V 2.0 Traffic Messages
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
---|---|---|---|
V 2.0 Traffic Messages | Base Rule | General Network Traffic | Network Traffic |
V 2.0 Session Traffic Start Allowed | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
V 2.0 Session Traffic Start Denied | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
V 2.0 Session Traffic Start Dropped | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
V 2.0 Session Traffic Start Reset | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
V 2.0 Session Traffic End Allowed | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
V 2.0 Session Traffic End Denied | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
V 2.0 Session Traffic End Dropped | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
V 2.0 Session Traffic End Reset | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
V 2.0 Session Traffic Drop Allowed | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
V 2.0 Session Traffic Drop Denied | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
V 2.0 Session Traffic Drop | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
V 2.0 Session Traffic Drop Reset | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
V 2.0 Session Traffic Deny Allowed | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
V 2.0 Session Traffic Denied | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
V 2.0 Session Traffic Deny Dropped | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
V 2.0 Session Traffic Deny Reset | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
---|---|---|---|
Header: Severity | <severity> | Text/String | N/A |
Type (type) | <vmid> | Text/String | Specifies the type of log; the value is TRAFFIC |
Threat/Content Type (subtype) | <vendorinfo> | Text/String | Subtype of traffic log; values are start, end, drop, and deny |
Source Address (src) | <sip> | IP Address | Original session source IP address |
Destination Address (dst) | <dip> | IP Address | Original session destination IP address |
NAT Source IP (natsrc) | <snatip> | IP Address | If Source NAT is performed, the post-NAT Source IP address |
NAT Destination IP (natdst) | <dnatip> | IP Address | If Destination NAT is performed, the post-NAT Destination IP address |
Rule Name (rule) | <policy> | Text/String | Name of the rule that the session matched |
Source User (srcuser) | <domainorigin> | Text/String | The username of the user who initiated the session |
Destination User (dstuser) | <domainimpacted> | Text/String | The username of the user to which the session was destined |
Application (app) | <object> | Text/String | Application associated with the session |
Inbound Interface (inbound_if) | <sinterface> | Text/String | Interface that the session was sourced from |
Outbound Interface (outbound_if) | <dinterface> | Text/String | The interface that the session was destined to |
Session ID (sessionid) | <session> | Number | An internal numerical identifier is applied to each session |
Source Port (sport) | <sport> | Number | Source port utilized by the session |
Destination Port (dport) | <dport> | Number | Destination port utilized by the session |
NAT Source Port (natsport) | <snatport> | Number | Post-NAT source port |
NAT Destination Port (natdport) | <dnatport> | Number | Post-NAT destination port |
IP Protocol (proto) | <protname> | Text/String | IP protocol associated with the session |
Action (action) | <action> | Text/String | Action taken for the session; possible values are: |
Bytes Sent (bytes_sent) | <bytesin> | Number | Number of bytes in the client-to-server direction of the session |
Bytes Received (bytes_received) | <bytesout> | Number | Number of bytes in the server-to-client direction of the session |
Elapsed Time (elapsed) | <seconds> | Number | The elapsed time of the session |
Category (category) | <subject> | Text/String | URL category associated with the session (if applicable) |
Packets Sent (pkts_sent) | <packetsin> | Number | Number of client-to-server packets for the session |
Packets Received (pkts_received) | <packetsout> | Number | Number of server-to-client packets for the session |
Session End Reason (session_end_reason) | <reason> | Text/String | The reason a session was terminated. If the termination had multiple causes, this field displays only the highest priority reason. The possible session end reason values are as follows, in order of priority (where the first is highest): |
Device Name (device_name) | <objectname> | Text/String | The hostname of the firewall on which the session was logged. |
Application Category (category_of_app) | <objecttype> | Text/String | The application category is specified in the application configuration properties. Values are: |
Application Characteristic (characteristic_of_app) | <group> | Text/String | Comma-separated list of applicable characteristics of the application |
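The following is an added example, not LogRhythm's or the firewall vendor's own parsing code. It applies the two tables above: each device key is mapped to its LogRhythm schema field, Number-typed fields are converted, and the sub-rule, Common Event and Classification are derived from the subtype (`<vendorinfo>`) and action (`<action>`) exactly as the Classification table lays them out. The `key=value` input encoding and the sample lines are constructed for the example; the action token values `allow`, `deny`, `drop` and `reset` (with a `reset-*` variant folded onto `reset`) are assumptions, since the page elides the action value list.

```python
import re

# Device key (as it appears in the log) -> LogRhythm schema field, copied from
# the mapping table on this page.
FIELD_MAP = {
    "type": "vmid", "subtype": "vendorinfo", "src": "sip", "dst": "dip",
    "natsrc": "snatip", "natdst": "dnatip", "rule": "policy",
    "srcuser": "domainorigin", "dstuser": "domainimpacted", "app": "object",
    "inbound_if": "sinterface", "outbound_if": "dinterface",
    "sessionid": "session", "sport": "sport", "dport": "dport",
    "natsport": "snatport", "natdport": "dnatport", "proto": "protname",
    "action": "action", "bytes_sent": "bytesin", "bytes_received": "bytesout",
    "elapsed": "seconds", "category": "subject", "pkts_sent": "packetsin",
    "pkts_received": "packetsout", "session_end_reason": "reason",
    "device_name": "objectname", "category_of_app": "objecttype",
    "characteristic_of_app": "group",
}

# Schema fields the mapping table types as Number.
NUMERIC_FIELDS = {"session", "sport", "dport", "snatport", "dnatport",
                  "bytesin", "bytesout", "seconds", "packetsin", "packetsout"}

# Subtypes from the <vendorinfo> row; action tokens are an assumption (see lead-in).
SUBTYPES = {"start", "end", "drop", "deny"}
ACTION_WORD = {"allow": "Allowed", "deny": "Denied", "drop": "Dropped", "reset": "Reset"}

BASE_RULE = ("V 2.0 Traffic Messages", "General Network Traffic", "Network Traffic")


def parse_traffic_log(line):
    """Parse a constructed 'key=value key="quoted value"' line into a dict keyed
    by LogRhythm schema field. Keys absent from the table are kept under
    'unmapped' so that nothing is dropped silently."""
    event = {"unmapped": {}}
    for key, raw in re.findall(r'(\w+)=("[^"]*"|\S+)', line):
        value = raw.strip('"')
        field = FIELD_MAP.get(key)
        if field is None:
            event["unmapped"][key] = value
            continue
        if field in NUMERIC_FIELDS:
            try:
                value = int(value)
            except ValueError:
                pass  # keep the raw text rather than failing the whole parse
        event[field] = value
    return event


def sub_rule_name(subtype, action):
    """Sub-rule name per the Classification table. Two names there are
    irregular; the rest follow '<Subtype> <Action word>'."""
    irregular = {("drop", "drop"): "V 2.0 Session Traffic Drop",
                 ("deny", "deny"): "V 2.0 Session Traffic Denied"}
    if (subtype, action) in irregular:
        return irregular[(subtype, action)]
    return f"V 2.0 Session Traffic {subtype.capitalize()} {ACTION_WORD[action]}"


def classify(event):
    """Return (rule name, common event, classification) for a parsed event,
    or None when the log is not a TRAFFIC log (see the <vmid> row).
    The action token is reduced to its first dash-separated word on the
    assumption that reset variants such as reset-both belong to the Reset
    sub-rules; anything the sub-rule table does not cover stays on the base rule."""
    if event.get("vmid") != "TRAFFIC":
        return None
    subtype = str(event.get("vendorinfo", "")).lower()
    action = str(event.get("action", "")).lower().split("-")[0]
    if subtype not in SUBTYPES or action not in ACTION_WORD:
        return BASE_RULE
    name = sub_rule_name(subtype, action)
    if action == "allow":
        return (name, "Traffic Allowed by Network Firewall", "Network Allow")
    return (name, "Traffic Denied by Network Firewall", "Network Deny")


# Constructed sample lines (not real firewall output).
SAMPLE_END_ALLOW = (
    'type=TRAFFIC subtype=end src=10.1.2.3 dst=203.0.113.10 natsrc=198.51.100.5 '
    'natdst=203.0.113.10 rule="allow-web" srcuser=alice app=web-browsing '
    'inbound_if=ethernet1/2 outbound_if=ethernet1/1 sessionid=48213 sport=51234 '
    'dport=443 natsport=20112 natdport=443 proto=tcp action=allow bytes_sent=1532 '
    'bytes_received=48210 elapsed=12 category=computer-and-internet-info pkts_sent=18 '
    'pkts_received=41 session_end_reason=tcp-fin device_name=fw-edge-01 '
    'category_of_app=general-internet '
    'characteristic_of_app="has-known-vulnerabilities,tunnels-other-apps"'
)
SAMPLE_DENY = (
    'type=TRAFFIC subtype=deny src=192.0.2.44 dst=10.1.2.3 rule="block-inbound" '
    'app=not-applicable sessionid=48990 sport=40001 dport=3389 proto=tcp action=deny '
    'bytes_sent=60 bytes_received=0 pkts_sent=1 pkts_received=0 '
    'session_end_reason=policy-deny device_name=fw-edge-01'
)

if __name__ == "__main__":
    for line in (SAMPLE_END_ALLOW, SAMPLE_DENY):
        ev = parse_traffic_log(line)
        print(ev["sip"], "->", ev["dip"], ev.get("dport"), classify(ev))
```

Note that `bytes_sent` lands in `<bytesin>` and `bytes_received` in `<bytesout>` because that is what the mapping table specifies (client-to-server counts as "in" from the session-origin viewpoint); a parser that swaps them to match the field names' surface meaning will produce reversed byte counts in every report built on this schema.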