V 2.0 : Endpoint Application Control Event
Vendor Documentation
Classification
Rule Name | Rule Type | Classification | Common Event |
|---|---|---|---|
| V 2.0 : Endpoint Application Control Event | Base Rule | Activity | General Activity |
| V 2.0 : Endpoint Application Control : Allowed | Sub Rule | Activity | Application Control Detection |
| V 2.0 : Endpoint Application Control : Blocked | Sub Rule | Failed Activity | Application Blocked |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Header (logVer) | N/A | N/A | CEF format version |
| Header (vendor) | N/A | N/A | Appliance vendor |
| Header (pname) | N/A | N/A | Appliance product |
| Header (pver) | N/A | N/A | Appliance version |
| Header (eventid) | N/A | N/A | 0: Allow 1: Block 2: Lockdown |
| Header (eventName) | <vmid> | Text/String | Event name |
| Header (severity) | <severity> | Number | Severity |
| deviceExternalId | N/A | N/A | ID |
| dvchost | N/A | N/A | Computer name |
| rt | N/A | N/A | Log generation time in UTC |
| shost | <sname> | Text/String/Number | Client host name |
| cs1Label | N/A | N/A | Corresponding label for the "cs1" field |
| cs1 | N/A | N/A | Product server pattern version |
| suser | <login> | Text/String/Number | Client user name |
| cs2Label | N/A | N/A | Corresponding label for the "cs2" field |
| cs2 | <sip> | IP Address | Client IPv4 address |
| c6a3 | <sip> | IP Address | Client IPv6 address |
| cn1Label | N/A | N/A | Corresponding label for the "cn1" field |
| cn1 | N/A | N/A | Client status 1: Rebuilding database 2: Online 3: Offline |
| filehash | <hash> | Text/String/Number | Application file SHA-1 hash |
| fname | <process> | Text/String | Application file name |
| cs3Label | N/A | N/A | Corresponding label for the "cs3" field |
| cs3 | <command> | Text/String | Application process command line |
| duser | <account> | Text/String/Number | User name |
| cs4Label | N/A | N/A | Corresponding label for the "cs4" field |
| cs4 | N/A | N/A | Rule name |
| cs5Label | N/A | N/A | Corresponding label for the "cs5" field |
| cs5 | <policy> | Text/String | Policy name |
| act | <action> <tag1> | Text/String | Policy action 0: Allowed 1: Blocked 2: Reported as allowed 3: Reported as blocked |
| deviceFacility | N/A | N/A | Product name |
| deviceNtDomain | N/A | N/A | Active Directory domain |
| dntdom | N/A | N/A | Apex One domain hierarchy |
| ApexCentralHost | N/A | N/A | Apex Central host name |
| devicePayloadId | N/A | N/A | Unique message GUID |