Vendor Documentation

Classification

| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| Tenable.ot Events | Base Rule | General Information | Information |
| Event Severity None | Sub Rule | General Information | Information |
| Event Severity Low | Sub Rule | General Information | Information |
| Event Severity Medium | Sub Rule | General Warning | Warning |
| Event Severity High | Sub Rule | General Critical | Critical |
Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| N/A | N/A | N/A | Timestamp: |
| N/A | N/A | N/A | Source IP: |
| CEF:Version | N/A | N/A | The mandatory prefix 'CEF:' followed by the CEF version number. |
| N/A | <vendorinfo> | Text/String | Device Vendor |
| N/A | N/A | N/A | Device Product |
| N/A | <version> | Text/String/Number | Device Version |
| N/A | <vmid> | Number | Device Event Class ID: |
| N/A | <subject> | Text/String | Name: |
| N/A | <severity> | Number | Severity: |
| cat | <objecttype> | Text/String | Shows the general category of the Event. |
| duser | <account> | Text/String | The name of the destination asset which received the activity. This value can be any name by which Tenable.ot identifies the asset, such as a user-defined name, the DNS name, the IP address etc. |
| dvchost | <object> | Text/String | The device that sent the log entry. For Tenable.ot logs the value is 'Indegy'. |
| dst | <dip> | IP Address | The IP address of the destination asset which received the activity. The format is an IPv4 address. |
| dpt | <dport> | Number | The port on the destination asset which received the activity. Valid port numbers are between 0 and 65535. |
| externalId | N/A | N/A | The Log ID used by Tenable.ot to refer to the Event. |
| in | <bytesin> | Number | The volume of data transferred from the source asset to the destination asset during the Event (in bytes). |
| outcome | <result> | Text/String | Displays the outcome of the Event. For example, "success" or "failure". |
| proto | <protname> | Text/String | Identifies the Layer-4 protocol used for the activity. The possible values are protocols such as TCP or UDP. |
| rt | N/A | N/A | The date and time at which the Event was registered in Tenable.ot. The format is MMM dd yyyy HH:mm:ss. |
| smac | <smac> | Text/String | The MAC address of the source asset that initiated the activity. |
| dmac | <dmac> | Text/String | The MAC address of the destination asset that received the activity. |
| spt | <sport> | Number | The port involved in the Event. Used in Open Port Events to show the open port that was discovered. Valid port numbers are 0 to 65535. |
| src | <sip> | IP Address | The IP address of the source asset which initiated the activity. The format is an IPv4 address. |
| suser | <login> | Text/String | The name of the source asset which initiated the activity. This value can be any name by which Tenable.ot identifies the asset, such as a user-defined name, the DNS name, the IP address etc. |
| msg | <action> | Text/String | A message with additional details about the Event. Used for anomaly detection Events. |
| cn1 | N/A | N/A | Tenable.ot uses this field for 'Snapshot Diff detected' Events, to show which revision number didn't match the previous revision. |
| cn1Label | N/A | N/A | For Tenable.ot, cn1Label="revision". |
| cn2 | N/A | N/A | Tenable.ot uses this field for 'Firmware Version Change detected' Events, to show which backplane slot the firmware change occurred on. Format: "cn2=%d" |
| cn2Label | N/A | N/A | For Tenable.ot, cn2Label="bpslot". |
| cn3 | <cve> | Text/String | Tenable.ot uses this field for "Intrusion Detection" Events to show the ID of the Vulnerability (in the CVE listing) that was detected. |
| cn3Label | N/A | N/A | For Tenable.ot, cn3Label="rule_sid". |
| cs1 | <status> | Text/String | Tenable.ot uses this field for 'Controller State Change detected' and 'Controller Key State Change detected' Events, to show the old and new states of the controller. Format: "cs1=%s->%s" (old status->new status, e.g. "running->stopped") |
| cs1Label | N/A | N/A | For Tenable.ot, cs1Label="value_change". |
| cs2 | N/A | N/A | Tenable.ot uses this field for 'Tag Write Values detected' Events, to show the tags that were written to and the values that were written. Format: "cs2=%s:%s" (tag name:tag value) |
| cs2Label | N/A | N/A | For Tenable.ot, cs2Label="tag". |
| cs3 | N/A | N/A | Tenable.ot uses this field for 'New Module detected' Events, to show the name of the Backplane to which the module was added. Format: "cs3=%s" |
| cs3Label | N/A | N/A | For Tenable.ot, cs3Label="Bpname". |
| cs4 | N/A | N/A | Tenable.ot uses this field for 'IP Conflict detected' and 'ARP Scan detected' Events, to show the IP addresses involved. Format: "cs4=%s" |
| cs4Label | N/A | N/A | For Tenable.ot, cs4Label="addresses". |
| cs5 | N/A | N/A | Tenable.ot uses this field for 'SYN Scan detected' Events, to show the involved ports. Format: "cs5=%s" |
| cs5Label | N/A | N/A | For Tenable.ot, cs5Label="ports". |
| cs6 | <policy> | Text/String | Tenable.ot uses this field to show the name of the Policy that generated the Event. Format: "cs6=%s" |
| cs6Label | N/A | N/A | For Tenable.ot, cs6Label="policy_name". |
| deviceCustomDate1 | N/A | N/A | Tenable.ot uses this field for 'inactive asset' Events, to show the date and time that the asset was last active. Format: "last deviceCustomDate1=%s" |
| deviceCustomDate1Label | N/A | N/A | For Tenable.ot, deviceCustomDate1Label="last". |
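The following is an added example, not LogRhythm's or Tenable's own parser: it splits a Tenable.ot CEF line into header and extension fields, renames the extension keys to the LogRhythm schema names from the mapping table above, unpacks the cs1 "old->new" state change, and applies the sub-rule classification from the Classification table. It assumes the CEF severity header carries the label None/Low/Medium/High; the sample record and its header values are constructed placeholders.

```python
import re
# CEF device key -> LogRhythm schema field, taken from the mapping table on
# this page; keys the table marks N/A stay under their CEF name.
CEF_TO_LOGRHYTHM = {
    "cat": "objecttype", "duser": "account", "dvchost": "object",
    "dst": "dip", "dpt": "dport", "in": "bytesin", "outcome": "result",
    "proto": "protname", "smac": "smac", "dmac": "dmac", "spt": "sport",
    "src": "sip", "suser": "login", "msg": "action", "cn3": "cve",
    "cs1": "status", "cs6": "policy",
}
# Sub-rule -> (Common Event, Classification) from the Classification table.
SEVERITY_CLASS = {
    "None": ("General Information", "Information"),
    "Low": ("General Information", "Information"),
    "Medium": ("General Warning", "Warning"),
    "High": ("General Critical", "Critical"),
}
# The seven CEF header fields; text after the seventh pipe is the extension.
HEADER = ("cef_version", "vendorinfo", "product", "version", "vmid", "subject", "severity")
# Extension 'key=value' pairs: a value runs to the next " key=" or end of line.
_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

def parse_cef(line: str) -> dict:
    """Parse one CEF line into a dict keyed by LogRhythm schema names."""
    parts = re.split(r"(?<!\\)\|", line.rstrip("\r\n"), maxsplit=7)
    if len(parts) < 7 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    rec = {name: parts[i].replace("\\|", "|") for i, name in enumerate(HEADER)}
    rec["cef_version"] = rec["cef_version"][len("CEF:"):]
    extension = parts[7].strip() if len(parts) == 8 else ""
    for key, value in _EXT_RE.findall(extension):
        rec[CEF_TO_LOGRHYTHM.get(key, key)] = value.replace("\\=", "=")
    return rec

def state_change(rec: dict):
    """Split the cs1 'old->new' value (cs1Label=value_change) into a pair."""
    old, sep, new = rec.get("status", "").partition("->")
    return (old, new) if sep else None

def classify(rec: dict):
    """Sub-rule lookup on the severity header (assumed to carry None/Low/
    Medium/High); None when the label is outside the page's table."""
    return SEVERITY_CLASS.get(rec["severity"])

# Constructed sample (not a real Tenable.ot record); header values are placeholders.
SAMPLE = ("CEF:0|Tenable|Tenable.ot|0.0|1001|Controller State Change detected|Medium|"
          "cat=Anomaly dvchost=Indegy src=10.0.0.5 dst=10.0.0.20 dpt=44818 proto=TCP "
          "suser=eng-ws-01 duser=PLC\\=01 cs1=running->stopped cs1Label=value_change "
          "cs6=Controller Monitoring msg=State changed on slot 2 rt=Jan 05 2024 10:15:30")
```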