Vendor Documentation
Classification
| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| V 2.0 DNS Log Events | Base Rule | General DNS Information | Information |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| datetime | N/A | N/A | Time and date of the transaction. This excludes the time zone. |
| user | <login>, <domainorigin> | Text/String | User's login name in email address format. |
| dept | N/A | N/A | Department of the user. |
| location | N/A | N/A | Gateway location or sublocation of the source. |
| reqaction | <action> | Text/String | Name of the action that was applied to the DNS request. |
| resaction | N/A | N/A | Name of the action that was applied to the DNS response. |
| reqrulelabel | <policy> | Text/String | Name of the rule that was applied to the DNS request. |
| resrulelabel | N/A | N/A | Name of the rule that was applied to the DNS response. |
| dns_reqtype | N/A | N/A | N/A |
| dns_req | <url> | Text/String | N/A |
| dns_resp | N/A | N/A | N/A |
| srv_dport | <dport> | Number | N/A |
| durationms | <milliseconds> | Number | Duration of the DNS request in milliseconds. |
| clt_sip | <sip> | IP Address | Server IP address of the request. |
| srv_dip | <dip> | IP Address | The IP address of the user. This can be the internal IP address if it is visible; for example, traffic sent through a GRE tunnel or an internal IP address indicated using XFF. Otherwise, it is the client Internet (NATted public) IP address. |
| category | <subject> | Text/String | URL category of the FQDN in the DNS request. |
| deviceowner | N/A | N/A | Device owner. |
| devicehostname | <dname> | Text/String | Device host name. |