Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
| Log Field | LogRhythm Default | LogRhythm Default v2.0 |
|---|---|---|
| Type (type) | `<vmid>` | `<vmid>` |
| Threat/Content Type (subtype) | `<vendorinfo>` | `<vendorinfo>` |
| Source address (src) | `<sip>` | `<sip>` |
| Destination address (dst) | `<dip>` | `<dip>` |
| NAT Source IP (natsrc) | `<snatip>` | `<snatip>` |
| NAT Destination IP (natdst) | `<dnatip>` | `<dnatip>` |
| Rule Name (rule) | `<policy>` | `<policy>` |
| Source User (srcuser) | `<domainorigin>` | `<domainorigin>` |
| Destination User (dstuser) | `<account>` | `<domainimpacted>` |
| N/A | `<process>` | N/A |
| N/A | `<group>` | N/A |
| Inbound Interface (inbound_if) | `<sinterface>` | `<sinterface>` |
| Outbound Interface (outbound_if) | `<dinterface>` | `<dinterface>` |
| Session ID (sessionid) | `<session>` | `<session>` |
| Repeat Count (repeatcnt) | `<quantity>` | `<quantity>` |
| Source Port (sport) | `<sport>` | `<sport>` |
| Destination Port (dport) | `<dport>` | `<dport>` |
| NAT Source Port (natsport) | `<snatport>` | `<snatport>` |
| NAT Destination Port (natdport) | `<dnatport>` | `<dnatport>` |
| Flags (flags) | N/A | `<sessiontype>` |
| IP Protocol (proto) | `<protname>` | `<protname>` |
| Action (action) | `<action>` | `<action>` |
| URL/Filename (misc) | N/A | `<url>` |
| Threat/Content Name (threatid) | `<object>` | N/A |
| N/A | `<objectname>` | N/A |
| N/A | `<action>` | N/A |
| Threat/Content Name (threatid) | `<processid>` | N/A |
| Category (category) | `<tag2>` | `<subject>` |
| Severity (severity) | `<severity>` | `<severity>` |
| N/A | `<hash>` | N/A |
| User Agent (user_agent) | N/A | `<useragent>` |
| Sender (sender) | `<sender>` | N/A |
| Subject (subject) | `<subject>` | N/A |
| Recipient (recipient) | `<recipient>` | N/A |
| Device Name (device_name) | N/A | `<objectname>` |
| Application Characteristic (characteristic_of_app) | N/A | `<group>` |

Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.

