Result is for the outcome of a command operation or action. For example, the result of "quarantine" might be "success."
This field is not available in LogRhythm versions earlier than 7.2.1.
Client Console Full Name | Client Console Short Name | Web Console Tab/Name | Elasticsearch Field Name | Rule Builder Column Name
- Action. The Action should be what generated the result.
- Command. A Command could also be a generator of a result.
- Status. Status is similar to Result, but reserved for explicitly defined result values. Result is an outcome, whereas a Status can be independent of the action.
- Endpoint protection such as CarbonBlack or Cylance
- Determining whether an action or command succeeded or failed, and validating normal operational processes.
- Monitoring backup processes to see if they were successful.
MPE/Data Masking Manipulations
- Result is the outcome of an occurrence and should be tied to a command, action, or policy.
- Result should not contain industry standard response codes such as HTTP response codes.
- If given a choice, use VMID/Vendor Info if the log is just a message and not tied to an action/command. Use Result if the log contains a clear action/command. For example, VMID/Vendor Info might be tied to "Attempted quarantine" and the result might be "success."
- Do not take the word "result" in the log literally. The value it labels could be a Result, a VMID, or a Status.
- F5 BIG-IP ASM
03 22 2012 14:19:54 a4eg01-1-admi <LOC1:NOTE> Mar 22 14:19:54 USABLDRRECFLOW01 local/ USABLDRRECFLOW01-1 notice apd: 01490102:5: de71deef: Access policy result: Network_Access
"Access policy result" shows Network_Access as the outcome of a policy being applied. Network_Access parses into Result.
- Vamsoft ORF
01 27 2013 18:54:25 220.127.116.11 <MAIL:INFO> Jan 27 18:52:57 fe80::1111:11e1:31111:dsfsd%13 ORFEE: SRC:SMTPSVC-1,CLASS:Blacklist,ACT:Reject,FP: OnArrival,IP:18.104.22.168,SND:no-reply@Host34,RCPT: pstore@Host2;agent414@Host2,TEXT:Email blacklisted by the SPF test (sender forged per policy of "Host34", SPF result: Fail).
Fail or SPF Fail parses into Result, reject from the ACT field parses into Action, and Blacklist or Sender Forged parses into Policy.
- Windows Event Log – Trend Micro AV
<Event xmlns='http://Host3/win/2004/08/events/event'><System><Provider Name='Trend Micro OfficeScan Server'/><EventID Qualifiers='32773'>600</EventID><Level>Warning</Level><Task>System</Task><Keywords>Classic</Keywords><TimeCreated SystemTime='2016-07-26T22:37:03.000000000Z'/><EventRecordID>152848</EventRecordID><Channel>Application</Channel><Computer>Host2</Computer><Security UserID='NT AUTHORITY\SYSTEM'/></System><EventData>Virus/Malware: Unauthorized File Encryption
File: \\safaware\thinnerapp\lotusnotes\bin\lotus Host1
Date/Time: 7/26/2016 18:35:25
Result: Virus successfully detected, cannot perform the Quarantine action
This shows the result of the AV scan and of the attempted remediation action (Quarantine). The text following "Result:" parses into Result.
- Cisco IDS/IPS
<evStatus eventId="1332222222222228024371874" vendor="Cisco" xmlns="<result status="true"></result></autoUpgradeServerCheck></evStatus>> USABLDRRECFLOW01</hostId><appName>mainApp</appName><appInstanceId>1260</appInstanceId></originator><time offset="-300" timeZone="GMT-06:00">1345793398595703000</time><autoUpgradeServerCheck><uri> </packageFileName>
This is a Result rather than a Status because it represents the outcome of a task or operation (the auto-upgrade server check). Status represents a state independent of any operation being performed. AutoUpgradeServerCheck may parse into Action.
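The parsing guidelines above, applied to the page's own sample logs, as an added worked example (this is not LogRhythm's MPE rule syntax or code; it is a stand-alone Python illustration). The regular expressions, the `Parsed` dataclass, and the `HTTP-SAMPLE` log line are constructed for this example; the F5, ORF and Trend Micro inputs are abbreviated from the examples on this page. Named regex groups map onto the Result, Action and Policy fields, and a check enforces the guideline that a bare industry-standard response code (such as an HTTP status) must not land in Result.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Pattern, Tuple

@dataclass
class Parsed:
    """Subset of metadata fields relevant to the Result guidance (assumed names)."""
    result: Optional[str] = None
    action: Optional[str] = None
    policy: Optional[str] = None

# Constructed sample inputs, abbreviated from the examples on this page.
F5_LOG = ("notice apd: 01490102:5: de71deef: Access policy result: Network_Access")
ORF_LOG = ('ORFEE: SRC:SMTPSVC-1,CLASS:Blacklist,ACT:Reject,FP: OnArrival,IP:18.104.22.168,'
           'SND:no-reply@Host34,RCPT: pstore@Host2,TEXT:Email blacklisted by the SPF test '
           '(sender forged per policy of "Host34", SPF result: Fail).')
TREND_LOG = ("Virus/Malware: Unauthorized File Encryption\n"
             "File: \\\\safaware\\thinnerapp\\lotusnotes\\bin\\lotus Host1\n"
             "Date/Time: 7/26/2016 18:35:25\n"
             "Result: Virus successfully detected, cannot perform the Quarantine action")
# Constructed line that would wrongly put an HTTP status code into Result.
HTTP_SAMPLE_LOG = "HTTP-SAMPLE method=GET path=/login result=404"

# Each rule: (source name, regex). Named groups are the target fields.
RULES: List[Tuple[str, Pattern[str]]] = [
    # F5 BIG-IP ASM: the value after "Access policy result:" is the Result.
    ("F5 BIG-IP ASM",
     re.compile(r"Access policy result: (?P<result>\S+)")),
    # Vamsoft ORF: ACT -> Action, CLASS -> Policy, "SPF result: Fail" -> Result.
    ("Vamsoft ORF",
     re.compile(r"ORFEE: .*?CLASS:(?P<policy>[^,]+),ACT:(?P<action>[^,]+),"
                r".*?SPF result: (?P<result>\w+)")),
    # Trend Micro OfficeScan: the whole "Result:" text is the Result; the
    # remediation action it names (Quarantine) is the Action.
    ("Trend Micro OfficeScan",
     re.compile(r"Result: (?P<result>.*?(?P<action>Quarantine)[^\n]*)")),
    # Constructed HTTP-style rule, present only to show the response-code check.
    ("HTTP sample (constructed)",
     re.compile(r"HTTP-SAMPLE .*?result=(?P<result>\d{3})")),
]

RESPONSE_CODE = re.compile(r"^\d{3}$")

def looks_like_response_code(value: str) -> bool:
    """True when a candidate Result is a bare three-digit code (e.g. HTTP 200/404).
    Guideline: such industry-standard codes do not belong in Result."""
    return bool(RESPONSE_CODE.match(value.strip()))

def parse(log: str) -> Optional[Parsed]:
    """Apply the first matching rule and return the extracted fields.

    Raises ValueError if the rule would place a response code into Result,
    so the rule author notices the mis-mapping instead of shipping it.
    """
    for source, rx in RULES:
        m = rx.search(log)
        if not m:
            continue
        fields = {k: v.strip() for k, v in m.groupdict().items() if v}
        if "result" in fields and looks_like_response_code(fields["result"]):
            raise ValueError(f"{source}: Result would hold a bare response code "
                             f"{fields['result']!r}; map it to a response-code field instead")
        return Parsed(**fields)
    return None

if __name__ == "__main__":
    for name, log in [("F5", F5_LOG), ("ORF", ORF_LOG), ("Trend Micro", TREND_LOG)]:
        print(name, parse(log))
    try:
        parse(HTTP_SAMPLE_LOG)
    except ValueError as exc:
        print("rejected:", exc)
```

Running the script prints the Result/Action/Policy triple for each of the three page examples and shows the constructed HTTP line being rejected, which is the behaviour the "no industry standard response codes in Result" guideline calls for.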