Result [7.2]
Result captures the outcome of a command, operation, or action. For example, the result of "quarantine" might be "success."
This field is not available in LogRhythm versions earlier than 7.2.1.
Data Type
String
Aliases
| Use | Alias |
|---|---|
| Client Console Full Name | Result |
| Client Console Short Name | Result |
| Web Console Tab/Name | Result |
| Elasticsearch Field Name | result |
| Rule Builder Column Name | Result |
| Regex Pattern | <result> |
| NetMon Name | Not applicable |
Field Relationships
- Action. The Action is normally what generated the Result.
- Command. A Command can also generate a Result.
- Status. Status is similar to Result but is reserved for explicitly defined result values. A Result is the outcome of an action, whereas a Status can be a state independent of any action.
Common Applications
- Endpoint protection such as CarbonBlack or Cylance
- IDS/IPS
Use Case
- Determining whether an action or command succeeded or failed, and validating normal operational processes.
- Monitoring backup processes to see if they were successful.
MPE/Data Masking Manipulations
Not applicable.
Usage Standards
- Result is the outcome of an occurrence and should be tied to a command, action, or policy.
- Result should not contain industry-standard response codes such as HTTP response codes.
- If given a choice, use VMID/Vendor Info when the log is just a message and is not tied to an action or command. Use Result when the log contains a clear action or command. For example, VMID/Vendor Info might be tied to "Attempted quarantine" and the Result might be "success."
- Do not assume that a field the log labels "result" maps to Result. Depending on the source, that value may belong in Result, in VMID/Vendor Info, or in Status.
Examples
- F5 BIG-IP ASM
03 22 2012 14:19:54 a4eg01-1-admi <LOC1:NOTE> Mar 22 14:19:54 USABLDRRECFLOW01 local/ USABLDRRECFLOW01-1 notice apd[4096]: 01490102:5: de71deef: Access policy result: Network_Access
The access policy result shows Network_Access as the outcome of the policy being applied; Network_Access parses into Result.
- Vamsoft ORF
01 27 2013 18:54:25 1.1.1.1 <MAIL:INFO> Jan 27 18:52:57 fe80::1111:11e1:31111:dsfsd%13 ORFEE: SRC:SMTPSVC-1,CLASS:Blacklist,ACT:Reject,FP: OnArrival,IP:1.1.1.1,SND:no-reply@Host34,RCPT: pstore@Host2;agent414@Host2,TEXT:Email blacklisted by the SPF test (sender forged per policy of "Host34", SPF result: Fail).
Fail (or SPF Fail) parses into Result, Reject from the ACT field parses into Action, and Blacklist (or Sender Forged) parses into Policy.
- Windows Event Log – Trend Micro AV
<Event xmlns='http://Host3/win/2004/08/events/event'><System><Provider Name='Trend Micro OfficeScan Server'/><EventID Qualifiers='32773'>600</EventID><Level>Warning</Level><Task>System</Task><Keywords>Classic</Keywords><TimeCreated SystemTime='2016-07-26T22:37:03.000000000Z'/><EventRecordID>152848</EventRecordID><Channel>Application</Channel><Computer>Host2</Computer><Security UserID='NT AUTHORITY\SYSTEM'/></System><EventData>Virus/Malware: Unauthorized File Encryption
Endpoint: USABLDRRECFLOW01
Domain: safaware\
File: \\safaware\thinnerapp\lotusnotes\bin\lotus Host1
Date/Time: 7/26/2016 18:35:25
Result: Virus successfully detected, cannot perform the Quarantine action
</EventData></Event>
Shows the result of an AV scan together with the attempted remediation action, Quarantine; the Result line parses into Result.
- Cisco IDS/IPS
<evStatus eventId="1332222222222228024371874" vendor="Cisco" xmlns="http://www.cisco.com/cids/2006/08/cidee"><originator><hostId>USABLDRRECFLOW01</hostId><appName>mainApp</appName><appInstanceId>1260</appInstanceId></originator><time offset="-300" timeZone="GMT-06:00">1345793398595703000</time><autoUpgradeServerCheck><uri>http://breon.moore@1.1.1.1//swc/esd/06/273556262/contract/</uri><packageFileName>recordflowconsole.pkg</packageFileName><result status="true"></result></autoUpgradeServerCheck></evStatus>
The status="true" value of the result element parses into Result. This is a Result rather than a Status because it represents the outcome of a task or operation (the upgrade server check); a Status represents a state independent of any operation being performed. autoUpgradeServerCheck may parse into Action.
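The Usage Standards and the examples above draw several distinctions: an ACT field maps to Action while the SPF outcome maps to Result, an AV result line can also carry the attempted remediation action, an XML status="true" attribute is an outcome and therefore a Result, and an HTTP response code never belongs in Result even when the log labels it "result". The following added Python example walks through those distinctions on sample lines. It is not LogRhythm code and does not use MPE rule syntax; the sample lines are constructed from the examples above (with the page's placeholder hosts and IPs), and the named-group regexes, the web-server line, and the function names are assumptions made for this illustration.

```python
"""Parse Result, Action and Policy from sample logs per the Usage Standards above."""
import re
from typing import Dict, List, Tuple

# Constructed sample lines derived from the examples on this page (hosts/IPs are the page's placeholders).
SAMPLES: Dict[str, str] = {
    "f5": ("Mar 22 14:19:54 USABLDRRECFLOW01 notice apd[4096]: 01490102:5: de71deef: "
           "Access policy result: Network_Access"),
    "orf": ('ORFEE: SRC:SMTPSVC-1,CLASS:Blacklist,ACT:Reject,FP: OnArrival,IP:1.1.1.1,'
            'SND:no-reply@Host34,RCPT: pstore@Host2;agent414@Host2,TEXT:Email blacklisted by '
            'the SPF test (sender forged per policy of "Host34", SPF result: Fail).'),
    "trend": ("Virus/Malware: Unauthorized File Encryption\nEndpoint: USABLDRRECFLOW01\n"
              "Result: Virus successfully detected, cannot perform the Quarantine action"),
    "cisco": ('<autoUpgradeServerCheck><uri>http://1.1.1.1/swc/esd/</uri>'
              '<result status="true"></result></autoUpgradeServerCheck>'),
    # Constructed web-server line (assumption): its "result" is an HTTP response code.
    "web": "GET /index.html result=404",
}

# One pattern per source. Named groups play the role of the <result>, <action> and
# <policy> tags in the Regex Pattern table above; the patterns themselves are assumptions.
RULES: Dict[str, re.Pattern] = {
    # F5: the word "result" in the log really is the outcome of the access policy.
    "f5": re.compile(r"Access policy result: (?P<result>\S+)"),
    # ORF: ACT is the Action, CLASS the Policy, and the SPF outcome the Result.
    "orf": re.compile(r"CLASS:(?P<policy>[^,]+),ACT:(?P<action>[^,]+),.*SPF result: (?P<result>\w+)"),
    # Trend Micro: the Result line also names the attempted remediation action (nested group).
    "trend": re.compile(r"^Result: (?P<result>.*?cannot perform the (?P<action>\w+) action)", re.M),
    # Cisco: status="true" is the outcome of the check, so it is a Result, not a Status.
    "cisco": re.compile(r'<(?P<action>autoUpgradeServerCheck)>.*?<result status="(?P<result>\w+)"'),
    # Web: a literal "result" token that must be rejected by the usage check below.
    "web": re.compile(r"result=(?P<result>\d{3})"),
}

HTTP_CODE = re.compile(r"^[1-5]\d{2}$")  # 100-599


def parse(source: str, line: str) -> Dict[str, str]:
    """Apply the rule for `source` and return the populated named groups."""
    match = RULES[source].search(line)
    if not match:
        return {}
    return {name: value for name, value in match.groupdict().items() if value}


def apply_usage_standards(fields: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Drop a Result that violates the standards and report why (here: HTTP response codes)."""
    cleaned = dict(fields)
    problems: List[str] = []
    result = cleaned.get("result")
    if result is not None and HTTP_CODE.match(result):
        problems.append(f"Result '{result}' is an HTTP response code; Result must not hold it")
        del cleaned["result"]
    return cleaned, problems


def parse_all() -> Dict[str, Tuple[Dict[str, str], List[str]]]:
    """Parse every sample and run the usage check; returns {source: (fields, problems)}."""
    return {src: apply_usage_standards(parse(src, line)) for src, line in SAMPLES.items()}


if __name__ == "__main__":
    for src, (fields, problems) in parse_all().items():
        print(f"{src:6} {fields} {problems}")
```

Running the module prints one line per source; only the constructed web-server line ends up with an empty field set and a reported problem, because its "result" token is an HTTP response code. The Trend Micro rule shows how one Result string can also yield an Action through a nested group, which is the "attempted remediation action" the example text describes.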