User Login

Log Fields and Parsing

This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.

| Log Field | LogRhythm Default | LogRhythm Default v2.0 |
| --- | --- | --- |
| N/A | <severity> | N/A |
| Event Type | N/A | <vmid> |
| Event Name | <vmid> | <action>, <tag1> |
| Message | N/A | <vendorinfo> |
| SHA256 | N/A | <hash> |
| FileName | N/A | <object> |
| Reason | N/A | <reason> |
| Added to | N/A | <subject> |
| Category | N/A | <objecttype> |
| Source IP | <sip> | N/A |
| User | <login> | <domainorigin>, <login> |
| Devices/Device | N/A | <dname> |

Log Processing Settings

This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.

LogRhythm Default

| Regex ID | Rule Name | Rule Type | Common Events | Classifications |
| --- | --- | --- | --- | --- |
| 1008213 | User Login | Base Rule | User Logon | Authentication Success |
| | Login Failed | Sub Rule | User Logon Failure | Authentication Failure |
| | Login Success | Sub Rule | User Logon | Authentication Success |

LogRhythm Default v2.0

| Regex ID | Rule Name | Rule Type | Common Events | Classifications |
| --- | --- | --- | --- | --- |
| 1011399 | V 2.0 : Cylance Protect : Audit Event | Base Rule | General Auditing Message | Other Audit |
| | V 2.0 : Cylance Protect : Agent Updated | Sub Rule | Software Updated | Configuration |
| | V 2.0 : Cylance Protect : App Added | Sub Rule | Object Added | Access Success |
| | V 2.0 : Cylance Protect : App Modified | Sub Rule | Object Modified | Access Success |
| | V 2.0 : Cylance Protect : App Removed | Sub Rule | Object Deleted/Removed | Access Success |
| | V 2.0 : Cylance Protect : Cert Added | Sub Rule | Object Added | Access Success |
| | V 2.0 : Cylance Protect : Cert Deleted | Sub Rule | Object Deleted/Removed | Access Success |
| | V 2.0 : Cylance Protect : Cert Modified | Sub Rule | Object Modified | Access Success |
| | V 2.0 : Cylance Protect : Cert Added To Safe List | Sub Rule | Configuration Modified : Security | Configuration |
| | V 2.0 : Cylance Protect : Cert Rem. From Safe List | Sub Rule | Configuration Modified : Security | Configuration |
| | V 2.0 : Cylance Protect : Custom Auth Disabled | Sub Rule | Configuration Modified : Security | Configuration |
| | V 2.0 : Cylance Protect : Custom Auth Saved | Sub Rule | Configuration Modified : Security | Configuration |
| | V 2.0 : Cylance Protect : Device Added | Sub Rule | Object Added | Access Success |
| | V 2.0 : Cylance Protect : Device Modified | Sub Rule | Object Modified | Access Success |
| | V 2.0 : Cylance Protect : Device Removed | Sub Rule | Object Deleted/Removed | Access Success |
| | V 2.0 : Cylance Protect : Support Login Modified | Sub Rule | Configuration Modified : Security | Configuration |
| | V 2.0 : Cylance Protect : File Added To Global Lis | Sub Rule | Configuration Modified : Security | Configuration |
| | V 2.0 : Cylance Protect : File Rem. From Global Li | Sub Rule | Configuration Modified : Security | Configuration |
| | V 2.0 : Cylance Protect : User Logon Failure | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : Cylance Protect : User Logon Success | Sub Rule | User Logon | Authentication Success |
| | V 2.0 : Cylance Protect : Policy Added | Sub Rule | Object Added | Access Success |
| | V 2.0 : Cylance Protect : Policy Modified | Sub Rule | Object Modified | Access Success |
| | V 2.0 : Cylance Protect : Policy Removed | Sub Rule | Object Deleted/Removed | Access Success |
| | V 2.0 : Cylance Protect : File Added To Safe List | Sub Rule | Configuration Modified : Security | Configuration |
| | V 2.0 : Cylance Protect : File Rem. From Safe List | Sub Rule | Configuration Modified : Security | Configuration |
| | V 2.0 : Cylance Protect : Script Added To Safe Lis | Sub Rule | Configuration Modified : Security | Configuration |
| | V 2.0 : Cylance Protect : Script Rem. From Safe Li | Sub Rule | Configuration Modified : Security | Configuration |
| | V 2.0 : Cylance Protect : Syslog Disabled | Sub Rule | Configuration Modified : Security | Configuration |
| | V 2.0 : Cylance Protect : Syslog Settings Modified | Sub Rule | Configuration Modified : Security | Configuration |
| | V 2.0 : Cylance Protect : File Added To Quarantine | Sub Rule | Configuration Modified : Security | Configuration |
| | V 2.0 : Cylance Protect : User Quarantined File | Sub Rule | Quarantined Message | Failed Activity |
| | V 2.0 : Cylance Protect : File Added To Safe List | Sub Rule | Configuration Modified : Security | Configuration |
| | V 2.0 : Cylance Protect : User Waived File Threat | Sub Rule | General Security | Other Security |
| | V 2.0 : Cylance Protect : User Account Created | Sub Rule | User Account Created | Account Created |
| | V 2.0 : Cylance Protect : User Account Modified | Sub Rule | User Account Attribute Modified | Account Modified |
| | V 2.0 : Cylance Protect : User Account Removed | Sub Rule | User Account Deleted | Account Deleted |
| | V 2.0 : Cylance Protect : Zone Added | Sub Rule | Object Added | Access Success |
| | V 2.0 : Cylance Protect : Device Added To Zone | Sub Rule | Configuration Modified : Security | Configuration |
| | V 2.0 : Cylance Protect : Zone Modified | Sub Rule | Object Modified | Access Success |
| | V 2.0 : Cylance Protect : Zone Removed | Sub Rule (Production) | Object Deleted/Removed | |
| | V 2.0 : Cylance Protect : Device Removed From Zone | Sub Rule (Production) | Configuration Modified : Security | |
| | V 2.0 : Cylance Protect : Zone Rule Added | Sub Rule (Production) | Object Added | |
| | V 2.0 : Cylance Protect : Zone Rule Modified | Sub Rule (Production) | Object Modified | |
| | V 2.0 : Cylance Protect : Zone Rule Removed | Sub Rule (Production) | Object Deleted/Removed | |