPS event. |
|
srcip |
<sip> |
IP Address |
The source IP address of the communication. |
|
srccountry |
N/A |
N/A |
The country associated with the source IP address. |
|
dstip |
<dip> |
IP Address |
The destination IP address of the communication. |
|
srcintf |
<sinterface> |
Text/String |
The source interface. |
|
srcintfrole |
N/A |
N/A |
The role of the source interface. |
|
dstintf |
<dinterface> |
Text/String |
The destination interface. |
|
dstintfrole |
N/A |
N/A |
The role of the destination interface. |
|
sessionid |
<session> |
Number |
The ID of the session associated with the log event. |
|
action |
<action> |
Text/String |
The action taken by the system (dropped in this case). |
|
proto |
<protnum> |
Number |
The protocol number (TCP in this case). |
|
service |
<parentprocessname> |
Text/String |
The service or protocol being used. |
|
policyid |
<policy> |
Number |
The ID of the policy associated with the log event. |
|
attack |
<threatname> |
Text/String |
The name of the detected attack. |
|
srcport |
<sport> |
Number |
The source port number. |
|
dstport |
<dport> |
Number |
The destination port number. |
|
hostname |
<sname> |
IP Address |
The hostname of the communication. |
|
url |
N/A |
N/A |
The URL of the communication. |
|
direction |
N/A |
N/A |
The direction of the communication (incoming in this case). |
|
attackid |
<threatid> |
Number |
The ID of the detected attack. |
|
profile |
N/A |
N/A |
The IPS profile associated with the log event. |
|
ref |
<url> |
Text/String |
Reference link for more information about the attack. |
|
incidentserialno |
N/A |
N/A |
The serial number of the incident. |
|
msg |
<subject> |
Text/String |
Additional message or description of the log event. |
|
crscore |
N/A |
N/A |
The risk score associated with the event. |
|
craction |
N/A |
N/A |
The action taken based on the risk score (4096 in this case). |
|
crlevel |
N/A |
N/A |
The risk level associated with the event. |
|
<sessiontype> |
|
|
|
<sessiontype> |
|
|
|
<sessiontype> |
|
|