User Authentication And Session Message
Vendor Documentation
Classification
| Rule Name | Rule Type | Classification | Common Event |
|---|---|---|---|
| User Authentication And Session Message | Base Rule | Information | General Event Log Information |
| Admin: User Account Modified | Sub Rule | Account Modified | User Account Attribute Modified |
| Admin: Server Shutdown Activity | Sub Rule | Startup and Shutdown | System Shutdown |
| Admin: Session Timed Out | Sub Rule | Information | User Session Timeout |
| Admin: Forcing Off User | Sub Rule | Authentication Success | User Logoff |
| Admin: Password Realm Restrictions Failed | Sub Rule | Authentication Failure | User Logon Failure |
| Admin: User Logged Out | Sub Rule | Authentication Success | User Logoff |
| Admin: Password Change Failed Activity | Sub Rule | Other Audit Failure | Failed Password Change Attempt |
| Access: Login Succeeded Activity | Sub Rule | Authentication Success | User Logon |
| Access: Session Terminated | Sub Rule | Information | Session Ended |
| Access: Login Failed Activity | Sub Rule | Authentication Failure | User Logon Failure |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type |
|---|---|---|
| N/A | <severity> | String |
| N/A | <sip> | IP Address |
| N/A | <login> | String |
| N/A | <group> | String |
| N/A | <vmid> | String |
| N/A | <tag1> | String |
| N/A | <tag2> | String |
| N/A | <session> | String |
| N/A | <useragent> | String |
| N/A | <reason> | String |