LogRhythm Schema Dictionary and Guide

This schema guide contains descriptions of every field, including the intent for the field, guidance for how to parse data into the field, use cases for each field, and sample logs showing correct, incorrect, and ambiguous examples.

The fields in this guide are organized according to the tabs in the Analyzer grid in the LogRhythm Web Console. To access the Analyzer grid on the Dashboards page or Analyze page, at the lower-right side of the page, click the Logs tab.

Fields that are listed with [7.2] after the field name are not available in LogRhythm versions earlier than 7.2.1.

Origin vs. Impacted

Definition and Guidelines

LogRhythm presents log sources from the perspective of the impacted system, the origin system, or both. Although origin and impacted align with the network-centric view of "source" and "destination," origin and impacted are meant to represent a security-centric view, in which:

In a security-centric view:

• Origin represents:
  • The client in “client server.”
  • The attacker in a security context.
  • The cause of an observation.
  • The user account who performed an action.
• Impacted represents:
  • The server in "client server."
  • The target in a security context, or the device impacted by a security event.
  • The effect of an observation.
  • The user affected by an action.

Use in Schema

The use of origin and impacted is particularly important for understanding the schema. Origin and impacted apply to IP addresses, hosts, users, and other fields that describe the object in the log. These fields include:

• Hostname
• MAC address
• Interface
• IP address
• User

For an IP address, the schema parses into fields called SIP and DIP, where SIP represents origin and DIP represents impacted.

What Determines Origin/Impacted?

The origin/impacted context can be defined and changed in multiple places:

• Selecting correct parsing fields. This is important when converting the network view of source and destination to the security view of origin and impacted. Origin is not always source and impacted is not always destination.
• Rule definition with explicit options. The rule can explicitly force a conversion of direction.
• Automatic Host Contextualization (AHC). The AHC feature can change direction based on tables of well-known ports and protocols.

Examples

• O365 SharePoint. SIP is explicitly called out, but because O365 is the cloud, there is no discernable impacted hostname.

TS=2016-10-20T20:22:23 SESSID=8b157afd-eb80-45e4-926f-08d3f926cd63 COMMAND=AnonymousLinkUsed USERTYPE=Regular USERKEY=anonymous WORKLOAD=SharePoint RESULTCODE= OBJECT=https://dummysitez.com/Dummy/Shared Documents/abuse_ch_copy.txt USER=anonymous SIP=1.1.1.1 ITEMTYPE=File EVENTSOURCE=SharePoint USERAGENT=Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36 DOMAIN= FILENAME= DESTINATION= DESTINATIONFILENAME= USERSHAREDWITH= SHARINGTYPE= MODIFIEDPROPERTIES=

This is not a security event, so apply the network-centric view of client vs. server. The client is referenced in the SIP, and therefore SIP (origin) is the IP Origin. The IP Impacted is undefined, but the Impacted Host can be inferred from the log source. It is ambiguous whether the log source is the agent calling the API or refers to O365.

• Oracle 10g Audit. Client is the source of the session, but also impacted by the logoff.

20101115202959.307904 AUDIT_TYPE=Standard Audit STATEMENT_TYPE=LOGOFF BY CLEANUP RETURNCODE=0 AUDIT_OPTION= PRIV _USED=CREATE SESSION OS_USER=shenja DB_USER=SYSTEM UHOST=WKST0005 TERM=UNKNOWN OBJECT_SCHEMA= OBJECT_NAME= POLICY_NAME= NEW_OWNER= NEW_ NAME= EXT_NAME= SQL_TEXT= COMMENT_ TEXT=Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=1.1.1.1)(PORT=4888)) SES_ACTIONS= GLOBAL_UID= SESSION_ID=325213 PROXY_SESSIONID= STATEMENTID=1 ENTRYID=1 CLIENT_ID= ECONTEXT_ID= TRANSACTIONID= OS_PROCESS=610338 INSTANCE_NUMBER=0 ACTION=102 SQL_BIND= OBJ_PRIVILEGE= SYS_PRIVILEGE= OS_PRIVILEGE=NONE SCN= GRANTEE= LOGOFF_TIME=11/15/2010 3:32:42 PM LOGOFF_LREAD=1386 LOGOFF_PREAD=80 LOGOFF_LWRITE=36 LOGOFF_DLOCK=0 SESSION_CPU=10

Because this is not a security log, the host is likely the client (in client server). The host becomes the Origin Host. The Impacted Host is the Oracle server (automatically resolved by the log source).

