Vendor Documentation
Classification

| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| Update Messages | Base Rule | General LiveUpdate Information | Information |
| Update Configuration Messages | Sub Rule | Configuration Information | Information |
| Update Content Messages | Sub Rule | General Audit Messages | Information |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Version | N/A | N/A | N/A |
| Vendor | N/A | N/A | N/A |
| Device Product | N/A | N/A | N/A |
| Device Version | <version> | Numbers | N/A |
| Device Event Class ID | <vmid> | Text/String | The number representing the type of the event. If translation is used, the type enum name is defined by the ICD Schema. |
| Name | <vendorinfo> | Text/String | The description of the event. If the message attribute is missing and translation is used, the name is generated from the type_id and id enum names. |
| Severity | <severity> | Numbers | The severity of the event, mapped as follows: |
| act | <result> <tag1> | Text/String | The outcome of the event. It is either a numeric value or text when translation is used. |
| cat | <objecttype> | Text/String | The event type category. It is either a numeric value or text when translation is used. |
| deviceExternalId | N/A | N/A | The unique identifier of the device. |
| dtz | N/A | N/A | The time zone of the event's Device Time, converted from minutes ahead of or behind UTC to a standard time zone identifier. |
| dvc | <sip> | IP Address | The IP address that pertains to the event, if in IPv4 format (otherwise placed in c6a1). |
| dvchost | <sname> | Text/String | The name of the device originating the event. |
| rt | N/A | N/A | The time that the ICDx system collected the event, expressed as the number of milliseconds since 01/01/1970 00:00:00 UTC. |
| deviceCustomDate1 | N/A | N/A | N/A |
| deviceCustomDate1Label | N/A | N/A | N/A |
| start | N/A | N/A | The start time of the event, expressed as the number of milliseconds since 01/01/1970 00:00:00 UTC. |
| agt | N/A | N/A | The IP address of the collector device, if in IPv4 format. |
| ahost | N/A | N/A | The host name of the collector device. |
| aid | N/A | N/A | The unique identifier of the collector. |
| cs6 | N/A | N/A | N/A |
| cs6Label | N/A | N/A | N/A |
| cs4 | <group> | Text/String | N/A |
| cs4Label | N/A | N/A | N/A |
| cs5 | N/A | N/A | N/A |
| cs5Label | N/A | N/A | N/A |
| suser | <login> | Text/String | The source user by name. |
| symcICDxLogName | <object> | Text/String | The ICDx archive name (log_name). |
| symcICDxUUID | N/A | N/A | The unique identifier (UUID) of the event. |
| symcICDxData | <subject> | Text/String | The JSON-encoded event data that was not mapped to any CEF attributes. |
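The mapping above, applied in code. This is an added example and is not part of the LogRhythm or Symantec documentation: a small CEF parser that splits the seven header fields (honouring the `\|` and `\\` escapes), splits the extension into key=value pairs (honouring `\=`, `\n` and `\r` inside values, and values that contain spaces), and then moves each CEF key to the schema field the table names. Keys the table marks N/A are kept in a separate bucket rather than dropped. The sample line is constructed for this example; its event class ID, host name and user name are placeholders, `act` is mapped to <result> only (the table's <tag1> copy is left out), and all function and constant names are this example's own.

```python
import ipaddress
import json
import re

# CEF key -> LogRhythm schema field, from the mapping table above.  Header columns
# are named with spaces removed; keys the table marks N/A are left out on purpose.
CEF_TO_LOGRHYTHM = {
    "DeviceVersion": "version",
    "DeviceEventClassID": "vmid",
    "Name": "vendorinfo",
    "Severity": "severity",
    "act": "result",        # the table also copies act to <tag1>; omitted here
    "cat": "objecttype",
    "dvc": "sip",           # IPv4 only, see to_logrhythm()
    "dvchost": "sname",
    "cs4": "group",
    "suser": "login",
    "symcICDxLogName": "object",
    "symcICDxData": "subject",
}
HEADER_FIELDS = ("Version", "Vendor", "DeviceProduct", "DeviceVersion",
                 "DeviceEventClassID", "Name", "Severity")

# One header field: escaped pairs (\| \\) or non-pipe chars, then an unescaped pipe.
HEADER_RE = re.compile(r"((?:\\.|[^|\\])*)\|")
# An extension key starts the string or follows whitespace and ends at an unescaped
# '='.  A literal '=' in a value is written '\=', so a backslash precedes it.
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")
_ESCAPES = {"n": "\n", "r": "\r"}


def split_header(line):
    """Return the seven CEF header fields (unescaped) and the extension text."""
    fields, pos = [], 0
    while len(fields) < 7:
        m = HEADER_RE.match(line, pos)
        if m is None:
            raise ValueError("malformed CEF header: expected 7 pipe-delimited fields")
        fields.append(re.sub(r"\\(.)", r"\1", m.group(1)))
        pos = m.end()
    return fields, line[pos:]


def unescape_value(raw):
    """Undo CEF extension escaping: \\= \\\\ \\n \\r."""
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), raw)


def parse_extension(ext):
    """Split 'key=value key=value ...'; values may contain spaces."""
    keys = list(KEY_RE.finditer(ext))
    parsed = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        parsed[m.group(1)] = unescape_value(ext[m.end():end])
    return parsed


def to_logrhythm(line):
    """Map one ICDx CEF event to (mapped, unmapped) per the table; N/A keys are kept."""
    header, ext = split_header(line.rstrip("\r\n"))
    raw = dict(zip(HEADER_FIELDS, header))
    raw["Version"] = raw["Version"].replace("CEF:", "", 1)
    raw.update(parse_extension(ext))

    mapped, unmapped = {}, {}
    for key, value in raw.items():
        target = CEF_TO_LOGRHYTHM.get(key)
        if target is None:
            unmapped[key] = value
        elif target == "sip":
            # Table: dvc -> <sip> only in IPv4 form; an IPv6 address belongs in
            # c6a1, which the table does not map, so it is kept aside instead.
            try:
                is_v4 = ipaddress.ip_address(value).version == 4
            except ValueError:
                is_v4 = False
            if is_v4:
                mapped["sip"] = value
            else:
                unmapped["dvc"] = value
        elif target == "severity":
            mapped[target] = int(value)        # Data Type: Numbers
        elif target == "subject":
            json.loads(value)                  # symcICDxData must be valid JSON
            mapped[target] = value
        else:
            mapped[target] = value
    return mapped, unmapped


# Constructed sample line for this example, not a real ICDx event: the event
# class ID 1000, the host name and the user name are placeholders.
SAMPLE = (
    r"CEF:0|Symantec|ICDx|1.0|1000|Content update \| LiveUpdate|3|"
    r"rt=1600000000000 act=Success cat=Update dvc=10.0.0.5 dvchost=lu-server01 "
    r"suser=svc_liveupdate cs4=Workstations cs4Label=Group "
    r"msg=definitions date\=2020-09-13 symcICDxLogName=sep_liveupdate "
    r'symcICDxData={"product":"SEP","content":"virus definitions"}'
)
```

Calling `to_logrhythm(SAMPLE)` returns the schema fields in one dictionary and every N/A key (Version, Vendor, rt, cs4Label, the extra `msg`) in the other. The IPv4 check matters in practice: the table sends `dvc` to <sip> only in IPv4 form and never maps c6a1, so an IPv6 device address would otherwise vanish from the parsed event without any error; the example parks it in the unmapped bucket so the loss is visible.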