
V 2.0 : Network Content Inspection Event

Vendor Documentation

Classification

| Rule Name | Rule Type | Classification | Common Event |
|---|---|---|---|
| V 2.0 : Network Content Inspection Event | Base Rule | Activity | General Activity |
| V 2.0 : Network Content Inspection : Unknown | Sub Rule | Activity | General Activity |
| V 2.0 : Network Content Inspection : Pass | Sub Rule | Activity | Web Activity Allowed |
| V 2.0 : Network Content Inspection : Block | Sub Rule | Failed Activity | General Failed Activity |
| V 2.0 : Network Content Inspection : Monitor | Sub Rule | Activity | General Activity |
| V 2.0 : Network Content Inspection : Delete | Sub Rule | Failed Activity | General Failed Activity |
| V 2.0 : Network Content Inspection : Quarantine | Sub Rule | Activity | Quarantine |
| V 2.0 : Network Content Inspection : Warn | Sub Rule | Activity | General Activity |
| V 2.0 : Network Content Inspection : Warn & Continue | Sub Rule | Activity | Web Activity Allowed |
| V 2.0 : Network Content Inspection : Override | Sub Rule | Activity | Web Activity Allowed |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Header (logVer) | N/A | N/A | CEF format version |
| Header (vendor) | N/A | N/A | Appliance vendor |
| Header (pname) | N/A | N/A | Appliance product |
| Header (pver) | N/A | N/A | Appliance version |
| Header (eventid) | <vmid> | Text/String | NCIE:Action |
| Header (eventName) | N/A | N/A | Name |
| Header (severity) | <severity> | Number | Severity |
| deviceExternalId | N/A | N/A | ID |
| rt | N/A | N/A | Log generation time in UTC |
| cat | N/A | N/A | Log type |
| deviceFacility | N/A | N/A | Product name |
| deviceProcessName | <process> | Text/String/Number | Target Process |
| act | <action>, <tag1> | Text/String | Action: 0: Unknown; 1: Pass; 2: Block; 3: Monitor; 4: Delete; 5: Quarantine; 6: Warn; 7: Warn and continue; 8: Override |
| src | <sip> | IP Address | Source IPv4 address |
| c6a2Label | N/A | N/A | Corresponding label for the "c6a2" field |
| c6a2 | N/A | N/A | Local IPv6 address |
| dst | <dip> | IP Address | Destination IPv4 address |
| c6a3Label | N/A | N/A | Corresponding label for the "c6a3" field |
| c6a3 | N/A | N/A | Remote IPv6 address |
| spt | <sport> | Number | Source port |
| dpt | <dport> | Number | Destination port |
| deviceDirection | N/A | N/A | Traffic direction: 0: None; 1: Inbound; 2: Outbound |
| cn1Label | N/A | N/A | Corresponding label for the "cn1" field |
| cn1 | N/A | N/A | Pattern type: 0: Global C&C pattern; 1: Relevance rules; 2: User-defined block list |
| cs2Label | N/A | N/A | Corresponding label for the "cs2" field |
| cs2 | <threatname> | Text/String | Threat name |
| reason | <reason> | Text/String | Critical threat type: A: Known Advanced Persistent Threat (APT); B: Social engineering attack; C: Vulnerability attack; D: Lateral movement; E: Unknown threats; F: C&C callback; G: Ransomware |
| deviceNtDomain | N/A | N/A | Active Directory domain |
| dntdom | N/A | N/A | Apex One domain hierarchy |
| dvchost | N/A | N/A | Host name |
| TMCMLogDetectedHost | N/A | N/A | Endpoint name where the log event occurred |
| TMCMLogDetectedIP | N/A | N/A | IP address where the log event occurred |
| ApexCentralHost | N/A | N/A | Apex Central host name |
| devicePayloadId | N/A | N/A | Unique message GUID |
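As an added example (not part of this page and not LogRhythm's own parsing rule), the following Python applies the mapping above to a constructed CEF record: it splits the seven header fields from the extension, parses the key=value pairs, renames the mapped keys to their schema fields, and decodes the act and reason enumerations. The vendor, product and version strings, the sample values, and the "NCIE:<Action>" shape of eventid are assumptions.

```python
import re
# Value enumerations from the mapping table above (the act and reason keys).
ACTIONS = {0: "Unknown", 1: "Pass", 2: "Block", 3: "Monitor", 4: "Delete",
           5: "Quarantine", 6: "Warn", 7: "Warn and continue", 8: "Override"}
REASONS = {"A": "Known Advanced Persistent Threat (APT)", "B": "Social engineering attack",
           "C": "Vulnerability attack", "D": "Lateral movement", "E": "Unknown threats",
           "F": "C&C callback", "G": "Ransomware"}
# CEF extension key -> LogRhythm schema field, as listed above (act is handled separately).
EXT_TO_SCHEMA = {"deviceProcessName": "process", "src": "sip", "dst": "dip", "spt": "sport",
                 "dpt": "dport", "cs2": "threatname", "reason": "reason"}
HEADER_NAMES = ("logVer", "vendor", "pname", "pver", "eventid", "eventName", "severity")

def parse_header(line):
    """Split the seven pipe-delimited CEF header fields from the extension string."""
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)  # an escaped '\|' is not a delimiter
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    header = dict(zip(HEADER_NAMES, parts[:7]))
    header["logVer"] = header["logVer"][len("CEF:"):]
    return header, parts[7]

def parse_extension(ext):
    """Parse 'key=value' pairs; values may contain spaces, '\\=' and '\\\\' are escapes."""
    keys = list(re.finditer(r"(?:^|\s)(\w+)=", ext))
    fields = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        raw = ext[m.end():end].strip()
        fields[m.group(1)] = raw.replace("\\=", "=").replace("\\\\", "\\")
    return fields

def map_event(line):
    """Return the LogRhythm-schema view of one Network Content Inspection record."""
    header, ext = parse_header(line)
    fields = parse_extension(ext)
    event = {"vmid": header["eventid"], "severity": int(header["severity"])}
    for key, schema in EXT_TO_SCHEMA.items():
        if key in fields:
            event[schema] = int(fields[key]) if schema in ("sport", "dport") else fields[key]
    if "act" in fields:  # the page maps act to both <action> and <tag1>; this split is assumed
        event["tag1"] = fields["act"]
        event["action"] = ACTIONS.get(int(fields["act"]), "Unknown")
    if "reason" in event:  # decode the one-letter critical threat type
        event["reason"] = REASONS.get(event["reason"], event["reason"])
    return event

# Constructed sample record (not a real log); eventid assumed to follow the "NCIE:<Action>" shape.
SAMPLE = ("CEF:0|Trend Micro|Apex Central|1.0|NCIE:Block|Network Content Inspection Event|8|"
          "act=2 src=10.0.0.5 dst=203.0.113.9 spt=51234 dpt=443 "
          "deviceProcessName=C:\\\\Program Files\\\\app.exe cs2Label=Threat Name cs2=Sample.Threat reason=F")
```

Calling `map_event(SAMPLE)` yields the schema fields a downstream rule would see, with act decoded to "Block" and reason F to "C&C callback".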