Vendor Documentation
Classification
| Rule Name | Rule Type | Classification | Common Event |
|---|---|---|---|
| V 2.0 : Endpoint Application Control Event | Base Rule | Activity | General Activity |
| V 2.0 : Endpoint Application Control : Allowed | Sub Rule | Activity | Application Control Detection |
| V 2.0 : Endpoint Application Control : Blocked | Sub Rule | Failed Activity | Application Blocked |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Header (logVer) | N/A | N/A | CEF format version |
| Header (vendor) | N/A | N/A | Appliance vendor |
| Header (pname) | N/A | N/A | Appliance product |
| Header (pver) | N/A | N/A | Appliance version |
| Header (eventid) | N/A | N/A | 0: Allow |
| Header (eventName) | <vmid> | Text/String | Event name |
| Header (severity) | <severity> | Number | Severity |
| deviceExternalId | N/A | N/A | ID |
| dvchost | N/A | N/A | Computer name |
| rt | N/A | N/A | Log generation time in UTC |
| shost | <sname> | Text/String/Number | Client host name |
| cs1Label | N/A | N/A | Corresponding label for the "cs1" field |
| cs1 | N/A | N/A | Product server pattern version |
| suser | <login> | Text/String/Number | Client user name |
| cs2Label | N/A | N/A | Corresponding label for the "cs2" field |
| cs2 | <sip> | IP Address | Client IPv4 address |
| c6a3 | <sip> | IP Address | Client IPv6 address |
| cn1Label | N/A | N/A | Corresponding label for the "cn1" field |
| cn1 | N/A | N/A | Client status |
| filehash | <hash> | Text/String/Number | Application file SHA-1 hash |
| fname | <process> | Text/String | Application file name |
| cs3Label | N/A | N/A | Corresponding label for the "cs3" field |
| cs3 | <command> | Text/String | Application process command line |
| duser | <account> | Text/String/Number | User name |
| cs4Label | N/A | N/A | Corresponding label for the "cs4" field |
| cs4 | N/A | N/A | Rule name |
| cs5Label | N/A | N/A | Corresponding label for the "cs5" field |
| cs5 | <policy> | Text/String | Policy name |
| act | <action> | Text/String | Policy action |
| deviceFacility | N/A | N/A | Product name |
| deviceNtDomain | N/A | N/A | Active Directory domain |
| dntdom | N/A | N/A | Apex One domain hierarchy |
| ApexCentralHost | N/A | N/A | Apex Central host name |
| devicePayloadId | N/A | N/A | Unique message GUID |
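The mapping above applied to one message, as an added example that is not LogRhythm's or Trend Micro's code: a minimal CEF parser that returns the fields under their LogRhythm schema names, keeping space-containing values such as the command line intact. The sample log line is constructed, and checking cs2 before c6a3 for <sip> is an assumption (the page states no precedence).

```python
import ipaddress
import re

# CEF key -> LogRhythm schema field, from the mapping table above
# (cs2/c6a3 are handled separately because both land in <sip>).
CEF_TO_LOGRHYTHM = {
    "eventName": "vmid", "severity": "severity", "shost": "sname",
    "suser": "login", "filehash": "hash", "fname": "process",
    "cs3": "command", "duser": "account", "cs5": "policy", "act": "action",
}
EVENT_ID_NAMES = {"0": "Allow"}  # only eventid value the page documents
HEADER = ["logVer", "vendor", "pname", "pver", "eventid", "eventName", "severity"]

def parse_cef(line: str) -> dict:
    """Split the 'CEF:' prefix, 7 '|'-separated header fields and the extension."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF message")
    parts = re.split(r"(?<!\\)\|", line[4:], maxsplit=7)  # '\|' is an escaped pipe
    if len(parts) != 8:
        raise ValueError("CEF header must have 7 fields")
    fields = dict(zip(HEADER, parts[:7]))
    # Extension values may contain spaces (rt, cs3, cs4): a value ends only where
    # whitespace is followed by another 'key=' token, so '--mode=quiet' stays intact.
    for m in re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", parts[7]):
        fields[m.group(1)] = m.group(2)
    return fields

def map_to_logrhythm(line: str) -> dict:
    """Apply the page's mapping; keys are LogRhythm schema names."""
    f = parse_cef(line)
    out = {schema: f[key] for key, schema in CEF_TO_LOGRHYTHM.items() if key in f}
    out["severity"] = int(out["severity"])  # Data Type: Number
    # cs2 carries the client IPv4, c6a3 the IPv6; both map to <sip>. Checking
    # cs2 first is an assumption; the page states no precedence. Bad values raise.
    out["sip"] = next((str(ipaddress.ip_address(f[k])) for k in ("cs2", "c6a3") if k in f), None)
    # eventid is N/A in the schema; decoded here for readability only.
    out["eventid"] = EVENT_ID_NAMES.get(f["eventid"], f["eventid"])
    return out

# Constructed sample (not a real Apex Central log); the hash is a placeholder.
SAMPLE = (
    "CEF:0|Trend Micro|Apex Central|2019|0|Endpoint Application Control|3|"
    "rt=Jan 02 2024 10:15:00 GMT+00:00 shost=WS-1234 suser=alice "
    "cs2Label=Client_IP cs2=10.1.2.3 filehash=0123456789abcdef0123456789abcdef01234567 "
    "fname=tool.exe cs3Label=Command_Line cs3=C:\\Temp\\tool.exe --mode=quiet "
    "duser=bob cs4Label=Rule cs4=Block unsigned cs5Label=Policy cs5=Default act=Allow"
)
```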