Vendor Documentation
Classification

| Rule Name | Rule Type | Classification | Common Event |
|---|---|---|---|
| V 2.0 : Data Loss Prevention Event | Base Rule | Information | General DLP Message |
| V 2.0 : DLP : Not Available | Sub Rule | Information | General DLP Message |
| V 2.0 : DLP : Blocked | Sub Rule | Network Deny | Traffic Denied by DLP |
| V 2.0 : DLP : Deleted | Sub Rule | Network Deny | Traffic Denied by DLP |
| V 2.0 : DLP : Delivered | Sub Rule | Network Allow | Traffic Allowed by DLP |
| V 2.0 : DLP : Logged | Sub Rule | Information | General DLP Message |
| V 2.0 : DLP : Passed | Sub Rule | Network Allow | Traffic Allowed by DLP |
| V 2.0 : DLP : Quarantined | Sub Rule | Information | General DLP Message |
| V 2.0 : DLP : Replaced | Sub Rule | Information | General DLP Message |
| V 2.0 : DLP : Archived | Sub Rule | Information | General DLP Message |
| V 2.0 : DLP : Archived (Message Body Only) | Sub Rule | Information | General DLP Message |
| V 2.0 : DLP : Quarantined (Message Body Only) | Sub Rule | Information | General DLP Message |
| V 2.0 : DLP : Passed (Message Body Only) | Sub Rule | Network Allow | Traffic Allowed by DLP |
| V 2.0 : DLP : Encrypted | Sub Rule | Network Traffic | Encrypt Packet |
| V 2.0 : DLP : Alerted (Endpoint) | Sub Rule | Information | General DLP Message |
| V 2.0 : DLP : Alerted (Server) | Sub Rule | Information | General DLP Message |
| V 2.0 : DLP : Data Recorded | Sub Rule | Information | General DLP Message |
| V 2.0 : DLP : User Justified | Sub Rule | Network Allow | Traffic Allowed by DLP |
| V 2.0 : DLP : Handed Off | Sub Rule | Information | General DLP Message |
| V 2.0 : DLP : Recipient Altered | Sub Rule | Information | General DLP Message |
| V 2.0 : DLP : Blind Carbon Copied | Sub Rule | Information | General DLP Message |
| V 2.0 : DLP : Delivery Postponed | Sub Rule | Information | General DLP Message |
| V 2.0 : DLP : Stamped | Sub Rule | Information | General DLP Message |
| V 2.0 : DLP : Attachment Deleted | Sub Rule | Information | General DLP Message |
| V 2.0 : DLP : Subject Tagged | Sub Rule | Information | General DLP Message |
| V 2.0 : DLP : X-header Tagged | Sub Rule | Information | General DLP Message |
| V 2.0 : DLP : Decrypted | Sub Rule | Information | General DLP Message |
| V 2.0 : DLP : Re-encrypted | Sub Rule | Information | General DLP Message |
| V 2.0 : DLP : Tagged (Mail) | Sub Rule | Information | General DLP Message |
| V 2.0 : DLP : Encrypted (User Key) | Sub Rule | Network Traffic | Encrypt Packet |
| V 2.0 : DLP : Encrypted (Group Key) | Sub Rule | Network Traffic | Encrypt Packet |
| V 2.0 : DLP : Moved | Sub Rule | Information | General DLP Message |
| V 2.0 : DLP : Passed (Encrypted) | Sub Rule | Network Allow | Traffic Allowed by DLP |
| V 2.0 : DLP : Passed (User Justified) | Sub Rule | Network Allow | Traffic Allowed by DLP |
| V 2.0 : DLP : Block (Endpoint Encryption not installed) | Sub Rule | Network Deny | Traffic Denied by DLP |
| V 2.0 : DLP : Blocked (user justified) | Sub Rule | Network Deny | Traffic Denied by DLP |
| V 2.0 : DLP : Blocked (Endpoint Encryption logged off) | Sub Rule | Network Deny | Traffic Denied by DLP |
| V 2.0 : DLP : Blocked (Endpoint Encryption error) | Sub Rule | Network Deny | Traffic Denied by DLP |
| V 2.0 : DLP : Web Upload | Sub Rule | Information | General DLP Message |
Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Header (logVer) | N/A | N/A | CEF format version |
| Header (vendor) | N/A | N/A | Appliance vendor |
| Header (pname) | N/A | N/A | Appliance product |
| Header (pver) | N/A | N/A | Appliance version |
| Header (eventid) | N/A | N/A | Event ID |
| Header (eventName) | <vmid> | Text/String | Log name |
| Header (severity) | <severity> | Number | Severity |
| cs3Label | N/A | N/A | Corresponding label for the "cs3" field |
| cs3 | N/A | N/A | Endpoint host name |
| cs1Label | N/A | N/A | Corresponding label for the "cs1" field |
| cs1 | N/A | N/A | Policy GUID |
| cs2Label | N/A | N/A | Corresponding label for the "cs2" field |
| cs2 | <policy> | Text/String | Policy name |
| cn1Label | N/A | N/A | Corresponding label for the "cn1" field |
| cn1 | N/A | N/A | Product type value |
| rt | N/A | N/A | Log generation time in UTC |
| src | <sip> | IP Address | Source host IP address |
| smac | <smac> | Text/String/Number | Source host MAC address |
| shost | <sname> | Text/String/Number | Source host name |
| cs4Label | N/A | N/A | Corresponding label for the "cs4" field |
| cs4 | <login> | Text/String/Number | The user name in violation |
| request | <url> | Text/String/Number | The URL accessed |
| suser | <sender> | Text/String/Number | Email sender |
| duser | <recipient> | Text/String/Number | Comma (,) separated list of recipients |
| msg | N/A | N/A | Subject |
| filepath | N/A | N/A | File path |
| fname | <object> | Text/String/Number | Trigger file name |
| cs5Label | N/A | N/A | Corresponding label for the "cs5" field |
| cs5 | N/A | N/A | Rule name |
| cs6Label | N/A | N/A | Corresponding label for the "cs6" field |
| cs6 | N/A | N/A | Template name |
| cn3Label | N/A | N/A | Corresponding label for the "cn3" field |
| cn3 | N/A | N/A | Channel type |
| cn2Label | N/A | N/A | Corresponding label for the "cn2" field |
| cn2 | <action> | Number | Action result |
| fsize | <size> | Number | File size in bytes |
| deviceFacility | N/A | N/A | Product name |
| deviceNtDomain | N/A | N/A | Active Directory domain |
| dntdom | N/A | N/A | Apex One domain hierarchy |
| externalId | N/A | N/A | Log ID of the event |
| cfp1Label | N/A | N/A | Corresponding label for the "cfp1" field |
| cfp1 | N/A | N/A | Indicates whether the forensic file can be downloaded |
| dvchost | N/A | N/A | Server host name |
| TMCMLogDetectedHost | N/A | N/A | Endpoint name where the log event occurred |
| TMCMLogDetectedIP | N/A | N/A | IP address where the log event occurred |
| ApexCentralHost | N/A | N/A | Apex Central host name |
| devicePayloadId | N/A | N/A | Unique message GUID |
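The mapping table above is easiest to verify against a real record if the CEF header and extension are parsed first and then each device key is looked up. The following Python is an added example, not LogRhythm's parser or Trend Micro's code: it splits the seven pipe-delimited header fields (honouring the CEF `\|` and `\\` escapes), tokenizes the `key=value` extension (honouring `\=`, `\\`, `\n`, `\r`), applies the key-to-schema mapping from the table, and resolves the `csN`/`cnN`/`cfpN` label pairs so the fields the table lists as N/A remain readable. The sample record, the label names in it, the event ID and the policy name are all constructed for the example; the page does not specify them.

```python
"""Parse a CEF-formatted Apex Central DLP record and map it onto the LogRhythm
schema fields from the mapping table. Added example; the sample record below is
constructed, not a real Apex Central log."""
import json
import re
from typing import Dict, Tuple

# CEF header positions, named as in the mapping table ("Header (logVer)" etc.).
HEADER_FIELDS = ("logVer", "vendor", "pname", "pver", "eventid", "eventName", "severity")

# Extension key -> LogRhythm schema field, taken from the mapping table.
# Keys the table lists as N/A are intentionally absent; they remain in the
# raw extension dict so nothing is silently dropped.
CEF_TO_LOGRHYTHM = {
    "cs2": "policy", "cn2": "action", "src": "sip", "smac": "smac",
    "shost": "sname", "cs4": "login", "request": "url", "suser": "sender",
    "duser": "recipient", "fname": "object", "fsize": "size",
}
NUMERIC_FIELDS = {"action", "size", "severity"}   # Data Type "Number" in the table

# An extension key is a run of key characters followed by '=', at the start of the
# extension or after whitespace. An escaped '\=' inside a value never matches
# because the character before '=' is a backslash, not a key character.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def split_cef_header(line: str) -> Tuple[Dict[str, str], str]:
    """Return (header dict, extension string). Header fields escape '|' as \\| and
    '\\' as \\\\, so the split has to walk the string rather than use str.split."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < len(HEADER_FIELDS):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):      # escaped character: keep it verbatim
            cur.append(line[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) != len(HEADER_FIELDS) or not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF record: expected 'CEF:n' plus 7 pipe-delimited header fields")
    fields[0] = fields[0][len("CEF:"):]           # logVer is the number after 'CEF:'
    return dict(zip(HEADER_FIELDS, fields)), line[i:]


def _unescape(value: str) -> str:
    # Extension values escape '=' and '\' with a backslash; \n and \r encode line breaks.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_extension(ext: str) -> Dict[str, str]:
    """Tokenize 'key=value key=value ...'; values may contain spaces, so each value
    runs from its '=' up to the next recognised key."""
    matches = list(_KEY_RE.finditer(ext))
    result = {}
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        result[m.group(1)] = _unescape(ext[m.end():end].strip())
    return result


def parse_cef(line: str) -> Dict[str, Dict[str, str]]:
    header, ext = split_cef_header(line.rstrip("\r\n"))
    return {"header": header, "extension": parse_extension(ext)}


def _to_int(value):
    try:
        return int(value)
    except ValueError:
        return value   # keep the raw text rather than lose the event


def to_logrhythm(record: Dict[str, Dict[str, str]]) -> Dict[str, object]:
    """Apply the mapping table: eventName -> vmid, severity -> severity, and each
    mapped extension key -> its schema field, casting the Number fields."""
    header, ext = record["header"], record["extension"]
    out: Dict[str, object] = {"vmid": header["eventName"], "severity": header["severity"]}
    for cef_key, schema_field in CEF_TO_LOGRHYTHM.items():
        if cef_key in ext:
            out[schema_field] = ext[cef_key]
    for field in NUMERIC_FIELDS & set(out):
        out[field] = _to_int(out[field])
    # Resolve csN/cnN/cfpN label pairs so the unmapped custom fields stay readable.
    out["labels"] = {ext[k]: ext[k[:-5]] for k in ext if k.endswith("Label") and k[:-5] in ext}
    # duser is a comma-separated recipient list per the table.
    out["recipients"] = [r.strip() for r in str(out["recipient"]).split(",")] if "recipient" in out else []
    return out


# Constructed sample record (label names, event ID and policy are invented for the
# example). Note the escaped '\=' in fname and the escaped backslash in cs4.
SAMPLE = (
    r"CEF:0|Trend Micro|Apex Central|2019|EXAMPLE-ID|Data Loss Prevention|6|"
    r"rt=1704067200000 cs3Label=HostName cs3=EXAMPLE-PC cs2Label=PolicyName "
    r"cs2=Block credit card numbers cn2Label=Action cn2=0 src=10.0.0.25 "
    r"shost=example-pc cs4Label=UserName cs4=CORP\\jdoe "
    r"request=https://upload.example.invalid/api/files "
    r"duser=alice@example.invalid, bob@example.invalid "
    r"fname=Q1\=customers.csv fsize=204800"
)

if __name__ == "__main__":
    print(json.dumps(to_logrhythm(parse_cef(SAMPLE)), indent=2))
```

Two points of the design are worth noting. Values such as the file name, the URL and the recipient list are content chosen by the user whose action was inspected, so the parser relies solely on the producer's escaping to find key boundaries and never re-splits a value; downstream rules should treat those fields as data, not as trusted structure. Number fields that fail to parse are kept as their raw text rather than dropped, so a malformed record still reaches the Base Rule instead of vanishing from the pipeline.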