Skip to main content
Skip table of contents

V 2.0 : Web Security Event

Vendor Documentation


Rule Name

Rule Type


Common Event

V 2.0 : Web Security EventBase RuleActivityGeneral Threat Message
V 2.0 : Web Security : UnknownSub RuleActivityGeneral Threat Message
V 2.0 : Web Security : PassSub RuleActivityGeneral Threat Message
V 2.0 : Web Security : BlockSub RuleFailed ActivityThreat Blocked
V 2.0 : Web Security : MonitorSub RuleActivityGeneral Threat Message
V 2.0 : Web Security : DeleteSub RuleFailed ActivityThreat Deleted
V 2.0 : Web Security : QuarantineSub RuleActivityQuarantine
V 2.0 : Web Security : WarnSub RuleActivityGeneral Threat Message
V 2.0 : Web Security : Warn And ContinueSub RuleActivityGeneral Threat Message
V 2.0 : Web Security : OverrideSub RuleActivityGeneral Threat Message

Mapping with LogRhythm Schema

Device Key in Log MessageLogRhythm SchemaData TypeSchema Description
Header (logVer)N/AN/ACEF format version
Header (vendor)N/AN/AAppliance vendor
Header (pname)N/AN/AAppliance product
Header (pver)N/AN/AAppliance version
Header (eventid)<vmid> Text/StringWB:Filter/Blocking Type
Header (eventName)N/AN/ABlocking Rule or "Filter/Blocking Type"
Header (severity)<severity>NumberSeverity
rtN/AN/ALog generation time in UTC
cntLabelN/AN/A Corresponding label for the "cnt" field
dpt<dport>NumberServer port
Number0: Unknown
1: Pass
2: Block
3: Monitor
4: Delete
5: Quarantine
6: Warn
7: Warn and continue
8: Override
src<sip>IP AddressEndpoint IPv4 address
c6a2LabelN/AN/ACorresponding label for the "c6a2" field
c6a2<sip>IP AddressEndpoint IPv6 address
cs1LabelN/AN/ACorresponding label for the "cs1" field
cat<subject>Number/Text/StringFilter/Blocking Type
dvchostN/AN/AEndpoint host name
shost<sname>String/NumberClient host name
reason<reason>String/NumberCritical Threat Type
A: Known Advanced Persistent Threat (APT)
B: Social engineering attack
C: Vulnerability attack
D: Lateral movement
E: Unknown threats
F: C&C callback
G: Ransomware
deviceNtDomainN/AN/AActive Directory domain
dntdomN/AN/AApex One domain hierarchy
TMCMLogDetectedHost<sname>Text/StringEndpoint name where the log event occurred
TMCMLogDetectedIP<sip>IP AddressIP address where the log event occurred
ApexCentralHostN/AN/AApex Central host name
devicePayloadIdN/AN/AUnique message GUID
deviceDirection N/A Text/StringTraffic/Connection
0: None
1: Inbound
2: Outbound
deviceProcessName<process> Text/String/NumberProcess name
Text/String/NumberUser name
cn3Label N/AN/ACorresponding label for the "cn3" field
cn3N/AN/AReputation score
cn2LabelN/AN/ACorresponding label for the "cn2" field
cn2N/AN/ASeverity level
100: High
300: Medium high
500: Medium
700: Medium low
900: Low
dst<dip>IP AddressServer IP address
cs2LabelN/AN/ACorresponding label for the "cs2" field
cs2N/AN/ABlocking rule
cn1LabelN/AN/ACorresponding label for the "cn1" field
cn1N/AN/ASeverity code
0: Unknown
1: Information
2: Warning
3: Error
4: Critical
cs5LabelN/AN/ACorresponding label for the "cs5" field
cs5N/AN/AReason code source
cs4LabelN/AN/ACorresponding label for the "cs4" field
cs4<responsecode>NumberReason Code
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.