V 2.0 : Data Loss Prevention Event
Vendor Documentation
Classification
| Rule Name | Rule Type | Classification | Common Event |
|---|---|---|---|
| V 2.0 : Data Loss Prevention Event | Base Rule | Information | General DLP Message |
| V 2.0 : DLP : Not Available | Sub Rule | Information | General DLP Message |
| V 2.0 : DLP : Blocked | Sub Rule | Network Deny | Traffic Denied by DLP |
| V 2.0 : DLP : Deleted | Sub Rule | Network Deny | Traffic Denied by DLP |
| V 2.0 : DLP : Delivered | Sub Rule | Network Allow | Traffic Allowed by DLP |
| V 2.0 : DLP : Logged | Sub Rule | Information | General DLP Message |
| V 2.0 : DLP : Passed | Sub Rule | Network Allow | Traffic Allowed by DLP |
| V 2.0 : DLP : Quarantined | Sub Rule | Information | General DLP Message |
| V 2.0 : DLP : Replaced | Sub Rule | Information | General DLP Message |
| V 2.0 : DLP : Archived | Sub Rule | Information | General DLP Message |
| V 2.0 : DLP : Archived (Message Body Only) | Sub Rule | Information | General DLP Message |
| V 2.0 : DLP : Quarantined (Message Body Only) | Sub Rule | Information | General DLP Message |
| V 2.0 : DLP : Passed (Message Body Only) | Sub Rule | Network Allow | Traffic Allowed by DLP |
| V 2.0 : DLP : Encrypted | Sub Rule | Network Traffic | Encrypt Packet |
| V 2.0 : DLP : Alerted (Endpoint) | Sub Rule | Information | General DLP Message |
| V 2.0 : DLP : Alerted (Server) | Sub Rule | Information | General DLP Message |
| V 2.0 : DLP : Data Recorded | Sub Rule | Information | General DLP Message |
| V 2.0 : DLP : User Justified | Sub Rule | Network Allow | Traffic Allowed by DLP |
| V 2.0 : DLP : Handed Off | Sub Rule | Information | General DLP Message |
| V 2.0 : DLP : Recipient Altered | Sub Rule | Information | General DLP Message |
| V 2.0 : DLP : Blind Carbon Copied | Sub Rule | Information | General DLP Message |
| V 2.0 : DLP : Delivery Postponed | Sub Rule | Information | General DLP Message |
| V 2.0 : DLP : Stamped | Sub Rule | Information | General DLP Message |
| V 2.0 : DLP : Attachment Deleted | Sub Rule | Information | General DLP Message |
| V 2.0 : DLP : Subject Tagged | Sub Rule | Information | General DLP Message |
| V 2.0 : DLP : X-header Tagged | Sub Rule | Information | General DLP Message |
| V 2.0 : DLP : Decrypted | Sub Rule | Information | General DLP Message |
| V 2.0 : DLP : Re-encrypted | Sub Rule | Information | General DLP Message |
| V 2.0 : DLP : Tagged (Mail) | Sub Rule | Information | General DLP Message |
| V 2.0 : DLP : Encrypted (User Key) | Sub Rule | Network Traffic | Encrypt Packet |
| V 2.0 : DLP : Encrypted (Group Key) | Sub Rule | Network Traffic | Encrypt Packet |
| V 2.0 : DLP : Moved | Sub Rule | Information | General DLP Message |
| V 2.0 : DLP : Passed (Encrypted) | Sub Rule | Network Allow | Traffic Allowed by DLP |
| V 2.0 : DLP : Passed (User Justified) | Sub Rule | Network Allow | Traffic Allowed by DLP |
| V 2.0 : DLP : Block (Endpoint Encryption not installed) | Sub Rule | Network Deny | Traffic Denied by DLP |
| V 2.0 : DLP : Blocked (user justified) | Sub Rule | Network Deny | Traffic Denied by DLP |
| V 2.0 : DLP : Blocked (Endpoint Encryption logged off) | Sub Rule | Network Deny | Traffic Denied by DLP |
| V 2.0 : DLP : Blocked (Endpoint Encryption error) | Sub Rule | Network Deny | Traffic Denied by DLP |
| V 2.0 : DLP : Web Upload | Sub Rule | Information | General DLP Message |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Header (logVer) | N/A | N/A | CEF format version |
| Header (vendor) | N/A | N/A | Appliance vendor |
| Header (pname) | N/A | N/A | Appliance product |
| Header (pver) | N/A | N/A | Appliance version |
| Header (eventid) | N/A | N/A | Event ID |
| Header (eventName) | <vmid> | Text/String | Log name |
| Header (severity) | <severity> | Number | Severity |
| cs3Label | N/A | N/A | Corresponding label for the "cs3" field |
| cs3 | N/A | N/A | Endpoint host name |
| cs1Label | N/A | N/A | Corresponding label for the "cs1" field |
| cs1 | N/A | N/A | Policy GUID |
| cs2Label | N/A | N/A | Corresponding label for the "cs2" field |
| cs2 | <policy> | Text/String | Policy name |
| cn1Label | N/A | N/A | Corresponding label for the "cn1" field |
| cn1 | N/A | N/A | Product type value |
| rt | N/A | N/A | Log generation time in UTC |
| src | <sip> | Ip Address | Source host IP address |
| smac | <smac> | Text/String/Number | Source host MAC address |
| shost | <sname> | Text/String/Number | Source host name |
| cs4Label | N/A | N/A | Corresponding label for the "cs4" field |
| cs4 | <login> | Text/String/Number | The user name in violation |
| request | <url> | Text/String/Number | The URL accessed |
| suser | <sender> | Text/String/Number | Email sender |
| duser | <recipient> | Text/String/Number | Comma (,) separated list of recipients |
| msg | N/A | N/A | Subject |
| filepath | N/A | N/A | File path |
| fname | <object> | Text/String/Number | Trigger file name |
| cs5Label | N/A | N/A | Corresponding label for the "cs5" field |
| cs5 | N/A | N/A | Rule name |
| cs6Label | N/A | N/A | Corresponding label for the "cs6" field |
| cs6 | N/A | N/A | Template name |
| cn3Label | N/A | N/A | Corresponding label for the "cn3" field |
| cn3 | N/A | N/A | Channel type |
| cn2Label | N/A | N/A | Corresponding label for the "cn2" field |
| cn2 | <action> <tag1> | Number | Action result |
| fsize | <size> | Number | File size in bytes |
| deviceFacility | N/A | N/A | Product name |
| deviceNtDomain | N/A | N/A | Active Directory domain |
| dntdom | N/A | N/A | Apex One domain hierarchy |
| externalId | N/A | N/A | Log ID of the event |
| cfp1Label | N/A | N/A | Corresponding label for the "cfp1" field |
| cfp1 | N/A | N/A | Indicates whether the forensic file can be downloaded |
| dvchost | N/A | N/A | Server host name |
| TMCMLogDetectedHost | N/A | N/A | Endpoint name where the log event occurred |
| TMCMLogDetectedIP | N/A | N/A | IP address where the log event occurred |
| ApexCentralHost | N/A | N/A | Apex Central host name |
| devicePayloadId | N/A | N/A | Unique message GUID |
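As an added worked example (not vendor or LogRhythm code), the following Python applies the mapping table above to a DLP record: it splits the CEF header and extension with the CEF escaping rules, renames the keys the table maps to their LogRhythm schema fields, and reports unmapped custom fields (cs1, cs5, cn3, ...) under the name carried in their *Label companion. The sample record, its vendor strings and the label names are constructed assumptions.

```python
import re
# Extension key -> LogRhythm field(s) per the table (cn2 feeds <action> and <tag1>).
CEF_TO_LOGRHYTHM = {
    "src": ("sip",), "smac": ("smac",), "shost": ("sname",),
    "cs4": ("login",), "request": ("url",), "suser": ("sender",),
    "duser": ("recipient",), "fname": ("object",), "cs2": ("policy",),
    "fsize": ("size",), "cn2": ("action", "tag1"),
}
INT_FIELDS = {"size", "action", "tag1"}  # data type "Number" in the table
HEADER = ("logVer", "vendor", "pname", "pver", "eventid", "eventName", "severity")
# A value runs until the next " key="; spaces and CEF escapes (\= \\ \|) stay inside it.
_EXT_RE = re.compile(r"(\w+)=((?:\\.|[^\\])*?)(?=\s\w+=|$)")

def _unescape(value: str) -> str:
    return re.sub(r"\\(.)", r"\1", value)  # \| \= \\  ->  | = \

def parse_cef(line: str) -> dict:
    """Split a CEF record into its 7 header fields and its extension pairs."""
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)  # '\|' is not a separator
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts[0] = parts[0][4:]  # "CEF:0" -> "0"
    header = dict(zip(HEADER, (_unescape(p) for p in parts[:7])))
    ext = {k: _unescape(v) for k, v in _EXT_RE.findall(parts[7])}
    return {"header": header, "ext": ext}

def to_logrhythm(line: str) -> dict:
    """Apply the mapping; unmapped custom fields are keyed by their *Label value."""
    rec = parse_cef(line)
    out = {"vmid": rec["header"]["eventName"],
           "severity": int(rec["header"]["severity"])}
    unmapped = {}
    for key, value in rec["ext"].items():
        if key in CEF_TO_LOGRHYTHM:
            for field in CEF_TO_LOGRHYTHM[key]:
                out[field] = int(value) if field in INT_FIELDS else value
        elif not key.endswith("Label"):
            unmapped[rec["ext"].get(key + "Label", key)] = value
    out["unmapped"] = unmapped
    return out

# Constructed sample record (not captured from an appliance); the vendor
# strings and the cs*Label names are assumptions.
SAMPLE = (r"CEF:0|Trend Micro|Apex Central|2019|DLP|Data Loss Prevention|3|"
          r"rt=Mar 20 2024 14:05:00 GMT+00:00 cs3Label=DLP_HostName cs3=WS-0042 "
          r"cs2Label=Policy_Name cs2=Block PII to Web src=10.0.0.25 shost=WS-0042 "
          r"cs4Label=User cs4=CORP\\jdoe request=https://upload.example.invalid/f "
          r"msg=Re\= Q1 report filepath=C:\\Users\\jdoe\\report.xlsx fname=report.xlsx "
          r"cs5Label=Rule cs5=SSN Pattern cn2Label=Action cn2=1 fsize=20480")
```

Running `to_logrhythm(SAMPLE)` yields the schema fields the table maps (sip, sname, login, policy, object, size, action/tag1) plus an `unmapped` dict keyed by label names such as `Rule` and `DLP_HostName`.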