Supported Lucene Fields by Dashboard Type
Data Indexer (DX) Dashboards were introduced to the Web Console in LogRhythm SIEM version 7.20. While the standard Event dashboard can be useful to display information about small datasets contained within the Web Console cache, a DX dashboard may be required to query larger datasets over longer periods without requiring logs to be classified as “events.”
Because the two dashboard types differ in how they store and query data, the set of fields supported for widgets and Lucene searches in the Web Console depends on which dashboard you are using. This page lists the fields supported by each dashboard type.
Event Dashboard Supported Lucene Filter Fields
The following table displays fields that are supported for Lucene searches/filters on Event dashboards:
Display Name | Value |
|---|---|
Amount | amount |
Application List | portProtocol |
Classification | classificationName |
Command | command |
Common Event | commonEventName |
Direction | directionName |
Duration | duration |
Group | group |
Host (Impacted) KBytes In | kBytes |
Host (Impacted) KBytes Out | outboundKBytes |
Host (Impacted) KBytes Total | impactedHostTotalKBytes |
Host List (Impacted) | impactedHost |
Host List (Origin) | originHost |
Host (Impacted) Packets Received | itemsPacketsIn |
Host (Impacted) Packets Sent | itemsPacketsOut |
Host (Impacted) Packets Total | impactedHostTotalPackets |
Hostname (Impacted) | impactedName |
Hostname (Origin) | originName |
Known Application | serviceName |
Interface (Impacted) | impactedInterface |
Interface (Origin) | originInterface |
IP Address (Impacted) | impactedIp |
IP Address (Origin) | originIp |
Known Host (Impacted) | impactedHostName |
Known Host (Origin) | originHostName |
Location (Impacted) | impactedLocation |
Location (Origin) | originLocation |
Country (Origin) | originCountry |
Country (Impacted) | impactedCountry |
Region (Origin) | originRegion |
Region (Impacted) | impactedRegion |
Log Source | logSourceName |
Log Source Entity | entityName |
Log Source Type | logSourceTypeName |
MAC Address (Impacted) | impactedMac |
MAC Address (Origin) | originMac |
Log Message | logMessage |
MPE Rule Name | mpeRuleName |
NAT IP Address (Impacted) | impactedNatIp |
NAT IP Address (Origin) | originNatIp |
NAT TCP/UDP Port (Impacted) | impactedNatPort |
NAT TCP/UDP Port (Origin) | originNatPort |
Network (Impacted) | impactedNetwork |
Network (Origin) | originNetwork |
Object | object |
Object Name | objectName |
User (Origin) | login |
Priority | priority |
Process Name | process |
Process ID | processId |
Protocol | protocolName |
Quantity | quantity |
Rate | rate |
Recipient | recipient |
Sender | sender |
Session | session |
Severity | severity |
Size | size |
Subject | subject |
TCP/UDP Port (Impacted) | impactedPort |
TCP/UDP Port (Origin) | originPort |
URL | url |
User (Impacted) | account |
Vendor Message ID | vendorMessageId |
Version | version |
Domain (Impacted) | domainImpacted |
Domain (Origin) | domainOrigin |
Hash | hash |
Policy | policy |
Vendor Info | vendorInfo |
Result | result |
Object Type | objectType |
CVE | cve |
User Agent | userAgent |
Parent Process ID | parentProcessId |
Parent Process Name | parentProcessName |
Parent Process Path | parentProcessPath |
Serial Number | serialNumber |
Reason | reason |
Status | status |
Threat ID | threatId |
Threat Name | threatName |
Session Type | sessionType |
Action | action |
Response Code | responseCode |
User (Origin) Identity ID | userOriginIdentity |
User (Impacted) Identity ID | userImpactedIdentity |
Sender Identity ID | senderIdentity |
Recipient Identity ID | recipientIdentity |
Data Indexer (DX) Dashboard Supported Lucene Filter Fields
The following table displays fields that are supported for Lucene searches/filters on Data Indexer (DX) dashboards:
Display Name | Value |
|---|---|
Amount | amount |
Classification | msgClassName |
Command | command |
Common Event | commonEventName |
Direction | directionName |
Duration | duration |
Group | group |
Host (Impacted) Packets Received | itemsPacketsIn |
Host (Impacted) Packets Sent | itemsPacketsOut |
Host (Impacted) Packets Total | impactedHostTotalPackets |
Hostname (Impacted) | impactedName |
Hostname (Origin) | originName |
Known Application | serviceName |
Interface (Impacted) | impactedInterface |
Interface (Origin) | originInterface |
IP Address (Impacted) | impactedIp |
IP Address (Origin) | originIp |
Known Host (Impacted) | impactedHostName |
Known Host (Origin) | originHostName |
Location (Impacted) | impactedLocationName |
Location (Origin) | originLocationName |
Log Source | logSourceName |
Log Source Entity | entityName |
Log Source Type | msgSourceTypeName |
MAC Address (Impacted) | impactedMac |
MAC Address (Origin) | originMac |
MPE Rule Name | mpeRuleName |
NAT IP Address (Impacted) | impactedNatIp |
NAT IP Address (Origin) | originNatIp |
NAT TCP/UDP Port (Impacted) | impactedNatPort |
NAT TCP/UDP Port (Origin) | originNatPort |
Network (Impacted) | impactedNetwork |
Network (Origin) | originNetwork |
Object | object |
Object Name | objectName |
User (Origin) | login |
Priority | priority |
Process Name | process |
Process ID | processId |
Protocol | protocolName |
Quantity | quantity |
Rate | rate |
Recipient | recipient |
Sender | sender |
Session | session |
Severity | severity |
Size | size |
Subject | subject |
TCP/UDP Port (Impacted) | impactedPort |
TCP/UDP Port (Origin) | originPort |
URL | url |
User (Impacted) | account |
Vendor Message ID | vendorMessageId |
Version | version |
Domain (Impacted) | domain |
Domain (Origin) | domainOrigin |
Hash | hash |
Policy | policy |
Vendor Info | vendorInfo |
Result | result |
Object Type | objectType |
CVE | cve |
User Agent | userAgent |
Parent Process ID | parentProcessId |
Parent Process Name | parentProcessName |
Parent Process Path | parentProcessPath |
Serial Number | serialNumber |
Reason | reason |
Status | status |
Threat ID | threatId |
Threat Name | threatName |
Session Type | sessionType |
Action | action |
Response Code | responseCode |
User (Origin) Identity ID | userOriginIdentity |
User (Impacted) Identity ID | userImpactedIdentity |
Sender Identity ID | senderIdentity |
Recipient Identity ID | recipientIdentity |
Host (Impacted) Bytes In | bytesIn |
Host (Impacted) Bytes Out | bytesOut |
Host (Impacted) Bytes Total | bytesInOut |
Zone (Origin) | originZoneName |
Zone (Impacted) | impactedZoneName |
Entity (Origin) | originEntityName |
Entity (Impacted) | impactedEntityName |
IP Address V6 (Origin) | originIpV6 |
IP Address V6 (Impacted) | impactedIpV6 |
NAT IP Address V6 (Origin) | originNatIpV6 |
NAT IP Address V6 (Impacted) | impactedNatIpV6 |
Log ID | logId |
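A filter written against one dashboard type will silently match nothing on the other where the field name differs, so it is worth checking field names before moving a saved search or widget between an Event dashboard and a DX dashboard. The following Python helper is an added example, not LogRhythm code: it rewrites the field names in a Lucene filter for the target dashboard type and reports any fields that the target's table on this page does not list. The rename map and the two "only" sets are derived from the two tables above. It does not map the Event KBytes fields onto the DX Bytes fields, because the page does not state that they are equivalent; those fields are reported for manual review instead. The sample queries are constructed.

```python
import re
from typing import List, Tuple

# Fields whose Lucene value differs between the two tables on this page
# (Event dashboard value -> DX dashboard value).
RENAMED_EVENT_TO_DX = {
    "classificationName": "msgClassName",        # Classification
    "impactedLocation": "impactedLocationName",  # Location (Impacted)
    "originLocation": "originLocationName",      # Location (Origin)
    "logSourceTypeName": "msgSourceTypeName",    # Log Source Type
    "domainImpacted": "domain",                  # Domain (Impacted)
}

# Fields listed only in the Event dashboard table. The DX table has no
# entry for them, so a filter on them needs manual attention.
EVENT_ONLY = {
    "portProtocol",                                        # Application List
    "kBytes", "outboundKBytes", "impactedHostTotalKBytes",  # KBytes In/Out/Total
    "impactedHost", "originHost",                          # Host List
    "originCountry", "impactedCountry",                    # Country
    "originRegion", "impactedRegion",                      # Region
    "logMessage",                                          # Log Message
}

# Fields listed only in the DX dashboard table.
DX_ONLY = {
    "bytesIn", "bytesOut", "bytesInOut",
    "originZoneName", "impactedZoneName",
    "originEntityName", "impactedEntityName",
    "originIpV6", "impactedIpV6", "originNatIpV6", "impactedNatIpV6",
    "logId",
}

# Either a double-quoted Lucene value (kept verbatim) or a field name followed
# by ':'. The lookbehind prevents 'http' in url:http://... from being read as
# a field name, and stops matching in the middle of a word.
_TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|(?<![\w.:])([A-Za-z][A-Za-z0-9]*):')


def port_filter(query: str, target: str) -> Tuple[str, List[str]]:
    """Rewrite a Lucene filter for the target dashboard type ('dx' or 'event').

    Returns the rewritten query and the list of field names that the target
    dashboard's table does not list. Those fields are left in place so the
    caller can decide how to handle them.
    """
    if target == "dx":
        renames, missing = RENAMED_EVENT_TO_DX, EVENT_ONLY
    elif target == "event":
        renames = {dx: ev for ev, dx in RENAMED_EVENT_TO_DX.items()}
        missing = DX_ONLY
    else:
        raise ValueError("target must be 'dx' or 'event'")

    unsupported: List[str] = []

    def repl(m) -> str:
        field = m.group(1)
        if field is None:            # quoted value: never a field name
            return m.group(0)
        if field in renames:
            return renames[field] + ":"
        if field in missing:
            unsupported.append(field)
        return m.group(0)

    return _TOKEN.sub(repl, query), unsupported


if __name__ == "__main__":
    # Constructed sample filters.
    for q, target in [
        ('classificationName:"Security Event" AND impactedLocation:Denver AND originIp:10.0.0.5', "dx"),
        ("logMessage:failed AND kBytes:[100 TO *] AND url:http://example.test/x", "dx"),
        ("msgClassName:Audit AND bytesIn:[1000 TO *] AND domain:corp", "event"),
    ]:
        rewritten, unsupported = port_filter(q, target)
        print(f"[{target}] {rewritten}")
        if unsupported:
            print("  not listed for this dashboard type:", ", ".join(unsupported))
```

Run it on a saved search before recreating it as a widget on the other dashboard type; any field it reports as not listed should be removed or replaced by hand, and the rewritten query can be pasted in as-is.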