V 2.0 : IPS Logs
Vendor Documentation
Classification
| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| V 2.0 : IPS Logs | Base Rule | General IPS Message | Information |
| V 2.0 : IPS Logs Blocked | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| V 2.0 : IPS Logs Warn | Sub Rule | General Network Traffic | Network Traffic |
| V 2.0 : IPS Logs Would Block | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Timestamp | N/A | N/A | When this request was made, in UTC. |
| Identities | `<object>` | Text/String | All tunnel identities associated with this request. |
| Identity Types | `<objecttype>` | Text/String | The type of identity associated with this request. |
| Generator ID | N/A | N/A | Unique ID assigned to the part of the IPS that generated the event. |
| Signature ID | N/A | N/A | Used to uniquely identify signatures. |
| Signature Message | `<subject>` | Text/String | A brief description of the signature. |
| Signature List ID | N/A | N/A | Unique ID assigned to a Default or Custom Signature List. |
| Severity | `<severity>` | Text/String | The severity level of the rule, such as High, Medium, Low, and Very Low. |
| Attack Classification | N/A | N/A | The category of attack detected by a rule; it is part of a more general attack class, such as trojan-activity, attempted-user, and unknown. |
| CVEs | `<cve>` | Text/String | A list of information about security vulnerabilities and exposures. |
| IP Protocol | `<protname>` | Text/String | The actual protocol of the traffic, such as TCP, UDP, or ICMP. |
| Session ID | `<session>` | Number | The unique identifier of a session, used to group correlated events across the various services. |
| Source IP | `<sip>` | IP Address | The IP address of the computer making the request. |
| Source Port | `<sport>` | Number | The port the request was made from. |
| Destination IP | `<dip>` | IP Address | The destination IP address requested. |
| Destination Port | `<dport>` | Number | The destination port the request was made to. |
| Action | `<action>` `<tag1>` | Text/String | The action performed when traffic meets a rule's criteria, such as block, warn, and would_block. |