Vendor Documentation
Classification

| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| V 2.0 Firewall Log Events | Base Rule | General Firewall Log | Network Traffic |
Mapping with LogRhythm Schema

Keys whose LogRhythm Schema column reads N/A are present in the log message but are not parsed into a schema field.

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| datetime | N/A | N/A | Time and date of the transaction. This excludes the time zone. |
| user | <login> | Text/String | User's login name in email address format. |
| department | N/A | N/A | Department of the user. |
| locationname | N/A | N/A | Location name. |
| cdport | <dport> | Number | Client destination port. For aggregated sessions, this is the client destination port of the last session in the aggregate. |
| csport | <sport> | Number | Client source port. For aggregated sessions, this is the client source port of the last session in the aggregate. |
| sdport | N/A | N/A | Server destination port. For aggregated sessions, this is the server destination port of the last session in the aggregate. |
| ssport | N/A | N/A | Server source port. For aggregated sessions, this is the server source port of the last session in the aggregate. |
| csip | <sip> | IP Address | Client source IP address. For aggregated sessions, this is the client source IP address of the last session in the aggregate. |
| cdip | <dip> | IP Address | Client destination IP address. For aggregated sessions, this is the client destination IP address of the last session in the aggregate. |
| ssip | N/A | N/A | Server source IP address. For aggregated sessions, this is the server source IP address of the last session in the aggregate. |
| sdip | N/A | N/A | Server destination IP address. |
| tsip | N/A | N/A | Tunnel IP address of the client (source). For aggregated sessions, this is the client's tunnel IP address corresponding to the last session in the aggregate. |
| tunsport | N/A | N/A | N/A |
| tuntype | N/A | N/A | N/A |
| action | <action> | Text/String | Action that the service took on the transaction: Allowed or Blocked. |
| dnat | N/A | N/A | Indicates whether the destination NAT policy was applied. |
| stateful | N/A | N/A | N/A |
| aggregate | N/A | N/A | N/A |
| nwsvc | <object> | Text/String | The network service that was used. |
| nwapp | N/A | N/A | The network application that was accessed. |
| proto | <protname> | Text/String | Protocol in use. |
| ipcat | <subject> | Text/String | URL category that corresponds to the server IP address. |
| destcountry | N/A | N/A | Abbreviated code of the country of the destination IP address. |
| avgduration | N/A | N/A | Average session duration, in milliseconds, if the sessions were aggregated. |
| rulelabel | N/A | N/A | Name of the rule that was applied to the transaction. |
| inbytes | <bytesin> | Number | Number of bytes sent from the server to the client. |
| outbytes | <bytesout> | Number | Number of bytes sent from the client to the server. |
| duration | N/A | N/A | Session or request duration in seconds. |
| durationms | <milliseconds> | Number | Session or request duration in milliseconds. |
| numsessions | <quantity> | Number | Number of sessions that were aggregated. |
| ipsrulelabel | <policy> | Text/String | Name of the IPS policy that was applied to the firewall session. |
| threatcat | N/A | N/A | Category of the threat detected in the firewall session by the IPS engine. |
| threatname | <threatname> | Text/String | Name of the threat detected in the firewall session by the IPS engine. |
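The following is an added example of the mapping above applied in code; it is not LogRhythm's parser or the vendor's code. The mapping table is transcribed from this page, while the comma-separated key=value line format, the sample log line, and the helper names (`parse_kv`, `coerce`, `map_event`, `is_blocked_threat`) are assumptions made for illustration. It enforces the table's data types (so a malformed IP or port is rejected rather than stored), keeps N/A keys and unknown keys visible instead of dropping them silently, and flags the aggregation caveat: when `<quantity>` is greater than one, the port and IP fields describe only the last session in the aggregate.

```python
"""Map firewall log key=value pairs onto the LogRhythm schema fields from the table.

Added example, not LogRhythm's own parser. The mapping is transcribed from the
page; the line format and the sample record are constructed assumptions.
"""
import ipaddress
from typing import Any, Dict, List, Optional, Tuple

# Device key -> (LogRhythm schema field, data type).
# None means the page lists the key as N/A, i.e. not parsed into a schema field.
MAPPING: Dict[str, Optional[Tuple[str, str]]] = {
    "datetime": None, "user": ("login", "Text/String"),
    "department": None, "locationname": None,
    "cdport": ("dport", "Number"), "csport": ("sport", "Number"),
    "sdport": None, "ssport": None,
    "csip": ("sip", "IP Address"), "cdip": ("dip", "IP Address"),
    "ssip": None, "sdip": None, "tsip": None, "tunsport": None, "tuntype": None,
    "action": ("action", "Text/String"),
    "dnat": None, "stateful": None, "aggregate": None,
    "nwsvc": ("object", "Text/String"), "nwapp": None,
    "proto": ("protname", "Text/String"), "ipcat": ("subject", "Text/String"),
    "destcountry": None, "avgduration": None, "rulelabel": None,
    "inbytes": ("bytesin", "Number"), "outbytes": ("bytesout", "Number"),
    "duration": None, "durationms": ("milliseconds", "Number"),
    "numsessions": ("quantity", "Number"),
    "ipsrulelabel": ("policy", "Text/String"), "threatcat": None,
    "threatname": ("threatname", "Text/String"),
}

# Per the table, these schema fields hold the value of the *last* session
# whenever several sessions were aggregated into one record.
LAST_SESSION_FIELDS = ("dport", "sport", "sip", "dip")


def parse_kv(line: str) -> Dict[str, str]:
    """Split 'k1=v1,k2=v2,...' into a dict (assumes values contain no commas)."""
    pairs: Dict[str, str] = {}
    for item in line.strip().split(","):
        if "=" not in item:
            raise ValueError(f"malformed pair: {item!r}")
        key, _, value = item.partition("=")
        pairs[key.strip()] = value.strip()
    return pairs


def coerce(value: str, data_type: str) -> Any:
    """Enforce the table's data type; reject values that do not fit."""
    if data_type == "Number":
        return int(value)                      # ValueError on non-numeric input
    if data_type == "IP Address":
        return str(ipaddress.ip_address(value))  # ValueError on non-IP input
    return value                               # Text/String passes through


def map_event(line: str) -> Dict[str, Any]:
    """Return schema fields, unmapped (N/A) keys, unknown keys and aggregation flags."""
    event: Dict[str, Any] = {"fields": {}, "unmapped": {}, "unknown_keys": []}
    for key, value in parse_kv(line).items():
        if key not in MAPPING:
            event["unknown_keys"].append(key)   # new vendor key: surface, don't drop
            continue
        spec = MAPPING[key]
        if spec is None:
            event["unmapped"][key] = value      # present in the log, not in the schema
            continue
        field, data_type = spec
        event["fields"][field] = coerce(value, data_type)
    # Aggregation caveat from the table: with quantity > 1 the port/IP fields
    # describe only the last session, not every session in the aggregate.
    aggregated = event["fields"].get("quantity", 1) > 1
    event["aggregated"] = aggregated
    event["last_session_only"] = (
        [f for f in LAST_SESSION_FIELDS if f in event["fields"]] if aggregated else []
    )
    return event


def is_blocked_threat(event: Dict[str, Any]) -> bool:
    """Triage predicate: the service blocked the transaction and IPS named a threat."""
    f = event["fields"]
    return f.get("action") == "Blocked" and bool(f.get("threatname"))


# Constructed sample record; not a captured log line.
SAMPLE_LINE = (
    "datetime=2024-03-04 10:15:22,user=alice@example.com,department=Engineering,"
    "locationname=HQ,cdport=443,csport=51234,sdport=443,ssport=40122,"
    "csip=10.1.2.3,cdip=203.0.113.10,ssip=198.51.100.7,sdip=203.0.113.10,"
    "tsip=10.1.2.3,tunsport=0,tuntype=None,action=Blocked,dnat=No,stateful=Yes,"
    "aggregate=Yes,nwsvc=HTTPS,nwapp=Web Browsing,proto=TCP,ipcat=Malicious Sites,"
    "destcountry=US,avgduration=1200,rulelabel=Block Malware,inbytes=0,outbytes=512,"
    "duration=4,durationms=3600,numsessions=3,ipsrulelabel=Default IPS,"
    "threatcat=Malware,threatname=Trojan.Generic"
)

if __name__ == "__main__":
    ev = map_event(SAMPLE_LINE)
    print("schema fields:", ev["fields"])
    print("unmapped keys:", sorted(ev["unmapped"]))
    print("aggregated:", ev["aggregated"], "last-session-only:", ev["last_session_only"])
    print("blocked threat:", is_blocked_threat(ev))
```

The `unmapped` dictionary is worth retaining in whatever you forward to the SIEM: `threatcat`, `rulelabel` and the server-side addresses and ports are exactly the fields an analyst asks for when a blocked-threat event fires, and the table shows they do not land in a schema field on their own.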