Event log description
Field name |
Description |
Example value |
---|---|---|
user |
The username. |
Admin |
timestamp |
Time when the event was received. Format: yyyy-mm-ddThh:mm:ssZ. |
2022-05-12T08:11:46.15869Z |
ip_address |
IPv4 address of the event source. |
192.168.174.134 |
node |
The unique name of the device that generated the event. |
utmcore@ersthetatica |
attributes |
Event details in JSON format. |
{"rule":{"logrotate":12,"attributes":{"timezone":"Asia/Dubai"},"id":"66f9de9f-d698-4bec-b3b0-ba65b46d3608","name":"Example log export ftp"} |
event_type |
Event type. |
logexport_rule_updated |
event_severity |
The severity of the event. |
info, warning, error, or critical |
event_origin |
Module where the event occurred. |
core |
event_component |
Component where the event occurred. |
console_auth |
Web access log description
Field name |
Description |
Example value |
||
---|---|---|---|---|
timestamp |
Time when the event was received. Format: yyyy-mm-ddThh:mm:ssZ. |
2022-05-12T08:11:46.15869Z |
||
url_categories |
id |
ID of the category to which the URL belongs. |
39 |
|
threat_level |
Threat level for the URL category. |
Available values:
|
||
name |
Name of the category to which the URL belongs. |
Social Networking |
||
bytes_sent |
Number of bytes transmitted from the source to the destination. |
52 |
||
node |
The unique name of the device that generated the event. |
utmcore@ersthetatica |
||
packets_recv |
Number of bytes transmitted from the destination to the source. |
5 |
||
request_method |
Method used to access the URL address (POST, GET, etc.). |
GET |
||
url |
Contains the URL of the requested resource and the protocol used. |
|||
packets_sent |
Number of packets transmitted from the source to the destination. |
2 |
||
action |
Action taken by the device according to the configured policies. |
block |
||
media_type |
The type of the content. |
application/json |
||
host |
Hostname. |
|||
session |
Session ID. |
a7a3cd49-8232-4f1a-962a-3659af89e96f (if System: 00000000-0000-0000-0000-000000000000) |
||
app_protocol |
Application layer protocol and its version. |
HTTP/1.1 |
||
status_code |
Status code. |
302 |
||
bytes_recv |
Number of packets transmitted from the destination to the source. |
100 |
||
http_referer |
Request source URL (HTTP referer). |
|||
decrypted |
Indicates if the content was decrypted. |
true, false |
||
reasons |
The reason why the event was created, e.g. the reason for the site block. |
"url_cats":[{"id":39,"name":"Social Networking","threat_level":3}] |
||
useragent |
Browser useragent. |
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0 |
||
source |
zone |
guid |
Unique ID of the traffic source zone. |
d0038912-0d8a-4583-a525-e63950b1da47 |
name |
Source zone name. |
Trusted |
||
country |
Traffic source country. |
AE (a two-letter country code is displayed) |
||
ip |
Source IPv4 address. |
10.10.10.10 |
||
port |
Source port |
Values: 0-65535. |
||
destination |
zone |
guid |
Unique ID of the traffic destination zone. |
3c0b1253-f069-4060-903b-5fec4f465db0 |
name |
Traffic destination zone name. |
Untrusted |
||
country |
The destination country. |
AE (a two-letter country code is displayed) |
||
ip |
Destination IPv4 address. |
192.168.174.134 |
||
port |
Destination port |
Values: 0-65535. |
||
rule |
guid |
Unique ID of the rule triggered to cause the event. |
f93da24d-74f9-4f8c-9e9b-8e6d02346fb4 |
|
name |
The name of the rule. |
Default allow |
||
user |
guid |
Unique ID of the user. |
a7a3cd49-8232-4f1a-962a-3659af89e96f |
|
name |
Username. |
user_name |
||
groups |
guid |
