V 2.0 : Endpoint Security Mgmt Event

Vendor Documentation

Classification

| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| V 2.0 : Endpoint Security Mgmt Event | Base Rule | General Information | Information |
| V 2.0 : Endpoint Console : Create Object | Sub Rule | Object Created | Access Success |
| V 2.0 : Endpoint Console : Delete Object | Sub Rule | Object Deleted/Removed | Access Success |
| V 2.0 : Endpoint Console : Install Policy | Sub Rule | Policy Enabled : System | Policy |
| V 2.0 : Endpoint Console : Modify Object | Sub Rule | Object Modified | Access Success |
| V 2.0 : Endpoint Console : UnAssign Policy | Sub Rule | Policy Disabled : System | Policy |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| product | <vmid> | Text/String | Product name |
| Originip | <dip> | IP Address | IP of the log origin |
| origin | N/A | N/A | Name of the first Security Gateway that reported this event |
| operation | <action>, <tag1> | Text/String | The type of operation done on the object or rule |
| subject | <vendorinfo> | Text/String | Audit log category |
| status | <status> | Text/String | N/A |
| administrator | <login> | Text/String | User who performed the operation |
| client | N/A | N/A | N/A |
| performedon | <object> | Text/String | The name of the object that is affected by the action |
| objecttable | N/A | N/A | N/A |
| objecttype | <objecttype> | Text/String | The type of the affected object |
| generalinformation | <subject> | Text/String | N/A |
| time | N/A | N/A | The time stamp when the log was created |
| Action | N/A | N/A | N/A |
| ifdirection | N/A | N/A | Connection direction |
| ifname | N/A | N/A | The name of the Security Gateway interface through which a connection traverses |
| alert | N/A | N/A | N/A |
| client_ip_host | <sip> | IP Address | N/A |
| flags | N/A | N/A | Checkpoint internal field |
| loguid | N/A | N/A | UUID of unified logs |
| originsicname | N/A | N/A | Machine SIC |
| sequencenum | N/A | N/A | Number added to order logs with the same Linux timestamp and origin |
| version | N/A | N/A | N/A |
| advanced_changes | N/A | N/A | N/A |
| fieldschanges | N/A | N/A | N/A |
| logic_changes | N/A | N/A | N/A |
| sendtotrackerasadvancedauditlog | N/A | N/A | N/A |
| session_uid | N/A | N/A | N/A |
| securitypolicy | <policy> | Text/String | N/A |
| uid | N/A | N/A | N/A |