
V 2.0 Decryption Event Messages

Vendor Documentation

Classification

| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| V 2.0 Decryption Event Messages | Base Rule | Session Information | Information |
| V 2.0 Decryption Session Allowed | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| V 2.0 Decryption Session Denied | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| V 2.0 Decryption Session Dropped | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| V 2.0 Decryption Session Reset | Sub Rule | Traffic Denied by Network Firewall | Network Deny |

Mapping with LogRhythm Schema  

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Type (type) | `<vmid>` | Text/String | Specifies the type of log; the value is DECRYPTION. |
| Threat/ContentType (subtype) | `<vendorinfo>` | Text/String/Number | Not used in the Decryption log. |
| Source Address (src) | `<sip>` | IP Address | Original session source IP address. |
| Destination Address (dst) | `<dip>` | IP Address | Original session destination IP address. |
| NAT Source IP (natsrc) | `<snatip>` | IP Address | If Source NAT is performed, the post-NAT Source IP address. |
| NAT Destination IP (natdst) | `<dnatip>` | IP Address | If Destination NAT is performed, the post-NAT Destination IP address. |
| Rule (rule) | `<policy>` | Text/String | A security policy rule that controls the session traffic. |
| Source User (srcuser) | `<domainorigin>`, `<login>` | Text/String | The username of the user who initiated the session. |
| Destination User (dstuser) | `<domainimpacted>`, `<account>` | Text/String | The username of the user to which the session was destined. |
| Inbound Interface (inbound_if) | `<sinterface>` | Text/String | An interface that the session was sourced from. |
| Outbound Interface (outbound_if) | `<dinterface>` | Text/String | An interface that the session was destined to. |
| Session ID (sessionid) | `<session>` | Number | An internal numerical identifier is applied to each session. |
| Repeat Count (repeatcnt) | `<quantity>` | Number | Number of sessions with the same Source IP, Destination IP, Application, and Content/Threat Type seen within 5 seconds. |
| Source Port (sport) | `<sport>` | Number | Source port utilized by the session. |
| Destination Port (dport) | `<dport>` | Number | Destination port utilized by the session. |
| NAT Source Port (natsport) | `<snatport>` | Number | Post-NAT source port. |
| NAT Destination Port (natdport) | `<dnatport>` | Number | Post-NAT destination port. |
| IP Protocol (proto) | `<protname>` | Text/String | IP protocol associated with the session. |
| Action (action) | `<action>`, `<tag1>` | Text/String | Action taken for the session; possible values are listed after this table. |
| Application Characteristic (characteristic_of_app) | `<objectname>` | Text/String | Comma-separated list of applicable characteristics of the application. |

Possible values for Action (action):
  • allow—the session was allowed by policy
  • deny—the session was denied by policy
  • drop—the session was dropped silently
  • drop ICMP—session was silently dropped with an ICMP unreachable message to the host or application
  • reset both—session was terminated and a TCP reset was sent to both sides of the connection
  • reset client—the session was terminated and a TCP reset was sent to the client
  • reset server—session was terminated and a TCP reset was sent to the server