V 2.0 Scan Threat Messages
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
---|---|---|---|
V 2.0 Scan Threat Messages | Base Rule | General Threat Message | Activity |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
---|---|---|---|
Type (type) | <vmid> | Text/String | Specifies the type of log; the value is THREAT. |
Threat/Content Type (subtype) | <vendorinfo> | Text/String | A subtype of threat log. Values include the following: |
Source address (src) | <sip> | IP Address | Original session source IP address |
Destination address (dst) | <dip> | IP Address | Original session destination IP address |
NAT Source IP (natsrc) | <snatip> | IP Address | If Source NAT is performed, the post-NAT Source IP address |
NAT Destination IP (natdst) | <dnatip> | IP Address | If Destination NAT is performed, the post-NAT Destination IP address |
Rule Name (rule) | <policy> | Text/String | Name of the rule that the session matched |
Source User (srcuser) | <domainorigin> | Text/String | The username of the user who initiated the session |
Destination User (dstuser) | <domainimpacted> | Text/String | The username of the user to which the session was destined |
Inbound Interface (inbound_if) | <sinterface> | Text/String | Interface that the session was sourced from |
Outbound Interface (outbound_if) | <dinterface> | Text/String | Interface that the session was destined to |
Session ID (sessionid) | <session> | Number | An internal numerical identifier is applied to each session |
Repeat Count (repeatcnt) | <quantity> | Number | Number of sessions with the same Source IP, Destination IP, Application, and Subtype seen within 5 seconds |
Source Port (sport) | <sport> | Number | Source port utilized by the session |
Destination Port (dport) | <dport> | Number | Destination port utilized by the session |
NAT Source Port (natsport) | <snatport> | Number | Post-NAT source port |
NAT Destination Port (natdport) | <dnatport> | Number | Post-NAT destination port |
IP Protocol (proto) | <protname> | Text/String | IP protocol associated with the session |
Action (action) | <action> | Text/String | Action is taken for the session; values are alert, allow, deny, drop, drop-all-packets, reset-client, reset-server, reset-both, and block-URL. |
Threat/Content Name (threatid) | <threatname> | Text/String/Number | Palo Alto Networks identifier for the threat. It is a description string followed by a 64-bit numerical identifier in parentheses for some Subtypes |
Severity (severity) | <severity> | Text/String | Severity associated with the threat; values are informational, low, medium, high, critical. |
Device Name (device_name) | <objectname> | Text/String | The hostname of the firewall on which the session was logged |
Application Characteristic (characteristic_of_app)** | <group> | Text/String | Comma-separated list of applicable characteristics of the application |