Unique ID of the group the user is a member of. |
919878b2-e882-49ed-3331-8ec72c3c79cb |
|
name |
Name of the group the user is a member of. |
Default Group |
DNS log description
Field name |
Description |
Example value |
||
---|---|---|---|---|
timestamp |
Time when the event was received. Format: yyyy-mm-ddThh:mm:ssZ. |
2022-05-12T08:11:46.15869Z |
||
node |
The unique name of the device that generated the event. |
|||
proto |
Level 4 protocol used. |
UDP |
||
data |
Indicates the data being transmitted. |
{"question":[{"domain":"google.com","type":"A","class":"IN"}], "answer":[{"domain":"google.com","type":"TXT","class":"IN","ttl":5,"data":"Blocked"},{"domain":"google.com","type":"A","class":"IN","ttl":5,"data":"10.10.0.1"}]} |
||
reasons |
The reason why the event was created, e.g. the URL category on which the rule was triggered. |
{"url_cats":[{"id":37,"name":"Search Engines & Portals","threat_level":1}]} |
||
url_categories |
id |
ID of the triggered URL category. |
37 |
|
threat_level |
Threat level of the triggered category. |
Available values:
|
||
name |
Name of the triggered category. |
Search Engines & Portals |
||
source |
zone |
guid |
Unique ID of the traffic source zone. |
d0038912-0d8a-4583-a525-e63950b1da47 |
name |
Traffic source zone name. |
Trusted |
||
country |
Source country name. |
AE (a two-letter country code is displayed) |
||
ip |
IPv4 address of the traffic source. |
10.10.10.10 |
||
port |
Source port |
Values: 0-65535. |
||
destination |
zone |
guid |
Unique ID of the traffic destination zone. |
3c0b1253-f069-4060-903b-5fec4f465db0 |
name |
Traffic destination zone name. |
Untrusted |
||
country |
Destination country name. |
AE (a two-letter country code is displayed) |
||
ip |
IPv4 address of the traffic destination. |
104.19.197.151 |
||
port |
Destination port |
Values: 0-65535. Port 53 is normally used for DNS. |
||
rule |
guid |
Unique ID of the rule triggered to cause the event. |
59e38e06-533a-4771-9664-031c3e8b2e1f |
|
name |
Name of the rule triggered to cause the event. |
Rule1 |
||
user |
guid |
Unique ID of the user. If the user type is Unknown then the ID: 00000000-0000-0000-0000-000000000000. |
a7a3cd49-8232-4f1a-962a-3659af89e96f |
|
name |
The username. |
user1 |
||
groups |
guid |
Unique ID of the group the user is a member of. |
919878b2-e882-49ed-3331-8ec72c3c79cb |
|
name |
Name of the group the user is a member of. |
Default Group |
Traffic log description
Field name |
Description |
Example value |
||
---|---|---|---|---|
timestamp |
Time when the event was received. Format: yyyy-mm-ddThh:mm:ssZ. |
2022-05-12T08:11:46.15869Z |
||
bytes_sent |
Number of bytes transmitted from the source to the destination. |
100 |
||
node |
The unique name of the device that generated the event. |
utmcore@ersthetatica |
||
packets_recv |
Number of packets transmitted from the destination to the source. |
1 |
||
proto |
Level 4 protocol used. |
TCP or UDP |
||
packets_sent |
Number of packets transmitted from the source to the destination. |
1 |
||
action |
Action taken by the device according to the configured policies. |
accept |
||
session |
Session ID. |
a7a3cd49-8232-4f1a-962a-3659af89e96f (if System: 00000000-0000-0000-0000-000000000000) |
||
bytes_recv |
Number of bytes transmitted from the destination to the source. |
6 |
||
signatures |
id |
ID of the triggered signature. |
999999 |
|
threat_level |
Threat level of the triggered signature. |
Available values:
|
||
name |
Name of the triggered signature. |
BlackSun Test |
||
application |
id |
Application ID. |
195 |
|
threat_level |
Application threat level. |
Available values:
|
||
