V 2.0 Authentication Messages 1
Vendor Documentation
Classification
| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| V 2.0 Authentication Messages | Base Rule | General Authentication Event |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Type (type) | <vmid> | Text/String | Specifies the type of log; value is AUTHENTICATION. |
| Threat/Content Type (subtype) | <vendorinfo> | Text/String | Subtype of the system log. |
| Source IP (ip) | <sip> | Number | Original session source IP address. |
| User (user) | <login> | Text/String | End user being authenticated. |
| Object (object) | <object> | Text/String | Name of the object associated with the system event. |
| Authentication Policy (authpolicy) | <policy> | Text/String | Policy invoked for authentication before allowing access to a protected resource. |
| Repeat Count (repeatcnt) | <quantity> | Number | Number of sessions with same Source IP, Destination IP, Application, and Subtype seen within 5 seconds. |
| Log Action (logset) | <action> | Text/String | Log Forwarding Profile that was applied to the session. |
| Description (desc) | <subject> | Text/String | Additional authentication information. |
| Event Type (event) | <result> | Text/String | Result of the authentication attempt. |
| Device Name (device_name) | <objectname> | Text/String | The hostname of the firewall on which the session was logged. |
| Authentication Protocol (authproto) | <protname> | Text/String | Indicates the authentication protocol used by the server. For example, PEAP with GTC. |
| Source Hostname (src_host) | <sname> | Text/String | The hostname of the device that Device-ID identifies as the source of the traffic. |
| Source MAC Address (src_mac) | <smac> | Text/String | The MAC address for the device that Device-ID identifies as the source of the traffic. |
| User Agent (user_agent) | <useragent> | Text/String | The string from the HTTP request header User-Agent. |
| Session ID | <session> | Number | A string that uniquely identifies the traffic session. |