Vendor Documentation
Classification
| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| V 2.0 : Admin Audit Logs | Base Rule | General Audit Messages | Information |
| V 2.0 : Audit Logs Created | Sub Rule | Object Created | Access Success |
| V 2.0 : Audit Logs Deleted | Sub Rule | Object Deleted/Removed | Access Success |
| V 2.0 : Audit Logs Updated | Sub Rule | Object Modified | Access Success |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| ID | N/A | N/A | A unique identifier of the audit event. |
| Timestamp | N/A | N/A | The date and time when this request was made, in UTC. This is different than the Umbrella dashboard, which converts the time to your specified time zone. |
| | <account> | Text/String | The email of the user that triggered the event. |
| User | <login> | Text/String | The account name of the user who created the change. |
| Type | <object> | Text/String | Where the change was made, such as settings or a policy. |
| Action | <action> <tag1> | Text/String | The type of change made, such as Create, Update, or Delete. |
| Logged in from | <sip> | IP Address | The user's IP source. |
| Before | N/A | N/A | The policy or setting before the change was made. |
| After | N/A | N/A | The policy or setting after the change was made. |