name |
Application name. |
Youtube |
||
source |
zone |
guid |
Unique ID of the traffic source zone. |
d0038912-0d8a-4583-a525-e63950b1da47 |
name |
Traffic source zone name. |
Trusted |
||
country |
Source country name. |
AE (a two-letter country code is displayed) |
||
ip |
IPv4 address of the traffic source. |
10.10.10.10 |
||
port |
Source port |
Values: 0-65535. |
||
destination |
zone |
guid |
Unique ID of the traffic destination zone. |
3c0b1253-f069-4060-903b-5fec4f465db0 |
name |
Traffic destination zone name. |
Untrusted |
||
country |
Destination country name. |
AE (a two-letter country code is displayed) |
||
ip |
IPv4 address of the traffic destination. |
104.19.197.151 |
||
port |
Destination port |
Values: 0-65535. |
||
nat |
source |
ip |
Source address after reassignment (if NAT rules are configured). |
192.168.117.85 (if NAT is not configured then "nat":null) |
port |
Source port after reassignment (if NAT rules are configured). |
Values: 0-65535 (if NAT is not configured then "nat":null) |
||
destination |
ip |
Destination address after reassignment (if NAT rules are configured). |
64.233.164.198 (if NAT is not configured then "nat":null) |
|
port |
Source port after reassignment (if NAT rules are configured). |
Values: 0-65535 (if NAT is not configured then "nat":null) |
||
rule |
guid |
Unique ID of the rule triggered to cause the event. |
59e38e06-533a-4771-9664-031c3e8b2e1f |
|
type |
Rule type. |
firewall |
||
name |
Name of the rule triggered to cause the event. |
Allow trusted to untrusted |
||
user |
guid |
Unique ID of the user. If the user type is Unknown then the ID: 00000000-0000-0000-0000-000000000000. |
a7a3cd49-8232-4f1a-962a-3659af89e96f |
|
name |
The username. |
Admin |
||
groups |
guid |
Unique ID of the group the user is a member of. |
919878b2-e882-49ed-3331-8ec72c3c79cb |
|
name |
Name of the group the user is a member of. |
Default Group |
IDPS log description
Field name |
Description |
Example value |
||
---|---|---|---|---|
timestamp |
Time when the event was received. Format: yyyy-mm-ddThh:mm:ssZ. |
2022-05-12T08:11:46.15869Z |
||
session |
Session ID. |
a7a3cd49-8232-4f1a-962a-3659af89e96f (if System: 00000000-0000-0000-0000-000000000000) |
||
packets_sent |
Number of packets transmitted from the source to the destination. |
1 |
||
packets_recv |
Number of packets transmitted from the destination to the source. |
1 |
||
node |
The unique name of the device that generated the event. |
utmcore@ersthetatica |
||
proto |
Level 4 protocol used. |
TCP or UDP |
||
bytes_sent |
Number of bytes transmitted from the source to the destination. |
100 |
||
bytes_recv |
Number of bytes transmitted from the destination to the source. |
6 |
||
action |
Action taken by the device according to the configured policies. |
accept |
||
application |
id |
Application ID. |
195 |
|
threat_level |
Application threat level. |
Available values:
|
||
name |
Application name. |
Youtube |
||
user |
guid |
Unique ID of the user. If the user type is Unknown then the ID: 00000000-0000-0000-0000-000000000000. |
a7a3cd49-8232-4f1a-962a-3659af89e96f |
|
name |
The username. |
Admin |
||
groups |
guid |
Unique ID of the group the user is a member of. |
919878b2-e882-49ed-3331-8ec72c3c79cb |
|
name |
Name of the group the user is a member of. |
Default Group |
||
rule |
guid |
Unique ID of the rule triggered to cause the event. |
59e38e06-533a-4771-9664-031c3e8b2e1f |
|
name |
Name of the rule triggered to cause the event. |
Allow trusted to untrusted |
||
signatures |
id |
ID of the triggered signature. |
999999 |
|
threat_level |