LogRhythm Default

| Regex ID | Rule Name | Rule Type | Common Events | Classifications |
|---|---|---|---|---|
| 1000722 | THREAT Messages | Base Rule | General Attack Activity | Attack |
| | Potentially Threatening URL Allowed | Sub Rule | Web Activity Allowed | Activity |
| | URL Allowed | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| | URL Denied - Flood Detected | Sub Rule | General Attack Activity | Attack |
| | URL Threat Detected - Session Dropped | Sub Rule | General Attack Activity | Attack |
| | URL Threat Detected - Packets Dropped | Sub Rule | General Attack Activity | Attack |
| | URL Threat Detected - Dropped - Reset Sent | Sub Rule | General Attack Activity | Attack |
| | URL Blocked | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| | Potential Virus Content Allowed | Sub Rule | Detected Virus Activity | Malware |
| | Virus Content Allowed | Sub Rule | Detected Virus Activity | Malware |
| | Virus Traffic Denied | Sub Rule | Failed Virus Activity | Failed Malware |
| | Virus Traffic Dropped - Session Dropped | Sub Rule | Failed Virus Activity | Failed Malware |
| | Virus Detected - Packets Dropped | Sub Rule | Failed Virus Activity | Failed Malware |
| | Virus Detected - Dropped - Reset Sent | Sub Rule | Failed Virus Activity | Failed Malware |
| | Malicious URL Blocked | Sub Rule | Failed Malware Activity | Failed Malware |
| | Potential Spyware Content Allowed | Sub Rule | Detected Spyware Activity | Malware |
| | Spyware Content Allowed | Sub Rule | Detected Spyware Activity | Malware |
| | Spyware Traffic Denied | Sub Rule | Failed Spyware Activity | Failed Malware |
| | Spyware Traffic Dropped - Session Dropped | Sub Rule | Failed Spyware Activity | Failed Malware |
| | Spyware Detected - Packets Dropped | Sub Rule | Failed Spyware Activity | Failed Malware |
| | Spyware Detected - Dropped - Reset Sent | Sub Rule | Failed Spyware Activity | Failed Malware |
| | Spyware Blocked | Sub Rule | Failed Spyware Activity | Failed Malware |
| | Potential Vulnerability Exploit Allowed | Sub Rule | Vuln High Severity : General | Vulnerability |
| | Vulnerability Exploit Allowed | Sub Rule | Potential Vulnerability Exploit Allowed | Activity |
| | Vulnerability Exploit Denied | Sub Rule | Failed General Attack Activity | Failed Attack |
| | Vulnerability Exploit Traffic Drop - Session Drop | Sub Rule | Failed General Attack Activity | Failed Attack |
| | Vulnerability Exploit Traffic Drop - Packet Drop | Sub Rule | Failed General Attack Activity | Failed Attack |
| | Vulnerability Exploit Traffic Dropped - Reset Sent | Sub Rule | Failed General Attack Activity | Failed Attack |
| | Vulnerability Exploit Dropped | Sub Rule | Failed General Attack Activity | Failed Attack |
| | Potentially Threatening File Observed - Allowed | Sub Rule | Potentially Threatening File Observed | Activity |
| | Threatening File Allowed | Sub Rule | Unauthorized Program/Process | Misuse |
| | Threatening File Type Denied | Sub Rule | Failed Malware Activity | Failed Malware |
| | Threatening File Dropped - Session Dropped | Sub Rule | Failed Malware Activity | Failed Malware |
| | Threatening File Dropped - Packets Dropped | Sub Rule | Failed Malware Activity | Failed Malware |
| | Threatening File Dropped - Reset Sent | Sub Rule | Failed Malware Activity | Failed Malware |
| | Threatening File Blocked | Sub Rule | Failed Malware Activity | Failed Malware |
| | Scan Detected | Sub Rule | Port Scan | Reconnaissance |
| | DoS Detected | Sub Rule | Host Denial Of Service | Denial Of Service |
| | Data Pattern Filtered | Sub Rule | Data Pattern Filtered | Failed Activity |
| | Threat Allow - Dead-Sites | Sub Rule | Unauthorized Website | Misuse |
| | Threat Allow - Dating | Sub Rule | Social Media Activity | Misuse |
| | Threat Allow - Cult-And-Occult | Sub Rule | Unauthorized Activity | Misuse |
| | Threat Allow - Computer-And-Internet-Security | Sub Rule | Unauthorized Website | Misuse |
| | Threat Allow - Computer-And-Internet-Info | Sub Rule | Unauthorized Website | Misuse |
| | Threat Allow - Business-And-Economy | Sub Rule | Unauthorized Website | Misuse |
| | Threat Allow - Auctions | Sub Rule | Unauthorized Activity | Misuse |
| | Threat Allow - Any | Sub Rule | Unauthorized Website | Misuse |
| | Threat Alert - Web-Hosting | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Web-Based-Email | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Unknown | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Travel | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Training-And-Tools | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Swimsuits-And-Intimate-Apparel | Sub Rule | Failed Adult Content | Failed Misuse |
| | Threat Alert - Streaming-Media | Sub Rule | Failed Streaming Media | Failed Misuse |
| | Threat Alert - Spyware-And-Adware | Sub Rule | Failed Spyware Activity | Failed Malware |
| | Threat Alert - Sports | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Spam-URLs | Sub Rule | Failed Unauthorized E-mail | Failed Misuse |
| | Threat Alert - Society | Sub Rule | Failed Social Media Activity | Failed Misuse |
| | Threat Alert - Shopping | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Shareware-And-Freeware | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Search-Engines | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Religion | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Reference-And-Research | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Real-Estate | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Private-IP-Addresses | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Philosophy-And-Political-Advocacy | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Personal-Sites-And-Blogs | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Pay-To-Surf | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Parked-Domains | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Online-Personal-Storage | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - News-And-Media | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Motor-Vehicles | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Malware-Sites | Sub Rule | Possible Malware Activity | Malware |
