Object Name
The resource name (filename) referenced or impacted by activity reported in the log, specifically related to what is parsed into Object.
Object Name is a friendly name or expanded information about the Object. Do not use Object Name if Object is not also parsed.
Object Name is normalized into the star schema of the Events database (LogRhythm_Events.dbo.Object).
Data Type
String (1000 characters maximum)
Aliases
| Use | Alias |
|---|---|
| Client Console Full Name | Object Name |
| Client Console Short Name | Object Name |
| Web Console Tab/Name | Object Name |
| Elasticsearch Fieldname | objectName |
| Rule Builder Column Name | ObjectName |
| Regex Pattern | <objectname> |
| NetMon Name | Not applicable |
Field Relationships
- Object is described by Object Name
- Object Type
Common Applications
Everywhere that Object is used and a friendly name exists.
Use Case
- Getting context about an Object.
- Not likely to be a primary search field.
- Not likely to be a major field in AIE rules.
MPE/Data Masking Manipulations
Not applicable.
Usage Standards
- Object and Object Name are context-sensitive to the log itself. They must be defined for each device and device family across multiple samples.
- Object is primary and required to be filled first. Object Name is secondary and optional.
- Object Name is an expanded or friendly name of the object, not necessarily the file or process name (Object).
- For any database log:
  - Object is the name of the database.
  - Object Name should only be used if there is a human-readable name in addition.
- Do not use Object Name with any other speciality field, such as session, process, URL, and so on.
Examples
Correct Examples
- Windows Security Event Log
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54559625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4907</EventID><Version>0</Version><Level>Information</Level><Task>Audit Policy Change</Task><Opcode>Info</Opcode><Keywords>Audit Success</Keywords><TimeCreated SystemTime='2016-02-26T06:56:10.852896900Z'/><EventRecordID>228903233</EventRecordID><Correlation/><Execution ProcessID='752' ThreadID='768'/><Channel>Security</Channel><Computer>log.log.log</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>log\dave.crowley</Data><Data Name='SubjectUserName'>dave.crowley</Data><Data Name='SubjectDomainName'>log</Data><Data Name='SubjectLogonId'>0x10be65</Data><Data Name='ObjectServer'>Security</Data><Data Name='ObjectType'>File</Data><Data Name='ObjectName'>C:\Windows\System32\autochk.exe</Data><Data Name='HandleId'>0xb0</Data><Data Name='OldSd'>S:AI</Data><Data Name='NewSd'>S:(AU;SAFA;DCL545RSDWDWO;;;WD)</Data><Data Name='ProcessId'>0x3298</Data><Data Name='ProcessName'>C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data></EventData></Event>
File parses into Object, though Object Type would be a better fit. autochk.exe parses into Object Name appropriately.
- Windows Security Event Log
<Event xmlns='http://Host3/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{548465416845-5478-4994-a5ba-3e3b0328c30d}'/><EventID>6144</EventID><Version>0</Version><Level>Informationen</Level><Task>Andere Richtlinienänderungsereignisse</Task><Opcode>Info</Opcode><Keywords>Überwachung erfolgreich</Keywords><TimeCreated SystemTime='2016-03-15T17:52:23.176154700Z'/><EventRecordID>57042720</EventRecordID><Correlation/><Execution ProcessID='524' ThreadID='2808'/><Channel>Security</Channel><Computer>Host2l</Computer><Security/></System><EventData><Data Name='ErrorCode'>0</Data><Data Name='GPOList'>{31b2f340-016d-11d2-945f-00c04fb984f9} Default Domain Policy
</Data></EventData></Event>
The GUID string for GPOList parses into Object. Default Domain Policy parses into Object Name.
- Cisco Unified Communication Mgr
11 09 2009 00:22:45 1.1.1.1 <LOC7:ERRR> 157: : : 125: Nov 09 05:22:03.34 UTC : %CCM_CALLMANAGER-CALLMANAGER-3-DeviceTypeMismatch: Device type mismatch. Name of device.:DAV002454654BA Device type.:436 Database device type:435 App ID:Cisco CallManager Cluster ID:CORP-DP001 Node ID:CORP0004-D31005
Cluster ID parses into Object. Node ID parses into Object Name.
- Voltage Securemail
01 29 2015 01:02:20 1.1.1.1 <USER:DBUG> voltage: LogMsgID="3", ServerNode="MVBK1", TenantID="LOG.BIZ.RU", SubTenant="<default>", Created="2015-01-29 01:02:20.673", Status="0", Summary="Authentication being handled for pete.store@recordflow.biz", EventLevel="Verbose", SessionID="1odz45646546dfdf3gscuijtpiv8", RequestID="1191", SourceName="IDAdapterEvents", EventName="Auth", Service="VSIBE", ClusterName="GH Data Center", ClusterUID="1", IPAddress="1.1.1.1", TenantUID="36", UserAgentType="2", Identity=" pete.store@recordflow.bizrecordflow.biz", AdapterType="vs.enrollment", AdapterID="24358855551109029088", Result="4", Duration="9", Details="null"
vs.enrollment (the AdapterType value) parses into Object. The numeric string for AdapterID parses into Object Name.
Ambiguous Examples
- NAC System – FortiGate
07 23 2016 20:00:12 1.1.1.1 <LOC7:NOTE> date=2016-07-23 time=23:00:11 devname=logfw devid=FG5555555RecFlw1600315 logid=0100043777 type=event subtype=system level=notice vd="Transparent" logdesc="NAC anomaly quarantine" srcip=1.1.1.1 dstip=2.2.22 src_int="port1" dst_int="N/A" srcport=0 dstport=0 proto=0 service="ip" action=ban-ip user="N/A" group="N/A" policyid=0 banned_src=dos banned_rule="tcp_dst_session" sensor="DoS-policy1"
banned_src and banned_rule parse into Object and Object Name, respectively. These are ambiguous because the source and the rule are related to one another, but the source refers to a denial-of-service attack, which is more of an action than a resource.
In this case, banned_rule could be parsed into Policy and banned_src could parse into Object (because the rule acted on the "dos" src).
- Postgres
07 15 2015 14:59:42 1.1.1.1 <LOC4:INFO> Jul 15 14:59:43 src@Host70lt0 postgres[26940]: [708937-1] user=hasselhoff,db=recordflow_dev LOG: duration: 929.018 ms execute <unnamed>: UPDATE jobs.TRIGGERS SET TRIGGER_STATE = $1 WHERE SCHED_NAME = 'schedulerFactoryBean' AND JOB_NAME = $2 AND JOB_GROUP = $3 AND TRIGGER_STATE = $4
The database and the logged statement parse into Object Name and Object, respectively. A database meets the criteria of a resource referenced or impacted by this log. The logged statement, however, is closer to a command, action, or result (it parses into Command).
The database value should parse into Object, and the statement should parse into Command. Object Name should not be used.
- Two logs from FortiGate with URLs
08 21 2016 02:16:52 1.1.1.1 <LOC1:ALRT> date=2016-08-21,time=02:17:46,devname=FG123456456,devid=FG5445645641,logid=0419016384,type=utm,subtype=ips,eventtype=signature,level=alert,vd="root",severity=low,srcip=1.1.1.1,dstip=1.1.1.1,srcintf="port16",dstintf="port16",policyid=1,sessionid=22078931,action=detected,proto=6,service=tcp/20480,attack="MS.IIS.Web.Server.Folder.Traversal.Evasion",srcport=53355,dstport=80,hostname="1.1.1.1",direction=outgoing,attackid=15152,profile="all_default",ref="http://www.fortinet.com/ids/VID5555",incidentserialno=1981412111,msg="web_server:
MS.IIS.Web.Server.Folder.Traversal.Evasion,",crscore=10,crlevel=medium
07 23 2016 20:00:12 1.1.1.1 <LOC7:ALRT> date=2016-07-23 time=23:00:11 devname=zackasdsd3343434 devid=FG5555121321 logid=0720018432 type=anomaly subtype=anomaly level=alert vd="Transparent" severity=critical srcip=1.1.1.1 dstip=1.1.1.1 srcintf="port1" sessionid=0 action=detected proto=6 service=SNMP count=802 attack="tcp_src_session" srcport=36078 dstport=162 attackid=4544654 policyid=1 ref="http://www.fortinet.com/ids/VID1511112" msg="anomaly: tcp_src_session, 1251 > threshold 1250, repeats 802 times" crscore=50 crlevel=critical
In both logs, the domain of the URL in the ref field parses into Object Name. Strictly speaking, this is a referenced object, but Object is not used in the first log, so there is no relation. In the second log, subtype parses into Object and the domain of the URL parses into Object Name. There is no relation between these fields in the second instance either, because subtype describes the event rather than a resource.
In these logs, the ref field defines an outside URL to additional information. It is not the object of the log or the name of the object. The ref field should parse into the Vendor Information field. There is no need to have an Object or Object Name for this log source.
- Entrust Entelligence Messaging Server - User Credentials
06 07 2013 09:29:36 1.1.1.1 <LOC3:WARN> ECD[12901]: b7fd WARN ECD: (31516556428) Warning of credential expiry. Details [[friendlyName=Onboard SSL credential for www.recordflow.biz][days since expiry:161]]
The friendly name parses into Object Name and the hostname that follows it parses into Object. In this log, the hostname should instead parse into Impacted Host (dname). Object Name is strictly correct while Object holds the hostname, but the friendly name would probably be better placed in Object once the hostname is moved to dname.
If Onboard SSL credential parses into Object, then Object Name is empty. Also, the rule name and common event probably already capture this as "credential expiry." Look at other samples to see whether there are other types of credential besides the one shown here.
- Microsoft Antimalware
4/24/2013 4:03 PM TYPE=Warning USER= COMP=Host1 SORC=Microsoft Antimalware CATG=(0) EVID=1116 MESG=Microsoft Antimalware has detected malware or other potentially unwanted software. For more information please see the following: http://Host3/fwlink/?linkid=37020&name=Worm:Win32/Vobfus.PQ&threatid=2147680921 Name: Worm:Win32/Vobfus.PQ ID: 214764421 Severity: Severe Category: Worm Path: file:_C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\APQ7.tmp Detection Origin: Local machine Detection Type: Concrete Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Program Files (x86)\Symantec AntiVirus\RHost2 Signature Version: AV: 1.1.1.1, AS: 1.1.1.1, NIS: 1.1.1.1 Engine Version: AM: 1.1.9402.0, NIS: 1.1.1.1
The target file (APQ7.tmp) is the Object, because it is the resource being acted on. The Name value (Worm:Win32/Vobfus.PQ) is a friendly descriptor and is therefore the Object Name.
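The usage standards above (Object is required before Object Name, Object Name is capped at 1000 characters, and Object Name is not combined with other speciality fields) are the kind of checks a rule reviewer runs over parse results before a rule ships. The following is an added example, not LogRhythm's own code or MPE syntax: it uses Python named groups `(?P<object>...)` and `(?P<objectname>...)` as stand-ins for the `<object>` and `<objectname>` regex tags listed in the Aliases table (an assumption), applies three small rules to log lines taken or trimmed from the examples on this page (the Windows 4907 and FortiGate IPS lines are constructed excerpts of the page's samples), and flags the FortiGate `ref` misuse that the Ambiguous Examples section describes. The `SPECIALTY_TAGS` names are illustrative, not real MPE tag names.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Field definition on this page: Object Name is a string of at most 1000 characters.
OBJECT_NAME_MAX_LEN = 1000

# Usage standard: Object Name must not be combined with other speciality fields.
# These tag names are assumptions for this example, not MPE tag names.
SPECIALTY_TAGS = ("session", "process", "url")


@dataclass
class ParsedFields:
    """Metadata a parsing rule produced for one log line."""
    object_value: Optional[str] = None
    object_name: Optional[str] = None
    other: Dict[str, str] = field(default_factory=dict)


# Sample 1: Windows Security 4907, trimmed from the page's sample (constructed excerpt).
WIN_4907 = (
    "<Event><System><EventID>4907</EventID></System><EventData>"
    "<Data Name='ObjectType'>File</Data>"
    "<Data Name='ObjectName'>C:\\Windows\\System32\\autochk.exe</Data>"
    "<Data Name='ProcessName'>C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe</Data>"
    "</EventData></Event>"
)
# ObjectType -> Object; the file name at the end of ObjectName -> Object Name.
# Python named groups stand in for MPE's <object> and <objectname> tags (assumption).
WIN_4907_RE = re.compile(
    r"<EventID>4907</EventID>.*?"
    r"<Data Name='ObjectType'>(?P<object>[^<]+)</Data>.*?"
    r"<Data Name='ObjectName'>(?:[^<]*\\)?(?P<objectname>[^<\\]+)</Data>",
    re.DOTALL,
)

# Sample 2: the Cisco Unified Communications Manager line from this page.
CUCM = (
    "11 09 2009 00:22:45 1.1.1.1 <LOC7:ERRR> 157: : : 125: Nov 09 05:22:03.34 UTC : "
    "%CCM_CALLMANAGER-CALLMANAGER-3-DeviceTypeMismatch: Device type mismatch. "
    "Name of device.:DAV002454654BA Device type.:436 Database device type:435 "
    "App ID:Cisco CallManager Cluster ID:CORP-DP001 Node ID:CORP0004-D31005"
)
# Cluster ID -> Object; Node ID -> Object Name.
CUCM_RE = re.compile(r"Cluster ID:(?P<object>\S+)\s+Node ID:(?P<objectname>\S+)")

# Sample 3: FortiGate IPS line, trimmed from the page's sample (constructed excerpt).
FORTI_IPS = (
    'date=2016-08-21,time=02:17:46,type=utm,subtype=ips,action=detected,'
    'ref="http://www.fortinet.com/ids/VID5555",crscore=10'
)
# A deliberately wrong rule: it puts the ref domain into Object Name with no Object,
# which is the misuse the Ambiguous Examples section describes.
FORTI_REF_RE = re.compile(r'ref="https?://(?P<objectname>[^/"]+)')


def parse(rule: re.Pattern, line: str) -> ParsedFields:
    """Apply one rule to one line and split its named groups into the field model."""
    m = rule.search(line)
    if m is None:
        return ParsedFields()
    groups = {k: v for k, v in m.groupdict().items() if v is not None}
    return ParsedFields(
        object_value=groups.pop("object", None),
        object_name=groups.pop("objectname", None),
        other=groups,
    )


def check_object_name_usage(p: ParsedFields) -> List[str]:
    """Return the usage-standard violations for a parsed line (empty list means OK)."""
    problems: List[str] = []
    if p.object_name is None:
        return problems  # Object Name is optional; nothing to check
    if p.object_value is None:
        problems.append("Object Name parsed without Object")
    if len(p.object_name) > OBJECT_NAME_MAX_LEN:
        problems.append(f"Object Name exceeds {OBJECT_NAME_MAX_LEN} characters")
    for tag in SPECIALTY_TAGS:
        if tag in p.other:
            problems.append(f"Object Name combined with specialty field '{tag}'")
    return problems


def review(rule: re.Pattern, line: str):
    """Parse a line and return (fields, problems) for a quick rule review."""
    p = parse(rule, line)
    return p, check_object_name_usage(p)


if __name__ == "__main__":
    for name, rule, line in (("Windows 4907", WIN_4907_RE, WIN_4907),
                             ("Cisco CUCM", CUCM_RE, CUCM),
                             ("FortiGate ref", FORTI_REF_RE, FORTI_IPS)):
        p, problems = review(rule, line)
        print(f"{name}: Object={p.object_value!r} ObjectName={p.object_name!r} "
              f"problems={problems or 'none'}")
```

Running the script reports Object/Object Name for the Windows and Cisco lines with no problems, and flags the FortiGate rule with "Object Name parsed without Object"; per the page, that URL belongs in the Vendor Information field instead. The same `check_object_name_usage` function can be pointed at any rule's parse results across a device family's samples to catch Object Name being filled before Object.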