V 2.0 : Product Auditing Event
Vendor Documentation
Classification
| Rule Name | Rule Type | Classification | Common Event |
|---|---|---|---|
| V 2.0 : Product Auditing Event | Base Rule | Other Audit | General Auditing Message |
| V 2.0 : Product Auditing : Error | Sub Rule | Error | General Error Message |
| V 2.0 : Product Auditing : Warning | Sub Rule | Warning | General Warning Log Message |
| V 2.0 : Product Auditing : Information | Sub Rule | Information | General Information Log Message |
| V 2.0 : Product Auditing : Failure Audit | Sub Rule | Failure Audit | Auditing Failed |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Header (logVer) | N/A | N/A | CEF format version |
| Header (vendor) | <vendorinfo> | Text/string | Product vendor |
| Header (pname) | N/A | N/A | Product name |
| Header (pver) | N/A | N/A | Product version |
| Header (eventid) | N/A | N/A | Event ID |
| Header (eventName) | <vmid> | Text/string | Log name |
| Header (severity) | N/A | N/A | Severity |
| cat | N/A | N/A | Log type |
| deviceFacility | N/A | N/A | Managed product |
| dvchost | N/A | N/A | Display name of the managed endpoint |
| rt | N/A | N/A | Log generation time in UTC |
| cn1Label | N/A | N/A | Corresponding label for the "cn1" field |
| cn1 | N/A | N/A | Category ID. Example: "536,870,912" |
| cn2Label | N/A | N/A | Corresponding label for the "cn2" field |
| cn2 | <severity> <tag1> | Number | Severity level (1 = ERROR, 2 = WARNING, 4 = INFORMATION, 16 = FAILURE AUDIT). Example: "4" |
| suser | <login> | Text/string | The name of the user on whose behalf the event occurred |
| deviceNtDomain | N/A | N/A | Active Directory domain. Example: APEXTMCM |
| dntdom | N/A | N/A | Apex One domain hierarchy |
| ApexCentralHost | N/A | N/A | Apex Central host name |
| devicePayloadId | N/A | N/A | Unique message GUID |
| act | <action> | Text/string | Action |
| src | <sip> | Number/IP address | Source IP |
| dst | <dip> | Number/IP address | Destination IP |
| smac | <smac> | Text/string | Source MAC |
| spt | <sport> | Number | Source Port |
| dmac | <dmac> | Text/string | Destination MAC |
| dpt | <dport> | Number | Destination Port |
| deviceDirection | N/A | N/A | Direction |
| cn3Label | N/A | N/A | N/A |
| cn3 | N/A | N/A | N/A |
| cn4Label | N/A | N/A | N/A |
| cn4 | N/A | N/A | N/A |
| proto | <protnum> | Number | N/A |
| cs2Label | N/A | N/A | N/A |
| cs2 | N/A | N/A | N/A |
| cs1Label | N/A | N/A | N/A |
| cs1 | N/A | N/A | N/A |
| cnt | N/A | N/A | N/A |
| cn2Label | N/A | N/A | N/A |
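The two tables above describe how a CEF product auditing record is split into header and extension fields, how the cn2 severity code selects the sub rule, and which extension keys land in which LogRhythm schema fields. The following Python script is an added example, not LogRhythm's or Trend Micro's own parser: it parses a single CEF line along the header/extension boundary, unescapes CEF escape sequences, picks the sub rule from cn2 (falling back to the base rule when cn2 is missing or carries an unlisted code), and projects the result onto the schema fields named in the mapping table. The sample record, including the header values, host names, domain and GUID, is constructed for this example and was not captured from a real system; the function names are this example's own.

```python
import re

# Sub rules keyed on the cn2 severity code listed in the mapping table.
SEVERITY_TO_SUBRULE = {
    1: "V 2.0 : Product Auditing : Error",
    2: "V 2.0 : Product Auditing : Warning",
    4: "V 2.0 : Product Auditing : Information",
    16: "V 2.0 : Product Auditing : Failure Audit",
}
BASE_RULE = "V 2.0 : Product Auditing Event"

# The seven CEF header positions, named as in the mapping table.
HEADER_KEYS = ("logVer", "vendor", "pname", "pver", "eventid", "eventName", "severity")

# Extension keys that the mapping table assigns to a LogRhythm schema field.
EXT_TO_SCHEMA = {
    "suser": "login", "act": "action", "src": "sip", "dst": "dip",
    "smac": "smac", "spt": "sport", "dmac": "dmac", "dpt": "dport",
    "proto": "protnum",
}

_HEADER_SPLIT = re.compile(r"(?<!\\)\|")          # '|' not preceded by a backslash
_EXT_PAIR = re.compile(r"([A-Za-z0-9_.]+)=(.*?)(?=\s+[A-Za-z0-9_.]+=|$)", re.S)


def _unescape(value, in_header):
    # CEF escapes '|' and '\' in the header; '=', '\', newline and CR in the extension.
    allowed = "|\\" if in_header else "=\\nr"

    def repl(m):
        c = m.group(1)
        if c not in allowed:
            return m.group(0)            # not an escape sequence here; keep both characters
        if in_header:
            return c
        return {"n": "\n", "r": "\r"}.get(c, c)

    return re.sub(r"\\(.)", repl, value, flags=re.S)


def parse_cef(line):
    """Split one CEF record into its header fields and extension key/value pairs."""
    parts = _HEADER_SPLIT.split(line.strip(), maxsplit=7)
    if len(parts) < 7 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    header = {k: _unescape(v, True) for k, v in zip(HEADER_KEYS, parts[:7])}
    header["logVer"] = header["logVer"][len("CEF:"):]
    extension = {}
    if len(parts) == 8:
        # Values may contain spaces, so a pair ends only where the next 'key=' begins.
        for key, raw in _EXT_PAIR.findall(parts[7].strip()):
            extension[key] = _unescape(raw, False)
    return {"header": header, "extension": extension}


def classify_event(event):
    """Choose the sub rule from cn2; the base rule applies when cn2 is absent or unlisted.

    Note that the rule keys on cn2, not on the CEF header severity (mapped N/A above)."""
    cn2 = event["extension"].get("cn2")
    try:
        return SEVERITY_TO_SUBRULE.get(int(cn2), BASE_RULE)
    except (TypeError, ValueError):
        return BASE_RULE


def map_to_schema(event):
    """Project the parsed event onto the LogRhythm schema fields named in the table."""
    hdr, ext = event["header"], event["extension"]
    fields = {"vendorinfo": hdr["vendor"], "vmid": hdr["eventName"]}
    if "cn2" in ext:
        fields["severity"] = ext["cn2"]
        fields["tag1"] = ext["cn2"]
    for key, schema_field in EXT_TO_SCHEMA.items():
        if key in ext:
            fields[schema_field] = ext[key]
    return fields


# Constructed sample record for this example (not captured from a real Apex Central system).
SAMPLE_LINE = (
    "CEF:0|Trend Micro|Apex Central|2019|PRODUCT_AUDITING|Product Auditing Event|3|"
    "cat=Product Auditing deviceFacility=Apex One dvchost=EXAMPLE-ENDPOINT "
    "rt=Mar 01 2024 10:15:00 GMT+00:00 cn1Label=Category ID cn1=536870912 "
    "cn2Label=Severity cn2=16 suser=EXAMPLEDOMAIN\\\\auditor "
    "deviceNtDomain=EXAMPLEDOMAIN dntdom=Apex One\\\\Workgroup "
    "ApexCentralHost=apex-central.example.internal "
    "devicePayloadId=00000000-0000-0000-0000-000000000000"
)

if __name__ == "__main__":
    event = parse_cef(SAMPLE_LINE)
    print("rule:", classify_event(event))
    for name, value in map_to_schema(event).items():
        print(f"{name} = {value!r}")
```

Running the script on the constructed record classifies it under the Failure Audit sub rule (cn2 = 16) even though the header severity field is 3, which is the point worth checking in a real deployment: a detection built on the header severity would not fire where the rule table keys on cn2.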