v6.x Events - User
Vendor Documentation
Classification
| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| v6.x Events - User | Base Rule | General User Logged Event | Information |
| Authentication Logout | Sub Rule | User Logoff | Authentication Success |
| FSSO Active Directory Server Authentication Status | Sub Rule | Signon Information Received | Information |
| User Authentication Failed | Sub Rule | Authentication Failure Activity | Authentication Failure |
| Webfilter Override Successful | Sub Rule | Web Filtering Override Created | Information |
| Table Override Failure | Sub Rule | Failed To Add New Entry To Table | Error |
| User Alert | Sub Rule | General User Alert | Critical |
| User Critical | Sub Rule | User Critical | Critical |
| User Error | Sub Rule | User Error Message | Error |
| User Notice | Sub Rule | User Notice | Information |
| User Info | Sub Rule | User Information | Information |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
| logid | <vmid> | Number | The ID (logid) is a 10-digit field. It is a unique identifier for that specific log. |
| N/A | <severity> | Text\String | Each log entry contains a Level (level) field that indicates the estimated severity of the event that caused the log entry. |
| logdesc | <vendorinfo> | Text\String | N/A |
| srcip | <sip> | IP Address | IP address of the traffic’s origin. |
| dstip | <dip> | IP Address | Destination IP address for the web. |
| user | <login> | Text\String | Name of the user. |
| vd | <domainorigin> | Text\String | Name of the virtual domain in which the log message was recorded. |
| msg | <subject> | Text\String | N/A |
| type | <policy> | Text\String | N/A |
| status | <status> | Text\String | N/A |