Log-Derived Data
Derived data is generated based on information about the parser (for example, Common Event), on post processing information parsed out of the log (for example, Duration), or contextual information linking the log data to an entity or host (for example, Priority). The following fields are Log-Derived data where the value of the field is not part of the original log.
| Display Field | Description | Associated Data Sources |
|---|---|---|
| Application Tab | ||
| Application | Application derived by IANA protocol and port number or directly assigned in MPE processing settings. | Protocol Number |
| Known Application | Application derived from IANA protocol and port number. If a known application cannot be derived, it is displayed as unknown. | Protocol Name |
| Duration | Duration is a polyfield for capturing time derived. | Time Start |
| Classification Tab | ||
| Classification | Value is determined based on the MPE Rule’s assigned Common Event. Classification choice is a secondary effect of choosing the correct common event for a rule. Each common event has a classification and the classification is automatically associated to the log via the common event selection. | Assigned |
| Common Event | Value is determined based on the MPE Rule’s assigned Common Event. | Assigned |
| Priority | Value is determined based on the Risk-Based Priority (RBP) calculation. | Risk-Based Priority |
| Direction | Indicates the directional flow of data between the Origin Host and the Impacted Host — Inbound, Outbound, Internal, External, or Unknown. | Origin/Impacted Host |
| MPE Rule Name | Name of rule that matched, assigned on rule creation. | Assigned |
| Host Tab | ||
| Host (Origin) | Origin host derived from Origin IP Address, Origin Hostname, or both. | IP Address (Origin) Hostname (Origin) |
| Host (Impacted) | Impacted host derived from Impacted IP Address, Impacted Hostname, or both. | IP Address (Impacted) Hostname (Impacted) |
| Known Host (Origin) | A value determined by mapping parsed origin host identifiers, such as IP address or hostname, to a LogRhythm host record. | IP Address (Origin) Hostname (Origin) LogRhythm Host Record |
| Known Host (Impacted) | A value determined by mapping parsed impacted host identifiers, such as IP address or hostname, to a LogRhythm host record. | IP Address (Impacted) |
| Location Tab | ||
| Entity (Origin) | A value determined based on the origin host's assigned entity. | IP Address (Origin) Hostname (Origin) Entity |
| Entity (Impacted) | A value determined based on the impacted host's assigned entity. | IP Address (Impacted) Hostname (Impacted) Entity |
| Zone (Origin) | A value determined based on the zone of the origin host – Internal, External, DMZ, or Unknown. | IP Address (Origin) |
| Zone (Impacted) | A value determined based on the zone of the impacted host – Internal, External, DMZ, or Unknown. | IP Address (Impacted) |
| Location (Origin) | A value determined by resolving the parsed origin IP address against a Geo-IP database. | IP Address (Origin) |
| Location (Impacted) | A value determined by resolving the parsed impacted IP address against a Geo-IP database. | IP Address (Impacted) |
| Country (Origin) | The country in which the determined origin location exists. | IP Address (Origin) |
| Country (Impacted) | The country in which the determined impacte location exists. | IP Address (Impacted) |
| Log Tab | ||
| Log Date/Normal Date | Timestamp when the log was generated or received, corrected to UTC. | Agent |
| Log Count | The number of identical log messages received. | Agent |
| Log Source Entity | The entity to which the log source belongs. | Agent |
| Log Source Type | The device or application from which a log was received. | Agent |
| Log Source Host | The origin host from which the log was received. | Agent |
| Log Source | The assigned name of a log source. | Agent |
| Log Sequence Number | The sequence in which a log was collected, generated by the Agent. | Agent |
| Log Message | The raw log message. | Agent |
| First Log Date | Timestamp when the first identical log message was received. | Agent |
| Last Log Date | Timestamp when the last identical log message was received. | Agent |
| Network Tab | ||
| Network (Origin) | A value determined by mapping the origin IP address to a LogRhythm network record. | IP Address (Origin) LogRhythm Network Record |
| Network (Impacted) | A value determined by mapping the impacted IP address to a LogRhythm network record. | IP Address (Impacted) |