| Web Console Display Name | Lucene Search Syntax | Field Description |
|---|---|---|
| Classification | | Classification of the log, for example Compromise, Attack, or Malware. The value is derived from the Common Event that the matching MPE rule assigns. |
| | | One of the three major activity groups (Operations, Audit, or Security) used to group log message types. |
| Common Event | | A short, plain-language description of the log; it determines the log's Classification. |
| CVE | | Common Vulnerabilities and Exposures (CVE) identifier, used to refer to a specific published vulnerability in a product. |
| Direction | | Direction of activity between the log's origin zone and its impacted zone. Values are Internal, External, Outbound, Local, or Unknown. |
| MPE Rule Name | | Name of the Message Processing Engine (MPE) rule that identified and normalized the log message and assigned it its Common Event (log type). |
| Policy | | The LogRhythm policy (for example FIM, RIM, or Agent) that caused the log to be generated. |
| Reason | | The reason code carried in a log message. Examples: Checkpoint `reason=mlx`; AirTight IDS/IPS syslog `REASON=1`. |
| Response Code | | The response code returned by a prior command. |
| Result | | Anything indicating an outcome, including but not limited to a code. |
| Severity | | A value indicating the severity of the log. |
| Status | | The current state (for example, waiting) of a process, system, network connection, or attempted action. |
| Threat ID | | ID number or other unique identifier of a threat. CVE identifiers are stored separately, in the CVE field. |
| Threat Name | | The name of a specific threat as reported by a third-party security system or device (firewall, IPS/IDS, AV, endpoint protection, etc.). |
| | | Human-readable strings that may carry clarifying information not easily captured by the Common Event, Classification, or rule name. |
| Vendor Message ID | | Unique vendor-assigned value that identifies the log message. |
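As an added example, not LogRhythm's MPE and not code from this page, the following Python sketch shows how a rule-driven normalizer populates the fields above: each hypothetical rule pairs a regex with named capture groups for Reason, Response Code, Severity and Threat Name against a Common Event and Classification, mirroring the MPE Rule Name, Common Event and Classification rows, and the distinction the Result row draws between a bare code and an outcome is shown by deriving Result from Response Code. The sample log lines, rule names, Common Event names, the "Web:" log source and the "Access Failure" / "Information" classifications are constructed for the example; only Compromise, Attack and Malware are classifications the page itself names.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log lines for this example; they are not captured from real devices.
# The first two echo the page's Reason examples (Checkpoint "reason=mlx", AirTight "REASON=1").
SAMPLE_LOGS: List[str] = [
    "Checkpoint: action=drop src=10.1.2.3 dst=10.9.8.7 reason=mlx",
    "AirTight IDS/IPS: REASON=1 THREAT_NAME=RogueAP SEVERITY=high",
    'Web: 10.1.2.3 "GET /admin HTTP/1.1" 403',
    "Some appliance: something nobody wrote a rule for",
]


@dataclass(frozen=True)
class Rule:
    """Hypothetical stand-in for an MPE rule: a regex that recognises one vendor message
    plus the Common Event and Classification a match is assigned."""
    name: str                 # MPE Rule Name
    pattern: re.Pattern
    common_event: str         # Common Event: short, plain-language description of the log
    classification: str       # Classification, derived from the Common Event
    classification_type: str  # Operations, Audit, or Security


# Hypothetical rule set. Rule names, Common Event names and the "Access Failure" /
# "Information" classifications are made up for the example; the point is the parsing
# technique (named capture groups feeding a fixed set of normalized fields).
RULES: List[Rule] = [
    Rule(
        name="Check Point: Connection dropped by reason",
        pattern=re.compile(r"^Checkpoint: .*?\baction=drop\b.*?\breason=(?P<reason>\S+)", re.I),
        common_event="Connection Dropped",
        classification="Access Failure",
        classification_type="Audit",
    ),
    Rule(
        name="AirTight IDS/IPS: Threat detected",
        pattern=re.compile(
            r"^AirTight IDS/IPS: .*?\bREASON=(?P<reason>\d+)"
            r"(?:.*?\bTHREAT_NAME=(?P<threat_name>\S+))?"
            r"(?:.*?\bSEVERITY=(?P<severity>\S+))?",
            re.I,
        ),
        common_event="Threat Detected",
        classification="Attack",
        classification_type="Security",
    ),
    Rule(
        name="Web server: HTTP response",
        pattern=re.compile(r'^Web: .*?"(?P<command>[A-Z]+ \S+ HTTP/[\d.]+)" (?P<response_code>\d{3})'),
        common_event="HTTP Response",
        classification="Information",
        classification_type="Operations",
    ),
]


def result_from_response_code(code: Optional[str]) -> Optional[str]:
    """Result is broader than Response Code: a 2xx code is reduced to Success and a 4xx/5xx
    code to Failure so an analyst can search on the outcome without knowing the vendor's
    code table. Codes outside those ranges are left unclassified (None)."""
    if not code:
        return None
    if code[0] == "2":
        return "Success"
    if code[0] in "45":
        return "Failure"
    return None


def normalize(line: str) -> Dict[str, Optional[str]]:
    """Apply the first matching rule and return the normalized field set. A line that no
    rule matches still yields a record, with Unknown classification, rather than being lost."""
    record: Dict[str, Optional[str]] = {
        "mpe_rule_name": None,
        "common_event": None,
        "classification": "Unknown",
        "classification_type": None,
        "reason": None,
        "response_code": None,
        "result": None,
        "severity": None,
        "threat_name": None,
        "command": None,
    }
    for rule in RULES:
        m = rule.pattern.search(line)
        if not m:
            continue
        # Only groups that actually matched overwrite the defaults.
        record.update({k: v for k, v in m.groupdict().items() if v is not None})
        record["mpe_rule_name"] = rule.name
        record["common_event"] = rule.common_event
        record["classification"] = rule.classification
        record["classification_type"] = rule.classification_type
        record["result"] = result_from_response_code(record["response_code"])
        break
    return record


if __name__ == "__main__":
    for raw in SAMPLE_LOGS:
        print({k: v for k, v in normalize(raw).items() if v is not None})
```

Rule order matters: the first pattern that matches wins, so more specific rules belong earlier in the list, and the fallback record with Unknown classification is what you would search for when auditing which log sources still lack rule coverage.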