• Windows Application. <computer> is where the event log was written.

<Event xmlns='http://dummysitex.com/win/2004/08/events/event'><System><Provider Name='MSSQLSERVER'/><EventID Qualifiers='49152'>32040</EventID><Level>Information</Level><Task>Server</Task><Keywords>Classic</Keywords><TimeCreated SystemTime='2013-12-18T20:19:48.000000000Z'/><EventRecordID>5652</EventRecordID><Channel>Application</Channel><Computer>ACMEPREM01</Computer><Security/></System><EventData>The alert for 'oldest unsent transaction' has been raised. The current value of '3' surpasses the threshold '1'.</EventData></Event>

The computer is the Impacted Host because there is no other context. Because the log came from this computer, it is the source of the log message.

• Cb Response. The endpoint is where the file originated in the scan, but is also likely impacted.

02 07 2017 17:30:21 1.1.1.1 <USER:NOTE> LEEF:1.0|CB|CB|5.1|watchlist.storage.hit.binary|cb_server=cbserver cb_version=525 copied_mod_len=8704 digsig_result=Unsigned digsig_result_code=2148204800 endpoint=PIA-EX2010-01|2018 file_desc= file_version=1.1.1.1 group=Default Servers host_count=1 internal_name=rwl_hdls.dll is_64bit=false is_executable_image=false last_seen=2017-02-07T23:26:29.825Z legal_copyright= link_md5=https://dum-dummy-01.dummy.net/#/binary/5F897E95044D43F58E30806857092186 md5=5F897E95044D43F58E30806857092186 observed_filename=c:\\windows\\temp\\rwl_hdls.dll orig_mod_len=8704 original_filename=rwl_hdls.dll os_type=Windows product_version=1.1.1.1 server_added_timestamp=2017-02-07T23:26:29.825Z server_name=localhost timestamp=1486510220.266 type=watchlist.storage.hit.binary watchlist_2=2017-02-07T23:30:03.972203Z watchlist_id=2 watchlist_name=Default: Newly Loaded Modules

Because this is a security event that occurred on the endpoint, the endpoint is the Impacted Host. The other hosts involved (for example, CB server or agent reading syslog) are not relevant to the security context.

• CylancePROTECT. The threat originated from the device and IP, but is also impacted by the threat and the quarantine.

05 09 2016 01:33:03 1.1.1.1 <SLOG:WARN> 1 2016-05-09T06:32:55.1224002Z sysloghost CylancePROTECT - - - Event Type: Threat, Event Name: threat_quarantined, Device Name: GQ-6FPLVZ1, IP Address: (1.1.1.1), File Name: SOP.EXE, Path: E:\HESS\Corrosion\HESS Okume Lab C drive Backup\NALCO\Okume CD training\programme\OkumeBandC\ProdWellManifolds\fscommand\, Drive Type: Internal Hard Drive, SHA256: 8050FE3DCA43D594611492AA149AF09FC9669149602BB2945AFEA4148A24B175 , MD5: 59E0D058686BD35B0D5C02A4FD8BD0E0 , Status: Quarantined, Cylance Score: 97, Found Date: 1/7/2016 5:03:51 PM, File Type: Executable, Is Running: False, Auto Run: False, Detected By: BackgroundThreatDetection

Because this is a security event, the Device Name is the Impacted Host.

Polyfields and Parsing Field Aggregation

Not all fields that are parsed in a rule are stored in the Data Indexer as parsed or displayed in the console as parsed. For example, the Web Console Duration field is a calculation based on one or more time-based parsing fields. Similarly, there are more than a dozen fields for bytes as a size, but only one value is stored and only one value is displayed.

Polyfields are a special type of display field used for aggregating across similar source data. For example, the Impacted Host polyfield could contain a hostname, an IP address, or a well-known entity. The hostname and IP address may also be stored separately. The polyfield generally has preference logic at the code level to determine which source field to display.

When reading this document, pay particular attention to fields that are called out as source data for a polyfield, or parsing fields that are transformed into final data fields.