V 2.0 : Web Security Event
Vendor Documentation
Classification
Rule Name | Rule Type | Classification | Common Event |
---|---|---|---|
V 2.0 : Web Security Event | Base Rule | Activity | General Threat Message |
V 2.0 : Web Security : Unknown | Sub Rule | Activity | General Threat Message |
V 2.0 : Web Security : Pass | Sub Rule | Activity | General Threat Message |
V 2.0 : Web Security : Block | Sub Rule | Failed Activity | Threat Blocked |
V 2.0 : Web Security : Monitor | Sub Rule | Activity | General Threat Message |
V 2.0 : Web Security : Delete | Sub Rule | Failed Activity | Threat Deleted |
V 2.0 : Web Security : Quarantine | Sub Rule | Activity | Quarantine |
V 2.0 : Web Security : Warn | Sub Rule | Activity | General Threat Message |
V 2.0 : Web Security : Warn And Continue | Sub Rule | Activity | General Threat Message |
V 2.0 : Web Security : Override | Sub Rule | Activity | General Threat Message |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
---|---|---|---|
Header (logVer) | N/A | N/A | CEF format version |
Header (vendor) | N/A | N/A | Appliance vendor |
Header (pname) | N/A | N/A | Appliance product |
Header (pver) | N/A | N/A | Appliance version |
Header (eventid) | <vmid> | Text/String | WB:Filter/Blocking Type |
Header (eventName) | N/A | N/A | Blocking Rule or "Filter/Blocking Type" |
Header (severity) | <severity> | Number | Severity |
deviceExternalId | N/A | N/A | ID |
rt | N/A | N/A | Log generation time in UTC |
app | <protnum> | Number | Protocol |
cntLabel | N/A | N/A | Corresponding label for the "cnt" field |
cnt | <quantity> | Number | Detections |
dpt | <dport> | Number | Server port |
act | <action> <tag1> | Number | 0: Unknown 1: Pass 2: Block 3: Monitor 4: Delete 5: Quarantine 6: Warn 7: Warn and continue 8: Override |
src | <sip> | IP Address | Endpoint IPv4 address |
c6a2Label | N/A | N/A | Corresponding label for the "c6a2" field |
c6a2 | <sip> | IP Address | Endpoint IPv6 address |
cs1Label | N/A | N/A | Corresponding label for the "cs1" field |
cs1 | <policy> | Text/String | Policy |
cat | <subject> | Number/Text/String | Filter/Blocking Type |
dvchost | N/A | N/A | Endpoint host name |
fname | <object> | Text/String | File |
request | <url> | Text/String/Number | URL |
deviceFacility | N/A | N/A | Product |
shost | <sname> | String/Number | Client host name |
reason | <reason> | String/Number | Critical Threat Type A: Known Advanced Persistent Threat (APT) B: Social engineering attack C: Vulnerability attack D: Lateral movement E: Unknown threats F: C&C callback G: Ransomware |
deviceNtDomain | N/A | N/A | Active Directory domain |
dntdom | N/A | N/A | Apex One domain hierarchy |
TMCMLogDetectedHost | <sname> | Text/String | Endpoint name where the log event occurred |
TMCMLogDetectedIP | <sip> | IP Address | IP address where the log event occurred |
ApexCentralHost | N/A | N/A | Apex Central host name |
devicePayloadId | N/A | N/A | Unique message GUID |
deviceDirection | N/A | Text/String | Traffic/Connection 0: None 1: Inbound 2: Outbound |
deviceProcessName | <process> | Text/String/Number | Process name |
duser | <domainimpacted> <account> | Text/String/Number | User name |
cn3Label | N/A | N/A | Corresponding label for the "cn3" field |
cn3 | N/A | N/A | Reputation score |
cn2Label | N/A | N/A | Corresponding label for the "cn2" field |
cn2 | N/A | N/A | Severity level 100: High 300: Medium high 500: Medium 700: Medium low 900: Low |
dst | <dip> | IP Address | Server IP address |
cs2Label | N/A | N/A | Corresponding label for the "cs2" field |
cs2 | N/A | N/A | Blocking rule |
cn1Label | N/A | N/A | Corresponding label for the "cn1" field |
cn1 | N/A | N/A | Severity code 0: Unknown 1: Information 2: Warning 3: Error 4: Critical |
cs5Label | N/A | N/A | Corresponding label for the "cs5" field |
cs5 | N/A | N/A | Reason code source |
cs4Label | N/A | N/A | Corresponding label for the "cs4" field |
cs4 | <responsecode> | Number | Reason Code |