V 2.0 : Mobile App Events
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
---|---|---|---|
V 2.0 : Mobile App Events | Base Rule | General Information | Information |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
---|---|---|---|
virtuallogsource | N/A | N/A | N/A |
subproduct | N/A | N/A | Can be VPN or non-VPN |
Product | <vmid> | Text/String | Product name |
Originip | N/A | N/A | IP of the log origin |
origin | N/A | N/A | Name of the first Security Gateway that reported this event |
Action | <action> | Text/String | N/A |
SIP | <sip> | IP Address | Source IP |
SPort | <sport> | Number | Source host port number |
DIP | <dip> | IP Address | Destination IP |
dport | <dport> | Number | Destination host port number |
protocol | <protnum> | Number | Protocol detected on the connection |
ifname | <sinterface> | Text/String | The name of the Security Gateway interface through which a connection traverses |
ifdirection | N/A | N/A | N/A |
Reason | N/A | N/A | Information on the error occurred |
Rule | N/A | N/A | Matched rule number |
Info | N/A | N/A | Rule information on the blocked diameter CMD |
XlateSIP | <snatip> | IP Address | Source ipv4 after applying NAT |
XlateSport | <snatport> | Number | Source port after applying hide NAT on source IP |
XlateDIP | <dnatip> | IP Address | Destination ipv4 after applying NAT |
XlateDPort | <dnatport> | Number | Destination port after applying NAT |
User | N/A | N/A | Source user name |
alert | N/A | N/A | Alert level of matched rule (for connection logs) |
icmp-code | N/A | N/A | N/A |
icmp-type | N/A | N/A | N/A |
matched_category | N/A | N/A | Name of matched category |
rule_name | N/A | N/A | Access rule name |
Url | N/A | N/A | Matched URL |
time | N/A | N/A | The time stamp when the log was created |
src_user_name | <login> | Text/String | User name connected to source IP |
Severity | <severity> | Number | Threat severity determined by ThreatCloud Possible values: 0 - Informational 1 - Low 2 - Medium 3 - High 4 - Critical |
Protection_Type | N/A | N/A | Type of protection used to detect the attack |
appi_name | N/A | N/A | Application name |
client_name | N/A | N/A | Client Application or Software Blade that detected the event |
status | <status> | Text/String | OK/Warning/Error |
flags | N/A | N/A | Checkpoint internal field |
loguid | N/A | N/A | UUID of unified logs |
sequencenum | N/A | N/A | Number added to order logs with the same Linux timestamp and origin |
version | N/A | N/A | N/A |
app_package | N/A | N/A | Unique identifier of the application on the protected mobile device |
app_repackaged | N/A | N/A | Indicates whether the original application was repackaged by someone other than the official developer |
app_sig_id | N/A | N/A | The signature ID by which the application was detected |
app_version | N/A | N/A | Version of the application downloaded on the protected mobile device |
calc_geo_location | N/A | N/A | N/A |
client_version | <version> | Number | Build version of SandBlast Agent client installed on the computer |
dashboard_event_id | N/A | N/A | N/A |
dashboard_orig | N/A | N/A | N/A |
dashboard_time | N/A | N/A | N/A |
default_device_message | N/A | N/A | N/A |
developer_certificate_name | N/A | N/A | Name of the developer's certificate that was used to sign the mobile application |
developer_certificate_sha | N/A | N/A | N/A |
device_identification | N/A | N/A | N/A |
email_address | N/A | N/A | N/A |
facility | N/A | N/A | N/A |
hardware_model | N/A | N/A | N/A |
host_type | N/A | N/A | N/A |
incident_time | N/A | N/A | N/A |
jailbreak_message | N/A | N/A | N/A |
mdm_id | N/A | N/A | N/A |
os_name | N/A | N/A | Name of the OS installed on the source endpoint computer |
os_version | N/A | N/A | Build version of the OS installed on the source endpoint computer |
phone_number | N/A | N/A | N/A |
sys_app | N/A | N/A | N/A |
syslog_severity | N/A | N/A | N/A |