Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
|
Log Field |
LogRhythm Default |
LogRhythm Default v2.0 |
|---|---|---|
|
N/A |
<severity> |
<sname> |
|
N/A |
<sip> |
<sip> |
|
N/A |
<dip> |
<dip> |
|
N/A |
<vendorinfo> |
<dname> |
|
N/A |
<dname> |
<sport> |
|
N/A |
<sport> |
N/A |
|
N/A |
<dport> |
<dport> |
|
N/A |
<login> |
<login> |
|
N/A |
<domainorigin> |
<domainorigin> |
|
N/A |
<process> |
<subject> |
|
N/A |
<smac> |
<smac> |
|
N/A |
<dmac> |
<dmac> |
|
N/A |
<protname> |
<protname> |
|
N/A |
<threatname> |
<threatname> |
|
N/A |
<threatid> |
<threatid> |
|
N/A |
<url> |
<hash> |
|
N/A |
<quantity> |
<quantity> |
|
N/A |
<group> |
<tag1> |
|
N/A |
<duration> |
<tag2> |
|
N/A |
<tag1> |
N/A |
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
|
Regex ID |
Rule Name |
Rule Type |
Common Events |
Classifications |
|---|---|---|---|---|
|
1001595
|
Suspicious Activity |
Base Rule |
Suspicious Network Activity |
Suspicious |
|
Port Scan Detected |
Sub Rule |
Port Scan |
Reconnaissance |
|
|
Unsolicited Incoming ARP Reply Detected |
Sub Rule |
Suspicious Activity |
Suspicious |
|
|
Brute Force Remote Login |
Sub Rule |
Brute Force Activity |
Attack |
|
|
Category |
Sub Rule |
URL Logged - Category |
Activity |
|
|
Web Attack |
Sub Rule |
General Attack Activity |
Attack |
|
|
System Infected |
Sub Rule |
General Virus Infected Alert |
Critical |
|
|
OS Attack |
Sub Rule |
General Attack Activity |
Attack |
|
|
Attack |
Sub Rule |
General Attack Activity |
Attack |
|
|
Denial Of Service Attack |
Sub Rule |
Network Denial Of Service |
Denial Of Service |
|
|
Blocked Attack |
Sub Rule |
Threat Blocked |
Failed Activity |
|
|
Device Manager Allowed Device |
Sub Rule |
Device Allocated |
Other Audit Success |
LogRhythm Default v2.0
|
Regex ID |
Rule Name |
Rule Type |
Common Events |
Classifications |
|---|---|---|---|---|
|
1011181 |
V 2.0 : Outbound SEP Malcious Activity Detected |
Base Rule |
General Attack Activity |
Attack |