Skip to main content
Skip table of contents

V 2.0 Correlated Event Messages

Vendor Documentation


Rule Name

Rule Type

Common Event


V 2.0 Correlated Event Messages

Base Rule

Suspicious Activity


Mapping with LogRhythm Schema  

Device Key in Log MessageLogRhythm SchemaData TypeSchema Description
Type (type)<vmid>Text/StringSpecifies the type of log; value is CORRELATION.
Content/Threat Type (subtype)<vendorinfo>Text/StringSubtype of the correlation log; unused.
Source Address (src)<sip>IP AddressIP address of the user who initiated the event.
Source User (srcuser)<domainorigin>
Text/StringUsername of the user who initiated the event.
Category (category)<subject>Text/StringA summary of the kind of threat or harm posed to the network, user, or host.
Severity (severity)<severity>Text/StringSeverity associated with the event; values are informational, low, medium, high, critical.
Device Name (device_name)<objectname>NumberThe hostname of the firewall on which the session was logged
Object Name (objectname)<threatname>Text/StringName of the correlation object that was matched on.
Object ID (object_id)<threatid>NumberName of the object associated with the system event.
Evidence (evidence)<reason>Text/StringA summary statement that indicates how many times the host has matched against the conditions defined in the correlation object. For example, Host visited known malware URl (19 times).
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.