
Classification

| Web Console Display Name | Lucene Search Syntax | Field Description |
| --- | --- | --- |
| Classification | classificationName | Classifications include Compromise, Attack, or Malware. The value is determined based on the MPE Rule's assigned Common Event. |
| ClassificationType | classificationTypeName | One of the major activity groups (Operations, Audit, or Security) used to group log message types. |
| Common Event | commonEventName | A short, plain-language description of the log that determines its Classification. |
| CVE | cve | Common Vulnerabilities and Exposures. This field is used to refer to specific vulnerabilities for a product. |
| Direction | directionName | Direction of activity between a log's origin and impacted zones. Values can be Internal, External, Outbound, Local, or Unknown. |
| MPE Rule Name | mpeRuleName | Message Processing Engine (MPE) rule, which identifies and normalizes log messages and then assigns them to a Log Type (Common Event). |
| Policy | policy | The LogRhythm Policy (e.g., FIM, RIM, Agent, etc.) resulting in the log being generated. |
| Reason | reason | The reason code within a log message. For example: Checkpoint: reason=mlx; Syslog - AirTight IDS/IPS: REASON=1 |
| Response Code | responseCode | The response code that is returned from a prior command. |
| Result | result | Anything indicating a result, including but not exclusively a code. |
| Severity | severity | A value indicating the severity of the log. |
| Status | status | The current waiting state for a process, system state, network state, or attempted action. |
| Threat ID | threatId | ID number or unique identifier of a threat. Note that CVE is stored separately. |
| Threat Name | threatName | The name of a specific threat as defined from a third-party security system or device, such as a firewall, IPS/IDS, AV, Endpoint Protection System, etc. |
| Vendor Info | vendorInfo | Human-readable strings that may contain clarifying information not easily encapsulated by CE/Classification or a rule name. |
| Vendor Message ID | vendorMessageId | Unique vendor-assigned value that identifies the log message. |
