Search

The Search feature includes a wide range of filter and group selections along with Boolean logic for targeting specific data sets. Search results are displayed on the Analyze page, where you can view the queried information in charts and graphs.

The tail option in search allows you to set up real-time queries that show whether logs or events matching a query are actively being generated and entering the system.

When searching keyword fields, you have the choice of searching in the following contexts, depending on your needs:

Search Method: Plain Text
Description: Standard exact match (case-insensitive). Because the match is exact, a character such as % is treated literally, not as a wildcard.
Example:

  1. When searching the Domain field to find all logs containing "logrhythm.internal", enter exactly "logrhythm.internal" into the field.

Search Method: SQL Pattern
Description: Uses SQL wildcard patterns, where % matches any run of characters. SQL Pattern searches can have one or two wildcards per field and must always start with "sql:" followed by the pattern.
Examples:

  1. When searching the Domain field to find logs with logrhythm domains, internal and external, use "sql:logrhythm%", which matches "logrhythm.internal" and "logrhythm.external".

  2. When searching the Domain field to find logs with all domains that contain "log", use "sql:%log%", which matches "logrhythm.internal", "mylogdomain" and "external.logrhythm".

Search Method: Regex Pattern (DX Search Only)
Description: Uses regular expressions to perform advanced filtering of keyword fields. Must start with "regex:" followed by the pattern.
Examples:

  1. When searching the Domain field to find logs with logrhythm domains, internal and external, use "regex:logrhythm\.(internal|external)", which matches "logrhythm.internal" and "logrhythm.external".

  2. When searching the Domain field to find logs with all domains that start with "log" and end in "internal", use "regex:log.*\.internal$".

When searching the Log Message field, the "sql:" prefix and the % wildcard are not required; however, search requests run against tokenized data (see Log Message under Search Filters). Regex searches are not supported against the Log Message field.
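To make the three prefix rules concrete, here is a small matcher written for this page; it is an added illustration, not code from the LogRhythm product or documentation. It translates a Search Term into a regular expression the way the table describes (plain text: exact and case-insensitive; "sql:": % becomes "any run of characters" with at most two wildcards; "regex:": the pattern is used as written) and runs it over a constructed list of Domain values. Two details are assumptions rather than documented behaviour: "sql:" matching is treated as case-insensitive like plain text, and "regex:" matching is case-sensitive with search (not whole-value) semantics, which is why the page's own example anchors the end with "$".

```python
import re
from typing import List

# Constructed sample values for the Domain field; not data from a real deployment.
DOMAINS = [
    "logrhythm.internal",
    "logrhythm.external",
    "LogRhythm.Internal",
    "mylogdomain",
    "external.logrhythm",
    "corp.example",
]

# The documentation allows one or two % wildcards per field in a sql: search.
MAX_SQL_WILDCARDS = 2


def compile_term(term: str) -> re.Pattern:
    """Translate a Search Term into a compiled regex according to its prefix.

    plain text    -> exact, case-insensitive match; % is a literal character
    sql:pattern   -> % matches any run of characters; one or two % allowed
    regex:pattern -> used as written (assumption: case-sensitive, search semantics)
    """
    if term.startswith("sql:"):
        pattern = term[len("sql:"):]
        wildcards = pattern.count("%")
        if not 1 <= wildcards <= MAX_SQL_WILDCARDS:
            raise ValueError(
                f"sql: pattern must contain 1..{MAX_SQL_WILDCARDS} % wildcards, got {wildcards}"
            )
        # Escape every literal piece so '.' or '(' in a value cannot act as regex
        # syntax, then join the pieces with '.*' where the % wildcards were.
        pieces = [re.escape(p) for p in pattern.split("%")]
        return re.compile("^" + ".*".join(pieces) + "$", re.IGNORECASE)

    if term.startswith("regex:"):
        # Assumption: regex terms need not cover the whole value and keep case.
        return re.compile(term[len("regex:"):])

    # Plain text: the whole value must equal the term, ignoring case only.
    return re.compile("^" + re.escape(term) + "$", re.IGNORECASE)


def search_keyword(term: str, values: List[str]) -> List[str]:
    """Return the values selected by the Search Term, preserving input order."""
    rx = compile_term(term)
    return [v for v in values if rx.search(v)]


if __name__ == "__main__":
    for term in ("logrhythm.internal", "logrhythm%", "sql:logrhythm%", "sql:%log%",
                 r"regex:logrhythm\.(internal|external)", r"regex:log.*\.internal$"):
        print(f"{term:42} -> {search_keyword(term, DOMAINS)}")
```

The second term in the demo, "logrhythm%" without the "sql:" prefix, selects nothing: in a plain-text search the % is a literal character. Forgetting the prefix is the most common reason a wildcard search that "should" match returns an empty result.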

The only required parameter for running a search is a time frame for your results.

Note that in deployments utilizing multiple Web Consoles, users can only access search or drill down results on the Web Console server from which the search or drill down originated. For example, if you perform a search on Web Console A and then log in to Web Console B, the search initiated on server A will not be available to you.

Decimals are not accepted in the Time Period field; for example, instead of 1.5 hours, enter 90 minutes.

Search Filters

The following table describes the search filters available from the Search lists. 

Search Filter

Type

Description

Account by Active Directory Group

Enumerated List

The accounts within an Active Directory group that are the recipients of the action.

Action

Keyword

Action is a broad field for what was done as described in the log. Action is usually a secondary function of a command or process. 

Address

Keyword

The email address involved in the activity, either the sender or recipient. In the Search Term field, type a full email address (for example, name@company.com).

Command

Keyword

The name of an executed command within the metadata (for example: login, get, or put).

Common Event

Dropdown

A short, plain-language description of the log that determines its classification.

When you select Common Event, the Search Term field becomes a typeahead field. For example, if you type "audit," a list opens with all Common Events that match "audit." You can then select an item from the list.

CVE

Keyword

CVE ID (for example, CVE-1999-0003) from vulnerability scan data.

Domain (Origin)
Domain (Impacted)

Keyword

Windows or DNS domain either referenced by a log or impacted by log activity.

Group

Keyword

User group or role referenced or impacted by the log activity. This group is typically an Active Directory group name or other type of logical container.

Hash

Keyword

The hash value (for example, MD5 or SHA256) of a file, process, or object. The value is independent of the algorithm. Only the resulting hash is stored in this field.

Host List (Impacted)

Host List (Origin or Impacted)

Host List (Origin)

Enumerated List

The host involved in the log activity, which may include the IP address, host name, or Ethernet address:

  • Host (Impacted) is the destination.

  • Host (Origin) is the source.

With Host filters, you can attain results for a Host List, IP Address List, or IP Range List as follows:

  • Host List. Begin typing the name of a Host List in the Search field to display the available lists containing matching characters. Search results are based on the contents of the Host List that you select from the list.

  • IP Address List or IP Range List. Type an IP Address or IP Range List name in the Search field. Search results are based on the contents of the IP Address List or the IP Range List that you select from the list.

To run a Host List search, you need to select from the host lists that have already been created in the Client Console. You cannot create new host lists on the Web Console, and you cannot type free text or non-lists as search criteria for the Host List filter.

Hostname (Impacted)

Hostname (Origin or Impacted)

Hostname (Origin)

Keyword

The name of the host involved in the log activity (for example, a DNS name or a Netbios name):

  • Hostname (Impacted) is the destination.

  • Hostname (Origin) is the source.

Interface (Impacted)

Interface (Origin or Impacted)

Interface (Origin)

Keyword

The interface number of a device or physical port number of a switch:

  • Interface (Impacted) is the destination interface.

  • Interface (Origin) is the source interface.

IP Address (Impacted)

IP Address (Origin or Impacted)

IP Address (Origin)

IP Address

The IP addresses for the log activity:

  • IP Address (Impacted) is the destination address.

  • IP Address (Origin) is the source address.

Known Application

Dropdown

Known application or service, such as HTTP, POP3, or Telnet. An application is "known" if LogRhythm SIEM can match the protocol number from the log to a service name in the Events Database.

Known Host (Impacted)

Known Host (Origin or Impacted)

Known Host (Origin)

Dropdown

The host record associated with a specific Entity:

  • Known Host (Origin) is the source of the log activity.

  • Known Host (Impacted) is the destination of the log activity.

When you select one of the Known Host fields, the Search Term field becomes a typeahead field.

Location (Impacted)

Location (Origin or Impacted)

Location (Origin)

Dropdown

The geographic area involved in the log activity:

  • Location (Origin) is the source area.

  • Location (Impacted) is the destination area.

When you select one of the Location fields, the Search Term field becomes a typeahead field.

The Location values are derived from the LogRhythm SIEM's GeoLocation feature.

Log Message

Tokenized Text

The entire raw log message as it was received by the System Monitor Agent.

This field allows for free-text searching against data which may or may not have been parsed into another metadata field. 

Data in the Log Message field is tokenized by Elasticsearch, and searches behave accordingly. For best results, search for specific terms rather than phrases. For example, if a log message contains the phrase "Quick Brown Fox," it is stored as three separate tokens: "quick", "brown", and "fox". Searching the Log Message field for "quick brown fox" therefore searches for the three independent terms "quick", "brown", and "fox", and returns every message that contains at least one of them. For more information on how tokenization works, refer to the Elasticsearch documentation.
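The following Python snippet is added here to show why the "Quick Brown Fox" example behaves as described; it is not code from the LogRhythm product or documentation. The tokenizer is a deliberate simplification of the Elasticsearch analyzer (lowercase, split on anything that is not a letter or digit); the real analyzer differs in details such as how it treats dotted numbers, so treat it as an assumption. The log lines are constructed. The "or" mode is the behaviour the text describes; the "and" and "phrase" modes are included only to show what the tokenized search is not doing.

```python
import re
from typing import List

# Constructed log lines; not messages from a real system.
LOGS = [
    "The Quick Brown Fox jumped over the lazy dog",
    "user fox logged in from 10.0.0.5",
    "brown-out detected on power supply 2",
    "sshd: Accepted publickey for alice from 10.0.0.9",
]


def tokenize(text: str) -> List[str]:
    """Simplified stand-in for the Elasticsearch analyzer (assumption):
    lowercase the text and split it on anything that is not a letter or digit."""
    return re.findall(r"[a-z0-9]+", text.lower())


def search_log_message(query: str, logs: List[str], mode: str = "or") -> List[str]:
    """Match a Log Message query against tokenized lines.

    mode="or"     : any query term is present (the behaviour the page describes)
    mode="and"    : every query term is present somewhere in the line
    mode="phrase" : the query terms appear consecutively, in order
    """
    terms = tokenize(query)
    if not terms:
        return []
    hits = []
    for line in logs:
        tokens = tokenize(line)
        if mode == "or":
            matched = any(t in tokens for t in terms)
        elif mode == "and":
            matched = all(t in tokens for t in terms)
        elif mode == "phrase":
            n = len(terms)
            matched = any(tokens[i:i + n] == terms for i in range(len(tokens) - n + 1))
        else:
            raise ValueError(f"unknown mode {mode!r}")
        if matched:
            hits.append(line)
    return hits


if __name__ == "__main__":
    for mode in ("or", "and", "phrase"):
        print(mode, "->", search_log_message("quick brown fox", LOGS, mode))
```

Run as-is, the "or" mode returns three of the four lines, including "brown-out detected on power supply 2" (the hyphen splits "brown-out" into two tokens) and the line that merely mentions a user named fox. When an investigation needs the exact phrase, search on the single most distinctive token (here "jumped" or "publickey") or pivot to a parsed metadata field such as Process Name or User, where the match is exact.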

Log Source Entity

Dropdown

A logical collection of unique networks, devices, and systems.

When you select Log Source Entity, the Search Term field becomes a typeahead field.

Log Source Root Entity

Dropdown

The parent for a logical collection (Log Source Entity).

When you select Log Source Root Entity, the Search Term field becomes a typeahead field.

Log Source Type

Dropdown

Type of facility or source where the log originated.

When you select Log Source Type, the Search Term field becomes a typeahead field. For example, if you type "sys," a list opens with all log source types that match "sys." You can then select an item from the list.

MAC Address (Impacted)

MAC Address (Origin or Impacted)

MAC Address (Origin)

Keyword

The MAC address involved in the log message:

  • MAC Address (Origin) is the source.

  • MAC Address (Impacted) is the destination.

When searching for MAC addresses, you must separate the six two-character (hexadecimal) groups using a colon (:) or a hyphen (-). For example:
00:00:5E:00:53:01
or
00-00-5E-00-53-01

MPE Rule Name

Dropdown

Message Processing Engine (MPE) rule, which identifies and normalizes log messages and then assigns them to a Log Type (Common Event).

When you select MPE Rule Name, the Search Term field becomes a typeahead field.

NAT IP Address (Impacted)

NAT IP Address (Origin or Impacted)

NAT IP Address (Origin)

IP Address

The IP address that was translated via NAT device logs:

  • NAT IP Address (Origin) is the source.

  • NAT IP Address (Impacted) is the destination.

NAT TCP/UDP Port (Impacted)

NAT TCP/UDP Port (Origin or Impacted)

NAT TCP/UDP Port (Origin)

Integer

The TCP/UDP port that was translated via NAT device logs:

  • NAT TCP/UDP Port (Origin) is the source.

  • NAT TCP/UDP Port (Impacted) is the destination.

Network (Impacted)

Network (Origin or Impacted)

Network (Origin)

Dropdown

Network involved in the log activity:

  • Network (Origin) is the source network.

  • Network (Impacted) is the destination network.

When you select one of the Network fields, the Search Term field becomes a typeahead field.

Object

Object Name

Keyword

Resource that is referenced or impacted by the log activity. An "object" can include a file, file path, registry key, etc.

The Object field contains the full path and name, but ObjectName only stores the object name.

Object Type

Keyword

The resource type (file type) referenced or impacted by activity reported in the log, specifically related to what is parsed into Object. Object Type is a categorization field in comparison to Object Name, which is a specific description of the value in Object.

Origin Login by Active Directory Group

Enumerated List

The users within an Active Directory group that are the source of the log activity.

When you select Origin Login by Active Directory Group, the Search Term field becomes a typeahead field.

Parent Process ID

Keyword

The Parent Process ID of a system or application process that is of interest.

Parent Process Name

Keyword

The parent process name of a system or application process. 

Parent Process Path

Keyword

The full path of a parent process of a system or application process.

Policy

Keyword

The specific policy referenced (for example, Firewall or Proxy) in a log message.

Port

Integer

The port involved in the activity.
The Search Term field requires an exact value for a specific port, such as 80 or 8080.

Process ID

Integer

The ID associated with a process.

Process Name

Keyword

Name or value that identifies a process (for example, "inetd" or "sshd").

Protocol

Keyword

Network protocol applicable to the log message.

When you select Protocol, the Search Term field becomes a typeahead field.

Recipient

Keyword

Email address or VOIP caller number. For non-email logs, this field could represent the user who received a form of information.

Reason

Keyword

The justification for an action or result. 

Response Code

Keyword

The explicit and well-defined response code for an action or command in a log. Response Code differs from Result in that response code should be well structured and easily identifiable as a code.

Result

Keyword

Result is for the outcome of a command operation or action.  For example, the result of “quarantine" might be "success."

Sender

Keyword

Email originator or VOIP caller number. For non-email logs, this field could represent the user who sent a form of information.

Serial Number

Keyword

The hardware or software serial number in a log message. Should be a permanent, unique identifier of what it is identifying.

Session

Keyword

The user, system, or application session.

Session Type

Keyword

The type of session described in the log (for example, console, CLI, or web). This field is free text.  

Severity

Keyword

A value indicating the severity of the log.

Subject

Keyword

Email subject line. For non-email logs, this field could represent the subject in some form of communicated information.

Status

Keyword

The vendor's perspective on the state of a system, process, or entity. Status should not be used as the result of an action. 

TCP/UDP Port (Impacted)

TCP/UDP Port (Origin or Impacted)

TCP/UDP Port (Origin)

Integer

The TCP or UDP port number:

  • TCP/UDP Port (Origin) is the source.

  • TCP/UDP Port (Impacted) is the destination.

Threat ID

Keyword

The ID number of a threat when available from an IDS/IPS signature, endpoint protection, or firewall log.

Threat Name

Keyword

The name of a threat described in the log message (for example, malware, exploit name, or signature name). Do not use this field to hold Policy values; those belong in the Policy field.

URL

Keyword

URL referenced or impacted by the log activity.

User Agent

Keyword

The User Agent string from web server logs (for example, Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36).

User (Impacted)

Keyword
or
Enumerated List

The user account that is the recipient of the action (for example, a password reset on a user account).

When you select the User (Impacted) filter, you can get results for either an Active Directory Group or a user name string, as follows:

  • Active Directory Group. As you begin typing characters in the Search Term field, it displays a list of all Active Directory Group names that match those characters. If you select a group from the displayed list or if the text you typed matches an Active Directory Group name, results appear for the Active Directory Group.

  • User name string. Type the user name in the Search Term field. If the text you type does not match an Active Directory Group name, results appear for the corresponding user field (Login or Account, or both).

User (Login or Account)

Keyword
or
Enumerated List

The user login or account that is the source of the log activity.

When you select the User (Login or Account) filter, you can get results for either an Active Directory Group or a user name string, as follows:

  • Active Directory Group. As you begin typing characters in the Search Term field, it displays a list of all Active Directory Group names that match those characters. If you select a group from the displayed list or if the text you typed matches an Active Directory Group name, results appear for the Active Directory Group.

  • User name string. Type the user name in the Search Term field. If the text you type does not match an Active Directory Group name, results appear for the corresponding user field (Login or Account, or both).

User (Origin)

Keyword
or
Enumerated List

The user login that is the source of the log activity.

When you select the User (Origin) filter, you can get results for either an Active Directory Group or a user name string, as follows:

  • Active Directory Group. As you begin typing characters in the Search Term field, it displays a list of all Active Directory Group names that match those characters. If you select a group from the displayed list or if the text you typed matches an Active Directory Group name, results appear for the Active Directory Group.

  • User name string. Enter the user name in the Search Term field. If the text you enter does not match an Active Directory Group name, results appear for the corresponding user field (Login or Account, or both).

User by Active Directory Group

Enumerated List

The user login within an Active Directory group that is the source of the log activity.

When you select User by Active Directory Group, the Search Term field becomes a typeahead field.

Vendor Info

Keyword

Description of the specific vendor log or event identifier for the log: a human-readable elaboration that directly corresponds to the Vendor Message ID (VMID).

Vendor Message ID

Keyword

Unique vendor-assigned value that identifies the log message.

Version

Keyword

A value that represents a version (OS version, patch version, doc version, etc.).

Event Classifications

Event classifications are log messages that are grouped into logical containers, which helps organize vast amounts of log data. You can view classifications in the Web Console data charts and also select them from the Search tool.

The following table describes the Event classifications.

Classification

Description

Access Failure

Failed read, write, or execute access on files, programs, and other relevant objects.

Access Granted

Activity related to granting of access rights and privileges.

Access Revoked

Activity related to revocation of access rights and privileges.

Access Success

Successful read, write, or execute access on files, programs, and other relevant objects.

Account Created

Activity related to user or system/computer account creation.

Account Deleted

Activity related to user or system/computer account deletion.

Account Modified

The modification of a user or group outside granting/revoking access. No group level or access level changes.

Activity

General system or network activity.

Attack

Activity that indicates a system or network attack, where it is either assumed to have been successful or cannot be assumed to have failed.

Authentication Failure

Failed user and system authentication activity, due to bad credentials or unauthorized attempt (user not allowed to log in).

Authentication Success

Successful user and system authentication activity, including a user or system gaining access through any method of authentication.

Compromise

Successful system or network compromise.

These types of logs are seen more on Host Intrusion Detection Systems (HIDS) than on network-based detection mechanisms.

Configuration

Activity pertaining to the state or configuration of a system where it is not related to a Policy.

Critical

Logs reporting critical conditions.

Denial of Service

Activity that indicates a Denial of Service attack, where it is assumed to have succeeded or cannot be assumed to have failed.

Error

Logs reporting error conditions.

Failed Activity

General system or network activity that was not successful, possibly due to preventative measures.

Failed Attack

Attack activity that was not successful, possibly due to preventative measures.

Failed Denial of Service

Denial of Service activity that was not successful, possibly due to preventative measures.

Failed Malware

Malware activity that was not successful, possibly due to preventative measures.

Failed Misuse

Activity that indicates a system or network misuse that was not successful, possibly due to preventative measures.

Failed Suspicious

Suspicious activity that was not successful, possibly due to preventative measures.

Information

Logs reporting general information.

Malware

Activity that indicates malware installation, propagation, or use.

Misuse

Activity that indicates system or network misuse.

Network Allow

Network activity that was allowed per a device policy.

Network Deny

Network activity that was not allowed per a device policy.

Network Traffic

Network traffic activity such as flows, connections, and usage statistics.

Other

Operations activity not otherwise classifiable.

Other Audit

Audited activity not otherwise classifiable.

Other Audit Failure

Failed audited activity not otherwise classifiable.

Other Audit Success

Successful audited activity not otherwise classifiable.

Other Security

Security activity not otherwise classifiable.

Policy

Activity pertaining to the policy of a network, system, device, or other relevant object. Includes configuration changes related to a Policy.

Reconnaissance

Activity that indicates system or network reconnaissance.

Startup and Shutdown

Activity pertaining to the starting and stopping of a system, device, application, or other relevant object.

Suspicious

Activity that is suspicious, but not known to be an attack or unauthorized.

Vulnerability

Logs reporting vulnerabilities.

Warning

Logs reporting warnings.
