Vendor Documentation
Classification
| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| V 2.0 : Symantec DLP Events | Base Rule | General DLP Message | Information |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| N/A | N/A | N/A | Format |
| N/A | <vendorinfo> | Text/String | DeviceProduct |
| N/A | N/A | N/A | Device Vendor |
| N/A | N/A | N/A | Device Version |
| N/A | N/A | N/A | ruleID |
| N/A | N/A | N/A | POLICY |
| N/A | N/A | N/A | Severity |
| APPLICATION_NAME | <process> | Text/String | Specifies the name of the application that is associated with the incident. |
| ATTACHMENT_FILENAME | <object> | Text/String | Specifies the name of the attached file. |
| BLOCKED | <action> | Text/String | Indication of whether or not Symantec Data Loss Prevention blocked the message (yes or no). |
| DESTINATION_IP | <dip> | IP Address | Specifies the destination IP address. |
| INCIDENT_ID | N/A | N/A | The unique identifier of the incident. |
| INCIDENT_SNAPSHOT | <url> | Text/String | The fully qualified URL to the incident snapshot page for the incident. |
| MATCH_COUNT | N/A | N/A | The incident match count. |
| OCCURED_ON | N/A | N/A | Specifies the date on which the incident occurred. This date may be different from the date on which the incident was reported. |
| POLICY | <policy> | Text/String | The name of the policy that was violated. |
| POLICY_RULES / RULES | N/A | N/A | A comma-separated list of one or more policy rules that were violated. |
| PROTOCOL | <protname> | Text/String | The protocol, device type, and target type of the incident, where applicable. |
| RECIPIENTS | <recipient> | Text/String | A comma-separated list of one or more message recipients. Includes the requested URL in web incidents. |
| REPORTED_ON | N/A | N/A | Specifies the date on which the incident was reported. |
| MONITOR_NAME | N/A | N/A | Specifies the detection server or cloud detector that created the incident. |
| SENDER | <sender> | Text/String | The message sender. |
| SEVERITY | <severity> | Text/String | The severity that is assigned to the incident. |
| STATUS | <status> | Text/String | Specifies the remediation status of the incident. |
| SUBJECT | <subject> | Text/String | The subject of the message. |
| URL | <url> | Text/String | Specifies the file path or location. |
| APPLICATION_USER | <account> | N/A | The name of the application user. |
| DATAOWNER_NAME | N/A | N/A | The person responsible for remediating the incident. This field must be set manually, or with one of the lookup plug-ins. |
| DATAOWNER_EMAIL | N/A | N/A | The email address of the person responsible for remediating the incident. This field can be set manually, or with one of the lookup plug-ins. |
| ENDPOINT_LOCATION | N/A | N/A | The location of the endpoint computer. |
| ENDPOINT_MACHINE | <sname> | Text/String | The name of the endpoint computer that generated the violation. |
| ENDPOINT USERNAME | <domainorigin>/<login> | Text/String | The name of the endpoint user. |
| MACHINE_IP | <sip> | IP Address | The corporate IP address of the endpoint computer. |
| USER_JUSTIFICATION | <reason> | Text/String | The justification that was provided by the endpoint user. |
| PATH | N/A | N/A | The full path to the file in which the incident was found. |
| FILE_NAME | <object> | Text/String | The name of the file in which the incident was found. |
| PARENT_PATH | N/A | N/A | The path to the parent directory of the file in which the incident was found. |
| QUARANTINE_PARENT_PATH | N/A | N/A | The path to the parent directory in which the file was quarantined. |
| SCAN_DATE | N/A | N/A | The date of the scan that found the incident. |
| TARGET | N/A | N/A | The name of the target in which the incident was found. |
| FNAME | <object> | Text/String | N/A |
| ENDPOINT_DEVICE_ID | N/A | N/A | N/A |