Log Fields and Parsing
This section details the log fields available in this log message type, along with the values parsed for both the LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that no value is parsed for that log field under that policy.
| Log Field | LogRhythm Default | LogRhythm Default v2.0 |
|---|---|---|
| Type (type) | <vmid> | <vmid> |
| Threat/Content Type (subtype) | <vendorinfo> | <vendorinfo> |
| Source address (src) | <sip> | <sip> |
| Destination address (dst) | <dip> | <dip> |
| NAT Source IP (natsrc) | <snatip> | <snatip> |
| NAT Destination IP (natdst) | <dnatip> | <dnatip> |
| Rule Name (rule) | <policy> | <policy> |
| Source User (srcuser) | <domainorigin> | <domainorigin> |
| Destination User (dstuser) | <account> | <domainimpacted> |
| N/A | <process> | N/A |
| N/A | <group> | N/A |
| Inbound Interface (inbound_if) | <sinterface> | <sinterface> |
| Outbound Interface (outbound_if) | <dinterface> | <dinterface> |
| Session ID (sessionid) | <session> | <session> |
| Repeat Count (repeatcnt) | <quantity> | <quantity> |
| Source Port (sport) | <sport> | <sport> |
| Destination Port (dport) | <dport> | <dport> |
| NAT Source Port (natsport) | <snatport> | <snatport> |
| NAT Destination Port (natdport) | <dnatport> | <dnatport> |
| IP Protocol (proto) | <protname> | <protname> |
| Action (action) | <action> | <action> |
| URL/Filename (misc) | N/A | <object> |
| Threat/Content Name (threatid) | <object> | <threatname> |
| N/A | <objectname> | N/A |
| N/A | <action> | N/A |
| Threat/Content Name (threatid) | <processid> | <threatid> |
| Category (category) | <tag2> | <subject> |
| Severity (severity) | <severity> | <severity> |
| N/A | <hash> | N/A |
| Sender (sender) | <sender> | N/A |
| Subject (subject) | <subject> | N/A |
| Recipient (recipient) | <recipient> | N/A |
| Device Name (device_name) | N/A | <objectname> |
| Application Characteristic (characteristic_of_app)** | N/A | <group> |
Log Processing Settings
This section details the log processing changes made between the LogRhythm Default policy and LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules so that log message types are parsed and classified according to their event types.
LogRhythm Default
| Regex ID | Rule Name | Rule Type | Common Events | Classifications |
|---|---|---|---|---|
| 1000722 | THREAT Messages | Base Rule | General Attack Activity | Attack |
| | Potentially Threatening URL Allowed | Sub Rule | Web Activity Allowed | Activity |
| | URL Allowed | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| | URL Denied - Flood Detected | Sub Rule | General Attack Activity | Attack |
| | URL Threat Detected - Session Dropped | Sub Rule | General Attack Activity | Attack |
| | URL Threat Detected - Packets Dropped | Sub Rule | General Attack Activity | Attack |
| | URL Threat Detected - Dropped - Reset Sent | Sub Rule | General Attack Activity | Attack |
| | URL Blocked | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| | Potential Virus Content Allowed | Sub Rule | Detected Virus Activity | Malware |
| | Virus Content Allowed | Sub Rule | Detected Virus Activity | Malware |
| | Virus Traffic Denied | Sub Rule | Failed Virus Activity | Failed Malware |
| | Virus Traffic Dropped - Session Dropped | Sub Rule | Failed Virus Activity | Failed Malware |
| | Virus Detected - Packets Dropped | Sub Rule | Failed Virus Activity | Failed Malware |
| | Virus Detected - Dropped - Reset Sent | Sub Rule | Failed Virus Activity | Failed Malware |
| | Malicious URL Blocked | Sub Rule | Failed Malware Activity | Failed Malware |
| | Potential Spyware Content Allowed | Sub Rule | Detected Spyware Activity | Malware |
| | Spyware Content Allowed | Sub Rule | Detected Spyware Activity | Malware |
| | Spyware Traffic Denied | Sub Rule | Failed Spyware Activity | Failed Malware |
| | Spyware Traffic Dropped - Session Dropped | Sub Rule | Failed Spyware Activity | Failed Malware |
| | Spyware Detected - Packets Dropped | Sub Rule | Failed Spyware Activity | Failed Malware |
| | Spyware Detected - Dropped - Reset Sent | Sub Rule | Failed Spyware Activity | Failed Malware |
| | Spyware Blocked | Sub Rule | Failed Spyware Activity | Failed Malware |
| | Potential Vulnerability Exploit Allowed | Sub Rule | Vuln High Severity : General | Vulnerability |
| | Vulnerability Exploit Allowed | Sub Rule | Potential Vulnerability Exploit Allowed | Activity |
| | Vulnerability Exploit Denied | Sub Rule | Failed General Attack Activity | Failed Attack |
| | | Sub Rule | Failed General Attack Activity | Failed Attack |
