V 2.0 Correlated Event Messages
Vendor Documentation
Classification
| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| V 2.0 Correlated Event Messages | Base Rule | Suspicious Activity | Suspicious |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Type (type) | <vmid> | Text/String | Specifies the type of log; value is CORRELATION. |
| Content/Threat Type (subtype) | <vendorinfo> | Text/String | Subtype of the correlation log; unused. |
| Source Address (src) | <sip> | IP Address | IP address of the user who initiated the event. |
| Source User (srcuser) | <domainorigin> <login> | Text/String | Username of the user who initiated the event. |
| Category (category) | <subject> | Text/String | A summary of the kind of threat or harm posed to the network, user, or host. |
| Severity (severity) | <severity> | Text/String | Severity associated with the event; values are informational, low, medium, high, critical. |
| Device Name (device_name) | <objectname> | Number | The hostname of the firewall on which the session was logged. |
| Object Name (objectname) | <threatname> | Text/String | Name of the correlation object that was matched on. |
| Object ID (object_id) | <threatid> | Number | Name of the object associated with the system event. |
| Evidence (evidence) | <reason> | Text/String | A summary statement that indicates how many times the host has matched against the conditions defined in the correlation object. For example, Host visited known malware URL (19 times). |
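As an added example (not vendor or LogRhythm code), the mapping table above applied in Python to a constructed PAN-OS correlation log line: the CSV field order is assumed from the PAN-OS syslog field reference rather than taken from this page, and all sample values are made up.

```python
import csv
import re
from io import StringIO

# PAN-OS correlation log CSV field order (assumption: taken from the PAN-OS
# syslog field reference; the page lists only the fields LogRhythm maps).
PAN_FIELDS = [
    "future_use", "receive_time", "serial", "type", "subtype", "future_use2",
    "generated_time", "src", "srcuser", "vsys", "category", "severity",
    "dg_hier1", "dg_hier2", "dg_hier3", "dg_hier4", "vsys_name",
    "device_name", "vsys_id", "objectname", "object_id", "evidence",
]

# Device key -> LogRhythm schema field, exactly as in the mapping table.
SCHEMA_MAP = {
    "type": "vmid", "subtype": "vendorinfo", "src": "sip",
    "category": "subject", "severity": "severity", "device_name": "objectname",
    "objectname": "threatname", "object_id": "threatid", "evidence": "reason",
}

MATCH_COUNT = re.compile(r"\((\d+) times?\)")


def parse_correlation_log(line: str) -> dict:
    """Map one PAN-OS CORRELATION syslog line onto LogRhythm schema names."""
    values = next(csv.reader(StringIO(line)))
    if len(values) != len(PAN_FIELDS):
        raise ValueError(f"expected {len(PAN_FIELDS)} fields, got {len(values)}")
    raw = dict(zip(PAN_FIELDS, values))
    if raw["type"] != "CORRELATION":
        raise ValueError(f"not a correlation log: type={raw['type']!r}")
    out = {schema: raw[key] for key, schema in SCHEMA_MAP.items()}
    # srcuser arrives as DOMAIN\user; split it into <domainorigin> and <login>.
    domain, sep, login = raw["srcuser"].rpartition("\\")
    out["domainorigin"] = domain if sep else ""
    out["login"] = login
    # Pull the match count out of evidence text such as "... (19 times)".
    m = MATCH_COUNT.search(raw["evidence"])
    out["match_count"] = int(m.group(1)) if m else None
    return out


# Constructed sample line (not captured from a real firewall).
SAMPLE = (
    "1,2023/05/01 10:15:22,007200001234,CORRELATION,,0,2023/05/01 10:15:20,"
    "10.1.2.3,corp\\jdoe,vsys1,compromised-host,high,0,0,0,0,vsys1,"
    "PA-FW-01,1,beacon-heuristics,6005,\"Host visited known malware URL (19 times)\""
)
```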