V 2.0 Correlated Event Messages
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
---|---|---|---|
V 2.0 Correlated Event Messages | Base Rule | Suspicious Activity | Suspicious |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
---|---|---|---|
Type (type) | <vmid> | Text/String | Specifies the type of log; value is CORRELATION. |
Content/Threat Type (subtype) | <vendorinfo> | Text/String | Subtype of the correlation log; unused. |
Source Address (src) | <sip> | IP Address | IP address of the user who initiated the event. |
Source User (srcuser) | <domainorigin> <login> | Text/String | Username of the user who initiated the event. |
Category (category) | <subject> | Text/String | A summary of the kind of threat or harm posed to the network, user, or host. |
Severity (severity) | <severity> | Text/String | Severity associated with the event; values are informational, low, medium, high, critical. |
Device Name (device_name) | <objectname> | Number | The hostname of the firewall on which the session was logged. |
Object Name (objectname) | <threatname> | Text/String | Name of the correlation object that was matched on. |
Object ID (object_id) | <threatid> | Number | Name of the object associated with the system event. |
Evidence (evidence) | <reason> | Text/String | A summary statement that indicates how many times the host has matched against the conditions defined in the correlation object. For example, Host visited known malware URL (19 times). |
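The mapping table above, carried through as a small parser. This is an added example and not LogRhythm's or Palo Alto's own code: it takes one constructed PAN-OS CORRELATION record in CSV form, assumes a positional field layout (the `CORRELATION_FIELDS` list is an assumption to be checked against the PAN-OS version in use), maps each device key to the LogRhythm schema name from the table, splits `srcuser` into `<domainorigin>` and `<login>`, converts `object_id` to a number for `<threatid>`, and pulls the match count out of the Evidence text so a detection rule can threshold on it.

```python
import csv
import re

# Assumed positional layout of a PAN-OS CORRELATION syslog record (the CSV body
# after the syslog header). This order is an assumption for the example, not
# something stated on this page; verify it against your PAN-OS release.
CORRELATION_FIELDS = [
    "future_use", "receive_time", "serial", "type", "subtype", "future_use2",
    "generated_time", "src", "srcuser", "vsys", "category", "severity",
    "dg_hier_1", "dg_hier_2", "dg_hier_3", "dg_hier_4", "vsys_name",
    "device_name", "vsys_id", "object_name", "object_id", "evidence",
]

# Device key -> LogRhythm schema field, taken from the mapping table.
# srcuser is handled separately because it feeds two fields.
SCHEMA_MAP = {
    "type": "vmid",
    "subtype": "vendorinfo",
    "src": "sip",
    "category": "subject",
    "severity": "severity",
    "device_name": "objectname",
    "object_name": "threatname",
    "object_id": "threatid",
    "evidence": "reason",
}

# Evidence ends with a match count such as "(19 times)".
EVIDENCE_COUNT = re.compile(r"\((\d+) times?\)")

# Constructed sample record (not real firewall output).
SAMPLE_LINE = (
    "1,2024/01/15 10:22:03,007200001234,CORRELATION,,0,2024/01/15 10:22:03,"
    "10.1.2.3,CORP\\jdoe,vsys1,compromised-host,high,0,0,0,0,vsys1,"
    "PA-EDGE-01,1,beacon-heuristics,6005,"
    "\"Host visited known malware URL (19 times)\""
)


def parse_correlation_line(line):
    """Split one CSV record into a dict keyed by the device field names."""
    values = next(csv.reader([line]))
    if len(values) < len(CORRELATION_FIELDS):
        raise ValueError(
            f"expected at least {len(CORRELATION_FIELDS)} fields, got {len(values)}"
        )
    return dict(zip(CORRELATION_FIELDS, values))


def to_logrhythm(record):
    """Map a parsed device record onto the LogRhythm schema fields."""
    if record.get("type") != "CORRELATION":
        raise ValueError("not a CORRELATION log; type=%r" % record.get("type"))

    out = {schema: record.get(key, "") for key, schema in SCHEMA_MAP.items()}

    # srcuser -> <domainorigin> <login>; PAN-OS writes DOMAIN\user when a
    # domain is known, so split on the last backslash (no domain -> empty).
    domain, _, login = record.get("srcuser", "").rpartition("\\")
    out["domainorigin"] = domain
    out["login"] = login

    # <threatid> is typed Number in the schema; leave non-numeric ids as text.
    if out["threatid"].isdigit():
        out["threatid"] = int(out["threatid"])

    # Pull the repetition count out of the evidence string for thresholding.
    m = EVIDENCE_COUNT.search(out["reason"])
    out["match_count"] = int(m.group(1)) if m else None

    # Every record under this base rule classifies as Suspicious Activity.
    out["common_event"] = "Suspicious Activity"
    out["classification"] = "Suspicious"
    return out


def normalize(line):
    """Convenience: raw CSV line -> LogRhythm-schema dict."""
    return to_logrhythm(parse_correlation_line(line))


if __name__ == "__main__":
    for k, v in normalize(SAMPLE_LINE).items():
        print(f"{k:14} {v}")
```

`match_count` is the field a practitioner actually wants for tuning: the vendor only promises a count inside free text, so extracting it at parse time lets an AI Engine rule alert on "more than N matches" instead of string-matching the reason.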