V 2.0 Decryption Event Messages
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
---|---|---|---|
V 2.0 Decryption Event Messages | Base Rule | Session Information | Information |
V 2.0 Decryption Session Allowed | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
V 2.0 Decryption Session Denied | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
V 2.0 Decryption Session Dropped | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
V 2.0 Decryption Session Reset | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
---|---|---|---|
Type (type) | <vmid> | Text/String | Specifies the type of log; the value is DECRYPTION. |
Threat/ContentType (subtype) | <vendorinfo> | Text/String/Number | Not used in the Decryption log. |
Source Address (src) | <sip> | IP Address | Original session source IP address. |
Destination Address (dst) | <dip> | IP Address | Original session destination IP address. |
NAT Source IP (natsrc) | <snatip> | IP Address | If Source NAT is performed, the post-NAT Source IP address. |
NAT Destination IP (natdst) | <dnatip> | IP Address | If Destination NAT is performed, the post-NAT Destination IP address. |
Rule (rule) | <policy> | Text/String | A security policy rule that controls the session traffic. |
Source User (srcuser) | <domainorigin> <login> | Text/String | The username of the user who initiated the session. |
Destination User (dstuser) | <domainimpacted> <account> | Text/String | The username of the user to which the session was destined. |
Inbound Interface (inbound_if) | <sinterface> | Text/String | The interface the session was sourced from. |
Outbound Interface (outbound_if) | <dinterface> | Text/String | The interface the session was destined to. |
Session ID (sessionid) | <session> | Number | An internal numerical identifier applied to each session. |
Repeat Count (repeatcnt) | <quantity> | Number | Number of sessions with the same Source IP, Destination IP, Application, and Content/Threat Type seen within 5 seconds. |
Source Port (sport) | <sport> | Number | Source port utilized by the session. |
Destination Port (dport) | <dport> | Number | Destination port utilized by the session. |
NAT Source Port (natsport) | <snatport> | Number | Post-NAT source port. |
NAT Destination Port (natdport) | <dnatport> | Number | Post-NAT destination port. |
IP Protocol (proto) | <protname> | Text/String | IP protocol associated with the session. |
Action (action) | <action> <tag1> | Text/String | Action taken for the session; possible values are: |
Device Name (device_name) | <objectname> | Text/String | The hostname of the firewall on which the session was logged. |
Application Characteristic (characteristic_of_app) | <result> | Text/String | Comma-separated list of applicable characteristics of the application. |