KEMBAR78
LogRhythm Schema Dictionary and Guide RevB | PDF | Trademark | Data
0% found this document useful (0 votes)
297 views226 pages

LogRhythm Schema Dictionary and Guide RevB

Uploaded by

ngdnam
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
297 views226 pages

LogRhythm Schema Dictionary and Guide RevB

Uploaded by

ngdnam
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 226

LogRhythm Schema Dictionary and Guide

January 09, 2019


© LogRhythm, Inc. All rights reserved.
This document contains proprietary and confidential information of LogRhythm, Inc., which is protected by
copyright and possible non-disclosure agreements. The Software described in this Guide is furnished under
the End User License Agreement or the applicable Terms and Conditions (“Agreement”) which governs the
use of the Software. This Software may be used or copied only in accordance with the Agreement. No part of
this Guide may be reproduced or transmitted in any form or by any means, electronic or mechanical,
including photocopying and recording for any purpose other than what is permitted in the Agreement.

Disclaimer
The information contained in this document is subject to change without notice. LogRhythm, Inc. makes no
warranty of any kind with respect to this information. LogRhythm, Inc. specifically disclaims the implied
warranty of merchantability and fitness for a particular purpose. LogRhythm, Inc. shall not be liable for any
direct, indirect, incidental, consequential, or other damages alleged in connection with the furnishing or use
of this information.

Trademark
LogRhythm is a registered trademark of LogRhythm, Inc. All other company or product names mentioned
may be trademarks, registered trademarks, or service marks of their respective holders.

LogRhythm Inc.
4780 Pearl East Circle
Boulder, CO 80301
(303) 413-8745
www.logrhythm.com

Phone Support (7am - 6pm, Monday-Friday)


Toll Free in North America (MT) +1-866-255-0862
Direct Dial in the Americas (MT) +1-720-407-3990
EMEA (GMT) +44 (0) 844 3245898
META (GMT+4) +971 8000-3570-4506
APAC (SGT) +65 31572044
Table of Contents
Origin vs. Impacted ...................................................................................................... 23
Definition and Guidelines .................................................................................................................... 23
Use in Schema...................................................................................................................................... 23
What Determines Origin/Impacted? ................................................................................................... 24
Examples .............................................................................................................................................. 24
Polyfields and Parsing Field Aggregation ................................................................... 26
Application Tab ............................................................................................................ 27
Action [7.2]............................................................................................................................................ 28
Data Type ..............................................................................................................................................................................28
Aliases....................................................................................................................................................................................28
Field Relationships................................................................................................................................................................28
Common Applications ..........................................................................................................................................................28
Use Case ................................................................................................................................................................................29
MPE/Data Masking Manipulations .......................................................................................................................................29
Usage Standards ...................................................................................................................................................................29
Examples ...............................................................................................................................................................................29
Amount ................................................................................................................................................. 30
Data Type ..............................................................................................................................................................................30
Aliases....................................................................................................................................................................................30
Field Relationships................................................................................................................................................................30
Common Applications ..........................................................................................................................................................30
Use Case ................................................................................................................................................................................30
MPE/Data Masking Manipulations .......................................................................................................................................31
Usage Standards ...................................................................................................................................................................31
Examples ...............................................................................................................................................................................31
Command............................................................................................................................................. 32
Aliases....................................................................................................................................................................................32
Field Relationships................................................................................................................................................................32
Common Applications ..........................................................................................................................................................32
Use Case ................................................................................................................................................................................32

LogRhythm, Inc. | Contents 3


MPE/Data Masking Manipulations .......................................................................................................................................33
Usage Standards ...................................................................................................................................................................33
Examples ...............................................................................................................................................................................33
Hash [7.2].............................................................................................................................................. 36
Data Type ..............................................................................................................................................................................36
Aliases....................................................................................................................................................................................36
Field Relationships................................................................................................................................................................36
Common Applications ..........................................................................................................................................................36
Use Case ................................................................................................................................................................................37
MPE/Data Masking Manipulations .......................................................................................................................................37
Usage Standards ...................................................................................................................................................................37
Examples ...............................................................................................................................................................................37
IANA Protocol Name ............................................................................................................................ 39
Data Type ..............................................................................................................................................................................39
Aliases....................................................................................................................................................................................39
Field Relationships................................................................................................................................................................39
Common Applications ..........................................................................................................................................................40
Use Case ................................................................................................................................................................................40
MPE/Data Masking Manipulations .......................................................................................................................................40
Usage Standards ...................................................................................................................................................................40
Examples ...............................................................................................................................................................................40
IANA Protocol Number......................................................................................................................... 42
Data Type ..............................................................................................................................................................................42
Aliases....................................................................................................................................................................................42
Field Relationships................................................................................................................................................................42
Common Applications ..........................................................................................................................................................43
Use Case ................................................................................................................................................................................43
MPE/Data Masking Manipulations .......................................................................................................................................43
Usage Standards ...................................................................................................................................................................43
Examples ...............................................................................................................................................................................43
Object ................................................................................................................................................... 45
Data Type ..............................................................................................................................................................................45
Aliases....................................................................................................................................................................................45

LogRhythm, Inc. | Contents 4


Field Relationships................................................................................................................................................................46
Common Applications ..........................................................................................................................................................46
Use Case ................................................................................................................................................................................46
MPE/Data Masking Manipulations .......................................................................................................................................46
Usage Standards ...................................................................................................................................................................46
Examples ...............................................................................................................................................................................46
Object Name......................................................................................................................................... 51
Data Type ..............................................................................................................................................................................51
Aliases....................................................................................................................................................................................51
Field Relationships................................................................................................................................................................51
Common Applications ..........................................................................................................................................................51
Use Case ................................................................................................................................................................................51
MPE/Data Masking Manipulations .......................................................................................................................................52
Usage Standards ...................................................................................................................................................................52
Examples ...............................................................................................................................................................................52
Object Type [7.2] .................................................................................................................................. 57
Data Type ..............................................................................................................................................................................57
Aliases....................................................................................................................................................................................57
Field Relationships................................................................................................................................................................57
Common Applications ..........................................................................................................................................................57
Use Case ................................................................................................................................................................................58
MPE/Data Masking Manipulations .......................................................................................................................................58
Usage Standards ...................................................................................................................................................................58
Examples ...............................................................................................................................................................................58
Parent Process ID [7.2]......................................................................................................................... 61
Data Type ..............................................................................................................................................................................61
Aliases....................................................................................................................................................................................61
Field Relationships................................................................................................................................................................61
Common Applications ..........................................................................................................................................................61
Use Case ................................................................................................................................................................................62
MPE/Data Masking Manipulations .......................................................................................................................................62
Usage Standards ...................................................................................................................................................................62
Examples ...............................................................................................................................................................................62

LogRhythm, Inc. | Contents 5


Parent Process Name [7.2] .................................................................................................................. 64
Data Type ..............................................................................................................................................................................64
Aliases....................................................................................................................................................................................64
Field Relationships................................................................................................................................................................64
Common Applications ..........................................................................................................................................................64
Use Case ................................................................................................................................................................................65
MPE/Data Masking Manipulations .......................................................................................................................................65
Usage Standards ...................................................................................................................................................................65
Examples ...............................................................................................................................................................................65
Parent Process Path [7.2] .................................................................................................................... 67
Data Type ..............................................................................................................................................................................67
Aliases....................................................................................................................................................................................67
Field Relationships................................................................................................................................................................67
Common Applications ..........................................................................................................................................................67
Use Case ................................................................................................................................................................................68
MPE/Data Masking Manipulations .......................................................................................................................................68
Usage Standards ...................................................................................................................................................................68
Examples ...............................................................................................................................................................................68
Policy [7.2] ............................................................................................................................................ 70
Data Type ..............................................................................................................................................................................70
Aliases....................................................................................................................................................................................70
Field Relationships................................................................................................................................................................70
Common Applications ..........................................................................................................................................................70
Use Case ................................................................................................................................................................................71
MPE/Data Masking Manipulations .......................................................................................................................................71
Usage Standards ...................................................................................................................................................................71
Examples ...............................................................................................................................................................................71
Process ID ............................................................................................................................................. 73
Data Type ..............................................................................................................................................................................73
Aliases....................................................................................................................................................................................73
Field Relationships................................................................................................................................................................73
Common Applications ..........................................................................................................................................................73
Use Case ................................................................................................................................................................................73

LogRhythm, Inc. | Contents 6


MPE/Data Masking Manipulations .......................................................................................................................................74
Usage Standards ...................................................................................................................................................................74
Examples ...............................................................................................................................................................................74
Process Name....................................................................................................................................... 75
Data Type ..............................................................................................................................................................................75
Aliases....................................................................................................................................................................................75
Field Relationships................................................................................................................................................................75
Common Applications ..........................................................................................................................................................75
Use Case ................................................................................................................................................................................76
MPE/Data Masking Manipulations .......................................................................................................................................76
Usage Standards ...................................................................................................................................................................76
Examples ...............................................................................................................................................................................76
Quantity................................................................................................................................................ 78
Data Type ..............................................................................................................................................................................78
Aliases....................................................................................................................................................................................78
Field Relationships................................................................................................................................................................78
Common Applications ..........................................................................................................................................................78
Use Case ................................................................................................................................................................................78
MPE/Data Masking Manipulations .......................................................................................................................................78
Usage Standards ...................................................................................................................................................................79
Examples ...............................................................................................................................................................................79
Rate....................................................................................................................................................... 80
Data Type ..............................................................................................................................................................................80
Aliases....................................................................................................................................................................................80
Field Relationships................................................................................................................................................................80
Common Applications ..........................................................................................................................................................80
Use Case ................................................................................................................................................................................80
MPE/Data Masking Manipulations .......................................................................................................................................80
Usage Standards ...................................................................................................................................................................81
Examples ...............................................................................................................................................................................81
Reason [7.2].......................................................................................................................................... 82
Data Type ..............................................................................................................................................................................82
Aliases....................................................................................................................................................................................82

LogRhythm, Inc. | Contents 7


Field Relationships................................................................................................................................................................82
Common Applications ..........................................................................................................................................................82
Use Case ................................................................................................................................................................................83
MPE/Data Masking Manipulations .......................................................................................................................................83
Usage Standards ...................................................................................................................................................................83
Examples ...............................................................................................................................................................................83
Response Code [7.2] ............................................................................................................................ 85
Data Type ..............................................................................................................................................................................85
Aliases....................................................................................................................................................................................85
Field Relationships................................................................................................................................................................85
Common Applications ..........................................................................................................................................................85
Use Case ................................................................................................................................................................................86
MPE/Data Masking Manipulations .......................................................................................................................................86
Usage Standards ...................................................................................................................................................................86
Examples ...............................................................................................................................................................................86
Result [7.2]............................................................................................................................................ 88
Data Type ..............................................................................................................................................................................88
Aliases....................................................................................................................................................................................88
Field Relationships................................................................................................................................................................88
Common Applications ..........................................................................................................................................................88
Use Case ................................................................................................................................................................................89
MPE/Data Masking Manipulations .......................................................................................................................................89
Usage Standards ...................................................................................................................................................................89
Examples ...............................................................................................................................................................................89
Session.................................................................................................................................................. 91
Data Type ..............................................................................................................................................................................91
Aliases....................................................................................................................................................................................91
Field Relationships................................................................................................................................................................91
Common Applications ..........................................................................................................................................................91
Use Case ................................................................................................................................................................................92
MPE/Data Masking Manipulations .......................................................................................................................................92
Usage Standards ...................................................................................................................................................................92
Examples ...............................................................................................................................................................................92

LogRhythm, Inc. | Contents 8


Session Type [7.2] ................................................................................................................................ 94
Data Type ..............................................................................................................................................................................94
Aliases....................................................................................................................................................................................94
Field Relationships................................................................................................................................................................94
Common Applications ..........................................................................................................................................................94
Use Case ................................................................................................................................................................................95
MPE/Data Masking Manipulations .......................................................................................................................................95
Usage Standards ...................................................................................................................................................................95
Examples ...............................................................................................................................................................................95
Size........................................................................................................................................................ 97
Data Type ..............................................................................................................................................................................97
Aliases....................................................................................................................................................................................97
Field Relationships................................................................................................................................................................97
Common Applications ..........................................................................................................................................................97
Use Case ................................................................................................................................................................................97
MPE/Data Masking Manipulations .......................................................................................................................................98
Usage Standards ...................................................................................................................................................................98
Examples ...............................................................................................................................................................................98
Status [7.2] ........................................................................................................................................... 99
Data Type ..............................................................................................................................................................................99
Aliases....................................................................................................................................................................................99
Field Relationships................................................................................................................................................................99
Common Applications ..........................................................................................................................................................99
Use Case ..............................................................................................................................................................................100
MPE/Data Masking Manipulations .....................................................................................................................................100
Usage Standards .................................................................................................................................................................100
Examples .............................................................................................................................................................................100
Subject................................................................................................................................................ 102
Aliases..................................................................................................................................................................................102
Field Relationships..............................................................................................................................................................102
Common Applications ........................................................................................................................................................102
Use Case ..............................................................................................................................................................................102
MPE/Data Masking Manipulations .....................................................................................................................................103

LogRhythm, Inc. | Contents 9


Usage Standards .................................................................................................................................................................103
Incorrect Examples .............................................................................................................................................................103
URL...................................................................................................................................................... 106
Aliases..................................................................................................................................................................................106
Field Relationships..............................................................................................................................................................106
Common Applications ........................................................................................................................................................106
Use Case ..............................................................................................................................................................................107
MPE/Data Masking Manipulations .....................................................................................................................................107
Usage Standards .................................................................................................................................................................107
Examples .............................................................................................................................................................................107
User Agent [7.2] .................................................................................................................................. 108
Data Type ............................................................................................................................................................................108
Aliases..................................................................................................................................................................................108
Field Relationships..............................................................................................................................................................108
Common Applications ........................................................................................................................................................108
Use Case ..............................................................................................................................................................................108
MPE/Data Masking Manipulations .....................................................................................................................................109
Usage Standards .................................................................................................................................................................109
Examples .............................................................................................................................................................................109
Version ................................................................................................................................................ 110
Aliases..................................................................................................................................................................................110
Field Relationships..............................................................................................................................................................110
Common Applications ........................................................................................................................................................110
Use Case ..............................................................................................................................................................................110
MPE/Data Masking Manipulations .....................................................................................................................................111
Usage Standards .................................................................................................................................................................111
Examples .............................................................................................................................................................................111

Kbytes/Packets Tab ................................................................................................... 114


[prefix] [Bits/Bytes] [blank/In/Out] ................................................................................................... 115
Data Type ............................................................................................................................................................................115
Aliases..................................................................................................................................................................................115
Field Relationships..............................................................................................................................................................115

LogRhythm, Inc. | Contents 10


Common Applications ........................................................................................................................................................116
Use Case ..............................................................................................................................................................................116
MPE/Data Masking Manipulations .....................................................................................................................................116
Usage Standards .................................................................................................................................................................116
Examples .............................................................................................................................................................................116
Packets [Total/In/Out] ....................................................................................................................... 117
Data Type ............................................................................................................................................................................117
Aliases..................................................................................................................................................................................117
Field Relationships..............................................................................................................................................................117
Common Applications ........................................................................................................................................................118
Use Case ..............................................................................................................................................................................118
MPE/Data Masking Manipulations .....................................................................................................................................118
Usage Standards .................................................................................................................................................................118
Examples .............................................................................................................................................................................118

Classification Tab....................................................................................................... 119


CVE [7.2].............................................................................................................................................. 120
Data Type ............................................................................................................................................................................120
Aliases..................................................................................................................................................................................120
Field Relationships..............................................................................................................................................................120
Common Applications ........................................................................................................................................................120
Use Case ..............................................................................................................................................................................121
MPE/Data Masking Manipulations .....................................................................................................................................121
Usage Standards .................................................................................................................................................................121
Examples .............................................................................................................................................................................121
Severity............................................................................................................................................... 123
Data Type ............................................................................................................................................................................123
Aliases..................................................................................................................................................................................123
Field Relationships..............................................................................................................................................................123
Common Applications ........................................................................................................................................................123
Use Case ..............................................................................................................................................................................123
MPE/Data Masking Manipulations .....................................................................................................................................124
Usage Standards .................................................................................................................................................................124
Examples .............................................................................................................................................................................124

LogRhythm, Inc. | Contents 11


Threat ID [7.2]..................................................................................................................................... 126
Data Type ............................................................................................................................................................................126
Aliases..................................................................................................................................................................................126
Field Relationships..............................................................................................................................................................126
Common Applications ........................................................................................................................................................126
Use Case ..............................................................................................................................................................................127
MPE/Data Masking Manipulations .....................................................................................................................................127
Usage Standards .................................................................................................................................................................127
Examples .............................................................................................................................................................................127
Threat Name [7.2] .............................................................................................................................. 129
Data Type ............................................................................................................................................................................129
Aliases..................................................................................................................................................................................129
Field Relationships..............................................................................................................................................................129
Common Applications ........................................................................................................................................................130
Use Case ..............................................................................................................................................................................130
MPE/Data Masking Manipulations .....................................................................................................................................130
Usage Standards .................................................................................................................................................................130
Examples .............................................................................................................................................................................130
Vendor Info [7.2]................................................................................................................................. 132
Data Type ............................................................................................................................................................................132
Aliases..................................................................................................................................................................................132
Field Relationships..............................................................................................................................................................132
Common Applications ........................................................................................................................................................132
Use Case ..............................................................................................................................................................................132
MPE/Data Masking Manipulations .....................................................................................................................................133
Usage Standards .................................................................................................................................................................133
Examples .............................................................................................................................................................................133
Vendor Message ID ............................................................................................................................. 135
Data Type ............................................................................................................................................................................135
Aliases..................................................................................................................................................................................135
Field Relationships..............................................................................................................................................................135
Common Applications ........................................................................................................................................................135
Use Case ..............................................................................................................................................................................135

LogRhythm, Inc. | Contents 12


MPE/Data Masking Manipulations .....................................................................................................................................136
Usage Standards .................................................................................................................................................................136
Examples .............................................................................................................................................................................136

Host Tab ..................................................................................................................... 138


DIP/DestinationIP/Impacted IP......................................................................................................... 139
Data Type ............................................................................................................................................................................139
Aliases..................................................................................................................................................................................139
Field Relationships..............................................................................................................................................................139
Common Applications ........................................................................................................................................................140
Use Case ..............................................................................................................................................................................140
MPE/Data Masking Manipulations .....................................................................................................................................140
Usage Standards .................................................................................................................................................................140
Examples .............................................................................................................................................................................140
DIPv4................................................................................................................................................... 141
Data Type ............................................................................................................................................................................141
Aliases..................................................................................................................................................................................141
Field Relationships..............................................................................................................................................................141
Common Applications ........................................................................................................................................................141
Use Case ..............................................................................................................................................................................141
MPE/Data Masking Manipulations .....................................................................................................................................141
Usage Standards .................................................................................................................................................................142
Examples .............................................................................................................................................................................142
DIPv6................................................................................................................................................... 143
Data Type ............................................................................................................................................................................143
Aliases..................................................................................................................................................................................143
Field Relationships..............................................................................................................................................................143
Common Applications ........................................................................................................................................................143
Use Case ..............................................................................................................................................................................143
MPE/Data Masking Manipulations .....................................................................................................................................143
Usage Standards .................................................................................................................................................................144
Examples .............................................................................................................................................................................144
DIPv6E................................................................................................................................................. 145

LogRhythm, Inc. | Contents 13


Data Type ............................................................................................................................................................................145
Aliases..................................................................................................................................................................................145
Field Relationships..............................................................................................................................................................145
Common Applications ........................................................................................................................................................146
Use Case ..............................................................................................................................................................................146
MPE/Data Masking Manipulations .....................................................................................................................................146
Usage Standards .................................................................................................................................................................146
Examples .............................................................................................................................................................................146
Impacted Hostname .......................................................................................................................... 147
Data Type ............................................................................................................................................................................147
Aliases..................................................................................................................................................................................147
Field Relationships..............................................................................................................................................................147
Common Applications ........................................................................................................................................................148
Use Case ..............................................................................................................................................................................148
MPE/Data Masking Manipulations .....................................................................................................................................148
Usage Standards .................................................................................................................................................................148
Examples .............................................................................................................................................................................148
Impacted Hostname or IP.................................................................................................................. 149
Data Type ............................................................................................................................................................................149
Aliases..................................................................................................................................................................................149
Field Relationships..............................................................................................................................................................149
Common Applications ........................................................................................................................................................150
Use Case ..............................................................................................................................................................................150
MPE/Data Masking Manipulations .....................................................................................................................................150
Usage Standards .................................................................................................................................................................150
Examples .............................................................................................................................................................................150
Impacted Interface............................................................................................................................. 152
Data Type ............................................................................................................................................................................152
Aliases..................................................................................................................................................................................152
Field Relationships..............................................................................................................................................................152
Common Applications ........................................................................................................................................................153
Use Case ..............................................................................................................................................................................153
MPE/Data Masking Manipulations .....................................................................................................................................153

LogRhythm, Inc. | Contents 14


Usage Standards .................................................................................................................................................................153
Examples .............................................................................................................................................................................153
Impacted MAC Address ...................................................................................................................... 154
Data Type ............................................................................................................................................................................154
Aliases..................................................................................................................................................................................154
Field Relationships..............................................................................................................................................................154
Common Applications ........................................................................................................................................................155
Use Case ..............................................................................................................................................................................155
MPE/Data Masking Manipulations .....................................................................................................................................155
Usage Standards .................................................................................................................................................................155
Examples .............................................................................................................................................................................155
Impacted NAT IP ................................................................................................................................ 157
Data Type ............................................................................................................................................................................157
Aliases..................................................................................................................................................................................157
Field Relationships..............................................................................................................................................................157
Common Applications ........................................................................................................................................................158
Use Case ..............................................................................................................................................................................158
MPE/Data Masking Manipulations .....................................................................................................................................158
Usage Standards .................................................................................................................................................................158
Examples .............................................................................................................................................................................158
IP Address (Origin) ............................................................................................................................. 159
Data Type ............................................................................................................................................................................159
Aliases..................................................................................................................................................................................159
Field Relationships..............................................................................................................................................................159
Common Applications ........................................................................................................................................................160
Use Case ..............................................................................................................................................................................160
MPE/Data Masking Manipulations .....................................................................................................................................160
Usage Standards .................................................................................................................................................................160
Examples .............................................................................................................................................................................160
Origin Hostname ................................................................................................................................ 162
Data Type ............................................................................................................................................................................162
Aliases..................................................................................................................................................................................162
Field Relationships..............................................................................................................................................................162

LogRhythm, Inc. | Contents 15


Common Applications ........................................................................................................................................................163
Use Case ..............................................................................................................................................................................163
MPE/Data Masking Manipulations .....................................................................................................................................163
Usage Standards .................................................................................................................................................................163
Examples .............................................................................................................................................................................163
Origin Hostname or IP ....................................................................................................................... 164
Data Type ............................................................................................................................................................................164
Aliases..................................................................................................................................................................................164
Field Relationships..............................................................................................................................................................164
Common Applications ........................................................................................................................................................165
Use Case ..............................................................................................................................................................................165
MPE/Data Masking Manipulations .....................................................................................................................................165
Usage Standards .................................................................................................................................................................165
Examples .............................................................................................................................................................................165
Origin Interface .................................................................................................................................. 166
Data Type ............................................................................................................................................................................166
Aliases..................................................................................................................................................................................166
Field Relationships..............................................................................................................................................................166
Common Applications ........................................................................................................................................................167
Use Case ..............................................................................................................................................................................167
MPE/Data Masking Manipulations .....................................................................................................................................167
Usage Standards .................................................................................................................................................................167
Examples .............................................................................................................................................................................167
Origin MAC Address............................................................................................................................ 169
Data Type ............................................................................................................................................................................169
Aliases..................................................................................................................................................................................169
Field Relationships..............................................................................................................................................................169
Common Applications ........................................................................................................................................................170
Use Case ..............................................................................................................................................................................170
MPE/Data Masking Manipulations .....................................................................................................................................170
Usage Standards .................................................................................................................................................................170
Examples .............................................................................................................................................................................170
Origin NAT IP ...................................................................................................................................... 172

LogRhythm, Inc. | Contents 16


Data Type ............................................................................................................................................................................172
Aliases..................................................................................................................................................................................172
Field Relationships..............................................................................................................................................................172
Common Applications ........................................................................................................................................................173
Use Case ..............................................................................................................................................................................173
MPE/Data Masking Manipulations .....................................................................................................................................173
Usage Standards .................................................................................................................................................................173
Examples .............................................................................................................................................................................173
Serial Number [7.2] ............................................................................................................................ 174
Data Type ............................................................................................................................................................................174
Aliases..................................................................................................................................................................................174
Field Relationships..............................................................................................................................................................174
Common Applications ........................................................................................................................................................174
Use Case ..............................................................................................................................................................................175
MPE/Data Masking Manipulations .....................................................................................................................................175
Usage Standards .................................................................................................................................................................175
Examples .............................................................................................................................................................................175
SIPv4 ................................................................................................................................................... 177
Data Type ............................................................................................................................................................................177
Aliases..................................................................................................................................................................................177
Field Relationships..............................................................................................................................................................177
Common Applications ........................................................................................................................................................177
Use Case ..............................................................................................................................................................................177
MPE/Data Masking Manipulations .....................................................................................................................................177
Usage Standards .................................................................................................................................................................178
Examples .............................................................................................................................................................................178
SIPv6 ................................................................................................................................................... 179
Data Type ............................................................................................................................................................................179
Aliases..................................................................................................................................................................................179
Field Relationships..............................................................................................................................................................179
Common Applications ........................................................................................................................................................179
Use Case ..............................................................................................................................................................................179
MPE/Data Masking Manipulations .....................................................................................................................................179

LogRhythm, Inc. | Contents 17


Usage Standards .................................................................................................................................................................180
Examples .............................................................................................................................................................................180
SIPv6E ................................................................................................................................................. 181
Data Type ............................................................................................................................................................................181
Aliases..................................................................................................................................................................................181
Field Relationships..............................................................................................................................................................181
Common Applications ........................................................................................................................................................182
Use Case ..............................................................................................................................................................................182
MPE/Data Masking Manipulations .....................................................................................................................................182
Usage Standards .................................................................................................................................................................182
Examples .............................................................................................................................................................................182

Identity Tab ................................................................................................................ 183


Account > User (Impacted) ................................................................................................................ 184
Data Type ............................................................................................................................................................................184
Aliases..................................................................................................................................................................................184
Field Relationships..............................................................................................................................................................184
Common Applications ........................................................................................................................................................185
Use Case ..............................................................................................................................................................................185
MPE/Data Masking Manipulations .....................................................................................................................................185
Usage Standards .................................................................................................................................................................185
Examples .............................................................................................................................................................................185
Group .................................................................................................................................................. 187
Data Type ............................................................................................................................................................................187
Aliases..................................................................................................................................................................................187
Field Relationships..............................................................................................................................................................187
Common Applications ........................................................................................................................................................187
Use Case ..............................................................................................................................................................................187
MPE/Data Masking Manipulations .....................................................................................................................................188
Usage Standards .................................................................................................................................................................188
Examples .............................................................................................................................................................................188
Login > User (Origin) .......................................................................................................................... 189
Data Type ............................................................................................................................................................................189

LogRhythm, Inc. | Contents 18


Aliases..................................................................................................................................................................................189
Field Relationships..............................................................................................................................................................189
Common Applications ........................................................................................................................................................190
Use Case ..............................................................................................................................................................................190
MPE/Data Masking Manipulations .....................................................................................................................................190
Usage Standards .................................................................................................................................................................190
Examples .............................................................................................................................................................................190
Recipient............................................................................................................................................. 192
Data Type ............................................................................................................................................................................192
Aliases..................................................................................................................................................................................192
Field Relationships..............................................................................................................................................................192
Common Applications ........................................................................................................................................................192
Use Case ..............................................................................................................................................................................192
MPE/Data Masking Manipulations .....................................................................................................................................193
Usage Standards .................................................................................................................................................................193
Examples .............................................................................................................................................................................193
Sender................................................................................................................................................. 195
Data Type ............................................................................................................................................................................195
Aliases..................................................................................................................................................................................195
Field Relationships..............................................................................................................................................................195
Common Applications ........................................................................................................................................................195
Use Case ..............................................................................................................................................................................195
MPE/Data Masking Manipulations .....................................................................................................................................196
Usage Standards .................................................................................................................................................................196
Examples .............................................................................................................................................................................196

Location Tab............................................................................................................... 198


Log Tab ....................................................................................................................... 199
Network Tab............................................................................................................... 200
Domain [7.2] ....................................................................................................................................... 201
Data Type ............................................................................................................................................................................201
Aliases..................................................................................................................................................................................201
Field Relationships..............................................................................................................................................................201

LogRhythm, Inc. | Contents 19


Common Applications ........................................................................................................................................................202
Use Case ..............................................................................................................................................................................202
MPE/Data Masking Manipulations .....................................................................................................................................202
Usage Standards .................................................................................................................................................................202
Examples .............................................................................................................................................................................202
Impacted NAT Port............................................................................................................................. 204
Data Type ............................................................................................................................................................................204
Aliases..................................................................................................................................................................................204
Field Relationships..............................................................................................................................................................204
Common Applications ........................................................................................................................................................205
Use Case ..............................................................................................................................................................................205
MPE/Data Masking Manipulations .....................................................................................................................................205
Usage Standards .................................................................................................................................................................205
Examples .............................................................................................................................................................................205
Impacted Port .................................................................................................................................... 206
Data Type ............................................................................................................................................................................206
Aliases..................................................................................................................................................................................206
Field Relationships..............................................................................................................................................................206
Common Applications ........................................................................................................................................................207
Use Case ..............................................................................................................................................................................207
MPE/Data Masking Manipulations .....................................................................................................................................207
Usage Standards .................................................................................................................................................................207
Examples .............................................................................................................................................................................207
Origin NAT Port .................................................................................................................................. 209
Data Type ............................................................................................................................................................................209
Aliases..................................................................................................................................................................................209
Field Relationships..............................................................................................................................................................209
Common Applications ........................................................................................................................................................210
Use Case ..............................................................................................................................................................................210
MPE/Data Masking Manipulations .....................................................................................................................................210
Usage Standards .................................................................................................................................................................210
Examples .............................................................................................................................................................................210
Origin Port .......................................................................................................................................... 211

LogRhythm, Inc. | Contents 20


Data Type ............................................................................................................................................................................211
Aliases..................................................................................................................................................................................211
Field Relationships..............................................................................................................................................................211
Common Applications ........................................................................................................................................................212
Use Case ..............................................................................................................................................................................212
MPE/Data Masking Manipulations .....................................................................................................................................212
Usage Standards .................................................................................................................................................................212
Examples .............................................................................................................................................................................212

Other MPE Fields ........................................................................................................ 214


[Tag1-Tag5] ........................................................................................................................................ 215
Data Type ............................................................................................................................................................................215
Aliases..................................................................................................................................................................................215
Field Relationships..............................................................................................................................................................215
Common Applications ........................................................................................................................................................215
Use Case ..............................................................................................................................................................................215
MPE/Data Masking Manipulations .....................................................................................................................................215
Usage Standards .................................................................................................................................................................216
Examples .............................................................................................................................................................................216
Items In ............................................................................................................................................... 217
Data Type ............................................................................................................................................................................217
Aliases..................................................................................................................................................................................217
Field Relationships..............................................................................................................................................................217
Common Applications ........................................................................................................................................................217
Use Case ..............................................................................................................................................................................217
MPE/Data Masking Manipulations .....................................................................................................................................218
Usage Standards .................................................................................................................................................................218
Examples .............................................................................................................................................................................218
Items Out ............................................................................................................................................ 219
Data Type ............................................................................................................................................................................219
Aliases..................................................................................................................................................................................219
Field Relationships..............................................................................................................................................................219
Common Applications ........................................................................................................................................................219
Use Case ..............................................................................................................................................................................219

LogRhythm, Inc. | Contents 21


MPE/Data Masking Manipulations .....................................................................................................................................220
Usage Standards .................................................................................................................................................................220
Examples .............................................................................................................................................................................220

Derived Data............................................................................................................... 221


Identity-Derived Data......................................................................................................................... 222
Log-Derived Data ............................................................................................................................... 223

LogRhythm, Inc. | Contents 22


LogRhythm Schema Dictionary and Guide

This document is a complete dictionary of the LogRhythm SIEM schema. This guide contains descriptions of
every field, including the intent for the field, guidance for how to parse data into the field, use cases for each
field, and sample logs showing correct, incorrect, and ambiguous examples.
The fields in this guide are organized according to the tabs in the Analyzer grid in the LogRhythm Web
Console. To access the Analyzer grid on the Dashboards page or Analyze page, at the lower-right side of the
page, click the Logs tab.

Fields that are listed with [7.2] after the field name are not available in LogRhythm versions earlier
than 7.2.1.

Origin vs. Impacted


Definition and Guidelines
LogRhythm presents log sources from the perspective of the impacted system, the origin system, or both.
Although origin and impacted align with the network-centric view of "source" and "destination," origin and
impacted are meant to represent a security-centric view, in which:
In a security-centric view:
• Origin represents:
• The client in “client server.”
• The attacker in a security context.
• The cause of an observation.
• The user account who performed an action.
• Impacted represents:
• The server in "client server."
• The target in a security context, or the device impacted by a security event.
• The effect of an observation.
• The user affected by an action.

Use in Schema
The use of origin and impacted is particularly important for understanding the schema. Origin and impacted
apply to IP addresses, hosts, users, and other fields that describe the object in the log. These fields include:
• Hostname
• MAC address
• Interface
• IP address
• User

For an IP address, the schema parses into fields called SIP and DIP, where SIP represents origin and
DIP represents impacted.

Origin vs. Impacted 23


LogRhythm Schema Dictionary and Guide

What Determines Origin/Impacted?


The origin/impacted context can be defined and changed in multiple places:
• Selecting correct parsing fields. This is important when converting the network view of source and destination
to the security view of origin and impacted. Origin is not always source and impacted is not always destination.
• Rule definition with explicit options. The rule can explicitly force a conversion of direction.
• Automatic Host Contextualization (AHC). The AHC feature can change direction based on tables of well-known
ports and protocols.

Examples
• O365 SharePoint. SIP is explicitly called out, but because O365 is the cloud, there is no discernable impacted
hostname.
TS=2016-10-20T20:22:23 SESSID=8b157afd-eb80-45e4-926f-08d3f926cd63
COMMAND=AnonymousLinkUsed USERTYPE=Regular USERKEY=anonymous WORKLOAD=SharePoint
RESULTCODE= OBJECT=https://lrhackathon.sharepoint.com/LogRhythm/Shared
Documents/abuse_ch_copy.txt USER=anonymous SIP=1.1.1.1 ITEMTYPE=File
EVENTSOURCE=SharePoint USERAGENT=Mozilla/5.0 (Windows NT 6.3; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36 DOMAIN=
FILENAME= DESTINATION= DESTINATIONFILENAME= USERSHAREDWITH= SHARINGTYPE=
MODIFIEDPROPERTIES=

This is not a security event, so apply the network-centric view of client vs. server. The client is
referenced in the SIP, and therefore SIP (origin) is the IP Origin. The IP Impacted is undefined, but
the Impacted Host can be inferred from the log source. It is ambiguous whether the log source is the
agent calling the API or refers to O365.

• Oracle 10g Audit. Client is the source of the session, but also impacted by the logoff.
20101115202959.307904 AUDIT_TYPE=Standard Audit STATEMENT_TYPE=LOGOFF BY CLEANUP
RETURNCODE=0 AUDIT_OPTION= PRIV _USED=CREATE SESSION OS_USER=shenja
DB_USER=SYSTEM UHOST=WKST0005 TERM=UNKNOWN OBJECT_SCHEMA= OBJECT_NAME=
POLICY_NAME= NEW_OWNER= NEW_ NAME= EXT_NAME= SQL_TEXT= COMMENT_
TEXT=Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)
(HOST=1.1.1.1)(PORT=4888)) SES_ACTIONS= GLOBAL_UID= SESSION_ID=325213
PROXY_SESSIONID= STATEMENTID=1 ENTRYID=1 CLIENT_ID= ECONTEXT_ID= TRANSACTIONID=
OS_PROCESS=610338 INSTANCE_NUMBER=0 ACTION=102 SQL_BIND= OBJ_PRIVILEGE=
SYS_PRIVILEGE= OS_PRIVILEGE=NONE SCN= GRANTEE= LOGOFF_TIME=11/15/2010 3:32:42 PM
LOGOFF_LREAD=1386 LOGOFF_PREAD=80 LOGOFF_LWRITE=36 LOGOFF_DLOCK=0 SESSION_CPU=10

Because this is not a security log, the host is likely the client (in client server). The host becomes the
Origin Host. The Impacted Host is the Oracle server (automatically resolved by the log source).

