
Object Type [7.2]

The resource type (file type) referenced or impacted by the activity reported in the log, specifically the type of the value parsed into Object. Object Type is a categorization field; by contrast, Object Name is a specific description (for example, a friendly name) of the value in Object.

This field is not available in LogRhythm versions earlier than 7.2.1.

Data Type

String (0-512 characters, 64 average characters) 

Aliases

  • Client Console Full Name: Object Type
  • Client Console Short Name: Object Type
  • Web Console Tab/Name: Application/Object Type
  • Elasticsearch Field Name: objectType
  • Rule Builder Column Name: ObjectType
  • Regex Pattern: <objecttype>
  • NetMon Name: Not applicable

Field Relationships

  • Object Type is a categorization of the resource described in Object.
  • Object Type is a broader classification whereas Object Name is a specific name or description.

Common Applications

  • AV software
  • HTTP access logs

Use Case

Sub-classification of the resource in Object when the event type alone is not specific enough.

MPE/Data Masking Manipulations

Not applicable.

Usage Standards

  • Object Type does not require an Object. For example, a file scanner might create a log looking for .gif and not find any. The Object Type would be GIF, but there is no Object because no files were found.
  • Do not use Object Type with any other specialty field, such as Hash, Process, Subject, and so on. Object Type only applies to Object. 

Examples

  • HTTP access log: Object Type could contain the MIME type of the requested file(s).
  • Windows Security Event Log

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4907</EventID><Version>0</Version><Level>Information</Level><Task>Audit Policy Change</Task><Opcode>Info</Opcode><Keywords>Audit Success</Keywords><TimeCreated SystemTime='2016-02-26T06:56:10.852896900Z'/><EventRecordID>228903233</EventRecordID><Correlation/><Execution ProcessID='752' ThreadID='768'/><Channel>Security</Channel><Computer>USLT0775JCROW.schq.safaware.com</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>SAFAWARErecordflow\julian.crowley</Data><Data Name='SubjectUserName'>julian.crowley</Data><Data Name='SubjectDomainName'>SAFAWARE</Data><Data Name='SubjectLogonId'>0x10be75</Data><Data Name='ObjectServer'>Security</Data><Data Name='ObjectType'>File</Data><Data Name='ObjectName'>C:\Windows\System32\autochk.exe</Data><Data Name='HandleId'>0xb0</Data><Data Name='OldSd'>S:AI</Data><Data Name='NewSd'>S:(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data><Data Name='ProcessId'>0x3298</Data><Data Name='ProcessName'>C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data></EventData></Event>

In this case, Object is autochk.exe and File parses into Object Type. Object Name is blank even though the source log has a field literally called ObjectName: that field holds the path to the file, which is what populates Object, not a friendly description of it. If the log carried a field such as "Auto check process" or some other expanded description or friendly name of the object, that value would parse into Object Name.

  • MS Forefront TMG Web Proxy

1.1.1.1 anonymous Windows-Update-Agent Y 2014-12-22 17:45:02 w3proxy APPGATEDR - - 1.1.1.1 80 31 221 359 http TCP HEAD http://ds.download.windowsupdate.com/v11/2/microsoftupdate/redir/v6-muauth.cab?14546421745 application/octet-stream Inet 200 0x40800000 [System] Allow all HTTP traffic from Forefront TMG to all networks (for CRL downloads) Req ID: 11c05fb1; Compression: client=No, server=No, compress rate=0% decompress rate=0% Local Host External 0x180 Allowed 2014-12-22 17:45:02 - - - - Allowed Malware Inspection Disabled for the Matching Policy Rule Unknown - - 0 - 0 - - - - - - 0 0 - 0 - - Feature disabled None ds.download.windowsupdate.com 50937 -

application/octet-stream parses into Object Type, and v6-muauth.cab (the file name from the request URL) parses into Object, where the parser can isolate it. No Object Name is parsed.

  • Trend Micro Deep Discovery Inspector

06 05 2016 01:04:09 1.1.1.1 <LOC3:INFO> CEF:0|Trend Micro|Deep Discovery Inspector|3.82.1133|200127|Notable Characteristics of the analyzed sample|6|rt=Jun 05 2016 03:03:49 GMT+04:00 dvc=1.1.1.1 dvchost=uascdiscover.merto.uasc.corp dvcmac=00:00:00:00:00:00 deviceExternalId=4449875B3A-46561482-3301-FCA4-11156 fname=recordflow.exe fileHash=9B822B964971D32EC4C97920CDD0D4620F767BC8107D2F fileType=WIN32 EXE fsize=905216 cs1Label=PolicyCategory cs1=Autostart or other system reconfiguration msg=Key: HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\ve9375CFF0413d11d3B88A00104B2A6676\\\nValue: \nType: REG_NONE cs3Label=SandboxImageType cs3=UASC2 cs2Label=PolicyName cs2=Modifies important registry entries to perform rogue functions

WIN32 EXE parses into Object Type, recordflow.exe parses into Object, and the registry key named in the msg field parses into Object Name.

  • Cylance Protect

08 23 2016 08:39:29 1.1.1.1 <SLOG:WARN> 1 2016-08-23T13:39:12.2911991Z sysloghost CylancePROTECT - - - Event Type: Threat, Event Name: threat_changed, Device Name: USABLDRRECFLOW01, IP Address: (1.1.1.1), File Name: creative Host77, Path: c:\program files (x86)\adobe\adobe creative cloud\acc\, Drive Type: Internal Hard Drive, SHA256: 8050FE3DCA43D594611492AA149AF09FC9669149602BB2945AFEA4148A24B175, MD5: 59E0D058686BD35B0D5C02A4FD8BD0E0, Status: Abnormal, Cylance Score: 100, Found Date: 8/3/2016 4:22:21 PM, File Type: Executable, Is Running: True, Auto Run: False, Detected By: FileWatcher

Executable parses into Object Type, and creative Host77 parses into Object.
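The following is an added example, not LogRhythm's own MPE rules or any code from this page: it applies the Usage Standards above to each of the four sample logs in this section and returns the Object Type, Object and Object Name that the text says should be parsed. The sample strings are constructed, trimmed copies of the logs quoted above; the parsing approach (a MIME-type token match for the TMG line, a key=value regex for the CEF extension, "Key: Value" pairs for Cylance) is the author's choice for illustration, and the fields() helper returns None for any slot that is not populated, because an Object Type never requires an Object.

```python
"""Vendor fields mapped onto LogRhythm's Object, Object Type and Object Name.

Added example, not LogRhythm's own MPE rules: each parser applies this page's
usage standards to one of the page's sample logs. The sample strings are
constructed from those logs, trimmed to the fields that matter here.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

WIN_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
MIME_RE = re.compile(r"^[a-z]+/[a-z0-9.+-]+$")        # e.g. application/octet-stream
CEF_KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")    # key=value; values may contain spaces

# Constructed samples (trimmed copies of the logs quoted on this page).
WINDOWS_4907 = r"""<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing'/><EventID>4907</EventID><Channel>Security</Channel></System><EventData><Data Name='ObjectServer'>Security</Data><Data Name='ObjectType'>File</Data><Data Name='ObjectName'>C:\Windows\System32\autochk.exe</Data><Data Name='ProcessName'>C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data></EventData></Event>"""
TMG_PROXY = ("1.1.1.1 anonymous Windows-Update-Agent Y 2014-12-22 17:45:02 w3proxy APPGATEDR - - 1.1.1.1 80 31 221 359 "
             "http TCP HEAD http://ds.download.windowsupdate.com/v11/2/microsoftupdate/redir/v6-muauth.cab?14546421745 "
             "application/octet-stream Inet 200 0x40800000 Allowed")
CEF_DDI = (r"06 05 2016 01:04:09 1.1.1.1 <LOC3:INFO> CEF:0|Trend Micro|Deep Discovery Inspector|3.82.1133|200127|"
           r"Notable Characteristics of the analyzed sample|6|rt=Jun 05 2016 03:03:49 GMT+04:00 dvc=1.1.1.1 "
           r"fname=recordflow.exe fileHash=9B822B964971D32EC4C97920CDD0D4620F767BC8107D2F fileType=WIN32 EXE "
           r"fsize=905216 cs1Label=PolicyCategory cs1=Autostart or other system reconfiguration "
           r"msg=Key: HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem"
           r"\\Profiles\\Outlook\\ve9375CFF0413d11d3B88A00104B2A6676\\\nValue: \nType: REG_NONE cs3Label=SandboxImageType cs3=UASC2")
CYLANCE = (r"08 23 2016 08:39:29 1.1.1.1 <SLOG:WARN> 1 2016-08-23T13:39:12.2911991Z sysloghost CylancePROTECT - - - "
           r"Event Type: Threat, Event Name: threat_changed, Device Name: USABLDRRECFLOW01, IP Address: (1.1.1.1), "
           r"File Name: creative Host77, Path: c:\program files (x86)\adobe\adobe creative cloud\acc\, "
           r"Drive Type: Internal Hard Drive, Status: Abnormal, Cylance Score: 100, File Type: Executable, "
           r"Is Running: True, Auto Run: False, Detected By: FileWatcher")


def fields(object_type=None, obj=None, object_name=None):
    """Object Type never requires an Object, so any slot may legitimately be None."""
    return {"objectType": object_type or None, "object": obj or None, "objectName": object_name or None}


def parse_windows_event(xml_text):
    """Security event XML: ObjectType -> Object Type; file name from ObjectName -> Object.
    The event carries no friendly description of the file, so Object Name stays empty."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.iter(WIN_NS + "Data")}
    path = data.get("ObjectName", "")
    return fields(data.get("ObjectType"), path.replace("\\", "/").rsplit("/", 1)[-1])


def parse_tmg_proxy(line):
    """Forefront TMG W3C line: MIME type token -> Object Type; file name in the URL -> Object."""
    tokens = line.split()
    mime = next((t for t in tokens if MIME_RE.match(t)), None)
    url = next((t for t in tokens if t.startswith(("http://", "https://"))), None)
    return fields(mime, urlsplit(url).path.rsplit("/", 1)[-1] if url else None)


def cef_unescape(value):
    r"""CEF extension escapes: \\ -> \, \= -> =, \n -> newline. Single pass, so an
    escaped backslash followed by a literal n is not turned into a newline."""
    return re.sub(r"\\(.)", lambda m: "\n" if m.group(1) == "n" else m.group(1), value)


def parse_cef(line):
    """Deep Discovery Inspector CEF: fileType -> Object Type; fname -> Object;
    the registry key on the first line of msg -> Object Name."""
    ext = line[line.index("CEF:"):].split("|", 7)[7]          # 7 pipe-separated header fields, then the extension
    kv = {m.group(1): cef_unescape(m.group(2)) for m in CEF_KV_RE.finditer(ext)}
    first_line = kv["msg"].splitlines()[0] if kv.get("msg") else ""
    reg_key = first_line.partition("Key: ")[2].rstrip("\\")
    return fields(kv.get("fileType"), kv.get("fname"), reg_key)


def parse_cylance(line):
    """CylancePROTECT syslog: File Type -> Object Type; File Name -> Object."""
    body = line[line.index("Event Type:"):]
    kv = dict(part.split(": ", 1) for part in body.split(", ") if ": " in part)
    return fields(kv.get("File Type"), kv.get("File Name"))


def normalize_samples():
    """Run each parser over its sample; returns the three fields per source."""
    return {
        "windows": parse_windows_event(WINDOWS_4907),
        "tmg": parse_tmg_proxy(TMG_PROXY),
        "cef": parse_cef(CEF_DDI),
        "cylance": parse_cylance(CYLANCE),
    }


if __name__ == "__main__":
    for source, parsed in normalize_samples().items():
        print(f"{source:8} {parsed}")
```

Note that the Windows parser deliberately does not copy the event's own ObjectName field into Object Name: per the standards above, that field holds the path (the Object), and Object Name is reserved for a friendly description, which none of these four sources provides except the registry key in the Deep Discovery msg field.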
