V 2.0 : Intrusion Prevention Event
Vendor Documentation
Classification
Rule Name | Rule Type | Classification | Common Event |
|---|---|---|---|
| V 2.0 : Intrusion Prevention Event | Base Rule | Activity | General Activity |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
| Header (logVer) | N/A | N/A | CEF format version |
| Header (vendor) | N/A | N/A | Product vendor |
| Header (pname) | N/A | N/A | Product name |
| Header (pver) | N/A | N/A | Product version |
| Header (eventid) | N/A | N/A | Event ID |
| Header (eventName) | <vmid> | Text/String | Log name |
| Header (severity) | N/A | N/A | Severity |
| rt | N/A | N/A | Log generation time in UTC |
| dvchost | N/A | N/A | Display name of the managed endpoint |
| deviceFacility | N/A | N/A | Product name |
| act | <action> | Text/String | Action 0 = UNKNOWN 3 = DELETE 6 = LOG 10 = INSERT/REPLACE 13 = BLOCK 257 = RESET |
| src | <sip> | IP Address | Source IPv4 address |
| c6a2Label | N/A | N/A | Corresponding label for the "c6a2" field |
| c6a2 | <sip> | IP Address | Source IPv6 address |
| dst | <dip> | IP Address | Destination IPv4 address |
| c6a3Label | N/A | N/A | Corresponding label for the "c6a3" field |
| c6a3Label | <dip> | IP Address | Destination IPv6 address |
| smac | <smac> | Text/String/Number | Source MAC address |
| spt | <sport> | Number | Source port |
| dmac | <dmac> | Text/String/Number | Destination host MAC address |
| dpt | <dport> | Number | Destination port |
| cn2Label | N/A | N/A | Corresponding label for the "cn2" field |
| cn2 | N/A | N/A | Indicates whether the system is in "detection only" mode 0 or NULL = No 1 = Yes |
| deviceDirection | N/A | N/A | Incoming or outgoing direction |
| cn3Label | N/A | N/A | Corresponding label for the "cn3" field |
| cn3 | N/A | N/A | Weighted priority of the incident |
| cn4Label | N/A | N/A | Corresponding label for the "cn4" field |
| cn4 | <severity> | Number | The system defined incident severity value 1 = LOW 2 = MEDIUM 3 = HIGH 4 = CRITICAL |
| proto | N/A | N/A | The network protocol being exploited 28 = ICMP 46 = ICMPv6 10003 = TCP 10004 = UDP 10005 = IGMP 10006 = GGP 10007 = PUP 10008 = IDP 10009 = ND 10010 = RAW |
| cs2Label | N/A | N/A | Corresponding label for the "cs2" field |
| cs2 | N/A | N/A | The network application name |
| cn1Label | N/A | N/A | Corresponding label for the "cn1" field |
| cn1 | N/A | N/A | The ID of the inspection rule |
| cs1Label | N/A | N/A | Corresponding label for the "cs1" field |
| cs1 | <policy> | Text/String/Number | The string literal of the rule ID and description |
| cnt | <quantity> | Number | Aggregated count |
| deviceNtDomain | N/A | N/A | Active Directory domain |
| dntdom | N/A | N/A | Apex One domain hierarchy |
| TMCMLogDetectedHost | <sname> | Text/String | Endpoint name where the log event occurred |
| TMCMLogDetectedIP | <sip> | IP Address | IP address where the log event occurred |