V 2.0 : Device Access Control Event
Vendor Documentation
Classification
Rule Name | Rule Type | Classification | Common Event |
---|---|---|---|
V 2.0 : Device Access Control Event | Base Rule | Other Audit | General Access Control Message |
V 2.0 : Device Access Control : Modify | Sub Rule | Access Success | Object Modified |
V 2.0 : Device Access Control : Read & Execute | Sub Rule | Access Success | Object Read |
V 2.0 : Device Access Control : Read | Sub Rule | Access Success | Object Read |
V 2.0 : DAC : List Device Content Only | Sub Rule | Access Success | Object Read |
V 2.0 : Device Access Control : Block | Sub Rule | Access Failure | Access Object Failure |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
---|---|---|---|
Header (logVer) | N/A | N/A | CEF format version |
Header (vendor) | N/A | N/A | Appliance vendor |
Header (pname) | N/A | N/A | Appliance product |
Header (pver) | N/A | N/A | Appliance version |
Header (eventid) | N/A | N/A | Event ID |
Header (eventName) | <vmid> | Text/String | Log name |
Header (severity) | <severity> | Number | Severity |
rt | N/A | N/A | The log generation time in UTC |
cs1Label | N/A | N/A | Corresponding label for the "cs1" field |
cs1 | N/A | N/A | Server host name |
shost | <sname> | Text/String/Number | Source host name |
duser | <domainimpacted> <account> | Text/String/Number | User name |
dvchost | <dname> | Text/String/Number | Target host name |
cn1Label | N/A | N/A | Corresponding label for the "cn1" field |
cn1 | N/A | N/A | Product ID: 0 = Unknown product; 1 = ScanMail for ccMail; 2 = ScanMail for Lotus Domino; 3 = ScanMail for Microsoft Exchange; 4 = ScanMail for Microsoft Mail; 5 = ScanMail for OpenMail; 6 = Reserved 1; 7 = Reserved 2; 8 = Reserved 3; 9 = Reserved 4; 10 = InterScan WebProtect; 11 = Reserved 5; 12 = Reserved 6; 13 = Reserved 7; 14 = PC-cillin Corporate Edition; 15 = Apex One; 16 = Apex One for Microsoft SBS; 18 = ServerProtect for Windows; 19 = ServerProtect for Windows (SOHO); 20 = Apex Central; 21 = Generic; 22 = InterScan VirusWall for Unix; 23 = InterScan VirusWall for Windows; 24 = MOCA; 25 = GoldenGate; 26 = ActiveUpdate; 27 = IS_Y2K_SCANNER; 28 = Y2K VIRUS TECH SUPPORT SRV; 30 = HouseCall; 31 = PC-cillin ISP server; 32 = PC-cillin ISP client; 33 = eManager for ScanMail Exchange; 34 = InterScan Messaging Security Suite for Windows; 35 = InterScan Messaging Security Suite for UNIX; 36 = PortalProtect; 37 = GateLock Corporate Edition; 38 = Firewall management (NetScreen); 39 = InterScan Web Security Suite for Solaris; 40 = InterScan Web Security Suite for Windows NT; 41 = Nokia Message Protector; 42 = InterScan Web Security Suite for Linux; 43 = InterScan Web Security Suite for Appliance; 44 = InterScan Messaging Security Appliance; 45 = InterScan for Small and Medium Business for Windows NT; 46 = InterScan Web Security Virtual Appliance; 47 = InterScan Messaging Security Virtual Appliance; 50 = InterScan Gateway Security Appliance; 51 = ServerProtect for Linux; 52 = ServerProtect for EMC; 53 = ServerProtect for NetApp; 56 = Child Apex Central Server; 60 = Damage Cleanup Services; 65 = Golden Gate for NT; 66 = Network VirusWall 1200; 67 = Network VirusWall MIPS; 68 = Network VirusWall 2500; 69 = Network VirusWall 2500 v2; 70 = Vulnerability Assessment; 71 = Network Virus Wall Enforcer 1200; 72 = Network VirusWall Enforcer; 73 = Network VirusWall Enforcer; 75 = Trend Micro Threat Mitigator; 85 = Anti-Spyware Enterprise Edition; 87 = Trend Micro InterScan for Cisco CSC SSM-20; 88 = Trend Micro InterScan for Cisco CSC SSM-10; 90 = IM Security; 95 = InterScan VirusWall; 96 = InterScan VirusWall for Linux; 100 = Control Manager Agent; 200 = eDoctor Server; 300 = eDoctor Agent; 132 = InterScan Messaging Security Suite for Solaris; 120 = Threat Discovery Appliance; 131 = Database Protect for Linux; 151 = Total Discovery Mitigation Server; 154 = Deep Discovery Inspector; 155 = ScanMail for IBM Domino; 156 = Deep Discovery Email Inspector; 1000 = InterScan eManager; 1001 = InterScan AppletTrap; 1002 = InterScan VirusWall Java; 1003 = IS_SEMAIL; 1004 = InterScan WebProtect for ICAP; 10001 = NEC StarOffice; 20001 = Dr. Soloman Anti-virus; 20002 = Inoculan; 20003 = Norton Anti-virus; 20004 = Sophos Sweep; 20005 = Intel LANProtect; 20006 = McAfee Virus Scan; 20007 = FProt; 21000 = Other third-party product; 31001 = Apex One (Mac); 31002 = Trend Micro Endpoint Encryption; 31003 = Trend Micro Endpoint Application Control; 31004 = Trend Micro Deep Security; 31006 = Vulnerability Protection; 31005 = Trend Micro Mobile Security; 31007 = Trend Micro Safe Mobile Workforce; 31008 = Deep Discovery Analyzer; 31009 = Trend Micro Endpoint Sensor; 31012 = Deep Discovery Web Inspector; 31101 = Trend Micro Email Security; 31102 = Worry Free Business Security Services; 31103 = Trend Micro Web Security; 31104 = Cloud App Security; 55555 = Demo product |
sproc | <process> | Text/String | Target process |
fname | <object> | Text/String/Number | File name |
cn2Label | N/A | N/A | Corresponding label for the "cn2" field |
cn2 | N/A | N/A | 0 = USB storage device; 1 = Non-storage USB; 2 = CD/DVD; 3 = Floppy disks; 4 = Network driver |
cn3Label | N/A | N/A | Corresponding label for the "cn3" field |
cn3 | <action> <tag1> | Text/String/Number | 0 = Modify; 1 = Read and execute; 2 = Read; 3 = List device content only; 4 = Block |
deviceFacility | N/A | N/A | Product |
deviceNtDomain | N/A | N/A | Active Directory domain |
dntdom | N/A | N/A | Apex One domain hierarchy |
TMCMLogDetectedHost | <sname> | Text/String/Number | Endpoint name where the log event occurred |
TMCMLogDetectedIP | <sip> | IP Address | IP address where the log event occurred |
ApexCentralHost | N/A | N/A | Apex Central host name |
devicePayloadId | N/A | N/A | Unique message GUID |
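An added example, not LogRhythm's or Trend Micro's code: it parses one constructed Apex Central CEF event carrying the keys listed above and maps it onto the schema fields and the sub rule that the two tables prescribe for its cn3 action code. The sample values (hosts, user, paths, event ID, GUID) are made up, and splitting duser on a backslash into domain and account is an assumption.

```python
import re

# Added example (not LogRhythm or Trend Micro code): normalise an Apex Central CEF Device Access
# Control event to the LogRhythm schema names above. CN3: code -> (action, sub rule, class, common event)
CN3 = {
    "0": ("Modify", "V 2.0 : Device Access Control : Modify", "Access Success", "Object Modified"),
    "1": ("Read and execute", "V 2.0 : Device Access Control : Read & Execute", "Access Success", "Object Read"),
    "2": ("Read", "V 2.0 : Device Access Control : Read", "Access Success", "Object Read"),
    "3": ("List device content only", "V 2.0 : DAC : List Device Content Only", "Access Success", "Object Read"),
    "4": ("Block", "V 2.0 : Device Access Control : Block", "Access Failure", "Access Object Failure"),
}
BASE = ("", "V 2.0 : Device Access Control Event", "Other Audit", "General Access Control Message")
# cn2 device type codes: not a LogRhythm schema field, but context an analyst wants on a Block event
CN2 = {"0": "USB storage device", "1": "Non-storage USB", "2": "CD/DVD", "3": "Floppy disks", "4": "Network driver"}

def parse_cef(line):
    """Split a CEF line into a header dict and an extension dict ('\\|' and '\\=' are escapes)."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    parts = re.split(r"(?<!\\)\|", line[4:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    names = ("logVer", "vendor", "pname", "pver", "eventid", "eventName", "severity")
    header = dict(zip(names, (p.replace("\\|", "|") for p in parts[:7])))
    # a value runs until the next ' key=' token, so spaces inside values (rt, deviceFacility) survive
    ext = {m.group(1): m.group(2).replace("\\=", "=").strip()
           for m in re.finditer(r"(\w+)=(.*?)(?=\s\w+=|$)", parts[7])}
    return header, ext

def to_logrhythm(line):
    header, ext = parse_cef(line)
    # duser is assumed to look like 'DOMAIN\\user'; the table splits it into <domainimpacted> <account>
    domain, _, account = ext.get("duser", "").rpartition("\\")
    action, sub_rule, classification, common_event = CN3.get(ext.get("cn3", ""), BASE)
    return {"rule": sub_rule, "classification": classification, "common_event": common_event,
            "vmid": header["eventName"], "severity": int(header["severity"]),
            "sname": ext.get("TMCMLogDetectedHost") or ext.get("shost"), "sip": ext.get("TMCMLogDetectedIP"),
            "domainimpacted": domain, "account": account, "dname": ext.get("dvchost"),
            "process": ext.get("sproc"), "object": ext.get("fname"),
            "action": action, "tag1": ext.get("cn3"),  # cn3 feeds both <action> and <tag1>
            "device_type": CN2.get(ext.get("cn2", ""), "unknown")}

# Constructed sample event: hosts, user, paths, event ID and GUID are made up
SAMPLE = (r"CEF:0|Trend Micro|Apex Central|2019|sample-eventid|Device Access Control|3|"
          r"rt=Jan 01 2024 10:00:00 GMT+00:00 cs1Label=Server cs1=apexone-srv shost=WS-017 "
          r"duser=CORP\jdoe dvchost=WS-017 cn1Label=ProductID cn1=15 sproc=C:\Windows\explorer.exe "
          r"fname=E:\payroll.xlsx cn2Label=DeviceType cn2=0 cn3Label=Action cn3=4 deviceFacility=Apex One "
          r"TMCMLogDetectedHost=WS-017 TMCMLogDetectedIP=10.0.0.23 ApexCentralHost=apex-central "
          r"devicePayloadId=sample-guid")
```

Running `to_logrhythm(SAMPLE)` yields the Block sub rule with classification Access Failure, and an unknown cn3 code falls back to the base rule.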