Action [7.2]

Action is a broad field for what was done as described in the log. Action is usually a secondary function of a command or process. 

Data Type

String

Aliases

Field Relationships

• Command

• Status

• Result

• Response Code

• Process

Common Applications

• Firewall

• Proxy

• Antivirus

• IDS/IPS

• Vulnerability scanner

• RIM/FIM

Use Case

• Recording network traffic accepts, drops, or blocks.

• Secondary function of a command—for example, PowerShell (process), might issue "AD commandlet" (command), which might have an action of lock out user.

• Action describes a mechanism. The result describes a state outcome. A firewall action can "pass" traffic. The result might be "success.”  

MPE/Data Masking Manipulations

Not applicable.

Usage Standards

• Capture more simplistic actions than command might.

• An Action is what you are trying to initiate via a command.

• Action, Process, and Command separation:A process is something "running."A command is an operating system command (for example, batch) or a user originated command to a system.The Action is often the "result" of a process or command. The A/V process (Symantec) might have a command of "Run Scan", which could have an Action of Quarantine.

• In RIM/FIM, the Action would be "read, write, add, delete" or any other common action verb applied to the file or registry key. 

Examples

• FortiGate

02 18 2015 16:13:49 1.1.1.1 <LOC7:INFO> date=2015-02-18 time=16:13:51 devname=FG22222222222217 devid=FGdfsdfds1111111 logid=1059028704 type=utm subtype=app-ctrl eventtype=app-ctrl-all level=information vd="root" appid=16637 user="pete.store" srcip=1.1.1.1 srcport=57227 dstip=1.1.1.1 dstport=53 proto=17 service="DNS" sessionid=391322221 applist="APPC Monitor All" appcat="Update" app="Sophos.Update" action=pass msg="Update: Sophos.Update," apprisk=low