| | Vulnerability Exploit Traffic Drop - Packet Drop | Sub Rule | Failed General Attack Activity | Failed Attack |
| | Vulnerability Exploit Traffic Dropped - Reset Sent | Sub Rule | Failed General Attack Activity | Failed Attack |
| | Vulnerability Exploit Dropped | Sub Rule | Failed General Attack Activity | Failed Attack |
| | Potentially Threatening File Observed - Allowed | Sub Rule | Potentially Threatening File Observed | Activity |
| | Threatening File Allowed | Sub Rule | Unauthorized Program/Process | Misuse |
| | Threatening File Type Denied | Sub Rule | Failed Malware Activity | Failed Malware |
| | Threatening File Dropped - Session Dropped | Sub Rule | Failed Malware Activity | Failed Malware |
| | Threatening File Dropped - Packets Dropped | Sub Rule | Failed Malware Activity | Failed Malware |
| | Threatening File Dropped - Reset Sent | Sub Rule | Failed Malware Activity | Failed Malware |
| | Threatening File Blocked | Sub Rule | Failed Malware Activity | Failed Malware |
| | Scan Detected | Sub Rule | Port Scan | Reconnaissance |
| | DoS Detected | Sub Rule | Host Denial Of Service | Denial Of Service |
| | Data Pattern Filtered | Sub Rule | Data Pattern Filtered | Failed Activity |
| | URL Block-Continue | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| | Threatening File Forwarded | Sub Rule | File Intercepted | Activity |
| | URL Allowed : Continue | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| | Vulnerability Exploit Traffic Dropped - Reset Both | Sub Rule | Failed General Attack Activity | Failed Attack |
| | Wildfire Upload - Skip | Sub Rule | Message Submission | Information |
| | Wildfire Upload - Success | Sub Rule | Message Submission | Information |
| | Brute Force Attack : FTP Login | Sub Rule | Vuln High Severity : Brute Force Attack | Vulnerability |
| | Wildfire-Virus Detected - Reset Both | Sub Rule | Failed Virus Activity | Failed Malware |
| | Wildfire - Potential Virus Content Allowed | Sub Rule | Detected Virus Activity | Malware |
| | Wildfire-Virus Content Allowed | Sub Rule | Detected Virus Activity | Malware |
| | Wildfire-Virus Traffic Denied | Sub Rule | Failed Virus Activity | Failed Malware |
| | Wildfire-Virus Traffic Dropped - Session Dropped | Sub Rule | Failed Virus Activity | Failed Malware |
| | Wildfire-Virus Detected - Packets Dropped | Sub Rule | Failed Virus Activity | Failed Malware |
| | Wildfire-Virus Detected - Dropped - Reset Sent | Sub Rule | Failed Virus Activity | Failed Malware |
| | Wildfire-Malicious URL Blocked | Sub Rule | Failed Malware Activity | Failed Malware |
| | Virus Detected - Dropped - Reset Both | Sub Rule | Failed Virus Activity | Failed Malware |
| | Spyware Detected - Dropped - Reset Both | Sub Rule | Failed Spyware Activity | Failed Malware |
| | Vuln Exploit Traffic Dropped - Reset Server | Sub Rule | Failed General Attack Activity | Failed Attack |
| | Vulnerability Exploit Detected : Low Severity | Sub Rule | Vuln Low Severity : General | Vulnerability |
| | File Detected | Sub Rule | Suspicious File Download | Activity |
| | Vulnerability Exploit Detected : High Severity | Sub Rule | Vuln High Severity : General | Vulnerability |
| | Wildfire : Benign Determination | Sub Rule | Virus Scan Completed - No Viruses Found | Information |
| | Wildfire : Grayware Determination | Sub Rule | Potentially Threatening File Observed | Activity |
| | Wildfire : Malware Determination | Sub Rule | Detected Virus Activity | Malware |
| | Potential Vulnerability Exploit Allowed : Info | Sub Rule | Vuln Low Severity : Information Gathering | Vulnerability |
| | Vulnerability Exploit Detected : Medium Severity | Sub Rule | Vuln Medium Severity : General | Vulnerability |
| | Failed Attack : Packet Dropped | Sub Rule | Failed General Attack Activity | Failed Attack |
| | Spyware Detected - Dropped - Reset Server | Sub Rule | Failed Spyware Activity | Failed Malware |
| | Spyware Sinkhole Activity Messages | Sub Rule | Suspicious Network Activity | Suspicious |
LogRhythm Default v2.0
| Regex ID | Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|---|
| 1010900 | V 2.0 Vulnerability Threat Messages | Base Rule | Vuln Medium Severity : Firewall | Vulnerability |
| | V 2.0 Potential Vulnerability Exploit Alert | Sub Rule | Vuln Medium Severity : Information Gathering | Vulnerability |
| | V 2.0 Potential Vulnerability Exploit Allowed | Sub Rule | Potential Vulnerability Exploit Allowed | Activity |
| | V 2.0 Vulnerability Exploit Blocked | Sub Rule | Failed General Attack Activity | Failed Attack |