• Windows Application. <computer> is where the event log was written.

Origin vs. Impacted 24


LogRhythm Schema Dictionary and Guide

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/
event'><System><Provider Name='MSSQLSERVER'/><EventID Qualifiers='49152'>32040</
EventID><Level>Information</Level><Task>Server</Task><Keywords>Classic</
Keywords><TimeCreated SystemTime='2013-12-18T20:19:48.000000000Z'/
><EventRecordID>5652</EventRecordID><Channel>Application</
Channel><Computer>ACMEPREM01</Computer><Security/></System><EventData>The alert
for 'oldest unsent transaction' has been raised. The current value of '3'
surpasses the threshold '1'.</EventData></Event>

The computer is the Impacted Host because there is no other context. Because the log came from
this computer, it is the source of the log message.

• Cb Response. The endpoint is where the file originated in the scan, but is also likely impacted.
02 07 2017 17:30:21 1.1.1.1 <USER:NOTE> LEEF:1.0|CB|CB|5.1|
watchlist.storage.hit.binary|cb_server=cbserver cb_version=525
copied_mod_len=8704 digsig_result=Unsigned digsig_result_code=2148204800
endpoint=PIA-EX2010-01|2018 file_desc= file_version=1.1.1.1 group=Default
Servers host_count=1 internal_name=rwl_hdls.dll is_64bit=false
is_executable_image=false last_seen=2017-02-07T23:26:29.825Z legal_copyright=
link_md5=https://pia-carbla-01.smchcn.net/#/binary/
5F897E95044D43F58E30806857092186 md5=5F897E95044D43F58E30806857092186
observed_filename=c:\\windows\\temp\\rwl_hdls.dll orig_mod_len=8704
original_filename=rwl_hdls.dll os_type=Windows product_version=1.1.1.1
server_added_timestamp=2017-02-07T23:26:29.825Z server_name=localhost
timestamp=1486510220.266 type=watchlist.storage.hit.binary
watchlist_2=2017-02-07T23:30:03.972203Z watchlist_id=2 watchlist_name=Default:
Newly Loaded Modules

Because this is a security event that occurred on the endpoint, the endpoint is the Impacted Host.
The other hosts involved (for example, CB server or agent reading syslog) are not relevant to the
security context.

• CylancePROTECT. The threat originated from the device and IP, but is also impacted by the threat and the
quarantine.
05 09 2016 01:33:03 1.1.1.1 <SLOG:WARN> 1 2016-05-09T06:32:55.1224002Z
sysloghost CylancePROTECT - - - Event Type: Threat, Event Name:
threat_quarantined, Device Name: GQ-6FPLVZ1, IP Address: (1.1.1.1), File Name:
SOP.EXE, Path: E:\HESS\Corrosion\HESS Okume Lab C drive Backup\NALCO\Okume CD
training\programme\OkumeBandC\ProdWellManifolds\fscommand\, Drive Type: Internal
Hard Drive, SHA256:
8050FE3DCA43D594611492AA149AF09FC9669149602BB2945AFEA4148A24B175 , MD5:
59E0D058686BD35B0D5C02A4FD8BD0E0 , Status: Quarantined, Cylance Score: 97, Found

Origin vs. Impacted 25


LogRhythm Schema Dictionary and Guide

Date: 1/7/2016 5:03:51 PM, File Type: Executable, Is Running: False, Auto Run:
False, Detected By: BackgroundThreatDetection

Because this is a security event, the Device Name is the Impacted Host.

Polyfields and Parsing Field Aggregation


Not all fields that are parsed in a rule are stored in the Data Indexer as parsed or displayed in the console as
parsed. For example, the Web Console Duration field is a calculation based on one or more time-based
parsing fields. Similarly, there are more than a dozen fields for bytes as a size, but only one value is stored
and only one value is displayed.
Polyfields are a special type of display field used for aggregating across similar source data. For example, the
Impacted Host polyfield could contain a hostname, an IP address, or a well-known entity. The hostname and
IP address may also be stored separately. The polyfield generally has preference logic at the code level to
determine which source field to display.
When reading this document, pay particular attention to fields that are called out as source data for a
polyfield, or parsing fields that are transformed into final data fields.

Polyfields and Parsing Field Aggregation 26


LogRhythm Schema Dictionary and Guide

Application Tab
The fields in the Application tab describe the Impacted Object referenced by the log. The Application tab
contains the most fields.
The following fields are on the Application tab:
• Action [7.2]
• Amount
• Command
• Hash [7.2]
• IANA Protocol Name
• IANA Protocol Number
• Object
• Object Name
• Object Type [7.2]
• Parent Process ID [7.2]
• Parent Process Name [7.2]
• Parent Process Path [7.2]
• Policy [7.2]
• Process ID
• Process Name
• Quantity
• Rate
• Reason [7.2]
• Response Code [7.2]
• Result [7.2]
• Session
• Session Type [7.2]
• Size
• Status [7.2]
• Subject
• URL
• User Agent [7.2]
• Version

Application Tab 27
LogRhythm Schema Dictionary and Guide

Action [7.2]
Action is a broad field for what was done as described in the log. Action is usually a secondary function of a
command or process. 

This field is not available in LogRhythm versions earlier than 7.2.1.

Data Type
String

Aliases
Use Alias

Client Console Full Name Action

Client Console Short Name Action

Web Console Tab/Name Action

Elasticsearch Field Name action

Rule Builder Column Name Action

Regex Pattern <action>

NetMon Name Not applicable

Field Relationships
• Command
• Status
• Result
• Response Code
• Process

Common Applications
• Firewall
• Proxy

Application Tab 28
LogRhythm Schema Dictionary and Guide

• Antivirus
• IDS/IPS
• Vulnerability scanner
• RIM/FIM

Use Case
• Recording network traffic accepts, drops, or blocks.
• Secondary function of a command—for example, PowerShell (process), might issue "AD
commandlet" (command), which might have an action of lock out user.
• Action describes a mechanism. The result describes a state outcome. A firewall action can "pass" traffic. The
result might be "success.”  

MPE/Data Masking Manipulations


Not applicable.

Usage Standards
• Capture more simplistic actions than command might.
• An Action is what you are trying to initiate via a command.
• Action, Process, and Command separation:
• A process is something "running."
• A command is an operating system command (for example, batch) or a user originated command to a
system.
• The Action is often the "result" of a process or command. The A/V process (Symantec) might have a
command of "Run Scan", which could have an Action of Quarantine.
• In RIM/FIM, the Action would be "read, write, add, delete" or any other common action verb applied to the file or
registry key. 

Examples
• FortiGate
02 18 2015 16:13:49 1.1.1.1 <LOC7:INFO> date=2015-02-18 time=16:13:51
devname=FG22222222222217 devid=FGdfsdfds1111111 logid=1059028704 type=utm
subtype=app-ctrl eventtype=app-ctrl-all level=information vd="root" appid=16637
user="pete.store" srcip=1.1.1.1 srcport=57227 dstip=1.1.1.1 dstport=53 proto=17
service="DNS" sessionid=391322221 applist="APPC Monitor All" appcat="Update"
app="Sophos.Update" action=pass msg="Update: Sophos.Update," apprisk=low

In this case, the firewall action is to "pass" the traffic because it is on an approved list.

Application Tab 29
LogRhythm Schema Dictionary and Guide

Amount
The qualitative description of quantity (percentage or relative numbers).

Data Type
Double

Aliases
Use Alias

Client Console Full Name Amount

Client Console Short Name Amount

Web Console Tab/Name Amount

Elasticsearch Field Name amount

Rule Builder Column Name Amount

Regex Pattern <amount>

NetMon Name Not applicable

Field Relationships
• Quantity
• Rate
• Size

Common Applications
• Point of Sale
• Hardware Monitoring

Use Case
• Capturing price into amount and quantity of items purchased to quantity for fraud analytics.
• Monitoring disk or CPU use and thresholds.

Application Tab 30
LogRhythm Schema Dictionary and Guide

MPE/Data Masking Manipulations


Not applicable.

Usage Standards
• Currency amounts can be captured here.
• Percentages can be captured here.

Examples
• Huawei Access Router
04 07 2014 15:43:50 1.1.1.1 <LOC7:WARN> Apr  7 2014 13:43:49 USABLDRRECFLOW01 %
%01CPUP/4/CPU_USAGE_HIGH(l)[1237]:The CPU is overloaded, and the tasks with top
three CPU occupancy are HardIrq(80.8%), TICK(6.8%), ROUT(2.2%) . (CpuUsage=83%,
Threshold=80%)

Indicates the percent amount of CPU usage on router.

Application Tab 31
LogRhythm Schema Dictionary and Guide

Command
The specific command executed that has been recorded in the log message. 
Data Type
String

Aliases
Use Alias

Client Console Full Name Command

Client Console Short Name Command

Web Console Tab/Name Command

Elasticsearch Field Name command

Rule Builder Column Name Command

Regex Pattern <command>

NetMon Name Not applicable

Field Relationships
• Result
• Status
• Process
• Action

Common Applications
• PowerShell
• Windows Command Shell
• SSH
• Telnet
• Bash

Use Case

Application Tab 32
LogRhythm Schema Dictionary and Guide

• Cron
• Sudo
• Auditing

MPE/Data Masking Manipulations


Not applicable.

Usage Standards
• Vendor Message ID is a unique event type identifier.
• Command identifies an executable or script with arguments.
• May contain an executable, but is distinct from Process.
• Can describe the execution of a process.
• Command within a process.
• Often specifically called out as CMD or Command.
• Not Action (for example, Firewall Block/Allow).
• Not Result (Command can have a Result).
• Command may describe Action.

Examples
Correct Examples
• Crowdstrike FalconHost
12 14 2016 18:53:39 1.1.1.1 <USER:NOTE> CEF:0|CrowdStrike|FalconHost|1.0|
ScanResults|AV Scan Results In A Detection Summary Event|4|
externalID=2222222222222222eee799 cn2Label=ProcessId cn2=148181079514282
shost=WIN-HPBKBMLLSST suser=pete.store fname=GoogleUpdate.exe filePath=\\Device\
\HarddiskVolume1\\Users\\pete.store\\AppData\\Local
fileHash=e361a8c5da2e3d1a0ed3be85ed906dad cs1Label=CommandLine cs1="C:\\Users\
\pete.store\\AppData\\Local\\GoogleUpdate.exe" sntdom=safaware
cs2Label=ScanResultEngine cs2=AVware cs3Label=ScanResultName cs3=Trojan-
Downloader.Win32.Fraudload cn4Label=ScanResultVersion cs4=1.1.1.1
cs6Label=FalconHostLink cs6=https://falcon.crowdstrike.com/activity/detections/
detail/ec3f4ca727a04f025f2ea97647a61799/222222222 cn3Label=Offset cn3=1066242

Specifically called out Command Line, even though it is an executable.

• CrowdStrike FalconHost
12 15 2016 00:19:05 1.1.1.1 <USER:NOTE> CEF:0|CrowdStrike|FalconHost|1.0|
ScanResults|AV Scan Results In A Detection Summary Event|3|
externalID=022222222222222222ea584f3783f5b1eee9 cn2Label=ProcessId
cn2=1482087830222222 shost= USABLDRRECFLOW01suser=Pete.Store fname=upnp.exe
filePath=\\Device\\HarddiskVolume1\\Users\\pete.store\\AppData\\Local\\Temp

Application Tab 33
LogRhythm Schema Dictionary and Guide

fileHash=13804f8dc4e72ba103d5e34de895c9db cs1Label=CommandLine cs1="C:\\Users\


\ALVINF~1\\AppData\\Local\\Temp\\upnp.exe" -a 1.1.1.1 1604 1604 TCP
sntdom=safaware cs2Label=ScanResultEngine cs2=TrendMicro
cs3Label=ScanResultName cs3=TROJ_GEN.R0FBC0CI116 cn4Label=ScanResultVersion
cs4=1.1.1.12 cs6Label=FalconHostLink cs6=https://falcon.crowdstrike.com/
activity/detections/detail/02c60e7a579b4fea584f3783f5b1eee9/222222222
cn3Label=Offset cn3=1066392

Executable with arguments.

• AIX
02 20 2013 09:16:33 1.1.1.1 <SAU1:NOTE> Feb 20 09:16:33 Message forwarded from
USABLDRRECFLOW01: sudo:  dt14437 : TTY=pts/0 ; PWD=/dst/home/omg37 ; USER=root ;
COMMAND=/usr/bin/crontab -l

Command called out explicitly.

• ProofPoint Spam Firewall


12 07 2011 14:19:10 1.1.1.1 <USER:NOTE> Dec  7 14:19:10 filter_instance1 rprt
s=11huq2222 m=1 x=pB7JJAlE02222 mod=access cmd=run rule=spamsafe duration=0.000

Run is the Command, not the Process.

Incorrect Examples
• Checkpoint Firewall
26Feb2013 14:59:21 Product=VPN-1 & FireWall-1 OriginIP=1.1.1.1 Origin=
USABLDRRECFLOW01Action=encrypt SIP=1.1.1.1 Source= USABLDRRECFLOW01SPort=0
DIP=1.1.1.1 Destination= USABLDRRECFLOW01DPort=0 Protocol=icmp ICMPType=8
ICMPCode=0 IFName=eth1 IFDirection=inbound Reason=- Rule=32 Info=-
XlateSIP=1.1.1.1 XlateSPort=- XlateDIP=- XlateDPort=-

Encrypt is not a command. Encrypt is better parsed into Action.

• Juniper Firewall
04 22 2012 17:28:13 1.1.1.1 <USER:INFO> 1 2012-04-23T08:27:25.564  RT_FLOW -
RT_FLOW_SESSION_CLOSE [junos@21.1.1.1.2.41 reason="unset" source-
address="1.1.1.1" source-port="138" destination-address="1.1.1.1" destination-
port="138" service-name="junos-nbds" nat-source-address="1.1.1.1" nat-source-
port="138" nat-destination-address="1.1.1.1" nat-destination-port="138" src-nat-

Application Tab 34
LogRhythm Schema Dictionary and Guide

rule-name="None" dst-nat-rule-name="None" protocol-id="17" policy-


name="allowAll" source-zone-name="trust" destination-zone-name="trust" session-
id-32="21434" packets-from-client="1" bytes-from-client="229" packets-from-
server="0" bytes-from-server="0" elapsed-time="59" application="UNKNOWN" nested-
application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-
interface="fe-0/0/7.0"]

RT_FLOW_SESSION_CLOSE is not a command. RT_FLOW_SESSION_CLOSE is VMID.

• Palo Alto Firewall


02 24 2015 15:21:01 1.1.1.1 <USER:INFO> Feb 24 15:21:01 1,2015/02/24
15:21:01,0011C100222,TRAFFIC,drop,0,2015/02/24
15:21:01,1.1.1.1,1.1.1.1,1.1.1.1,1.1.1.1,denyall,,,not-
applicable,vsys1,dmz,inet,ethernet1/9,,LogRhythm-Receiver,2015/02/24
15:21:00,0,1,64812,443,0,0,0x0,tcp,deny,66,66,0,1,2015/02/24 15:21:02,0,any,
0,27629666933,0x0,United States,United States,0,1,0

Drop is not the Command. Drop is the Action. Denyall is not Command either. Denyall is closer to
Result (could also be the name of a Policy).

Application Tab 35
LogRhythm Schema Dictionary and Guide

Hash [7.2]
The hash value (for example, MD5 or SHA256) of a file, process, or object. The value is independent of the
algorithm. Only the resulting hash is stored in this field.
Only three hash types are in common usage: MD5, SHA1, and SHA256.

This field is not available in LogRhythm versions earlier than 7.2.1.

Data Type
Alphanumeric string (0-512 characters, 64 average characters) 

Aliases
Use Alias

Client Console Full Name Hash

Client Console Short Name Hash

Web Console Tab/Name Hash

Elasticsearch Field Name hash

Rule Builder Column Name Hash

Regex Pattern <hash>

NetMon Name Not applicable

Field Relationships
Object, Process, and Object Name fields. This is the hash for the process identified in process.

Common Applications
• IDS/IPS
• Vulnerability scanners
• Endpoint monitoring (for example, Cbresponse)
• Threat Intelligence feeds

Application Tab 36
LogRhythm Schema Dictionary and Guide

• Antivirus

Use Case
Mapping hash value to threat feeds and known Indictators of Compromise (IOCs).

MPE/Data Masking Manipulations


Not applicable.

Usage Standards
• Priority if there are multiple hashes is MD5 > SHA1 > SHA256, until strongly typed fields available.
• Make it as easy as possible to match to most common threat feeds.
• Do not include the hash type in the field (for example, remove MD5:).

Examples
• Cylance log sample
Sample - 05 09 2016 21:40:29 1.1.1.1 <SLOG:WARN> 1 2016-05-10T02:40:19.2905167Z
sysloghost CylancePROTECT - - - Event Type: AppControl, Event Name: pechange,
Device Name: US-JNTJKV1, IP Address: (1.1.1.1, 1.1.1.1,), Action: Deny, Action
Type: PE File Change, File Path: C:\Users\Public\TechTools\Host65, SHA256:
8050FE3DCA43D594611492AA149AF09FC9669149602BB2945AFEA4148A24B175

Parse the hash removing the algorithm header SHA256.

• Cb Response log sample


Sample - 05 13 2016 20:56:15 1.1.1.1 <USER:NOTE> LEEF:1.0|CB|CB|5.1|
watchlist.hit.binary|cb_server=cbserver    cb_version=511   
company_name=Microsoft Corporation    copied_mod_len=11616   
digsig_issuer=Microsoft Windows Production PCA 2011   
digsig_prog_name=Microsoft Windows    digsig_publisher=Microsoft Corporation   
digsig_result=Signed    digsig_result_code=0   
digsig_sign_time=2015-10-30T12:32:00Z    digsig_subject=Microsoft Windows   
endpoint=[" USABLDRRECFLOW01"]    file_desc=recordflow console   
file_version=10.0.10.0 (th2_release.151029-1700)    group=["Testing"]   
host_count=1    internal_name=recflowcon    is_64bit=true   
is_executable_image=false    last_seen=2016-05-14T03:42:10.709Z   
legal_copyright=© Record Flow LLC. All rights reserved.   
md5=59E0D058686BD35B0D5C02A4FD8BD0E0observed_filename=["c:\\windows\\system32\
\downlevel\\api-ms-win-core-stringansi-l1-1-0.dll"]    orig_mod_len=11616   
original_filename=apisetstub    os_type=Windows    product_name=Microsoft®
Windows® Operating System    product_version=10.0.10586.0   

Application Tab 37
LogRhythm Schema Dictionary and Guide

server_added_timestamp=2016-05-14T03:42:10.709Z    server_name=USABLDRRECFLOW01
signed=Signed    timestamp=2016-05-14T03:42:10.709Z   
type=watchlist.hit.binary    watchlist_id=4    watchlist_name=Newly Loaded
Modules

Parse the hash removing the type md5=.

Application Tab 38
LogRhythm Schema Dictionary and Guide

IANA Protocol Name


The IANA Protocol Name representing the official registered name for well-known network protocols. For
more information, see RFC 5237 and RFC 7045.

Data Type
String

Aliases
Use Alias

Client Console Full Name Known Application

Client Console Short Name Not applicable

Web Console Tab/Name Application

Elasticsearch Field Name application/protocolName/serviceName

Rule Builder Column Name <protname>

Regex Pattern <protname>

NetMon Name Not applicable

Field Relationships
• SIP • Origin Port
• SIPv4 • Origin NAT Port
• SIPv6 • Impacted Port
• SIPv6E • Impacted NAT Port
• Origin Hostname • Origin MAC Address
• Origin Hostname or IP • Impacted MAC Address
• Origin NAT IP • Origin Interface
• DIP • Impacted Interface
• DIPv4 • Origin Domain
• DIPv6 • Impacted Domain
• DIPv6E • Origin Login
• Impacted Hostname • Impacted Account
• Impacted Hostname or IP • IANA Protocol Number
• Impacted NAT IP

Application Tab 39
LogRhythm Schema Dictionary and Guide

Common Applications
• Firewalls
• IDS/IPS
• NetMon

Use Case
Classifying network traffic.

MPE/Data Masking Manipulations


Compares to list of IANA Protocol Names and is shown in Known Application in the Client Console or
Application in the Web Console.

Usage Standards
• Only parse IANA Protocol Names in this field.
• If both Protocol Number and Protocol Name are present in a log, parse Protocol Number.
• For Protocol Names and Numbers, see https://www.iana.org/assignments/protocol-numbers/protocol-
numbers.xhtml

Examples
• FortiGate
12 12 2016 12:18:55 1.1.1.1 <LOC7:ALRT> date=2016-12-12 time=12:18:55
devname=ABC-DEF-FORTIGATE-02 devid=FG80050000000 logid=0419016385 type=utm
subtype=ips eventtype=signature level=alert vd=root severity=low srcip=1.1.1.1
srccountry="Reserved" dstip=1.1.1.1 srcintf="WIFI_NETWORK" dstintf="VLAN"
policyid=380 sessionid=24634444 action=dropped proto=1 service="PING"
attack="Traceroute" icmpid=0x6425 icmptype=0x08 icmpcode=0x00 attackid=12466
profile="IPS_WEB_OUT" ref="http://Host1/ids/VID12345" incidentserialno=123456789
msg="icmp: Traceroute," crscore=5 crlevel=low

Service corresponds with proto=1 which is ICMP (Ping). Service can sometimes indicate an IANA
Protocol Name instead of a process. For more information, see http://www.iana.org/assignments/
protocol-numbers/protocol-numbers.xhtml.

• Juniper Firewall
11 06 2009 12:09:51 1.1.1.1 <SAU1:CRIT> dc-dp-1: NetScreen device_id=dc-dp-1
[Root]system-critical-00033: Src IP session limit! From 1.1.1.1:11698 to
1.1.1.1:49156, proto UDP (zone DAVE-PK1 int  ethernet0/0.3). Occurred 16 times.
(2010-11-06 12:09:50)

Application Tab 40
LogRhythm Schema Dictionary and Guide

Proto shows the Protocol Name UDP instead of a number. Corresponds to protocol number 17. For
more information, see http://www.iana.org/assignments/protocol-numbers/protocol-
numbers.xhtml.

Application Tab 41
LogRhythm Schema Dictionary and Guide

IANA Protocol Number


The Internet Assigned Numbers Authority (IANA) Protocol Number represents the official registered ID for
well-known network protocols. For more information, see RFC 5237 and RFC 7045.

Data Type
Integer (0 to 255)

Aliases
Use Alias

Client Console Full Name Known Application

Client Console Short Name Not applicable

Web Console Tab/Name Application

Elasticsearch Field Name application/protocolID/serviceName

Rule Builder Column Name Protnum

Regex Pattern <protnum>

NetMon Name Application (remapped by syslog parser)

Field Relationships
• SIP • Origin Port
• SIPv4 • Origin NAT Port
• SIPv6 • Impacted Port
• SIPv6E • Impacted NAT Port
• Origin Hostname • Origin MAC Address
• Origin Hostname or IP • Impacted MAC Address
• Origin NAT IP • Origin Interface
• DIP • Impacted Interface
• DIPv4 • Origin Domain
• DIPv6 • Impacted Domain
• DIPv6E • Origin Login
• Impacted Hostname • Impacted Account
• Impacted Hostname or IP • IANA Protocol Name
• Impacted NAT IP

Application Tab 42
LogRhythm Schema Dictionary and Guide

Common Applications
• Firewalls
• IDS/IPS

Use Case
Classifying network traffic.

MPE/Data Masking Manipulations


Compares to a list of IANA Protocol Numbers and is shown in Known Application in the Client Console or
Application in the Web Console.

Usage Standards
• Do not overload this field. It maps to a table in the SIEM (protocol).
• Only parse IANA Protocol Numbers in this field.
• If both the Protocol Number and Protocol Name are present in a log, parse the Protocol Number.
• For Protocol Names and Numbers, see https://www.iana.org/assignments/protocol-numbers/protocol-
numbers.xhtml.

Examples
• FortiGate
12 12 2016 12:18:55 1.1.1.1 <LOC7:ALRT> date=2016-12-12 time=12:18:55
devname=ABC-DEF-FORTIGATE-02 devid=FG000000000000 logid=042006385 type=utm
subtype=ips eventtype=signature level=alert vd=root severity=low srcip=1.1.1.1
srccountry="Reserved" dstip=1.1.1.1 srcintf="WIFI_NETWORK" dstintf="VLAN"
policyid=4 sessionid=5156446 action=dropped proto=1 service="PING"
attack="Traceroute" icmpid=0x6425 icmptype=0x08 icmpcode=0x00 attackid=12466
profile="IPS_WEB_OUT" ref="http://Host1/ids/VID5555" incidentserialno=5000000000
msg="icmp: Traceroute," crscore=5 crlevel=low

Proto (short for protocol) typically indicates IANA Protocol Numbers or Protocol Names. In this
case, proto represents a number. Proto=1 corresponds to ICMP (Ping). For more information, see
http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml.

• Cisco Netflow
02 19 2014 06:41:03 NetFlow V9 CONN_ID=- Src=1.1.1.1 SPort=57534 InIfc=4
Dst=1.1.1.1 DPort=8612 OutIfc=9 Prot=17 ICMP_IPV4_TYPE=- ICMP_IPV4_CODE=-
XLATE_SRC_ADDR_IPV4=- XLATE_DST_ADDR_IPV4=- XLATE_SRC_PORT=- XLATE_DST_PORT=-
FW_EVENT=- FW_EXT_EVENT=- EVENT_TIME_MSEC=- IN_PERMANENT_BYTES=-
DETAILS=CONN_ID=1632425523 ICMP_IPV4_TYPE=0 ICMP_IPV4_CODE=0

Application Tab 43
LogRhythm Schema Dictionary and Guide

XLATE_SRC_ADDR_IPV4=1.1.1.1 XLATE_DST_ADDR_IPV4=1.1.1.1 XLATE_SRC_PORT=57534


XLATE_DST_PORT=8612 FW_EVENT=2 FW_EXT_EVENT=2013 EVENT_TIME_MSEC=1392835263526
IN_PERMANENT_BYTES=16 DefaultDevice TemplateID=263

Prot indicates an IANA Protocol Number, corresponding to UDP. For more information, see http://
www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml.

Application Tab 44
LogRhythm Schema Dictionary and Guide

Object
The resource (file) referenced or impacted by activity reported in the log, except when another schema field
is more precisely relevant.
The following fields should be used if they are more relevant:
• Process. For anything clearly executable or running as a process.
• Action. Data explicitly classified as an action (for example, block traffic).
• Result. Result of a process (for example, HTTP result codes).
• Status. Explicit status as presented by log source.
• Reason. Explicit reason as presented by log source.
• Policy. Explicit policy.
• Command. Command executed by log source.
• Threat Name. Explicit threat name (for example, APT1).
• CVE. Explicit CVE in standard CVE format.
• Hash. Explicitly generated Hash field. For more information, see Hash.
• Vendor Information. Additional information from vendor (beyond the Vendor Message ID or VMID).
• UserAgent. User agent string for web traffic.
• Anything that can be inferred into the LogRhythm Entity, Location or Network.

Data Type
String (1000 characters maximum)

Aliases
Use Alias

Client Console Full Name Object

Client Console Short Name Object

Web Console Tab/Name Object

Elasticsearch Field Name object

Rule Builder Column Name Object

Regex Pattern <object>

NetMon Name Not applicable

Application Tab 45
LogRhythm Schema Dictionary and Guide

Field Relationships
• Object Name
• Object Type
• Hash

Common Applications
• Stores a resource being mentioned in the log message.
• Can be used in almost every log source type.

Use Case
Finding a specific known resource for log source type (for example, searching for a specific database name).

MPE/Data Masking Manipulations


Not applicable.

Usage Standards
Do not use in the following cases:
• When another schema field is more appropriate to describe the resource (Process, Dname, Hash, Sender,
Command, Recipient, Subject, etc.).
• When describing a LogRhythm-defined entity.
• To describe an event. Object describes an event's target.

Examples
Correct Examples
• Windows System Log
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/
event'><System><Provider Name='Microsoft-Windows-DHCP-Server' Guid='{6d44402c-
a145-4dac-9a01-f0555b41ca84}' EventSourceName='DhcpServer'/><EventID
Qualifiers='0'>1020</EventID><Version>0</Version><Level>Warning</
Level><Task>None</Task><Opcode>Info</Opcode><Keywords>Classic</
Keywords><TimeCreated SystemTime='2016-08-02T13:14:16.000000000Z'/
><EventRecordID>1340877</EventRecordID><Correlation/><Execution ProcessID='0'
ThreadID='0'/><Channel>System</
Channel><Computer>IVNMKDP.DKVM.IVAN.log.cz.ru.biz</Computer><Security/></
System><EventData><Data>1.1.1.1</Data><Data>100</Data><Data>0</Data></
EventData></Event>

Application Tab 46
LogRhythm Schema Dictionary and Guide

The IP represents the IP Scope of this DHCP log, so it is the referenced object in this context. It is not
appropriate to use SIP/DIP/SNATIP/DNATIP because the data field does not represent a host.

• Windows System Log


<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/
event'><System><Provider Name='Microsoft-Windows-Kernel-PnP'
Guid='{9c343432439-12340-48324d-abhh7-e831c6sdf4539}'/><EventID>219</
EventID><Version>0</Version><Level>Warning</Level><Task></Task><Opcode>Info</
Opcode><Keywords></Keywords><TimeCreated
SystemTime='2016-08-03T01:44:55.547851500Z'/><EventRecordID>5823877</
EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='88'/
><Channel>System</Channel><Computer>IVNMKDP.DKVM.IVAN.log.cz.ru.biz</
Computer><Security UserID='NT AUTHORITY\SYSTEM'/></System><EventData><Data
Name='DriverNameLength'>60</Data><Data
Name='DriverName'>PCI\VEN_8086&DEV_7020&SUBSYS_110434AF4&REV_01\3&13c0b0c5&0&0A<
/Data><Data Name='Status'>3221226382</Data><Data Name='FailureNameLength'>15</
Data><Data Name='FailureName'>\Driver\usbuhci</Data><Data Name='Version'>0</
Data></EventData></Event>

Object is the specific driver component that failed to load (\driver\usbuhci). ObjectName is the
DriverName. Both are correct as the referenced object is the driver component, and ObjectName
expands on this with the full driver name.

• Office 365 Exchange Logs


TS=2016-03-03T01:17:28 SESSID=50e4435a-45e6-42de-7ae3-08d13419636 COMMAND=Set-
TransportConfig USERTYPE=DcAdmin USERKEY=NT AUTHORITY\SYSTEM
(Microsoft.Exchange.ServiceHost) WORKLOAD=Exchange RESULTCODE=True
OBJECT=ivantesto365.onmicrosoft.com\Transport Settings USER=NT AUTHORITY\SYSTEM
(Microsoft.Exchange.ServiceHost) SIP= OBJECTNAME=
PARAMETERS=[{"Name":"DomainController","Value":""},
{"Name":"Identity","Value":"lrtesto365.onmicrosoft.com"},
{"Name":"HygieneSuite","Value":"Premium"}] MODIFIEDPROPERTIES=
EXTERNALACCESS=True ORIGINATINGSERVER=ivandave0298 (15.31.05654.011)
ORGANIZATIONNAME=ivantesto365.onmicrosoft.com LOGONTYPE= MAILBOXOWNER=
MAILBOXMASTER= LOGONUSERSID= LOGONUSERDISPLAYNAME= USERAGENT= CLIENTIPADDRESS=
CLIENTPROCESSNAME= CLIENTVERSION= FOLDER= CROSSMAILBOXOPERATIONS= DESTMAILBOX=
DESTMAILBOXOWNER= DESTMAILBOXMASTER= DESTFOLDER= FOLDERS= AFFECTEDITEMS= ITEM=
SENDASUSER= SENDONBEHALFOFUSER=

ivantesto365.onmicrosoft.com\Transport Settings parses into Object because this setting is


recorded as modified in the log.

Application Tab 47
LogRhythm Schema Dictionary and Guide

Incorrect Examples
• Sensitive Data
04/10-07:08:54.002765  [**] [139:1:1] SDF_COMBO_ALERT [**] [Classification:
Sensitive Data was Transmitted Across the Network] [Priority: 2] {PROTO:254}
1.1.1.1 -> 1.1.1.1

SDF_COMBO_ALERT parses into Object. This is incorrect because SDF_COMBO_ALERT indicates the
type of log message, rather than what object is impacted or referenced in the log. In this example,
the Object field should not be used.

• Cisco ACS
06 07 2013 09:13:19 1.1.1.1 <LOC6:NOTE> Jun  7 09:13:19 mrk-prd-acs
CSCOacs_TACACS_Accounting 0000819174 2 1  NetworkDeviceGroups=Location:All
Locations:DPDC, AuditSessionId=davemon:1.1.1.1:tty1:1.1.1.1,
Response={Type=Accounting; AcctReply-Status=Success; }

The Success value is parsed incorrectly from the key status into Object. It should parse into Status
instead. In this example, the Object field should not be used.

• Symantec Endpoint Server


01 28 2015 16:15:37 1.1.1.1 <LPTR:INFO> Jan 28 16:01:42 SymantecServer MVK-
GDF-01: hostname,Local: 1.1.1.1,Local: 0,Local: 010000000001,Remote:
1.1.1.1,Remote: ,Remote: 0,Remote: 5156165156RS,7,Inbound,Begin: 2015-01-28
15:54:39,End: 2015-01-28 15:54:39,Occurrences: 1,Application: ,Rule: Block all
other traffic,Location: Corporate Network,User: Dave_Store,Domain: DP,Action:
Blocked

The Location value should not parse into Object, as this can be inferred, and entities can be used to
gather this type of data. Location should be tied to the entity structure. In this case, the Object field
should not be used. Application in a log could be Process or Object, depending on the analysis of
additional samples.

• Snare 2008 Event Log


08 28 2016 23:03:14 1.1.1.1 <USER:NOTE> Aug 28 23:03:14
DAVEWINDOW.loc.gregsports.com MSWinEventLog     1     Application 15450631   
Sun Aug 28 23:03:14 2016    1026  .NET Runtime      N/A   N/A   Error     
DAVEWINDOW.loc.gregsports.com None        Application:
pptviewerbackendwatchdog.exe Framework Version: v4.0.30319 Description: The
process was terminated due to an unhandled exception. Exception Info:
System.TypeInitializationException…

Application Tab 48
LogRhythm Schema Dictionary and Guide

Application should be parsed into Process because it is an executable. In this example, the Object
field should not be used.

Ambiguous Examples
• Riverbed
01 24 2014 02:57:25 1.1.1.1 <LOC0:NOTE> Jan 24 02:57:25 IVNDPMVK01 rbmd[10763]:
[rbmd.NOTICE]: Connecting to appliance IVAN48564546TV

The log notice may be a hostname or a device name (such as an AP). It is ambiguous whether this
strictly meets the definition of object impacted, object referenced, or something else. In this case,
the field could be a device, serial number, or other identifier. Object is not incorrect, but this log
source should be researched further.

• Microsoft Application Log


<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/
event'><System><Provider Name='MsiInstaller'/><EventID Qualifiers='0'>1022</
EventID><Level>Information</Level><Task>None</Task><Keywords>Classic</
Keywords><TimeCreated SystemTime='2014-11-05T08:50:01.000000000Z'/
><EventRecordID>9442</EventRecordID><Channel>Application</
Channel><Computer>IVNMKDP.DKVM.IVAN.log.cz.ru.biz</Computer><Security UserID='NT
AUTHORITY\SYSTEM'/></System><EventData>Product: Microsoft .NET Framework 4.5 -
Update 'KB2979578v2' installed successfully.</EventData></Event>

Product could parse into Process instead of Object. Object is not incorrect, but may be confusing. In
this case, the product does not define a runnable process on the system, so Object is a better choice
than Process.

