Skip to main content
Skip table of contents

V 2.0 : Intrusion Prevention Event

Vendor Documentation


Rule Name

Rule Type


Common Event

V 2.0 : Intrusion Prevention EventBase RuleActivityGeneral Activity

Mapping with LogRhythm Schema

Device Key in Log Message

LogRhythm Schema

Data Type

Schema Description

Header (logVer)N/AN/ACEF format version
Header (vendor)N/AN/AProduct vendor
Header (pname)N/AN/AProduct name
Header (pver)N/AN/AProduct version
Header (eventid)N/AN/AEvent ID
Header (eventName)<vmid>Text/StringLog name
Header (severity)N/AN/ASeverity
rtN/AN/ALog generation time in UTC
dvchostN/AN/ADisplay name of the managed endpoint
deviceFacilityN/AN/AProduct name
6 = LOG
13 = BLOCK
257 = RESET
src<sip>IP AddressSource IPv4 address
c6a2LabelN/AN/ACorresponding label for the "c6a2" field
c6a2<sip>IP AddressSource IPv6 address
dst<dip>IP AddressDestination IPv4 address
c6a3LabelN/AN/ACorresponding label for the "c6a3" field
c6a3Label<dip>IP AddressDestination IPv6 address
smac<smac>Text/String/NumberSource MAC address
spt<sport>NumberSource port
dmac<dmac>Text/String/NumberDestination host MAC address
dpt<dport>NumberDestination port
cn2LabelN/AN/ACorresponding label for the "cn2" field
cn2N/AN/AIndicates whether the system is in "detection only" mode
0 or NULL = No
1 = Yes
deviceDirectionN/AN/AIncoming or outgoing direction
cn3LabelN/AN/ACorresponding label for the "cn3" field
cn3N/AN/AWeighted priority of the incident
cn4LabelN/AN/ACorresponding label for the "cn4" field
cn4<severity>NumberThe system defined incident severity value
1 = LOW
3 = HIGH
protoN/AN/AThe network protocol being exploited
28 = ICMP
46 = ICMPv6
10003 = TCP
10004 = UDP
10005 = IGMP
10006 = GGP
10007 = PUP
10008 = IDP
10009 = ND
10010 = RAW
cs2LabelN/AN/ACorresponding label for the "cs2" field
cs2N/AN/AThe network application name
cn1LabelN/AN/ACorresponding label for the "cn1" field
cn1N/AN/AThe ID of the inspection rule
cs1LabelN/AN/ACorresponding label for the "cs1" field
cs1<policy>Text/String/NumberThe string literal of the rule ID and description
cnt<quantity>NumberAggregated count
deviceNtDomainN/AN/AActive Directory domain
dntdomN/AN/AApex One domain hierarchy
TMCMLogDetectedHost<sname>Text/StringEndpoint name where the log event occurred
TMCMLogDetectedIP<sip>IP AddressIP address where the log event occurred
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.