V 2.0 : Network Content Inspection Event
Vendor Documentation
Classification
Rule Name | Rule Type | Classification | Common Event |
---|---|---|---|
V 2.0 : Network Content Inspection Event | Base Rule | Activity | General Activity |
V 2.0 : Network Content Inspection : Unknown | Sub Rule | Activity | General Activity |
V 2.0 : Network Content Inspection : Pass | Sub Rule | Activity | Web Activity Allowed |
V 2.0 : Network Content Inspection : Block | Sub Rule | Failed Activity | General Failed Activity |
V 2.0 : Network Content Inspection : Monitor | Sub Rule | Activity | General Activity |
V 2.0 : Network Content Inspection : Delete | Sub Rule | Failed Activity | General Failed Activity |
V 2.0 : Network Content Inspection : Quarantine | Sub Rule | Activity | Quarantine |
V 2.0 : Network Content Inspection : Warn | Sub Rule | Activity | General Activity |
V 2.0 : Network Content Inspection : Warn & Continue | Sub Rule | Activity | Web Activity Allowed |
V 2.0 : Network Content Inspection : Override | Sub Rule | Activity | Web Activity Allowed |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
---|---|---|---|
Header (logVer) | N/A | N/A | CEF format version |
Header (vendor) | N/A | N/A | Appliance vendor |
Header (pname) | N/A | N/A | Appliance product |
Header (pver) | N/A | N/A | Appliance version |
Header (eventid) | <vmid> | Text/String | NCIE:Action |
Header (eventName) | N/A | N/A | Name |
Header (severity) | <severity> | Number | Severity |
deviceExternalId | N/A | N/A | ID |
rt | N/A | N/A | Log generation time in UTC |
cat | N/A | N/A | Log type |
deviceFacility | N/A | N/A | Product name |
deviceProcessName | <process> | Text/String/Number | Target Process |
act | <action> <tag1> | Text/String | Action 0: Unknown 1: Pass 2: Block 3: Monitor 4: Delete 5: Quarantine 6: Warn 7: Warn and continue 8: Override |
src | <sip> | IP Address | Source IPv4 address |
c6a2Label | N/A | N/A | Corresponding label for the "c6a2" field |
c6a2 | N/A | N/A | Local IPv6 address |
dst | <dip> | IP Address | Destination IPv4 address |
c6a3Label | N/A | N/A | Corresponding label for the "c6a3" field |
c6a3 | N/A | N/A | Remote IPv6 address |
spt | <sport> | Number | Source port |
dpt | <dport> | Number | Destination port |
deviceDirection | N/A | N/A | Traffic direction 0: None 1: Inbound 2: Outbound |
cn1Label | N/A | N/A | Corresponding label for the "cn1" field |
cn1 | N/A | N/A | Pattern type 0: Global C&C pattern 1: Relevance rules 2: User-defined block list |
cs2Label | N/A | N/A | Corresponding label for the "cs2" field |
cs2 | <threatname> | Text/String | Threat name |
reason | <reason> | Text/String | Critical threat type A: Known Advanced Persistent Threat (APT) B: Social engineering attack C: Vulnerability attack D: Lateral movement E: Unknown threats F: C&C callback G: Ransomware |
deviceNtDomain | N/A | N/A | Active Directory domain |
dntdom | N/A | N/A | Apex One domain hierarchy |
dvchost | N/A | N/A | Host name |
TMCMLogDetectedHost | N/A | N/A | Endpoint name where the log event occurred |
TMCMLogDetectedIP | N/A | N/A | IP address where the log event occurred |
ApexCentralHost | N/A | N/A | Apex Central host name |
devicePayloadId | N/A | N/A | Unique message GUID |