• Windows Application Log


<Event xmlns='http://Host1/win/2004/08/events/event'><System><Provider
Name='SQLSERVERAGENT'/><EventID Qualifiers='16384'>208</
EventID><Level>Warning</Level><Task>Job Engine</Task><Keywords>Classic</
Keywords><TimeCreated SystemTime='2015-07-23T18:20:39.000000000Z'/
><EventRecordID>2042567</EventRecordID><Channel>Application</
Channel><Computer>IVNMKDP.DKVM.IVAN.log.cz.ru.biz </Computer><Security/></
System><EventData>SQL Server Scheduled Job 'LogRhythm Sunday Maintenance'
(0x7BN5C000E7A34C90000000D2F3) - Status: Failed - Invoked on: 2015-07-23
12:20:38 - Message: The job failed.  The Job was invoked by User sa.  The last
step to run was step 29 (LogRhythm Job Step Validation).  The job was requested
to start at step 29 (LogRhythm Job Step Validation).</EventData></Event>

Application Tab 49
LogRhythm Schema Dictionary and Guide

Job name parses into Object. However, it is ambiguous whether job is an object, an action, or a
process.

• Windows Security Log


<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/
event'><System><Provider Name='Microsoft-Windows-Security-Auditing'
Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4907</
EventID><Version>0</Version><Level>Information</Level><Task>Audit Policy
Change</Task><Opcode>Info</Opcode><Keywords>Audit Success</Keywords><TimeCreated
SystemTime='2016-02-26T06:56:10.852896900Z'/><EventRecordID>228903233</
EventRecordID><Correlation/><Execution ProcessID='752' ThreadID='768'/
><Channel>Security</Channel><Computer>IVNMKDP.DKVM.IVAN.log.cz.ru.biz</
Computer><Security/></System><EventData><Data
Name='SubjectUserSid'>IVN\dave.crowley</Data><Data
Name='SubjectUserName'>dave.crowley</Data><Data Name='SubjectDomainName'>IVN</
Data><Data Name='SubjectLogonId'>0x10be65</Data><Data
Name='ObjectServer'>Security</Data><Data Name='ObjectType'>File</Data><Data
Name='ObjectName'>C:\Windows\System32\autochk.exe</Data><Data
Name='HandleId'>0xb0</Data><Data Name='OldSd'>S:AI</Data><Data Name='NewSd'>S:
(AU;SAFA;DCLCSDSDWDWO;;;WD)</Data><Data Name='ProcessId'>0x3298</Data><Data
Name='ProcessName'>C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</
Data></EventData></Event>

File parses into Object, and the XML field is ObjectType, so it is a good candidate for ObjectType.
Autochk and path parses into ObjectName, and XML calls this ObjectName as well.

Application Tab 50
LogRhythm Schema Dictionary and Guide

Object Name
The resource name (filename) referenced or impacted by activity reported in the log, specifically related to
what is parsed into Object.
Object Name is a friendly name or expanded information about the Object. Do not use Object Name if Object
is not also parsed.
Object Name is normalized into the star schema of the Events database (LogRhythm_Events.dbo.Object). 

Data Type
String (1000 characters maximum)

Aliases
Use Alias

Client Console Full Name Object Name

Client Console Short Name Object Name

Web Console Tab/Name Object Name

Elasticsearch Fieldname objectName

Rule Builder Column Name ObjectName

Regex Pattern <objectname>

NetMon Name Not applicable

Field Relationships
• Object is described by Object Name
• Object Type

Common Applications
Everywhere that Object is used and a friendly name exists.

Use Case

Application Tab 51
LogRhythm Schema Dictionary and Guide

• Getting context about an Object.


• Not likely to be a primary search field.
• Not likely to be a major field in AIE rules.

MPE/Data Masking Manipulations


Not applicable.

Usage Standards
• Object and Object Name are context-sensitive to the log itself. They must be defined for each device and device
family across multiple samples.
• Object is primary and required to be filled first. Object Name is secondary and optional.
• Object Name is an expanded or friendly name of the object, not necessarily the file or process name
(Object).
• For any database log:
• Object is the name of the database.
• Object Name should only be used if there is a human readable name in addition.
• Do not use Object Name with any other speciality field, such as session, process, URL, and so on.

Examples
Correct Examples
• Windows Security Event Log
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/
event'><System><Provider Name='Microsoft-Windows-Security-Auditing'
Guid='{54559625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4907</
EventID><Version>0</Version><Level>Information</Level><Task>Audit Policy
Change</Task><Opcode>Info</Opcode><Keywords>Audit Success</Keywords><TimeCreated
SystemTime='2016-02-26T06:56:10.852896900Z'/><EventRecordID>228903233</
EventRecordID><Correlation/><Execution ProcessID='752' ThreadID='768'/
><Channel>Security</Channel><Computer>log.log.log</Computer><Security/></
System><EventData><Data Name='SubjectUserSid'>log\dave.crowley</Data><Data
Name='SubjectUserName'>dave.crowley</Data><Data Name='SubjectDomainName'>log</
Data><Data Name='SubjectLogonId'>0x10be65</Data><Data
Name='ObjectServer'>Security</Data><Data Name='ObjectType'>File</Data><Data
Name='ObjectName'>C:\Windows\System32\autochk.exe</Data><Data
Name='HandleId'>0xb0</Data><Data Name='OldSd'>S:AI</Data><Data Name='NewSd'>S:
(AU;SAFA;DCL545RSDWDWO;;;WD)</Data><Data Name='ProcessId'>0x3298</Data><Data
Name='ProcessName'>C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</
Data></EventData></Event>

Application Tab 52
LogRhythm Schema Dictionary and Guide

File parses into Object—though Object Type would be better. Autochk.exe parses into Object Name
appropriately.

• Windows Security Event Log


<Event xmlns='http://Host3/win/2004/08/events/event'><System><Provider
Name='Microsoft-Windows-Security-Auditing' Guid='{548465416845-5478-4994-
a5ba-3e3b0328c30d}'/><EventID>6144</EventID><Version>0</
Version><Level>Informationen</Level><Task>Andere
Richtlinienänderungsereignisse</Task><Opcode>Info</Opcode><Keywords>Überwachung
erfolgreich</Keywords><TimeCreated SystemTime='2016-03-15T17:52:23.176154700Z'/
><EventRecordID>57042720</EventRecordID><Correlation/><Execution ProcessID='524'
ThreadID='2808'/><Channel>Security</Channel><Computer>Host2l</
Computer><Security/></System><EventData><Data Name='ErrorCode'>0</Data><Data
Name='GPOList'>{31b2f340-016d-11d2-945f-00c04fb984f9}     Default Domain
Policy </Data></EventData></Event>

The string for GPOList parses into Object. The Default Domain Policy parses into Object Name.

• Cisco Unified Communication Mgr


11 09 2009 00:22:45 1.1.1.1 <LOC7:ERRR> 157: : : 125: Nov 09 05:22:03.34 UTC : 
%CCM_CALLMANAGER-CALLMANAGER-3-DeviceTypeMismatch: Device type mismatch. Name of
device.:DAV002454654BA Device type.:436 Database device type:435 App ID:Cisco
CallManager Cluster ID:CORP-DP001 Node ID:CORP0004-D31005

Cluster ID parses into Object. Node ID parses into Object Name.

• Voltage Securemail
01 29 2015 01:02:20 1.1.1.1 <USER:DBUG> voltage: LogMsgID="3",
ServerNode="MVBK1", TenantID="LOG.BIZ.RU", SubTenant="<default>",
Created="2015-01-29 01:02:20.673", Status="0", Summary="Authentication being
handled for pete.store@recordflow.biz", EventLevel="Verbose",
SessionID="1odz45646546dfdf3gscuijtpiv8", RequestID="1191",
SourceName="IDAdapterEvents", EventName="Auth", Service="VSIBE", ClusterName="GH
Data Center", ClusterUID="1", IPAddress="1.1.1.1", TenantUID="36",
UserAgentType="2", Identity=" pete.store@recordflow.bizrecordflow.biz",
AdapterType="vs.enrollment", AdapterID="24358855551109029088", Result="4",
Duration="9", Details="null"

Vs.enrollment parses into Object. The numeric string for AdapterID parses into Object Name.

Application Tab 53
LogRhythm Schema Dictionary and Guide

Ambiguous Examples
• NAC System – FortiGate
07 23 2016 20:00:12 1.1.1.1 <LOC7:NOTE> date=2016-07-23 time=23:00:11
devname=logfw devid=FG5555555RecFlw1600315 logid=0100043777 type=event
subtype=system level=notice vd="Transparent" logdesc="NAC anomaly quarantine"
srcip=1.1.1.1 dstip=2.2.22 src_int="port1" dst_int="N/A" srcport=0 dstport=0
proto=0 service="ip" action=ban-ip user="N/A" group="N/A" policyid=0
banned_src=dos banned_rule="tcp_dst_session" sensor="DoS-policy1"

Banned_src and banned_rule parse into Object and Object Name, respectively. These are
ambiguous because the source and rule are related to one another, but source refers to a denial of
service attack, which is more of an action than a resource.
In this case, banned_rule could be parsed into Policy and banned_src could parse into Object
(because the rule acted on the "dos" src).

• Postgres
07 15 2015 14:59:42 1.1.1.1 <LOC4:INFO> Jul 15 14:59:43 src@Host70lt0
postgres[26940]: [708937-1] user=hasselhoff,db=recordflow_dev LOG:  duration:
929.018 ms  execute <unnamed>: UPDATE jobs.TRIGGERS SET TRIGGER_STATE = $1 WHERE
SCHED_NAME = 'schedulerFactoryBean' AND JOB_NAME = $2 AND JOB_GROUP = $3 AND
TRIGGER_STATE = $4

Database and Log parse into Object Name and Object, respectively. A database meets the criteria of
a resource referenced or impacted in this log. However, the log seems closer to a command, action,
or result (log parses into Command).
The database value should parse into Object, and the log should parse into Command. Object
Name should not be used.

• Two logs from FortiGate with URLs


08 21 2016 02:16:52 1.1.1.1 <LOC1:ALRT>
date=2016-08-21,time=02:17:46,devname=FG123456456,devid=FG5445645641,logid=04190
16384,type=utm,subtype=ips,eventtype=signature,level=alert,vd="root",severity=lo
w,srcip=1.1.1.1,dstip=1.1.1.1,srcintf="port16",dstintf="port16",policyid=1,sessi
onid=22078931,action=detected,proto=6,service=tcp/
20480,attack="MS.IIS.Web.Server.Folder.Traversal.Evasion",srcport=53355,dstport=
80,hostname="1.1.1.1",direction=outgoing,attackid=15152,profile="all_default",re
f="http://www.fortinet.com/ids/
VID5555",incidentserialno=1981412111,msg="web_server:
 
MS.IIS.Web.Server.Folder.Traversal.Evasion,",crscore=10,crlevel=medium

Application Tab 54
LogRhythm Schema Dictionary and Guide

07 23 2016 20:00:12 1.1.1.1 <LOC7:ALRT> date=2016-07-23 time=23:00:11


devname=zackasdsd3343434 devid=FG5555121321 logid=0720018432 type=anomaly
subtype=anomaly level=alert vd="Transparent" severity=critical srcip=1.1.1.1
dstip=1.1.1.1 srcintf="port1" sessionid=0 action=detected proto=6 service=SNMP
count=802 attack="tcp_src_session" srcport=36078 dstport=162 attackid=4544654
policyid=1 ref="http://www.fortinet.com/ids/VID1511112" msg="anomaly:
tcp_src_session, 1251 > threshold 1250, repeats 802 times" crscore=50
crlevel=critical

The domain of the URL parses into Object Name in the referrer field in both logs. Strictly speaking,
this is a referenced object, but Object is not used in the first log, so there is no relation. In the
second log, Subtype parses into Object and the domain of the URL parses into Object Name. There
is no relation between these fields in the second instance, as subtype describes the event rather
than a resource.
In these logs, the ref field defines an outside URL to additional information. It is not the object of the
log or the name of the object. The ref field should parse into the Vendor Information field. There is
no need to have an Object or Object Name for this log source.

• Entrust entillgence messaging server - User Credentials


06 07 2013 09:29:36 1.1.1.1 <LOC3:WARN> ECD[12901]: b7fd WARN ECD: (31516556428)
Warning of credential expiry.  Details [[friendlyName=Onboard SSL credential for
www.recordflow.biz][days since expiry:161]]

Friendly name parses into Object Name and the subsequent hostname parses into Object. Object
should parse into impacted host (dname) in this log. Object Name is strictly correct with the usage
of object for the hostname, but would probably be better for Object after that is changed to dname.
If onboard SSL Credential parses into Object, then Object Name is empty. Also, the rule name and
common event probably captures it already "credential expiry." Look at other samples to see if
there are other types of credential besides the one shown here.

• Microsoft Antimalware
4/24/2013 4:03 PM TYPE=Warning USER= COMP=Host1 SORC=Microsoft Antimalware
CATG=(0) EVID=1116 MESG=Microsoft Antimalware has detected malware or other
potentially unwanted software.  For more information please see the following:
http://Host3/fwlink/?linkid=37020&name=Worm:Win32/Vobfus.PQ&threatid=2147680921 
      Name: Worm:Win32/Vobfus.PQ    ID: 214764421     Severity: Severe       
Category: Worm    Path: file:_C:\Documents and Settings\All Users\Application
Data\Symantec\SRTSP\Quarantine\APQ7.tmp  Detection Origin: Local machine    
Detection Type: Concrete      Detection Source: Real-Time Protection       
User: NT AUTHORITY\SYSTEM     Process Name: C:\Program Files (x86)\Symantec
AntiVirus\RHost2     Signature Version: AV: 1.1.1.1, AS: 1.1.1.1, NIS: 1.1.1.1 
    Engine Version: AM: 1.1.9402.0, NIS: 1.1.1.1

Application Tab 55
LogRhythm Schema Dictionary and Guide

The object is the target file (apq7.tmp), as it is being acted on. The name is a friendly descriptor and
thus is the Object Name.

Application Tab 56
LogRhythm Schema Dictionary and Guide

Object Type [7.2]


The resource type (file type) referenced or impacted by activity reported in the log, specifically related to
what is parsed into Object. Object Type is a categorization field in comparison to Object Name, which is a
specific description of the value in Object.

This field is not available in LogRhythm versions earlier than 7.2.1.

Data Type
String (0-512 characters, 64 average characters) 

Aliases
Use Alias

Client Console Full Name Object Type

Client Console Short Name Object Type

Web Console Tab/Name Application/Object Type

Elasticsearch Field Name objectType

Rule Builder Column Name ObjectType

Regex Pattern <objecttype>

NetMon Name Not applicable

Field Relationships
• Object Type is a categorization of the resource described in Object.
• Object Type is a broader classification whereas Object Name is a specific name or description.

Common Applications
• AV software
• HTTP access logs

Application Tab 57
LogRhythm Schema Dictionary and Guide

Use Case
Sub-classification when the event type is not enough.

MPE/Data Masking Manipulations


Not applicable.

Usage Standards
• Object Type does not require an Object. For example, a file scanner might create a log looking for .gif and not
find any. The Object Type would be GIF, but there is no Object because no files were found.
• Do not use Object Type with any other specialty field, such as Hash, Process, Subject, and so on. Object Type
only applies to Object. 

Examples
• HTTP access log. Object Type could contain the MIME type of file(s)
• Windows Security Event Log
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/
event'><System><Provider Name='Microsoft-Windows-Security-Auditing'
Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4907</
EventID><Version>0</Version><Level>Information</Level><Task>Audit Policy
Change</Task><Opcode>Info</Opcode><Keywords>Audit Success</Keywords><TimeCreated
SystemTime='2016-02-26T06:56:10.852896900Z'/><EventRecordID>228903233</
EventRecordID><Correlation/><Execution ProcessID='752' ThreadID='768'/
><Channel>Security</Channel><Computer>USLT0775JCROW.schq.safaware.com</
Computer><Security/></System><EventData><Data
Name='SubjectUserSid'>SAFAWARErecordflow\julian.crowley</Data><Data
Name='SubjectUserName'>julian.crowley</Data><Data
Name='SubjectDomainName'>SAFAWARE</Data><Data Name='SubjectLogonId'>0x10be75</
Data><Data Name='ObjectServer'>Security</Data><Data Name='ObjectType'>File</
Data><Data Name='ObjectName'>C:\Windows\System32\autochk.exe</Data><Data
Name='HandleId'>0xb0</Data><Data Name='OldSd'>S:AI</Data><Data Name='NewSd'>S:
(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data><Data Name='ProcessId'>0x3298</Data><Data
Name='ProcessName'>C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</
Data></EventData></Event>

In this case, Object is authchk.exe. Object Name is blank even though the source log explicitly calls
it out. If the log had a field that called Auto check process or some other expanded description or
friendly name of the object, then that value would parse into Object Name. Object Type would
parse into File.

• MS Forefront TMG Web Proxy

Application Tab 58
LogRhythm Schema Dictionary and Guide

1.1.1.1 anonymous Windows-Update-Agent Y 2014-12-22 17:45:02 w3proxy APPGATEDR -


- 1.1.1.1 80 31 221 359 http TCP HEAD http://ds.download.windowsupdate.com/
v11/2/microsoftupdate/redir/v6-muauth.cab?14546421745 application/octet-stream
Inet 200 0x40800000 [System] Allow all HTTP traffic from Forefront TMG to all
networks (for CRL downloads) Req ID: 11c05fb1; Compression: client=No,
server=No, compress rate=0% decompress rate=0% Local Host External 0x180 Allowed
2014-12-22 17:45:02 - - - - Allowed Malware Inspection Disabled for the Matching
Policy Rule Unknown - - 0 - 0 - - - - - - 0 0 - 0 - - Feature disabled None
ds.download.windowsupdate.com 50937 -

Application/octet-stream parses into Object Type, and v6-muauth.cab parses into Object (if
possible). No Object Name is parsed.

• Trend Micro Deep Discovery Inspector


06 05 2016 01:04:09 1.1.1.1 <LOC3:INFO> CEF:0|Trend Micro|Deep Discovery
Inspector|3.82.1133|200127|Notable Characteristics of the analyzed sample|6|
rt=Jun 05 2016 03:03:49 GMT+04:00 dvc=1.1.1.1
dvchost=uascdiscover.merto.uasc.corp dvcmac=00:00:00:00:00:00
deviceExternalId=4449875B3A-46561482-3301-FCA4-11156 fname=recordflow.exe
fileHash=
9B822B964971D32EC4C97920CDD0D4620F767BC8107D2F
fileType=WIN32 EXE fsize=905216 cs1Label=PolicyCategory cs1=Autostart or other
system reconfiguration msg=Key: HKEY_CURRENT_USER\\Software\\Microsoft\\Windows
NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\
\ve9375CFF0413d11d3B88A00104B2A6676\\\nValue: \nType: REG_NONE
cs3Label=SandboxImageType cs3=UASC2 cs2Label=PolicyName cs2=Modifies important
registry entries to perform rogue functions

Win32 EXE parses into Object Type, recordflow.exe parses into Object, and the registry name parses
into Object Name.

• Cylance Protect
08 23 2016 08:39:29 1.1.1.1 <SLOG:WARN> 1 2016-08-23T13:39:12.2911991Z
sysloghost CylancePROTECT - - - Event Type: Threat, Event Name: threat_changed,
Device Name: USABLDRRECFLOW01, IP Address: (1.1.1.1), File Name: creative
Host77, Path: c:\program files (x86)\adobe\adobe creative cloud\acc\, Drive
Type: Internal Hard Drive, SHA256:
8050FE3DCA43D594611492AA149AF09FC9669149602BB2945AFEA4148A24B175, MD5:
59E0D058686BD35B0D5C02A4FD8BD0E0, Status: Abnormal, Cylance Score: 100, Found
Date: 8/3/2016 4:22:21 PM, File Type: Executable, Is Running: True, Auto Run:
False, Detected By: FileWatcher

Application Tab 59
LogRhythm Schema Dictionary and Guide

Executable parses into Object Type, and creative Host77 parses into Object.

Application Tab 60
LogRhythm Schema Dictionary and Guide

Parent Process ID [7.2]


The Parent Process ID of a system or application process that is of interest.

This field is not available in LogRhythm versions earlier than 7.2.1.

Data Type
String (16 characters)

Aliases
Use Alias

Client Console Full Name Parent Process ID

Client Console Short Name Parent Process ID

Web Console Tab/Name Application/Parent Process ID

Elasticsearch Field Name parentProcessId

Rule Builder Column Name ParentProcessID

Regex Pattern <parentprocessid>

NetMon Name Not applicable

Field Relationships
• Parent Process Name
• Parent Process Path
• Process Name
• Process ID
• Object
• Object Name
• Object Type
• Session
• Session Type

Common Applications

Application Tab 61
LogRhythm Schema Dictionary and Guide

• Endpoint devices (for example, Carbon Black)


• Windows logs

Use Case
Identifying that Office is the source for a PowerShell process that is malicious.

MPE/Data Masking Manipulations


Not applicable.

Usage Standards
Parse the most obvious meaningful parent ID, which is typically a top-level root.

Examples
• Windows Event Log - Sysmon
<Event xmlns='http://Host3/win/2004/08/events/event'><System><Provider
Name='Microsoft-Windows-Sysmon' Guid='{22222222-C22A-43E0-BF4C-06F5698FFBD9}'/
><EventID>1</EventID><Version>5</Version><Level>Information</Level><Task>Process
Create (rule: ProcessCreate)</Task><Opcode>Info</Opcode><Keywords></
Keywords><TimeCreated SystemTime='2016-09-19T17:50:20.719863700Z'/
><EventRecordID>230097</EventRecordID><Correlation/><Execution ProcessID='3716'
ThreadID='3740'/><Channel>Microsoft-Windows-Sysmon/Operational</
Channel><Computer> USABLDRRECFLOW01</Computer><Security UserID='NT
AUTHORITY\SYSTEM'/></System><EventData>Process Create:
UtcTime: 2016-09-19 17:50:20.718
ProcessGuid: {FCC7BD93-255C-57E0-0000-00109BAC260D}
ProcessId: 127228
Image: C:\Windows\System32\Host2
CommandLine: Host2 /c echo ffsuli > \\.\pipe\ffsuli
CurrentDirectory: C:\Windows\system32\
User: NT AUTHORITY\SYSTEM
LogonGuid: {FCC7BD93-8F2C-57DC-0000-22222222222}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA1=
811627E612944FE5DADF2A14763A08111143C27E
ParentProcessGuid: {FCC7BD93-8F2B-57DC-0000-222222222222}
ParentProcessId: 504

Application Tab 62
LogRhythm Schema Dictionary and Guide

ParentImage: C:\Windows\System32\Host1
ParentCommandLine: C:\Windows\system32\Host1</EventData></Event>

Parent Process ID is specifically called out in this log.

• Cb Response
08 30 2016 02:20:42 1.1.1.1 <USER:NOTE> LEEF:1.0|CB|CB|1.1.1.1623.1033|
watchlist.storage.hit.process|cb_server=cbserver      
cb_version=1.1.1.1623.1033 childproc_count=1   cmdline=C:\\Windows\\system32\
\cmd.exe /c ping provisionserver >nul 2>nul      crossproc_count=1  
filemod_count=0       host_type=workstation     
last_update=2016-08-30T08:02:01.670Z    modload_count=11      
netconn_count=0     os_type=windows    
parent_guid=222222222-0000-2010-01d2-0294ad4c889c parent_id=2222222222      
parent_name=scsdiscovery.exe     parent_pid=8208      
parent_unique_id=222222-0000-2010-01d2-0294ad4c889c-2222222222       path=c:\
\windows\\syswow64\\cmd.exe    
process_guid=000001c3-0000-097c-01d2-222222222   
process_id=000001c3-0000-097c-01d2-22222222222 process_name=cmd.exe      
process_pid=2428    regmod_count=0      server_name=localhost.localdomain
start=2016-08-30T08:01:24.874Z timestamp=1472548449.903  
type=watchlist.storage.hit.process      
unique_id=000001c3-0000-097c-01d2-22222222222-00000001     
username=SYSTEM       watchlist_155=2016-08-30T09:10:02.525745Z     
watchlist_id=155       watchlist_name=Command Line

Parent_pid (Process ID) called out specifically.

Application Tab 63
LogRhythm Schema Dictionary and Guide

Parent Process Name [7.2]


The parent process name of a system or application process. 

This field is not available in LogRhythm versions earlier than 7.2.1.

Data Type
String (255 characters maximum)

Aliases
Use Alias

Client Console Full Name Parent Process Name

Client Console Short Name Parent Process Name

Web Console Tab/Name Parent Process Name

Elasticsearch Field Name parentProcessName

Rule Builder Column Name ParentProcessName

Regex Pattern <parentprocessname>

NetMon Name Not applicable

Field Relationships
• Parent Process ID
• Parent Process Path
• Process Name
• Process ID
• Object
• Object Name
• Object Type
• Session
• Session Type

Common Applications

Application Tab 64
LogRhythm Schema Dictionary and Guide

• Endpoint devices (for example, Carbon Black)


• Windows logs

Use Case
Identifying that Office is the source for a PowerShell process that is malicious.

MPE/Data Masking Manipulations


Not applicable.

Usage Standards
• Parse the most obvious meaningful parent process (typically top-level root).
• Parent Process Name must match the Parent Process ID.
• Do not capture the process path in the name. That goes in Parent Process Path.

Examples
• Cb Response
08 30 2016 02:20:42 1.1.1.1 <USER:NOTE> LEEF:1.0|CB|CB|1.1.1.1623.1033|
watchlist.storage.hit.process|cb_server=cbserver      
cb_version=1.1.1.1623.1033 childproc_count=1   cmdline=C:\\Windows\\system32\
\cmd.exe /c ping provisionserver >nul 2>nul      crossproc_count=1  
filemod_count=0       host_type=workstation     
last_update=2016-08-30T08:02:01.670Z    modload_count=11      
netconn_count=0     os_type=windows    
parent_guid=000001c3-0000-2010-01d2-0294ad4c889c
parent_id=7575139489275778785    parent_name=scsdiscovery.exe      
parent_pid=8208    
parent_unique_id=000001c3-0000-2010-01d2-0294ad4c889c-22222222222       path=c:\
\windows\\syswow64\\cmd.exe    
process_guid=000001c3-0000-097c-01d2-2222222222  
process_id=000001c3-0000-097c-01d2-22222222222 process_name=cmd.exe      
process_pid=2428    regmod_count=0      server_name=localhost.localdomain
start=2016-08-30T08:01:24.874Z timestamp=1472548449.903  
type=watchlist.storage.hit.process      
unique_id=000001c3-0000-097c-01d2-222222222222-00000001    
username=SYSTEM       watchlist_155=2016-08-30T09:10:02.525745Z     
watchlist_id=155       watchlist_name=Command Line

Parent_Name is the parent process name in this instance.

• Windows Event Log - Sysmon

Application Tab 65
LogRhythm Schema Dictionary and Guide

<Event xmlns='http://Host3/win/2004/08/events/event'><System><Provider
Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/
><EventID>1</EventID><Version>5</Version><Level>Information</Level><Task>Process
Create (rule: ProcessCreate)</Task><Opcode>Info</Opcode><Keywords></
Keywords><TimeCreated SystemTime='2016-09-19T17:50:20.719863700Z'/
><EventRecordID>230097</EventRecordID><Correlation/><Execution ProcessID='3716'
ThreadID='3740'/><Channel>Microsoft-Windows-Sysmon/Operational</
Channel><Computer>LRXM</Computer><Security UserID='NT AUTHORITY\SYSTEM'/></
System><EventData>Process Create:
UtcTime: 2016-09-19 17:50:20.718
ProcessGuid: {FCC7BD93-255C-57E0-0000-222222222222}
ProcessId: 127228
Image: C:\Windows\System32\Host2
CommandLine: Host2 /c echo ffsuli > \\.\pipe\ffsuli
CurrentDirectory: C:\Windows\system32\
User: NT AUTHORITY\SYSTEM
LogonGuid: {FCC7BD93-8F2C-57DC-0000-2222222222}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA1=
811627E612944FE5DADF2A14763A08111143C27E
ParentProcessGuid: {FCC7BD93-8F2B-57DC-0000-22222222222}
ParentProcessId: 504
ParentImage: C:\Windows\System32\Host1
ParentCommandLine: C:\Windows\system32\Host1</EventData></Event>

Obfuscated process name, but this would be appropriate for Parent Process Name.

Application Tab 66
LogRhythm Schema Dictionary and Guide

Parent Process Path [7.2]


The full path of a parent process of a system or application process.

This field is not available in LogRhythm versions earlier than 7.2.1.

Data Type
String (892 characters maximum)

Aliases
Use Alias

Client Console Full Name Parent Process Path

Client Console Short Name Parent Process Path

Web Console Tab/Name Parent Process Path

Elasticsearch Field Name parentProcessPath

Rule Builder Column Name ParentProcessPath

Regex Pattern <parentprocesspath>

NetMon Name Not applicable

Field Relationships
• Parent Process ID
• Parent Process Name
• Process Name
• Process ID
• Object
• Object Name
• Object Type
• Session
• Session Type

Common Applications

Application Tab 67
LogRhythm Schema Dictionary and Guide

• Endpoint devices (for example, Carbon Black)


• Windows logs

Use Case
• Identifying where parent executing process resides on target device.
• Tracking malware installation locations.

MPE/Data Masking Manipulations


Not applicable.

Usage Standards
• Parent process path must match the parent process ID/name. 
• Do not capture the process path in this field, only the parent process path.
• Parse out the OS-dependent path using whichever separators are native to that OS.

Examples
• Windows Event Log - Sysmon
<Event xmlns='http://Host3/win/2004/08/events/event'><System><Provider
Name='Microsoft-Windows-Sysmon' Guid='{2222222222-C22A-43E0-BF4C-06F5698FFBD9}'/
><EventID>1</EventID><Version>5</Version><Level>Information</Level><Task>Process
Create (rule: ProcessCreate)</Task><Opcode>Info</Opcode><Keywords></
Keywords><TimeCreated SystemTime='2016-09-19T17:50:20.719863700Z'/
><EventRecordID>230097</EventRecordID><Correlation/><Execution ProcessID='3716'
ThreadID='3740'/><Channel>Microsoft-Windows-Sysmon/Operational</
Channel><Computer>LRXM</Computer><Security UserID='NT AUTHORITY\SYSTEM'/></
System><EventData>Process Create:
UtcTime: 2016-09-19 17:50:20.718
ProcessGuid: {FCC7BD93-255C-57E0-0000-22222222222}
ProcessId: 127228
Image: C:\Windows\System32\Host2
CommandLine: Host2 /c echo ffsuli > \\.\pipe\ffsuli
CurrentDirectory: C:\Windows\system32\
User: NT AUTHORITY\SYSTEM
LogonGuid: {2222222222-8F2C-57DC-0000-2222222}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA1=
811627E612944FE5DADF2A14763A08111143C27E

Application Tab 68
LogRhythm Schema Dictionary and Guide

ParentProcessGuid: {22222222222-8F2B-57DC-0000-2222222222222}
ParentProcessId: 504
ParentImage: C:\Windows\System32\Host1
ParentCommandLine: C:\Windows\system32\Host1</EventData></Event>

ParentImage contains a path to the parent process.

Application Tab 69
LogRhythm Schema Dictionary and Guide

Policy [7.2]
The specific policy referenced (for example, Firewall or Proxy) in a log message.

This field is not available in LogRhythm versions earlier than 7.2.1.

Data Type
String

Aliases
Use Alias

Client Console Full Name Policy

Client Console Short Name Policy

Web Console Tab/Name Policy

Elasticsearch Field Name policy

Rule Builder Column Name Policy

Regex Pattern <policy>

NetMon Name Not applicable

Field Relationships
• Group
• Login
• Account
• Domain
• Object (disambiguation—policy was historically stored as object in some cases)

Common Applications
• Firewall
• Antivirus
• IDS/IPS

Application Tab 70
LogRhythm Schema Dictionary and Guide

• Directory
• Vulnerability scanners
• Audit tools
• Proxies
• IT management

Use Case
• Tracking group policy
• Correlating AV and vulnerability scanners
• Compliance
• Policy violations

MPE/Data Masking Manipulations


Not applicable.

Usage Standards
• Only store explicitly called out Policy values from log.
• You can store policy synonyms (for example, Standard).
• Capture the broadest policy if multiple different policy types are defined in the log.

Examples
• SourceFire IDS
10 02 2016 20:30:22 1.1.1.1 <LOC6:WARN> Oct  2 23:27:07 mtl-corp-sen-01 CORPvDC:
Protocol: TCP, SrcIP: 1.1.1.1, DstIP: 1.1.1.1, SrcPort: 54217, DstPort: 443,
TCPFlags: 0x0, IngressInterface: s1p6, EgressInterface: s1p5, IngressZone:
Ingress_CORP_recflow_FROM_NX, EgressZone: Egress_CORP_recflow_TO_ASA, DE:
Primary Detection Engine (f20ae1fc-2be2-22e3-9bcc-2222222222222), Policy:
RECFLOW_CORP_Sensor, ConnectType: End, AccessControlRuleName:
Rules_Inspection_CORP_RF_Log, AccessControlRuleAction: Allow, UserName: No
Authentication Required, Client: SSL client, ApplicationProtocol: HTTPS,
WebApplication: recflow, InitiatorPackets: 9, ResponderPackets: 9,
InitiatorBytes: 1017, ResponderBytes: 4258, NAPPolicy: RF_CORP_PREPROCESSORS,
DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown,
URLReputation: Risk unknown, URL: https://www.recordflow.biz

Policy is parsed here as it is explicitly called out. NAPPolicy can go unparsed as there is a broader
policy name field.

• Sourcefire IDS

Application Tab 71
LogRhythm Schema Dictionary and Guide

05 22 2014 06:12:49 1.1.1.1 <SLOG:ERRR> 2014-05-22 10:12:47.494


recmetric:SOURCE[recflow.Host4]:REC2604E:[ALARM] Policy[ForTheRecord-Media]
User[recflow\Domain Usersrecflowusers,Medium Mandatory Level@Mandatory Label...
\ercflow,Host4] Process[\SystemRoot\System32\Host2] Action[read_dir] Res[M:
\Media\QueryBuilder]  Effect[DENIED Code (1U,2U,3U,4U,5U,6U,7U,8U,9U,10U,11U,
12P,13P,14U,15U,16U,17A,18U,19M)]

ForTheRecord-Media parses into Policy as it is explicitly called out.

Application Tab 72
LogRhythm Schema Dictionary and Guide

Process ID
System or application process ID.

Data Type
Integer

Aliases
Use Alias

Client Console Full Name Process ID

Client Console Short Name Process ID

Web Console Tab/Name Process ID

Elasticsearch Field Name processId

Rule Builder Column Name ProcessID

Regex Pattern <processid>

NetMon Name Not applicable

Field Relationships
• Process Name
• Parent Process ID
• Parent Process Name
• Parent Process Path

Common Applications
Anything that tracks applications/processes.

Use Case
Identifying what is running on a system.

Application Tab 73
LogRhythm Schema Dictionary and Guide

MPE/Data Masking Manipulations


Not applicable.

Usage Standards
• Process ID should be the unique identifier (typically a PID).
• Store HEX representation by preference, but allow decimal if that's what log source provides.

Examples
• *nix
03 21 2014 10:13:00 1.1.1.1 <CLK1:INFO> crond[2596]: (root) CMD (/usr/lib64/sa/
sa1 1 1)

In *nix logs, the Process and ProcessID frequently follow the syslog facility and severity. In this case,
crond is followed by the ProcessID 2596 in square braces.

