Vendor Documentation

Classification

| Rule Name | Rule Type | Classification | Common Event |
|---|---|---|---|
| V 2.0 : Web Security Event | Base Rule | Activity | General Threat Message |
| V 2.0 : Web Security : Unknown | Sub Rule | Activity | General Threat Message |
| V 2.0 : Web Security : Pass | Sub Rule | Activity | General Threat Message |
| V 2.0 : Web Security : Block | Sub Rule | Failed Activity | Threat Blocked |
| V 2.0 : Web Security : Monitor | Sub Rule | Activity | General Threat Message |
| V 2.0 : Web Security : Delete | Sub Rule | Failed Activity | Threat Deleted |
| V 2.0 : Web Security : Quarantine | Sub Rule | Activity | Quarantine |
| V 2.0 : Web Security : Warn | Sub Rule | Activity | General Threat Message |
| V 2.0 : Web Security : Warn And Continue | Sub Rule | Activity | General Threat Message |
| V 2.0 : Web Security : Override | Sub Rule | Activity | General Threat Message |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Header (logVer) | N/A | N/A | CEF format version |
| Header (vendor) | N/A | N/A | Appliance vendor |
| Header (pname) | N/A | N/A | Appliance product |
| Header (pver) | N/A | N/A | Appliance version |
| Header (eventid) | <vmid> | Text/String | WB:Filter/Blocking Type |
| Header (eventName) | N/A | N/A | Blocking Rule or "Filter/Blocking Type" |
| Header (severity) | <severity> | Number | Severity |
| deviceExternalId | N/A | N/A | ID |
| rt | N/A | N/A | Log generation time in UTC |
| app | <protnum> | Number | Protocol |
| cntLabel | N/A | N/A | Corresponding label for the "cnt" field |
| cnt | <quantity> | Number | Detections |
| dpt | <dport> | Number | Server port |
| act | <action> | Number | 0: Unknown |
| src | <sip> | IP Address | Endpoint IPv4 address |
| c6a2Label | N/A | N/A | Corresponding label for the "c6a2" field |
| c6a2 | <sip> | IP Address | Endpoint IPv6 address |
| cs1Label | N/A | N/A | Corresponding label for the "cs1" field |
| cs1 | <policy> | Text/String | Policy |
| cat | <subject> | Number/Text/String | Filter/Blocking Type |
| dvchost | N/A | N/A | Endpoint host name |
| fname | <object> | Text/String | File |
| request | <url> | Text/String/Number | URL |
| deviceFacility | N/A | N/A | Product |
| shost | <sname> | String/Number | Client host name |
| reason | <reason> | String/Number | Critical Threat Type |
| deviceNtDomain | N/A | N/A | Active Directory domain |
| dntdom | N/A | N/A | Apex One domain hierarchy |
| TMCMLogDetectedHost | <sname> | Text/String | Endpoint name where the log event occurred |
| TMCMLogDetectedIP | <sip> | IP Address | IP address where the log event occurred |
| ApexCentralHost | N/A | N/A | Apex Central host name |
| devicePayloadId | N/A | N/A | Unique message GUID |
| deviceDirection | N/A | Text/String | Traffic/Connection |
| deviceProcessName | <process> | Text/String/Number | Process name |
| duser | <domainimpacted> | Text/String/Number | User name |
| cn3Label | N/A | N/A | Corresponding label for the "cn3" field |
| cn3 | N/A | N/A | Reputation score |
| cn2Label | N/A | N/A | Corresponding label for the "cn2" field |
| cn2 | N/A | N/A | Severity level |
| dst | <dip> | IP Address | Server IP address |
| cs2Label | N/A | N/A | Corresponding label for the "cs2" field |
| cs2 | N/A | N/A | Blocking rule |
| cn1Label | N/A | N/A | Corresponding label for the "cn1" field |
| cn1 | N/A | N/A | Severity code |
| cs5Label | N/A | N/A | Corresponding label for the "cs5" field |
| cs5 | N/A | N/A | Reason code source |
| cs4Label | N/A | N/A | Corresponding label for the "cs4" field |
| cs4 | <responsecode> | Number | Reason Code |
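The following is an added example, not LogRhythm's or Trend Micro's parser, showing how the mapping table above is applied to one CEF line: the header is split on unescaped pipes, the extension is parsed with CEF's `\=` and `\\` escapes honoured, `*Label` keys are resolved against their partner field, each extension key is moved to its LogRhythm schema name, and the `act` code selects the sub rule from the Classification table. The sample log line is constructed. Only `act` 0 (Unknown) is documented on this page; the codes 1 to 8 in `ACTION_NAMES` are an assumption that follows the order of the sub rules in the Classification table and should be checked against the vendor documentation. Note that `src`, `c6a2` and `TMCMLogDetectedIP` all map to `<sip>`, and `shost` and `TMCMLogDetectedHost` both map to `<sname>`; the parser keeps the first occurrence in the line and reports the rest as unmapped so the collision is visible.

```python
"""Map a Trend Micro Apex Central Web Security CEF event onto the LogRhythm schema.

Added example (not vendor code). SAMPLE_LINE is constructed. Only act=0 is
documented on the page; ACTION_NAMES codes 1-8 are an ASSUMPTION.
"""
import re

# Header: CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension.
# A literal "|" inside a header field is escaped as "\|", so split on unescaped pipes.
_HEADER_FIELDS = ("logVer", "vendor", "pname", "pver", "eventid", "eventName", "severity")
_UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")
# Extension: "key=value" pairs; values may contain spaces, a literal "=" is escaped
# as "\=", so a value runs up to the next " key=" or the end of the line.
_EXT_PAIR = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)", re.DOTALL)

# CEF key -> LogRhythm schema field (keys whose schema column is N/A are omitted).
CEF_TO_SCHEMA = {
    "eventid": "vmid", "severity": "severity", "app": "protnum", "cnt": "quantity",
    "dpt": "dport", "act": "action", "src": "sip", "c6a2": "sip", "cs1": "policy",
    "cat": "subject", "fname": "object", "request": "url", "shost": "sname",
    "reason": "reason", "TMCMLogDetectedHost": "sname", "TMCMLogDetectedIP": "sip",
    "deviceProcessName": "process", "duser": "domainimpacted", "dst": "dip",
    "cs4": "responsecode",
}
_NUMERIC = ("severity", "protnum", "quantity", "dport", "action", "responsecode")

# act code -> sub rule name. 0 is from the page; 1-8 are ASSUMED (see docstring).
ACTION_NAMES = {0: "Unknown", 1: "Pass", 2: "Block", 3: "Monitor", 4: "Delete",
                5: "Quarantine", 6: "Warn", 7: "Warn And Continue", 8: "Override"}
# Sub rule name -> (Classification, Common Event); everything else is Activity /
# General Threat Message, exactly as in the Classification table.
CLASSIFICATION = {"Block": ("Failed Activity", "Threat Blocked"),
                  "Delete": ("Failed Activity", "Threat Deleted"),
                  "Quarantine": ("Activity", "Quarantine")}
DEFAULT_CLASSIFICATION = ("Activity", "General Threat Message")


def _unescape(value):
    """Collapse CEF backslash escapes (\\| \\= \\\\ and \\n / \\r)."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_cef(line):
    """Split one CEF line into its seven header fields and an ordered extension dict."""
    parts = _UNESCAPED_PIPE.split(line.strip(), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    header = dict(zip(_HEADER_FIELDS, (_unescape(p) for p in parts[:7])))
    header["logVer"] = header["logVer"][len("CEF:"):]
    extension = {k: _unescape(v) for k, v in _EXT_PAIR.findall(parts[7])}
    return header, extension


def resolve_labels(extension):
    """Return {label text: value} for every fooLabel/foo pair, e.g. {"Policy": "Default"}."""
    return {v: extension[k[:-len("Label")]] for k, v in extension.items()
            if k.endswith("Label") and k[:-len("Label")] in extension}


def map_to_schema(header, extension):
    """Apply the mapping table; first key to claim a schema field wins, later ones are reported."""
    schema = {CEF_TO_SCHEMA[k]: header[k] for k in ("eventid", "severity")}
    unmapped = {}
    for key, value in extension.items():
        if key.endswith("Label"):
            continue  # labels are informational, resolved by resolve_labels()
        target = CEF_TO_SCHEMA.get(key)
        if target is None or target in schema:
            unmapped[key] = value  # N/A in the table, or a collision on sip/sname
        else:
            schema[target] = value
    for field in _NUMERIC:
        if field in schema and schema[field].lstrip("-").isdigit():
            schema[field] = int(schema[field])
    return schema, unmapped


def classify(action_code):
    """(Rule Name, Classification, Common Event) for an act code; unknown codes hit the base rule."""
    if action_code not in ACTION_NAMES:
        return "V 2.0 : Web Security Event", *DEFAULT_CLASSIFICATION
    name = ACTION_NAMES[action_code]
    return f"V 2.0 : Web Security : {name}", *CLASSIFICATION.get(name, DEFAULT_CLASSIFICATION)


def normalize(line):
    """Full pipeline for one line: schema fields, resolved labels, unmapped keys, rule."""
    header, extension = parse_cef(line)
    schema, unmapped = map_to_schema(header, extension)
    rule = classify(schema.get("action"))
    return {"schema": schema, "labels": resolve_labels(extension), "unmapped": unmapped,
            "rule": rule, "eventName": header["eventName"]}


# Constructed sample (not a real vendor log). Exercises "\|" in the header, "\=" in
# the URL, "\\" in a Windows path and a domain\user, and the sip/sname collisions.
SAMPLE_LINE = (
    "CEF:0|Trend Micro|Apex Central|1.0|WB:7|Web Security\\|Block|3|"
    "deviceExternalId=39 rt=Nov 15 2017 08:43:57 GMT+00:00 app=17 cntLabel=AggregatedCount cnt=1 "
    "dpt=80 act=2 src=10.0.0.25 cs1Label=Policy cs1=Default cat=7 dvchost=ws-025 "
    "fname=index.html request=http://example.invalid/index.html?a\\=1 deviceFacility=Apex One "
    "shost=ws-025 reason=Malware TMCMLogDetectedHost=ws-025 TMCMLogDetectedIP=10.0.0.25 "
    "deviceProcessName=C:\\\\Program Files\\\\browser.exe duser=CORP\\\\alice "
    "cs2Label=BlockingRule cs2=Default Block Rule cs4Label=ReasonCode cs4=1 dst=192.0.2.10"
)

if __name__ == "__main__":
    import json
    print(json.dumps(normalize(SAMPLE_LINE), indent=2))
```

Running the block prints the normalized event: `act=2` lands on `V 2.0 : Web Security : Block` with classification Failed Activity / Threat Blocked, `cs2` (Blocking rule) shows up under `labels` as `BlockingRule` even though it has no schema field, and `TMCMLogDetectedHost` / `TMCMLogDetectedIP` appear in `unmapped` because `shost` and `src` already claimed `<sname>` and `<sip>`. If a feed ever emits `c6a2` without `src`, the IPv6 address takes `<sip>` instead, which is the behaviour the table implies.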