Vendor Documentation
Classification
| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| V 2.0: UTM: Web-Filter | Base Rule | General Web Filter Message | Information |
| V 2.0: Webfilter Url Filter Block | Sub Rule | Web Activity Blocked | Failed Activity |
| V 2.0: Webfilter Url Filter Exempt | Sub Rule | URL Exempted | Activity |
| V 2.0: Webfilter Url Filter Allow | Sub Rule | General WebFilter URLFilter | Information |
| V 2.0: Webfilter Url Filter Srv Cert Err Blk | Sub Rule | Session Information | Information |
| V 2.0: Webfilter Url Filter Srv Cert Err Pass | Sub Rule | Session Information | Information |
| V 2.0: Webfilter Web Ftgd Warning | Sub Rule | Rating Error | Error |
| V 2.0: Webfilter Web Ftgd Cat Blk | Sub Rule | Blocked Message | Failed Activity |
| V 2.0: Webfilter Web Ftgd Cat Warn | Sub Rule | General Warning | Warning |
| V 2.0: Webfilter Web Ftgd Cat Allow | Sub Rule | URL Information | Information |
| V 2.0: Webfilter Web Url | Sub Rule | URL Information | Information |
| V 2.0: Webfilter Web Scriptfilter ActiveX | Sub Rule | ActiveX Script Removed | Information |
| V 2.0: Web Content Banned Word Found | Sub Rule | Banned Word Notice | Information |
| V 2.0: Web Content MMS Banned Word Found | Sub Rule | Blocked Message Banned Attachment | Failed Activity |
| V 2.0: Web Content Exempt Word Found | Sub Rule | Web Content MMS Exempt Word | Activity |
| V 2.0: Web Content MMS Exempt Word Found | Sub Rule | Web Content MMS Exempt Word | Activity |
| V 2.0: Message Contain A KeyWord In Profile List | Sub Rule | General WEB Information | Information |
| V 2.0: Search Phrase Detected | Sub Rule | Search | Information |
| V 2.0: Web Content MMS Banned Word | Sub Rule | Banned Word Notice | Information |
| V 2.0: Request Contained An Invalid Domain Name | Sub Rule | Invalid Domain Name | Information |
| V 2.0: HTTP Cert Request Contain Invalid Domain | Sub Rule | Invalid Domain Name | Information |
| V 2.0: HTTP Certi Req Contained An Invalid Name | Sub Rule | Invalid Name | Warning |
| V 2.0: HTTP Certi Req Contained An Invalid Name | Sub Rule | Invalid Name | Warning |
| V 2.0: Insufficient Resources | Sub Rule | Insufficient Resources | Critical |
| V 2.0: Getting The Host Name Failed | Sub Rule | Hostname Not Found | Warning |
| V 2.0: Server Certificate Validation Failed | Sub Rule | Certificate Verification Failure | Error |
| V 2.0: SSL Session Blocked | Sub Rule | Session Invalidated | Warning |
| V 2.0: Service Not Active | Sub Rule | FortiGuard Service Not Enabled | Critical |
| V 2.0: Rating Error Occurred | Sub Rule | Rating Error | Error |
| V 2.0: URL Passed | Sub Rule | URL Information | Information |
| V 2.0: URL Blocked By Websense Service | Sub Rule | Web Site Blocked - Category | Failed Activity |
| V 2.0: URL Blocked With Redirect Msg By Websense | Sub Rule | Web Site Blocked - Category | Failed Activity |
| V 2.0: URL Allowed By Websense Service | Sub Rule | URL Information | Information |
| V 2.0: URL Address Exempted | Sub Rule | URL Exempted | Activity |
| V 2.0: Rating Error Occurred | Sub Rule | Rating Error | Error |
| V 2.0: Daily FortiGuard Quota Status | Sub Rule | URL Access Statistics | Information |
| V 2.0: URL Belongs To An Override Rule | Sub Rule | URL Information | Information |
| V 2.0: URL Belongs To An Override Rule | Sub Rule | URL Information | Information |
| V 2.0: FortiGuard Web Filter Category Quota Expir | Sub Rule | URL Access Statistics | Information |
| V 2.0: Cookie Removed | Sub Rule | Cookie Removed | Information |
| V 2.0: Java Applet Removed | Sub Rule | Java Applet Removed | Information |
| V 2.0: Script Entity Removed | Sub Rule | ActiveX Script Removed | Information |
| V 2.0: Cookie Removed Entirely | Sub Rule | Cookie Removed | Information |
| V 2.0: Referrer Removed From Request | Sub Rule | Object Modified | Access Success |
| V 2.0: Command Blocked | Sub Rule | Process Blocked | Failed Activity |
| V 2.0: Blocked By HTTP Header Content Type | Sub Rule | Blocked Message | Failed Activity |
| V 2.0: Depends On Info In Msg Field | Sub Rule | General WEB Information | Information |
| V 2.0: Depends On Info In Msg Field | Sub Rule | General WEB Information | Information |
| V 2.0: FortiGuard WebFilter Cate Quota Count Log | Sub Rule | URL Access Statistics | Information |
| V 2.0: CONTENT_TYPE_EXEMPT | Sub Rule | URL Exempted | Activity |
| V 2.0: ANTIPHISH_MATCH_URL_ALLOW | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| V 2.0: ANTIPHISH_MATCH_FTGD_ALLOW | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| V 2.0: ANTIPHISH_MATCH_DEFAULT_ALLOW | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| V 2.0: ANTIPHISH_MATCH_URL_BLOCK | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| V 2.0: ANTIPHISH_MATCH_FTGD_BLOCK | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| V 2.0: ANTIPHISH_MATCH_DEFAULT_BLOCK | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| V 2.0: VIDEOFILTER_CATEGORY_BLOCK | Sub Rule | Blocked Message | Failed Activity |
| V 2.0: VIDEOFILTER_CATEGORY_MONITOR | Sub Rule | General MONITOR Message | Information |
| V 2.0: VIDEOFILTER_CATEGORY_ALLOW | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| V 2.0: VIDEOFILTER_CHANNEL_BLOCK | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| V 2.0: VIDEOFILTER_CHANNEL_MONITOR | Sub Rule | General MONITOR Message | Information |
| V 2.0: VIDEOFILTER_CHANNEL_ALLOW | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| V 2.0: UNKNOWN_CE_BLOCK | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| V 2.0: UNKNOWN_CE_BYPASS | Sub Rule | Traffic Redirected | Network Traffic |
| V 2.0: VIDEOFILTER_TITLE_BLOCK | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| V 2.0: VIDEOFILTER_TITLE_MONITOR | Sub Rule | General MONITOR Message | Information |
| V 2.0: VIDEOFILTER_TITLE_ALLOW | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| V 2.0: VIDEOFILTER_DESCRIPTION_BLOCK | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| V 2.0: VIDEOFILTER_DESCRIPTION_MONITOR | Sub Rule | General MONITOR Message | Information |
| V 2.0: VIDEOFILTER_DESCRIPTION_ALLOW | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |

Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| `date` | N/A | N/A | The date of the log event. |
| `time` | N/A | N/A | The time of the log event. |
| `logid` | `<vmid>` | Number | A unique identifier for the log event. |
| `type` | `<vendorinfo>` | Text/String | The type of log event. In this case, it is a UTM event. |
| `subtype` | N/A | N/A | The subtype of the log event. In this case, it is a webfilter event. |
| `eventtype` | N/A | N/A | The event type of the log event. In this case, it is an ftgd_blk event. |
| `level` | `<severity>` | Text/String | The severity level of the log event. In this case, it is a warning. |
| `vd` | `<sessiontype>` | Text/String | The vdom in which the log event occurred. |
| `eventtime` | N/A | N/A | The time at which the log event occurred. |
| `policyid` | `<policy>` | Number | The policy ID that was used to block the URL. |
| `sessionid` | `<session>` | Number | The session ID of the web browsing session. |
| `user` | `<login>` | Text/String | The user who logged in. |
| `srcip` | `<sip>` | IP Address | The source IP address of the web browsing session. |
| `srcport` | `<sport>` | Number | The source port of the web browsing session. |
| `srcintf` | `<sinterface>` | Text/String | The source interface of the web browsing session. |
| `srcintfrole` | N/A | N/A | The role of the source interface of the web browsing session. |
| `dstip` | `<dip>` | IP Address | The destination IP address of the web browsing session. |
| `dstport` | `<dport>` | Number | The destination port of the web browsing session. |
| `dstintf` | `<dinterface>` | Text/String | The destination interface of the web browsing session. |
| `dstintfrole` | N/A | N/A | The role of the destination interface of the web browsing session. |
| `proto` | `<protnum>` | Number | The protocol of the web browsing session. |
| `service` | `<parentprocessname>` | Text/String | The service of the web browsing session. |
| `hostname` | `<dname>` | Text/String | The hostname of the blocked URL. |
| `profile` | `<account>` | Text/String | The profile that was used to block the URL. |
| `action` | `<action>` | Text/String | The action that was taken. In this case, it was blocked. |
| `reqtype` | `<objecttype>` | Text/String | The request type. |
| `url` | `<url>` | Text/String | The URL that was blocked. |
| `sentbyte` | `<bytesout>` | Number | The number of bytes sent in the HTTP request. |
| `rcvdbyte` | `<bytesin>` | Number | The number of bytes received in the HTTP response. |
| `direction` | N/A | N/A | The direction of the web browsing session. |
| `msg` | `<subject>` | Text/String | The message associated with the log event. |
| `method` | `<command>` | Text/String | The method used to block the URL. |
| `cat` | N/A | N/A | The category of the blocked URL. |
| `catdesc` | `<threatname>` | Text/String | The description of the category of the blocked URL. |
| `crscore` | `<threatid>` | Number | The risk score of the blocked URL. |
| `craction` | N/A | N/A | The action to be taken if the URL is encountered again. |
| `crlevel` | N/A | N/A | The severity level of the blocked URL. |
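As an added example (not part of the vendor documentation above and not LogRhythm's own parser), the following Python normalizer splits a FortiGate UTM webfilter log line into its device keys and renames each key to the LogRhythm schema field given in the mapping table, converting the fields the table types as Number. It assumes FortiGate's space-separated key=value layout with double-quoted string values; the sample line, its values and the function names are constructed.

```python
import re

# Device key -> LogRhythm schema field, transcribed from the mapping table above.
# Keys the table maps to N/A (date, time, subtype, eventtype, ...) are absent here.
KEY_TO_SCHEMA = {
    "logid": "vmid", "type": "vendorinfo", "level": "severity", "vd": "sessiontype",
    "policyid": "policy", "sessionid": "session", "user": "login",
    "srcip": "sip", "srcport": "sport", "srcintf": "sinterface",
    "dstip": "dip", "dstport": "dport", "dstintf": "dinterface",
    "proto": "protnum", "service": "parentprocessname", "hostname": "dname",
    "profile": "account", "action": "action", "reqtype": "objecttype", "url": "url",
    "sentbyte": "bytesout", "rcvdbyte": "bytesin", "msg": "subject",
    "method": "command", "catdesc": "threatname", "crscore": "threatid",
}
# Schema fields the table types as Number; everything else stays a string.
NUMERIC_FIELDS = {"vmid", "policy", "session", "sport", "dport", "protnum",
                  "bytesout", "bytesin", "threatid"}

# key=value pairs; a value is either double-quoted (may contain spaces) or a bare token.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample line (not taken from the page or from any real device).
SAMPLE_LINE = (
    'date=2024-01-15 time=10:22:31 logid="0316013056" type="utm" subtype="webfilter" '
    'eventtype="ftgd_blk" level="warning" vd="root" eventtime=1705314151 policyid=7 '
    'sessionid=48213 user="alice" srcip=10.0.0.5 srcport=51234 srcintf="port2" '
    'srcintfrole="lan" dstip=203.0.113.10 dstport=443 dstintf="port1" dstintfrole="wan" '
    'proto=6 service="HTTPS" hostname="example.com" profile="default" action="blocked" '
    'reqtype="direct" url="https://example.com/" sentbyte=0 rcvdbyte=0 direction="outgoing" '
    'msg="URL belongs to a denied category in policy" method="domain" cat=26 '
    'catdesc="Malicious Websites" crscore=30 craction=4194304 crlevel="high"'
)

def parse_fortigate_kv(line: str) -> dict:
    """Split a FortiGate key=value log line into a dict keyed by device key."""
    return {key: quoted or bare for key, quoted, bare in _KV_RE.findall(line)}

def to_logrhythm(raw: dict) -> dict:
    """Rename device keys to LogRhythm schema fields; N/A keys keep their device name."""
    record = {}
    for key, value in raw.items():
        field = KEY_TO_SCHEMA.get(key, key)
        # int() drops logid's leading zero; keep the raw dict if the exact string matters.
        record[field] = int(value) if field in NUMERIC_FIELDS else value
    return record

if __name__ == "__main__":
    for field, value in to_logrhythm(parse_fortigate_kv(SAMPLE_LINE)).items():
        print(f"{field}={value!r}")
```

Keys the table leaves unmapped (for example `eventtype` and `crlevel`) are retained under their device names so the sub-rule that fired and the vendor's own risk level are still available for detection logic.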