Syslog - Tenable.ot Security: Tenable.ot Events
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
---|---|---|---|
Tenable.ot Events | Base Rule | General Information | Information |
Event Severity None | Sub Rule | General Information | Information |
Event Severity Low | Sub Rule | General Information | Information |
Event Severity Medium | Sub Rule | General Warning | Warning |
Event Severity High | Sub Rule | General Critical | Critical |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
---|---|---|---|
N/A | N/A | N/A | Timestamp (syslog header; not mapped). |
N/A | N/A | N/A | Source IP (syslog header; not mapped). |
CEF:Version | N/A | N/A | The mandatory prefix 'CEF:' followed by the CEF version number. |
N/A | <vendorinfo> | Text/String | Device Vendor (positional CEF header field). |
N/A | N/A | N/A | Device Product (positional CEF header field; not mapped). |
N/A | <version> | Text/String/Number | Device Version (positional CEF header field). |
N/A | <vmid> | Number | Device Event Class ID (positional CEF header field). |
N/A | <subject> | Text/String | Name (positional CEF header field; the Event name). |
N/A | <severity> | Number | Severity (positional CEF header field; selects the Event Severity sub-rule in the Classification table above). |
cat | <objecttype> | Text/String | Shows the general category of the Event. |
duser | <account> | Text/String | The name of the destination asset which received the activity. This value can be any name by which Tenable.ot identifies the asset, such as a user-defined name, the DNS name, the IP address etc. |
dvchost | <object> | Text/String | The device that sent the log entry. For Tenable.ot logs the value is 'Indegy'. |
dst | <dip> | IP Address | The IP address of the destination asset which received the activity. The format is an IPv4 address. |
dpt | <dport> | Number | The port on the destination asset which received the activity. Valid port numbers are between 0 and 65535. |
externalId | N/A | N/A | The Log ID used by Tenable.ot to refer to the Event. |
in | <bytesin> | Number | The volume of data transferred from the source asset to the destination asset during the Event (in bytes). |
outcome | <result> | Text/String | Displays the outcome of the Event. For example, "success" or "failure". |
proto | <protname> | Text/String | Identifies the Layer-4 protocol used for the activity. The possible values are protocols such as TCP or UDP. |
rt | N/A | N/A | The date and time at which the Event was registered in Tenable.ot. The format is MMM dd yyyy HH:mm:ss. |
smac | <smac> | Text/String | The MAC address of the source asset that initiated the activity. |
dmac | <dmac> | Text/String | The MAC address of the destination asset that received the activity. |
spt | <sport> | Number | The port involved in the Event. Used in Open Port Events to show the open port that was discovered. Valid port numbers are 0 to 65535. |
src | <sip> | IP Address | The IP address of the source asset which initiated the activity. The format is an IPv4 address. |
suser | <login> | Text/String | The name of the source asset which initiated the activity. This value can be any name by which Tenable.ot identifies the asset, such as a user-defined name, the DNS name, the IP address etc. |
msg | <action> | Text/String | A message with additional details about the Event. Used for anomaly detection Events. |
cn1 | N/A | N/A | Tenable.ot uses this field for 'Snapshot Diff detected' Events, to show which revision number didn't match the previous revision. |
cn1Label | N/A | N/A | For Tenable.ot, cn1Label="revision". |
cn2 | N/A | N/A | Tenable.ot uses this field for 'Firmware Version Change detected' Events, to show which backplane slot the firmware change occurred on. Format: "cn2=%d" |
cn2Label | N/A | N/A | For Tenable.ot, cn2Label="bpslot". |
cn3 | <cve> | Text/String | Tenable.ot uses this field for "Intrusion Detection" Events to show the ID of the Vulnerability (in the CVE listing) that was detected. Because cn3 is a CEF custom number field and its label is "rule_sid", expect the numeric IDS rule SID here rather than a "CVE-YYYY-NNNN" string. |
cn3Label | N/A | N/A | For Tenable.ot, cn3Label="rule_sid". |
cs1 | <status> | Text/String | Tenable.ot uses this field for 'Controller State Change detected' and 'Controller Key State Change detected' Events, to show the old and new states of the controller. Format: "cs1=%s->%s" (old status->new status, e.g. "running->stopped") |
cs1Label | N/A | N/A | For Tenable.ot, cs1Label="value_change". |
cs2 | N/A | N/A | Tenable.ot uses this field for 'Tag Write Values detected' Events, to show the tags that were written to and the values that were written. Format: "cs2=%s:%s" (tag name:tag value) |
cs2Label | N/A | N/A | For Tenable.ot, cs2Label="tag". |
cs3 | N/A | N/A | Tenable.ot uses this field for 'New Module detected' Events, to show the name of the Backplane to which the module was added. Format: "cs3=%s" |
cs3Label | N/A | N/A | For Tenable.ot, cs3Label="Bpname". |
cs4 | N/A | N/A | Tenable.ot uses this field for 'IP Conflict detected' and 'ARP Scan detected' Events, to show the IP addresses involved. Format: "cs4=%s" |
cs4Label | N/A | N/A | For Tenable.ot, cs4Label="addresses". |
cs5 | N/A | N/A | Tenable.ot uses this field for 'SYN Scan detected' Events, to show the involved ports. Format: "cs5=%s" |
cs5Label | N/A | N/A | For Tenable.ot, cs5Label="ports". |
cs6 | <policy> | Text/String | Tenable.ot uses this field to show the name of the Policy that generated the Event. Format: "cs6=%s" |
cs6Label | N/A | N/A | For Tenable.ot, cs6Label="policy_name". |
deviceCustomDate1 | N/A | N/A | Tenable.ot uses this field for 'Inactive Asset' Events, to show the date and time that the asset was last active. Format: "deviceCustomDate1=%s" |
deviceCustomDate1Label | N/A | N/A | For Tenable.ot, deviceCustomDate1Label="last". |
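The two tables above describe the parsing a collector must do: split the seven positional CEF header fields, split the extension into key=value pairs (honouring CEF escaping of '=', '\' and '|'), rename keys to the LogRhythm schema fields, resolve the csN/cnN custom fields through their csNLabel/cnNLabel companions, and pick the classification from the header severity. The following is an added worked example of that pipeline; it is not LogRhythm's or Tenable's code. The key-to-schema map and the severity-to-classification rules are taken from the tables above; the sample events, the vendor/product/version strings, the event class IDs and the port-range check are constructed for illustration, and the severity header is assumed to carry the words None/Low/Medium/High as the sub-rule names suggest.

```python
"""Parse Tenable.ot CEF syslog events and map them to LogRhythm schema fields.

Added example (not vendor code). Mapping and classification rules follow the
tables on this page; sample events and header values are constructed.
"""
import json
import re

# Severity word in the CEF header -> classification (Classification table above).
SEVERITY_CLASS = {
    "None": "Information",
    "Low": "Information",
    "Medium": "Warning",
    "High": "Critical",
}

# CEF extension key -> LogRhythm schema field (mapping table above).
# Keys the table lists as N/A stay in the raw extension dict only.
SCHEMA_MAP = {
    "cat": "objecttype", "duser": "account", "dvchost": "object",
    "dst": "dip", "dpt": "dport", "in": "bytesin", "outcome": "result",
    "proto": "protname", "smac": "smac", "dmac": "dmac", "spt": "sport",
    "src": "sip", "suser": "login", "msg": "action", "cn3": "cve",
    "cs1": "status", "cs6": "policy",
}
PORT_FIELDS = {"dport", "sport"}            # valid range 0..65535 per the table
NUMERIC_FIELDS = PORT_FIELDS | {"bytesin"}

# The seven pipe-delimited CEF header positions, named by their schema field.
HEADER_FIELDS = ("cef_version", "vendorinfo", "product", "version",
                 "vmid", "subject", "severity")

_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")   # start of a key=value pair
_EXT_ESCAPES = {"=": "=", "\\": "\\", "n": "\n", "r": "\r"}


def _unescape_ext(value):
    """Undo CEF extension escaping (backslash before '=', backslash, n, r)."""
    return re.sub(r"\\([=\\nr])", lambda m: _EXT_ESCAPES[m.group(1)], value)


def parse_cef(line):
    """Split one CEF record into (header dict, extension dict)."""
    parts = re.split(r"(?<!\\)\|", line.rstrip("\r\n"), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record: %r" % line[:40])
    header = {}
    for name, raw in zip(HEADER_FIELDS, parts[:7]):
        header[name] = raw.replace("\\|", "|").replace("\\\\", "\\")  # header escapes
    header["cef_version"] = header["cef_version"][len("CEF:"):]
    ext_text = parts[7]
    matches = list(_KEY_RE.finditer(ext_text))
    ext = {}
    for i, m in enumerate(matches):
        # A value runs from its '=' up to the start of the next key (spaces allowed).
        end = matches[i + 1].start() if i + 1 < len(matches) else len(ext_text)
        ext[m.group(1)] = _unescape_ext(ext_text[m.end():end].strip())
    return header, ext


def map_event(line):
    """Produce a LogRhythm-style field dict for one Tenable.ot event."""
    header, ext = parse_cef(line)
    event = {k: header[k] for k in ("vendorinfo", "version", "vmid", "subject", "severity")}
    event["classification"] = SEVERITY_CLASS.get(header["severity"], "Unknown")
    for key, value in ext.items():
        field = SCHEMA_MAP.get(key)
        if field is None:
            continue
        if field in NUMERIC_FIELDS:
            value = int(value)
            if field in PORT_FIELDS and not 0 <= value <= 65535:
                raise ValueError("%s out of range: %d" % (field, value))
        event[field] = value
    # Custom fields are self-describing: csNLabel/cnNLabel names the value in csN/cnN.
    custom = {}
    for key, label in ext.items():
        if key.endswith("Label") and key[:-5] in ext:
            custom[label] = ext[key[:-5]]
    event["custom"] = custom
    event["externalId"] = ext.get("externalId")   # kept for audit; N/A in the schema
    event["rt"] = ext.get("rt")
    return event


# Constructed sample events (not real Tenable.ot output).
SAMPLE_EVENTS = [
    "CEF:0|Tenable|Tenable.ot|3.14|200|Controller State Change detected|High|"
    "rt=Mar 05 2024 14:22:10 dvchost=Indegy externalId=4512 src=10.1.1.20 suser=EngStation-1 "
    "smac=00:11:22:33:44:55 dst=10.1.1.50 duser=PLC-Line2 dmac=00:1d:9c:aa:bb:cc proto=TCP dpt=44818 "
    "cs1=running->stopped cs1Label=value_change cs6=Controller Activity cs6Label=policy_name "
    "msg=Mode changed via CIP\\=Set request",          # escaped '=' inside a value
    "CEF:0|Tenable|Tenable.ot|3.14|201|Tag Write Values detected|Medium|"
    "rt=Mar 05 2024 14:25:41 dvchost=Indegy externalId=4513 src=10.1.1.20 dst=10.1.1.50 proto=TCP dpt=502 "
    "cs2=Setpoint_1:75 cs2Label=tag cs6=Tag Write Policy cs6Label=policy_name",
]

if __name__ == "__main__":
    for raw_line in SAMPLE_EVENTS:
        print(json.dumps(map_event(raw_line), indent=2))
```

The value boundary rule in parse_cef (a value ends where the next `key=` token begins) is the same heuristic every CEF consumer relies on, so a free-text msg that happens to contain `word=` will be split; Tenable.ot escapes '=' in values, which is why `_unescape_ext` is applied after the split rather than before. The port-range check enforces the "0 to 65535" constraint the table states and rejects a malformed record instead of storing an impossible dport.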