Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
| Log Field | LogRhythm Default | LogRhythm Default v2.0 |
|---|
| N/A | <severity> | <sname> |
| N/A | <sip> | <sip> |
| N/A | <dip> | <dip> |
| N/A | <vendorinfo> | <dname> |
| N/A | <dname> | <sport> |
| N/A | <sport> | N/A |
| N/A | <dport> | <dport> |
| N/A | <login> | <login> |
| N/A | <domainorigin> | <domainorigin> |
| N/A | <process> | <subject> |
| N/A | <smac> | <smac> |
| N/A | <dmac> | <dmac> |
| N/A | <protname> | <protname> |
| N/A | <threatname> | <threatname> |
| N/A | <threatid> | <threatid> |
| N/A | <url> | <hash> |
| N/A | <quantity> | <quantity> |
| N/A | <group> | <tag1> |
| N/A | <duration> | <tag2> |
| N/A | <tag1> | N/A |
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
| Regex ID | Rule Name | Rule Type | Common Events | Classifications |
|---|
1001595
| Suspicious Activity | Base Rule | Suspicious Network Activity | Suspicious |
| Port Scan Detected | Sub Rule | Port Scan | Reconnaissance |
| Unsolicited Incoming ARP Reply Detected | Sub Rule | Suspicious Activity | Suspicious |
| Brute Force Remote Login | Sub Rule | Brute Force Activity | Attack |
| Category | Sub Rule | URL Logged - Category | Activity |
| Web Attack | Sub Rule | General Attack Activity | Attack |
| System Infected | Sub Rule | General Virus Infected Alert | Critical |
| OS Attack | Sub Rule | General Attack Activity | Attack |
| Attack | Sub Rule | General Attack Activity | Attack |
| Denial Of Service Attack | Sub Rule | Network Denial Of Service | Denial Of Service |
| Blocked Attack | Sub Rule | Threat Blocked | Failed Activity |
| Device Manager Allowed Device | Sub Rule | Device Allocated | Other Audit Success |
LogRhythm Default v2.0
| Regex ID | Rule Name | Rule Type | Common Events | Classifications |
|---|
| 1011181 | V 2.0 : Outbound SEP Malcious Activity Detected | Base Rule | General Attack Activity | Attack |
