Object
The resource (file) referenced or impacted by activity reported in the log, except when another schema field is more precisely relevant.
The following fields should be used if they are more relevant:
- Process. For anything clearly executable or running as a process.
- Action. Data explicitly classified as an action (for example, block traffic).
- Result. Result of a process (for example, HTTP result codes).
- Status. Explicit status as presented by log source.
- Reason. Explicit reason as presented by log source.
- Policy. Explicit policy.
- Command. Command executed by log source.
- Threat Name. Explicit threat name (for example, APT1).
- CVE. Explicit CVE in standard CVE format.
- Hash. Explicitly generated Hash field. For more information, see Hash.
- Vendor Information. Additional information from vendor (beyond the Vendor Message ID or VMID).
- UserAgent. User agent string for web traffic.
- Anything that can be inferred into the LogRhythm Entity, Location or Network.
Data Type
String (1000 characters maximum)
Aliases
| Use | Alias |
|---|---|
| Client Console Full Name | Object |
| Client Console Short Name | Object |
| Web Console Tab/Name | Object |
| Elasticsearch Field Name | object |
| Rule Builder Column Name | Object |
| Regex Pattern | <object> |
| NetMon Name | Not applicable |
Field Relationships
- Object Name
- Object Type
- Hash
Common Applications
- Stores a resource being mentioned in the log message.
- Can be used in almost every log source type.
Use Case
Finding a specific known resource for log source type (for example, searching for a specific database name).
MPE/Data Masking Manipulations
Not applicable.
Usage Standards
Do not use in the following cases:
- When another schema field is more appropriate to describe the resource (Process, Dname, Hash, Sender, Command, Recipient, Subject, etc.).
- When describing a LogRhythm-defined entity.
- To describe an event. Object describes an event's target.
Examples
Correct Examples
- Windows System Log
<Event xmlns='http://dum.dummy.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-DHCP-Server' Guid='{6d44402c-a145-4dac-9a01-f0555b41ca84}' EventSourceName='DhcpServer'/><EventID Qualifiers='0'>1020</EventID><Version>0</Version><Level>Warning</Level><Task>None</Task><Opcode>Info</Opcode><Keywords>Classic</Keywords><TimeCreated SystemTime='2016-08-02T13:14:16.000000000Z'/><EventRecordID>1340877</EventRecordID><Correlation/><Execution ProcessID='0' ThreadID='0'/><Channel>System</Channel><Computer>IVNMKDP.DKVM.IVAN.log.cz.ru.biz</Computer><Security/></System><EventData><Data>1.1.1.1</Data><Data>100</Data><Data>0</Data></EventData></Event>
The IP represents the IP Scope of this DHCP log, so it is the referenced object in this context. It is not appropriate to use SIP/DIP/SNATIP/DNATIP because the data field does not represent a host.
- Windows System Log
<Event xmlns='http://dum.dummy.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Kernel-PnP' Guid='{9c343432439-12340-48324d-abhh7-e831c6sdf4539}'/><EventID>219</EventID><Version>0</Version><Level>Warning</Level><Task></Task><Opcode>Info</Opcode><Keywords></Keywords><TimeCreated SystemTime='2016-08-03T01:44:55.547851500Z'/><EventRecordID>5823877</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='88'/><Channel>System</Channel><Computer>IVNMKDP.DKVM.IVAN.log.cz.ru.biz</Computer><Security UserID='NT AUTHORITY\SYSTEM'/></System><EventData><Data Name='DriverNameLength'>60</Data><Data Name='DriverName'>PCI\VEN_8086&DEV_7020&SUBSYS_110434AF4&REV_01\3&13c0b0c5&0&0A</Data><Data Name='Status'>3221226382</Data><Data Name='FailureNameLength'>15</Data><Data Name='FailureName'>\Driver\usbuhci</Data><Data Name='Version'>0</Data></EventData></Event>
Object is the specific driver component that failed to load (\driver\usbuhci). ObjectName is the DriverName. Both are correct because the referenced object is the driver component, and ObjectName expands on this with the full driver name.
- Office 365 Exchange Logs
TS=2016-03-03T01:17:28 SESSID=50e4435a-45e6-42de-7ae3-08d13419636 COMMAND=Set-TransportConfig USERTYPE=DcAdmin USERKEY=NT AUTHORITY\SYSTEM (Microsoft.Exchange.ServiceHost) WORKLOAD=Exchange RESULTCODE=True OBJECT=ivantesto365.onmicrosoft.com\Transport Settings USER=NT AUTHORITY\SYSTEM (Microsoft.Exchange.ServiceHost) SIP= OBJECTNAME= PARAMETERS=[{"Name":"DomainController","Value":""},{"Name":"Identity","Value":"lrtesto365.onmicrosoft.com"},{"Name":"HygieneSuite","Value":"Premium"}] MODIFIEDPROPERTIES= EXTERNALACCESS=True ORIGINATINGSERVER=ivandave0298 (15.31.05654.011) ORGANIZATIONNAME=ivantesto365.onmicrosoft.com LOGONTYPE= MAILBOXOWNER= MAILBOXMASTER= LOGONUSERSID= LOGONUSERDISPLAYNAME= USERAGENT= CLIENTIPADDRESS= CLIENTPROCESSNAME= CLIENTVERSION= FOLDER= CROSSMAILBOXOPERATIONS= DESTMAILBOX= DESTMAILBOXOWNER= DESTMAILBOXMASTER= DESTFOLDER= FOLDERS= AFFECTEDITEMS= ITEM= SENDASUSER= SENDONBEHALFOFUSER=
ivantesto365.onmicrosoft.com\Transport Settings parses into Object because this setting is recorded as modified in the log.
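The two correct examples above (the Kernel-PnP event 219 and the Office 365 Exchange line) as a small field mapper, added here as an illustration and not part of the LogRhythm documentation or its MPE rules. The samples are constructed copies of the page's logs, trimmed and XML-escaped; the EVENT_MAP and O365_MAP tables are assumptions that encode only the mappings the page states (Object, ObjectName, Status, Command, Result, UserAgent).

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the page's Kernel-PnP event 219, trimmed to the relevant elements, with
# the '&' characters in DriverName escaped as '&amp;' so the XML is well-formed.
PNP_219 = (
    "<Event xmlns='http://dum.dummy.com/win/2004/08/events/event'><System>"
    "<Provider Name='Microsoft-Windows-Kernel-PnP'/><EventID>219</EventID>"
    "<Channel>System</Channel></System><EventData>"
    "<Data Name='DriverNameLength'>60</Data>"
    "<Data Name='DriverName'>PCI\\VEN_8086&amp;DEV_7020&amp;SUBSYS_110434AF4&amp;REV_01"
    "\\3&amp;13c0b0c5&amp;0&amp;0A</Data>"
    "<Data Name='Status'>3221226382</Data><Data Name='FailureNameLength'>15</Data>"
    "<Data Name='FailureName'>\\Driver\\usbuhci</Data><Data Name='Version'>0</Data>"
    "</EventData></Event>"
)
# Constructed sample: the page's Office 365 Exchange line, shortened to a few of its keys.
O365 = ("TS=2016-03-03T01:17:28 COMMAND=Set-TransportConfig USERTYPE=DcAdmin "
        "RESULTCODE=True OBJECT=ivantesto365.onmicrosoft.com\\Transport Settings "
        "USER=NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost) OBJECTNAME= USERAGENT=")

# Assumed per-event mapping of named EventData values to schema fields (event 219 follows the
# page: Object is the component that failed to load, ObjectName the full driver name).
EVENT_MAP = {"219": {"FailureName": "Object", "DriverName": "ObjectName", "Status": "Status"}}
# Assumed Office 365 key mapping; keys without a more specific schema field are left alone.
O365_MAP = {"OBJECT": "Object", "OBJECTNAME": "ObjectName", "COMMAND": "Command",
            "RESULTCODE": "Result", "USERAGENT": "UserAgent"}


def local(tag):
    """Strip the default-namespace prefix ElementTree adds to each tag."""
    return tag.rsplit("}", 1)[-1]


def map_windows_event(xml_text):
    """Return the schema fields an event's named EventData values map to."""
    root = ET.fromstring(xml_text)
    event_id = next(e.text for e in root.iter() if local(e.tag) == "EventID")
    fields = {"EventID": event_id}
    for data in (e for e in root.iter() if local(e.tag) == "Data"):
        target = EVENT_MAP.get(event_id, {}).get(data.get("Name"))
        if target:  # lengths, Version and similar have no schema home and are skipped
            fields[target] = data.text
    return fields


def map_o365_line(line):
    """Split KEY=value pairs (values may contain spaces) and map known keys; empty values are dropped."""
    pairs = re.findall(r"([A-Z]+)=(.*?)(?=\s[A-Z]+=|$)", line)
    return {O365_MAP[k]: v for k, v in pairs if k in O365_MAP and v}
```

Note that the empty OBJECTNAME and USERAGENT keys in the Office 365 line produce no fields, and COMMAND and RESULTCODE land in Command and Result rather than Object, as the usage standards require.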
Incorrect Examples
- Sensitive Data
04/10-07:08:54.002765 [**] [139:1:1] SDF_COMBO_ALERT [**] [Classification: Sensitive Data was Transmitted Across the Network] [Priority: 2] {PROTO:254} 1.1.1.1 -> 1.1.1.1
SDF_COMBO_ALERT parses into Object. This is incorrect because SDF_COMBO_ALERT indicates the type of log message, rather than what object is impacted or referenced in the log. In this example, the Object field should not be used.
- Cisco ACS
06 07 2013 09:13:19 1.1.1.1 <LOC6:NOTE> Jun 7 09:13:19 mrk-prd-acs CSCOacs_TACACS_Accounting 0000819174 2 1 NetworkDeviceGroups=Location:All Locations:DPDC, AuditSessionId=davemon:1.1.1.1:tty1:1.1.1.1, Response={Type=Accounting; AcctReply-Status=Success; }
The Success value (from the AcctReply-Status key) is parsed incorrectly into Object. It should parse into Status instead. In this example, the Object field should not be used.
- Symantec Endpoint Server
01 28 2015 16:15:37 1.1.1.1 <LPTR:INFO> Jan 28 16:01:42 SymantecServer MVK-GDF-01: hostname,Local: 1.1.1.1,Local: 0,Local: 010000000001,Remote: 1.1.1.1,Remote: ,Remote: 0,Remote: 5156165156RS,7,Inbound,Begin: 2015-01-28 15:54:39,End: 2015-01-28 15:54:39,Occurrences: 1,Application: ,Rule: Block all other traffic,Location: Corporate Network,User: Dave_Store,Domain: DP,Action: Blocked
The Location value should not parse into Object, because it can be inferred and entities can be used to gather this type of data; Location should be tied to the entity structure. In this case, the Object field should not be used. Application in a log could be Process or Object, depending on the analysis of additional samples.
- Snare 2008 Event Log
08 28 2016 23:03:14 1.1.1.1 <USER:NOTE> Aug 28 23:03:14 DAVEWINDOW.loc.gregsports.com MSWinEventLog 1 Application 15450631 Sun Aug 28 23:03:14 2016 1026 .NET Runtime N/A N/A Error DAVEWINDOW.loc.gregsports.com None Application: pptviewerbackendwatchdog.exe Framework Version: v4.0.30319 Description: The process was terminated due to an unhandled exception. Exception Info: System.TypeInitializationException…
Application should be parsed into Process because it is an executable. In this example, the Object field should not be used.
Ambiguous Examples
- Riverbed
01 24 2014 02:57:25 1.1.1.1 <LOC0:NOTE> Jan 24 02:57:25 IVNDPMVK01 rbmd[10763]: [rbmd.NOTICE]: Connecting to appliance IVAN48564546TV
The log notice may be a hostname or a device name (such as an AP). It is ambiguous whether this strictly meets the definition of object impacted, object referenced, or something else. In this case, the field could be a device, serial number, or other identifier. Object is not incorrect, but this log source should be researched further.
- Microsoft Application Log
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='MsiInstaller'/><EventID Qualifiers='0'>1022</EventID><Level>Information</Level><Task>None</Task><Keywords>Classic</Keywords><TimeCreated SystemTime='2014-11-05T08:50:01.000000000Z'/><EventRecordID>9442</EventRecordID><Channel>Application</Channel><Computer>IVNMKDP.DKVM.IVAN.log.cz.ru.biz</Computer><Security UserID='NT AUTHORITY\SYSTEM'/></System><EventData>Product: Microsoft .NET Framework 4.5 - Update 'KB2979578v2' installed successfully.</EventData></Event>
Product could parse into Process instead of Object. Object is not incorrect, but may be confusing. In this case, the product does not define a runnable process on the system, so Object is a better choice than Process.
- Windows Application Log
<Event xmlns='http://Host1/win/2004/08/events/event'><System><Provider Name='SQLSERVERAGENT'/><EventID Qualifiers='16384'>208</EventID><Level>Warning</Level><Task>Job Engine</Task><Keywords>Classic</Keywords><TimeCreated SystemTime='2015-07-23T18:20:39.000000000Z'/><EventRecordID>2042567</EventRecordID><Channel>Application</Channel><Computer>IVNMKDP.DKVM.IVAN.log.cz.ru.biz </Computer><Security/></System><EventData>SQL Server Scheduled Job 'LogRhythm Sunday Maintenance' (0x7BN5C000E7A34C90000000D2F3) - Status: Failed - Invoked on: 2015-07-23 12:20:38 - Message: The job failed. The Job was invoked by User sa. The last step to run was step 29 (LogRhythm Job Step Validation). The job was requested to start at step 29 (LogRhythm Job Step Validation).</EventData></Event>
Job name parses into Object. However, it is ambiguous whether job is an object, an action, or a process.
- Windows Security Log
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4907</EventID><Version>0</Version><Level>Information</Level><Task>Audit Policy Change</Task><Opcode>Info</Opcode><Keywords>Audit Success</Keywords><TimeCreated SystemTime='2016-02-26T06:56:10.852896900Z'/><EventRecordID>228903233</EventRecordID><Correlation/><Execution ProcessID='752' ThreadID='768'/><Channel>Security</Channel><Computer>IVNMKDP.DKVM.IVAN.log.cz.ru.biz</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>IVN\dave.crowley</Data><Data Name='SubjectUserName'>dave.crowley</Data><Data Name='SubjectDomainName'>IVN</Data><Data Name='SubjectLogonId'>0x10be65</Data><Data Name='ObjectServer'>Security</Data><Data Name='ObjectType'>File</Data><Data Name='ObjectName'>C:\Windows\System32\autochk.exe</Data><Data Name='HandleId'>0xb0</Data><Data Name='OldSd'>S:AI</Data><Data Name='NewSd'>S:(AU;SAFA;DCLCSDSDWDWO;;;WD)</Data><Data Name='ProcessId'>0x3298</Data><Data Name='ProcessName'>C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data></EventData></Event>
File parses into Object, and because the XML field is named ObjectType, it is also a good candidate for ObjectType. The autochk path parses into ObjectName, which the XML also names ObjectName.