Log Fields and Parsing

This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.

| Log Field | LogRhythm Default | LogRhythm Default v2.0 |
| --- | --- | --- |
| Agent Version | N/A | N/A |
| Device Message | N/A | `<vendorinfo>` |
| Device Name | `<object>` | N/A |
| Event Name | `<vmid>` | `<action>`, `<tag1>` |
| Event Type | N/A | `<vmid>` |
| IP Address | N/A | `<dip>` |
| Logged On Users | N/A | `<domainorigin>`, `<login>` |
| MAC Address | N/A | `<dmac>` |
| OS | N/A | N/A |
| Policy Change | N/A | N/A |
| Policy Name | N/A | N/A |
| Renamed | N/A | N/A |
| User | `<login>` | `<login>` |
| Zones Added | N/A | N/A |
| Zone Name | N/A | N/A |

Log Processing Settings

This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.

LogRhythm Default

| Regex ID | Rule Name | Rule Type | Common Events | Classifications |
| --- | --- | --- | --- | --- |
| 1008376 | Device Removed | Base Rule | Configuration Modified : Security | Configuration |

LogRhythm Default v2.0

| Regex ID | Rule Name | Rule Type | Common Events | Classifications |
| --- | --- | --- | --- | --- |
| 1011402 | V 2.0 : Cylance Protect : Device Events | Base Rule | General Information Log Message | Information |
| | V 2.0 : Cylance Protect : Policy Assigned | Sub Rule | Policy Enabled : Object | Policy |
| | V 2.0 : Cylance Protect : Device Removed | Sub Rule | Object Deleted/Removed | Access Success |
| | V 2.0 : Cylance Protect : Device Updated | Sub Rule | Object Attribute Modified | Access Success |
| | V 2.0 : Cylance Protect : Zone Assigned | Sub Rule | Object Attribute Modified | Access Success |
| | V 2.0 : Cylance Protect : Device Registered | Sub Rule | Device Registered | Other Audit Success |
| | V 2.0 : Cylance Protect : System Security | Sub Rule | General Authentication Event | Other Audit |