V 2.0 : DLP Events
Vendor Documentation
Classification
| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| V 2.0: DLP Events | Base Rule | General DLP Message | Information |
| V 2.0 DLP: Accept | Sub Rule | Traffic Allowed by DLP | Network Allow |
| V 2.0 DLP: Encrypt | Sub Rule | Encrypt Packet | Network Traffic |
| V 2.0 DLP: Ask User | Sub Rule | General DLP Message | Information |
| V 2.0 DLP: Block | Sub Rule | Traffic Denied by DLP | Network Deny |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
| product | <vmid> | Text/String | Product name |
| Action | <action> <tag1> | Text/String | N/A |
| Originip | N/A | N/A | IP of the log origin |
| origin | N/A | N/A | Name of the first Security Gateway that reported this event |
| SIP | <sip> | IP Address | Source IP |
| SPort | <sport> | Number | Source host port number |
| DIP | <dip> | IP Address | Destination IP |
| dport | <dport> | Number | N/A |
| protocol | <protnum> | Number | Protocol detected on the connection |
| ifname | N/A | N/A | The name of the Security Gateway interface through which a connection traverses |
| ifdirection | N/A | N/A | N/A |
| proxy_src_ip | <snatip> | IP Address | Sender source IP (even when using proxy) |
| user | N/A | N/A | Source user name |
| src_user_name | <login> | Text/String | User name connected to source IP |
| dst_user_name | <account> | Text/String | Connected user name on the destination IP |
| from | <sender> | Text/String | Source mail Address |
| rule | N/A | N/A | N/A |
| severity | <severity> | Number | Threat severity determined by ThreatCloud Possible values: 0 - Informational 1 - Low 2 - Medium 3 - High 4 - Critical |
| user_status | N/A | N/A | N/A |
| portal_message | N/A | N/A | N/A |
| https_inspection_action | N/A | N/A | N/A |
| message_size | <size> | Number | Mail/post size |
| matched_file | N/A | N/A | Fingerprint: the file from FP repository that was matched by the traffic |
| dlp_file_name | <object> | Text/String | Matched file |
| dlp_recipients | <recipient> | Text/String | Mail recipients |
| dlp_word_list | N/A | N/A | Phrases matched by data type |
| dlp_template_score | N/A | N/A | Template data type match score |
| dlp_rule_name | N/A | N/A | Matched rule name |
| dlp_data_type_name | <objecttype> | Text/String | Matched data type |
| dlp_violation_description | N/A | N/A | Violation descriptions described in the rulebase |
| dlp_categories | N/A | N/A | Data type category |
| dlp_action_reason | <reason> | Text/String | Action chosen reason |
| dlp_subject | <subject> | Text/String | Mail subject |
| DLP_Transport | N/A | N/A | N/A |
| dlp_addtional_action | N/A | N/A | Watermark/None |
| duplicate | N/A | N/A | Log marked as duplicated, when mail is split and the Security Gateway sees it twice |
| incident_extension | N/A | N/A | Format of original data |
| outgoing_url | <url> | Text/String | URL related to this log (for HTTP) |
| Incident_UID | N/A | N/A | N/A |
| Related_Incident | N/A | N/A | N/A |
| time | N/A | N/A | The timestamp when the log was created |
| alert | N/A | N/A | N/A |
| flags | N/A | N/A | 131072 |
| loguid | N/A | N/A | UUID of unified logs |
| sequencenum | N/A | N/A | Number added to order logs with the same Linux timestamp and origin |
| version | N/A | N/A | N/A |
| __policy_id_tag | <policy> | Text/String | N/A |
| info | <vendorinfo> | Text/String | Special log message |
| origin_sic_name | N/A | N/A | Machine SIC |