V 2.0 : Endpoint Security Mgmt Event
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
---|---|---|---|
V 2.0 : Endpoint Security Mgmt Event | Base Rule | General Information | Information |
V 2.0 : Endpoint Console : Create Object | Sub Rule | Object Created | Access Success |
V 2.0 : Endpoint Console : Delete Object | Sub Rule | Object Deleted/Removed | Access Success |
V 2.0 : Endpoint Console : Install Policy | Sub Rule | Policy Enabled : System | Policy |
V 2.0 : Endpoint Console : Modify Object | Sub Rule | Object Modified | Access Success |
V 2.0 : Endpoint Console : UnAssign Policy | Sub Rule | Policy Disabled : System | Policy |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
---|---|---|---|
product | <vmid> | Text/String | Product name |
Originip | <dip> | IP Address | IP of the log origin |
origin | N/A | N/A | Name of the first Security Gateway that reported this event |
operation | <action> <tag1> | Text/String | The type of operation done on the object or rule |
subject | <vendorinfo> | Text/String | Audit log category |
status | <status> | Text/String | N/A |
administrator | <login> | Text/String | User who performed the operation |
client | N/A | N/A | N/A |
performedon | <object> | Text/String | The name of the object that is affected by the action |
objecttable | N/A | N/A | N/A |
objecttype | <objecttype> | Text/String | The type of the affected object |
generalinformation | <subject> | Text/String | N/A |
time | N/A | N/A | The time stamp when the log was created |
Action | N/A | N/A | N/A |
ifdirection | N/A | N/A | Connection direction |
ifname | N/A | N/A | The name of the Security Gateway interface through which a connection traverses |
alert | N/A | N/A | N/A |
client_ip_host | <sip> | IP Address | N/A |
flags | N/A | N/A | Checkpoint internal field |
loguid | N/A | N/A | UUID of unified logs |
originsicname | N/A | N/A | Machine SIC |
sequencenum | N/A | N/A | Number added to order logs with the same Linux timestamp and origin |
version | N/A | N/A | N/A |
advanced_changes | N/A | N/A | N/A |
fieldschanges | N/A | N/A | N/A |
logic_changes | N/A | N/A | N/A |
sendtotrackerasadvancedauditlog | N/A | N/A | N/A |
session_uid | N/A | N/A | N/A |
securitypolicy | <policy> | Text/String | N/A |
uid | N/A | N/A | N/A |