Threat level of the triggered signature. |
Available values:
|
||
name |
Name of the triggered signature. |
BlackSun Test |
||
source |
zone |
guid |
Unique ID of the traffic source zone. |
d0038912-0d8a-4583-a525-e63950b1da47 |
name |
Traffic source zone name. |
Trusted |
||
country |
Source country name. |
AE (a two-letter country code is displayed) |
||
ip |
IPv4 address of the traffic source. |
10.10.10.10 |
||
port |
Source port |
Values: 0-65535. |
||
destination |
zone |
guid |
Unique ID of the traffic destination zone. |
3c0b1253-f069-4060-903b-5fec4f465db0 |
name |
Traffic destination zone name. |
Untrusted |
||
country |
Destination country name. |
AE (a two-letter country code is displayed) |
||
ip |
IPv4 address of the traffic destination. |
104.19.197.151 |
||
port |
Destination port |
Values: 0-65535. |
SCADA log description
Field name |
Description |
Example value |
||
---|---|---|---|---|
timestamp |
Time when the event was received. Format: yyyy-mm-ddThh:mm:ssZ. |
2022-05-12T08:11:46.15869Z |
||
pdu_severity |
SCADA severity. |
1 |
||
pdu_func |
Function code (instructs the slave what data the master requires from it or what action to perform). |
12 |
||
pdu_address |
Registry address with which the operation should be performed. |
3154 |
||
node |
The unique name of the device that generated the event. |
utmcore@ersthetatica |
||
details |
pdu_varname |
Variable name. Parameter is mainly used for real-time data exchange. Refers to the MMS protocol. |
VAR |
|
pdu_device |
Address of the device used in the MMS and OPCUA protocols. |
DEV |
||
mb_write_quantity |
Number of values to write (Read Write Register command). |
998 |
||
mb_write_addr |
Start register address to write (Read Write Register command). |
776 |
||
mb_value |
Value to write (for Write Single Coil, Write Single Register commands). |
322 |
||
mb_unit_id |
Device address. |
186 |
||
mb_read_quantity |
Number of values to read (Read Write Register command). |
658 |
||
mb_read_addr |
Start registry address to read (Read Write Register command). |
122 |
||
mb_quantity |
Number of values to read. |
875 |
||
mb_payload |
Register values (for Read Coil, Read Holding Registers, Read Input Registers, Read/Write Multiple registers, Write Multiple Coil commands). |
75be5ecdc24f9883 |
||
mb_or_mask |
OR mask value of the Mask Write Register command. |
1024 |
||
mb_message |
Modbus message. |
exception |
||
mb_exception_code |
Error code. For the error_response message type. |
255 |
||
mb_and_mask |
AND mask value of the Mask Write Register command. |
121 |
||
mb_addr |
Registry address. |
3154 |
||
iec104_msgtype |
Type of the query. |
request, response, error_response |
||
iec104_ioa |
Address of information object, which allows the receiving party to unambiguously identify the type of event. |
23 |
||
iec104_cot |
Reason for transmitting an Application Protocol Data Unit (APDU). |
6 |
||
iec104_asdu |
The ASDU address (COA, or Common Object Address). Refers to the IEC-104 protocol. |
123 |
||
app_protocol |
Application layer protocol |
Modbus |
||
action |
Action taken by the device according to the configured policies. |
pass |
||
source |
zone |
guid |
Unique ID of the traffic source zone. |
d0038912-0d8a-4583-a525-e63950b1da47 |
name |
Traffic source zone name. |
Trusted |
||
country |
Source country name. |
AE (a two-letter country code is displayed) |
||
ip |
IPv4 address of the traffic source. |
10.10.10.10 |
||
port |
Source port |
Values: 0-65535. |
||
destination |
zone |
guid |
Unique ID of the traffic destination zone. |
3c0b1253-f069-4060-903b-5fec4f465db0 |
name |
Traffic destination zone name. |