• Cb Response
08 30 2016 02:20:42 1.1.1.1 <USER:NOTE> LEEF:1.0|CB|CB|1.1.1.1623.1033|
watchlist.storage.hit.process|cb_server=cbserver      
cb_version=1.1.1.1623.1033 childproc_count=1   cmdline=C:\\Windows\\system32\
\cmd.exe /c ping provisionserver >nul 2>nul      crossproc_count=1  
filemod_count=0       host_type=workstation     
last_update=2016-08-30T08:02:01.670Z    modload_count=11      
netconn_count=0     os_type=windows    
parent_guid=11111111-0000-2010-01d2-0294ad4c889c parent_id=7575139489111111
parent_name=scsdiscovery.exe     parent_pid=8208      
parent_unique_id=222222222-0000-2010-01d2-0294ad4c889c-00000001       path=c:\
\windows\\syswow64\\cmd.exe     process_guid=222222-0000-097c-01d2-0294b431d3b1
process_id=2222222222222222       process_name=cmd.exe      
process_pid=2428       regmod_count=0      server_name=localhost.localdomain
start=2016-08-30T08:01:24.874Z       timestamp=1472548449.903  
type=watchlist.storage.hit.process      
unique_id=000001c3-0000-097c-01d2-0294b431d3b1-00000001    
username=SYSTEM       watchlist_155=2016-08-30T09:10:02.525745Z     
watchlist_id=155       watchlist_name=Command Line

Process_pid called out specifically.

Application Tab 74
LogRhythm Schema Dictionary and Guide

Process Name
System or application process described by log message.

Data Type
String

Aliases
Use Alias

Client Console Full Name Process

Client Console Short Name Process

Web Console Tab/Name Process Name

Elasticsearch Field Name process

Rule Builder Column Name Process

Regex Pattern <process>

NetMon Name Varies by protocol

Field Relationships
• Parent Process ID
• Parent Process Name
• Parent Process Path
• Process
• Process ID
• Object
• Object Name
• Object Type
• Session
• Session Type

Common Applications
Any application.

Application Tab 75
LogRhythm Schema Dictionary and Guide

Use Case
Monitoring timer jobs (for example, cron, or Windows scheduler).

MPE/Data Masking Manipulations


Not applicable.

Usage Standards
Process Name should contain the identified process (for example, PowerShell.exe).  

Examples
• Cb Response
08 30 2016 02:20:42 1.1.1.1 <USER:NOTE> LEEF:1.0|CB|CB|1.1.1.1623.1033|
watchlist.storage.hit.process|cb_server=cbserver      
cb_version=1.1.1.1623.1033 childproc_count=1   cmdline=C:\\Windows\\system32\
\cmd.exe /c ping provisionserver >nul 2>nul      crossproc_count=1  
filemod_count=0       host_type=workstation     
last_update=2016-08-30T08:02:01.670Z    modload_count=11      
netconn_count=0     os_type=windows    
parent_guid=22221c3-0000-2010-01d2-0294ad4c889c
parent_id=75751394892752222       parent_name=scsdiscovery.exe      
parent_pid=8208    
parent_unique_id=2222222-0000-2010-01d2-0294ad4c889c-00002222       path=c:\
\windows\\syswow64\\cmd.exe    
process_guid=000001c9-2222-097c-01d2-0294b431d3b1
process_id=000001c3-0000-097c-01d2-222222222   process_name=cmd.exe      
process_pid=2428    regmod_count=0      server_name=localhost.localdomain
start=2016-08-30T08:01:24.874Z timestamp=1472548449.903  
type=watchlist.storage.hit.process      
unique_id=000001c3-0000-097c-01d2-0294b431d3b1-00000001    
username=SYSTEM       watchlist_155=2016-08-30T09:10:02.525745Z     
watchlist_id=155       watchlist_name=Command Line

Process_name called out specifically.

• Windows Event Log – System


<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/
event'><System><Provider Name='Service Control Manager' Guid='{222222-
a6d7-4695-8e1e-26931d2012f4}' EventSourceName='Service Control Manager'/
><EventID Qualifiers='16384'>7036</EventID><Version>0</
Version><Level>Information</Level><Task>None</Task><Opcode></

Application Tab 76
LogRhythm Schema Dictionary and Guide

Opcode><Keywords>Classic</Keywords><TimeCreated
SystemTime='2016-08-01T08:58:46.675586600Z'/><EventRecordID>823261</
EventRecordID><Correlation/><Execution ProcessID='512' ThreadID='8508'/
><Channel>System</Channel><Computer> USABLDRRECFLOW01</Computer><Security/></
System><EventData><Data Name='param1'>Windows Error Reporting Service</
Data><Data Name='param2'>stopped</
Data><Binary>57006500720053007622222222031000000</Binary></EventData></Event>

Param1 in the 7036 event indicates the service (process) status.

• *nix
03 21 2014 10:13:00 1.1.1.1 <CLK1:INFO> crond[2596]: (root) CMD (/usr/lib64/sa/
sa1 1 1)

In *nix logs, the process frequently follows the syslog facility and severity, in this case Cron Daemon.

Application Tab 77
LogRhythm Schema Dictionary and Guide

Quantity
Quantity is a numeric integer count of something.

Data Type
Integer

Aliases
Use Alias

Client Console Full Name Quantity

Client Console Short Name Quantity

Web Console Tab/Name Quantity

Elasticsearch Field Name quantity

Rule Builder Column Name Quantity

Regex Pattern <quantity>

NetMon Name Not applicable

Field Relationships
• Amount
• Rate
• Size

Common Applications
Not heavily used. 

Use Case
Aggregated logs and UDLA queries for fraud detection.

MPE/Data Masking Manipulations

Application Tab 78
LogRhythm Schema Dictionary and Guide

Not applicable.

Usage Standards
• Not used for percentages.
• Not used for currency.
• Used to capture specific integer numbers.
• Use Quantity to represent numbers, and Amount to represent percentages.

Examples
• Unisys Stealth
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/
event'><System><Provider Name='StealthUI'/><EventID Qualifiers='0'>109</
EventID><Level>Information</Level><Task></Task><Keywords>Classic</
Keywords><TimeCreated SystemTime='2016-12-09T05:26:38.000000000Z'/
><EventRecordID>8449</EventRecordID><Channel>Application</Channel><Computer>psb-
stl-em.LRPMBD.local</Computer><Security/></System><EventData><Data>User query
for logs retrieved 19 records out of 1631 total records </Data></EventData></
Event>

Quantity indicates the number of logs retrieved.

Application Tab 79
LogRhythm Schema Dictionary and Guide

Rate
Defines a number per unit of time. Always expressed as a fraction.  

Data Type
Double

Aliases
Use Alias

Client Console Full Name Rate

Client Console Short Name Rate

Web Console Tab/Name Rate

Elasticsearch Field Name rate

Rule Builder Column Name Rate

Regex Pattern <rate>

NetMon Name Not applicable

Field Relationships
• Size
• Quantity
• Amount

Common Applications
Flow rate

Use Case
Determining frequency.

MPE/Data Masking Manipulations

Application Tab 80
LogRhythm Schema Dictionary and Guide

Not applicable.

Usage Standards
• Rarely used except where specifically called out as a rate.
• There is no quantifier of what the time is (second, minute, year, fortnight).

Examples
• SFlow Log
sFlow v5 AGENTIP=1.1.1.1 OPAQUE=flow_sample ENTERPRISE=0 FORMAT=2202
SAMPLENAME=AppOperation INPUTINTERFACE=21 OUTPUTINTERFACE=2 SAMPLEDATA=96
APPLICATION=_ OPERATION=_4 ATTRIBUTES=_ STATUS_DESC=TS REQ_BYTES=2323
RESP_BYTES=34343 USEC=12 STATUS=1 DETAILS=SubAgentId=0 AgentUpTime=142864
DatagramSequence=47998 SampleRate=16384 SamplePool=18939904

SampleRate could be a rate. SamplePool could be a size because it refers to the capacity of the
pool.

Application Tab 81
LogRhythm Schema Dictionary and Guide

Reason [7.2]
The justification for an action or result. 

This field is not available in LogRhythm versions earlier than 7.2.1.

Data Type
String

Aliases
Use Alias

Client Console Full Name Reason

Client Console Short Name Reason

Web Console Tab/Name Reason

Elasticsearch Field Name reason

Rule Builder Column Name Reason

Regex Pattern <reason>

NetMon Name Not applicable

Field Relationships
• Action
• Command
• Policy
• Result
• ResponseCode

Common Applications
Understanding why an action or command was executed, or why a result or ResponseCode was generated. 

Application Tab 82
LogRhythm Schema Dictionary and Guide

Use Case
• IDS/IPS
• Email filtering
• Firewall blocking
• Antivirus
• Vulnerability scanning

MPE/Data Masking Manipulations


Not applicable.

Usage Standards
• If the log explicitly calls out a policy, use policy instead.
• Reason should be free text. If it is an industry standard code use ResponseCode.
• Result should be used for what and Reason should be used for why.

Examples
• eSafe Email Security
05 01 2012 16:21:21 1.1.1.1 <LOC5:ERRR> eSafeCR: Alert from eSafe    Scan
result: SMTP error  Protocol: SMTP  File Name\Mail Subject:  Business Plan &
Financials  Source: 1.1.1.1  Destination: 1.1.1.1  Mail Sender:
Peter.Store@recordflow.biz  Mail Recipients: pete.store@recordflow.biz  Details:
Delivery Msg #911 - Email b0eeb3e8 NOT sent after multiple retries, likely
reason: 554 delivery error: dd This user doesn't have a recordflow.biz account
(pete.store@recordflow.biz) [0] - recordflow.biz. 

The Reason field (554) parses into ResponseCode because 554 is an SMTP response. The text after
could be parsed into Reason. Obtain other samples to determine whether there is a legitimate
pattern in the log.

• Alcatel-Lucent Wireless Controller


12 10 2012 09:08:56 1.1.1.1 <LOC1:DBUG> Dec 10 09:09:03 DAVE authmgr[1600]:
<124004> <DBUG> <DAVE-03 1.1.1.1>  Setting user 00:00:00:00:00:00 aaa profile to
default-dot1x, reason: bbq_set_aaa_profile_defaults

This is an assumed Policy, but additional logs and product knowledge is needed to confirm. There
would not be a Reason in this log because the reason is that it is policy.

• NetApp CIFS Security Audit Event Log

Application Tab 83
LogRhythm Schema Dictionary and Guide

04/11/2016 16:55 TYPE=FailureAudit USER= COMP=Computer SORC=Security CATG=Logon/


Logoff EVID=537 MESG=Logon Failure:        Reason:           An unexpected error
occurred during logon    User Name:  -     Domain:           -        Logon
Type: 3     Logon Process:    Data ONTAP        Authentication Package:   
Extended Security       Workstation Name: -     Status code:      -       
Substatus code:   -     Caller User Name: -     Caller Domain:    -       
Caller Logon ID:  -     Caller Process ID:      3170862     Transited
Services:   -     Source Network Address: 1.1.1.1     Source Port:      0       
Caller Process Name:

Logon failure is the event, and unexpected error parses into Reason.

Application Tab 84
LogRhythm Schema Dictionary and Guide

Response Code [7.2]


The explicit and well-defined response code for an action or command in a log. Response Code differs from
Result in that response code should be well structured and easily identifiable as a code.

This field is not available in LogRhythm versions earlier than 7.2.1.

Data Type
String

Aliases
Use Alias

Client Console Full Name Response Code

Client Console Short Name Response Code

Web Console Tab/Name Response Code

Elasticsearch Field Name responseCode

Rule Builder Column Name ResponseCode

Regex Pattern <responsecode>

NetMon Name Not applicable

Field Relationships
• Status
• Result
• Action
• Command
• VMID

Common Applications
• Web server
• Proxy

Application Tab 85
LogRhythm Schema Dictionary and Guide

• Mail server

Use Case
Anything that captures HTTP or SMTP traffic.

MPE/Data Masking Manipulations


Not applicable.

Usage Standards
• Response Code should be industry standard. If it is a vendor standard, use VMID.
• If the value is unstructured text, use Result instead.
• This supplants VMID completely for parsing HTTP and SMTP response codes. In other words, VMID should be tied
to a vendor while HTTP codes are an independent standard.
• This field can be extended to non-IT industry response codes. For example, credit card response codes if ATM or
POS logs are parsed, and ICS/SCADA-specific protocols. 

Examples
• IBM WebSphere DataPower Integration
03 23 2014 13:14:32 1.1.1.1 <USER:INFO> Mar 23 13:14:26USABLDRRECFLOW01
[Service_Router][mpgw][info] mpgw(Routing_Int_MPG): trans(1954389697)[1.1.1.1]:
HTTP response code 200 for 'https://1.1.1.1:54010/legacy/eg/aggregate'

200 parsed into Response code.

• Microsoft IIS
::1, Host1st@Host2, 8/25/2015, 15:25:43, W3SVC2, USABLDRRECFLOW01, ::1, 171,
327, 512, 500, 0, GET, /, |88|800a0009|Subscript_out_of_range:_'[number:_1]',

HTTP response code.

• Microsoft ActiveSync 2010


2012-08-26 00:07:52 1.1.1.1 GET /owa/1.1.1.1/scripts/premium/flogon.js - 443 -
1.1.1.1 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.1+(KHTML,
+like+Gecko)+Chrome/21.0.1180.83+Safari/537.1 304 0 0 281

HTTP response code from ActiveSync.

• Microsoft IIS SMTP

Application Tab 86
LogRhythm Schema Dictionary and Guide

2012-03-29 07:30:50 1.1.1.1 USABLDRRECFLOW01SMTPSVC1 CDESMTP 1.1.1.1 0 HELO -


+CDENETMON 250 0 55 14 0 SMTP - - - -

SMTP response code.

• Bluecoat Proxy
06 29 2015 14:26:18 1.1.1.1 <USER:NOTE> date=2015-06-29 time=19:25:57 time-
taken=65 c-ip=1.1.1.1 cs-username=- cs-auth-group=- x-exception-id=- sc-filter-
result=OBSERVED cs-categories="Technology/Internet" cs(Referer)=http://
www.amazon.com/Travel-Mattress-Healing-Magnetic-Cover/dp/B0029OMC6A cs-
status=500 s-action=TCP_NC_MISS cs-method=GET rs(Content-Type)=text/xml cs-uri-
scheme=http cs-host=fls-na.amazon.com cs-uri-port=80 cs-uri-path=/1/amazon-
clicks/1/OP cs-uri-query=?
requestId=1J6GGDGMDB10asdvasehQ2&childRequestId=152CJ96fgnfhjkjTW28Z5AP&widgetNa
me=variant_ads_below_fold&searchResultNumber=1&impressionRankOnAsin=3 cs-uri-
extension=- cs(User-Agent)=Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:
11.0) like Gecko s-ip=1.1.1.1 cs-bytes=1217 rs-bytes=293

Despite Status being the key, the value is an HTTP response code.

Application Tab 87
LogRhythm Schema Dictionary and Guide

Result [7.2]
Result is for the outcome of a command operation or action.  For example, the result of “quarantine" might
be "success."

This field is not available in LogRhythm versions earlier than 7.2.1.

Data Type
String

Aliases
Use Alias

Client Console Full Name Result

Client Console Short Name Result

Web Console Tab/Name Result

Elasticsearch Field Name result

Rule Builder Column Name Result

Regex Pattern <result>

NetMon Name Not applicable

Field Relationships
• Action. The Action should be what generated the result.
• Command. A Command could also be a generator of a result.
• Status. Status is similar to Result, but reserved for explicitly defined result values. Result is an outcome, whereas
a Status can be independent of the action. 

Common Applications
• Endpoint protection such as CarbonBlack or Cylance
• IDS/IPS 

Application Tab 88
LogRhythm Schema Dictionary and Guide

Use Case
• Determining whether an action or command succeeded or failed. Validating normal operational process.
• Monitoring backup processes to see if they were successful.

MPE/Data Masking Manipulations


Not applicable.

Usage Standards
• Result is the outcome of an occurence and should be tied to a command, action, or policy.
• Result should not contain industry standard response codes such as HTTP response codes.
• If given a choice, use VMID/Vendor Info if the log is just a message and not tied to an action/command. Use
Result if the log contains a clear action/command. For example, VMID/Vendor Info might be tied to "Attempted
quarantine" and the result might be "success.”
• Do not take result in the log literally. It could be a result, a VMID, or a status.

Examples
• F5 BIG-IP ASM
03 22 2012 14:19:54 a4eg01-1-admi <LOC1:NOTE> Mar 22 14:19:54 USABLDRRECFLOW01
local/ USABLDRRECFLOW01-1 notice apd[4096]: 01490102:5: de71deef: Access policy
result: Network_Access

Access policy result shows Network Access as the result of a policy being applied. Network Access
parses into Result.

• Vamsoft ORF
01 27 2013 18:54:25 1.1.1.1 <MAIL:INFO> Jan 27 18:52:57
fe80::1111:11e1:31111:dsfsd%13 ORFEE:
SRC:SMTPSVC-1,CLASS:Blacklist,ACT:Reject,FP: OnArrival,IP:1.1.1.1,SND:no-
reply@Host34,RCPT: pstore@Host2;agent414@Host2,TEXT:Email blacklisted by the SPF
test (sender forged per policy of "Host34", SPF result: Fail).

Fail or SPF Fail parses into Result, reject from the ACT field parses into Action, and Blacklist or
Sender Forged parses into Policy.

• Windows Event Log – Trend Micro AV


<Event xmlns='http://Host3/win/2004/08/events/event'><System><Provider
Name='Trend Micro OfficeScan Server'/><EventID Qualifiers='32773'>600</
EventID><Level>Warning</Level><Task>System</Task><Keywords>Classic</
Keywords><TimeCreated SystemTime='2016-07-26T22:37:03.000000000Z'/

Application Tab 89
LogRhythm Schema Dictionary and Guide

><EventRecordID>152848</EventRecordID><Channel>Application</
Channel><Computer>Host2</Computer><Security UserID='NT AUTHORITY\SYSTEM'/></
System><EventData>Virus/Malware: Unauthorized File Encryption
Endpoint: USABLDRRECFLOW01
Domain: safaware\
File: \\safaware\thinnerapp\lotusnotes\bin\lotus Host1
Date/Time: 7/26/2016 18:35:25
Result: Virus successfully detected, cannot perform the Quarantine action
</EventData></Event>

Showing result of AV scan and attempted remediation action to Quarantine.

• Cisco IDS/IPS
<evStatus eventId="1332222222222228024371874" vendor="Cisco" xmlns="http://
www.cisco.com/cids/2006/08/cidee">> USABLDRRECFLOW01</hostId><appName>mainApp</
appName><appInstanceId>1260</appInstanceId></originator><time offset="-300"
timeZone="GMT-06:00">1345793398595703000</
time><autoUpgradeServerCheck><uri>http://breon.moore@1.1.1.1//swc/esd/
06/273556262/contract/recordflowconsole.pkg</packageFileName><result
status="true"></result></autoUpgradeServerCheck></evStatus>

This is a Result instead of a Status because it represents an outcome of a task or operation. Status
represents a state independent of an operation being performed. AutoUpgradeServerCheck may
parse into Action.

Application Tab 90
LogRhythm Schema Dictionary and Guide

Session
Unique user or system session identifier.  

Data Type
String

Aliases
Use Alias

Client Console Full Name Session

Client Console Short Name Session

Web Console Tab/Name Session

Elasticsearch Field Name session

Rule Builder Column Name Session

Regex Pattern <session>

NetMon Name SessionID

Field Relationships
• Account
• Login
• SessionType
• Protname
• Protnum
• IP Address Fields
• Process
• ProcessID

Common Applications
• SSH
• Remote Desktop
• Telnet
• FTP

Application Tab 91
LogRhythm Schema Dictionary and Guide

• Web Application
• Shell
• Web Browser

Use Case
• NetMon session identifier.
• User session for a web session or computer session.
• Session ID for a VoIP call.
• Session record for a vulnerability scan.

MPE/Data Masking Manipulations


Not applicable.

Usage Standards
• Unique non-permanent identifier for a user/system session.
• Session Token identifier/number.
• Used for tracking activity associated with a session.
• Not ProcessID.

Examples
• Linux Host
10 15 2010 10:50:31 1.1.1.1 <SAU1:INFO> Oct 15 10:50:30 USABLDRRECFLOW01: [ID
702911 Host7] 700 Auth_method_success, Username: pete.store, Auth method:
keyboard-interactive, Session-Id: 10707

Session-ID parses into Session.

• Windows Event Log


<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/
event'><System><Provider Name='Microsoft-Windows-Security-Auditing'
Guid='{54849625-5478-4994-a5ba-22222222222}'/><EventID>4742</
EventID><Version>0</Version><Level>Information</Level><Task>Computer Account
Management</Task><Opcode>Info</Opcode><Keywords>Audit Success</
Keywords><TimeCreated SystemTime='2016-02-24T19:46:19.175040100Z'/
><EventRecordID>4814831973</EventRecordID><Correlation/><Execution
ProcessID='560' ThreadID='8892'/><Channel>Security</Channel><Computer>
USABLDRRECFLOW01</Computer><Security/></System><EventData><Data
Name='ComputerAccountChange'>-</Data><Data Name='TargetUserName'>
USABLDRRECFLOW01$</Data><Data Name='TargetDomainName'>SAFAWARE</Data><Data
Name='TargetSid'>SAFAWARE\ USABLDRRECFLOW01$</Data><Data
Name='SubjectUserSid'>NT AUTHORITY\ANONYMOUS LOGON</Data><Data

Application Tab 92
LogRhythm Schema Dictionary and Guide

Name='SubjectUserName'>ANONYMOUS LOGON</Data><Data Name='SubjectDomainName'>NT


AUTHORITY</Data><Data Name='SubjectLogonId'>0x3e6</Data><Data
Name='PrivilegeList'>-</Data><Data Name='SamAccountName'>-</Data><Data
Name='DisplayName'>-</Data><Data Name='UserPrincipalName'>-</Data><Data
Name='HomeDirectory'>-</Data><Data Name='HomePath'>-</Data><Data
Name='ScriptPath'>-</Data><Data Name='ProfilePath'>-</Data><Data
Name='UserWorkstations'>-</Data><Data Name='PasswordLastSet'>2/24/2016 12:46:19
PM</Data><Data Name='AccountExpires'>-</Data><Data Name='PrimaryGroupId'>-</
Data><Data Name='AllowedToDelegateTo'>-</Data><Data Name='OldUacValue'>-</
Data><Data Name='NewUacValue'>-</Data><Data Name='UserAccountControl'>-</
Data><Data Name='UserParameters'>-</Data><Data Name='SidHistory'>-</Data><Data
Name='LogonHours'>-</Data><Data Name='DnsHostName'>-</Data><Data
Name='ServicePrincipalNames'>-</Data></EventData></Event>

SubjectLogonID parses into Session. Used to track user activity from login to logout.

• Windows Event Log


<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/
event'><System><Provider Name='Microsoft-Windows-Security-Auditing'
Guid='{222222-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4624</EventID><Version>0</
Version><Level>Information</Level><Task>Logon</Task><Opcode>Info</
Opcode><Keywords>Audit Success</Keywords><TimeCreated
SystemTime='2016-02-09T00:45:00.703363000Z'/><EventRecordID>2269912024</
EventRecordID><Correlation/><Execution ProcessID='520' ThreadID='12080'/
><Channel>Security</Channel><Computer> USABLDRRECFLOW01</Computer><Security/></
System><EventData><Data Name='SubjectUserSid'>NT AUTHORITY\SYSTEM</Data><Data
Name='SubjectUserName'> USABLDRRECFLOW01$</Data><Data
Name='SubjectDomainName'>SAFAWARE</Data><Data Name='SubjectLogonId'>0x3e7</
Data><Data Name='TargetUserSid'>NT AUTHORITY\SYSTEM</Data><Data
Name='TargetUserName'>SYSTEM</Data><Data Name='TargetDomainName'>NT AUTHORITY</
Data><Data Name='TargetLogonId'>0x3e7</Data><Data Name='LogonType'>5</Data><Data
Name='LogonProcessName'>Advapi  </Data><Data
Name='AuthenticationPackageName'>Negotiate</Data><Data Name='WorkstationName'></
Data><Data Name='LogonGuid'>{00000000-0000-0000-0000-000000000000}</Data><Data
Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>-</Data><Data
Name='KeyLength'>0</Data><Data Name='ProcessId'>0x200</Data><Data
Name='ProcessName'>C:\Windows\System32\services.exe</Data><Data
Name='IpAddress'>-</Data><Data Name='IpPort'>-</Data></EventData></Event>

TargetLogonID is parsed instead of SubjectLogonID. Using Target because it is the initiation of a


new session that can be tracked separate from the initiator session. For example, Process Run As a
different user in Windows.

Application Tab 93
LogRhythm Schema Dictionary and Guide

Session Type [7.2]


The type of session described in the log (for example, console, CLI, or web). This field is free text.  

This field is not available in LogRhythm versions earlier than 7.2.1.

Data Type
String (128 characters)

Aliases
Use Alias

Client Console Full Name Session Type

Client Console Short Name Session Type

Web Console Tab/Name Session Type

Elasticsearch Field Name sessionType

Rule Builder Column Name SessionType

Regex Pattern <sessiontype>

NetMon Name Not applicable

Field Relationships
• See IANA Protocol Number and IANA Protocol Name
• Session
• Login
• Account
• Domain
• Process
• ProcessID
• Protname
• Protnum

Common Applications

Application Tab 94
LogRhythm Schema Dictionary and Guide

• Windows security log lists all types of sessions (logon type)


• Linux authentication methods

Use Case
Tracking how users are interacting with a system.

MPE/Data Masking Manipulations


Not applicable.

Usage Standards
• SessionType can exist without Session.
• Session can exist without a defined Session Type.

Examples
• Linux Host
10 15 2010 10:50:31 1.1.1.1 <SAU1:INFO> Oct 15 10:50:30 USABLDRRECFLOW01: [ID
702911 Host7] 700 Auth_method_success, Username: pete.store, Auth method:
keyboard-interactive, Session-Id: 10707

Keyboard-Interactive parses into Session Type.

• Windows Event Log


<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/
event'><System><Provider Name='Microsoft-Windows-Security-Auditing'
Guid='{2222222-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4624</
EventID><Version>0</Version><Level>Information</Level><Task>Logon</
Task><Opcode>Info</Opcode><Keywords>Audit Success</Keywords><TimeCreated
SystemTime='2016-02-09T00:45:00.703363000Z'/><EventRecordID>2269912024</
EventRecordID><Correlation/><Execution ProcessID='520' ThreadID='12080'/
><Channel>Security</Channel><Computer> USABLDRRECFLOW01</Computer><Security/></
System><EventData><Data Name='SubjectUserSid'>NT AUTHORITY\SYSTEM</Data><Data
Name='SubjectUserName'>USBO1PDC02$</Data><Data
Name='SubjectDomainName'>SAFAWARE</Data><Data Name='SubjectLogonId'>0x3e7</
Data><Data Name='TargetUserSid'>NT AUTHORITY\SYSTEM</Data><Data
Name='TargetUserName'>SYSTEM</Data><Data Name='TargetDomainName'>NT AUTHORITY</
Data><Data Name='TargetLogonId'>0x3e7</Data><Data Name='LogonType'>5</Data><Data
Name='LogonProcessName'>Advapi  </Data><Data
Name='AuthenticationPackageName'>Negotiate</Data><Data Name='WorkstationName'></
Data><Data Name='LogonGuid'>{00000000-0000-0000-0000-000000000000}</Data><Data
Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>-</Data><Data

Application Tab 95
LogRhythm Schema Dictionary and Guide

Name='KeyLength'>0</Data><Data Name='ProcessId'>0x200</Data><Data
Name='ProcessName'>C:\Windows\System32\services.exe</Data><Data
Name='IpAddress'>-</Data><Data Name='IpPort'>-</Data></EventData></Event>

LogonType parses into Session Type. Establishes the LogonID as a Service. Service session can be
tracked with Session 0x3e7.

Application Tab 96
LogRhythm Schema Dictionary and Guide

Size
Numeric description of capacity (for example, disk size). Size is best thought of as a limit rather than a
current measurement. Use Amount for non-specific measurements.

Data Type
Double

Aliases
Use Alias

Client Console Full Name Size

Client Console Short Name Size

Web Console Tab/Name Size

Elasticsearch Field Name size

Rule Builder Column Name Size

Regex Pattern <size>

NetMon Name Not applicable

Field Relationships
• Amount
• Quantity
• Rate
• [prefix]Bytes

Common Applications
• IT Operations (drive size)
• CPU usage (for example, threshold limit on a CPU alert)

Use Case

Application Tab 97
LogRhythm Schema Dictionary and Guide

Used in conjunction with other numeric tags such as bytes or megabytes, can show a disk capacity (<size>)
and the usage in <megabytes>.

MPE/Data Masking Manipulations


Not applicable.

Usage Standards
• Use size for capacity measures, use quantity, amount, or [prefix]bytes for measuring current value.
• If there is no label to an explicit size in the log, use <size> when the value is an integer.

Examples
• Threat Defense
07 18 2015 23:30:02 1.1.1.1 <LOC6:INFO> Jul 18 23:30:02 ATD-3000 ATD2ESM[26906]:
{"CPU Alert": {"CPU Usage":83.7, "CPU Threshold":75.0}}

Size could be based on the CPU Threshold. Amount could be used for the CPU Usage.

Application Tab 98
LogRhythm Schema Dictionary and Guide

Status [7.2]
The vendor's perspective on the state of a system, process, or entity. Status should not be used as the result
of an action. 

This field is not available in LogRhythm versions earlier than 7.2.1.

Data Type
String

Aliases
Use Alias

Client Console Full Name Status

Client Console Short Name Status

Web Console Tab/Name Status

Elasticsearch Field Name status

Rule Builder Column Name Status

Regex Pattern <status>

NetMon Name Not applicable

Field Relationships
• ResponseCode
• Action
• Command
• Process
• Result
• Policy

Common Applications
• Inventory trackers

Application Tab 99
LogRhythm Schema Dictionary and Guide

• SNMP analysis
• Heartbeat detection

Use Case
• IT operations
• Deployment monitors

MPE/Data Masking Manipulations


Not applicable.

Usage Standards
Status should refer to the state, not the result of an action. 

Examples
Correct Examples
• Elastic search – red/yellow/green
• Raid array – drive up/down
• Service monitoring – email server up/down

Incorrect Examples
• Cisco Secure ACS
06 06 2013 09:12:45 1.1.1.1 <LOC6:NOTE> Jun  6 09:12:45 USABLDRRECFLOW01
CSCOacs_TACACS_Accounting 0000817989 2 1  AuditSessionId=firemon:
1.1.1.1:tty1:1.1.1.1, Response={Type=Accounting; AcctReply-Status=Success; }

Accounting Status was Success, but this is a Result, not a Status.

• Tectia SSH Server


84479804 | 8/7/2013 4:00:23 AM | None | N/A | USABLDRRECFLOW01 | Information | 0
| SSH Tectia Server | 709 Publickey_auth_warning, Username:
MET_INTNET\SSHVRZCOMM, Algorithm: publickey, "Unknown key type for `d:
\transops\crit\sshusers\SSHBBQCOM\.ssh2\id_rsa_pub' (status: Key type given not
recognized).", Session-Id: 28172

Key value pair showing the status of the public key, but this should be a Reason not a Status.

• Windows Event Log

Application Tab 100


LogRhythm Schema Dictionary and Guide

<Event xmlns='http://Host1/win/2004/08/events/event'><System><Provider
Name='SQLSERVERAGENT'/><EventID Qualifiers='16384'>208</EventID><Level>Warning</
Level><Task>Job Engine</Task><Keywords>Classic</Keywords><TimeCreated
SystemTime='2015-07-23T18:20:39.000000000Z'/><EventRecordID>2042567</
EventRecordID><Channel>Application</Channel><Computer> USABLDRRECFLOW01</
Computer><Security/></System><EventData>SQL Server Scheduled Job 'LogRhythm
Sunday Maintenance' (0x7A222222222E72222F538A9DE038D2F3) - Status: Failed -
Invoked on: 2015-07-23 12:20:38 - Message: The job failed.  The Job was invoked
by User sa.  The last step to run was step 29 (LogRhythm Job Step Validation). 
The job was requested to start at step 29 (LogRhythm Job Step Validation).</
EventData></Event>

Showing a failed status for maintenance job. That is a Result, not a Status.

Application Tab 101


LogRhythm Schema Dictionary and Guide

Subject
Originally meant to be the subject of an email. In 7.2 schema, this field becomes a secondary "category" field
that can be used in several ways. 
Data Type
String (255 characters maximum)

Aliases
Use Alias

Client Console Full Name Subject

Client Console Short Name Subject

Web Console Tab/Name Subject

Elasticsearch Field Name subject

Rule Builder Column Name Subject

Regex Pattern <subject>

NetMon Name Not applicable

Field Relationships
• Email fields (if email) for context
• Look at VMID, Vendor Info, and other category fields before using Subject

Common Applications
• Proxies
• NGFW
• NetMon

Use Case
• Classifying traffic (for example, secondary family of http traffic destinations).
• Categorizing data within the log, not the actual log message (use VMID, Vendor Info instead).
• UEBA—sub category of anomaly type.

Application Tab 102


LogRhythm Schema Dictionary and Guide

MPE/Data Masking Manipulations


Not applicable.

Usage Standards
Use Subject as a category field only if another field is not more directly named (for example, Vendor Info). 

Incorrect Examples
• Microsoft Event Log
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/
event'><System><Provider Name='MetaFrameEvents'/><EventID
Qualifiers='49152'>10001</EventID><Level>Error</Level><Task>None</
Task><Keywords>Classic</Keywords><TimeCreated
SystemTime='2016-07-20T07:13:01.000000000Z'/><EventRecordID>5950393</
EventRecordID><Channel>Application</Channel><Computer> USABLDRRECFLOW01</
Computer><Security/></System><EventData>A usable server cannot be found on which
to launch the application. Application: Citrix AppCenter, Client:
USABLDRRECFLOW01 (address: 1.1.1.1;;;), User pete.store. Check your worker group
definitions and load balancing policies to verify appropriate servers are
assigned for Citrix AppCenter. </EventData></Event>

Based on the current standard this is incorrect; the above parses a description of the event into
Subject. The Vendor Info tag can supplant this usage. This needs to parse into Vendor Info.

• Another Microsoft Event Log


<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/
event'><System><Provider Name='MOVEit Central'/><EventID Qualifiers='32768'>3</
EventID><Level>Warning</Level><Task>None</Task><Keywords>Classic</
Keywords><TimeCreated SystemTime='2016-09-22T01:18:14.000000000Z'/
><EventRecordID>1325287</EventRecordID><Channel>Application</Channel><Computer>
USABLDRRECFLOW01</Computer><Security/></System><EventData>Task "Symitar Email
Notifications": Could not log task end: [Microsoft][SQL Server Native Client
10.0]Communication link failure</EventData></Event>

Subject is parsing the entire event data. This is too broad and makes any kind of normalization
impossible. This should be parsed into multiple fields including Object, Action, and Vendor Info.

• Blue Coat Proxy Log


2016-07-21 20:42:18 3148 1.1.1.1 http://www.amazon.com/Travel-Mattress-Healing-
Magnetic-Cover/dp/B0029OMC6A RCF\Internet_users 1.1.1.1 1.1.1.1 Unavailable -
Host3_exception DENIED "Spam;Malicious Outbound Data/Botnets;Scam/Questionable/

Application Tab 103


LogRhythm Schema Dictionary and Guide

Illegal" -  200 TCP_DENIED GET text/html;%20charset=UTF-8 http Host2 80 /Host1 -


ico "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
1.1.1.1 3323 260 - "none" "none" unavailable

Subject parsing out the web content category. This might be OK if Subject definition is broadened
to something more akin to category.

• Windows Application Event Log


<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider
Name='Microsoft-Windows-EventSystem' Guid='{899daace-4868-4295-afcd-9eb8fb497561}'
EventSourceName='EventSystem'/><EventID Qualifiers='32768'>4609</EventID><Version>0</
Version><Level>Warning</Level><Task>Event Service</Task><Opcode></
Opcode><Keywords>Classic</Keywords><TimeCreated
SystemTime='2016-10-21T14:39:07.000000000Z'/><EventRecordID>1919714</
EventRecordID><Correlation/><Execution ProcessID='0' ThreadID='0'/><Channel>Application</
Channel><Computer> USABLDRRECFLOW01</Computer><Security/></System><EventData><Data
Name='param1'>d:\recflow\com \security.cpp</Data><Data Name='param2'>75</Data><Data
Name='param3'>822706e5</Data></EventData></Event>

Return Code parses into Subject for lack of a better field. Response Code should be used for this
instead.