| | Threat Alert - Job-Search | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Internet-Portals | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Internet-Communications | Sub Rule | Failed IM/Chat Activity | Failed Misuse |
| | Threat Alert - Individual-Stock-Advice-And-Tools | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Image-And-Video-Search | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Hunting-And-Fishing | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Health-And-Medicine | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Government | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Games | Sub Rule | Failed Game Activity | Failed Misuse |
| | Threat Alert - Financial-Services | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Entertainment-And-Arts | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Educational-Institutions | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Dead-Sites | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Dating | Sub Rule | Failed Social Media Activity | Failed Misuse |
| | Threat Alert - Cult-And-Occult | Sub Rule | Failed Adult Content | Failed Misuse |
| | Threat Alert - Computer-And-Internet-Security | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Computer-And-Internet-Info | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Business-And-Economy | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Auctions | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Any | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Content-Delivery-Networks | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Home And Garden | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Legal | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Local Information | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Online Music | Sub Rule | Failed Streaming Media | Failed Misuse |
| | Threat Alert - Social Networking | Sub Rule | Failed Social Media Activity | Failed Misuse |
| | Threat Alert - Translation | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Web Advertisements | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | URL Block-Continue | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| | Threatening File Forwarded | Sub Rule | File Intercepted | Activity |
| | URL Allowed : Continue | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| | Vulnerability Exploit Traffic Dropped - Reset Both | Sub Rule | Failed General Attack Activity | Failed Attack |
| | Wildfire Upload - Skip | Sub Rule | Message Submission | Information |
| | Wildfire Upload - Success | Sub Rule | Message Submission | Information |
| | Brute Force Attack : FTP Login | Sub Rule | Vuln High Severity : Brute Force Attack | Vulnerability |
| | Wildfire-Virus Detected - Reset Both | Sub Rule | Failed Virus Activity | Failed Malware |
| | Wildfire - Potential Virus Content Allowed | Sub Rule | Detected Virus Activity | Malware |
| | Wildfire-Virus Content Allowed | Sub Rule | Detected Virus Activity | Malware |
| | Wildfire-Virus Traffic Denied | Sub Rule | Failed Virus Activity | Failed Malware |
| | Wildfire-Virus Traffic Dropped - Session Dropped | Sub Rule | Failed Virus Activity | Failed Malware |
| | Wildfire-Virus Detected - Packets Dropped | Sub Rule | Failed Virus Activity | Failed Malware |
| | Wildfire-Virus Detected - Dropped - Reset Sent | Sub Rule | Failed Virus Activity | Failed Malware |
| | Wildfire-Malicious URL Blocked | Sub Rule | Failed Malware Activity | Failed Malware |
| | Virus Detected - Dropped - Reset Both | Sub Rule | Failed Virus Activity | Failed Malware |
| | Spyware Detected - Dropped - Reset Both | Sub Rule | Failed Spyware Activity | Failed Malware |
| | Vuln Exploit Traffic Dropped - Reset Server | Sub Rule | Failed General Attack Activity | Failed Attack |
| | Vulnerability Exploit Detected : Low Severity | Sub Rule | Vuln Low Severity : General | Vulnerability |
| | File Detected | Sub Rule | Suspicious File Download | Activity |
| | Vulnerability Exploit Detected : High Severity | Sub Rule | Vuln High Severity : General | Vulnerability |
| | Wildfire : Benign Determination | Sub Rule | Virus Scan Completed - No Viruses Found | Information |
| | Wildfire : Grayware Determination | Sub Rule | Potentially Threatening File Observed | Activity |
| | Wildfire : Malware Determination | Sub Rule | Detected Virus Activity | Malware |
| | Potential Vulnerability Exploit Allowed : Low | Sub Rule | Vuln Low Severity : General | Vulnerability |
| | Potential Vulnerability Exploit Allowed : Info | Sub Rule | Vuln Low Severity : Information Gathering | Vulnerability |
| | Vulnerability Exploit Detected : Medium Severity | Sub Rule | Vuln Medium Severity : General | Vulnerability |
| | Failed Attack : Packet Dropped | Sub Rule | Failed General Attack Activity | Failed Attack |
| | Spyware Detected - Dropped - Reset Server | Sub Rule | Failed Spyware Activity | Failed Malware |
| | Spyware Sinkhole Activity Messages | Sub Rule | Suspicious Network Activity | Suspicious |

LogRhythm Default v2.0

| Regex ID | Rule Name | Rule Type | Common Events | Classifications |
|---|---|---|---|---|
| 1010875 | V 2.0 URL Threat Messages | Base Rule | General Threat Message | Activity |
| | V 2.0 Potentially Malicious URL Allowed | Sub Rule | Traffic Allowed by Proxy | Network Allow |
| | V 2.0 User Continue URL Block | Sub Rule | Traffic Allowed by Proxy | Network Allow |
| | V 2.0 User Override URL Block | Sub Rule | Traffic Allowed by Proxy | Network Allow |
| | V 2.0 URL Request Blocked | Sub Rule | Traffic Denied by Proxy | Network Deny |