V 2.0 User ID Messages
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
---|---|---|---|
V 2.0 User ID Messages | Base Rule | General Authentication Event | Other Audit |
V 2.0 User Logon | Sub Rule | User Logon | Authentication Success |
V 2.0 User Logoff | Sub Rule | User Logoff | Authentication Success |
V 2.0 User Registration Event | Sub Rule | Registration | Information |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
---|---|---|---|
Type (type) | <vmid> | Text/String | Specifies the type of log; value is USERID. |
Threat/Content Type (subtype) | <action> <tag1> | Text/String | Subtype of the User-ID log; values are login (user logged in), logout (user logged out), register-tag (a tag or tags were registered for the user), and unregister-tag (a tag or tags were unregistered for the user). |
Source IP (ip) | <sip> | IP Address | Original session source IP address. |
User (user) | <domainorigin> <login> | Text/String | Identifies the end user. |
Repeat Count (repeatcnt) | <quantity> | Number | Number of sessions with the same Source IP, Destination IP, Application, and Subtype seen within 5 seconds. |
Data Source (datasource) | <subject> | Text/String | Source from which mapping information is collected. |
Device Name (device_name) | <objectname> | Text/String | The hostname of the firewall on which the session was logged. |
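The two tables above describe a field mapping and a subtype-driven classification; the following Python is an added example (not LogRhythm or Palo Alto Networks code) that applies both to an already-parsed User-ID record. It assumes the record arrives as a dictionary keyed by the PAN-OS field names in the first column (type, subtype, ip, user, repeatcnt, datasource, device_name), that the user field is written as DOMAIN\user or user@domain, and the sample records are constructed; it also handles the case of a subtype the sub rules do not name, which falls through to the base rule.

```python
"""
Added example: normalise a parsed PAN-OS User-ID record into the LogRhythm
schema fields of the mapping table and choose the sub rule / common event /
classification from the classification table. The input layout (a dict keyed
by PAN-OS field names) and the sample records are assumptions, not taken from
the vendor documentation.
"""
from typing import Any, Dict, List, Optional

# Sub rule, common event and classification per subtype, as listed in the
# Classification table. Any other subtype is matched only by the base rule.
SUBTYPE_RULES = {
    "login": ("V 2.0 User Logon", "User Logon", "Authentication Success"),
    "logout": ("V 2.0 User Logoff", "User Logoff", "Authentication Success"),
    "register-tag": ("V 2.0 User Registration Event", "Registration", "Information"),
    "unregister-tag": ("V 2.0 User Registration Event", "Registration", "Information"),
}
BASE_RULE = ("V 2.0 User ID Messages", "General Authentication Event", "Other Audit")

# Constructed sample records (hypothetical hosts, users and addresses).
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"type": "USERID", "subtype": "login", "ip": "10.1.2.3", "user": "corp\\alice",
     "repeatcnt": "1", "datasource": "agent", "device_name": "fw-edge-01"},
    {"type": "USERID", "subtype": "logout", "ip": "10.1.2.3", "user": "corp\\alice",
     "repeatcnt": "2", "datasource": "agent", "device_name": "fw-edge-01"},
    {"type": "USERID", "subtype": "register-tag", "ip": "10.1.9.9", "user": "bob@corp.example",
     "repeatcnt": "1", "datasource": "api", "device_name": "fw-edge-02"},
    {"type": "USERID", "subtype": "unknown-subtype", "ip": "10.1.5.5", "user": "svc",
     "repeatcnt": "1", "datasource": "agent", "device_name": "fw-edge-01"},
]


def split_user(user: str) -> Dict[str, Optional[str]]:
    """Split the PAN-OS user field into <domainorigin> and <login>.

    DOMAIN\\user and user@domain are both accepted (an assumption about what the
    firewall emits); a bare user name yields no domainorigin.
    """
    if "\\" in user:
        domain, login = user.split("\\", 1)
        return {"domainorigin": domain, "login": login}
    if "@" in user:
        login, domain = user.rsplit("@", 1)
        return {"domainorigin": domain, "login": login}
    return {"domainorigin": None, "login": user}


def normalise(record: Dict[str, str]) -> Dict[str, Any]:
    """Map one parsed USERID record onto the LogRhythm schema fields and rule."""
    if record.get("type") != "USERID":
        # The base rule only applies to User-ID logs; refuse anything else.
        raise ValueError("not a User-ID log: type=%r" % record.get("type"))
    subtype = record.get("subtype", "")
    rule, common_event, classification = SUBTYPE_RULES.get(subtype, BASE_RULE)
    out: Dict[str, Any] = {
        "vmid": record["type"],              # Type (type)
        "action": subtype,                   # Threat/Content Type (subtype)
        "tag1": subtype,
        "sip": record.get("ip"),             # Source IP (ip)
        "quantity": int(record.get("repeatcnt", "1")),  # Repeat Count
        "subject": record.get("datasource"), # Data Source (datasource)
        "objectname": record.get("device_name"),  # Device Name (device_name)
        "rule": rule,
        "common_event": common_event,
        "classification": classification,
    }
    out.update(split_user(record.get("user", "")))  # User (user)
    return out


def normalise_all(records: List[Dict[str, str]]) -> List[Dict[str, Any]]:
    """Normalise a batch of records; used by the stand-alone run below."""
    return [normalise(r) for r in records]


if __name__ == "__main__":
    for row in normalise_all(SAMPLE_RECORDS):
        print(row["rule"], row["classification"], row["domainorigin"], row["login"])
```

The fall-through to the base rule matters operationally: a firmware update that introduces a new subtype value will still be matched by the base rule and land as Other Audit rather than be dropped, which is the behaviour to watch for when tuning the sub rules.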