V 2.0 Authentication Messages
Vendor Documentation
Classification
| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| V 2.0 Authentication Messages | Base Rule | General Authentication Event | |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Type (type) | `<vmid>` | Text/String | Specifies the type of log; value is AUTHENTICATION. |
| Threat/Content Type (subtype) | `<vendorinfo>` | Text/String | Subtype of the system log. |
| Source IP (ip) | `<sip>` | Number | Original session source IP address. |
| User (user) | `<login>` | Text/String | End user being authenticated. |
| Object (object) | `<object>` | Text/String | Name of the object associated with the system event. |
| Authentication Policy (authpolicy) | `<policy>` | Text/String | Policy invoked for authentication before allowing access to a protected resource. |
| Repeat Count (repeatcnt) | `<quantity>` | Number | Number of sessions with the same Source IP, Destination IP, Application, and Subtype seen within 5 seconds. |
| Log Action (logset) | `<action>` | Text/String | Log Forwarding Profile that was applied to the session. |
| Description (desc) | `<subject>` | Text/String | Additional authentication information. |
| Event Type (event) | `<result>` | Text/String | Result of the authentication attempt. |
| Device Name (device_name) | `<objectname>` | Text/String | The hostname of the firewall on which the session was logged. |
| Authentication Protocol (authproto) | `<protname>` | Text/String | Indicates the authentication protocol used by the server. For example, PEAP with GTC. |
| Source Hostname (src_host) | `<sname>` | Text/String | The hostname of the device that Device-ID identifies as the source of the traffic. |
| Source MAC Address (src_mac) | `<smac>` | Text/String | The MAC address of the device that Device-ID identifies as the source of the traffic. |
| User Agent (user_agent) | `<useragent>` | Text/String | The string from the HTTP request header User-Agent. |
| Session ID | `<session>` | Number | A string that uniquely identifies the traffic session. |