Vendor Documentation
Classification
|
Rule Name |
Rule Type |
Common Event |
Classification |
|---|---|---|---|
|
Traffic: Forward |
Base Rule |
Network Traffic |
Network Traffic |
|
Network/Traffic Allowed Messages |
Sub Rule |
Traffic Allowed by Network Firewall |
Network Allow |
|
Sniffer Traffic Accept |
Sub Rule |
Traffic Allowed by Network Firewall |
Network Allow |
|
Forwarded Traffic Blocked |
Sub Rule |
Traffic Denied by Network Firewall |
Network Deny |
|
Forwarded Traffic Timeout |
Sub Rule |
User Session Timeout |
Information |
|
Forwarded Traffic Close |
Sub Rule |
Connection Closed |
Network Traffic |
|
Forwarded Traffic Accept - Reset |
Sub Rule |
Connection Reset |
Network Traffic |
|
Local Traffic Denied |
Sub Rule |
Traffic Denied by Network Firewall |
Network Deny |
|
Forwarded Traffic Denied |
Sub Rule |
Traffic Denied by Network Firewall |
Network Deny |
|
Forward Traffic Deny |
Sub Rule |
Traffic Denied by Network Firewall |
Network Deny |
|
ICMP Traffic Allow |
Sub Rule |
Traffic Allowed by Network Firewall |
Network Allow |
|
Invalid Traffic |
Sub Rule |
Connection Failed |
Network Traffic |
|
Malware Activity Blocked |
Sub Rule |
Failed Botnet Activity |
Failed Malware |
|
Forwarded Traffic Allowed |
Sub Rule |
Traffic Allowed by Network Firewall |
Network Allow |
|
Forwarded Traffic Start |
Sub Rule |
Traffic Allowed by Network Firewall |
Network Allow |
|
Local Traffic Accepted |
Sub Rule |
Traffic Allowed by Network Firewall |
Network Allow |
|
Forwarded Traffic |
Sub Rule |
Traffic Allowed by Network Firewall |
Network Allow |
|
Forwarded Traffic Session Closed |
Sub Rule |
Connection Closed |
Network Traffic |
|
Forwarded Traffic Accept |
Sub Rule |
Traffic Allowed by Network Firewall |
Network Allow |
|
Local Traffic Accept |
Sub Rule |
Traffic Allowed by Network Firewall |
Network Allow |
|
Local Traffic Timeout |
Sub Rule |
Session Disconnected |
Other Audit Success |
Mapping with LogRhythm Schema
|
Device Key in Log Message |
LogRhythm Schema |
Data Type |
Schema Description |
|
logid |
<vmid> <tag1> |
Number |
The ID (logid) is a 10-digit field. It is a unique identifier for that specific log. |
|
apprisk |
<severity> |
Text\String |
Each log entry contains a Level (level) field that indicates the estimated severity of the event that caused the log entry. |
|
srcip |
<sip> |
IP Address |
IP address of the traffic’s origin. |
|
dstip |
<dip> |
IP Address |
Destination IP address for the web. |
|
srcport |
<sport> |
Number |
Port number of the traffic's origin. |
|
dstport |
<dport> |
Number |
Port number of the traffic's destination. |
|
transip |
<snatip> |
IP Address |
N/A |
|
tranip |
<dnatip> |
IP Address |
N/A |
|
srcintf |
<sinterface> |
Text\String |
Interface name of the traffic's origin. |
|
dstintf |
<dinterface> |
Text\String |
Interface of the traffic's destination. |
|
proto |
<protnum> |
Number |
The protocol used by web traffic (tcp by default). |
|
user |
<login> |
Text\String |
N/A |
|
sessionid |
<session> |
Number |
ID for the session. |
|
appid |
<processid> |
Number |
ID of the application. |
|
app |
<object> |
Text\String |
Name of the application. |
|
appcat |
<objectname> |
Text\String |
Category of the application. |
|
devname |
<subject> |
Text\String |
N/A |
|
url |
<url> |
Text\String |
N/A |
|
policyid |
<policy> |
Number
|
N/A |
|
group |
<group> |
Text\String |
N/A |
|
action |
<action> <tag2> |
Text\String |
N/A |
|
utmaction |
<result> |
Text\String |
N/A |
|
appact |
<status> |
Text\String |
N/A |
|
rcvdbyte |
<bytesin> |
Number |
N/A |
|
sentbyte |
<bytesout> |
Number |
N/A |
|
duration |
<duration> |
Number |
N/A |
|
utmaction |
<tag3> |
Text\String |
N/A |