Untrusted |
||
country |
Destination country name. |
AE (a two-letter country code is displayed) |
||
ip |
IPv4 address of the traffic destination. |
104.19.197.151 |
||
port |
Destination port |
Values: 0-65535. |
||
rule |
guid |
Unique ID of the rule triggered to cause the event. |
59e38e06-533a-4771-9664-031c3e8b2e1f |
|
name |
Name of the rule triggered to cause the event. |
SCADA Sample Rule |
SSH inspection log description
Field name |
Description |
Example value |
||
---|---|---|---|---|
timestamp |
Time when the event was received. Format: yyyy-mm-ddThh:mm:ssZ. |
2022-05-12T08:11:46.15869Z |
||
node |
The unique name of the device that generated the event. |
utmcore@ersthetatica |
||
command |
Command sent via SSH. |
whoami |
||
app_threat |
Application threat level. |
Available values: from 2 to 10 (set application threat level multiplied by 2) |
||
app_protocol |
Application layer protocol |
SSH or SFTP |
||
app_id |
Application ID. |
195 |
||
action |
Action taken by the device according to the configured policies. |
block |
||
source |
zone |
guid |
Unique ID of the traffic source zone. |
d0038912-0d8a-4583-a525-e63950b1da47 |
name |
Traffic source zone name. |
Trusted |
||
country |
Source country name. |
AE (a two-letter country code is displayed) |
||
ip |
IPv4 address of the traffic source. |
10.10.10.10 |
||
port |
Source port |
Values: 0-65535. |
||
mac |
Source MAC address. |
FA:16:3E:65:1C:B4 |
||
destination |
zone |
guid |
Unique ID of the traffic destination zone. |
3c0b1253-f069-4060-903b-5fec4f465db0 |
name |
Traffic destination zone name. |
Untrusted |
||
country |
Destination country name. |
AE (a two-letter country code is displayed) |
||
ip |
IPv4 address of the traffic destination. |
104.19.197.151 |
||
port |
Destination port |
Values: 0-65535. |
||
rule |
guid |
Unique ID of the rule triggered to cause the event. |
59e38e06-533a-4771-9664-031c3e8b2e1f |
|
name |
Name of the rule triggered to cause the event. |
SSH Rule Example |
||
user |
guid |
Unique ID of the user. If the user type is Unknown then the ID: 00000000-0000-0000-0000-000000000000. |
a7a3cd49-8232-4f1a-962a-3659af89e96f |
|
name |
The username. |
Admin |
||
groups |
guid |
Unique ID of the group the user is a member of. |
919878b2-e882-49ed-3331-8ec72c3c79cb |
|
name |
Name of the group the user is a member of. |
Default Group |
Mail Security Log Description
Field name |
Description |
Example value |
||
---|---|---|---|---|
timestamp |
Time when the event was received. Format: yyyy-mm-ddThh:mm:ssZ. |
2022-05-12T08:11:46.15869Z |
||
node |
The unique name of the device that generated the event. |
|||
from |
Sender email. |
|||
to |
Recipient email. |
|||
app_protocol |
Application layer network protocol. |
SMTP |
||
source |
zone |
guid |
Unique ID of the traffic source zone. |
d0038912-0d8a-4583-a525-e63950b1da47 |
name |
Traffic source zone name. |
Trusted |
||
country |
Source country name. |
AE (a two-letter country code is displayed) |
||
ip |
IPv4 address of the traffic source. |
10.10.10.10 |
||
port |
Source port |
Values: 0-65535. |
||
destination |
zone |
guid |
Unique ID of the traffic destination zone. |
3c0b1253-f069-4060-903b-5fec4f465db0 |
name |
Traffic destination zone name. |
Untrusted |
||
country |
Destination country name. |
AE (a two-letter country code is displayed) |
||
ip |
IPv4 address of the traffic destination. |
10.10.10.10 |
||
port |
Destination port |
Values: 0-65535. |
||
rule |
guid |
Unique ID of the rule triggered to cause the event. |
59e38e06-533a-4771-9664-031c3e8b2e1f |
|
name |
Name of the rule triggered to cause the event. |