• Windows Application Event Log


<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/
event'><System><Provider Name='MsiInstaller'/><EventID Qualifiers='0'>11728</
EventID><Level>Information</Level><Task>None</Task><Keywords>Classic</
Keywords><TimeCreated SystemTime='2016-11-15T18:44:56.000000000Z'/
><EventRecordID>38096</EventRecordID><Channel>Application</Channel><Computer>
USABLDRRECFLOW01</Computer><Security UserID='SAFAWARE\pete.store/></
System><EventData><Data>Product: LogRhythm Console -- Configuration completed
successfully.</Data><Data>(NULL)</Data><Data>(NULL)</Data><Data>(NULL)</
Data><Data>(NULL)</Data><Data>(NULL)</Data><Data></
Data><Binary>7B38354632314132452D364144432D344638312D384545442111111111111303332
37357D</Binary></EventData></Event>

Another example of an event description in Subject. This could be parsed into Vendor Information.

• Windows Security Event Log


<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/
event'><System><Provider Name='Microsoft-Windows-Security-Auditing'
Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4656</
EventID><Version>1</Version><Level>Information</Level><Task>Removable Storage</

Application Tab 104


LogRhythm Schema Dictionary and Guide

Task><Opcode>Info</Opcode><Keywords>Audit Success</Keywords><TimeCreated
SystemTime='2016-02-23T00:34:58.244632600Z'/><EventRecordID>7148428</
EventRecordID><Correlation/><Execution ProcessID='504' ThreadID='512'/
><Channel>Security</Channel><Computer> USABLDRRECFLOW01</Computer><Security/></
System><EventData><Data Name='SubjectUserSid'>NT AUTHORITY\SYSTEM</Data><Data
Name='SubjectUserName'> USABLDRRECFLOW01$</Data><Data
Name='SubjectDomainName'>SAFAWARE</Data><Data Name='SubjectLogonId'>0x3e7</
Data><Data Name='ObjectServer'>Security</Data><Data Name='ObjectType'>File</
Data><Data Name='ObjectName'>\Device\Floppy0</Data><Data Name='HandleId'>0x328</
Data><Data Name='TransactionId'>{00000000-0000-0000-0000-000000000000}</Data></
EventData></Event>

Removeable Storage parses into Subject. Object and Object Name are in use already. Object Type
could be used in this instance, possibly rearranging use of Object and Object Name, as they are File
and \Device\Floppy0, respectively.

Application Tab 105


LogRhythm Schema Dictionary and Guide

URL
The URL referenced or impacted by activity reported in the log.
Data Type
String

Aliases
Use Alias

Client Console Full Name URL

Client Console Short Name URL

Web Console Tab/Name URL

Elasticsearch Field Name url

Rule Builder Column Name URL

Regex Pattern <url>

NetMon Name Not applicable

Field Relationships
• Domain (Domain Impacted)
• Domain Origin
• Session
• Response Code
• Protocol Number
• Protocol Name

Common Applications
• Proxy
• IDS/IPS
• Network monitoring
• Firewall
• Web servers/DNS

Application Tab 106


LogRhythm Schema Dictionary and Guide

Use Case
• Tracking user web activity.
• Tracking and comparing hostile domains with lists of known bad web domains.

MPE/Data Masking Manipulations


Data Masking is used for QNAME format URL (14)DB001560E6EBC5(9)soasdfgtu(3)com(0.

Usage Standards
Do not use the vendor's link to details, which parses into Vendor Info.

Examples
• Blue Coat Proxy
08 27 2011 19:00:00 1.1.1.1 <USER:NOTE> 2011-08-27 02:05:36 151 3.1.4.2 - - -
OBSERVED "Email" http://Host10.com/neo/launch?.rand=6upoddav8e6  204 TCP_NC_MISS
POST text/json http Host10 80 /neo/stat - - "Mozilla/4.0 (compatible; MSIE 8.0;
Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET
CLR 3.0.04506.30; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)"
1.1.1.1 492 1434 –

Highlighted URL from proxy log parses into URL.

• Windows DNS
11/21/2011 10:14:05 AM 0F8C PACKET  00000000089853C0 UDP Snd 1.1.1.1  fa93 R Q
[8385 A DR NXDOMAIN] A (14)HP001560E6EBC5(9)sonalysts(3)com(0)

(14)DB001560E6EBC5(9)soasdfgtu(3)com(0(14)DB001560E6EBC5(9)soasdfgtu(3)com(0 with length


octets. This is often a use case for data masking to replace the length octet with a period.

Application Tab 107


LogRhythm Schema Dictionary and Guide

User Agent [7.2]


The User Agent string from web server logs (for example, Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36).

This field is not available in LogRhythm versions earlier than 7.2.1.

Data Type
String (255 characters maximum)

Aliases
Use Alias

Client Console Full Name User Agent

Client Console Short Name User Agent

Web Console Tab/Name User Agent

Elasticsearch Field Name userAgent

Rule Builder Column Name UserAgent

Regex Pattern <useragent>

NetMon Name Not applicable

Field Relationships
• Full URL

Common Applications
• Web server logs
• Firewalls

Use Case
• Detecting malicious or malformed user agents.

Application Tab 108


LogRhythm Schema Dictionary and Guide

• Searching for user agents as IOCs.

MPE/Data Masking Manipulations


Not applicable.

Usage Standards
Parse the full user agent string into the field.

Examples
• Juniper SSLVPN
07 31 2007 10:24:57 1.1.1.1 <LOC6:INFO> SSLVPN: id=sslvpn sn=0006222222B74
time="2007-07-31 10:24:57" vp_time="2007-07-31 15:24:57 UTC" fw=1.1.1.1 pri=6
m=18 src=1.1.1.1 dst=1.1.1.1 user="pete.store" usr="pete.store"
msg="NetExtender" rule=access-policy proto=NetExtender agent="Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.1; SV1)"

Mozilla/4.0… parses into User Agent.

• MS IIS Web Log


10 30 2007 15:41:49 USABLDRRECFLOW01/1.1.1.1 <USER:NOTE> Oct 30 15:41:53
recflow/1.1.1.1 IISWebLog 3 2007-10-30 19:41:47 W3SVC414557987 recflow 1.1.1.1
POST /DataPHost2 - 443 - 1.1.1.1 HTTP/1.1 Mozilla/4.0+(compatible;
+MSIE+6.0;+Windows+5.2.3790.0;+MS+.NET+Remoting;+MS+.NET+CLR+1.1.4322.2407+) - -
Host1 200 0 0 2277 1993 0Full UserAgent string capture
• Bluecoat Proxy
2010-03-01 20:23:45 1 1.1.1.1 pete.store safaware\Domain%20Users - OBSERVED
"Sports/Recreation" http://espn.go.com/free-online-games/  200 TCP_HIT GET
image/jpeg http a.espncdn.com 80 /i/espnarcade/GOM/116x67_gom_touch.jpg - jpg
"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2; .NET CLR
2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR
3.0.4506.2152; .NET CLR 3.5.30729)" 1.1.1.1 4318 443 -

Application Tab 109


LogRhythm Schema Dictionary and Guide

Version
The software or hardware device version described in either the process, object, or entity.
Data Type
String

Aliases
Use Alias

Client Console Full Name Version

Client Console Short Name Version

Web Console Tab/Name Version

Elasticsearch Field Name version

Rule Builder Column Name Version

Regex Pattern <version>

NetMon Name Varies by protocol (most commonly ProtocolVersion)

Field Relationships
• Object (version describes object)
• Process (version describes process)
• Entity
• Host Fields
• User Agent (previously version was abused to contain user agent)

Common Applications
• Vulnerability scanners
• Virus scanners
• Asset inventory

Use Case

Application Tab 110


LogRhythm Schema Dictionary and Guide

If multiple versions are contained in log, the priority is to capture the version of the object of the log, not the
version of the product creating the log.

MPE/Data Masking Manipulations


Not applicable.

Usage Standards
Prioritize the version of an end object over the version of a product generating the log.

Examples
Correct Examples
• Cb Response
05 13 2016 19:56:26 1.1.1.1 <USER:NOTE> LEEF:1.0|CB|CB|5.1|
watchlist.storage.hit.binary|cb_server=cbserver cb_version=211
company_name=RecordFlow Technology Ltd. copied_mod_len=1022272
digsig_result=Unsigned digsig_result_code=2148204222 endpoint= USABLDRRECFLOW01|
2 file_desc=SysAid  Agent file_version=1.1.1.1 group=RecordFlow HQ host_count=1
internal_name=AgentStuffManager.dll is_64bit=true is_executable_image=false
last_seen=2016-05-14T02:49:18.142Z legal_copyright=© Copyright 2013 RecordFlow
Technologies Ltd. md5=59E0D058686BD35B0D5C02A4FD8BD0E0observed_filename=c:\
\program files\\sysaid\\agentstuffsmanager.dll orig_mod_len=1022976
original_filename=AgentstuffManager.dll os_type=Windows product_name=SysAid 
Agent product_version=1.1.1.1 server_added_timestamp=2016-05-14T02:49:18.142Z
server_name=localhost.localdomain timestamp=1463194218.586
type=watchlist.storage.hit.binary watchlist_4=2016-05-14T02:50:03.177584Z
watchlist_id=4 watchlist_name=Newly Loaded Modules

File version parses into Version. Cb_version is not parsed because the device sending the log is not
very useful.

• Windows Event Log


10/23/2007 10:07 AM TYPE= USER= Safaware\pete.store COMP= USABLDRRECFLOW01
SORC=BPService CATG=Authentication\Interactive EVID=1000 MESG=Biometric
authentication was performed.    Username: pete.store Domain: Safaware
Workstation: Safaware \ USABLDRRECFLOW01Security score: 75  Threshold: 30 
Enrollment client: BPDave  Authentication client: BPDave  Client version: 3.0 
AuthTag: 222222-dff3-4a70-b1940157ab9d2d22  Effective settings from: pete.store 
Keyboard:

Application Tab 111


LogRhythm Schema Dictionary and Guide

Client Version parses into Version. This could be useful for software auditing.

• CylanceProtect
Cylance08 24 2016 07:11:50 1.1.1.1 <SLOG:WARN> 1 2016-08-24T12:11:30.2394853Z
sysloghost CylancePROTECT - - - Event Type: Device, Event Name: SystemSecurity,
Device Name: USABLDRRECFLOW01, Agent Version: 1.2.1370.119, IP Address: (), MAC
Address: (), Logged On Users: (Safaware\pete.store), OS: Microsoft Windows 7
Enterprise Service Pack 1 x64 6.1.7601

Cylance Agent version parses into Version. This could be used for ensuring all agents are up to date.

Incorrect Examples
• Windows Event Log
4/3/2007 10:50 AM TYPE=FailureAudit USER=User1 COMP=Host1 SORC=Security
CATG=Detailed Tracking EVID=861 MESG=The Windows Firewall has detected an
application listening for incoming traffic.    Name: -  Path: D:
\stuff\jboss-3.2.3\bin\JavaSHost3  Process identifier: 5668  User account:
SYSTEM  User domain: NT AUTHORITY  Service: Yes  RPC server: No  IP version:
IPv4  IP protocol: TCP  Port number: 4087  Allowed: No  User notified: No

IP Version is not the kind of version needed.

• Windows Event Log


<Event xmlns='http://Host2/win/2004/08/events/event'><System><Provider
Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-
a5ba-3e3b0322g22d}'/><EventID>6272</EventID><Version>1</
Version><Level>Information</Level><Task>Network Policy Server</
Task><Opcode>Info</Opcode><Keywords>Audit Success</Keywords><TimeCreated
SystemTime='2010-06-01T21:40:38.228246300Z'/><EventRecordID>26101649</
EventRecordID><Correlation/><Execution ProcessID='452' ThreadID='1500'/
><Channel>Security</Channel><Computer>Host1</Computer><Security/></
System><EventData>Network Policy Server granted access to a user.    User:  
Security ID:   Safaware\pete.store   Account Name:   pete.store   Account
Domain:   UNR   Fully Qualified Account Name: UNR\rhickok    Client Machine:  
Security ID:   NULL SID   Account Name:   -   Fully Qualified Account Name: -  
OS-Version:   -   Called Station Identifier:  000B8222222   Calling Station
Identifier:  00000000000    NAS:   NAS IPv4 Address:  1.1.1.1   NAS IPv6
Address:  -   NAS Identifier:   -   NAS Port-Type:   Wireless - IEEE 802.11  
NAS Port:   0    RADIUS Client:   Client Friendly Name:  Aruba Controller 1  
Client IP Address:   1.1.1.1    Authentication Details:   Connection Request

Application Tab 112


LogRhythm Schema Dictionary and Guide

Policy Name: Use Windows authentication for all users   Network Policy Name: 
RCF WPA   Authentication Provider:  Windows   Authentication Server:  Host1  
Authentication Type:  MS-CHAPv2   EAP Type:   -   Account Session Identifier:  -
   Logging Results:   Accounting information was written to the local log
file.    Quarantine Information:   Result:    Full Access   Session
Identifier:   -  </EventData></Event>

OS-Version, if populated, would be more appropriate to parse.

Application Tab 113


LogRhythm Schema Dictionary and Guide

Kbytes/Packets Tab
Schema fields that are displayed in the Kybtes/Packets tab of the Web Console. All fields in this section are
polyfields:
• Host (Impacted) Kbytes Rcvd
• Host (Impacted) Kbytes Sent
• Host (Impacted) Kbytes Total
• Host (Impacted) Packets Rcvd
• Host (Impacted) Packets Sent
• Host (Impacted) Packets Total
These fields are calculated from source data that is parsed in fields with different names, different units, or
both.

Kbytes/Packets Tab 114


LogRhythm Schema Dictionary and Guide

[prefix] [Bits/Bytes] [blank/In/Out]


Parsing fields for the size in bytes of the object described in the log.
• bitsin • gigabitsin
• bitsout • gigabitsout
• bytesin • gigabytein
• bytesout • gigabyteout
• kilobitsin • terabitsin
• kilobitsout • terabitsout
• kilobytesin • terabytesin
• kilobytesout • terabytesout
• megabitsin • petabitsin
• megabitsout • petabitsout
• megabytein • petabytesin
• megabyteout • petabytesout

Data Type
Double

Aliases
Use Alias

Client Console Full Name Various

Client Console Short Name Various

Web Console Tab/Name Various

Elasticsearch Field Name Various

Rule Builder Column Name Various

Regex Pattern Various

NetMon Name Various

Field Relationships
Kbytes tab in the Web Console.

Kbytes/Packets Tab 115


LogRhythm Schema Dictionary and Guide

Common Applications
• Network flows
• File sizes

Use Case
Anything measurable in terms of bytes/bits.

MPE/Data Masking Manipulations


Normalized to bytes.

Usage Standards
• Only use once per log (enforced by Super User console).
• Use whichever prefex is the best possible match and let the MPE do the conversion.

Examples
• SQLServer 2012 Error Log
2013-08-01 14:13:23.35 Server      Detected 3839 MB of RAM. This is an
informational message; no user action is required.

Parse 3839 into MegaBytes.

• Adtran Switch
05 10 2014 22:23:57 1.1.1.1 <KERN:INFO> May 10 22:23:54 bbq22222 FIREWALL:
id=firewall time="2014-05-10 22:23:54" fw=BBQ2222 pri=6 rule=23 proto=53/udp
src=1.1.1.1 dst=1.1.1.1 msg="Connection timed out.Bytes transferred : 228 Src
62725 Dst 53 from Private policy-class on interface vlan 1" agent=AdFirewall

Indicating 228 bytes transferred out.

• BlackBerry Enterprise Server


<2013-03-28 15:32:39.268 EDT>:[20945]:<BBQ-BES01_1>:<INFO >:<LAYER = IPPP,
DEVICEPIN = 2ab20a5d, DOMAINNAME = USABLDRRECFLOW01, CONNECTION_TYPE =
DEVICE_CONN, ConnectionId = 1374706373, DURATION(ms) = 7465, MFH_KBytes = 3.479,
MTH_KBytes = 2.946, MFH_PACKET_COUNT = 7, MTH_PACKET_COUNT = 5>  

MFH is Kbytesout MTH is KBytesIn.

Kbytes/Packets Tab 116


LogRhythm Schema Dictionary and Guide

Packets [Total/In/Out]
Number of packets received by Impacted Host (in) or sent by Impacted Host (out) or captured in either
direction (total). Often stored in all three fields.

Data Type
Double

Aliases
Use Alias

Client Console Full Name Host (Impacted) Packets Rcvd


Host (Impacted) Packets Sent
Host (Impacted) Packets Total

Client Console Short Name Not applicable

Web Console Tab/Name Host (Impacted) Packets Rcvd


Host (Impacted) Packets Sent
Host (Impacted) Packets Total

Elasticsearch Field Name itemsPacketsIn


itemsPacketsOut
impactedHostTotalPackets

Rule Builder Column Name PacketsIn


PacketsOut

Regex Pattern <packetsin>


<packetsout>
<packets>

NetMon Name TotalPackets

Field Relationships

Kbytes/Packets Tab 117


LogRhythm Schema Dictionary and Guide

• Packets In/Out
• Items In/Out

Common Applications
Network traffic analysis.

Use Case
• Evaluating how much network traffic a given application generates.
• Measuring average packet size as an indicator of protocol abuse.

MPE/Data Masking Manipulations


Conversion to In/Out.

Usage Standards
Capture total packets if possible.

Examples
• Tectica SSH server
84540711 | 8/8/2013 1:40:01 AM | None | N/A | USABLDRRECFLOW01| Information | 0
| SSH Tectia Server | 1300 Channel inbound statistics, Username: uninitialized,
Session-Id: 29936, Channel Id: 0, Packet count: 15, Packet size: 127

Packet count should be Packets.

Kbytes/Packets Tab 118


LogRhythm Schema Dictionary and Guide

Classification Tab
This section contains the fields displayed in the Classification tab. These fields relate to metadata around
the log, focusing on adding context to the information in other tabs that are more descriptive of the object.
The following fields are on the Classification tab:
• CVE [7.2]
• Severity
• Threat ID [7.2]
• Threat Name [7.2]
• Vendor Info [7.2]
• Vendor Message ID
There are several polyfields and injected/configuration data in this section, including:
• Classification
• Common Event
• Priority
• Direction

Classification Tab 119


LogRhythm Schema Dictionary and Guide

CVE [7.2]
CVE ID (for example, CVE-1999-0003) from vulnerability scan data.

This field is not available in LogRhythm versions earlier than 7.2.1.

Data Type
String (64 characters maximum)

Aliases
Use Alias

Client Console Full Name Not applicable

Client Console Short Name Not applicable

Web Console Tab/Name Classification/CVE

Elasticsearch Field Name cve

Rule Builder Column Name CVE

Regex Pattern <cve>

NetMon Name Not applicable

Field Relationships
• Object (prior parsing for CVE)
• VMID (prior parsing for CVE)
• Threat Name
• VMID

Common Applications
• Vulnerability scanners
• F5
• Qualys
• IDS (Bro, Snort)

Classification Tab 120


LogRhythm Schema Dictionary and Guide

• NGFW (Palo Alto, CheckPoint)

Use Case
• Cross referencing threat feeds.
• Finding an entry point for an attack.
• Locating what is vulnerable to CVE and what is the impact if exposed.

MPE/Data Masking Manipulations


Not applicable.

Usage Standards
• Use most common format standard CVE-YYYY-#######.
• A malformed CVE can be represented as CVE-MAP-NOMATCH. Parse that as a valid CVE because that is what the
log message says.

Examples
• Symantec Endpoint Protection
05 23 2014 20:21:58 1.1.1.1 <LPTR:CRIT> May 23 20:07:35 SymantecServer
USABLDRRECFLOW01: USABLDRRECFLOW01,[SID: 27517] Attack: OpenSSL Heartbleed
CVE-2014-0160 3 attack blocked. Traffic has been blocked for this application:
SYSTEM,Local: 1.1.1.1,Local: 000000000000,Remote: ,Remote: 1.1.1.1,Remote:
000000000000,Inbound,TCP,Intrusion ID: 0,Begin: 2014-05-23 19:48:52,End:
2014-05-23 19:48:52,Occurrences: 1,Application: SYSTEM,Location: Coprorate
Network,User: pete.store,Domain: safaware,Local Port 443,Remote Port 52901,CIDS
Signature ID: 27517,CIDS Signature string: Attack: OpenSSL Heartbleed
CVE-2014-0160 3,CIDS Signature SubID: 73036,Intrusion URL: ,Intrusion Payload
URL:

CVE-2014-0160 parsed into CVE.

• Cb Response
05 18 2016 09:51:39 1.1.1.1 <USER:NOTE> LEEF:1.0|CB|CB|511|
feed.storage.hit.binary|
alliance_data_nvd=["10473","10472","10475","10470","10435"]      
alliance_link_nvd=http://web.nvd.nist.gov/view/vuln/detail?
vulnId\=CVE-2013-3353       alliance_score_nvd=100    
alliance_updated_nvd=2015-08-03T23:55:33.000Z       cb_server=cbserver 
cb_version=511      company_name=Adobe Systems Incorporated       computer_name=
USABLDRRECFLOW01  copied_mod_len=7790179     digsig_result=Unsigned      
digsig_result_code=2148204800    endpoint=[" USABLDRRECFLOW01|26","

Classification Tab 121


LogRhythm Schema Dictionary and Guide

USABLDRRECFLOW01|13"," USABLDRRECFLOW01|39"," USABLDRRECFLOW01|35","


USABLDRRECFLOW01|14"]       feed_id=13   feed_name=nvd file_desc=Adobe Acrobat
Annot Plug-In       file_version=1.1.1.1       group=RecordFlow HQ host_count=5
hostname= USABLDRRECFLOW01    ioc_attr={}  ioc_type=md5
ioc_value=4c6b53d9f75cb772e43f65960f905919       is_64bit=false     
is_executable_image=false  last_seen=2016-05-18T00:01:11.682Z      
legal_copyright=Copyright 1984-2012 Adobe Systems Incorporated and its
licensors. All rights reserved.    md5=59E0D058686BD35B0D5C02A4FD8BD0E0   
observed_filename=["c:\\program files (x86)\\adobe\\reader 11.0\\reader\
\plug_ins\\annots.api"]    orig_mod_len=7790179      
original_filename=Annot.api       os_type=Windows     product_name=Adobe Acrobat
Annot  product_version=1.1.1.1    report_id=10435     report_score=100   
sensor_id=14       server_added_timestamp=2016-05-17T15:26:48.469Z      
server_name=localhost.localdomain timestamp=1463589930.842      
type=feed.storage.hit.binary     watchlist_4=2016-05-17T15:30:03.182Z

CVE parsed into CVE field from URL (may not be sustainable). Not predictable enough to parse.

• ForcePoint
10 28 2016 15:22:15 1.1.1.1 <KERN:INFO> CEF:0|FORCEPOINT|Alert|unknown|278069|
HTTP_SHS-Microsoft-Windows-MHTML-Information-Disclosure-CVE-2011-0096-3|7|
spt=3811 destinationServiceName=HTTP deviceExternalId=Davestown node 2
dst=1.1.1.1 requestMethod=POST cat=Potential Compromise requestURL=Host2
app=tcp_service_5080 rt=Oct 28 2016 15:22:14 deviceFacility=Inspection
destinationTranslatedPort=5080 sourceTranslatedPort=3811
destinationTranslatedAddress=1.1.1.1 sourceTranslatedAddress=1.1.1.1 act=Permit
deviceOutboundInterface=2 proto=6 dpt=5080 src=1.1.1.1 dvc=1.1.1.1
dvchost=1.1.1.1 cs1Label=RuleId cs1=1073.1

CVE showing inline within CEF vendor info. Full header could be VMID or VendorInfo.

• McAfee Network Security Manager


03 27 2014 08:29:30 1.1.1.1 <SAU1:WARN> Mar 27 08:29:35 SyslogAlertForwarder:
2014-03-27 08:29:32 EDT!N/A!N/A!22222222222!0x4510fa00!Signature!Medium!Medium!
Unknown!Exploit!code-execution!Inbound!Inconclusive!1.1.1.1!1.1.1.1!80!24683!
http!tcp!BBQ!BBQ!Proxy Traffic (8A-8B)!signature!CVE-2013-3861!Not Forwarded!
Unknown!No error!Unknown!HTTP: JSON Parsing Vulnerability

CVE within exclamation delimiters.

Classification Tab 122


LogRhythm Schema Dictionary and Guide

Severity
The vendor's view of the severity or level of log message. 

Data Type
String

Aliases
Use Alias

Client Console Full Name Severity

Client Console Short Name Severity

Web Console Tab/Name Severity

Elasticsearch Field Name severity

Rule Builder Column Name Severity

Regex Pattern <severity>

NetMon Name Severity for alarms only

Field Relationships
• Status
• VMID
• Vendor Info
• ThreatID
• ThreatName

Common Applications
• Syslog reports severity in the format <loc0:info>, with info being the severity level.
• Windows Event Log severity

Use Case
• Anything that generates alarms or analyzes risk.

Classification Tab 123


LogRhythm Schema Dictionary and Guide

• Almost every log format has a severity.

MPE/Data Masking Manipulations


Multilingual logs might have severity in native language. Use masking to convert to standard English. (See
Windows logs, for example.)

Usage Standards
• Represent the severity the way the vendor/log source does in the clearest text way. Do not attempt to convert
0-5 to low/medium/high or red/yellow/green unless the vendor defines 0 = low.
• Do not misuse for level of confidence (for example, from an AV log).

Examples
• Windows Event Log
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/
event'><System><Provider Name='Microsoft-Windows-Security-Auditing'
Guid='{2222222-5478-4994-a5ba-3e3b0328c30d}'/><EventID>5058</
EventID><Version>0</Version><Level>Information</Level><Task>Other System
Events</Task><Opcode>Info</Opcode><Keywords>Audit Success</Keywords><TimeCreated
SystemTime='2016-02-02T00:24:23.559228400Z'/><EventRecordID>7670651176</
EventRecordID><Correlation/><Execution ProcessID='572' ThreadID='3136'/
><Channel>Security</Channel><Computer> USABLDRRECFLOW01</Computer><Security/></
System><EventData><Data Name='SubjectUserSid'>NT AUTHORITY\NETWORK SERVICE</
Data><Data Name='SubjectUserName'> USABLDRRECFLOW01$</Data><Data
Name='SubjectDomainName'>SAFAWARE</Data><Data Name='SubjectLogonId'>0x3e4</
Data><Data Name='ProviderName'>Microsoft Software Key Storage Provider</
Data><Data Name='AlgorithmName'>%%2432</Data><Data Name='KeyName'>le-
a1f08494-0ec3-4902-9d6c-caeeda9ce4f6</Data><Data Name='KeyType'>%%2499</
Data><Data Name='KeyFilePath'>C:
\ProgramData\Microsoft\Crypto\RSA\MachineKeys\222222222229530509a71f1</
Data><Data Name='Operation'>%%2458</Data><Data Name='ReturnCode'>0x0</Data></
EventData></Event>

<Level> tags in Windows indicate severity of the log message.

• Syslog - Apache Access Log


11 14 2013 17:19:04 1.1.1.1 <LOC5:INFO> Nov 14 22:19:04
USABLDRRECFLOW01access_http_log: [14/Nov/2013:22:19:04 +0000] 1.1.1.1 1.1.1.1
HTTP/1.1 "POST /foundation/getStandingsAjax.jsp HTTP/1.1" 2764 https://
www.recordflow.biz

Classification Tab 124


LogRhythm Schema Dictionary and Guide

Any Syslog message contains a header that indicates severity level.

• Syslog – Crowdstrike Falconhost CEF


12 14 2016 11:39:44 1.1.1.1 <USER:NOTE> CEF:0|CrowdStrike|FalconHost|1.0|
DetectionSummaryEvent|Detection Summary Event|2| externalID=222222222222222222
cn2Label=ProcessId cn2=148191318711589 cn1Label=ParentProcessId
cn1=148191316778231 shost=TheNarrowSea suser=IIS1$ msg=An administrative/
reconnaissance tool (xcopy.exe, ping.exe, tasklist.exe, ftp.exe, autoruns.exe)
was spawned under an IIS worker process. fname=systeminfo.exe filePath=\\Device\
\HarddiskVolume1\\Windows\\System32 cs1Label=CommandLine cs1=systeminfo
fileHash=59E0D058686BD35B0D5C02A4FD8BD0E0sntdom=TARGETNET
cs6Label=FalconHostLink cs6=https://falcon.crowdstrike.com/activity/detections/
detail/2222222222/2222222222 cn3Label=Offset cn3=1066147
deviceCustomDate1Label=ProcessStartTime deviceCustomDate1=2016-12-14 18:39:42

In this Syslog example, the Syslog severity is ignored in favor of the CEF format header which
includes its own severity level.

Classification Tab 125


LogRhythm Schema Dictionary and Guide

Threat ID [7.2]
The ID number of a threat when available from an IDS/IPS signature, endpoint protection, or firewall log.

This field is not available in LogRhythm versions earlier than 7.2.1.

Data Type
String

Aliases
Use Alias

Client Console Full Name Not applicable

Client Console Short Name Not applicable

Web Console Tab/Name Threat ID

Elasticsearch Field Name threatId

Rule Builder Column Name ThreatID

Regex Pattern <threatid>

NetMon Name Not applicable

Field Relationships
• Threat Name
• VMID
• Vendor Message
• Object
• Object Name
• Object Type
• Process
• Process ID

Common Applications

Classification Tab 126


LogRhythm Schema Dictionary and Guide

• IDS/IPS
• Vulnerability scanners
• Proxy

Use Case
Correlating threats.

MPE/Data Masking Manipulations


Not applicable.

Usage Standards
• Signatures
• Numeric or string identifiers for threats under different names

Examples
• Cisco IDS/IPS
<sd:evIdsAlert eventId="222222222" vendor="Cisco" severity="high"
xmlns:sd="http://example.org/2003/08/sdee">bhiips xmlns:cid="http://
www.cisco.com/cids/2006/08/cidee">sensorApp xmlns:cid="http://www.cisco.com/
cids/2006/08/cidee">9055 offset="-300"
timeZone="GMT-05:00">1232562570119108000</sd:time><sd:signature
description="MSSQL Resolution Service Stack Overflow" id="4703"
cid:version="S367" cid:type="other" cid:created="20000101" xmlns:cid="http://
www.cisco.com/cids/2006/08/cidee">0 sample truncated. 

Signature ID of a threat detectedeStreamer.

• eStreamer
LOGTYPE=INT_EVT_51_IPV4 R_ID=24105 R_REV=9 S_IP=1.1.1.1 S_PORT=58730
D_IP=1.1.1.1 D_PORT=8080 U_ID=0 U= R_NAME=MALWARE-OTHER HTTP POST request to a
GIF file CLASSIFICATION_ID=22 CLASSIFICATION=Detection of a Non-Standard
Protocol or Event PROT_NUM=6 PROT= ING_IF=s1p5 EG_IF=s1p1 BLOCKED=NotBlocked
MANAGED_DEV_ID=9 EVT_ID=263305 EVT_T=01/15/2015 20:42:56 GEN_ID=1 PRI_ID=2
PRI=medium IMPACT_FLAGS=MonitoredHost, MappedHost, ServerPortOrIp IMPACT=Orange
BBQ_LABEL=0 VLAN_ID=0 POL=Intrusion Policy - Corporate AP_PROT=HTTP
ACS_CTL_R=File Inspection Rule ACS_CTL_POL=Access Control Policy - CORPORATE
nnq_nnq_Z=Corporate EG_bbq_Z=OOB

Classification Tab 127


LogRhythm Schema Dictionary and Guide

R_ID=24105 is the Threat ID from this IDS signature log.

• Symantec Endpoint
05 22 2014 11:08:02 1.1.1.1 <LPTR:CRIT> May 22 10:55:13 SymantecServer
USABLDRRECFLOW01: USABLDRRECFLOW01,[SID: 25238] Fake App Attack: Misleading
Application Website attack blocked. Traffic has been blocked for this
application: \DEVICE\HARDDISKVOLUME1\PROGRAM
FILES\GOOGLE\CHROME\APPLICATION\CHROME.EXE,Local: 1.1.1.1,Local:
000000000000,Remote: ,Remote: 1.1.1.1,Remote: 000000000000,Inbound,TCP,Intrusion
ID: 0,Begin: 2014-05-22 10:53:42,End: 2014-05-22 10:53:42,Occurrences:
1,Application: /DEVICE/HARDDISKVOLUME1/PROGRAM FILES/GOOGLE/CHROME/APPLICATION/
CHROME.EXE,Location: Coprorate Network,User: Christina_McCloud,Domain:
INDY,Local Port 4295,Remote Port 80,CIDS Signature ID: 25238,CIDS Signature
string: Fake App Attack: Misleading Application Website,CIDS Signature SubID:
70185,Intrusion URL: pcfaster.info/usdown/?
sence=asdifas892nsndsafusaljnsxckad,Intrusion Payload URL:

SID is the signature ID of the detected threat.

Classification Tab 128


LogRhythm Schema Dictionary and Guide

Threat Name [7.2]


The name of a threat described in the log message (for example, malware, exploit name, or signature name).
Do not overload with Policy. 

This field is not available in LogRhythm versions earlier than 7.2.1.

Data Type
String

Aliases
Use Alias

Client Console Full Name Not applicable

Client Console Short Name Not applicable

Web Console Tab/Name Threat Name

Elasticsearch Field Name threatName

Rule Builder Column Name ThreatName

Regex Pattern <threatname>

NetMon Name Not applicable

Field Relationships
• Threat ID
• VMID
• Vendor Message
• Object
• Object Name
• Object Type
• Process
• ProcessID
• Policy
• Reason

Classification Tab 129


LogRhythm Schema Dictionary and Guide

Common Applications
• IDS/IPS
• Vulnerability scanners
• Proxy

Use Case
• Threat Name frequency for reporting.
• Identifying threats.

MPE/Data Masking Manipulations


Not applicable.

Usage Standards
• Signature names
• Malware names
• Vulnerability names
• Exploit names
• Can be used independently of Threat ID (for example, AV detections, or identifying malicious processes or
objects)

Examples
• Cisco IDS/IPS
<sd:evIdsAlert eventId="2222222222222" vendor="Cisco" severity="high"
xmlns:sd="http://example.org/2003/08/sdee">bhiips xmlns:cid="http://
www.cisco.com/cids/2006/08/cidee">sensorApp xmlns:cid="http://www.cisco.com/
cids/2006/08/cidee">9055 offset="-300"
timeZone="GMT-05:00">1232562570119108000</sd:time><sd:signature
description="MSSQL Resolution Service Stack Overflow" id="4703"
cid:version="S367" cid:type="other" cid:created="20000101" xmlns:cid="http://
www.cisco.com/cids/2006/08/cidee">0:...log sample truncated.

The description describes the threat indicated by signature ID 4703.

• Qualys Vulnerability Scanner


HOSTIP=1.1.1.1 HOSTNAME= USABLDRRECFLOW01HOSTOS=Linux 2.6 PORT= PROTOCOL=
QID=115731 DETECTIONTYPE=Potential STATUS=New FIRSTFOUND=2010-10-05 01:20:11Z
LASTFOUND=2010-10-05 01:20:11Z VULNERABILITY=Apache 1.3 and 2.0 Web Server
Multiple Vulnerabilities VULNERABILITYTYPE=Vulnerability or Potential
Vulnerability CATEGORY=Local SEVERITYLEVEL=3 PATCHABLE=1 KBLASTUPDATE=2010-09-13

Classification Tab 130


LogRhythm Schema Dictionary and Guide

18:52:19Z CVE=CVE-2006-5752(http://cve.mitre.org/cgi-bin/cvename.cgi?
name=CVE-2006-5752),CVE-2007-3304(http://cve.mitre.org/cgi-bin/cvename.cgi?
name=CVE-2007-3304)

Name of vulnerability.

