
Action [7.2]

Action is a broad field for what was done as described in the log. Action is usually a secondary function of a command or process. 

This field is not available in LogRhythm versions earlier than 7.2.1.

Data Type

String

Aliases

UseAlias

Client Console Full Name

Action

Client Console Short Name

Action

Web Console Tab/Name

Action

Elasticsearch Field Name

action

Rule Builder Column Name

Action

Regex Pattern

<action>

NetMon Name

Not applicable

Field Relationships

  • Command
  • Status
  • Result
  • Response Code
  • Process

Common Applications

  • Firewall
  • Proxy
  • Antivirus
  • IDS/IPS
  • Vulnerability scanner
  • RIM/FIM

Use Case

  • Recording network traffic accepts, drops, or blocks.
  • Secondary function of a command—for example, PowerShell (process) might issue an "AD commandlet" (command), which might have an action of lock out user.
  • Action describes a mechanism. The result describes a state outcome. A firewall action can "pass" traffic. The result might be "success."

MPE/Data Masking Manipulations

Not applicable.

Usage Standards

  • Capture simpler actions than the Command field might.
  • An Action is what you are trying to initiate via a command.
  • Action, Process, and Command separation:
    • A process is something "running."
    • A command is an operating system command (for example, batch) or a user-originated command to a system.
    • The Action is often the "result" of a process or command. The A/V process (Symantec) might have a command of "Run Scan", which could have an Action of Quarantine.
  • In RIM/FIM, the Action would be "read, write, add, delete" or any other common action verb applied to the file or registry key. 

Examples

  • FortiGate

02 18 2015 16:13:49 1.1.1.1 <LOC7:INFO> date=2015-02-18 time=16:13:51 devname=FG22222222222217 devid=FGdfsdfds1111111 logid=1059028704 type=utm subtype=app-ctrl eventtype=app-ctrl-all level=information vd="root" appid=16637 user="pete.store" srcip=1.1.1.1 srcport=57227 dstip=1.1.1.1 dstport=53 proto=17 service="DNS" sessionid=391322221 applist="APPC Monitor All" appcat="Update" app="Sophos.Update" action=pass msg="Update: Sophos.Update," apprisk=low

In this case, the firewall action is to "pass" the traffic because it is on an approved list.
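As an added example (not LogRhythm's parser or its MPE engine), the Python below tokenises the FortiGate line above and pulls out the Action field, keeping it separate from any Result the source might log. The key=value regex, the field mapping, and the accept/drop/block normalisation table are assumptions made for illustration.

```python
import re
from typing import Dict, Optional

# Constructed sample, modelled on the FortiGate line in the Examples section.
SAMPLE = (
    '02 18 2015 16:13:49 1.1.1.1 <LOC7:INFO> date=2015-02-18 time=16:13:51 '
    'devname=FG22222222222217 devid=FGdfsdfds1111111 logid=1059028704 type=utm '
    'subtype=app-ctrl eventtype=app-ctrl-all level=information vd="root" appid=16637 '
    'user="pete.store" srcip=1.1.1.1 srcport=57227 dstip=1.1.1.1 dstport=53 proto=17 '
    'service="DNS" sessionid=391322221 applist="APPC Monitor All" appcat="Update" '
    'app="Sophos.Update" action=pass msg="Update: Sophos.Update," apprisk=low'
)

# One key=value token: the value is either double-quoted (may hold spaces or
# commas, like applist and msg above) or a bare run of non-space characters.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_kv(line: str) -> Dict[str, str]:
    """Tokenise a FortiGate-style key=value log line into a dict."""
    fields: Dict[str, str] = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields

# Assumed normalisation of vendor action verbs onto the accept/drop/block
# categories named in the Use Case section; the vendor values are illustrative.
ACTION_CLASS = {
    "pass": "accept", "accept": "accept", "allow": "accept",
    "drop": "drop",
    "block": "block", "deny": "block",
}

def extract_action(line: str) -> Dict[str, Optional[str]]:
    """Return the parsed Action field and its accept/drop/block class.

    Action is the mechanism (what the device did, e.g. 'pass'); a Result, if
    the source logged one, is the state outcome and is kept separate."""
    fields = parse_kv(line)
    action = fields.get("action")
    return {
        "Action": action,
        "ActionClass": ACTION_CLASS.get(action.lower()) if action else None,
        "Result": fields.get("result"),  # this app-ctrl line carries no result
    }

if __name__ == "__main__":
    print(extract_action(SAMPLE))
```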
