Skip to main content
Skip table of contents

Threat Intelligence Messages (Syslog - NetScout OCI CEF)

Vendor Documentation

N/A

Classification

Rule Name

Rule Type

Common Event

Classification

Threat Intelligence Messages

Base Rule

General Threat Message

Activity

Mapping with LogRhythm Schema

Device Key in Log Message

LogRhythm Schema

Data Type

Schema Description

N/A

N/A

N/A

N/A

N/A

N/A

N/A

Device Vendor

product_name

<vendorinfo>

Text/String

N/A

oci_version

<version>

Text/String

N/A

risk_type_description

<vmid>

Text/String

N/A

event_sub_category

<object>

Text/String

N/A

Severity

<severity>

Number

Severity level; ranges from 1 to 10 (critical).

type

<objecttype>

Number

Can be:
0—Base event.
1—Aggregate event

Desc

<subject>

N/A

N/A

shost

<sname>

Text/String

Resolved IPV4 host address.
Present only for Threat Intelligence when both host and server are present.
dvchost will not be present in his case.

src

<sip>

IP Address

Unresolved IPv4 host address.
Present only for Threat Intelligence when both host and server are present.
dvchost will not be present in his case.

dhost

<dname>

Text/String

Resolved IPv4 server address.
Present only for Threat Intelligence when both host and server are present.
dvchost will not be present in this case.

dst

<dip>

IP Address

Unresolved IPv4 server address.
Present only for Threat Intelligence when both host and server are present.
dvchost will not be present in his case. dhost will be present.

srcHostGroup

N/A

N/A

N/A

app

<protname>

Text/String

Protocol/Application

interfaceCount

<quantity>

Number

N/A

violationCount

N/A

N/A

N/A

start

N/A

N/A

Start time of event.

end

N/A

N/A

End time of event.

url

<url>

Text/String

N/A

srccount

N/A

N/A

N/A

srcHostGroupcount

N/A

N/A

N/A

dstcount

N/A

N/A

N/A

dsthostgroupcount

N/A

N/A

N/A

iocconfidence

N/A

N/A

loC confidence value. Present only for Threat Intelligence.

hostgroupcount

N/A

N/A

Number of host groups encountered in given interval.
For base events it is always 1. Applicable to all risk types.

appcount

N/A

N/A

N/A

srcHostGroup

N/A

N/A

N/A

dsthostgroup

N/A

N/A

N/A

useridentity

N/A

N/A

Applicable for only Threat Intelligence base events.

iocDescription

N/A

N/A

N/A

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close