• eStreamer
LOGTYPE=INT_EVT_51_IPV4 R_ID=24105 R_REV=9 S_IP=1.1.1.1 S_PORT=58730
D_IP=1.1.1.1 D_PORT=8080 U_ID=0 U= R_NAME=MALWARE-OTHER HTTP POST request to a
GIF file CLASSIFICATION_ID=22 CLASSIFICATION=Detection of a Non-Standard
Protocol or Event PROT_NUM=6 PROT= ING_IF=s1p5 EG_IF=s1p1 BLOCKED=NotBlocked
MANAGED_DEV_ID=9 EVT_ID=263305 EVT_T=01/15/2015 20:42:56 GEN_ID=1 PRI_ID=2
PRI=medium IMPACT_FLAGS=MonitoredHost, MappedHost, ServerPortOrIp IMPACT=Orange
MPLS_LABEL=0 VLAN_ID=0 POL=Intrusion Policy - Corporate AP_PROT=HTTP
ACS_CTL_R=File Inspection Rule ACS_CTL_POL=Access Control Policy - CORPORATE
ING_SEC_Z=Corporate BBQ_SEC_Z=OOB

R_NAME represents the signature ID (R_ID=24105) of the threat.

• Symantec Endpoint
05 22 2014 11:08:02 1.1.1.1 <LPTR:CRIT> May 22 10:55:13 SymantecServer
USABLDRRECFLOW01USABLDRRECFLOW01,[SID: 25238] Fake App Attack: Misleading
Application Website attack blocked. Traffic has been blocked for this
application: \DEVICE\HARDDISKVOLUME1\PROGRAM
FILES\GOOGLE\CHROME\APPLICATION\CHROME.EXE,Local: 1.1.1.1,Local:
000000000000,Remote: ,Remote: 1.1.1.1,Remote: 000000000000,Inbound,TCP,Intrusion
ID: 0,Begin: 2014-05-22 10:53:42,End: 2014-05-22 10:53:42,Occurrences:
1,Application: /DEVICE/HARDDISKVOLUME1/PROGRAM FILES/GOOGLE/CHROME/APPLICATION/
CHROME.EXE,Location: Coprorate Network,User: pete.store,Domain: safaware,Local
Port 4295,Remote Port 80,CIDS Signature ID: 25238,CIDS Signature string: Fake
App Attack: Misleading Application Website,CIDS Signature SubID: 70185,Intrusion
URL: recordflow.biz,Intrusion Payload URL:

“Fake App Attack: Misleading Application Website attack” is the name of the possible threat
detected of signature ID 25238.

Classification Tab 131


LogRhythm Schema Dictionary and Guide

Vendor Info [7.2]


Description of specific vendor log or event identifier for the log. Human readable elaboration that directly
correlates to the VMID.

This field is not available in LogRhythm versions earlier than 7.2.1.

Data Type
String

Aliases
Use Alias

Client Console Full Name Not applicable

Client Console Short Name Not applicable

Web Console Tab/Name Vendor Info

Elasticsearch Field Name vendorInfo

Rule Builder Column Name VendorInfo

Regex Pattern <vendorinfo>

NetMon Name Not applicable

Field Relationships
• VMID
• Subject

Common Applications
Any device that generates predetermined message types or categories that are differentiated by a brief
description or identification number.

Use Case

Classification Tab 132


LogRhythm Schema Dictionary and Guide

Understanding VMID for correlating events without depending on the rule name, common event/
classification.

MPE/Data Masking Manipulations


Not applicable.

Usage Standards
• To be used when VMID is present.
• To be used rarely when VMID is not present.
• Capturing long event descriptions such as a sentence.
• Not for subrules.

Examples
• Windows Event Log Security
<Event xmlns='http://Host2/win/2004/08/events/event'><System><Provider
Name='Microsoft-Windows-Security-Auditing' Guid='{2222222-5478-4994-
a5ba-3e3b0328c30d}'/><EventID>4663</EventID><Version>0</
Version><Level>Information</Level><Task>Kernel Object</Task><Opcode>Info</
Opcode><Keywords>Audit Success</Keywords><TimeCreated
SystemTime='2009-07-07T23:24:49.212Z'/><EventRecordID>451107</
EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='88'/
><Channel>Security</Channel><Computer> USABLDRRECFLOW01</Computer><Security/></
System><EventData>An attempt was made to access an object.
Subject:
   Security ID:        USABLDRRECFLOW01\Administrator
   Account Name:       Administrator
   Account Domain:            USABLDRRECFLOW01
   Logon ID:           0x2a9fe
Object:
   Object Server:      Security
   Object Type: SymbolicLink
   Object Name: \GLOBAL??\C:
   Handle ID:   0x3c0
Process Information:
   Process ID:  0x8d0
   Process Name: C:\Windows\Host10

Classification Tab 133


LogRhythm Schema Dictionary and Guide

Access Request Information:


   Accesses:    Use symbolic link               
   Access Mask: 0x1</EventData></Event>

Describes in human readable form what the event ID (VMID) translates to.

• CyberArk Privileged Threat Analytics


CEF:0|CyberArk|PTA|3.1|21|Suspected credentials theft|9|duser=pete.store dst=
USABLDRRECFLOW01cs2Label=eventID cs2=5b720c983420f5222222d
deviceCustomDate1Label=detectionDate deviceCustomDate1=1422836202000
cs3Label=link cs3=https://1.1.1.1/incidents/5b722222224979d

Suspected Credentials Theft describes VMID 21.

Classification Tab 134


LogRhythm Schema Dictionary and Guide

Vendor Message ID
The specific vendor log or event identifier for the log used to describe a type of event. 

Data Type
String

Aliases
Use Alias

Client Console Full Name Vendor Message ID

Client Console Short Name Vendor Message ID

Web Console Tab/Name Vendor Message ID

Elasticsearch Field Name vendorMessageId

Rule Builder Column Name VMID

Regex Pattern <vmid>

NetMon Name Not applicable

Field Relationships
• Vendor Information
• Threat Name
• Threat ID

Common Applications
Any device that generates predetermined message types or categories that are differentiated by a brief
description or identification number.

Use Case
Correlating events.

Classification Tab 135


LogRhythm Schema Dictionary and Guide

MPE/Data Masking Manipulations


Not applicable.

Usage Standards
• Describes or identifies an event type
• Sometimes human readable
• Usually numeric
• Can be used for subrules
• Indexed field, do not use subrule tags when making subrules off VMID
• Not for Response Codes
• Not for Threat IDs (signatures)
• Not Event Record ID

Examples
• Windows Event Log Security
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/
event'><System><Provider Name='Microsoft-Windows-Security-Auditing'
Guid='{222222222-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4624</
EventID><Version>0</Version><Level>Information</Level><Task>Logon</
Task><Opcode>Info</Opcode><Keywords>Audit Success</Keywords><TimeCreated
SystemTime='2016-02-09T00:45:00.703363000Z'/><EventRecordID>2269912024</
EventRecordID><Correlation/><Execution ProcessID='520' ThreadID='12080'/
><Channel>Security</Channel><Computer> USABLDRRECFLOW01</Computer><Security/></
System><EventData><Data Name='SubjectUserSid'>NT AUTHORITY\SYSTEM</Data><Data
Name='SubjectUserName'> USABLDRRECFLOW01$</Data><Data
Name='SubjectDomainName'>SAFAWARE</Data><Data Name='SubjectLogonId'>0x3e7</
Data><Data Name='TargetUserSid'>NT AUTHORITY\SYSTEM</Data><Data
Name='TargetUserName'>SYSTEM</Data><Data Name='TargetDomainName'>NT AUTHORITY</
Data><Data Name='TargetLogonId'>0x3e7</Data><Data Name='LogonType'>5</Data><Data
Name='LogonProcessName'>Advapi  </Data><Data
Name='AuthenticationPackageName'>Negotiate</Data><Data Name='WorkstationName'></
Data><Data Name='LogonGuid'>{00000000-0000-0000-0000-000000000000}</Data><Data
Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>-</Data><Data
Name='KeyLength'>0</Data><Data Name='ProcessId'>0x200</Data><Data
Name='ProcessName'>C:\Windows\System32\services.exe</Data><Data
Name='IpAddress'>-</Data><Data Name='IpPort'>-</Data></EventData></Event>

The Event ID number is the Vendor Message ID. Event Record ID is not Vendor Message ID. This
describes the individual instance of a log.

• Cisco ASA

Classification Tab 136


LogRhythm Schema Dictionary and Guide

02 03 2015 08:37:17 1.1.1.1 <LOC3:NOTE> :Feb 03 08:37:17 PST: %ASA-


session-5-302013: Built outbound TCP connection 1001222224 for outside:
1.1.1.1/80 (1.1.1.1/80) to shr-web-prod:1.1.1.1/58291 (1.1.1.1/58291)

For Cisco ASA and Cisco products generally, this is where the identifier for the type of event is kept.

• FireEye Web MPS


02 01 2016 17:13:19 1.1.1.1 <LOC4:WARN> fenotify-609081.warning: CEF:0|FireEye|
MPS|1.1.1.1875|IM|infection-match|1|rt=Feb 01 2016 23:13:10 UTC src=1.1.1.1
cn3Label=cncPort cn3=80 cn2Label=sid cn2=84575103 shost=
USABLDRRECFLOW01proto=tcp spt=51997 dst=1.1.1.1 cs5Label=cncHost cs5=1.1.1.1
dvchost= USABLDRRECFLOW01dvc=1.1.1.1 smac=00:00:00:00:00:00 cn1Label=vlan cn1=0
dpt=80 externalId=609081 cs4Label=link cs4=https://romaslcmp01.mayo.edu/
event_stream/events_for_bot?ev_id\=609081 act=blocked cs6Label=channel cs6=GET
THINGS dmac=00:00:00:00:00:00 cs1Label=sname cs1=Exploit.Kit.Angler

For FireEye Web MPS, and CEF messages generally, the type of event is described here in a human
readable form.

Classification Tab 137


LogRhythm Schema Dictionary and Guide

Host Tab
The Host Tab contains fields that help identify the impacted or origin host, such as IP, hostname, MAC
address, and so on.
The following fields are on the Host tab:
• DIP/DestinationIP/Impacted IP
• DIPv4
• DIPv6
• DIPv6E
• Impacted Hostname
• Impacted Hostname or IP
• Impacted Interface
• Impacted MAC Address
• Impacted NAT IP
• IP Address (Origin)
• Origin Hostname
• Origin Hostname or IP
• Origin Interface
• Origin MAC Address
• Origin NAT IP
• Serial Number [7.2]
• SIPv4
• SIPv6
• SIPv6E
Many fields in this tab are polyfields including:
• Host (Origin)
• Host (Impacted)
• IP Address (Origin)
• IP Address (Impacted)
• Hostname (Origin)
• Hostname (Impacted)
• Known Host (Origin)
• Known Host (Impacted)

Host Tab 138


LogRhythm Schema Dictionary and Guide

DIP/DestinationIP/Impacted IP
The host IP that was affected by the activity (for example, target or server). Destination IP in IPv4 or IPv6
format.

Data Type
IP

Aliases
Use Alias

Client Console Full Name Host (Impacted)

Client Console Short Name Not applicable

Web Console Tab/Name Host (Impacted)

Elasticsearch Field Name impactedIp

Rule Builder Column Name DIP

Regex Pattern <dip>

NetMon Name Not applicable

Field Relationships
• SIP • Origin NAT Port
• SIPv4 • Impacted Port
• SIPv6 • Impacted NAT Port
• SIPv6E • Origin MAC Address
• Origin Hostname • Impacted MAC Address
• Origin Hostname or IP • Origin Interface
• Origin NAT IP • Impacted Interface
• DIPv4 • Origin Domain
• DIPv6 • Impacted Domain
• DIPv6E • Origin Login
• Impacted Hostname • Impacted Account
• Impacted Hostname or IP • IANA Protocol Number
• Impacted NAT IP • IANA Protocol Name
• Origin Port

Host Tab 139


LogRhythm Schema Dictionary and Guide

Common Applications
Networked equipment

Use Case
Host context

MPE/Data Masking Manipulations


Polyfield – Impacted Host

Usage Standards
• Do not override/overload, use <dip> not (?<dip>.*?).
• Impacted is server (In Client-Server Model).
• Impacted is Target (In Attacker-Target Model).
• Use when you see an Impacted IP address IPv4 or IPv6, unless it is an IPv4 address mapped to IPv6, in which
case use <dipv6e>.

Examples
• FireEye Web MPS
02 01 2016 17:13:19 1.1.1.1 <LOC4:WARN> fenotify-609081.warning: CEF:0|FireEye|
MPS|1.1.1.1875|IM|infection-match|1|rt=Feb 01 2016 23:13:10 UTC src=1.1.1.1
cn3Label=cncPort cn3=80 cn2Label=sid cn2=84575103 shost=
USABLDRRECFLOW01proto=tcp spt=51997 dst=1.1.1.1 cs5Label=cncHost cs5=1.1.1.1
dvchost=romaslcmp01 dvc=1.1.1.1 smac=00:00:00:00:00:00 cn1Label=vlan cn1=0
dpt=80 externalId=609081 cs4Label=link cs4=THINGS dmac=00:00:00:00:00:00
cs1Label=sname cs1=Exploit.Kit.AnglerDIPv4

Src= in this instance is the host IP impacted by the infection match described in the log. (Attacker-
Target). Dst= is the command and control server and therefore the closest Origin (attacker) to be
inferred from the log.

• Brocade Switch
03 01 2017 02:08:41 1.1.1.1 <LOC6:NOTE> Mar  1 02:08:38
USABLDRRECFLOW01dataplane[2287]: fw rule INTERNAL-IN:10000 block udp(17) src=
USABLDRRECFLOW01/0:00:00:0a:ea:e8/fe80::e0c0:f0f0:e00c:2029(546) dst=/
22:22:2:1:0:2/ff22::2:2(547) len=159 hoplimit=1 len=119

Dst= IPv6 address following the MAC ID. Network context showing direction src->dst.

Host Tab 140


LogRhythm Schema Dictionary and Guide

DIPv4
Constituent element of <dip> for only IPv4 parsing (not generally used).

Data Type
IP

Aliases
Use Alias

Client Console Full Name Host (Impacted)

Client Console Short Name Not applicable

Web Console Tab/Name Host (Impacted)

Elasticsearch Field Name impactedIpV4

Rule Builder Column Name DIP

Regex Pattern <dipv4>

NetMon Name Not applicable

Field Relationships
• Nested element of <dip> default regex
• Cannot be used with <dipv6>

Common Applications
IPv4 only network equipment

Use Case
Use when parsing a log that only contains IPv4 addresses where the very small performance gain over the
standard DIP parsing field is necessary.

MPE/Data Masking Manipulations

Host Tab 141


LogRhythm Schema Dictionary and Guide

Polyfield – Impacted Host

Usage Standards
• This field is rarely used.
• Is redundant to <dip>.
• If you are 100% certain an IPv4 address will always appear.
• Only use if you need an extremely minute performance improvement.

Examples
• Trend Micro Deep Security
11 19 2014 08:21:12 10.100.6.64 <LOC0:INFO> Nov 19 03:25:07 USABLDRRECFLOW01
dsa_mpnp: REASON=IPv4_Packet HOSTID=230078 ACT=Deny IN=0C:0B:05:07:B0:05 OUT=
MAC=00:00:00:00:00:00:00:BE:00:00:00:0D:00:0d SRC=2.2.2.2 DST=1.1.1.1 LEN=86
PROTO=ICMP SPT=0 DPT=0 CNT=1

Host Tab 142


LogRhythm Schema Dictionary and Guide

DIPv6
Constituent element of <sip> for only IPv6 parsing (not generally used).

Data Type
IP

Aliases
Use Alias

Client Console Full Name Host (Impacted)

Client Console Short Name Not applicable

Web Console Tab/Name Host (Impacted)

Elasticsearch Field Name impactedIpV6

Rule Builder Column Name DIP

Regex Pattern <dipv6>

NetMon Name Not applicable

Field Relationships
<dipv6> is a nested element of <dip>

Common Applications
IPv6 only network equipment

Use Case
Use when parsing a log that only contains IPv6 addresses where the very small performance gain over the
standard DIP parsing field is necessary.

MPE/Data Masking Manipulations


Polyfield – Impacted Host

Host Tab 143


LogRhythm Schema Dictionary and Guide

Usage Standards
• This is rarely used.
• Is redundant to <dip>.
• If you are 100% certain an IPv4 address will always appear.
• Use if you need an extremely minute performance improvement.

Examples
• Trend Micro Deep Security
11 19 2014 08:21:12 10.100.6.64 <LOC0:INFO> Nov 19 03:25:07 USABLDRRECFLOW01
dsa_mpnp: REASON=IPv6_Packet HOSTID=230078 ACT=Deny IN=0C:0B:05:07:B0:05 OUT=
MAC=00:00:00:00:00:00:00:BE:00:00:00:0D:00:0d SRC=fe80:0:0:0:0cd0:000f:bd2f:000b
DST=ff01:0:0:0:0:0:0:1 LEN=86 PROTO=ICMPv6 SPT=0 DPT=0 CNT=1

DST= shows impacted IPv6 Address.

Host Tab 144


LogRhythm Schema Dictionary and Guide

DIPv6E
The Impacted IPv4 IP address that was mapped to (for example, target or server).

Data Type
IP

Aliases
Use Alias

Client Console Full Name Host (Impacted)

Client Console Short Name Not applicable

Web Console Tab/Name Host (Impacted)

Elasticsearch Field Name impactedIpV6

Rule Builder Column Name DIP

Regex Pattern <dipv6e>

NetMon Name Not applicable

Field Relationships
• SIP • Origin NAT Port
• SIPv4 • Impacted Port
• SIPv6 • Impacted NAT Port
• SIPv6E • Origin MAC Address
• Origin Hostname • Impacted MAC Address
• Origin Hostname or IP • Origin Interface
• Origin NAT IP • Impacted Interface
• DIP • Origin Domain
• DIPv4 • Impacted Domain
• DIPv6 • Origin Login
• Impacted Hostname • Impacted Account
• Impacted Hostname or IP • IANA Protocol Number
• Impacted NAT IP • IANA Protocol Name
• Origin Port

Host Tab 145


LogRhythm Schema Dictionary and Guide

Common Applications
Networked equipment

Use Case
Host context

MPE/Data Masking Manipulations


Polyfield – Origin Host

Usage Standards
• Do not override/overload, use <dipv6e> not (?<dipv6e>.*?).
• Impacted is Server (In Client-Server Model).
• Impacted is Target (In Attacker-Target Model).
• Use when you see an Impacted IPv4 address mapped to IPv6.

Examples
• Windows Event Log
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/
event'><System><Provider Name='Microsoft-Windows-Iphlpsvc'
Guid='{66a5c15c-4f8e-4044-bf6e-71d896038977}'/><EventID>4200</
EventID><Version>0</Version><Level>Information</Level><Task>None</
Task><Opcode>Info</Opcode><Keywords></Keywords><TimeCreated
SystemTime='2016-08-02T19:20:14.492842100Z'/><EventRecordID>5823520</
EventRecordID><Correlation/><Execution ProcessID='920' ThreadID='3936'/
><Channel>System</Channel><Computer> USABLDRRECFLOW01</Computer><Security
UserID='NT AUTHORITY\SYSTEM'/></System><EventData><Data Name='ProtocolType'>1</
Data><Data Name='Interface'>isatap.{f7eec065-6118-437c-8414-eeeeeeeeeeeee}</
Data><Data Name='Address'>fe80::5efe:1.1.1.1</Data></EventData></Event>

Impacted Address is IPv4 address mapped to IPV6. Traditional IP parsers do not work with this type
of address.

Host Tab 146


LogRhythm Schema Dictionary and Guide

Impacted Hostname
The host that was affected by the activity (for example, target or server).

Data Type
String

Aliases
Use Alias

Client Console Full Name Host (Impacted)

Client Console Short Name Not applicable

Web Console Tab/Name Host (Impacted)

Elasticsearch Field Name impactedName

Rule Builder Column Name DName

Regex Pattern <dname>

NetMon Name Not applicable

Field Relationships
• SIP • Origin NAT Port
• SIPv4 • Impacted Port
• SIPv6 • Impacted NAT Port
• SIPv6E • Origin MAC Address
• Origin Hostname • Impacted MAC Address
• Origin Hostname or IP • Origin Interface
• Origin NAT IP • Impacted Interface
• DIP • Origin Domain
• DIPv4 • Impacted Domain
• DIPv6 • Origin Login
• DIPv6E • Impacted Account
• Impacted Hostname or IP • IANA Protocol Number
• Impacted NAT IP • IANA Protocol Name
• Origin Port

Host Tab 147


LogRhythm Schema Dictionary and Guide

Common Applications
Networked equipment

Use Case
Host context

MPE/Data Masking Manipulations


Polyfield – Impacted Host

Usage Standards
• Impacted is Server (In Client-Server Model).
• Impacted is Target (In Attacker-Target Model).
• Can be used for parsing fully qualified domain names for non-world wide web context hostnames.

Examples
• Windows Event Log
<Event xmlns='http://Host2/win/2004/08/events/event'><System><Provider
Name='NETLOGON'/><EventID Qualifiers='0'>5805</EventID><Level></
Level><Task>None</Task><Keywords></Keywords><TimeCreated
SystemTime='2014-02-06T06:03:06.000000000Z'/><EventRecordID>156578</
EventRecordID><Channel>System</Channel><Computer> USABLDRRECFLOW01</
Computer><Security/></System><EventData>The session setup from the computer
USABLDRRECFLOW02failed to authenticate. The following error occurred:
Access is denied.</EventData></Event>

<Computer> is the origin of the log message here, but also the domain controller which the origin is
trying to authenticate against and is therefore impacted. Client-Server (origin-impacted)
relationship applies here. Computer client trying to authenticate is the origin of the request to the
server.

Host Tab 148


LogRhythm Schema Dictionary and Guide

Impacted Hostname or IP
The host that was affected by the activity (for example, target or server).

Data Type
• String
• IP

Aliases
Use Alias

Client Console Full Name Host (Impacted)

Client Console Short Name Not applicable

Web Console Tab/Name Host (Impacted)

Elasticsearch Field Name impactedName, impactedIp

Rule Builder Column Name Not applicable

Regex Pattern (<dipn>)

NetMon Name Not applicable

Field Relationships
• SIP • Origin NAT Port
• SIPv4 • Impacted Port
• SIPv6 • Impacted NAT Port
• SIPv6E • Origin MAC Address
• Origin Hostname • Impacted MAC Address
• Origin Hostname or IP • Origin Interface
• Origin NAT IP • Impacted Interface
• DIP • Origin Domain
• DIPv4 • Impacted Domain
• DIPv6 • Origin Login
• DIPv6E • Impacted Account
• Impacted Hostname • IANA Protocol Number
• Impacted NAT IP • IANA Protocol Name
• Origin Port

Host Tab 149


LogRhythm Schema Dictionary and Guide

Common Applications
Not applicable

Use Case
See DIP/DestinationIP/Impacted IP and Impacted Hostname.

MPE/Data Masking Manipulations


See DIP/DestinationIP/Impacted IP and Impacted Hostname.

Usage Standards
• Use when a log can contain either an IP or a hostname in the same location.
• Must be wrapped in parenthesis to function (<dipn>).
• Do not overload/override.

Examples
• Aruba Clear Pass
• 10 22 2015 16:23:22 1.1.1.1 <LOC1:INFO> 2015-10-22 16:23:22,956 [Th 12047 Req
8677508 SessId R0014aec9-06-5628c022] INFO  RadiusServer.Radius - rlm_ldap: found
user host/ USABLDRRECFLOW01com in AD:dc-del4-1.synapse.com
• 10 22 2015 13:58:51 1.1.1.1 <LOC1:INFO> 2015-10-22 13:58:51,299 [Th 7649 Req
1708827 SessId R00060774-01-5628c16b] INFO  RadiusServer.Radius - rlm_ldap:
searching for user 000000000 in AD:1.1.1.1

Server being queried (impacted) in log can be represented by an IP or a Hostname.

• Cisco Router
• 03 02 2009 11:26:27 ATC-CW2K <LOC0:CRIT> Mar  2 11:26:54 USABLDRRECFLOW01ITMGSC:
%local0-2-EVENT: 09$Partition=0]PartitionName=&)MODE=3;Alert ID=00061D0}Event
ID=001KMPZ|Status=Active^Severity=Critical^Managed Object=1.1.1.1^Managed Object
Type=Wireless^CUSTID=Security_Group^CUSTREV=*^Description=HighQueueDropRate::Comp
onent=IF-1.1.1.1/1 [Do0];Type=IEEE80211;OutputPacketNoErrorRate=0.11666667 
PPS;DuplexMode=FULLDUPLEX;InputPacketQueueDropRate=0.0125 
PPS;InputPacketQueueDropPct=48.07692 
%;MaxSpeed=54000000;OutputPacketQueueDropPct=0.0
• 03 02 2009 11:24:57 ATC-CW2K <LOC0:CRIT> Mar  2 11:25:24 USABLDRRECFLOW01 ITMGSC:
%local0-2-EVENT: 09$Partition=0]PartitionName=&)MODE=3;Alert ID=0002O5E}Event
ID=001KMPT|Status=Active^Severity=Critical^Managed Object=Host2^Managed Object
Type=Routers^CUSTID=Security_Group^CUSTREV=*^Description=Unresponsive::Component=
1.1.1.1 [Host2];IPStatus=OK;InterfaceName=IF-Host2/19 [Gi0/0.80] [1.1.1.1] [WAAS
INTERFACE];InterfaceType=L2VLAN;InterfaceOperStatus=UP;NetworkNumber=1.1.1.1;Inte
r

Host Tab 150


LogRhythm Schema Dictionary and Guide

In the above two logs Managed Object= can contain either a hostname or an IP address. In both
cases, the host/IP are impacted as the object being managed not the manager.

Host Tab 151


LogRhythm Schema Dictionary and Guide

Impacted Interface
The network port or interface which was affected by the activity (for example, target or server).

Data Type
String

Aliases
Use Alias

Client Console Full Name Interface (Impacted)

Client Console Short Name Not applicable

Web Console Tab/Name Interface (Impacted)

Elasticsearch Field Name impactedInterface

Rule Builder Column Name DInterface

Regex Pattern <dinterface>

NetMon Name Not applicable

Field Relationships
• SIP • Origin Port
• SIPv4 • Origin NAT Port
• SIPv6 • Impacted Port
• SIPv6E • Impacted NAT Port
• Origin Hostname • Origin MAC Address
• Origin Hostname or IP • Impacted MAC Address
• Origin NAT IP • Impacted Interface
• DIP • Origin Domain
• DIPv4 • Impacted Domain
• DIPv6 • Origin Login
• DIPv6E • Impacted Account
• Impacted Hostname • IANA Protocol Number
• Impacted Hostname or IP • IANA Protocol Name
• Impacted NAT IP

Host Tab 152


LogRhythm Schema Dictionary and Guide

Common Applications
• Switches
• Firewalls
• Network equipment

Use Case
Troubleshooting connectivity.

MPE/Data Masking Manipulations


Not applicable.

Usage Standards
• Impacted is Server (In Client-Server Model).
• Impacted is Target (In Attacker-Target Model).
• If you have more than just a port number (for example, a switch ID), capture full interface name including switch
ID.
• A Wireless Access Point can be an interface.

Examples
• Aerohive Access Point
05 28 2013 18:38:30 1.1.1.1 <LOC6:INFO> ah_auth: Notify driver to disassoc
2222:cccc:ffff from wifi1.3

Disassociation of client from access point where the AP is impacted server. The client-server (origin-
impacted) relationship applies.

• FortiGate
02 25 2010 13:56:25 1.1.1.1 <LOC5:ALRT> date=2010-02-25 time=13:56:25
devname=FG3222222222 device_id=FG22222222222 log_id=0419016384 type=ips
subtype=signature pri=alert fwver=040003 severity=critical carrier_ep="N/A"
profile="scan" src=1.1.1.1 dst=1.1.1.1 src_int="port1" dst_int="port2"
policyid=48 serial=1514122225 status=detected proto=6 service=2612/tcp
vd="root" count=1 src_port=80 dst_port=2612 attack_id=107347979
sensor="all_default" ref="http://Host1/ids/VID107347979" user="N/A" group="N/A"
incident_serialno=128862693 msg="http_decoder: HTTP.Request.Smuggling"

Firewall log showing a signature detection with interface destination (impacted). In this case, the
destination (impacted) is represented as destination from the Firewall perspective.

Host Tab 153


LogRhythm Schema Dictionary and Guide

Impacted MAC Address


The MAC Address that was affected by the activity.

Data Type
String

Aliases
Use Alias

Client Console Full Name MAC Address (Impacted)

Client Console Short Name Not applicable

Web Console Tab/Name MAC Address (Impacted)

Elasticsearch Field Name impactedMac

Rule Builder Column Name DMAC

Regex Pattern <dmac>

NetMon Name DestMAC

Field Relationships
• SIP • Origin Port
• SIPv4 • Origin NAT Port
• SIPv6 • Impacted Port
• SIPv6E • Impacted NAT Port
• Origin Hostname • Origin MAC Address
• Origin Hostname or IP • Origin Interface
• Origin NAT IP • Impacted Interface
• DIP • Origin Domain
• DIPv4 • Impacted Domain
• DIPv6 • Origin Login
• DIPv6E • Impacted Account
• Impacted Hostname • IANA Protocol Number
• Impacted Hostname or IP • IANA Protocol Name
• Impacted NAT IP

Host Tab 154


LogRhythm Schema Dictionary and Guide

Common Applications
• Firewall
• IDS/IPS
• Vulnerability scanners

Use Case
• Differentiating hosts and interfaces.
• Detecting MAC ID cloning.

MPE/Data Masking Manipulations


Not applicable.

Usage Standards
• Can be in any format of MAC address
• MM:MM:MM:SS:SS:SS
• MM-MM-MM-SS-SS-SS
• MMM.MMM.SSS.SSS
• MM MM MM SS SS SS
• Impacted is Server (In Client-Server Model)
• Impacted is Target (In Attacker-Target Model)

Examples
• FireEye Web MPS
02 01 2016 17:13:19 1.1.1.1 <LOC4:WARN> fenotify-609081.warning: CEF:0|FireEye|
MPS|1.1.1.1875|IM|infection-match|1|rt=Feb 01 2016 23:13:10 UTC src=1.1.1.1
cn3Label=cncPort cn3=80 cn2Label=sid cn2=84575103 shost=
USABLDRRECFLOW01proto=tcp spt=51997 dst=1.1.1.1 cs5Label=cncHost cs5=1.1.1.1
dvchost= USABLDRRECFLOW01dvc=1.1.1.1 smac=00:00:00:00:00:00 cn1Label=vlan cn1=0
dpt=80 externalId=609081 cs4Label=link cs4=THINGS dmac=00:00:00:00:00:00
cs1Label=sname cs1=Exploit.Kit.AnglerDIPv4

smac= in this log is the target MAC Address (impacted).

• Brocade Switch
03 01 2017 02:08:41 1.1.1.1 <LOC6:NOTE> Mar  1 02:08:38 ch3p1gw4
dataplane[2287]: fw rule INTERNAL-IN:10000 block udp(17)
src=dp0p160p1/0:50:56:9a:ea:e8/fe80::e9c4:f7f6:e72c:2029(546) dst=/33:33:0:1:0:2
/ff02::1:2(547) len=159 hoplimit=1 len=119

Host Tab 155


LogRhythm Schema Dictionary and Guide

dst= with a possible destination hostname followed by destination (impacted) MAC Address.

Host Tab 156


LogRhythm Schema Dictionary and Guide

Impacted NAT IP
The Impacted Network Address Translated IP address (for example, target or server).

Data Type
IP

Aliases
Use Alias

Client Console Full Name NAT IP Address (Impacted)

Client Console Short Name Not applicable

Web Console Tab/Name NAT IP Address (Impacted)

Elasticsearch Field Name impactedNatIp

Rule Builder Column Name DNATIP

Regex Pattern <dnatip>

NetMon Name Not applicable

Field Relationships
• SIP • Origin NAT Port
• SIPv4 • Impacted Port
• SIPv6 • Impacted NAT Port
• SIPv6E • Origin MAC Address
• Origin Hostname • Impacted MAC Address
• Origin Hostname or IP • Origin Interface
• Origin NAT IP • Impacted Interface
• DIP • Origin Domain
• DIPv4 • Impacted Domain
• DIPv6 • Origin Login
• DIPv6E • Impacted Account
• Impacted Hostname • IANA Protocol Number
• Impacted Hostname or IP • IANA Protocol Name
• Origin Port

Host Tab 157


LogRhythm Schema Dictionary and Guide

Common Applications
Network equipment

Use Case
Internal host context

MPE/Data Masking Manipulations


Polyfield – Impacted Host

Usage Standards
• Do not override/overload, use <dnatip> not (?<dnatip>.*?).
• NAT Impacted is Server (In Client-Server Model).
• NAT Impacted is Target (In Attacker-Target Model).
• Use when you see an Impacted IP address IPv4 or IPv6.

Examples
• Cisco Netflow
02 19 2014 06:40:29 NetFlow V9 CONN_ID=- Src=1.1.1.1 SPort=62173 InIfc=4
Dst=1.1.1.1 DPort=8080 OutIfc=3 Prot=6 ICMP_IPV4_TYPE=- ICMP_IPV4_CODE=-
XLATE_SRC_ADDR_IPV4=- XLATE_DST_ADDR_IPV4=- XLATE_SRC_PORT=- XLATE_DST_PORT=-
FW_EVENT=- FW_EXT_EVENT=- EVENT_TIME_MSEC=- IN_PERMANENT_BYTES=-
DETAILS=CONN_ID=1632431052 ICMP_IPV4_TYPE=0 ICMP_IPV4_CODE=0
XLATE_SRC_ADDR_IPV4=1.1.1.1 XLATE_DST_ADDR_IPV4=1.1.1.1 XLATE_SRC_PORT=61695
XLATE_DST_PORT=8080 FW_EVENT=2 FW_EXT_EVENT=2015 EVENT_TIME_MSEC=1392835229440
IN_PERMANENT_BYTES=8807 DefaultDevice TemplateID=263

XLATE-DST-ADDR (Translated) indicates an impacted IP (destination in a network context) that


utilizes Network Address Translation (NAT). SIP and DIP (Origin and Impacted) are indicated here
with src= and dst=.

Host Tab 158


LogRhythm Schema Dictionary and Guide

IP Address (Origin)
The IP address of the origin system. Often referred to as Source IP (in NetMon, Rule Builder and other parts
of the system). 

Data Type
• IP
• IPv4 in octets
• IPv6 (no support for CIDR or IPv6e)

Aliases
Use Alias

Client Console Full Name Host (Origin)

Client Console Short Name Not applicable

Web Console Tab/Name IP Address (Origin)

Elasticsearch Field Name originIp

Rule Builder Column Name SIP

Regex Pattern <sip>

NetMon Name SrcIP

Field Relationships
• SIPv4 • Origin NAT Port
• SIPv6 • Impacted Port
• SIPv6E • Impacted NAT Port
• Origin Hostname • Origin MAC Address
• Origin Hostname or IP • Impacted MAC Address
• Origin NAT IP • Origin Interface
• DIP • Impacted Interface
• DIPv4 • Origin Domain
• DIPv6 • Impacted Domain
• DIPv6E • Origin Login
• Impacted Hostname • Impacted Account
• Impacted Hostname or IP • IANA Protocol Number

Host Tab 159


LogRhythm Schema Dictionary and Guide

• Impacted NAT IP • IANA Protocol Name


• Origin Port

Common Applications
Everything that communicates through a network.

Use Case
Indicating the host relationship to the log message—for example, if it is an origin threat, impacted by a
threat, the client, or the server.

MPE/Data Masking Manipulations


Polyfield – Origin Host

Usage Standards
• Do not override/overload, use <sip> not (?<sip>.*?).
• Origin is Client (In Client-Server Model).
• Origin is Attacker (In Attacker-Target Model).
• Use when you see an Origin IP address IPv4 or IPv6, unless it is an IPv4 address mapped to IPv6, in which case
use <sipv6e>.

