Traffic : Forward
Vendor Documentation
Classification
| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| Traffic: Forward | Base Rule | Network Traffic | Network Traffic |
| Network/Traffic Allowed Messages | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| Sniffer Traffic Accept | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| Forwarded Traffic Blocked | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| Forwarded Traffic Timeout | Sub Rule | User Session Timeout | Information |
| Forwarded Traffic Close | Sub Rule | Connection Closed | Network Traffic |
| Forwarded Traffic Accept - Reset | Sub Rule | Connection Reset | Network Traffic |
| Local Traffic Denied | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| Forwarded Traffic Denied | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| Forward Traffic Deny | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| ICMP Traffic Allow | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| Invalid Traffic | Sub Rule | Connection Failed | Network Traffic |
| Malware Activity Blocked | Sub Rule | Failed Botnet Activity | Failed Malware |
| Forwarded Traffic Allowed | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| Forwarded Traffic Start | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| Local Traffic Accepted | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| Forwarded Traffic | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| Forwarded Traffic Session Closed | Sub Rule | Connection Closed | Network Traffic |
| Forwarded Traffic Accept | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| Local Traffic Accept | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| Local Traffic Timeout | Sub Rule | Session Disconnected | Other Audit Success |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
| logid | <vmid> <tag1> | Number | The ID (logid) is a 10-digit field. It is a unique identifier for that specific log. |
| apprisk | <severity> | Text\String | Each log entry contains a Level (level) field that indicates the estimated severity of the event that caused the log entry. |
| srcip | <sip> | IP Address | IP address of the traffic’s origin. |
| dstip | <dip> | IP Address | Destination IP address for the web. |
| srcport | <sport> | Number | Port number of the traffic's origin. |
| dstport | <dport> | Number | Port number of the traffic's destination. |
| transip | <snatip> | IP Address | N/A |
| tranip | <dnatip> | IP Address | N/A |
| srcintf | <sinterface> | Text\String | Interface name of the traffic's origin. |
| dstintf | <dinterface> | Text\String | Interface of the traffic's destination. |
| proto | <protnum> | Number | The protocol used by web traffic (tcp by default). |
| user | <login> | Text\String | N/A |
| sessionid | <session> | Number | ID for the session. |
| appid | <processid> | Number | ID of the application. |
| app | <object> | Text\String | Name of the application. |
| appcat | <objectname> | Text\String | Category of the application. |
| devname | <subject> | Text\String | N/A |
| url | <url> | Text\String | N/A |
| policyid | <policy> | Number | N/A |
| group | <group> | Text\String | N/A |
| action | <action> <tag2> | Text\String | N/A |
| utmaction | <result> | Text\String | N/A |
| appact | <status> | Text\String | N/A |
| rcvdbyte | <bytesin> | Number | N/A |
| sentbyte | <bytesout> | Number | N/A |
| duration | <duration> | Number | N/A |
| utmaction | <tag3> | Text\String | N/A |