Mail security rule |
||
user |
guid |
Unique ID of the user. |
a7a3cd49-8232-4f1a-962a-3659af89e96f |
|
name |
The username. |
user_name |
||
groups |
guid |
Unique ID of the group the user is a member of. |
919878b2-e882-49ed-3331-8ec72c3c79cb |
|
name |
Name of the group the user is a member of. |
Default Group |
Endpoint Event Log Description
Field name |
Description |
Example value |
||
---|---|---|---|---|
user_name |
The username. |
DESKTOP-0731NFQ\\Username |
||
timestamp |
Time when the event was received. Format: yyyy-mm-ddThh:mm:ssZ. |
2022-05-12T08:11:46.15869Z |
||
status |
The result of executing a WMI or SNMP query. |
OK, Error |
||
source_name |
Log event source. |
Microsoft-Windows-Security-Auditing |
||
endpoint_name |
Endpoint device or sensor name. |
DESKTOP-0731NFQ |
||
endpoint_id |
Endpoint device or sensor ID. |
35fb5820-74db-4eac-b05b-d01bc284c4e8 |
||
node |
The ID of the endpoint device or node on which the sensor is running. |
35fb5820-74db-4eac-b05b-d01bc284c4e8 |
||
log_level |
Event type. |
Success audit, Warning, Details, Rejection audit, Error |
||
log_file |
Type of the log containing important information on the software and hardware events. |
Security (security log file), Application (application log file), System (system log file), Windows PowerShell |
||
log_event_type |
Log event type. |
1 (error), 2 (warning), 3 (information), 4 (audit success), 5 (audit failure). |
||
log_event_id |
Event ID. |
4672 |
||
log_event_code |
Log event code. |
14056 |
||
log_category_string |
The event's category. |
Special Logon |
||
insertion_string |
The insertion string is the EventData block of the Windows event data. |
Windows DefenderSECURITY_PRODUCT_STATE_ON |
||
error |
The WMI or SNMP error that occurred as a result of the query. |
0 |
||
data |
Detailed information about the event. |
The startup type of the "Windows Module Installer" service has been changed from "Automatic" to "Manual". |
||
counter_id |
The ID of the counter added to the WMI and SNMP sensor. |
35fb5820-74db-4eac-b05b-d01bc284c4e8 |
||
computer_name |
Computer name |
DESKTOP-0731NFQ |
Endpoint Rule Log Description
Field name |
Description |
Example value |
||
---|---|---|---|---|
url_categories |
id |
ID of the category to which the URL belongs. |
39 |
|
threat level |
Threat level for the URL category. |
Available values:
|
||
name |
Name of the category to which the URL belongs. |
Social Networking |
||
timestamp |
Time when the event was received. Format: yyyy-mm-ddThh:mm:ssZ. |
2022-05-12T08:11:46.15869Z |
||
endpoint_name |
Endpoint device name. |
DESKTOP-0731NFQ |
||
endpoint_id |
The endpoint device ID. |
35fb5820-74db-4eac-b05b-d01bc284c4e8 |
||
media_type |
The type of the content. |
application/json |
||
ip_protocol |
Number of the network protocol used. |
4 |
||
host |
Hostname. |
|||
app_name |
Application to which the firewall rule was applied. |
C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe |
||
action |
Action taken by the device according to the configured policies. |
drop, accept, nat |
||
source |
ip |
Source IPv4 address. |
10.10.10.10 |
|
port |
Source port |
Values: 0-65535. |
||
destination |
ip |
Destination IPv4 address. |
104.19.197.151 |
|
port |
Destination port |
Values: 0-65535. |
||
rule |
guid |
Unique ID of the rule triggered to cause the event. |
f93da24d-74f9-4f8c-9e9b-8e6d02346fb4 |
|
name |
Name of the rule triggered to cause the event. |
Default allow |
Endpoint Application Log Description
Field name |
Description |
Example value |
||
---|---|---|---|---|
user_name |