Examples
• Office 365
TS=2016-10-20T20:22:23 SESSID=8b157afd-eb80-45e4-926f-222222222
COMMAND=AnonymousLinkUsed USERTYPE=Regular USERKEY=anonymous WORKLOAD=SharePoint
RESULTCODE= OBJECT= https://www.recordflow.biz /Shared Documents/
abuse_ch_copy.txt USER=anonymous SIP=1.1.1.1 ITEMTYPE=File
EVENTSOURCE=SharePoint USERAGENT=Mozilla/5.0 (Windows NT 6.3; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36 DOMAIN=
FILENAME= DESTINATION= DESTINATIONFILENAME= USERSHAREDWITH= SHARINGTYPE=
MODIFIEDPROPERTIES=

SIP (IPv4) in this case is Origin (source) connecting to O365 Cloud service. Client-Server are Origin-
Impacted in this context.

• LogBinder
Jun 11 14:53:48 1.1.1.1 25000 LOGbinder EX|2.0|success|
2014-06-11T14:53:48.0000000-05:00|Undocumented Exchange mailbox operation|
name="occurred" label="Occurred" value="6/11/2014 2:53:48 PM"|name="operation"
label="Operation" value=""|name="result" label="Result" value="Succeeded"|

Host Tab 160


LogRhythm Schema Dictionary and Guide

name="originatingserver" label="Originating Server" value=" USABLDRRECFLOW01


(14.02.0341.000)"|name="mailboxguid" label="Mailbox GUID"
value="9db94f90-2222-2222-b6c8-48200020026f"|name="mailboxowner" label="Mailbox
Owner" value="n/a"|name="mailboxownerupn" label="Mailbox Owner UPN"
value="pete.store@recordflow.biz"|name="mailboxownersid" label="Mailbox Owner
SID" value="S-1-5-21-2141518605-3280587107-2299868870-500"|name="folderid"
label="Folder ID" value="n/a"|name="foldername" label="Folder Name" value="\
\Inbox"|name="performedusername" label="Performed User Name"
value="Administrator"|name="performedusersid" label="Performed User SID"
value="S-1-5-21-222222222222-3280587107-2299868870-500"|
name="performedlogontype" label="Performed Logon Type" value="Owner"|
name="clientinfo" label="Client Info" value="Client\=OWA"|name="clientipaddress"
label="Client IP Address" value="fe80::b000:00c0:e000:f00e%00"|
name="clientprocessname" label="Client Process Name" value="n/a"|
name="clientversion" label="Client Version" value="n/a"|name="additionalinfo"
label="Additional Information" value="Owner\= [Administrator]; LastAccessed\=
[2013-03-06T04:41:48.0670508-05:00];"

IPv6 address for client. Client-Server are Origin-Impacted in this context.

Host Tab 161


LogRhythm Schema Dictionary and Guide

Origin Hostname
The hostname from which activity originated (for example, attacker or client).

Data Type
String

Aliases
Use Alias

Client Console Full Name Host (Origin)

Client Console Short Name Not applicable

Web Console Tab/Name Host (Origin)

Elasticsearch Field Name originHostName

Rule Builder Column Name SName

Regex Pattern <sname>

NetMon Name Not applicable

Field Relationships
• SIP • Origin NAT Port
• SIPv4 • Impacted Port
• SIPv6 • Impacted NAT Port
• SIPv6E • Origin MAC Address
• Origin Hostname or IP • Impacted MAC Address
• Origin NAT IP • Origin Interface
• DIP • Impacted Interface
• DIPv4 • Origin Domain
• DIPv6 • Impacted Domain
• DIPv6E • Origin Login
• Impacted Hostname • Impacted Account
• Impacted Hostname or IP • IANA Protocol Number
• Impacted NAT IP • IANA Protocol Name
• Origin Port

Host Tab 162


LogRhythm Schema Dictionary and Guide

Common Applications
Networked equipment.

Use Case
Host context

MPE/Data Masking Manipulations


Polyfield – Origin Host

Usage Standards
• Origin is Client (In Client-Server Model).
• Origin is Attacker (In Attacker-Target Model).
• Can be used for parsing fully qualified domain names for non-world wide web context hostnames.

Examples
• Windows Event Log
<Event xmlns='http://Host2/win/2004/08/events/event'><System><Provider
Name='NETLOGON'/><EventID Qualifiers='0'>5805</EventID><Level></
Level><Task>None</Task><Keywords></Keywords><TimeCreated
SystemTime='2014-02-06T06:03:06.000000000Z'/><EventRecordID>156578</
EventRecordID><Channel>System</Channel><Computer> USABLDRRECFLOW01</
Computer><Security/></System><EventData>The session setup from the computer
USABLDRRECFLOW02 failed to authenticate. The following error occurred:
Access is denied.</EventData></Event>

Origin Host is the system trying to authenticate. <Computer> is the origin of the log message here,
but also the domain controller which the origin is trying to authenticate against. Client-Server
(origin-impacted) relationship applies here.

Host Tab 163


LogRhythm Schema Dictionary and Guide

Origin Hostname or IP
The hostname or IP from which activity originated (for example, attacker or client).

Data Type
• String
• IP

Aliases
Use Alias

Client Console Full Name Host (Origin)

Client Console Short Name Not applicable

Web Console Tab/Name Host (Origin)

Elasticsearch Field Name originName, originIp

Rule Builder Column Name SIP, SName

Regex Pattern (<sipn>)

NetMon Name Not applicable

Field Relationships
• SIP • Origin NAT Port
• SIPv4 • Impacted Port
• SIPv6 • Impacted NAT Port
• SIPv6E • Origin MAC Address
• Origin Hostname • Impacted MAC Address
• Origin NAT IP • Origin Interface
• DIP • Impacted Interface
• DIPv4 • Origin Domain
• DIPv6 • Impacted Domain
• DIPv6E • Origin Login
• Impacted Hostname • Impacted Account
• Impacted Hostname or IP • IANA Protocol Number
• Impacted NAT IP • IANA Protocol Name
• Origin Port

Host Tab 164


LogRhythm Schema Dictionary and Guide

Common Applications
See IP Address (Origin) and Origin Hostname.

Use Case
See IP Address (Origin) and Origin Hostname.

MPE/Data Masking Manipulations


See IP Address (Origin) and Origin Hostname.

Usage Standards
• Use when a log can contain either an IP or a hostname in the same location.
• Must be wrapped in parenthesis to function (<sipn>).
• Do not overload or override.

Examples
• Windows Event Log
• <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/
event'><System><Provider Name='Microsoft-Windows-Time-Service'
Guid='{06edcfeb-0fd0-4e53-acca-a6f8bbf81bcb}'/><EventID>37</EventID><Version>0</
Version><Level>Information</Level><Task>None</Task><Opcode>Info</
Opcode><Keywords></Keywords><TimeCreated
SystemTime='2016-08-02T19:21:10.521541000Z'/><EventRecordID>5823536</
EventRecordID><Correlation/><Execution ProcessID='968' ThreadID='6580'/
><Channel>System</Channel><Computer> USABLDRRECFLOW01</Computer><Security
UserID='NT AUTHORITY\LOCAL SERVICE'/></System><EventData
Name='TMP_EVENT_TIME_SOURCE_REACHABLE'><Data Name='TimeSource'> USABLDRRECFLOW01
(ntp.d|1.1.1.1:123->1.1.1.1:123)</Data></EventData></Event>
• <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/
event'><System><Provider Name='Microsoft-Windows-Time-Service'
Guid='{06edcfeb-0fd0-4e53-acca-a6f8bbf81bcb}'/><EventID>37</EventID><Version>0</
Version><Level>Information</Level><Task>None</Task><Opcode>Info</
Opcode><Keywords></Keywords><TimeCreated
SystemTime='2016-09-10T02:47:47.934071900Z'/><EventRecordID>534913</
EventRecordID><Correlation/><Execution ProcessID='1008' ThreadID='7908'/
><Channel>System</Channel><Computer> USABLDRRECFLOW01</Computer><Security
UserID='NT AUTHORITY\LOCAL SERVICE'/></System><EventData
Name='TMP_EVENT_TIME_SOURCE_REACHABLE'><Data Name='TimeSource'>1.1.1.1,0x8
(ntp.m|0x8|1.1.1.1:123->1.1.1.1:123)</Data></EventData></Event>

TimeSource can either be an IP or a hostname in these examples.

Host Tab 165


LogRhythm Schema Dictionary and Guide

Origin Interface
The network port or interface from which the activity originated (for example, attacker or client).

Data Type
String

Aliases
Use Alias

Client Console Full Name Interface (Origin)

Client Console Short Name Not applicable

Web Console Tab/Name Interface (Origin)

Elasticsearch Field Name originInterface

Rule Builder Column Name sinterface

Regex Pattern <sinterface>

NetMon Name Not applicable

Field Relationships
• SIP • Origin Port
• SIPv4 • Origin NAT Port
• SIPv6 • Impacted Port
• SIPv6E • Impacted NAT Port
• Origin Hostname • Origin MAC Address
• Origin Hostname or IP • Impacted MAC Address
• Origin NAT IP • Impacted Interface
• DIP • Origin Domain
• DIPv4 • Impacted Domain
• DIPv6 • Origin Login
• DIPv6E • Impacted Account
• Impacted Hostname • IANA Protocol Number
• Impacted Hostname or IP • IANA Protocol Name
• Impacted NAT IP

Host Tab 166


LogRhythm Schema Dictionary and Guide

Common Applications
• Switches
• Firewalls
• Network equipment

Use Case
Troubleshooting connectivity.

MPE/Data Masking Manipulations


Not applicable.

Usage Standards
• Origin is Client (In Client-Server Model).
• Origin is Attacker (In Attacker-Target Model).
• If you have more than just a port number (for example, a switch ID), capture full interface name including switch
ID.
• A Wireless Access Point can be an interface.

Examples
• FortiGate
02 25 2010 13:56:25 1.1.1.1 <LOC5:ALRT> date=2010-02-25 time=13:56:25
devname=FG322222222222222 device_id=FG2222222222 log_id=0419016384 type=ips
subtype=signature pri=alert fwver=040003 severity=critical carrier_ep="N/A"
profile="scan" src=1.1.1.1 dst=1.1.1.1 src_int="port1" dst_int="port2"
policyid=48 serial=23455436 status=detected proto=6 service=2612/tcp vd="root"
count=1 src_port=80 dst_port=2612 attack_id=107347979 sensor="all_default"
ref="http://Host1/ids/VID107347979" user="N/A" group="N/A"
incident_serialno=128862663 msg="http_decoder: HTTP.Request.Smuggling"

Firewall log showing a signature detection with interface src (origin). In this case, the possible
attacker (origin) is represented as source from the Firewall perspective.

• Squid Proxy
2014/05/01 10:45:29| Accepting  spoofing HTTP connections at 1.1.1.1:3128, FD
14.

Connection origin showing IP and corresponding interface.

• Juniper Firewall

Host Tab 167


LogRhythm Schema Dictionary and Guide

08 23 2016 09:56:43 1.1.1.1 <USER:INFO> 1 2016-08-23T14:56:42.429Z


USABLDRRECFLOW01 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@1.1.1.1.2.40 source-
address="1.1.1.1" source-port="57101" destination-address="1.1.1.1" destination-
port="443" service-name="junos-https" nat-source-address="1.1.1.1" nat-source-
port="57101" nat-destination-address="1.1.1.1" nat-destination-port="443" src-
nat-rule-type="static rule" src-nat-rule-name="ARUBA_RAP_WLC3600_xlate" dst-nat-
rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-
name="EMEA_ARUBA_GUEST_ACCESS" source-zone-name="FRONTEND_DMZ" destination-zone-
name="INTERNET" session-id-32="83048" username="N/A" roles="N/A" packet-
incoming-interface="reth5.0" application="UNKNOWN" nested-application="UNKNOWN"
encrypted="UNKNOWN"]

Showing inbound interface in flow.

• Cisco Router
10 09 2016 01:59:26 1.1.1.1 <LOC7:ERRR> Original Address=1.1.1.1 39296: Oct  9
01:59:48: %ILPOWER-3-CONTROLLER_PORT_ERR: Controller port error, Interface
Gi4/0/38: Power Controller reports Short detected

Parse full interface Gi4/0/38.

Host Tab 168


LogRhythm Schema Dictionary and Guide

Origin MAC Address


The MAC Address from which activity originated.

Data Type
String

Aliases
Use Alias

Client Console Full Name MAC Address (Origin)

Client Console Short Name Not applicable

Web Console Tab/Name MAC Address (Origin)

Elasticsearch Field Name originMac

Rule Builder Column Name SMAC

Regex Pattern <smac>

NetMon Name SrcMAC

Field Relationships
• SIP • Origin Port
• SIPv4 • Origin NAT Port
• SIPv6 • Impacted Port
• SIPv6E • Impacted NAT Port
• Origin Hostname • Impacted MAC Address
• Origin Hostname or IP • Origin Interface
• Origin NAT IP • Impacted Interface
• DIP • Origin Domain
• DIPv4 • Impacted Domain
• DIPv6 • Origin Login
• DIPv6E • Impacted Account
• Impacted Hostname • IANA Protocol Number
• Impacted Hostname or IP • IANA Protocol Name
• Impacted NAT IP

Host Tab 169


LogRhythm Schema Dictionary and Guide

Common Applications
• Firewall
• IDS/IPS
• Vulnerability scanners

Use Case
• Differentiating hosts and interfaces.
• Detecting MAC ID cloning.

MPE/Data Masking Manipulations


Not applicable.

Usage Standards
• Can be in any format of MAC address:
• MM:MM:MM:SS:SS:SS
• MM-MM-MM-SS-SS-SS
• MMM.MMM.SSS.SSS
• MM MM MM SS SS SS
• Origin is Client (In Client-Server Model)
• Origin is Attacker (In Attacker-Target Model)

Examples
• FireEye Web MPS
02 01 2016 17:13:19 1.1.1.1 <LOC4:WARN> fenotify-609081.warning: CEF:0|FireEye|
MPS|1.1.1.1875|IM|infection-match|1|rt=Feb 01 2016 23:13:10 UTC src=1.1.1.1
cn3Label=cncPort cn3=80 cn2Label=sid cn2=84575103 shost= https://
www.recordflow.biz proto=tcp spt=51997 dst=1.1.1.1 cs5Label=cncHost cs5=1.1.1.1
dvchost= USABLDRRECFLOW01dvc=1.1.1.1 smac=00:00:00:00:00:00 cn1Label=vlan cn1=0
dpt=80 externalId=609081 cs4Label=link cs4=THING dmac=00:00:00:00:00:00
cs1Label=sname cs1=Exploit.Kit.AnglerDIPv4

Dmac= in this log is the attacker MAC Address (origin).

• Brocade Switch
03 01 2017 02:08:41 1.1.1.1 <LOC6:NOTE> Mar  1 02:08:38
USABLDRRECFLOW01dataplane[2287]: fw rule INTERNAL-IN:10000 block udp(17) src=
USABLDRRECFLOW01/0:00:00:00:00:00/IPV6Address dst=/00:00:00:00/0000::0:0(547)
len=159 hoplimit=1 len=119

Host Tab 170


LogRhythm Schema Dictionary and Guide

Src= with hostname followed by origin MAC Address. Network traffic shown src->dst will be origin-
>impacted.

• Windows Event Log – DHCP Ops


<Event xmlns='http://Host2/win/2004/08/events/event'><System><Provider
Name='Microsoft-Windows-DHCP-Server' Guid='{6d64f02c-a125-4dac-9a01-
f0555b41ca84}'/><EventID>20097</EventID><Version>0</Version><Level>Information</
Level><Task>None</Task><Opcode>Info</Opcode><Keywords></Keywords><TimeCreated
SystemTime='2014-10-07T00:13:02.116745100Z'/><EventRecordID>445336</
EventRecordID><Correlation/><Execution ProcessID='1320' ThreadID='2952'/
><Channel>Microsoft-Windows-Dhcp-Server/FilterNotifications</Channel><Computer>
USABLDRRECFLOW01</Computer><Security UserID='NT AUTHORITY\NETWORK SERVICE'/></
System><EventData>DHCP Services were denied to machine with hardware address
00-00-00-00-00-00, hardware type 1 and FQDN/Hostname USABLDRRECFLOW01because it
did not match any entry in the Allow List.</EventData></Event>

Origin MAC Address with dashes instead of colons.

Host Tab 171


LogRhythm Schema Dictionary and Guide

Origin NAT IP
The Network Address Translated IP from which activity originated (for example, attacker or client).

Data Type
IP

Aliases
Use Alias

Client Console Full Name NAT IP Address (Origin)

Client Console Short Name Not applicable

Web Console Tab/Name NAT IP Address (Origin)

Elasticsearch Field Name originNatIp

Rule Builder Column Name SNATIP

Regex Pattern <snatip>

NetMon Name Not applicable

Field Relationships
• SIP • Origin NAT Port
• SIPv4 • Impacted Port
• SIPv6 • Impacted NAT Port
• SIPv6E • Origin MAC Address
• Origin Hostname • Impacted MAC Address
• Origin Hostname or IP • Origin Interface
• DIP • Impacted Interface
• DIPv4 • Origin Domain
• DIPv6 • Impacted Domain
• DIPv6E • Origin Login
• Impacted Hostname • Impacted Account
• Impacted Hostname or IP • IANA Protocol Number
• Impacted NAT IP • IANA Protocol Name
• Origin Port

Host Tab 172


LogRhythm Schema Dictionary and Guide

Common Applications
Network equipment

Use Case
Internal host context

MPE/Data Masking Manipulations


Polyfield – Origin Host

Usage Standards
• Do not override/overload, use <snatip> not (?<snatip>.*?).
• NAT Origin is Client (In Client-Server Model).
• NAT Origin is Attacker (In Attacker-Target Model).
• Use when you see an Origin IP address IPv4 or IPv6.

Examples
• Cisco Netflow
02 19 2014 06:40:29 NetFlow V9 CONN_ID=- Src=1.1.1.1 SPort=62173 InIfc=4
Dst=1.1.1.1 DPort=8080 OutIfc=3 Prot=6 ICMP_IPV4_TYPE=- ICMP_IPV4_CODE=-
XLATE_SRC_ADDR_IPV4=- XLATE_DST_ADDR_IPV4=- XLATE_SRC_PORT=- XLATE_DST_PORT=-
FW_EVENT=- FW_EXT_EVENT=- EVENT_TIME_MSEC=- IN_PERMANENT_BYTES=-
DETAILS=CONN_ID=1632431052 ICMP_IPV4_TYPE=0 ICMP_IPV4_CODE=0
XLATE_SRC_ADDR_IPV4=1.1.1.1 XLATE_DST_ADDR_IPV4=1.1.1.1 XLATE_SRC_PORT=61695
XLATE_DST_PORT=8080 FW_EVENT=2 FW_EXT_EVENT=2015 EVENT_TIME_MSEC=1392835229440
IN_PERMANENT_BYTES=8807 DefaultDevice TemplateID=263

XLATE-SRC-ADDR indicates an origin IP (source in a network context) utilizing Network Address


Translation (NAT). SIP and DIP (Origin and Impacted) are indicated here with src= and dst=.

Host Tab 173


LogRhythm Schema Dictionary and Guide

Serial Number [7.2]


The hardware or software serial number in a log message. Should be a permanent, unique identifier of what
it is identifying.

This field is not available in LogRhythm versions earlier than 7.2.1.

Data Type
String (128 characters maximum)

Aliases
Use Alias

Client Console Full Name Serial Number

Client Console Short Name Not applicable

Web Console Tab/Name Serial Number

Elasticsearch Field Name serialNumber

Rule Builder Column Name SerialNumber

Regex Pattern <serialnumber>

NetMon Name Not applicable

Field Relationships
• This field was previously an overload of object and subject.
• Session is often used for what are called serial numbers, but are closer to session identifiers.

Common Applications
• Palo Alto
• Juniper
• F5
• Asset management systems

Host Tab 174


LogRhythm Schema Dictionary and Guide

Use Case
Uniquely identify systems.

MPE/Data Masking Manipulations


Not applicable.

Usage Standards
• Serial Number is only used for data that uniquely identifies an object, device or application. It is not meant to be
used for defining a "session" or "record id."
• Only overload this field with GUID when S/N not present when the GUID is permanent.

Examples
Correct Examples
• Avaya Secure Access Link Remote Access Log
Jun 21 16:29:30 Host2ldomain Host1 xgEnterpriseProxy: Device registered with
server https://Host4/eMessage: model: SessionMgr, serial number: (000)222-2222

Serial Number describes the device being registered to the server.

• Bluecat Adonis
03 19 2013 14:34:17 1.1.1.1 <LOC1:INFO> Mar 19 14:34:17
USABLDRRECFLOW01named[4476]: info: zone 10.in-addr.arpa/IN/Internal: transferred
serial 324442789: TSIG 'view13530'

Serial used in DNS transaction.

Ambiguous Examples
• FortiGate
03 27 2016 12:24:47 1.1.1.1 <LOC5:ALRT> date=2016-03-27 time=12:24:47
devname=SLAVE devid=FG222222222222222222 logid=0419016384 type=utm subtype=ips
eventtype=signature level=alert vd="Front_End" severity=high srcip=1.1.1.1
dstip=1.1.1.1 srcintf="port14" dstintf="port13" policyid=1897
sessionid=3487142146 action=detected proto=6 service=HTTPS
attack="OpenSSL.ChangeCipherSpec.Injection" srcport=50077 dstport=443
hostname="recordflow.biz" direction=outgoing attackid=38738 profile="All-All-
All" ref="http://www.fortinet.com/ids/VID38738" incidentserialno=981770026

Host Tab 175


LogRhythm Schema Dictionary and Guide

msg="applications3: OpenSSL.ChangeCipherSpec.Injection," crscore=30


crlevel=high

Incidentserialno correlates logs describing a single incident, and is closer to a session or record ID
than a serial number.

• Cisco Telepresence VCS


04 26 2016 18:07:35 1.1.1.1 <USER:NOTE> 2016-04-26T18:07:36-04:00 radvcsx tvcs:
Event="Search Completed" Reason="Not Found" Service="H323" Src-alias-type="H323"
Src-alias="pima_373@Host5" Dst-alias-type="E164" Dst-alias="93516#9#935" Call-
serial-number="e2c39d22-cd9f-222c-a2ea-7b57a39239fc"
Tag="f420cf74-2222-45d6-989a-76e32d94525a" Detail="found:false, searchtype:LRQ"
Level="1" UTCTime="2016-04-26 22:07:36,027"

Call-Serial-Number is closer to a session in this context.

Host Tab 176


LogRhythm Schema Dictionary and Guide

SIPv4
Constituent element of <sip> for only IPv4 parsing (not generally used). Completely redundant to SIP. 

Data Type
IP

Aliases
Use Alias

Client Console Full Name Host (Origin)

Client Console Short Name Not applicable

Web Console Tab/Name Host (Origin)

Elasticsearch Field Name originIpV4

Rule Builder Column Name SIP

Regex Pattern <sipv4>

NetMon Name Not applicable

Field Relationships
• Nested element of <sip> default regex
• Can not be used with <sipv6>

Common Applications
IPv4 only network equipment.

Use Case
For more information, see IP Address (Origin).

MPE/Data Masking Manipulations


Polyfield – Origin Host

Host Tab 177


LogRhythm Schema Dictionary and Guide

Usage Standards
• This field is rarely used because it is redundant to <sip>.
• If you are 100% certain an IPv4 address will always appear.
• Only use if you need an extremely minute performance improvement.

Examples
Not applicable.

Host Tab 178


LogRhythm Schema Dictionary and Guide

SIPv6
Constituent element of <sip> for only IPv6 parsing (not generally used).

Data Type
IP

Aliases
Use Alias

Client Console Full Name Host (Origin)

Client Console Short Name Not applicable

Web Console Tab/Name Host (Origin)

Elasticsearch Field Name originIpV6

Rule Builder Column Name SIP

Regex Pattern <sipv6>

NetMon Name Not applicable

Field Relationships
• Nested element of <sip> default regex
• Can not be used with <sipv4>

Common Applications
IPv6 only network equipment.

Use Case
For more information, see IP Address (Origin).

MPE/Data Masking Manipulations


Polyfield – Origin Host

Host Tab 179


LogRhythm Schema Dictionary and Guide

Usage Standards
• This is rarely used.
• Is redundant to <sip>.
• If you are 100% certain an IPv6 address will always appear.
• Use if you need an extremely minute performance improvement.

Examples
• Trend Micro Deep Security
11 19 2014 08:21:12 10.100.6.64 <LOC0:INFO> Nov 19 03:25:07 USABLDRRECFLOW01
dsa_mpnp: REASON=IPv6_Packet HOSTID=230078 ACT=Deny IN=0C:0B:05:07:B0:05 OUT=
MAC=00:00:00:00:00:00:00:BE:00:00:00:0D:00:0d SRC=fe80:0:0:0:0cd0:000f:bd2f:000b
DST=ff01:0:0:0:0:0:0:1 LEN=86 PROTO=ICMPv6 SPT=0 DPT=0 CNT=1

SRC= shows origin IPv6 Address.

Host Tab 180


LogRhythm Schema Dictionary and Guide

SIPv6E
The IPv4 IP address mapped to IPv6e from which activity originated (for example, attacker or client).

Data Type
IP

Aliases
Use Alias

Client Console Full Name Host (Origin)

Client Console Short Name Not applicable

Web Console Tab/Name Host (Origin)

Elasticsearch Field Name originIpV6

Rule Builder Column Name SIP

Regex Pattern <sipv6e>

NetMon Name Not applicable

Field Relationships
• SIP • Origin NAT Port
• SIPv4 • Impacted Port
• SIPv6 • Impacted NAT Port
• Origin Hostname • Origin MAC Address
• Origin Hostname or IP • Impacted MAC Address
• Origin NAT IP • Origin Interface
• DIP • Impacted Interface
• DIPv4 • Origin Domain
• DIPv6 • Impacted Domain
• DIPv6E • Origin Login
• Impacted Hostname • Impacted Account
• Impacted Hostname or IP • IANA Protocol Number
• Impacted NAT IP • IANA Protocol Name
• Origin Port

Host Tab 181


LogRhythm Schema Dictionary and Guide

Common Applications
Networked equipment.

Use Case
Host context

MPE/Data Masking Manipulations


Polyfield – Origin Host

Usage Standards
• Do not override/overload, use <sipv6e> not (?<sipv6e>.*?).
• Origin is Client (In Client-Server Model).
• Origin is Attacker (In Attacker-Target Model).
• Use when you see an Origin IPv4 address mapped to IPv6.

Examples
• Townsend Alliance LogAgent
11 02 2015 22:10:02 1.1.1.1 <ALRT:INFO> Nov  2 22:09:39 USABLDRRECFLOW01QAUDJRN:
[PW@0 event="PW-Invalid user or password" event_type="Q-Signon failed profile
disabled" actual_type="PW-Q" user_profile="PSTORE" device="" jrn_seq="6849716"
timestamp="20151102220939315000" job_name="QZSOSIGN" user_name="QUSER"
job_number="535772" eff_user="QUSER" ip_addr="::ffff:1.1.1.1" port="52584"]

::ffff:1.1.1.1 is an IPv4 IP mapped to IPv6. Traditional <sip> and <dip> IP parsers do not work with
this type of IP.

Host Tab 182


LogRhythm Schema Dictionary and Guide

Identity Tab
The identity tab contains metadata fields related to the user associated with the action or object in the log.
The following fields are on the Identity tab:
• Account > User (Impacted)
• Group
• Login > User (Origin)
• Recipient
• Sender
This tab contains one polyfield: User (Impacted).
This tab contains four Identity Analytics fields: User Identity (Origin), User Identity (Impacted), Sender
Identity, and Recipient Identity.
Identity Analytics fields aggregate multiple identifiers for a user/email into a single unique ID. Each Identity
Field is mapped to the corresponding MPE metadata field described in this section. These fields are not
available for parsing. For more information about Identity Analytics fields, see Identity-Derived Data.

Identity Tab 183


LogRhythm Schema Dictionary and Guide

Account > User (Impacted)


The user or system account impacted by activity reported in the log.

Data Type
String

Aliases
Use Alias

Client Console Full Name User (Impacted)

Client Console Short Name Not applicable

Web Console Tab/Name User (Impacted)

Elasticsearch Field Name account

Rule Builder Column Name Account

Regex Pattern <account>

NetMon Name Not applicable

Field Relationships
• SIP • Origin Port
• SIPv4 • Origin NAT Port
• SIPv6 • Impacted Port
• SIPv6E • Impacted NAT Port
• Origin Hostname • Origin MAC Address
• Origin Hostname or IP • Impacted MAC Address
• Origin NAT IP • Origin Interface
• DIP • Impacted Interface
• DIPv4 • Origin Domain
• DIPv6 • Impacted Domain
• DIPv6E • Origin Login
• Impacted Hostname • IANA Protocol Number
• Impacted Hostname or IP • IANA Protocol Name
• Impacted NAT IP

Identity Tab 184


LogRhythm Schema Dictionary and Guide

Common Applications
Any applications, systems or devices that utilize accounts.

Use Case
Correlating or monitoring user activity.

MPE/Data Masking Manipulations


Mapped to User Identity (Impacted)

Usage Standards
• Use to indicate the user or account that is being altered or logged off a system by another user or system
account.
• Use for User Accounts and System Accounts.

Examples
• Windows Event Log
<Event xmlns='http://Host2/win/2004/08/events/event'><System><Provider
Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-
a5ba-3e3b0328c30d}'/><EventID>4738</EventID><Version>0</
Version><Level>Information</Level><Task>User Account Management</
Task><Opcode>Info</Opcode><Keywords>Audit Success</Keywords><TimeCreated
SystemTime='2014-02-26T13:18:11.277015700Z'/><EventRecordID>1635656743</
EventRecordID><Correlation/><Execution ProcessID='524' ThreadID='4900'/
><Channel>Security</Channel><Computer> USABLDRRECFLOW01Computer><Security/></
System><EventData>A user account was changed.
Subject:
       Security ID:        safaware\pete.store
       Account Name:       pete.store
       Account Domain:            safaware
       Logon ID:           0x7b1adb067
Target Account:
       Security ID:        S-1-5-21-2222222-2222222222-2222222222-90119
       Account Name:       LHR-Reception
       Account Domain:            safaware
Changed Attributes:

Identity Tab 185


LogRhythm Schema Dictionary and Guide

       SAM Account Name:   -


       Display Name:       -
       User Principal Name:       -
       Home Directory:            -
       Home Drive:         -
       Script Path:        -
       Profile Path:       -
       User Workstations:  -
       Password Last Set:  -
       Account Expires:           -
       Primary Group ID:   -
       AllowedToDelegateTo:       -
       Old UAC Value:             0x15
       New UAC Value:             0x211
       User Account Control:     
              'Password Not Required' - Disabled
              'Don't Expire Password' - Enabled
       User Parameters:    -
       SID History:        -
       Logon Hours:        -
Additional Information:
       Privileges:         -</EventData></Event>

Target in Windows indicates Impacted. In this log, the Target Account (Impacted) is being modified
by Subject Account (Origin).

Identity Tab 186


LogRhythm Schema Dictionary and Guide

Group
The user group or role impacted by activity reported in the log. Do not use for entity group (zone or domain). 

Data Type
String

Aliases
Use Alias

Client Console Full Name Group

Client Console Short Name Not applicable

Web Console Tab/Name Group

Elasticsearch Field Name group

Rule Builder Column Name Group

Regex Pattern <group>

NetMon Name Not applicable

Field Relationships
• Login
• Account
• Domain
• Session
• SessionType
• Policy

Common Applications
• AD group
• Linux user group
• Security role

Use Case

Identity Tab 187


LogRhythm Schema Dictionary and Guide

• Capturing active directory organizational unit.


• Capturing certificate organizational units.

MPE/Data Masking Manipulations


Not applicable.

Usage Standards
• Not Zone (internet, network, security).
• Only to capture explicitly called out (user) group, organizational units, and roles.

Examples
• Cylance
08 16 2016 22:42:18 1.1.1.1 <USER:NOTE> 250 <44>1 2016-08-17T04:42:20.0816805Z
sysloghost CylancePROTECT - - - Event Type: AuditLog, Event Name: ZoneAddDevice,
Message: Zone: Corporate; Devices: USABLDRRECFLOW01, , User: Dave Foss
(pete.store@recordflow.biz) pete.store@recordflow.biz)

Corporate Zone is parsed here.

• AWS
TS=2015-07-03T07:15:21Z ACCT=22222222222 RSRC=sg-22222222222 ARN=
USABLDRRECFLOW01:security-group/sg- USABLDRRECFLOW01CREATETS=
STS=ResourceDiscovered REG=us-west-2 RSRCTYP=AWS::EC2::SecurityGroup
DETALS=ownerid=9052222962 groupname=launch-wizard-1 groupid=gg22222
description=launch-wizard-1 created 2015-07-03T00:07:57.767-07:00
vpcid=vpc-22222226

Groupname= parses into Group. Is explicit as a group.

• Salesforce
EVT_TYP=RestApi TS=2015-07-13T22:37:51Z REQ_ID=3z1tWodgfdgdH5TjAgF-
ORG_ID=00D00000000001 U_N=pete.store@recordflow.biz.isvdev01 RUN_T=77 CPU_T=19
CLNT_IP=1.1.1.1 URI=/services/data/v33.0/query

Organization ID parsed (specific to LogRhythm in this example).

Identity Tab 188


LogRhythm Schema Dictionary and Guide

Login > User (Origin)


The host IP that was affected by the activity (for example, target or server). Destination IP in IPv4 or IPv6
format.

Data Type
String

Aliases
Use Alias

Client Console Full Name User (Origin)

Client Console Short Name Not applicable

Web Console Tab/Name User (Origin)

Elasticsearch Field Name login

Rule Builder Column Name Login

Regex Pattern <login>

NetMon Name Not applicable

Field Relationships
• SIP • Origin Port
• SIPv4 • Origin NAT Port
• SIPv6 • Impacted Port
• SIPv6E • Impacted NAT Port
• Origin Hostname • Origin MAC Address
• Origin Hostname or IP • Impacted MAC Address
• Origin NAT IP • Origin Interface
• DIP • Impacted Interface
• DIPv4 • Origin Domain
• DIPv6 • Impacted Domain
• DIPv6E • Impacted Account
• Impacted Hostname • IANA Protocol Number
• Impacted Hostname or IP • IANA Protocol Name
• Impacted NAT IP

Identity Tab 189


LogRhythm Schema Dictionary and Guide

Common Applications
Any applications, systems or devices that utilize accounts.

Use Case
Correlating or monitoring user activity.

MPE/Data Masking Manipulations


Mapped to User Identity (Origin)

Usage Standards
• Use to indicate the user or system account that is performing altering another account or logging in to a system.
• Use for User Accounts and System Accounts.

Examples
• Windows Event Log
<Event xmlns='http://Host2/win/2004/08/events/event'><System><Provider
Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-
a5ba-3e3b0328c30d}'/><EventID>4738</EventID><Version>0</
Version><Level>Information</Level><Task>User Account Management</
Task><Opcode>Info</Opcode><Keywords>Audit Success</Keywords><TimeCreated
SystemTime='2014-02-26T13:18:11.277015700Z'/><EventRecordID>1635656743</
EventRecordID><Correlation/><Execution ProcessID='524' ThreadID='4900'/
><Channel>Security</Channel><Computer> USABLDRRECFLOW01Computer><Security/></
System><EventData>A user account was changed.
Subject:
       Security ID:        Safaware\pete.store
       Account Name:       pete.store
       Account Domain:            safaware
       Logon ID:           0x7b1adb067
Target Account:
       Security ID:        S-1-5-21-2222222-22222222-22222-90119
       Account Name:       dave.store
       Account Domain:            safaware
Changed Attributes:
       SAM Account Name:   -

Identity Tab 190


LogRhythm Schema Dictionary and Guide

       Display Name:       -


       User Principal Name:       -
       Home Directory:            -
       Home Drive:         -
       Script Path:        -
       Profile Path:       -
       User Workstations:  -
       Password Last Set:  -
       Account Expires:           -
       Primary Group ID:   -
       AllowedToDelegateTo:       -
       Old UAC Value:             0x15
       New UAC Value:             0x211
       User Account Control:     
              'Password Not Required' - Disabled
              'Don't Expire Password' - Enabled
       User Parameters:    -
       SID History:        -
       Logon Hours:        -
Additional Information:
       Privileges:         -</EventData></Event>

Subject in Windows indicates Origin. In this log, the Subject Account (Origin) is modifying the Target
Account (Impacted).

