
Policy [7.2]

The specific policy referenced (for example, Firewall or Proxy) in a log message.

This field is not available in LogRhythm versions earlier than 7.2.1.

  • Data Type: String
  • Aliases: UseAlias
  • Client Console Full Name: Policy
  • Client Console Short Name: Policy
  • Web Console Tab/Name: Policy
  • Elasticsearch Field Name: policy
  • Rule Builder Column Name: Policy
  • Regex Pattern: <policy>
  • NetMon Name: Not applicable

Field Relationships

  • Group
  • Login
  • Account
  • Domain
  • Object (disambiguation: policy was historically stored in the Object field in some cases)

Common Applications

  • Firewall
  • Antivirus
  • IDS/IPS
  • Directory
  • Vulnerability scanners
  • Audit tools
  • Proxies
  • IT management

Use Case

  • Tracking group policy
  • Correlating AV and vulnerability scanners
  • Compliance
  • Policy violations

MPE/Data Masking Manipulations

Not applicable.

Usage Standards

  • Only store Policy values that are explicitly called out in the log.
  • Policy synonyms (for example, Standard) may also be stored.
  • If the log defines several different policy types, capture the broadest one.

Examples

  • Sourcefire IDS

10 02 2016 20:30:22 1.1.1.1 <LOC6:WARN> Oct  2 23:27:07 mtl-corp-sen-01 CORPvDC: Protocol: TCP, SrcIP: 1.1.1.1, DstIP: 1.1.1.1, SrcPort: 54217, DstPort: 443, TCPFlags: 0x0, IngressInterface: s1p6, EgressInterface: s1p5, IngressZone: Ingress_CORP_recflow_FROM_NX, EgressZone: Egress_CORP_recflow_TO_ASA, DE: Primary Detection Engine (f20ae1fc-2be2-22e3-9bcc-2222222222222), Policy: RECFLOW_CORP_Sensor, ConnectType: End, AccessControlRuleName: Rules_Inspection_CORP_RF_Log, AccessControlRuleAction: Allow, UserName: No Authentication Required, Client: SSL client, ApplicationProtocol: HTTPS, WebApplication: recflow, InitiatorPackets: 9, ResponderPackets: 9, InitiatorBytes: 1017, ResponderBytes: 4258, NAPPolicy: RF_CORP_PREPROCESSORS, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown, URL: https://www.recordflow.biz

Policy is parsed here because it is explicitly called out. NAPPolicy can be left unparsed because the log already provides a broader policy name field.

  • Sourcefire IDS

05 22 2014 06:12:49 1.1.1.1 <SLOG:ERRR> 2014-05-22 10:12:47.494 recmetric:SOURCE[recflow.Host4]:REC2604E:[ALARM] Policy[ForTheRecord-Media] User[recflow\Domain Usersrecflowusers,Medium Mandatory Level@Mandatory Label...\ercflow,Host4] Process[\SystemRoot\System32\Host2] Action[read_dir] Res[M:\Media\QueryBuilder]  Effect[DENIED Code (1U,2U,3U,4U,5U,6U,7U,8U,9U,10U,11U,12P,13P,14U,15U,16U,17A,18U,19M)]

ForTheRecord-Media is parsed into Policy because it is explicitly called out.
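As an added illustration that is not part of the LogRhythm documentation, the Python script below applies the usage standards above to the two sample logs: it captures only the explicitly called-out Policy key (in either the "Policy: value" or "Policy[value]" layout) and leaves NAPPolicy unparsed. The sample lines are trimmed copies of the page's examples, and the function names are this example's own.

```python
import re

# Constructed sample lines, trimmed from the two examples on this page so the
# relevant keys stay visible; the field values are the page's own.
SOURCEFIRE_CONN = (
    "Oct  2 23:27:07 mtl-corp-sen-01 CORPvDC: Protocol: TCP, SrcIP: 1.1.1.1, "
    "DstIP: 1.1.1.1, Policy: RECFLOW_CORP_Sensor, ConnectType: End, "
    "AccessControlRuleName: Rules_Inspection_CORP_RF_Log, "
    "NAPPolicy: RF_CORP_PREPROCESSORS, URL: https://www.recordflow.biz"
)
RECMETRIC_ALARM = (
    "recmetric:SOURCE[recflow.Host4]:REC2604E:[ALARM] Policy[ForTheRecord-Media] "
    "Process[\\SystemRoot\\System32\\Host2] Action[read_dir] Effect[DENIED]"
)

# One pattern covering both layouts seen on this page: "Policy: value," and
# "Policy[value]". The leading \b is what keeps NAPPolicy out: there is no
# word boundary between "NAP" and "Policy", so only the explicitly called-out
# key matches, as the usage standards require.
POLICY_RE = re.compile(r"\bPolicy(?::\s*(?P<kv>[^,]+)|\[(?P<bracket>[^\]]+)\])")


def extract_policy(line: str):
    """Return the explicitly called-out Policy value, or None if there is none.

    If a log carries several explicit Policy keys, the first one is returned;
    choosing the broadest of them is a per-log-source decision for the rule
    author that a generic regex cannot encode.
    """
    match = POLICY_RE.search(line)
    if match is None:
        return None
    value = match.group("kv") or match.group("bracket")
    return value.strip()


def policy_like_keys(line: str):
    """List every key ending in 'Policy' (for example NAPPolicy) so a rule
    author can see which candidates were present but deliberately unparsed."""
    return re.findall(r"(\w*Policy)(?=[:\[])", line)


if __name__ == "__main__":
    for sample in (SOURCEFIRE_CONN, RECMETRIC_ALARM):
        print(extract_policy(sample), "candidates:", policy_like_keys(sample))
```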
