Subject
Originally meant to hold the subject of an email. In the 7.2 schema this field becomes a secondary "category" field that can be used in several ways.
Data Type
String (255 characters maximum)
Aliases
Use | Alias |
---|---|
Client Console Full Name | Subject |
Client Console Short Name | Subject |
Web Console Tab/Name | Subject |
Elasticsearch Field Name | subject |
Rule Builder Column Name | Subject |
Regex Pattern | <subject> |
NetMon Name | Not applicable |
Field Relationships
- Email fields (if email) for context
- Look at VMID, Vendor Info, and other category fields before using Subject
Common Applications
- Proxies
- NGFW
- NetMon
Use Case
- Classifying traffic (for example, secondary family of http traffic destinations).
- Categorizing data within the log, not the actual log message (use VMID, Vendor Info instead).
- UEBA: sub-category of the anomaly type.
MPE/Data Masking Manipulations
Not applicable.
Usage Standards
Use Subject as a category field only if another field is not more directly named (for example, Vendor Info).
Incorrect Examples
- Microsoft Event Log
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='MetaFrameEvents'/><EventID Qualifiers='49152'>10001</EventID><Level>Error</Level><Task>None</Task><Keywords>Classic</Keywords><TimeCreated SystemTime='2016-07-20T07:13:01.000000000Z'/><EventRecordID>5950393</EventRecordID><Channel>Application</Channel><Computer> USABLDRRECFLOW01</Computer><Security/></System><EventData>A usable server cannot be found on which to launch the application. Application: Citrix AppCenter, Client: USABLDRRECFLOW01 (address: 1.1.1.1;;;), User pete.store. Check your worker group definitions and load balancing policies to verify appropriate servers are assigned for Citrix AppCenter. </EventData></Event>
Under the current standard this is incorrect: the event description is parsed into Subject. That text belongs in Vendor Info, which supplants this usage.
- Another Microsoft Event Log
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='MOVEit Central'/><EventID Qualifiers='32768'>3</EventID><Level>Warning</Level><Task>None</Task><Keywords>Classic</Keywords><TimeCreated SystemTime='2016-09-22T01:18:14.000000000Z'/><EventRecordID>1325287</EventRecordID><Channel>Application</Channel><Computer> USABLDRRECFLOW01</Computer><Security/></System><EventData>Task "Symitar Email Notifications": Could not log task end: [Microsoft][SQL Server Native Client 10.0]Communication link failure</EventData></Event>
Here Subject captures the entire EventData string. That is too broad and makes any kind of normalization impossible; the message should be split across several fields, including Object, Action, and Vendor Info.
- Blue Coat Proxy Log
2016-07-21 20:42:18 3148 1.1.1.1 http://www.amazon.com/Travel-Mattress-Healing-Magnetic-Cover/dp/B0029OMC6A RCF\Internet_users 1.1.1.1 1.1.1.1 Unavailable - Host3_exception DENIED "Spam;Malicious Outbound Data/Botnets;Scam/Questionable/Illegal" - 200 TCP_DENIED GET text/html;%20charset=UTF-8 http Host2 80 /Host1 - ico "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" 1.1.1.1 3323 260 - "none" "none" unavailable
Here Subject parses out the web content category. This may be acceptable given that the 7.2 schema broadens the Subject definition to a category field.
- Windows Application Event Log
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-EventSystem' Guid='{899daace-4868-4295-afcd-9eb8fb497561}' EventSourceName='EventSystem'/><EventID Qualifiers='32768'>4609</EventID><Version>0</Version><Level>Warning</Level><Task>Event Service</Task><Opcode></Opcode><Keywords>Classic</Keywords><TimeCreated SystemTime='2016-10-21T14:39:07.000000000Z'/><EventRecordID>1919714</EventRecordID><Correlation/><Execution ProcessID='0' ThreadID='0'/><Channel>Application</Channel><Computer> USABLDRRECFLOW01</Computer><Security/></System><EventData><Data Name='param1'>d:\recflow\com \security.cpp</Data><Data Name='param2'>75</Data><Data Name='param3'>822706e5</Data></EventData></Event>
The return code (param3) parses into Subject for lack of a better field; Response Code should be used for it instead.
- Windows Application Event Log
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='MsiInstaller'/><EventID Qualifiers='0'>11728</EventID><Level>Information</Level><Task>None</Task><Keywords>Classic</Keywords><TimeCreated SystemTime='2016-11-15T18:44:56.000000000Z'/><EventRecordID>38096</EventRecordID><Channel>Application</Channel><Computer> USABLDRRECFLOW01</Computer><Security UserID='SAFAWARE\pete.store'/></System><EventData><Data>Product: LogRhythm Console -- Configuration completed successfully.</Data><Data>(NULL)</Data><Data>(NULL)</Data><Data>(NULL)</Data><Data>(NULL)</Data><Data>(NULL)</Data><Data></Data><Binary>7B38354632314132452D364144432D344638312D38454544211111111111130333237357D</Binary></EventData></Event>
Another example of an event description in Subject; this belongs in Vendor Info.
- Windows Security Event Log
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4656</EventID><Version>1</Version><Level>Information</Level><Task>Removable Storage</Task><Opcode>Info</Opcode><Keywords>Audit Success</Keywords><TimeCreated SystemTime='2016-02-23T00:34:58.244632600Z'/><EventRecordID>7148428</EventRecordID><Correlation/><Execution ProcessID='504' ThreadID='512'/><Channel>Security</Channel><Computer> USABLDRRECFLOW01</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NT AUTHORITY\SYSTEM</Data><Data Name='SubjectUserName'> USABLDRRECFLOW01$</Data><Data Name='SubjectDomainName'>SAFAWARE</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='ObjectServer'>Security</Data><Data Name='ObjectType'>File</Data><Data Name='ObjectName'>\Device\Floppy0</Data><Data Name='HandleId'>0x328</Data><Data Name='TransactionId'>{00000000-0000-0000-0000-000000000000}</Data></EventData></Event>
Removable Storage parses into Subject. Object and Object Name are already in use (File and \Device\Floppy0, respectively). Object Type could be used here instead, possibly rearranging how Object and Object Name are used.
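To make the Usage Standards and the corrections above concrete, the following is an added Python example; it is not LogRhythm MPE rule code and does not come from the page. Python named groups such as `(?P<subject>...)` stand in for the MPE `<subject>` tag pattern. The lowercase field keys, the helper names, the decision to keep the 4609 source file and line in Vendor Info, and the trimmed sample events are all assumptions made for this illustration. Each sample routes its data to the field the page recommends, and Subject only receives the Blue Coat content category, clipped to the 255-character Data Type limit.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by the Windows event XML samples on this page.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Subject is a String(255) per the Data Type section; clip anything longer.
SUBJECT_MAX = 255

# Blue Coat: only the quoted content-category list after the policy action belongs
# in Subject. The action and the numeric status get their own fields.
BLUECOAT_RE = re.compile(
    r'\s(?P<action>[A-Z_]+)\s"(?P<subject>[^"]*)"\s\S+\s(?P<responsecode>\d{3})\s'
)

# MOVEit Central: split the message into Object, Action and Vendor Info rather than
# dropping the whole string into Subject.
MOVEIT_RE = re.compile(
    r'^Task "(?P<object>[^"]+)": (?P<action>[^:]+): (?P<vendorinfo>.+)$'
)


def normalize_bluecoat(line):
    """Return the normalized fields for one Blue Coat access-log line."""
    m = BLUECOAT_RE.search(line)
    if not m:
        return {}
    fields = m.groupdict()
    fields["subject"] = fields["subject"][:SUBJECT_MAX]
    return fields


def _event_parts(xml_text):
    """Pull provider, task, named Data elements and free text out of an event."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    provider = system.find("e:Provider", NS).get("Name")
    task = system.findtext("e:Task", default="", namespaces=NS)
    data = root.find("e:EventData", NS)
    named, unnamed = {}, []
    for d in data.findall("e:Data", NS):
        if d.get("Name"):
            named[d.get("Name")] = d.text or ""
        else:
            unnamed.append(d.text or "")
    description = (data.text or "").strip() or (unnamed[0] if unnamed else "")
    return provider, task, named, description


def normalize_windows_event(xml_text):
    """Route a Windows event to the fields the page recommends instead of Subject."""
    provider, task, named, description = _event_parts(xml_text)

    if provider == "MOVEit Central":
        m = MOVEIT_RE.match(description)
        if m:
            return m.groupdict()

    if provider == "Microsoft-Windows-EventSystem" and "param3" in named:
        # param3 is the return code: Response Code, not Subject. Keeping the
        # source file and line in Vendor Info is an assumption of this example.
        return {"responsecode": named["param3"],
                "vendorinfo": "{}:{}".format(named["param1"], named["param2"])}

    if provider == "Microsoft-Windows-Security-Auditing" and "ObjectType" in named:
        # Page suggestion: Task ("Removable Storage") goes to Object Type, with the
        # event's ObjectType/ObjectName occupying Object and Object Name.
        return {"objecttype": task,
                "object": named["ObjectType"],
                "objectname": named["ObjectName"]}

    # Default: a free-text event description is Vendor Info, never Subject.
    return {"vendorinfo": description}


def _event(provider, task, event_data):
    """Build a minimal event in the page's XML schema (constructed sample)."""
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            '<System><Provider Name="{}"/><Task>{}</Task></System>'
            '<EventData>{}</EventData></Event>').format(provider, task, event_data)


# Constructed samples, trimmed from the page's examples.
BLUECOAT_LINE = (
    '2016-07-21 20:42:18 3148 1.1.1.1 http://www.amazon.com/dp/B0029OMC6A '
    'RCF\\Internet_users 1.1.1.1 1.1.1.1 Unavailable - Host3_exception DENIED '
    '"Spam;Malicious Outbound Data/Botnets;Scam/Questionable/Illegal" - 200 '
    'TCP_DENIED GET text/html http Host2 80 /Host1 - ico "Mozilla/5.0" 1.1.1.1 3323 260'
)
MOVEIT_EVENT = _event("MOVEit Central", "None",
    'Task "Symitar Email Notifications": Could not log task end: '
    '[Microsoft][SQL Server Native Client 10.0]Communication link failure')
EVENTSYSTEM_EVENT = _event("Microsoft-Windows-EventSystem", "Event Service",
    "<Data Name='param1'>d:\\recflow\\com\\security.cpp</Data>"
    "<Data Name='param2'>75</Data><Data Name='param3'>822706e5</Data>")
REMOVABLE_EVENT = _event("Microsoft-Windows-Security-Auditing", "Removable Storage",
    "<Data Name='ObjectType'>File</Data><Data Name='ObjectName'>\\Device\\Floppy0</Data>")
METAFRAME_EVENT = _event("MetaFrameEvents", "None",
    "A usable server cannot be found on which to launch the application. ")

if __name__ == "__main__":
    print(normalize_bluecoat(BLUECOAT_LINE))
    for ev in (MOVEIT_EVENT, EVENTSYSTEM_EVENT, REMOVABLE_EVENT, METAFRAME_EVENT):
        print(normalize_windows_event(ev))
```

The fallback branch is the important design choice: when nothing more specific matches, the free-text description lands in Vendor Info and Subject is left empty, which is exactly the outcome the MetaFrame and MsiInstaller corrections above call for. A second Blue Coat regex or a new provider branch is the natural extension point when another log source needs the same treatment.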