• Cisco Clean Access Appliance


03 28 2010 14:55:50 1.1.1.1 <USER:INFO> Perfigo: Authentication:
[00:00:00:00:00:00 ## 1.1.1.1] escribne - Successfully logged in, Provider:
conncoll, L2 MAC address: 00:00:00:00:00:00, Role: Students, OS: Macintosh OSX

User logon event. Listed user is the client (origin) connecting to a server (impacted) (client-server).

Identity Tab 191


LogRhythm Schema Dictionary and Guide

Recipient
The recipient of an email or called to number for a VoIP log.

Data Type
String

Aliases
Use Alias

Client Console Full Name Recipient

Client Console Short Name Not applicable

Web Console Tab/Name Recipient

Elasticsearch Field Name recipient

Rule Builder Column Name Recipient

Regex Pattern <recipient>

NetMon Name Not applicable

Field Relationships
• Sender
• Subject
• Session
• Session Type

Common Applications
• Email logs
• VoIP logs
• Instant messaging services

Use Case
Tracking malware infection vector.

Identity Tab 192


LogRhythm Schema Dictionary and Guide

MPE/Data Masking Manipulations


Mapped to Recipient Identity.

Usage Standards
• Recipient shall not be used for identifying the direction of network traffic or network zones.
• Only used for destination email, destination caller, chat, instant messaging, or other communication mediums,
such as
• AOL Instant Messenger
• IRC
• Lync
• Skype
• Google Hangouts
• Fax

Examples
• ColdFusion Mailsent Log
"Information","scheduler-2","12/28/11","09:14:33",,"Mail: 'Web site submission
from Pete Store' From:'NoReply@recordflow.biz' To:'mdaveman@recordlow.com' was
successfully sent using smtp.recordflow.biz"

To email parsed appropriately.

• Cisco Telepresence Video Communications Server


04 26 2016 16:40:14 1.1.1.1 <USER:NOTE> 2016-04-26T16:40:14-04:00 radvcsx tvcs:
Event="Call Attempted" Service="SIP" Src-ip="1.1.1.1" Src-port="1196" Src-alias-
type="SIP" Src-alias="sip:pete.store@Host5" Dst-alias-type="SIP" Dst-
alias="sip:dpackl@Host5" Call-serial-number="d415c222-
fd22-47fd-8d0a-222b1a351460" Tag="02e3b418-f67b-408b-22b2-adafea222e32"
Protocol="TLS" Auth="NO" Level="1" UTCTime="2016-04-26 20:40:14,467"

Dst-Alias in this case a VoIP call destination.

• Cisco Unified Comm Mgr (Call Mgr)


05 22 2012 15:05:49 1.1.1.1 <LOC7:WARN> 750: May 22 2012 20:05:49.41 UTC : 
%UC_CALLMANAGER-4-MaliciousCall: %[Called Party Number=2755][Called Device Name=
USABLDRRECFLOW01][Called Display Name=Jason Riggins][Calling Party Number=2378]
[Calling Device Name= USABLDRRECFLOW01][Calling Display Name=Dave Store Test]
[App ID=Cisco CallManager][Cluster ID=StandAloneCluster][Node ID=KaM-CCM2-SubT]:
A malicious call has been identified

Identity Tab 193


LogRhythm Schema Dictionary and Guide

Another VoIP call destination.

Identity Tab 194


LogRhythm Schema Dictionary and Guide

Sender
The sender of an email or the caller number for a VoIP log. Must relate to a specific user, or unique address in
the case of a phone call or email. 

Data Type
String

Aliases
Use Alias

Client Console Full Name Sender

Client Console Short Name Not applicable

Web Console Tab/Name Sender

Elasticsearch Field Name sender

Rule Builder Column Name Sender

Regex Pattern <sender>

NetMon Name Not applicable

Field Relationships
• Recipient
• Subject
• Session
• Session Type

Common Applications
• Email logs
• VoIP logs

Use Case
• Identify spam traffic by looking at top senders of email.

Identity Tab 195


LogRhythm Schema Dictionary and Guide

• Track ransomware back to source/spread pattern.

MPE/Data Masking Manipulations


Mapped to Sender Identity.

Usage Standards
• Sender shall not be used for identifying the direction of network traffic or network zones.
• Only used for origin email, origin caller, chat, instant messaging, or other communication mediums, such as
• AOL Instant Messenger
• IRC
• Lync
• Skype
• Google Hangouts
• Fax

Examples
• ColdFusion Mailsent Log
"Information","scheduler-2","12/28/11","09:14:33",,"Mail: 'Web site submission
from Donna Hirt' From:'NoReply@recordflow.biz'
To:'mcoffman@sagepointadvisor.com' was successfully sent using mta23.colo.lan"

From email parsed appropriately.

• Cisco Telepresence Video Communications Server


04 26 2016 16:40:14 1.1.1.1 <USER:NOTE> 2016-04-26T16:40:14-04:00 radvcsx tvcs:
Event="Call Attempted" Service="SIP" Src-ip="1.1.1.1" Src-port="1196" Src-alias-
type="SIP" Src-alias="sip:pete_store@Host5" Dst-alias-type="SIP" Dst-
alias="sip:dpack@Host5" Call-serial-number="d415c736-
fd67-47fd-8d0a-892b1a351460" Tag="02e3b418-f67b-408b-92b2-adafea551e32"
Protocol="TLS" Auth="NO" Level="1" UTCTime="2016-04-26 20:40:14,467"

Src-Alias in this case a VoIP call origin.

• Cisco Unified Comm Mgr (Call Mgr)


05 22 2012 15:05:49 1.1.1.1 <LOC7:WARN> 750: May 22 2012 20:05:49.41 UTC : 
%UC_CALLMANAGER-4-MaliciousCall: %[Called Party Number=2755][Called Device
Name=SEP002414B3815B][Called Display Name=Jason Riggins][Calling Party
Number=2378][Calling Device Name=recflow00001][Calling Display Name=recflow Test
][App ID=Cisco CallManager][Cluster ID=StandAloneCluster][Node ID=rec-flow-001]:
A malicious call has been identified

Identity Tab 196


LogRhythm Schema Dictionary and Guide

Another VoIP call origin.

Identity Tab 197


LogRhythm Schema Dictionary and Guide

Location Tab
The Location tab contains fields that attempt to identify a physical or logical location for the object
referenced in a log.
The Location fields are either polyfields or enrichment fields added after parsing:
• Entity (Origin)
• Entity (Impacted)
• Zone (Origin)
• Zone (Impacted)
• Location (Origin)
• Location (Impacted)
• Country (Origin)

Location Tab 198


LogRhythm Schema Dictionary and Guide

Log Tab
The Log tab contains metadata that describe the log source rather than the log itself.
Most of these fields are generated by the log source type or agent configuration. They are not parsed into the
schema from the raw log:
• Log count
• Log source entity
• Log source type
• Log source host
• Log source
• Log sequence number (from Agent)

Log Tab 199


LogRhythm Schema Dictionary and Guide

Network Tab
The Network tab contains fields that relate to the networks associated with the origin and impacted host.
The following fields are on the Network tab:
• Domain [7.2]
• Impacted NAT Port
• Impacted Port
• Origin NAT Port
• Origin Port
Several of the network fields are polyfields or are auto-calculated based on the entity structure:
• Network (Origin)
• Network (Impacted)
• Protocol

Network Tab 200


LogRhythm Schema Dictionary and Guide

Domain [7.2]
The Windows or DNS domain name referenced or impacted by activity reported in the log.

This field is not available in LogRhythm versions earlier than 7.2.1.

Data Type
String

Aliases
Use Alias

Client Console Full Name Domain (Impacted)

Client Console Short Name Not applicable

Web Console Tab/Name Domain (Impacted)

Elasticsearch Field Name domain

Rule Builder Column Name Domain

Regex Pattern <domain>

NetMon Name Not applicable

Field Relationships
• SIP • Origin Port
• SIPv4 • Origin NAT Port
• SIPv6 • Impacted Port
• SIPv6E • Impacted NAT Port
• Origin Hostname • Origin MAC Address
• Origin Hostname or IP • Impacted MAC Address
• Origin NAT IP • Origin Interface
• DIP • Impacted Interface
• DIPv4 • Origin Domain
• DIPv6 • Origin Login
• DIPv6E • Impacted Account

Network Tab 201


LogRhythm Schema Dictionary and Guide

• Impacted Hostname • IANA Protocol Number


• Impacted Hostname or IP • IANA Protocol Name
• Impacted NAT IP

Common Applications
• WebpProxy
• Network monitoring
• Active Directory
• SSO

Use Case
Correlating user activity across domains.

MPE/Data Masking Manipulations


Not applicable.

Usage Standards
Used for capturing an Active Directory Domain name.

Examples
• Windows Event Log
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/
event'><System><Provider Name='Microsoft-Windows-Security-Auditing'
Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4742</
EventID><Version>0</Version><Level>Information</Level><Task>Computer Account
Management</Task><Opcode>Info</Opcode><Keywords>Audit Success</
Keywords><TimeCreated SystemTime='2016-02-26T03:09:41.988899400Z'/
><EventRecordID>2283625151</EventRecordID><Correlation/><Execution
ProcessID='520' ThreadID='1140'/><Channel>Security</Channel><Computer>
USABLDRRECFLOW01</Computer><Security/></System><EventData><Data
Name='ComputerAccountChange'>-</Data><Data
Name='TargetUserName'>USLT0752CROBB$</Data><Data
Name='TargetDomainName'>SAFAWARE</Data><Data Name='TargetSid'>SAFAWARE\
USABLDRRECFLOW01$</Data><Data Name='SubjectUserSid'>SAFAWARE\pete.store</
Data><Data Name='SubjectUserName'>pete.store</Data><Data
Name='SubjectDomainName'>SAFAWARE</Data><Data
Name='SubjectLogonId'>0x14af66a2b</Data><Data Name='PrivilegeList'>-</Data><Data
Name='SamAccountName'>-</Data><Data Name='DisplayName'>-</Data><Data
Name='UserPrincipalName'>-</Data><Data Name='HomeDirectory'>-</Data><Data
Name='HomePath'>-</Data><Data Name='ScriptPath'>-</Data><Data

Network Tab 202


LogRhythm Schema Dictionary and Guide

Name='ProfilePath'>-</Data><Data Name='UserWorkstations'>-</Data><Data
Name='PasswordLastSet'>-</Data><Data Name='AccountExpires'>-</Data><Data
Name='PrimaryGroupId'>-</Data><Data Name='AllowedToDelegateTo'>-</Data><Data
Name='OldUacValue'>0x80</Data><Data Name='NewUacValue'>0x81</Data><Data
Name='UserAccountControl'>
              %%2080</Data><Data Name='UserParameters'>-</Data><Data
Name='SidHistory'>-</Data><Data Name='LogonHours'>-</Data><Data
Name='DnsHostName'>-</Data><Data Name='ServicePrincipalNames'>-</Data></
EventData></Event>

TargetDomainName is the Domain of the impacted user in this Account Management event. In
Windows Event Logging, Subject refers to Origin and Target refers to Impacted.

Network Tab 203


LogRhythm Schema Dictionary and Guide

Impacted NAT Port


The Network Address Translated (NAT) port to which activity is targeted—for example, server or target port.

Data Type
Integer

Aliases
Use Alias

Client Console Full Name TCP/UDP Port (Impacted)

Client Console Short Name Not applicable

Web Console Tab/Name TCP/UDP Port (Impacted)

Elasticsearch Field Name impactedNatPort

Rule Builder Column Name DNATPort

Regex Pattern <snatport>

NetMon Name Not applicable

Field Relationships
• SIP • Origin Port
• SIPv4 • Origin NAT Port
• SIPv6 • Impacted Port
• SIPv6E • Origin MAC Address
• Origin Hostname • Impacted MAC Address
• Origin Hostname or IP • Origin Interface
• Origin NAT IP • Impacted Interface
• DIP • Origin Domain
• DIPv4 • Impacted Domain
• DIPv6 • Origin Login
• DIPv6E • Impacted Account
• Impacted Hostname • IANA Protocol Number
• Impacted Hostname or IP • IANA Protocol Name
• Impacted NAT IP

Network Tab 204


LogRhythm Schema Dictionary and Guide

Common Applications
Any network connected application or device.

Use Case
Host and application contexts.

MPE/Data Masking Manipulations


Used to help in determining Application.

Usage Standards
• Use to indicate the Network Address Translated (NAT) impacted port number associated with a server or
targeted host.
• Origin is Server (In Client-Server Model).
• Target is Impacted (In Attacker-Target Model).

Examples
• Cisco Netflow
02 19 2014 06:40:29 NetFlow V9 CONN_ID=- Src=1.1.1.1 SPort=62173 InIfc=4
Dst=1.1.1.1 DPort=8080 OutIfc=3 Prot=6 ICMP_IPV4_TYPE=- ICMP_IPV4_CODE=-
XLATE_SRC_ADDR_IPV4=- XLATE_DST_ADDR_IPV4=- XLATE_SRC_PORT=- XLATE_DST_PORT=-
FW_EVENT=- FW_EXT_EVENT=- EVENT_TIME_MSEC=- IN_PERMANENT_BYTES=-
DETAILS=CONN_ID=1632431052 ICMP_IPV4_TYPE=0 ICMP_IPV4_CODE=0
XLATE_SRC_ADDR_IPV4=1.1.1.1 XLATE_DST_ADDR_IPV4=1.1.1.1 XLATE_SRC_PORT=61695
XLATE_DST_PORT=8080 FW_EVENT=2 FW_EXT_EVENT=2015 EVENT_TIME_MSEC=1392835229440
IN_PERMANENT_BYTES=8807 DefaultDevice TemplateID=263

XLATE_DST_PORT shows the translation IPs destination (impacted) port. In a network flow context,
destination and impacted are synonymous.

Network Tab 205


LogRhythm Schema Dictionary and Guide

Impacted Port
The port to which activity is targeted (for example, server or target port).

Data Type
Integer

Aliases
Use Alias

Client Console Full Name TCP/UDP Port (Impacted)

Client Console Short Name Not applicable

Web Console Tab/Name TCP/UDP Port (Impacted)

Elasticsearch Field Name impactedPort

Rule Builder Column Name DPort

Regex Pattern <dport>

NetMon Name Not applicable

Field Relationships
• SIP • Origin Port
• SIPv4 • Origin NAT Port
• SIPv6 • Impacted NAT Port
• SIPv6E • Origin MAC Address
• Origin Hostname • Impacted MAC Address
• Origin Hostname or IP • Origin Interface
• Origin NAT IP • Impacted Interface
• DIP • Origin Domain
• DIPv4 • Impacted Domain
• DIPv6 • Origin Login
• DIPv6E • Impacted Account
• Impacted Hostname • IANA Protocol Number
• Impacted Hostname or IP • IANA Protocol Name
• Impacted NAT IP

Network Tab 206


LogRhythm Schema Dictionary and Guide

Common Applications
Any network connected application or device.

Use Case
Host and application contexts.

MPE/Data Masking Manipulations


Used to help in determining Application.

Usage Standards
• Use to indicate the impacted port number associated with a server or targeted host.
• Origin is Server (In Client-Server Model).
• Target is Impacted (In Attacker-Target Model).

Examples
• FireEye Web MPS
02 01 2016 17:13:19 1.1.1.1 <LOC4:WARN> fenotify-609081.warning: CEF:0|FireEye|
MPS|1.1.1.1875|IM|infection-match|1|rt=Feb 01 2016 23:13:10 UTC src=1.1.1.1
cn3Label=cncPort cn3=80 cn2Label=sid cn2=84575103 shost=
USABLDRRECFLOW01proto=tcp spt=51997 dst=1.1.1.1 cs5Label=cncHost cs5=1.1.1.1
dvchost= USABLDRRECFLOW01dvc=1.1.1.1 smac=00:00:00:00:00:00 cn1Label=vlan cn1=0
dpt=80 externalId=609081 cs4Label=link cs4URL act=blocked cs6Label=channel
cs6=GET Stuff dmac=00:00:00:00:00:00 cs1Label=sname cs1=Exploit.Kit.AnglerDIPv4

Spt= in this case is the impacted (target) port in the attacker-target paradigm.

• Cisco Next Generation Firewall


CISCONGFW EVENT Ev_Id=610 Ev_Severity=6 Ev_TypeId=HTTP_COMPLETE Ev_SrcId=32
Ev_RecvTime=2/24/2013 10:04:34 PM Ev_MetaData=0 Smx_Config_Version=2
Identity_Source=0 Smx_Policy_Id=0 Flow_ConnId=456 Smx_Egress_Interface_Id=0
Smx_Ingress_Interface_Id=0 Avc_App_Id=300003 Ev_GenTime=2/24/2013 10:04:09 PM
Flow_Protocol=6 Flow_SrcIp=1.1.1.1 Flow_DstIp=1.1.1.1 Flow_SrcPort=60221
Flow_DstPort=80 Ev_Producer_Id=5 Flow_Transaction_Id=0 Url=recordflow.biz
Flow_DstHostName=recordflow.biz Smx_Policy_Id=0 Flow_Bytes_Sent=391
Http_Response_Status=302 Flow_Bytes_Received=647

Impacted port (destination in a network traffic flow context).

Network Tab 207


LogRhythm Schema Dictionary and Guide

• Cisco ISE
02 10 2014 13:54:24 1.1.1.1 <LOC6:NOTE> Feb 10 13:54:43 USABLDRRECFLOW01
CISE_Failed_Attempts 0000217969 2 0 2014-02-10 13:54:43.264 +02:00 0008145644
5413 NOTICE Failed-Attempt: RADIUS Accounting-Request dropped,
ConfigVersionId=143, Device IP Address=1.1.1.1, Device Port=1646,
DestinationIPAddress=1.1.1.1, DestinationPort=1646, Protocol=Radius,
NetworkDeviceName=Switch_ USABLDRRECFLOW01, NAS-IP-Address=1.1.1.1, NAS-
Port=50023, Service-Type=Framed, Acct-Status-Type=Start, Acct-Delay-Time=20,
Acct-Session-Id=000022222, Acct-Authentic=Local, NAS-Port-Type=Ethernet, NAS-
Port-Id=GigabitEthernet0/23, cisco-av-pair=connect-progress=Call Up,
AcsSessionID= USABLDRRECFLOW01/151856948/212124, FailureReason=11038 RADIUS
Accounting-Request header contains invalid Authenticator field, Step=11004,
Step=11017, Step=11038, Step=5413, NetworkDeviceGroups=Device Type#All Device
Types#Switch, NetworkDeviceGroups=Location#All Locations#HQ,
NetworkDeviceGroups=Unit#All Units#Networking, NetworkDeviceGroups=ACS Group#All
ACS Groups, ACS Group=ACS Group#All ACS Groups,

Destination Port (Impacted) is the server port being authenticated against (Client-Server
relationship).

Network Tab 208


LogRhythm Schema Dictionary and Guide

Origin NAT Port


The Network Address Translated (NAT) port from which activity originated (for example, client or attacker
port).

Data Type
Integer

Aliases
Use Alias

Client Console Full Name TCP/UDP Port (Origin)

Client Console Short Name Not applicable

Web Console Tab/Name TCP/UDP Port (Origin)

Elasticsearch Field Name originNatPort

Rule Builder Column Name SNATPort

Regex Pattern <snatport>

NetMon Name Not applicable

Field Relationships
• SIP • Origin Port
• SIPv4 • Origin NAT Port
• SIPv6 • Impacted Port
• SIPv6E • Impacted NAT Port
• Origin Hostname • Origin MAC Address
• Origin Hostname or IP • Impacted MAC Address
• Origin NAT IP • Origin Interface
• DIP • Impacted Interface
• DIPv4 • Origin Domain
• DIPv6 • Impacted Domain
• DIPv6E • Origin Login
• Impacted Hostname • Impacted Account
• Impacted Hostname or IP • IANA Protocol Number
• Impacted NAT IP • IANA Protocol Name

Network Tab 209


LogRhythm Schema Dictionary and Guide

Common Applications
Any network connected application or device.

Use Case
Host and application contexts.

MPE/Data Masking Manipulations


Used to help in determining Application.

Usage Standards
• Use to indicate the Network Address Translated (NAT) origin port number associated with a client or attacker
host where Origin is Client (In Client-Server Model).
• Origin is Attacker (In Attacker-Target Model).

Examples
• Cisco Netflow
02 19 2014 06:40:29 NetFlow V9 CONN_ID=- Src=1.1.1.1 SPort=62173 InIfc=4
Dst=1.1.1.1 DPort=8080 OutIfc=3 Prot=6 ICMP_IPV4_TYPE=- ICMP_IPV4_CODE=-
XLATE_SRC_ADDR_IPV4=- XLATE_DST_ADDR_IPV4=- XLATE_SRC_PORT=- XLATE_DST_PORT=-
FW_EVENT=- FW_EXT_EVENT=- EVENT_TIME_MSEC=- IN_PERMANENT_BYTES=-
DETAILS=CONN_ID=1632431052 ICMP_IPV4_TYPE=0 ICMP_IPV4_CODE=0
XLATE_SRC_ADDR_IPV4=1.1.1.1 XLATE_DST_ADDR_IPV4=1.1.1.1 XLATE_SRC_PORT=61695
XLATE_DST_PORT=8080 FW_EVENT=2 FW_EXT_EVENT=2015 EVENT_TIME_MSEC=1392835229440
IN_PERMANENT_BYTES=8807 DefaultDevice TemplateID=263

XLATE_SRC_PORT shows the translation IP’s source (origin) port. In a network flow context, origin
and source are synonymous.

Network Tab 210


LogRhythm Schema Dictionary and Guide

Origin Port
The port from which activity originated (for example, client or attacker port).

Data Type
Integer

Aliases
Use Alias

Client Console Full Name TCP/UDP Port (Origin)

Client Console Short Name Not applicable

Web Console Tab/Name TCP/UDP Port (Origin)

Elasticsearch Field Name originPort

Rule Builder Column Name SPort

Regex Pattern <sport>

NetMon Name Not applicable

Field Relationships
• SIP • Origin NAT Port
• SIPv4 • Impacted Port
• SIPv6 • Impacted NAT Port
• SIPv6E • Origin MAC Address
• Origin Hostname • Impacted MAC Address
• Origin Hostname or IP • Origin Interface
• Origin NAT IP • Impacted Interface
• DIP • Origin Domain
• DIPv4 • Impacted Domain
• DIPv6 • Origin Login
• DIPv6E • Impacted Account
• Impacted Hostname • IANA Protocol Number
• Impacted Hostname or IP • IANA Protocol Name
• Impacted NAT IP

Network Tab 211


LogRhythm Schema Dictionary and Guide

Common Applications
Any network connected application or device.

Use Case
Host and application contexts.

MPE/Data Masking Manipulations


Used to help in determining Application.

Usage Standards
• Use to indicate the origin port number associated with a client or attacker host.
• Origin is Client (In Client-Server Model).
• Origin is Attacker (In Attacker-Target Model).

Examples
• FireEye Web MPS
02 01 2016 17:13:19 1.1.1.1 <LOC4:WARN> fenotify-609081.warning: CEF:0|FireEye|
MPS|1.1.1.1875|IM|infection-match|1|rt=Feb 01 2016 23:13:10 UTC src=1.1.1.1
cn3Label=cncPort cn3=80 cn2Label=sid cn2=84575103 shost=
USABLDRRECFLOW01proto=tcp spt=51997 dst=1.1.1.1 cs5Label=cncHost cs5=1.1.1.1
dvchost= USABLDRRECFLOW01 dvc=1.1.1.1 smac=00:00:00:00:00:00 cn1Label=vlan cn1=0
dpt=80 externalId=609081 cs4Label=link cs4=STUFF dmac=00:00:00:00:00:00
cs1Label=sname cs1=Exploit.Kit.AnglerDIPv4

Dpt= is Origin in this case as it is the port used by the attacker ip (dst).

• Cisco Next Generation Firewall


CISCONGFW EVENT Ev_Id=610 Ev_Severity=6 Ev_TypeId=HTTP_COMPLETE Ev_SrcId=32
Ev_RecvTime=2/24/2013 10:04:34 PM Ev_MetaData=0 Smx_Config_Version=2
Identity_Source=0 Smx_Policy_Id=0 Flow_ConnId=456 Smx_Egress_Interface_Id=0
Smx_Ingress_Interface_Id=0 Avc_App_Id=300003 Ev_GenTime=2/24/2013 10:04:09 PM
Flow_Protocol=6 Flow_SrcIp=1.1.1.1 Flow_DstIp=1.1.1.1 Flow_SrcPort=60221
Flow_DstPort=80 Ev_Producer_Id=5 Flow_Transaction_Id=0 Url=recordflow.biz
Flow_DstHostName=recordflow.bizSmx_Policy_Id=0 Flow_Bytes_Sent=391
Http_Response_Status=302 Flow_Bytes_Received=647

Origin port (source in a network traffic flow context).

Network Tab 212


LogRhythm Schema Dictionary and Guide

• Cisco ISE
02 10 2014 13:54:24 1.1.1.1 <LOC6:NOTE> Feb 10 13:54:43 USABLDRRECFLOW01
CISE_Failed_Attempts 0000217969 2 0 2014-02-10 13:54:43.264 +02:00 0008145644
5413 NOTICE Failed-Attempt: RADIUS Accounting-Request dropped,
ConfigVersionId=143, Device IP Address=1.1.1.1, Device Port=1646,
DestinationIPAddress=1.1.1.1, DestinationPort=1646, Protocol=Radius,
NetworkDeviceName=Switch_3560-X_2, NAS-IP-Address=1.1.1.1, NAS-Port=50023,
Service-Type=Framed, Acct-Status-Type=Start, Acct-Delay-Time=20, Acct-Session-
Id=00002222, Acct-Authentic=Local, NAS-Port-Type=Ethernet, NAS-Port-
Id=GigabitEthernet0/23, cisco-av-pair=connect-progress=Call Up, AcsSessionID=
USABLDRRECFLOW01/151856948/212124, FailureReason=11038 RADIUS Accounting-Request
header contains invalid Authenticator field, Step=11004, Step=11017, Step=11038,
Step=5413, NetworkDeviceGroups=Device Type#All Device Types#Switch,
NetworkDeviceGroups=Location#All Locations#HQ, NetworkDeviceGroups=Unit#All
Units#Networking, NetworkDeviceGroups=ACS Group#All ACS Groups, ACS Group=ACS
Group#All ACS Groups,

Device Port shows the originating RADIUS request Port for the corresponding device IP. Destination
(Impacted) is the server being authenticated against (Client-Server relationship).

Network Tab 213


LogRhythm Schema Dictionary and Guide

Other MPE Fields


These fields do not immediately map to a tab in the Web Console:
• Items In
• Items Out
• [Tag1-Tag5]

Other MPE Fields 214


LogRhythm Schema Dictionary and Guide

[Tag1-Tag5]
Used only for subrules, and are invisible to the end user.

Data Type
String

Aliases
Use Alias

Client Console Full Name Not applicable

Client Console Short Name Not applicable

Web Console Tab/Name Not applicable

Elasticsearch Field Name Not applicable

Rule Builder Column Name Tag1, Tag2, Tag3, Tag4, Tag5

Regex Pattern <tag1>, <tag2>, <tag3>, <tag4>, <tag5>

NetMon Name Not applicable

Field Relationships
Any field you do not use to create subrules—for example, command.

Common Applications
Not applicable.

Use Case
Creating subrules not based on VMID, ThreatID, or Severity.

MPE/Data Masking Manipulations


They are invisible outside of MPE Rule Builder.

Other MPE Fields 215


LogRhythm Schema Dictionary and Guide

Usage Standards
If you want to create a subrule of a value not captured into VMID, ThreatID, or Severity, a tag must be nested
within the existing metatag.

Examples
These tags can be used in a wide variety of situations. Because these fields do not appear as parsed fields
outside of the rule builder, refer to the usage standards to determine when to use these fields. 

Other MPE Fields 216


LogRhythm Schema Dictionary and Guide

Items In
Items—not otherwise defined specifically—received from a device, system, or process.

Data Type
Double

Aliases
Use Alias

Client Console Full Name Not applicable

Client Console Short Name Not applicable

Web Console Tab/Name Not applicable

Elasticsearch Field Name itemsPacketsIn

Rule Builder Column Name ItemsIn

Regex Pattern <itemsin>

NetMon Name Not applicable

Field Relationships
• Packets In
• Packets Out
• Bytes In/Bytes Out

Common Applications
Devices that send and receive nonspecific item types.

Use Case
• Inventory control
• Phone logs

Other MPE Fields 217


LogRhythm Schema Dictionary and Guide

MPE/Data Masking Manipulations


• Polyfield
• <items> tag can be used for a single item value.
• In rule builder, parses in itemsin/itemsout.

Usage Standards
• Use when bytes, bits, or packets in field is not appropriate
• Use for the number of objects transferred in.

Examples
• A10 Networks Load Balancer
09 08 2011 12:36:04 1.1.1.1 <LOC0:INFO> USABLDRRECFLOW01: [HA]<6> Sent 577,
Received 559, Duplicate Id's 0, Wrong Group 0, Missed 0, Inaccurate Time 0

Total received Items.

• SharePoint Audit
9/5/2008 5:03:44 PM event=100 account=safaware\pete.store userid=922
machinename= machineip= doclocation=ncsportal locationtype=0 eventname=
eventsource=1 sourcename= eventdata=<Export><RequestedBy>safaware\pete.store</
RequestedBy><Completed /><TotalItems>5</TotalItems><TotalSizeInBytes>120703</
TotalSizeInBytes></Export>

Total Items could be parsed into <items>.

Other MPE Fields 218


LogRhythm Schema Dictionary and Guide

Items Out
Items—not otherwise defined specifically—received from a device, system, or process.

Data Type
Double

Aliases
Use Alias

Client Console Full Name Not applicable

Client Console Short Name Not applicable

Web Console Tab/Name Not applicable

Elasticsearch Field Name itemsPacketsOut

Rule Builder Column Name ItemsOut

Regex Pattern <itemsout>

NetMon Name Not applicable

Field Relationships
• Items In
• Packets In
• Packets Out
• Bytes In/Bytes Out

Common Applications
Devices that send and receive nonspecific item types.

Use Case
• Inventory control
• Phone logs

Other MPE Fields 219


LogRhythm Schema Dictionary and Guide

MPE/Data Masking Manipulations


• Polyfield
• <items> tag can be used for a single item value.
• In rule builder, parses into itemsin/itemsout.

Usage Standards
• Use when bytes, bits, or packets out field is not appropriate.
• Number of objects transferred out.

Examples
• A10 Networks Load Balancer
09 08 2011 12:36:04 1.1.1.1 <LOC0:INFO> USABLDRRECFLOW01: [HA]<6> Sent 577,
Received 559, Duplicate Id's 0, Wrong Group 0, Missed 0, Inaccurate Time 0

Total received Items.

Other MPE Fields 220


LogRhythm Schema Dictionary and Guide

Derived Data
Derived data is not parsed in the schema, but is instead inferred and built from other metadata fields. 

Derived Data 221


LogRhythm Schema Dictionary and Guide

Identity-Derived Data
Identity-Derived data is augmented by LogRhythm’s Identity feature. If you have configured known identities
and have the feature enabled, then these fields are populated with known identity data.

Display Field Description Associated Data Sources

User Identity (Origin) The identity that has the login in the User Only matches login Identifier fields
(Origin) field associated with it.

User Identity (Impacted) The identity that has the User (Impacted) Only matches login Identifier fields
field associated with it.

Recipient Identity Identity that has the Recipient's email Only matches email Identifier fields
address associated with it.

Sender Identity Identity that has the Sender's email Only matches email Identifier fields
address associated with it.

Derived Data 222


LogRhythm Schema Dictionary and Guide

Log-Derived Data
Derived data is generated based on information about the parser (for example, Common Event), on post
processing information parsed out of the log (for example, Duration), or contextual information linking the
log data to an entity or host (for example, Priority). The following fields are Log-Derived data where the value
of the field is not part of the original log. 

Display Field Description Associated Data


Sources

Application Tab

Application Application derived by IANA protocol and port number or directly Protocol Number
assigned in MPE processing settings.  Protocol Name
Origin/Impacted
Port

Known Application derived from IANA protocol and port number. If a known Protocol Name
Application application cannot be derived, it is displayed as unknown.  Protocol Number
Origin/Impacted
Port

Duration Duration is a polyfield for capturing time derived. Time Start


Time End
Days
Hours
Minutes
Seconds
Milliseconds
Microseconds
Nanoseconds

Classification Tab

Classification Value is determined based on the MPE Rule’s assigned Common Assigned
Event.
Classification choice is a secondary effect of choosing the correct
common event for a rule. Each common event has a classification
and the classification is automatically associated to the log via the
common event selection.

Common Event Value is determined based on the MPE Rule’s assigned Common Assigned
Event. 

Priority Value is determined based on the Risk-Based Priority (RBP) Risk-Based Priority
calculation.

Derived Data 223


LogRhythm Schema Dictionary and Guide

Display Field Description Associated Data


Sources

Direction Indicates the directional flow of data between the Origin Host and the Origin/Impacted
Impacted Host — Inbound, Outbound, Internal, External, or Host
Unknown. 

MPE Rule Name Name of rule that matched, assigned on rule creation. Assigned

Host Tab

Host (Origin) Origin host derived from Origin IP Address, Origin Hostname, or both. IP Address (Origin)
Hostname (Origin)

Host (Impacted) Impacted host derived from Impacted IP Address, Impacted IP Address
Hostname, or both. (Impacted)
Hostname
(Impacted)

Known Host A value determined by mapping parsed origin host identifiers, such as IP Address (Origin)
(Origin) IP address or hostname, to a LogRhythm host record. Hostname (Origin)
LogRhythm Host
Record

Known Host A value determined by mapping parsed impacted host identifiers, IP Address
(Impacted) such as IP address or hostname, to a LogRhythm host record. (Impacted)
Hostname
(Impacted)
LogRhythm Host
Record

Location Tab

Entity (Origin) A value determined based on the origin host's assigned entity. IP Address (Origin)
Hostname (Origin)
Entity

Entity (Impacted) A value determined based on the impacted host's assigned entity. IP Address
(Impacted)
Hostname
(Impacted)
Entity

Zone (Origin) A value determined based on the zone of the origin host – Internal, IP Address (Origin)
External, DMZ, or Unknown.

Derived Data 224


LogRhythm Schema Dictionary and Guide

Display Field Description Associated Data


Sources

Zone (Impacted) A value determined based on the zone of the impacted host – IP Address
Internal, External, DMZ, or Unknown. (Impacted)

Location (Origin) A value determined by resolving the parsed origin IP address against IP Address (Origin)
a Geo-IP database. 

Location A value determined by resolving the parsed impacted IP address IP Address


(Impacted) against a Geo-IP database.  (Impacted)

Country (Origin) The country in which the determined origin location exists.  IP Address (Origin)

Country The country in which the determined impacte location exists. IP Address
(Impacted) (Impacted)

Log Tab

Log Date/Normal Timestamp when the log was generated or received, corrected to Agent
Date UTC.

Log Count The number of identical log messages received. Agent

Log Source Entity The entity to which the log source belongs. Agent

Log Source Type The device or application from which a log was received. Agent

Log Source Host The origin host from which the log was received. Agent

Log Source The assigned name of a log source. Agent

Log Sequence The sequence in which a log was collected, generated by the Agent. Agent
Number

Log Message The raw log message. Agent

First Log Date Timestamp when the first identical log message was received. Agent

Last Log Date Timestamp when the last identical log message was received. Agent

Network Tab

Network (Origin) A value determined by mapping the origin IP address to a LogRhythm IP Address (Origin)
network record. LogRhythm Network
Record

Derived Data 225


LogRhythm Schema Dictionary and Guide

Display Field Description Associated Data


Sources

Network A value determined by mapping the impacted IP address to a IP Address


(Impacted) LogRhythm network record. (Impacted)
LogRhythm Network
Record

Derived Data 226

You might also like