Action is a broad field for what was done as described in the log. Action is usually a secondary function of a command or process.
This field is not available in LogRhythm versions earlier than 7.2.1.
Client Console Full Name
Client Console Short Name
Web Console Tab/Name
Elasticsearch Field Name
Rule Builder Column Name
- Response Code
- Vulnerability scanner
- Recording network traffic accepts, drops, or blocks.
- Secondary function of a command. For example, PowerShell (process) might issue an "AD commandlet" (command), which might have an action of "lock out user".
- Action describes a mechanism; the Result describes a state outcome. A firewall action can "pass" traffic, while the result might be "success."
MPE/Data Masking Manipulations
- Captures simpler actions than Command might.
- An Action is what you are trying to initiate via a command.
- Action, Process, and Command separation:
  - A process is something "running."
  - A command is an operating system command (for example, a batch file) or a user-originated command to a system.
  - The Action is often the "result" of a process or command. The A/V process (Symantec) might have a command of "Run Scan", which could have an Action of "Quarantine".
- In RIM/FIM, the Action would be "read, write, add, delete" or any other common action verb applied to the file or registry key.
02 18 2015 16:13:49 126.96.36.199 <LOC7:INFO> date=2015-02-18 time=16:13:51 devname=FG22222222222217 devid=FGdfsdfds1111111 logid=1059028704 type=utm subtype=app-ctrl eventtype=app-ctrl-all level=information vd="root" appid=16637 user="pete.store" srcip=188.8.131.52 srcport=57227 dstip=184.108.40.206 dstport=53 proto=17 service="DNS" sessionid=391322221 applist="APPC Monitor All" appcat="Update" app="Sophos.Update" action=pass msg="Update: Sophos.Update," apprisk=low
In this case, the firewall action is to "pass" the traffic because it is on an approved list.
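The log line above is a good test of how an Action value is actually pulled out of a device record: the fields are key=value pairs, but some values are double-quoted and contain spaces, colons and commas (applist="APPC Monitor All", msg="Update: Sophos.Update,"), so a naive split on whitespace breaks them. The following Python is an added example, not LogRhythm MPE rule code; it parses the page's sample line, lifts action= into the schema's Action field, and derives a Result from it using the Action-is-mechanism / Result-is-outcome distinction described above. The RESULT_FOR_ACTION table and the to_schema field names are assumptions for illustration only.

```python
"""Parse a FortiGate-style key=value log line and populate the Action field.

Added example, not LogRhythm's own parsing code. The sample line is the
app-ctrl event from the page; the Action/Result normalization is an assumption.
"""
import re
from typing import Dict, Optional

# Sample line copied from the page (syslog prefix included).
SAMPLE_LOG = (
    '02 18 2015 16:13:49 126.96.36.199 <LOC7:INFO> date=2015-02-18 time=16:13:51 '
    'devname=FG22222222222217 devid=FGdfsdfds1111111 logid=1059028704 type=utm '
    'subtype=app-ctrl eventtype=app-ctrl-all level=information vd="root" appid=16637 '
    'user="pete.store" srcip=188.8.131.52 srcport=57227 dstip=184.108.40.206 dstport=53 '
    'proto=17 service="DNS" sessionid=391322221 applist="APPC Monitor All" '
    'appcat="Update" app="Sophos.Update" action=pass msg="Update: Sophos.Update," apprisk=low'
)

# A key is a run of word characters followed by '='. The value is either a
# double-quoted string (which may contain spaces, commas and colons, as the
# applist= and msg= fields above do) or a bare run of non-whitespace characters.
# Because the quoted branch consumes the whole quoted value in one match, any
# '=' or space inside the quotes is never mistaken for a new key.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv(line: str) -> Dict[str, str]:
    """Return every key=value pair in the line as a dict (later keys win).

    Text before the first key=value pair (the syslog header here) is ignored.
    """
    fields: Dict[str, str] = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        # quoted is '' (not None) for an empty value such as vd="", so test
        # against None rather than truthiness.
        fields[key] = quoted if quoted is not None else bare
    return fields


# Assumed mapping from the device's action keyword to the schema's Result.
# Action is the mechanism the device applied; Result is the state outcome.
# "pass" -> "success" is the case the page gives; "accept" is treated the same.
# Anything else is left unknown (None) rather than guessed.
RESULT_FOR_ACTION = {
    "pass": "success",
    "accept": "success",
}


def derive_result(action: Optional[str]) -> Optional[str]:
    """Map a device action keyword to a Result, or None when unknown."""
    if action is None:
        return None
    return RESULT_FOR_ACTION.get(action.lower())


def to_schema(line: str) -> Dict[str, Optional[str]]:
    """Project a raw line onto a handful of schema fields (names assumed)."""
    f = parse_kv(line)
    action = f.get("action")
    return {
        "Action": action,
        "Result": derive_result(action),
        "Application": f.get("app"),
        "User": f.get("user"),
        "Service": f.get("service"),
    }


if __name__ == "__main__":
    for k, v in to_schema(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

Running it prints Action "pass" with Result "success", matching the interpretation given above; a line whose action= keyword is not in the table gets Action filled in but Result left empty, which is the safer behaviour for an MPE-style parser than inventing an outcome.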