V 2.0 : Content Awareness Events
Vendor Documentation
Classification
| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| V 2.0 : Content Awareness Events | Base Rule | General Network Traffic | Network Traffic |
| V 2.0 : Content Awareness : Traffic Accept | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| V 2.0 : Content Awareness : Traffic Reject | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| V 2.0 : Content Awareness : Traffic Allow | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| V 2.0 : Content Awareness : Traffic Block | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| subproduct | N/A | N/A | Sub-product |
| Product | <vmid> | Text/String | Product name |
| Action | <action> <tag1> | Text/String | N/A |
| Originip | N/A | N/A | IP of the log origin |
| SIP | <sip> | IP Address | Source IP |
| Origin | N/A | N/A | Name of the first Security Gateway that reported this event |
| src_machine_name | N/A | N/A | Machine name connected to source IP |
| DIP | <dip> | IP Address | Destination IP |
| dst_machine_name | N/A | N/A | Machine name connected to destination IP |
| dport | <dport> | Number | Destination host port number |
| protocol | <protnum> | Number | Protocol detected on the connection |
| ifname | N/A | N/A | The name of the Security Gateway interface, through which a connection traverses |
| ifdirection | N/A | N/A | Connection direction |
| User | N/A | N/A | Source user name |
| src_user_name | N/A | N/A | User name connected to source IP |
| dst_user_name | N/A | N/A | Connected user name on the destination IP |
| file_name | <object> | Number | File name |
| file_direction | N/A | N/A | File direction. Possible options: upload, download |
| file_type | <objecttype> | Text/String | Classified file type |
| file_size | <size> | Number | Attachment file size / Matched file size |
| data_type_name | N/A | N/A | Data type in rulebase that was matched |
| file_id | <object> | Number | Unique file identifier |
| invalid_file_size | N/A | N/A | The file_size field is valid only if this field is set to 0 |
| top_archive_file_name | N/A | N/A | For archive files: the name of the file that was sent/received |
| connection_luuid | N/A | N/A | MD5 of the IP and user name, used as a UID |
| duration | N/A | N/A | N/A |
| alert | N/A | N/A | Alert level of matched rule (for connection logs) |
| conn_direction | N/A | N/A | N/A |
| flags | N/A | N/A | N/A |
| logid | N/A | N/A | N/A |
| loguid | N/A | N/A | UUID of unified logs |
| originsicname | N/A | N/A | Machine SIC |
| sequencenum | N/A | N/A | Number added to order logs with the same Linux timestamp and origin |
| version | N/A | N/A | N/A |
| __policy_id_tag | <policy> | Text/String | N/A |
| data_type_uid | N/A | N/A | N/A |
| specific_data_type_name | N/A | N/A | In a compound/group scenario, the specific data type that was matched |
| specific_data_type_uid | N/A | N/A | N/A |
| word_list | N/A | N/A | Words matched by data type |
| hll_key | N/A | N/A | N/A |