Name of the user whose account is logged in on the endpoint device. |
DESKTOP-0731NFQ\\User |
||
timestamp |
Time when the event was received. Format: yyyy-mm-ddThh:mm:ssZ. |
2022-05-12T08:11:46.15869Z |
||
endpoint_name |
Endpoint device or sensor name. |
DESKTOP-0731NFQ |
||
endpoint_id |
Endpoint device or sensor ID. |
35fb5820-74db-4eac-b05b-d01bc284c4e8 |
||
process_id |
Process ID. |
3916 |
||
hash |
The application hash. |
B4CE5C3495FEA0A4FDBAC8ABDCD199F7E4CA8C1F |
||
app_name |
Application that was started/stopped. |
C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe |
||
action |
Action (application start or stop). |
start, stop |
||
version |
The application version. |
6.2.19041.746 |
||
subject |
Signature subject. |
Microsoft Corporation |
||
issuer |
The issuer of the application's certificate. |
Microsoft Windows Production PCA 2011 |
||
cmd_line |
Command line prompt. |
C:\\Windows\\system32\\svchost.exe -k wsappx -p -s AppXSvc |
||
session_id |
Session ID. |
1656038456 |
Endpoint Hardware Log Description
Field name |
Description |
Example value |
||
---|---|---|---|---|
timestamp |
Time when the event was received. Format: yyyy-mm-ddThh:mm:ssZ. |
2022-05-12T08:11:46.15869Z |
||
endpoint_name |
Endpoint device or sensor name. |
DESKTOP-0731NFQ |
||
endpoint_id |
Endpoint device or sensor ID. |
35fb5820-74db-4eac-b05b-d01bc284c4e8 |
||
action |
Action (connect or remove a device). |
add_device, remove_device |
||
device_name |
The name of the device that was added or removed. |
Generic USB Hub |
||
device_id |
Device ID. |
USB\\VID_0E0F&PID_0002\\6&201153C1&0&7 |
||
service |
A Windows driver that allows the computer to communicate with hardware/device. |
USBHUB3 |
Windows Active Directory Log Description
Field name |
Description |
Example value |
||
---|---|---|---|---|
timestamp |
Time when the event was received. Format: yyyy-mm-ddThh:mm:ssZ. |
2022-05-12T08:11:46.15869Z |
||
node_name |
A name that uniquely identifies the UserGate device generating this event. |
|||
endpoint_id |
ID of the endpoint that is the source of the event. |
16535060-5a1a-4e92-8331-239406ec34da |
||
endpoint_name |
Имя конечного устройства --- источника события (UserGate клиента, сенсора WMI итд.). |
dep.local |
||
user_name |
The "User" field from AD log. |
user1.dep.local |
||
log_level |
The "Keywords" field from AD log. |
Audit Success |
||
log_category_string |
Event category code in the AD log. |
Group Membership |
||
log_file |
Windows log file. |
Security |
||
source_name |
The "Source" field from AD log. |
Microsoft-Windows-Security-Auditing |
||
data |
Event description in the AD log. |
Group membership information. Subject: \tSecurity ID:\t\tS-1-0-0 \tAccount Name:\t\t- \tAccount Domain:\t\t- \tLogon ID:\t\t0x0 Logon Type:\t\t\t3 New Logon: \tSecurity ID:\t\tS-1-5-21-3795870133-5220325-2125745684-1103 \tAccount Name:\t\tuser1 \tAccount Domain:\t\tDEP \tLogon ID:\t\t0x7A25A21 Event in sequence:\t\t1 of 1 Group Membership:\t\t\t \t\t%{S-1-5-21-3795870133-5220325-2125745684-513} \t\t%{S-1-1-0} \t\t%{S-1-5-32-544} \t\t%{S-1-5-32-555} \t\t%{S-1-5-32-545} \t\t%{S-1-5-32-554} \t\t%{S-1-5-2} \t\t%{S-1-5-11} \t\t%{S-1-5-15} \t\t%{S-1-5-21-3795870133-5220325-2125745684-512} \t\t%{S-1-5-21-3795870133-5220325-2125745684-572} \t\t%{S-1-5-64-10} \t\t%{S-1-16-12288} The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. This event is generated when the Audit Group Membership subcategory is configured. The Logon ID field can be used to correlate this event with the corresponding user logon event as well as to any other security audit events generated during this logon session. |
||
computer_name |
