| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| N/A | N/A | N/A | Format |
| N/A | N/A | N/A | Device Vendor |
| N/A | <vendorinfo> | Text/String | DeviceProduct |
| N/A | N/A | N/A | Device Version |
| N/A | N/A | N/A | ruleID |
| N/A | N/A | N/A | POLICY |
| N/A | N/A | N/A | Severity |
| APPLICATION_NAME | <process> | Text/String | Specifies the name of the application that is associated with the incident. |
| ATTACHMENT_FILENAME | <object> | Text/String | Specifies the name of the attached file. |
| BLOCKED | <action> | Text/String | Indication of whether or not Symantec Data Loss Prevention blocked the message (yes or no). |
| DESTINATION_IP | <dip> | IP Address | Specifies the destination IP address. |
| INCIDENT_ID | N/A | N/A | The unique identifier of the incident. |
| INCIDENT_SNAPSHOT | <url> | Text/String | The fully qualified URL to the incident snapshot page for the incident. |
| MATCH_COUNT | N/A | N/A | The incident match count. |
| OCCURED_ON | N/A | N/A | Specifies the date on which the incident occurred. This date may differ from the date on which the incident was reported. |
| POLICY | <policy> | Text/String | The name of the policy that was violated. |
| POLICY_RULES / RULES | N/A | N/A | A comma-separated list of one or more policy rules that were violated. |
| PROTOCOL | <protname> | Text/String | The protocol, device type, and target type of the incident, where applicable. |
| RECIPIENTS | <recipient> | Text/String | A comma-separated list of one or more message recipients. Includes the requested URL in web incidents. |
| REPORTED_ON | N/A | N/A | Specifies the date on which the incident was reported. |
| MONITOR_NAME | N/A | N/A | Specifies the detection server or cloud detector that created the incident. |
| SENDER | <sender> | Text/String | The message sender. |
| SEVERITY | <severity> | Text/String | The severity that is assigned to the incident. |
| STATUS | <status> | Text/String | Specifies the remediation status of the incident. |
| SUBJECT | <subject> | Text/String | The subject of the message. |
| URL | <url> | Text/String | Specifies the file path or location. |
| APPLICATION_USER | <account> | N/A | The name of the application user. |
| DATAOWNER_NAME | N/A | N/A | The person responsible for remediating the incident. This field must be set manually, or with one of the lookup plug-ins. Reports can automatically be sent to the data owner for remediation. |
| DATAOWNER_EMAIL | N/A | N/A | The email address of the person responsible for remediating the incident. This field can be set manually, or with one of the lookup plug-ins. |
| ENDPOINT_LOCATION | N/A | N/A | The location of the endpoint computer. |
| ENDPOINT_MACHINE | <sname> | Text/String | The name of the endpoint computer that generated the violation. |
| ENDPOINT USERNAME | <domainorigin>/<login> | Text/String | The name of the endpoint user. |
| MACHINE_IP | <sip> | IP Address | The corporate IP address of the endpoint computer. |
| USER_JUSTIFICATION | <reason> | Text/String | The justification that was provided by the endpoint user. |
| PATH | N/A | N/A | The full path to the file in which the incident was found. |
| FILE_NAME | <object> | Text/String | The name of the file in which the incident was found. |
| PARENT_PATH | N/A | N/A | The path to the parent directory of the file in which the incident was found. |
| QUARANTINE_PARENT_PATH | N/A | N/A | The path to the parent directory in which the file was quarantined. |
| SCAN_DATE | N/A | N/A | The date of the scan that found the incident. |
| TARGET | N/A | N/A | The name of the target in which the incident was found. |
| FNAME | <object> | Text/String | N/A |
| ENDPOINT_DEVICE_ID | N/A | N/A | N/A |