Windows node from the AD log where the event took place. |
DC1.dep.local |
||
insertion_string |
Parameters of the AD log event after message parsing. |
['S-1-0-0', '-', '-', '0x0', 'S-1-5-21-3795870133-5220325-2125745684-1103', 'user1', 'DEP', '0x7a25a21', '3', '1', '1', '\ \ \\t\\t% {S-1-5-21-3795870133-5220325-2125745684-513}\ \ \\t\\t%{S-1-1-0}\ \ \\t\\t%{S-1-5-32-544}\ \ \\t\\t%{S-1-5-32-555}\ \ \\t\\t%{S-1-5-32-545}\ \ \\t\\t%{S-1-5-32-554}\ \ \\t\\t%{S-1-5-2}\ \ \\t\\t%{S-1-5-11} \ \ \\t\\t%{S-1-5-15}\ \ \\t\\t%{S-1-5-21-3795870133-5220325-2125745684-512}\ \ \\t\\t%{S-1-5-21-3795870133-5220325-2125745684-572}\ \ \\t\\t%{S-1-5-64-10}\ \ \\t\\t%{S-1-16-12288}'] |
||
error |
Error code from the AD log that occurred while receiving data. |
0 |
||
status |
Error description from the AD log that occurred while receiving data. |
|||
counter_id |
Counter ID of the WMI sensor. |
login_logout |
||
log_event_code |
The "Event code" field from AD log. |
4627 |
||
log_event_id |
The "Event ID" field from AD log. |
4627 |
||
log_event_type |
Windows log even type (System/Security/Application etc.) |
4 |
Syslog Description
Field name |
Description |
Example value |
||
---|---|---|---|---|
timestamp |
Time when the event was received. Format: yyyy-mm-ddThh:mm:ssZ. |
2022-05-12T08:11:46.15869Z |
||
node |
The unique name of the device that generated the event. |
|||
syslog_facility |
Syslog event source type. Example: user-level messages. For more information about Syslog facility values, see RFC 5424. |
1 |
||
syslog_severity |
Syslog event severity level. Example: warning. For more information about Syslog severity values, see RFC 5424. |
4 |
||
computer_name |
The name of the device where the event occurred. |
node1 |
||
app_name |
Application triggering the event. |
org.gnome.Shell.desktop |
||
process_id |
PID of the process triggering the event. |
3036 |
||
data |
The event description. |
[3603:3603:1130/125201.838651:ERROR:CONSOLE(6)] \"console.assert\", source: devtools://devtools/bundled/devtools-frontend/front_end/panels/console/console.js (6) |
||
rule |
guid |
Unique ID of the rule triggered to cause the event. |
16535060-5a1a-4e92-8331-239406ec34da |
|
name |
Name of the rule triggered to cause the event. |
Example - Allow user-level messages |
UserID log description
Field name |
Description |
Example value |
||
---|---|---|---|---|
timestamp |
Time when the event was received. Format: yyyy-mm-ddThh:mm:ssZ. |
2022-05-12T08:11:46.15869Z |
||
node |
The unique name of the device that generated the event. |
|||
reasons |
The reason why the event was created. |
{\"user_groups_sids\":[\"S-1-5-21-3795870133-5220325-2125745684-513\",\"S-1-5-21-3795870133-5220325-2125745684-512\",\"S-1-5-21-3795870133-5220325-2125745684-572\"], \"user_sid\":\"S-1-5-21-3795870133-5220325-2125745684-1103\",\"login\":\"user1\",\"domain\":\"DEV\",\"event_id\":4624} |
||
action |
Action taken by the device according to the configured policies. |
login |
||
src_ip |
IPv4 address of the event source. |
10.10.0.11 |
||
rule |
guid |
Unique ID of the rule triggered to cause the event. |
16535060-5a1a-4e92-8331-239406ec34da |
|
name |
Name of the rule triggered to cause the event. |
dev.local |
||
user |
guid |
Unique ID of the user. If the user type is Unknown then the ID: 00000000-0000-0000-0000-000000000000. |
745591c3-9d21-092d-8db4-5b9b0000044f |
|
name |
The username. |
user1 |
||
groups |
guid |
Unique ID of the group the user is a member of. |
aa218609-8716-9252-df20-88c43a0d0bf6 |
|
name |
Name of the group the user is a member of. |
CN=Domain Users,CN=Users,DC=dev,DC=local |