CommonSecurityLog

Reference for CommonSecurityLog table in Azure Monitor Logs.

Attribute | Value
Category | Syslog/CEF
Basic Logs Eligible | Yes
Supports Transformations | Yes
Ingestion API Supported | Yes
Lake-Only Ingestion | Yes
Azure Monitor Tables Reference | (documentation link)
Azure Monitor Logs Ingestion API | (documentation link)

Schema (163 columns)

Source: Azure Monitor documentation

Column Name Type Description
_BilledSize real The record size in bytes
_IsBillable string Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account
_ResourceId string A unique identifier for the resource that the record is associated with
_SubscriptionId string A unique identifier for the subscription that the record is associated with
Activity string A string that represents a human-readable and understandable description of the event.
AdditionalExtensions string A placeholder for additional fields. Fields are logged as key-value pairs.
ApplicationProtocol string The protocol used in the application, such as HTTP, HTTPS, SSHv2, Telnet, POP, IMAP, IMAPS, and so on.
CollectorHostName string The hostname of the collector machine running the agent.
CommunicationDirection string Any information about the direction the observed communication has taken. Valid values: 0 = Inbound, 1 = Outbound.
Computer string Host, from Syslog.
DestinationDnsDomain string The DNS part of the fully-qualified domain name (FQDN).
DestinationHostName string The destination that the event refers to in an IP network. The format should be an FQDN associated with the destination node, when a node is available. For example: host.domain.com or host.
DestinationIP string The destination IpV4 address that the event refers to in an IP network.
DestinationMACAddress string The destination MAC address.
DestinationNTDomain string The Windows domain name of the destination address.
DestinationPort int Destination port. Valid values: 0 - 65535.
DestinationProcessId int The ID of the destination process associated with the event.
DestinationProcessName string The name of the event's destination process, such as telnetd or sshd.
DestinationServiceName string The service that is targeted by the event. For example: sshd.
DestinationTranslatedAddress string Identifies the translated destination referred to by the event in an IP network, as an IPv4 IP address.
DestinationTranslatedPort int Destination port after translation by a device such as a firewall. Valid values: 0 - 65535.
DestinationUserID string Identifies the destination user by ID. For example: in Unix, the root user is generally associated with the user ID 0.
DestinationUserName string Identifies the destination user by name.
DestinationUserPrivileges string Defines the destination user's privileges. Valid values: Administrator, User, Guest.
DeviceAction string The action mentioned in the event.
DeviceAddress string The IPv4 address of the device generating the event.
DeviceCustomDate1 string One of two timestamp fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
DeviceCustomDate1Label string All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
DeviceCustomDate2 string One of two timestamp fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
DeviceCustomDate2Label string All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
DeviceCustomFloatingPoint1 real One of four floating point fields available to map fields that do not apply to any other in this dictionary.
DeviceCustomFloatingPoint1Label string All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
DeviceCustomFloatingPoint2 real One of four floating point fields available to map fields that do not apply to any other in this dictionary.
DeviceCustomFloatingPoint2Label string All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
DeviceCustomFloatingPoint3 real One of four floating point fields available to map fields that do not apply to any other in this dictionary.
DeviceCustomFloatingPoint3Label string All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
DeviceCustomFloatingPoint4 real One of four floating point fields available to map fields that do not apply to any other in this dictionary.
DeviceCustomFloatingPoint4Label string All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
DeviceCustomIPv6Address1 string One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary.
DeviceCustomIPv6Address1Label string All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
DeviceCustomIPv6Address2 string One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary.
DeviceCustomIPv6Address2Label string All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
DeviceCustomIPv6Address3 string One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary.
DeviceCustomIPv6Address3Label string All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
DeviceCustomIPv6Address4 string One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary.
DeviceCustomIPv6Address4Label string All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
DeviceCustomNumber1 int Soon to be a deprecated field. Will be replaced by FieldDeviceCustomNumber1.
DeviceCustomNumber1Label string All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
DeviceCustomNumber2 int Soon to be a deprecated field. Will be replaced by FieldDeviceCustomNumber2.
DeviceCustomNumber2Label string All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
DeviceCustomNumber3 int Soon to be a deprecated field. Will be replaced by FieldDeviceCustomNumber3.
DeviceCustomNumber3Label string All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
DeviceCustomString1 string One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
DeviceCustomString1Label string All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
DeviceCustomString2 string One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
DeviceCustomString2Label string All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
DeviceCustomString3 string One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
DeviceCustomString3Label string All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
DeviceCustomString4 string One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
DeviceCustomString4Label string All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
DeviceCustomString5 string One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
DeviceCustomString5Label string All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
DeviceCustomString6 string One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
DeviceCustomString6Label string All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
DeviceDnsDomain string The DNS domain part of the fully qualified domain name (FQDN).
DeviceEventCategory string Represents the category assigned by the originating device. Devices often use their own categorization schema to classify events. Example: '/Monitor/Disk/Read'.
DeviceEventClassID string String or integer that serves as a unique identifier per event type.
DeviceExternalID string A name that uniquely identifies the device generating the event.
DeviceFacility string The facility generating the event. For example: auth or local1.
DeviceInboundInterface string The interface on which the packet or data entered the device. For example: ethernet1/2.
DeviceMacAddress string The MAC address of the device generating the event.
DeviceName string The FQDN associated with the device node, when a node is available. For example: host.domain.com or host.
DeviceNtDomain string The Windows domain of the device address.
DeviceOutboundInterface string Interface on which the packet or data left the device.
DevicePayloadId string Unique identifier for the payload associated with the event.
DeviceProduct string String that, together with DeviceVendor and DeviceVersion, uniquely identifies the type of sending device.
DeviceTimeZone string Timezone of the device generating the event.
DeviceTranslatedAddress string Identifies the translated device address that the event refers to, in an IP network. The format is an IPv4 address.
DeviceVendor string String that, together with DeviceProduct and DeviceVersion, uniquely identifies the type of sending device.
DeviceVersion string String that, together with DeviceVendor and DeviceProduct, uniquely identifies the type of sending device.
EndTime datetime The time at which the activity related to the event ended.
EventCount int A count associated with the event, showing how many times the same event was observed.
EventOutcome string Displays the outcome, usually as 'success' or 'failure'.
EventType int Event type. Valid values: 0 = base event, 1 = aggregated, 2 = correlation event, 3 = action event. Note: this field can be omitted for base events.
ExternalID int Soon to be a deprecated field. Will be replaced by ExtID.
ExtID string An ID used by the originating device (will replace legacy ExternalID). Typically, these values have increasing values that are each associated with an event.
FieldDeviceCustomNumber1 long One of three number fields available to map fields that do not apply to any other in this dictionary (will replace legacy DeviceCustomNumber1). Use sparingly and seek a more specific, dictionary supplied field when possible.
FieldDeviceCustomNumber2 long One of three number fields available to map fields that do not apply to any other in this dictionary (will replace legacy DeviceCustomNumber2). Use sparingly and seek a more specific, dictionary supplied field when possible.
FieldDeviceCustomNumber3 long One of three number fields available to map fields that do not apply to any other in this dictionary (will replace legacy DeviceCustomNumber3). Use sparingly and seek a more specific, dictionary supplied field when possible.
FileCreateTime string Time when the file was created.
FileHash string Hash of a file.
FileID string An ID associated with a file, such as the inode.
FileModificationTime string Time when the file was last modified.
FileName string The file's name, without the path.
FilePath string Full path to the file, including the filename. For example: C:\ProgramFiles\WindowsNT\Accessories\wordpad.exe or /usr/bin/zip.
FilePermission string The file's permissions. For example: '2,1,1'.
FileSize int The size of the file in bytes.
FileType string File type, such as pipe, socket, and so on.
FlexDate1 string A timestamp field available to map a timestamp that does not apply to any other defined timestamp field in this dictionary. Use all flex fields sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary.
FlexDate1Label string The label field is a string and describes the purpose of the flex field.
FlexNumber1 int Number fields available to map Int data that does not apply to any other field in this dictionary.
FlexNumber1Label string The label that describes the value in FlexNumber1
FlexNumber2 int Number fields available to map Int data that does not apply to any other field in this dictionary.
FlexNumber2Label string The label that describes the value in FlexNumber2
FlexString1 string One of two string fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary.
FlexString1Label string The label field is a string and describes the purpose of the flex field.
FlexString2 string One of two string fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary.
FlexString2Label string The label field is a string and describes the purpose of the flex field.
IndicatorThreatType string The threat type of the MaliciousIP according to our TI feed.
LogSeverity string A string or integer that describes the importance of the event. Valid string values: Unknown, Low, Medium, High, Very-High. Valid integer values: 0-3 = Low, 4-6 = Medium, 7-8 = High, 9-10 = Very-High.
MaliciousIP string If one of the IP addresses in the message correlated with the current TI feed, it is shown here.
MaliciousIPCountry string The country of the MaliciousIP according to the GEO information at the time of the record ingestion.
MaliciousIPLatitude real The Latitude of the MaliciousIP according to the GEO information at the time of the record ingestion.
MaliciousIPLongitude real The Longitude of the MaliciousIP according to the GEO information at the time of the record ingestion.
Message string A message that gives more details about the event.
OldFileCreateTime string Time when the old file was created.
OldFileHash string Hash of the old file.
OldFileID string An ID associated with the old file, such as the inode.
OldFileModificationTime string Time when the old file was last modified.
OldFileName string Name of the old file.
OldFilePath string Full path to the old file, including the filename. For example: C:\ProgramFiles\WindowsNT\Accessories\wordpad.exe or /usr/bin/zip.
OldFilePermission string Permissions of the old file. For example: '2,1,1'.
OldFileSize int The size of the old file in bytes.
OldFileType string File type of the old file, such as a pipe, socket, and so on.
OriginalLogSeverity string A non-mapped version of LogSeverity. For example: Warning/Critical/Info instead of the normalized Low/Medium/High in the LogSeverity field.
ProcessID int Defines the ID of the process on the device generating the event.
ProcessName string Process name associated with the event. For example: in UNIX, the process generating the syslog entry.
Protocol string Transport protocol that identifies the Layer-4 protocol used. Possible values include protocol names, such as TCP or UDP.
Reason string The reason an audit event was generated. For example 'bad password' or 'unknown user'. This could also be an error or return code. Example: '0x1234'.
ReceiptTime string The time at which the event related to the activity was received. Different from the TimeGenerated field, which is when the event was received by the log collector machine.
ReceivedBytes long Number of bytes transferred inbound.
RemoteIP string The remote IP address, derived from the event's direction value, if possible.
RemotePort string The remote port, derived from the event's direction value, if possible.
ReportReferenceLink string Link to the report of the TI feed.
RequestClientApplication string The user agent associated with the request.
RequestContext string Describes the content from which the request originated, such as the HTTP Referrer.
RequestCookies string Cookies associated with the request.
RequestMethod string The method used to access a URL. Valid values include methods such as POST, GET, and so on.
RequestURL string The URL accessed for an HTTP request, including the protocol. For example: http://www.secure.com.
SentBytes long Number of bytes transferred outbound.
SimplifiedDeviceAction string A mapped version of DeviceAction, such as Denied > Deny.
SourceDnsDomain string The DNS domain part of the complete FQDN.
SourceHostName string Identifies the source that the event refers to in an IP network. The format should be a fully qualified domain name (FQDN) associated with the source node, when a node is available. For example: host or host.domain.com.
SourceIP string The source that an event refers to in an IP network, as an IPv4 address.
SourceMACAddress string Source MAC address.
SourceNTDomain string The Windows domain name for the source address.
SourcePort int The source port number. Valid port numbers are 0 - 65535.
SourceProcessId int The ID of the source process associated with the event.
SourceProcessName string The name of the event's source process.
SourceServiceName string The service responsible for generating the event.
SourceSystem string The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics
SourceTranslatedAddress string Identifies the translated source that the event refers to in an IP network.
SourceTranslatedPort int Source port after translation, such as a firewall. Valid port numbers are 0 - 65535.
SourceUserID string Identifies the source user by ID.
SourceUserName string Identifies the source user by name. Email addresses are also mapped into the UserName fields. The sender is a candidate to put into this field.
SourceUserPrivileges string The source user's privileges. Valid values include: Administrator, User, Guest.
StartTime datetime The time when the activity that the event refers to started.
TenantId string The Log Analytics workspace ID
ThreatConfidence string The threat confidence of the MaliciousIP according to our TI feed.
ThreatDescription string The threat description of the MaliciousIP according to our TI feed.
ThreatSeverity int The threat severity of the MaliciousIP according to our TI feed at the time of the record ingestion.
TimeGenerated datetime Event collection time in UTC.
Type string The name of the table
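The schema above is the CEF header and extension dictionary flattened into table columns: the seven pipe-delimited header fields land in DeviceVendor, DeviceProduct, DeviceVersion, DeviceEventClassID, Activity and LogSeverity, mapped extension keys land in their named columns, and everything else is kept as key-value pairs in AdditionalExtensions. The following is an added example, not code from Azure Monitor, Microsoft Sentinel or the Azure Monitor Agent: it parses one constructed CEF syslog line into a record keyed by the column names above and buckets the raw LogSeverity value using the bands listed in the LogSeverity row. The key-to-column subset, the ';'-joined AdditionalExtensions layout and the integer conversions are the example's own assumptions.

```python
"""Map a raw CEF syslog line onto CommonSecurityLog column names.

Added example; not code from Azure Monitor or Microsoft Sentinel. The header
layout follows the CEF format (CEF:Version|Vendor|Product|Version|SignatureID|
Name|Severity|Extension). The extension-key-to-column subset, the ';'-joined
AdditionalExtensions layout and the int conversions are assumptions.
"""
import re

# Header positions 1..6 land in these columns (position 0 is the CEF version).
_HEADER_COLUMNS = ("DeviceVendor", "DeviceProduct", "DeviceVersion",
                   "DeviceEventClassID", "Activity", "LogSeverity")

# CEF extension key -> CommonSecurityLog column (hand-picked subset of the schema).
_EXT_TO_COLUMN = {
    "src": "SourceIP", "spt": "SourcePort", "suser": "SourceUserName",
    "shost": "SourceHostName", "smac": "SourceMACAddress",
    "dst": "DestinationIP", "dpt": "DestinationPort", "duser": "DestinationUserName",
    "dhost": "DestinationHostName", "dproc": "DestinationProcessName",
    "act": "DeviceAction", "proto": "Protocol", "app": "ApplicationProtocol",
    "msg": "Message", "reason": "Reason", "outcome": "EventOutcome",
    "request": "RequestURL", "requestMethod": "RequestMethod",
    "requestClientApplication": "RequestClientApplication",
    "fname": "FileName", "fileHash": "FileHash", "filePath": "FilePath",
    "in": "ReceivedBytes", "out": "SentBytes", "cnt": "EventCount",
    "dvc": "DeviceAddress", "dvchost": "DeviceName", "cat": "DeviceEventCategory",
    "deviceExternalId": "DeviceExternalID", "externalId": "ExtID",
}
for _i in range(1, 7):   # cs1..cs6 and their labels
    _EXT_TO_COLUMN[f"cs{_i}"] = f"DeviceCustomString{_i}"
    _EXT_TO_COLUMN[f"cs{_i}Label"] = f"DeviceCustomString{_i}Label"
for _i in range(1, 4):   # cn1..cn3 go to the long-typed replacement columns (assumption)
    _EXT_TO_COLUMN[f"cn{_i}"] = f"FieldDeviceCustomNumber{_i}"
    _EXT_TO_COLUMN[f"cn{_i}Label"] = f"DeviceCustomNumber{_i}Label"

_INT_COLUMNS = {"SourcePort", "DestinationPort", "EventCount", "ReceivedBytes", "SentBytes",
                "FieldDeviceCustomNumber1", "FieldDeviceCustomNumber2", "FieldDeviceCustomNumber3"}

# key=value pairs; a value runs until the next " key=" (an escaped "\=" does not end it).
_EXT_RE = re.compile(r"([\w.]+)=((?:\\.|[^\\])*?)(?=\s+[\w.]+=|\s*$)", re.DOTALL)


def _unescape(value: str) -> str:
    """Undo CEF value escaping: backslash-equals, double backslash, \\n and \\r."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _split_header(cef: str):
    """Split the seven '|'-delimited header fields, honouring backslash escapes."""
    fields, buf, i = [], [], 0
    while i < len(cef) and len(fields) < 7:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef):
            buf.append(cef[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    return fields, cef[i:]   # remainder after the 7th '|' is the extension


def parse_cef(line: str) -> dict:
    """Return a dict keyed by CommonSecurityLog column names for one CEF line.

    A syslog prefix before 'CEF:' is skipped, the way a collector would.
    """
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF message")
    header, extension = _split_header(line[start:])
    if len(header) != 7:
        raise ValueError("malformed CEF header: expected 7 '|'-delimited fields")
    record = dict(zip(_HEADER_COLUMNS, header[1:]))
    unmapped = []
    for key, raw in _EXT_RE.findall(extension):
        value = _unescape(raw)
        column = _EXT_TO_COLUMN.get(key)
        if column is None:
            unmapped.append(f"{key}={value}")   # assumption: unmapped keys kept as key=value
            continue
        if column in _INT_COLUMNS:
            try:
                value = int(value)
            except ValueError:
                pass   # keep a malformed number as text rather than dropping the event
        record[column] = value
    if unmapped:
        record["AdditionalExtensions"] = ";".join(unmapped)
    return record


def severity_band(log_severity: str) -> str:
    """Bucket a raw LogSeverity using the schema's bands: 0-3 Low, 4-6 Medium,
    7-8 High, 9-10 Very-High; documented names pass through, anything else is Unknown."""
    s = str(log_severity).strip()
    if s.isdigit():
        n = int(s)
        if n <= 3:
            return "Low"
        if n <= 6:
            return "Medium"
        if n <= 8:
            return "High"
        if n <= 10:
            return "Very-High"
        return "Unknown"
    return s.title() if s.lower() in {"low", "medium", "high", "very-high"} else "Unknown"


# Constructed sample, not a real device log: syslog prefix + CEF header + extension.
SAMPLE_LINE = (
    "<134>Oct 12 10:00:00 fw01 CEF:0|ExampleVendor|ExampleFW|1.0|100|Threat detected|6|"
    "src=10.0.0.5 spt=51234 dst=203.0.113.9 dpt=443 proto=TCP act=alert "
    "msg=Suspicious download\\=yes cs1=vulnerability cs1Label=ThreatCategory "
    "request=https://203.0.113.9/a.exe customKey=xyz"
)

if __name__ == "__main__":
    for column, value in parse_cef(SAMPLE_LINE).items():
        print(f"{column:24} {value!r}")
    print("band:", severity_band(parse_cef(SAMPLE_LINE)["LogSeverity"]))
```

Two things the parser makes visible that the table does not: LogSeverity arrives as the raw header value (the connector criteria further down compare it to strings such as "6" and "10"), so the Low/Medium/High bands are a convention you apply at query time, and any key a device invents ends up in AdditionalExtensions, which is why several connectors below key on `AdditionalExtensions has ...` rather than on a named column.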

Additional Information

Solutions (80)

This table is used by the following solutions:

Connectors (113)

This table is ingested by the following connectors:

Connector
    Selection criteria
Connectors with no indented rows list no selection criteria on this page.
[Deprecated] Vectra AI Detect via Legacy Agent
    DeviceEventClassID == "hsc"
    DeviceEventClassID !in "health,audit,campaigns,hsc,asc"
    DeviceProduct == "X Series"
    DeviceVendor == "Vectra Networks"
[Deprecated] Vectra AI Detect via AMA
    DeviceEventClassID == "hsc"
    DeviceEventClassID !in "health,audit,campaigns,hsc,asc"
    DeviceProduct == "X Series"
    DeviceVendor == "Vectra Networks"
[Deprecated] Akamai Security Events via Legacy Agent
    DeviceProduct == "akamai_siem"
    DeviceVendor == "Akamai"
[Deprecated] Akamai Security Events via AMA
    DeviceProduct == "akamai_siem"
    DeviceVendor == "Akamai"
[Deprecated] Awake Security via Legacy Agent
    DeviceProduct == "Awake Security"
    DeviceVendor == "Arista Networks"
[Deprecated] Aruba ClearPass via Legacy Agent
    DeviceProduct == "ClearPass"
    DeviceVendor == "Aruba Networks"
[Deprecated] Aruba ClearPass via AMA
    DeviceProduct == "ClearPass"
    DeviceVendor == "Aruba Networks"
[Deprecated] Barracuda Web Application Firewall via Legacy Agent
    DeviceVendor == "Barracuda"
[Deprecated] Broadcom Symantec DLP via Legacy Agent
    DeviceProduct == "DLP"
    DeviceVendor == "Symantec"
[Deprecated] Broadcom Symantec DLP via AMA
    DeviceProduct == "DLP"
    DeviceVendor == "Symantec"
Common Event Format (CEF)
    DeviceVendor !in "Cisco,Check Point,Palo Alto Networks,Fortinet,F5,Barracuda,ExtraHop,OneIdentity,Zscaler,ForgeRock Inc,Cyber-Ark,illusive,Vectra Networks,Citrix,Darktrace,Akamai,Aruba Networks,CrowdStrike,Symantec,Claroty,Contrast Security,Delinea Software,Thycotic Software,FireEye,Forcepoint CSG,Forcepoint,Forcepoint CASB,iboss,Illumio,Imperva Inc.,Infoblox,Morphisec,Netwrix,Nozomi,Onapsis,OSSEC,PingFederate,RidgeSecurity,SonicWall,Trend Micro,vArmour"
    DeviceVendor !in "Cisco,Check Point,Palo Alto Networks,Fortinet,F5,Barracuda,ExtraHop,OneIdentity,Zscaler,ForgeRock Inc,Cyber-Ark,illusive,Vectra Networks,Citrix,Darktrace,Akamai,Aruba Networks,CrowdStrike,Symantec,Claroty,Contrast Security,Delinea Software,Thycotic Software,FireEye,Forcepoint CSG,Forcepoint,Forcepoint CASB,iboss,Illumio,Imperva Inc.,Infoblox,Morphisec,Netwrix,Nozomi,Onapsis,OSSEC,PingFederate,RidgeSecurity,SonicWall,Trend Micro,vArmour,Votiro"
Common Event Format (CEF) via AMA
Cisco ASA via Legacy Agent
    DeviceProduct == "ASA"
    DeviceVendor == "Cisco"
    SimplifiedDeviceAction == "Deny"
Cisco ASA/FTD via AMA
    DeviceProduct in "ASA,FTD"
    DeviceVendor == "Cisco"
[Deprecated] Cisco Firepower eStreamer via Legacy Agent
    Activity == "File Malware Event"
    DestinationPort == "80"
    DeviceAction != "Allow"
    DeviceProduct == "Firepower"
    DeviceVendor == "Cisco"
[Deprecated] Cisco Firepower eStreamer via AMA
    Activity == "File Malware Event"
    DestinationPort == "80"
    DeviceAction != "Allow"
    DeviceProduct == "Firepower"
    DeviceVendor == "Cisco"
[Deprecated] Cisco Secure Email Gateway via Legacy Agent
    DeviceEventClassID == "ESA_CONSOLIDATED_LOG_EVENT"
[Deprecated] Cisco Secure Email Gateway via AMA
    DeviceEventClassID == "ESA_CONSOLIDATED_LOG_EVENT"
    DeviceProduct == "ESA_CONSOLIDATED_LOG_EVENT"
    DeviceVendor == "Cisco"
[Deprecated] Citrix WAF (Web App Firewall) via Legacy Agent
    Activity in "APPFW_SQL,APPFW_STARTURL,APPFW_XSS"
    DeviceProduct == "NetScaler"
    DeviceVendor == "Citrix"
[Deprecated] Citrix WAF (Web App Firewall) via AMA
    Activity in "APPFW_SQL,APPFW_STARTURL,APPFW_XSS"
    DeviceProduct == "NetScaler"
    DeviceVendor == "Citrix"
[Deprecated] Claroty via Legacy Agent
    DeviceVendor == "Claroty"
[Deprecated] Claroty via AMA
    DeviceVendor == "Claroty"
Claroty xDome
    DeviceVendor in "Claroty,Medigate"
Zscaler Internet Access Cloud NSS Audit Log Push Connector
    DeviceProduct == "NSSAuditlog"
    EventOutcome == "Failure"
Zscaler Internet Access Cloud NSS CASB Activity Log Push Connector
    DeviceAction == "Blocked"
    DeviceProduct == "NSSCasbactivitylog"
Zscaler Internet Access Cloud NSS CASB CRM Log Push Connector
    DeviceAction == "Blocked"
    DeviceProduct == "NSSCasbcrmlog"
Zscaler Internet Access Cloud NSS CASB Cloud Storage Log Push Connector
    DeviceAction == "Blocked"
    DeviceProduct == "NSSCasbcloudstoragelog"
Zscaler Internet Access Cloud NSS CASB Collaboration Log Push Connector
    DeviceAction == "Blocked"
    DeviceProduct == "NSSCasbcollablog"
Zscaler Internet Access Cloud NSS CASB Email Log Push Connector
    DeviceAction == "Blocked"
    DeviceProduct == "NSSCasbemaillog"
Zscaler Internet Access Cloud NSS CASB File Sharing Log Push Connector
    DeviceAction == "Blocked"
    DeviceProduct == "NSSCasbfilesharinglog"
Zscaler Internet Access Cloud NSS CASB ITSM Log Push Connector
    DeviceAction == "Blocked"
    DeviceProduct == "NSSCasbitsmlog"
Zscaler Internet Access Cloud NSS CASB Repo Log Push Connector
    DeviceAction == "Blocked"
    DeviceProduct == "NSSCasbrepolog"
Zscaler Internet Access Cloud NSS DNS Log Push Connector
    DeviceEventClassID == "Blocked"
    DeviceProduct == "NSSDNSlog"
Zscaler Internet Access Cloud NSS Email DLP Log Push Connector
    DeviceAction == "Blocked"
    DeviceProduct == "NSSEmaildlplog"
Zscaler Internet Access Cloud NSS Endpoint DLP Log Push Connector
    DeviceAction == "Blocked"
    DeviceProduct == "NSSEndpointdlplog"
Zscaler Internet Access Cloud NSS Firewall Log Push Connector
    DeviceProduct == "NSSFWlog"
Zscaler Internet Access Cloud NSS Tunnel Log Push Connector
    DeviceEventClassID in "IPSec Phase1,IPSec Phase2,Tunnel Event"
    DeviceProduct == "NSSTunnellog"
Zscaler Internet Access Cloud NSS Web Log Push Connector
    DeviceEventClassID == "Blocked"
    DeviceProduct == "NSSWeblog"
[Deprecated] Contrast Protect via Legacy Agent
    DeviceVendor == "Contrast Security"
[Deprecated] Contrast Protect via AMA
    DeviceVendor == "Contrast Security"
[Deprecated] CrowdStrike Falcon Endpoint Protection via Legacy Agent
    DeviceProduct == "FalconHost"
    DeviceVendor == "CrowdStrike"
[Deprecated] CrowdStrike Falcon Endpoint Protection via AMA
    DeviceProduct == "FalconHost"
    DeviceVendor == "CrowdStrike"
[Deprecated] CyberArk Enterprise Password Vault (EPV) Events via Legacy Agent
    DeviceProduct == "Vault"
    DeviceVendor == "Cyber-Ark"
    LogSeverity in "10,7"
[Deprecated] CyberArk Privilege Access Manager (PAM) Events via AMA
    DeviceProduct == "Vault"
    DeviceVendor == "Cyber-Ark"
    LogSeverity in "10,7"
[Deprecated] AI Analyst Darktrace via Legacy Agent
    DeviceVendor == "Darktrace"
[Deprecated] AI Analyst Darktrace via AMA
    DeviceVendor == "Darktrace"
[Deprecated] Delinea Secret Server via AMA
    Activity has "SECRET - CREATE"
    Activity has "SECRET - VIEW"
    DeviceProduct == "Secret Server"
    DeviceVendor in "Delinea Software,Thycotic Software"
[Deprecated] Delinea Secret Server via Legacy Agent
    Activity has "SECRET - CREATE"
    Activity has "SECRET - VIEW"
    DeviceProduct == "Secret Server"
    DeviceVendor in "Delinea Software,Thycotic Software"
[Deprecated] ExtraHop Reveal(x) via Legacy Agent
    DeviceEventClassID == "ExtraHop Detection"
    DeviceVendor == "ExtraHop"
[Deprecated] ExtraHop Reveal(x) via AMA
    DeviceEventClassID == "ExtraHop Detection"
    DeviceVendor == "ExtraHop"
[Deprecated] F5 Networks via Legacy Agent
    DeviceVendor == "F5"
[Deprecated] F5 Networks via AMA
    DeviceVendor == "F5"
[Deprecated] FireEye Network Security (NX) via Legacy Agent
    DeviceVendor == "FireEye"
[Deprecated] FireEye Network Security (NX) via AMA
    DeviceVendor == "FireEye"
[Deprecated] Forcepoint CSG via Legacy Agent
    Activity == "Blocked"
    DeviceProduct in "Email,Web"
    DeviceVendor == "Forcepoint CSG"
    LogSeverity == "6"
    SourceUserID != "Not available"
[Deprecated] Forcepoint CSG via AMA
    Activity == "Blocked"
    DeviceProduct in "Email,Web"
    DeviceVendor == "Forcepoint CSG"
    LogSeverity == "6"
    SourceUserID != "Not available"
[Deprecated] Forcepoint CASB via Legacy Agent
    DeviceVendor == "Forcepoint CASB"
[Deprecated] Forcepoint CASB via AMA
    DeviceVendor == "Forcepoint CASB"
[Deprecated] Forcepoint NGFW via Legacy Agent
    Activity contains "compromise"
    DeviceAction == "Terminate"
    DeviceProduct == "NGFW"
    DeviceVendor == "Forcepoint"
[Deprecated] Forcepoint NGFW via AMA
    Activity contains "compromise"
    DeviceAction == "Terminate"
    DeviceProduct == "NGFW"
    DeviceVendor == "Forcepoint"
[Deprecated] ForgeRock Identity Platform
    DeviceAction == "FAILED"
    DeviceProduct == "IDM"
    DeviceVendor == "ForgeRock Inc"
[Deprecated] Fortinet via Legacy Agent
    DeviceProduct startswith "Fortigate"
    DeviceVendor == "Fortinet"
[Deprecated] Fortinet via AMA
    DeviceProduct == "Fortigate"
    DeviceProduct startswith "Fortigate"
    DeviceVendor == "Fortinet"
[Deprecated] Fortinet FortiWeb Web Application Firewall via Legacy Agent
    DeviceProduct == "Fortiweb"
    DeviceProduct has "Fortiweb"
    DeviceVendor == "Fortinet"
Fortinet FortiWeb Web Application Firewall via AMA
    Computer contains "Fortiweb"
    DeviceProduct contains "Fortiweb"
    DeviceProduct has "Fortiweb"
    DeviceVendor == "Fortinet"
    DeviceVendor contains "Fortinet"
[Deprecated] Illumio Core via Legacy Agent
    DeviceCustomString1Label in "dst_vulns,event_href"
    DeviceCustomString2Label in "resource_changes,state"
    DeviceCustomString4Label in "dst_labels,notifications"
    DeviceCustomString6Label == "dst_href"
    DeviceVendor == "Illumio"
[Deprecated] Illumio Core via AMA
    DeviceCustomString1Label in "dst_vulns,event_href"
    DeviceCustomString2Label in "resource_changes,state"
    DeviceCustomString4Label in "dst_labels,notifications"
    DeviceCustomString6Label == "dst_href"
    DeviceVendor == "Illumio"
Imperva WAF Gateway
    Activity == "sql-injection"
    DeviceAction == "block"
    DeviceProduct == "WAF Gateway"
    DeviceVendor in "Imperva,Imperva Inc."
    LogSeverity == "High"
[Deprecated] Infoblox Cloud Data Connector via Legacy Agent
    AdditionalExtensions has "InfobloxRPZ=APP_"
    AdditionalExtensions has "InfobloxRPZ=CAT_"
    DeviceEventClassID == "DHCP-LEASE-CREATE"
    DeviceEventClassID has "DNS"
    DeviceEventClassID has "RPZ"
    DeviceProduct == "Data Connector"
    DeviceVendor == "Infoblox"
[Deprecated] Infoblox Cloud Data Connector via AMA
    AdditionalExtensions has "InfobloxRPZ=APP_"
    AdditionalExtensions has "InfobloxRPZ=CAT_"
    DeviceEventClassID == "DHCP-LEASE-CREATE"
    DeviceEventClassID has "Audit"
    DeviceEventClassID has "DHCP"
    DeviceEventClassID has "DNS"
    DeviceEventClassID has "RPZ"
    DeviceEventClassID has "Service"
    DeviceProduct == "Data Connector"
    DeviceVendor == "Infoblox"
[Recommended] Infoblox Cloud Data Connector via AMA
    AdditionalExtensions has "InfobloxRPZ=APP_"
    AdditionalExtensions has "InfobloxRPZ=CAT_"
    DeviceEventClassID == "DHCP-LEASE-CREATE"
    DeviceEventClassID has "Audit"
    DeviceEventClassID has "DHCP"
    DeviceEventClassID has "DNS"
    DeviceEventClassID has "RPZ"
    DeviceEventClassID has "Service"
    DeviceProduct == "Data Connector"
    DeviceVendor == "Infoblox"
[Deprecated] Infoblox SOC Insight Data Connector via AMA
    DeviceEventClassID == "BloxOne-InsightsNotification-Log"
    DeviceProduct == "Data Connector"
    DeviceVendor == "Infoblox"
[Recommended] Infoblox SOC Insight Data Connector via AMA
    DeviceEventClassID == "BloxOne-InsightsNotification-Log"
    DeviceProduct == "Data Connector"
    DeviceVendor == "Infoblox"
[Deprecated] Infoblox SOC Insight Data Connector via Legacy Agent
    DeviceEventClassID == "BloxOne-InsightsNotification-Log"
    DeviceProduct == "Data Connector"
    DeviceVendor == "Infoblox"
IronNet IronDefense
    DeviceProduct in "IronDefense,IronDome"
    DeviceVendor == "IronNet"
[Deprecated] Netwrix Auditor via Legacy Agent
    DeviceVendor == "Netwrix"
[Deprecated] Netwrix Auditor via AMA
    DeviceVendor == "Netwrix"
[Deprecated] Nozomi Networks N2OS via Legacy Agent
    DeviceVendor has "Nozomi"
[Deprecated] Nozomi Networks N2OS via AMA
    DeviceVendor has "Nozomi"
[Deprecated] OSSEC via Legacy Agent
    DeviceVendor has "OSSEC"
[Deprecated] OSSEC via AMA
    DeviceVendor == "OSSEC"
    DeviceVendor has "OSSEC"
[Deprecated] Onapsis Platform
    DeviceProduct == "OSP"
    DeviceVendor == "Onapsis"
One Identity Safeguard
    Activity == "SessionClosed"
    DeviceCustomString1Label == "Session ID"
    DeviceProduct == "SPS"
    DeviceVendor == "OneIdentity"
[Deprecated] Palo Alto Networks Cortex Data Lake (CDL) via Legacy Agent
    DeviceProduct == "LF"
    DeviceVendor == "Palo Alto Networks"
[Deprecated] Palo Alto Networks Cortex Data Lake (CDL) via AMA
    DeviceProduct == "LF"
    DeviceVendor == "Palo Alto Networks"
[Deprecated] Palo Alto Networks (Firewall) via Legacy Agent
    Activity == "THREAT"
    DeviceProduct has "PAN-OS"
    DeviceVendor == "Palo Alto Networks"
[Deprecated] Palo Alto Networks (Firewall) via AMA
    Activity == "THREAT"
    DeviceProduct == "PAN-OS"
    DeviceProduct has "PAN-OS"
    DeviceVendor == "Palo Alto Networks"
Palo Alto Networks Cortex XDR
    DeviceAction == "Prevented (Blocked)"
    DeviceProduct == "Cortex XDR"
    DeviceVendor == "Palo Alto Networks"
    LogSeverity == "6"
[Deprecated] PingFederate via Legacy Agent
    DeviceProduct has "PingFederate"
[Deprecated] PingFederate via AMA
    DeviceProduct has "PingFederate"
Radiflow iSID via AMA
    DeviceProduct == "iSID"
    DeviceVendor == "radiflow"
[Deprecated] RIDGEBOT - data connector for Microsoft Sentinel
    DeviceEventClassID == "4001"
    DeviceVendor == "RidgeSecurity"
Silverfort Admin Console
    DeviceEventClassID == "NewIncident"
    DeviceProduct == "Admin Console"
    DeviceProduct has "Admin Console"
    DeviceVendor == "Silverfort"
    DeviceVendor has "Silverfort"
    Message has "UserBruteForce"
[Deprecated] SonicWall Firewall via Legacy Agent
    AdditionalExtensions contains "fw_action="
    DeviceVendor == "SonicWall"
[Deprecated] SonicWall Firewall via AMA
    AdditionalExtensions contains "fw_action="
    DeviceVendor == "SonicWall"
Threat Intelligence Platforms
[Deprecated] Trend Micro Deep Security via Legacy
    DeviceProduct startswith "Deep Security"
    DeviceVendor has_any "Trend Micro,TrendMicro"
[Deprecated] Trend Micro Apex One via Legacy Agent
    DeviceProduct == "Apex Central"
    DeviceVendor == "Trend Micro"
[Deprecated] Trend Micro Apex One via AMA
    DeviceProduct == "Apex Central"
    DeviceVendor == "Trend Micro"
[Deprecated] Trend Micro TippingPoint via Legacy
    DeviceProduct == "UnityOne"
VirtualMetric Director Proxy
VirtualMetric DataStream for Microsoft Sentinel
VirtualMetric DataStream for Microsoft Sentinel data lake
[Deprecated] Votiro Sanitization Engine Logs DeviceProduct == "Votiro cloud"
DeviceVendor == "Votiro"
[Deprecated] WireX Network Forensics Platform via Legacy Agent ApplicationProtocol in "DNS,HTTP,TDS"
DeviceProduct == "WireX NFP"
DeviceVendor == "WireX"
[Deprecated] WireX Network Forensics Platform via AMA ApplicationProtocol in "DNS,HTTP,TDS"
DeviceProduct == "WireX NFP"
DeviceVendor == "WireX"
[Deprecated] WithSecure Elements via Connector DeviceVendor == "WithSecure™"
[Deprecated] iboss via Legacy Agent AdditionalExtensions !contains "amaExternalLogService=true"
DeviceVendor == "iboss"
iboss via AMA AdditionalExtensions contains "amaExternalLogService=true"
DeviceVendor == "iboss"
[Deprecated] Illusive Platform via Legacy Agent DeviceEventClassID in "illusive:access,illusive:login,illusive:suspicious"
DeviceProduct == "illusive"
DeviceVendor == "illusive"
Message !contains "hasForensics"
SourceHostName != "Failed to obtain"
[Deprecated] Illusive Platform via AMA DeviceEventClassID in "illusive:access,illusive:login,illusive:suspicious"
DeviceProduct == "illusive"
DeviceVendor == "illusive"
Message !contains "hasForensics"
SourceHostName != "Failed to obtain"
[Deprecated] vArmour Application Controller via Legacy Agent Activity == "POLICY_VIOLATION"
DeviceProduct == "AC"
DeviceVendor == "vArmour"
[Deprecated] vArmour Application Controller via AMA Activity == "POLICY_VIOLATION"
DeviceProduct == "AC"
DeviceVendor == "vArmour"

Content Items Using This Table (278)

Analytic Rules (130)

In solution Acronis Cyber Protect Cloud:

Analytic Rule Selection Criteria
Acronis - Login from Abnormal IP - Low Occurrence DeviceVendor == "Acronis audit"
Acronis - Multiple Endpoints Accessing Malicious URLs DeviceEventClassID == "MaliciousUrlDetected"
DeviceVendor == "Acronis"
Acronis - Multiple Endpoints Infected by Ransomware DeviceEventClassID == "ActiveProtectionBlocksSuspiciousActivity"
DeviceVendor == "Acronis"
Acronis - Multiple Inboxes with Malicious Content Detected DeviceEventClassID in "MaliciousEmailDetectedPerceptionPointWarning,MaliciousURLDetectedInM365MailboxBackup,MalwareDetectedInM365MailboxBackup"
DeviceVendor == "Acronis"

In solution Apache Log4j Vulnerability Detection:

Analytic Rule Selection Criteria
Log4j vulnerability exploit aka Log4Shell IP IOC

In solution AristaAwakeSecurity: DeviceProduct == "Awake Security"
DeviceVendor == "Arista Networks"

Analytic Rule
Awake Security - High Match Counts By Device
Awake Security - High Severity Matches By Device
Awake Security - Model With Multiple Destinations

In solution CiscoASA:

Analytic Rule Selection Criteria
Cisco ASA - average attack detection rate increase DeviceEventClassID == "733100"
Cisco ASA - threat detection message fired DeviceEventClassID in "733101,733102,733103,733104,733105"

In solution CiscoSEG: DeviceEventClassID == "ESA_CONSOLIDATED_LOG_EVENT"

Analytic Rule
Cisco SEG - DLP policy violation
Cisco SEG - Malicious attachment not blocked
Cisco SEG - Multiple large emails sent to external recipient
Cisco SEG - Multiple suspiciuos attachments received
Cisco SEG - Possible outbreak
Cisco SEG - Potential phishing link
Cisco SEG - Suspicious link
Cisco SEG - Suspicious sender domain
Cisco SEG - Unexpected attachment
Cisco SEG - Unexpected link
Cisco SEG - Unscannable attacment

In solution Claroty: DeviceVendor == "Claroty"

Analytic Rule
Claroty - Asset Down
Claroty - Critical baseline deviation
Claroty - Login to uncommon location
Claroty - Multiple failed logins by user
Claroty - Multiple failed logins to same destinations
Claroty - New Asset
Claroty - Policy violation
Claroty - Suspicious activity
Claroty - Suspicious file transfer
Claroty - Threat detected

In solution Contrast Protect:

Analytic Rule Selection Criteria
Contrast Blocks AdditionalExtensions contains "BLOCKED"
DeviceVendor == "Contrast Security"
Contrast Exploits AdditionalExtensions contains "EXPLOITED"
DeviceVendor == "Contrast Security"
Contrast Probes AdditionalExtensions contains "INEFFECTIVE"
AdditionalExtensions contains "PROBED"
DeviceVendor == "Contrast Security"
Contrast Suspicious AdditionalExtensions contains "SUSPICIOUS"
DeviceVendor == "Contrast Security"

In solution CrowdStrike Falcon Endpoint Protection: DeviceProduct == "FalconHost"
DeviceVendor == "CrowdStrike"

Analytic Rule
Critical Severity Detection

In solution FalconFriday: DeviceProduct == "NSSWeblog"
DeviceVendor == "Zscaler"

Analytic Rule
Beacon Traffic Based on Common User Agents Visiting Limited Number of Domains

In solution Fortinet FortiWeb Cloud WAF-as-a-Service connector for Microsoft Sentinel: DeviceProduct has "Fortiweb"
DeviceVendor == "Fortinet"

Analytic Rule
Fortiweb - WAF Allowed threat

In solution GreyNoiseThreatIntelligence:

Analytic Rule Selection Criteria
GreyNoise TI Map IP Entity to CommonSecurityLog

In solution Illusive Platform: DeviceProduct == "illusive"

Analytic Rule
Illusive Incidents Analytic Rule

In solution Infoblox: DeviceEventClassID == "BloxOne-InsightsNotification-Log"
DeviceProduct == "Data Connector"
DeviceVendor == "Infoblox"

Analytic Rule
Infoblox - SOC Insight Detected - CDC Source

In solution Infoblox Cloud Data Connector:

Analytic Rule Selection Criteria
Infoblox - Data Exfiltration Attack DeviceEventClassID has "RPZ"
DeviceProduct == "Data Connector"
DeviceVendor == "Infoblox"
Infoblox - High Threat Level Query Not Blocked Detected DeviceEventClassID has "RPZ"
DeviceProduct == "Data Connector"
DeviceVendor == "Infoblox"
Infoblox - Many High Threat Level Queries From Single Host Detected DeviceEventClassID has "RPZ"
DeviceProduct == "Data Connector"
DeviceVendor == "Infoblox"
Infoblox - Many High Threat Level Single Query Detected DeviceEventClassID has "RPZ"
DeviceProduct == "Data Connector"
DeviceVendor == "Infoblox"
Infoblox - Many NXDOMAIN DNS Responses Detected DeviceEventClassID == "DNS Response"
DeviceProduct == "Data Connector"
DeviceVendor == "Infoblox"
Infoblox - TI - CommonSecurityLog Match Found - MalwareC2
Infoblox - TI - InfobloxCDC Match Found - Lookalike Domains DeviceProduct == "Data Connector"
DeviceVendor == "Infoblox"

In solution Infoblox SOC Insights: DeviceEventClassID == "BloxOne-InsightsNotification-Log"
DeviceProduct == "Data Connector"
DeviceVendor == "Infoblox"

Analytic Rule
Infoblox - SOC Insight Detected - CDC Source

In solution IronNet IronDefense: DeviceProduct == "IronDefense"

Analytic Rule
Create Incidents from IronDefense

In solution Lumen Defender Threat Feed:

Analytic Rule Selection Criteria
Lumen TI IPAddress in CommonSecurityLog

In solution Microsoft Defender XDR:

Analytic Rule Selection Criteria
Possible Phishing with CSL and Network Sessions

In solution Network Threat Protection Essentials: Activity == "Deny List updated"
DeviceVendor == "Trend Micro"

Analytic Rule
Network endpoint to host executable correlation

In solution PaloAlto-PAN-OS:

Analytic Rule Selection Criteria
Microsoft COVID-19 file hash indicator matches
Palo Alto - possible internal to external port scanning AdditionalExtensions has "reason=tcp-rst-from-client"
AdditionalExtensions has "reason=tcp-rst-from-server"
ApplicationProtocol == "incomplete"
DestinationPort !in "443,53,389,80,0,880,8888,8080"
DeviceAction !in "reset-both,deny"
Palo Alto - possible nmap scan on with top 100 option DestinationPort in "10000,1025,1026,1027,1028,1029,106,110,111,1110,119,13,135,139,143,1433,144,1720,1723,1755,179,1900,199,2000,2001,2049,21,2121,22,23,25,26,2717,3000,3128,32768,3306,3389,37,389,3986,427,444,445,465,4899,49152,49153,49154,49155,49156,49157,5000,5009,5051,5060,5101,513,514,515,5190,5357,543,5432,544,548,554,5631,5666,5800,587,5900,6000,6001,631,646,6646,7,7070,79,8000,8008,8009,8080,8081,81,8443,873,88,8888,9,9100,990,993,995,9999"
Palo Alto - potential beaconing detected Activity == "TRAFFIC"
DeviceVendor == "Palo Alto Networks"
Palo Alto Threat signatures from Unusual IP addresses DeviceEventClassID in "file,flood,packet,scan,spyware,virus,vulnerability,wildfire,wildfire-virus"
DeviceVendor == "Palo Alto Networks"

In solution PaloAltoCDL: DeviceProduct == "LF"
DeviceVendor == "Palo Alto Networks"

Analytic Rule
PaloAlto - Dropping or denying session with traffic
PaloAlto - File type changed
PaloAlto - Forbidden countries
PaloAlto - Inbound connection to high risk ports
PaloAlto - MAC address conflict
PaloAlto - Possible attack without response
PaloAlto - Possible flooding
PaloAlto - Possible port scan
PaloAlto - Put and post method request in high risk file type
PaloAlto - User privileges was changed

In solution PingFederate: DeviceProduct has "PingFederate"

Analytic Rule
Ping Federate - Abnormal password reset attempts
Ping Federate - Abnormal password resets for user
Ping Federate - Authentication from new IP.
Ping Federate - Forbidden country
Ping Federate - New user SSO success login
Ping Federate - OAuth old version
Ping Federate - Password reset request from unexpected source IP address..
Ping Federate - SAML old version
Ping Federate - Unexpected authentication URL.
Ping Federate - Unexpected country for user
Ping Federate - Unusual mail domain.

In solution Radiflow: DeviceProduct == "iSID"
DeviceVendor == "radiflow"

Analytic Rule
Radiflow - Exploit Detected
Radiflow - Network Scanning Detected
Radiflow - New Activity Detected
Radiflow - Platform Alert
Radiflow - Policy Violation Detected
Radiflow - Suspicious Malicious Activity Detected
Radiflow - Unauthorized Command in Operational Device
Radiflow - Unauthorized Internet Access

In solution RidgeSecurity:

Analytic Rule Selection Criteria
Critical Risks DeviceEventClassID == "4001"
DeviceVendor == "RidgeSecurity"
Vulerabilities DeviceEventClassID startswith "40"
DeviceVendor == "RidgeSecurity"

In solution SecurityThreatEssentialSolution:

Analytic Rule Selection Criteria
Threat Essentials - Time series anomaly for data size transferred to public internet

In solution Silverfort:

Analytic Rule Selection Criteria
Silverfort - Certifried Incident DeviceEventClassID == "NewIncident"
DeviceProduct has "Admin Console"
DeviceVendor has "Silverfort"
Message has "Certifried"
Silverfort - Log4Shell Incident DeviceEventClassID == "NewIncident"
DeviceProduct has "Admin Console"
DeviceVendor has "Silverfort"
Message has "Log4Shell"
Silverfort - NoPacBreach Incident DeviceEventClassID == "NewIncident"
DeviceProduct has "Admin Console"
DeviceVendor has "Silverfort"
Message has "NoPacBreach"
Silverfort - UserBruteForce Incident DeviceEventClassID == "NewIncident"
DeviceProduct has "Admin Console"
DeviceVendor has "Silverfort"
Message has "UserBruteForce"

In solution SonicWall Firewall: Protocol !contains "/"
Protocol contains "-"

Analytic Rule
SonicWall - Capture ATP Malicious File Detection

In solution Threat Intelligence:

Analytic Rule Selection Criteria
TI Map IP Entity to CommonSecurityLog
TI Map URL Entity to PaloAlto Data DeviceAction != "block-url"
DeviceEventClassID == "url"
DeviceVendor == "Palo Alto Networks"
TI map Domain entity to PaloAlto DeviceAction != "block-url"
DeviceEventClassID == "url"
DeviceVendor == "Palo Alto Networks"
TI map Domain entity to PaloAlto CommonSecurityLog DeviceEventClassID == "url"
TI map Email entity to PaloAlto CommonSecurityLog ApplicationProtocol in "pop3,smtp"
DeviceEventClassID == "wildfire"
DeviceVendor == "Palo Alto Networks"
TI map File Hash to CommonSecurityLog Event

In solution Threat Intelligence (NEW):

Analytic Rule Selection Criteria
TI Map IP Entity to CommonSecurityLog
TI Map URL Entity to PaloAlto Data DeviceAction != "block-url"
DeviceEventClassID == "url"
DeviceVendor == "Palo Alto Networks"
TI map Domain entity to PaloAlto DeviceAction != "block-url"
DeviceEventClassID == "url"
DeviceVendor == "Palo Alto Networks"
TI map Domain entity to PaloAlto CommonSecurityLog DeviceEventClassID == "url"
TI map Email entity to PaloAlto CommonSecurityLog ApplicationProtocol in "pop3,smtp"
DeviceEventClassID == "wildfire"
DeviceVendor == "Palo Alto Networks"
TI map File Hash to CommonSecurityLog Event

In solution Trend Micro Apex One: DeviceProduct == "Apex Central"
DeviceVendor == "Trend Micro"

Analytic Rule
ApexOne - Attack Discovery Detection
ApexOne - C&C callback events
ApexOne - Commands in Url
ApexOne - Device access permissions was changed
ApexOne - Inbound remote access connection
ApexOne - Multiple deny or terminate actions on single IP
ApexOne - Possible exploit or execute operation
ApexOne - Spyware with failed response
ApexOne - Suspicious commandline arguments
ApexOne - Suspicious connections

In solution Vectra AI Detect:

Analytic Rule Selection Criteria
Vectra AI Detect - Detections with High Severity DeviceEventClassID != "asc"
DeviceEventClassID != "audit"
DeviceEventClassID != "campaigns"
DeviceEventClassID != "health"
DeviceEventClassID != "hsc"
DeviceProduct == "X Series"
DeviceVendor == "Vectra Networks"
Vectra AI Detect - New Campaign Detected DeviceAction == "START"
DeviceEventClassID contains "campaign"
DeviceProduct == "X Series"
DeviceVendor == "Vectra Networks"
Vectra AI Detect - Suspected Compromised Account DeviceEventClassID == "asc"
DeviceProduct == "X Series"
DeviceVendor == "Vectra Networks"
Vectra AI Detect - Suspected Compromised Host DeviceEventClassID == "hsc"
DeviceProduct == "X Series"
DeviceVendor == "Vectra Networks"
Vectra AI Detect - Suspicious Behaviors by Category DeviceEventClassID != "asc"
DeviceEventClassID != "audit"
DeviceEventClassID != "campaigns"
DeviceEventClassID != "health"
DeviceEventClassID != "hsc"
DeviceProduct == "X Series"
DeviceVendor == "Vectra Networks"
Vectra Account's Behaviors AdditionalExtensions contains "account"
DeviceEventClassID != "asc"
DeviceEventClassID != "audit"
DeviceEventClassID != "campaigns"
DeviceEventClassID != "health"
DeviceEventClassID != "hsc"
DeviceProduct == "X Series"
DeviceVendor == "Vectra Networks"
Vectra Host's Behaviors AdditionalExtensions !has "account"
DeviceEventClassID != "asc"
DeviceEventClassID != "audit"
DeviceEventClassID != "campaigns"
DeviceEventClassID != "health"
DeviceEventClassID != "hsc"
DeviceProduct == "X Series"
DeviceVendor == "Vectra Networks"

In solution Votiro: DeviceProduct == "Votiro cloud"
DeviceVendor == "Votiro"

Analytic Rule
Votiro - File Blocked from Connector
Votiro - File Blocked in Email

In solution Zinc Open Source:

Analytic Rule Selection Criteria
[Deprecated] - Zinc Actor IOCs domains hashes IPs and useragent - October 2022

In solution Zscaler Internet Access:

Analytic Rule Selection Criteria
Discord CDN Risky File Download DeviceAction != "blocked"
DeviceVendor == "ZScaler"
Request for single resource on domain DeviceAction == "Allowed"
DeviceVendor == "Zscaler"

In solution vArmour Application Controller: Activity == "POLICY_VIOLATION"
DeviceProduct == "AC"
DeviceVendor == "vArmour"

Analytic Rule
vArmour AppController - SMB Realm Traversal

Hunting Queries (74)

In solution Acronis Cyber Protect Cloud:

Hunting Query Selection Criteria
Acronis - ASZ defence: Unauthorized operation is detected and blocked DeviceEventClassID == "ActiveProtectionDetectedAszPartitionAccessed"
DeviceVendor == "Acronis"
Acronis - Agent failed updating more than twice in a day DeviceEventClassID == "AgentAutoUpdateStalled"
DeviceVendor == "Acronis"
Acronis - Agents offline for 2 days or more DeviceEventClassID == "MiniPlanAgentOffline"
DeviceVendor == "Acronis"
Acronis - Audit Log DeviceVendor == "Acronis audit"
Acronis - Cloud Connection Errors DeviceEventClassID in "CloudConnectionAzureApplianceConfigurationFailed,CloudConnectionAzureApplianceDeallocationFailed,CloudConnectionAzureApplianceDeletionFailed,CloudConnectionAzureApplianceEOL,CloudConnectionAzureApplianceFailed,CloudConnectionAzureApplianceUpdateFailed,CloudConnectionAzureCloudAccessExpired,CloudConnectionS3CloudAccessExpired"
DeviceVendor == "Acronis"
Acronis - Endpoints Accessing Malicious URLs DeviceEventClassID == "MaliciousUrlDetected"
DeviceVendor == "Acronis"
Acronis - Endpoints Infected by Ransomware DeviceEventClassID == "ActiveProtectionBlocksSuspiciousActivity"
DeviceVendor == "Acronis"
Acronis - Endpoints with Backup issues DeviceEventClassID in "ArchiveCorrupted,BackupFailed,BackupNotResponding,BackupRecoveryFailed"
DeviceVendor == "Acronis"
Acronis - Endpoints with EDR Incidents DeviceEventClassID in "EDRIOCDetected,EDRIncidentDetected"
DeviceVendor == "Acronis"
Acronis - Endpoints with high failed login attempts DeviceEventClassID == "MiMonitoringFailedLoginAttemptsOverThreshold"
DeviceVendor == "Acronis"
Acronis - Inboxes with Malicious Content DeviceEventClassID in "MaliciousEmailDetectedPerceptionPointWarning,MaliciousURLDetectedInM365MailboxBackup,MalwareDetectedInM365MailboxBackup"
DeviceVendor == "Acronis"
Acronis - Login from Abnormal IP - Low Occurrence DeviceVendor == "Acronis audit"
Acronis - Protection Service Errors DeviceEventClassID in "ActiveProtectionDriverRemediated,ActiveProtectionInvalidNetworkRecoveryPath,ActiveProtectionServiceConflict,ActiveProtectionServiceFailureToApplyPolicy,ActiveProtectionServiceNotAvailable,ActiveProtectionServiceNotRunning,CPSProtectionFailureDetected,ProtectionServiceNotWorking"
DeviceVendor == "Acronis"

In solution Apache Log4j Vulnerability Detection: ApplicationProtocol == "ldap"
DeviceAction has_any "allow"

Hunting Query
Network Connection to New External LDAP Server

In solution CiscoSEG: DeviceEventClassID == "ESA_CONSOLIDATED_LOG_EVENT"

Hunting Query
Cisco SEG - DKIM failures
Cisco SEG - DMARK failures
Cisco SEG - Dropped incoming mails
Cisco SEG - Dropped outgoing mails
Cisco SEG - Failed incoming TLS connections
Cisco SEG - Failed outgoing TLS connections
Cisco SEG - Insecure protocol
Cisco SEG - SPF failures
Cisco SEG - Sources of spam mails
Cisco SEG - Top users receiving spam mails

In solution Claroty: DeviceVendor == "Claroty"

Hunting Query
Claroty - Baseline deviation
Claroty - Conflict assets
Claroty - Critical Events
Claroty - Network scan sources
Claroty - Network scan targets
Claroty - PLC logins
Claroty - Unapproved access
Claroty - Unresolved alerts
Claroty - User failed logins
Claroty - Write and Execute operations

In solution Cyware:

Hunting Query Selection Criteria
Match Cyware Intel Watchlist Items With Common Logs

In solution Endace: Activity == "THREAT"

Hunting Query
Endace - Pivot-to-Vision

In solution Fortinet FortiWeb Cloud WAF-as-a-Service connector for Microsoft Sentinel: DeviceProduct has "Fortiweb"
DeviceVendor == "Fortinet"

Hunting Query
Fortiweb - Unexpected countries
Fortiweb - identify owasp10 vulnerabilities

In solution Legacy IOC based Threat Protection:

Hunting Query Selection Criteria
Retrospective hunt for Forest Blizzard IP IOCs

In solution Lumen Defender Threat Feed:

Hunting Query Selection Criteria
Lumen TI IPAddress indicator in CommonSecurityLog

In solution Network Threat Protection Essentials:

Hunting Query Selection Criteria
Base64 encoded IPv4 address in request url
Risky base64 encoded command in URL

In solution PaloAlto-PAN-OS:

Hunting Query Selection Criteria
Palo Alto - high-risk ports Activity == "TRAFFIC"
DeviceAction != "deny"
DeviceVendor == "Palo Alto Networks"
Palo Alto - potential beaconing detected Activity == "TRAFFIC"
DeviceVendor == "Palo Alto Networks"

In solution PaloAltoCDL: DeviceProduct == "LF"
DeviceVendor == "Palo Alto Networks"

Hunting Query
PaloAlto - Agent versions
PaloAlto - Critical event result
PaloAlto - Destination ports by IPs
PaloAlto - File permission with PUT or POST request
PaloAlto - Incomplete application protocol
PaloAlto - Multiple Deny result by user
PaloAlto - Outdated config vesions
PaloAlto - Rare application layer protocols
PaloAlto - Rare files observed
PaloAlto - Rare ports by user

In solution PingFederate: DeviceProduct has "PingFederate"

Hunting Query
Ping Federate - Authentication URLs
Ping Federate - Authentication from unusual sources
Ping Federate - Failed Authentication
Ping Federate - New users
Ping Federate - Password reset requests
Ping Federate - Rare source IP addresses
Ping Federate - Requests from unusual countries
Ping Federate - SAML subjects
Ping Federate - Top source IP addresses
Ping Federate - Users recently reseted password

In solution Trend Micro Apex One: DeviceProduct == "Apex Central"
DeviceVendor == "Trend Micro"

Hunting Query
ApexOne - Behavior monitoring actions by files
ApexOne - Behavior monitoring event types by users
ApexOne - Behavior monitoring operations by users
ApexOne - Behavior monitoring triggered policy by command line
ApexOne - Channel type by users
ApexOne - Data loss prevention action by IP
ApexOne - Rare application protocols by Ip address
ApexOne - Spyware detection
ApexOne - Suspicious files events
ApexOne - Top sources with alerts

Workbooks (72)

In solution AI Analyst Darktrace: Activity !contains "saas"
Activity contains "Antigena"
Activity contains "Compliance"
Activity contains "iaas"
Activity contains "saas"
DestinationIP !startswith "10"
DestinationIP !startswith "172"
DestinationIP !startswith "192"
DeviceName contains "#"
DeviceProduct in "AI Analyst,Enterprise Immune System"
DeviceVendor == "Darktrace"

Workbook
AIA-Darktrace

In solution AristaAwakeSecurity: DeviceProduct == "Awake Security"
DeviceVendor == "Arista Networks"

Workbook
AristaAwakeSecurityWorkbook

In solution Barracuda CloudGen Firewall: DeviceVendor == "Barracuda"

Workbook
Barracuda

In solution Check Point: DeviceCustomString3 in "DNS Reputation,IP Reputation,URL Reputation"
DeviceProduct in "Anti Malware,Anti-Bot,Anti-Virus,Application Control,DDoS Protector,IPS,Threat Emulation,URL Filtering"
DeviceVendor == "Check Point"
FlexNumber1 in "3,4,5"
LogSeverity in "Critical,High,Medium,Very-High"

Workbook
CheckPoint

In solution CiscoASA: CommunicationDirection contains "inbound"
CommunicationDirection contains "outbound"
DeviceEventClassID in "106100,111008,113012,113015,302010,315011,611102,733100"
DeviceProduct == "ASA"
DeviceVendor == "Cisco"
Message contains "-> inside"
Message contains "-> management"
SimplifiedDeviceAction in "Allow,Built,Deny"

Workbook
Cisco

In solution CiscoSEG: DeviceEventClassID == "ESA_CONSOLIDATED_LOG_EVENT"

Workbook
CiscoSEG

In solution Citrix Web App Firewall: DeviceProduct == "NetScaler"
DeviceVendor == "Citrix"

Workbook
CitrixWAF

In solution Claroty: DeviceVendor == "Claroty"

Workbook
ClarotyOverview

In solution Common Event Format: DeviceProduct has "PAN-OS"

Workbook
CEFOverviewWorkbook

In solution ContinuousDiagnostics&Mitigation:

Workbook Selection Criteria
ContinuousDiagnostics&Mitigation

In solution Contrast Protect: DeviceVendor == "Contrast Security"

Workbook
ContrastProtect

In solution CrowdStrike Falcon Endpoint Protection: DeviceProduct == "FalconHost"
DeviceVendor == "CrowdStrike"

Workbook
CrowdStrikeFalconEndpointProtection

In solution CyberArk Privilege Access Manager (PAM) Events: DestinationUserPrivileges !contains "ConjurSync"
DestinationUserPrivileges !contains "PSM"
DestinationUserPrivileges !contains "PSMSessions"
DestinationUserPrivileges !contains "PVWAConfig"
DestinationUserPrivileges !contains "PVWAPrivateUserPrefs"
DestinationUserPrivileges !contains "PasswordManager"
DestinationUserPrivileges !contains "PasswordManagerShared"
DestinationUserPrivileges !contains "SharedAuth_Internal"
DestinationUserPrivileges !contains "VaultInternal"
DestinationUserPrivileges contains "ConjurSync"
DeviceAction contains "disable"
DeviceProduct == "Vault"
DeviceVendor == "Cyber-Ark"
OldFileID contains "Error"
OldFileID contains "Failure"
OldFileID contains "error"
SourceUserName !contains "PasswordManager"
SourceUserName contains "Sync_components"
SourceUserName contains "administrator"

Workbook
CyberArkEPV

In solution Delinea Secret Server: Activity == "SECRET - EXPIREDTODAY"
DeviceProduct == "Secret Server"
DeviceVendor in "Delinea Software,Thycotic Software"
LogSeverity == "2"

Workbook
DelineaWorkbook

In solution ExtraHop Reveal(x): DeviceVendor == "ExtraHop"

Workbook
ExtraHopDetectionSummary

In solution Forcepoint CASB: DeviceProduct in "CASB Admin audit log,Cloud Service Monitoring,SaaS Security Gateway"
DeviceVendor == "Forcepoint CASB"

Workbook
ForcepointCASB

In solution Forcepoint CSG: Activity != "Blocked"
DeviceProduct in "Email,Web"
DeviceVendor == "Forcepoint CSG"
LogSeverity in "6,9"
SourceUserID != "Not available"

Workbook
ForcepointCloudSecuirtyGateway

In solution Forcepoint NGFW:

Workbook Selection Criteria
ForcepointNGFW DeviceAction == "Terminate"
DeviceProduct == "NGFW"
DeviceVendor == "Forcepoint"
LogSeverity == "10"
ForcepointNGFWAdvanced Activity in "File_Malware-Blocked,URL_Category-Accounting"
DeviceAction == "Discard"
DeviceAction != "Discard"
DeviceAction != "Terminate"
DeviceFacility == "Inspection"
DeviceProduct in "Alert,Audit"
DeviceVendor in "FORCEPOINT,Forcepoint"
Message contains "Login succeeded"
Message contains "Logout"
Message contains "created"
Message contains "modified"

In solution Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel: Activity contains "forward"
DestinationTranslatedAddress contains "."
DeviceInboundInterface in "port1,port2"
DeviceProduct contains "Fortigate"
DeviceVendor == "Fortinet"

Workbook
Fortigate

In solution Fortinet FortiWeb Cloud WAF-as-a-Service connector for Microsoft Sentinel: DeviceProduct has "Fortiweb"
DeviceVendor == "Fortinet"

Workbook
Fortiweb-workbook

In solution Illusive Platform:

Workbook Selection Criteria
IllusiveADS DeviceEventClassID in "illusive:access,illusive:login,illusive:suspicious"
Message !contains "hasForensics"
SourceHostName != "Failed to obtain"
IllusiveASM DeviceCustomString1 in "CROWN_JEWEL_CREDENTIALS,LOCAL_USER_ADMINISTRATORS,SUSPICIOUS_FILES,USER_CREDENTIALS"
DeviceEventClassID == "illusive:violation"

In solution Infoblox: DeviceEventClassID in "DHCP-LEASE-CREATE,DHCP-LEASE-DELETE,DHCP-LEASE-UPDATE"
DeviceEventClassID has "Audit"
DeviceEventClassID has "DHCP"
DeviceEventClassID has "DNS"
DeviceEventClassID has "RPZ"
DeviceEventClassID has "Service"
DeviceProduct == "Data Connector"
DeviceVendor == "Infoblox"

Workbook
Infoblox_Workbook

In solution Infoblox Cloud Data Connector: DeviceEventClassID in "DHCP-LEASE-CREATE,DHCP-LEASE-DELETE,DHCP-LEASE-UPDATE"
DeviceEventClassID has "DHCP"
DeviceEventClassID has "DNS"
DeviceEventClassID has "RPZ"
DeviceProduct == "Data Connector"
DeviceVendor == "Infoblox"

Workbook
InfobloxCDCB1TDWorkbook

In solution IronNet IronDefense:

Workbook Selection Criteria
IronDefenseAlertDashboard
IronDefenseAlertDetails DeviceProduct == "IronDefense"
LogSeverity in "High,Low,Medium,Very-High"

In solution Lumen Defender Threat Feed:

Workbook Selection Criteria
Lumen-Threat-Feed-Overview

In solution MaturityModelForEventLogManagementM2131:

Workbook Selection Criteria
MaturityModelForEventLogManagement_M2131

In solution NISTSP80053:

Workbook Selection Criteria
NISTSP80053

In solution Onapsis Platform: DeviceVendor == "Onapsis"

Workbook
OnapsisAlarmsOverview

In solution OneIdentity: Activity in "ServerConnect,SessionClosed"
DeviceCustomString1Label == "Session ID"
DeviceProduct == "SPS"
DeviceVendor == "OneIdentity"

Workbook
OneIdentity

In solution Palo Alto - XDR (Cortex): Activity == "WildFire Malware"
DeviceProduct == "Cortex XDR"
DeviceVendor == "Palo Alto Networks"

Workbook
PaloAltoXDR

In solution PaloAlto-PAN-OS:

Workbook Selection Criteria
PaloAltoNetworkThreat Activity == "THREAT"
DeviceEventClassID in "correlation,vulnerability,wildfire"
DeviceEventClassID != "file"
DeviceEventClassID != "url"
DeviceProduct has "PAN-OS"
DeviceVendor == "Palo Alto Networks"
PaloAltoOverview Activity in "THREAT,TRAFFIC,Traffic"
DeviceAction in "alert,block-continue,block-url,continue"
DeviceAction !contains "block"
DeviceAction !contains "deny"
DeviceAction contains "block"
DeviceAction contains "deny"
DeviceEventClassID in "end,file,url,wildfire"
DeviceProduct has "LF"
DeviceProduct has "PAN-OS"
DeviceVendor == "Palo Alto Networks"

In solution PaloAltoCDL: DeviceProduct == "LF"
DeviceVendor == "Palo Alto Networks"

Workbook
PaloAltoCDL

In solution PingFederate: DeviceProduct == "PingFederate"
DeviceProduct has "PingFederate"

Workbook
PingFederate

In solution SOC Handbook:

Workbook Selection Criteria
InvestigationInsights
SecurityStatus

In solution SOX IT Compliance: DeviceVendor has_any "CrowdStrike,Microsoft,Qualys,Tripwire"
Message has_any "change"
Message has_any "record modified"

Workbook
SOXITCompliance

In solution Semperis Directory Services Protector:

Workbook Selection Criteria
SemperisDSPADChanges DeviceEventClassID == "Semperis.DSP.AdChanges"
SemperisDSPNotifications DeviceProduct == "Core Directory"
SemperisDSPQuickviewDashboard DeviceProduct == "Core Directory"
SemperisDSPSecurityIndicators

In solution Silverfort: DeviceProduct has "Admin Console"
DeviceVendor has "Silverfort"
Message !contains "count:"

Workbook
SilverfortWorkbook

In solution SonicWall Firewall: Activity in "Anti-Spyware Detection Alert,Anti-Spyware Prevention Alert,Application Control Detection Alert,Application Control Prevention Alert,IPS Detection Alert,IPS Prevention Alert,Website Blocked"
Computer != "127.0.0.1"
DeviceVendor == "SonicWall"
Protocol !contains "/"
Protocol contains "-"

Workbook
SonicWallFirewall

In solution Trend Micro Apex One: DeviceProduct == "Apex Central"
DeviceVendor == "Trend Micro"

Workbook
TrendMicroApexOne

In solution Trend Micro Deep Security: DeviceProduct startswith "Deep Security"
DeviceVendor has_any "Trend Micro,TrendMicro"

Workbook
TrendMicroDeepSecurityAttackActivity
TrendMicroDeepSecurityOverview

In solution Vectra AI Detect: DeviceCustomString1 == "True"
DeviceCustomString2 == "True"
DeviceEventClassID in "asc,audit,campaigns,health,hsc"
DeviceEventClassID !in "health,audit,campaigns,hsc,asc"
DeviceEventClassID !in "health,audit,campaigns,hsc,asc"
DeviceVendor == "Vectra Networks"
SourceUserName != "All"

Workbook
AIVectraDetectWorkbook

In solution Votiro: DeviceProduct == "Votiro cloud"
DeviceVendor == "Votiro"

Workbook
Votiro Monitoring Dashboard

In solution ZeroTrust(TIC3.0):

Workbook Selection Criteria
ZeroTrustTIC3

In solution Zscaler Internet Access:

Workbook Selection Criteria
NSSAuditLogs DeviceProduct == "NSSAuditlog"
DeviceVendor == "Zscaler"
NSSCASBActivityLogs DeviceProduct == "NSSCasbactivitylog"
DeviceVendor == "Zscaler"
NSSCASBCRMLogs DeviceProduct == "NSSCasbcrmlog"
DeviceVendor == "Zscaler"
NSSCASBCloudStorageLogs DeviceProduct == "NSSCasbcloudstoragelog"
DeviceVendor == "Zscaler"
NSSCASBCollabLogs DeviceProduct == "NSSCasbcollablog"
DeviceVendor == "Zscaler"
NSSCASBEmail DeviceProduct == "NSSCasbemaillog"
DeviceVendor == "Zscaler"
NSSCASBFileSharingLogs DeviceProduct == "NSSCasbfilesharinglog"
DeviceVendor == "Zscaler"
NSSCASBITSMLogs DeviceProduct == "NSSCasbitsmlog"
DeviceVendor == "Zscaler"
NSSCASBRepoLogs DeviceProduct == "NSSCasbrepolog"
DeviceVendor == "Zscaler"
NSSDNSLogs DeviceProduct == "NSSDNSlog"
DeviceVendor == "Zscaler"
NSSEmailDLPLogs DeviceCustomString4Label == "rulelabels"
DeviceEventClassID == "DLP Incident"
DeviceProduct == "NSSEmaildlplog"
DeviceVendor == "Zscaler"
NSSEndpointDLPLogs DeviceProduct == "NSSEndpointdlplog"
DeviceVendor == "Zscaler"
NSSFWLogs Activity !contains "Default"
Activity !contains "Recommended"
DestinationPort != "0"
DeviceEventClassID !contains "Allow"
DeviceEventClassID contains "Allow"
DeviceProduct == "NSSFWlog"
SourcePort != "0"
NSSTunnelLogs DeviceEventClassID in "Tunnel Event,Tunnel Samples"
DeviceProduct == "NSSTunnellog"
DeviceVendor == "Zscaler"
NSSWebLogsOffice365 DestinationServiceName contains "Microsoft"
DestinationServiceName contains "Onedrive"
DestinationServiceName contains "Outlook"
DestinationServiceName contains "Sharepoint"
DestinationServiceName contains "Skype"
DestinationServiceName contains "office.com"
DeviceCustomString2 == "Phishing"
DeviceEventClassID !contains "Allow"
DeviceEventClassID contains "Allow"
DeviceVendor == "Zscaler"
NSSWebLogsOverview DestinationServiceName has_any "Microsoft"
DeviceEventClassID in "Allow,Allowed"
DeviceEventClassID !contains "Allow"
DeviceEventClassID contains "Allow"
DeviceProduct == "NSSWeblog"
DeviceVendor == "Zscaler"
RequestMethod != "None"
SourceUserPrivileges == "Road Warrior"
NSSWebLogsThreats Activity contains "IPS"
DestinationServiceName != "generalbrowsing"
DeviceCustomString3 contains "Behavior"
DeviceCustomString5 != "None"
DeviceCustomString5 != "suspiciousfile"
DeviceCustomString5Label == "threatname"
DeviceEventClassID == "Blocked"
DeviceEventClassID !contains "Allow"
DeviceEventClassID contains "Block"
DeviceProduct == "NSSWeblog"
DeviceVendor == "Zscaler"
SourceUserPrivileges == "Road Warrior"

In solution iboss: DeviceVendor == "iboss"

Workbook
ibossMalwareAndC2
ibossWebUsage

In solution vArmour Application Controller: Activity == "POLICY_VIOLATION"
DeviceProduct == "AC"
DeviceVendor == "vArmour"

Workbook
vArmour_AppContoller_Workbook

Parsers Using This Table (67)

ASIM Parsers (34)

Parser Schema Product Selection Criteria
ASimAuditEventBarracudaCEF AuditEvent Barracuda WAF DeviceProduct in "WAAS,WAF"
DeviceVendor startswith "Barracuda"
ASimAuditEventCrowdStrikeFalconHost AuditEvent CrowdStrike Falcon Endpoint Protection DeviceEventClassID == "UserActivityAuditEvent"
DeviceProduct == "FalconHost"
DeviceVendor == "CrowdStrike"
ASimAuditEventInfobloxBloxOne AuditEvent Infoblox BloxOne DeviceEventClassID has "AUDIT"
DeviceVendor == "Infoblox"
ASimAuthenticationCiscoASA Authentication Cisco Adaptive Security Appliance (ASA) DeviceProduct == "ASA"
DeviceVendor == "Cisco"
ASimAuthenticationCrowdStrikeFalconHost Authentication CrowdStrike Falcon Endpoint Protection DeviceEventClassID in "twoFactorAuthenticate,userAuthenticate"
DeviceProduct == "FalconHost"
DeviceVendor == "CrowdStrike"
ASimAuthenticationFortinetFortigate Authentication Fortigate DeviceEventClassID !in "0100022949,0100022952"
DeviceProduct has "Fortigate"
DeviceVendor == "Fortinet"
ASimAuthenticationPaloAltoCortexDataLake Authentication Palo Alto Cortex Data Lake DeviceEventClassID == "AUTH"
DeviceProduct == "LF"
DeviceVendor == "Palo Alto Networks"
ASimAuthenticationPaloAltoGlobalProtect Authentication Palo Alto PAN-OS GlobalProtect DeviceEventClassID == "GLOBALPROTECT"
DeviceProduct == "PAN-OS"
DeviceVendor == "Palo Alto Networks"
ASimAuthenticationPaloAltoPanOS Authentication Palo Alto PAN-OS DeviceEventClassID startswith "auth"
DeviceProduct == "PAN-OS"
DeviceVendor == "Palo Alto Networks"
ASimDhcpEventInfobloxBloxOne DhcpEvent Infoblox BloxOne DeviceEventClassID has "DHCP"
DeviceVendor == "Infoblox"
ASimDnsFortinetFortiGate Dns Fortinet FortiGate DeviceEventClassID endswith "54000"
DeviceEventClassID endswith "54200"
DeviceEventClassID endswith "54400"
DeviceEventClassID endswith "54401"
DeviceEventClassID endswith "54600"
DeviceEventClassID endswith "54601"
DeviceEventClassID endswith "54800"
DeviceEventClassID endswith "54801"
DeviceEventClassID endswith "54802"
DeviceEventClassID endswith "54803"
DeviceEventClassID endswith "54804"
DeviceEventClassID endswith "54805"
DeviceProduct startswith "Fortigate"
DeviceVendor == "Fortinet"
ASimDnsInfobloxBloxOne Dns Infoblox BloxOne DeviceEventClassID has "DNS"
DeviceVendor == "Infoblox"
ASimDnsZscalerZIA Dns Zscaler ZIA DNS DeviceProduct == "NSSDNSlog"
ASimNetworkSessionBarracudaCEF NetworkSession Barracuda WAF DeviceProduct in "WAAS,WAF"
DeviceVendor startswith "Barracuda"
ASimNetworkSessionCheckPointFirewall NetworkSession CheckPointFirewall DeviceProduct == "VPN-1 & FireWall-1"
ASimNetworkSessionCheckPointSmartDefense NetworkSession CheckPointSmartDefense DeviceProduct == "SmartDefense"
DeviceVendor == "Check Point"
ASimNetworkSessionCiscoASA NetworkSession CiscoASA DeviceEventClassID in "106001,106002,106006,106007,106010,106012,106013,106014,106015,106016,106017,106018,106020,106021,106022,106023,106100,302013,302014,302015,302016,302020,302021,710002,710003,710004,710005"
DeviceProduct == "ASA"
DeviceVendor == "Cisco"
ASimNetworkSessionCiscoFirepower NetworkSession Cisco Firepower DeviceEventClassID has "INTRUSION:400"
DeviceEventClassID has "PV:112"
DeviceEventClassID has "RNA:1003:1"
DeviceEventClassID has_any "INTRUSION:400,PV:112,RNA:1003:1"
DeviceProduct == "Firepower"
DeviceVendor == "Cisco"
ASimNetworkSessionCrowdStrikeFalconHost NetworkSession CrowdStrike Falcon Endpoint Protection DeviceEventClassID in "FirewallMatchEvent,Network Access In A Detection Summary Event"
DeviceEventClassID has "Network Access In A Detection Summary Event"
DeviceProduct == "FalconHost"
DeviceVendor == "CrowdStrike"
ASimNetworkSessionForcePointFirewall NetworkSession ForcePointFirewall ApplicationProtocol startswith "TCP"
ApplicationProtocol startswith "UDP"
DestinationServiceName in "Application-Unknown,Generic-Web-HTTP,Unknown-Encrypted-Application"
DeviceEventClassID in "70734,76508,76509"
DeviceEventClassID != "0"
DeviceEventClassID !in "70383,70393,70734,71009,71040"
DeviceProduct == "Firewall"
DeviceVendor == "FORCEPOINT"
RequestMethod != "UNKNOWN"
ASimNetworkSessionFortinetFortiGate NetworkSession Fortinet FortiGate DeviceProduct startswith "FortiGate"
DeviceVendor == "Fortinet"
ASimNetworkSessionPaloAltoCEF NetworkSession Palo Alto PanOS DeviceProduct == "PAN-OS"
DeviceVendor == "Palo Alto Networks"
ASimNetworkSessionPaloAltoCortexDataLake NetworkSession Palo Alto Cortex Data Lake DeviceEventClassID == "TRAFFIC"
DeviceProduct == "LF"
DeviceVendor == "Palo Alto Networks"
ASimNetworkSessionSonicWallFirewall NetworkSession SonicWall DeviceVendor == "SonicWall"
Protocol !contains "/"
Protocol contains "-"
ASimNetworkSessionZscalerZIA NetworkSession Zscaler ZIA Firewall DeviceProduct == "NSSFWlog"
DeviceVendor == "Zscaler"
ASimWebSessionBarracudaCEF WebSession Barracuda WAF DeviceProduct in "WAAS,WAF"
DeviceVendor startswith "Barracuda"
ASimWebSessionCiscoFirepower WebSession Cisco Firepower DeviceEventClassID in "File:500:1,FileMalware:502:1,FireAMP:125:1"
DeviceEventClassID has "File:500:1"
DeviceEventClassID has "FileMalware:502:1"
DeviceProduct == "Firepower"
DeviceVendor == "Cisco"
ASimWebSessionCitrixNetScaler WebSession Citrix NetScaler DeviceEventClassID == "APPFW"
DeviceProduct == "NetScaler"
DeviceVendor == "Citrix"
ASimWebSessionF5ASM WebSession F5 BIG-IP Application Security Manager (ASM) DeviceProduct == "ASM"
DeviceVendor == "F5"
ASimWebSessionFortinetFortiGate WebSession Fortinet FortiGate DeviceProduct startswith "Fortigate"
DeviceVendor == "Fortinet"
ASimWebSessionPaloAltoCEF WebSession Palo Alto Networks Activity == "THREAT"
DeviceEventClassID == "url"
DeviceProduct == "PAN-OS"
DeviceVendor == "Palo Alto Networks"
ASimWebSessionPaloAltoCortexDataLake WebSession Palo Alto Cortex Data Lake DeviceEventClassID == "THREAT"
DeviceProduct == "LF"
DeviceVendor == "Palo Alto Networks"
ASimWebSessionSonicWallFirewall WebSession SonicWall DestinationIP has ":"
DeviceVendor == "SonicWall"
Protocol !contains "/"
Protocol contains "-"
ASimWebSessionZscalerZIA WebSession Zscaler ZIA DeviceCustomString4 == "None"
DeviceProduct == "NSSWeblog"
DeviceVendor == "Zscaler"
RequestContext == "None"

Other Parsers (33)

Parser Solution Selection Criteria
AkamaiSIEMEvent Akamai Security Events DeviceProduct == "akamai_siem"
DeviceVendor == "Akamai"
ArubaClearPass Aruba ClearPass DeviceProduct == "ClearPass"
DeviceVendor == "Aruba Networks"
CiscoSEGEvent CiscoSEG DeviceEventClassID == "ESA_CONSOLIDATED_LOG_EVENT"
CitrixADCEventOld Citrix ADC ⚠️ DeviceProduct == "NetScaler"
DeviceVendor == "Citrix"
ClarotyEvent Claroty DeviceVendor == "Claroty"
CrowdStrikeFalconEventStream CrowdStrike Falcon Endpoint Protection DeviceProduct == "FalconHost"
DeviceVendor == "CrowdStrike"
DragosPushNotificationsToSentinel Dragos DeviceCustomString1 has "None"
DeviceProduct == "Platform"
DeviceVendor == "Dragos"
DeviceVersion == "2"
FireEyeNXEvent FireEye Network Security DeviceVendor == "FireEye"
ForgeRockParser ForgeRock Common Audit for CEF DeviceVendor == "ForgeRock Inc"
Fortiweb Fortinet FortiWeb Cloud WAF-as-a-Service connector for Microsoft Sentinel DeviceProduct has "Fortiweb"
DeviceVendor == "Fortinet"
IllumioCoreEvent Illumio Core DeviceCustomString1Label in "dst_vulns,event_href"
DeviceCustomString2Label in "resource_changes,state"
DeviceCustomString4Label in "dst_labels,notifications"
DeviceCustomString6Label == "dst_href"
DeviceVendor == "Illumio"
InfobloxCDC Infoblox Cloud Data Connector DeviceProduct == "Data Connector"
DeviceVendor == "Infoblox"
InfobloxCDC_SOCInsights Infoblox DeviceEventClassID == "BloxOne-InsightsNotification-Log"
DeviceProduct == "Data Connector"
DeviceVendor == "Infoblox"
InfobloxCDC_SOCInsights Infoblox SOC Insights DeviceEventClassID == "BloxOne-InsightsNotification-Log"
DeviceProduct == "Data Connector"
DeviceVendor == "Infoblox"
McAfeeCommonSecurityLog (Legacy) DeviceVendor == "McAfee"
NetwrixAuditor Netwrix Auditor DeviceVendor == "Netwrix"
NozomiNetworksEvents NozomiNetworks DeviceVendor has "Nozomi"
OSSECEvent OSSEC DeviceVendor has "OSSEC"
OneIdentity_Safeguard OneIdentity ⚠️ DeviceVendor == "OneIdentity"
OneIdentity_Safeguard OneIdentity DeviceVendor == "OneIdentity"
PaloAltoCDLEvent PaloAltoCDL DeviceProduct == "LF"
DeviceVendor == "Palo Alto Networks"
PingFederateEvent PingFederate DeviceProduct has "PingFederate"
RadiflowEvent Radiflow DeviceVendor == "radiflow"
StealthBits StealthDefend Parser (Legacy) DeviceProduct == "StealthDEFEND"
DeviceVendor == "STEALTHbits Technologies"
SymantecDLP Broadcom SymantecDLP DeviceProduct == "DLP"
DeviceVendor == "Symantec"
TMApexOneEvent Trend Micro Apex One DeviceProduct == "Apex Central"
DeviceVendor == "Trend Micro"
TrendMicroDeepSecurity Trend Micro Deep Security DeviceProduct startswith "Deep Security"
DeviceVendor has_any "Trend Micro,TrendMicro"
TrendMicroTippingPoint Trend Micro TippingPoint DeviceProduct == "UnityOne"
VotiroEvents Votiro DeviceProduct == "Votiro cloud"
DeviceVendor == "Votiro"
getForgeRockUsers ForgeRock Common Audit for CEF ⚠️ DeviceVendor == "ForgeRock Inc"
ibossUrlEvent iboss DeviceVendor == "iboss"
pfsensefilterlog (Legacy) DeviceEventClassID == "filterlog"
DeviceProduct == "pfsense"
pfsensenginx (Legacy) DeviceEventClassID == "nginx"
DeviceProduct == "pfsense"

⚠️ Parsers marked with ⚠️ are not listed in their Solution JSON file.

Resource Types

This table collects data from the following Azure resource types:

Selection Criteria Summary (214 criteria, 425 total references)

References by type: 108 connectors, 250 content items, 34 ASIM parsers, 33 other parsers.

Selection Criteria Connectors Content Items ASIM Parsers Other Parsers Total
DeviceProduct == "LF"
DeviceVendor == "Palo Alto Networks"
2 21 - 1 24
DeviceProduct == "Apex Central"
DeviceVendor == "Trend Micro"
2 21 - 1 24
DeviceVendor == "Claroty" 2 21 - 1 24
DeviceEventClassID == "ESA_CONSOLIDATED_LOG_EVENT" 1 22 - 1 24
DeviceProduct has "PingFederate" 2 21 - 1 24
DeviceProduct == "iSID"
DeviceVendor == "radiflow"
1 8 - - 9
DeviceEventClassID == "BloxOne-InsightsNotification-Log"
DeviceProduct == "Data Connector"
DeviceVendor == "Infoblox"
3 2 - 2 7
DeviceProduct == "FalconHost"
DeviceVendor == "CrowdStrike"
2 2 - 1 5
DeviceProduct == "Votiro cloud"
DeviceVendor == "Votiro"
1 3 - 1 5
DeviceProduct == "Awake Security"
DeviceVendor == "Arista Networks"
1 4 - - 5
DeviceProduct has "Fortiweb"
DeviceVendor == "Fortinet"
- 4 - 1 5
DeviceProduct startswith "Deep Security"
DeviceVendor has_any "Trend Micro,TrendMicro"
1 2 - 1 4
Activity == "POLICY_VIOLATION"
DeviceProduct == "AC"
DeviceVendor == "vArmour"
2 2 - - 4
DeviceEventClassID has "RPZ"
DeviceProduct == "Data Connector"
DeviceVendor == "Infoblox"
- 4 - - 4
DeviceAction != "block-url"
DeviceEventClassID == "url"
DeviceVendor == "Palo Alto Networks"
- 4 - - 4
DeviceProduct == "DLP"
DeviceVendor == "Symantec"
2 - - 1 3
DeviceVendor == "Contrast Security" 2 1 - - 3
DeviceVendor == "FireEye" 2 - - 1 3
DeviceCustomString1Label in "dst_vulns,event_href"
DeviceCustomString2Label in "resource_changes,state"
DeviceCustomString4Label in "dst_labels,notifications"
DeviceCustomString6Label == "dst_href"
DeviceVendor == "Illumio"
2 - - 1 3
DeviceProduct == "akamai_siem"
DeviceVendor == "Akamai"
2 - - 1 3
DeviceVendor == "Netwrix" 2 - - 1 3
DeviceProduct == "ClearPass"
DeviceVendor == "Aruba Networks"
2 - - 1 3
DeviceVendor has "Nozomi" 2 - - 1 3
DeviceVendor == "Acronis audit" - 3 - - 3
DeviceVendor == "iboss" - 2 - 1 3
DeviceProduct in "WAAS,WAF"
DeviceVendor startswith "Barracuda"
- - 3 - 3
Activity has "SECRET - CREATE"
Activity has "SECRET - VIEW"
DeviceProduct == "Secret Server"
DeviceVendor in "Delinea Software,Thycotic Software"
2 - - - 2
DeviceProduct == "Vault"
DeviceVendor == "Cyber-Ark"
LogSeverity in "10,7"
2 - - - 2
DeviceVendor == "Darktrace" 2 - - - 2
DeviceEventClassID == "ExtraHop Detection"
DeviceVendor == "ExtraHop"
2 - - - 2
DeviceEventClassID in "illusive:access,illusive:login,illusive:suspicious"
DeviceProduct == "illusive"
DeviceVendor == "illusive"
Message !contains "hasForensics"
SourceHostName != "Failed to obtain"
2 - - - 2
DeviceProduct startswith "Fortigate"
DeviceVendor == "Fortinet"
1 - 1 - 2
Activity == "Blocked"
DeviceProduct in "Email,Web"
DeviceVendor == "Forcepoint CSG"
LogSeverity == "6"
SourceUserID != "Not available"
2 - - - 2
DeviceEventClassID == "4001"
DeviceVendor == "RidgeSecurity"
1 1 - - 2
AdditionalExtensions contains "fw_action="
DeviceVendor == "SonicWall"
2 - - - 2
Activity contains "compromise"
DeviceAction == "Terminate"
DeviceProduct == "NGFW"
DeviceVendor == "Forcepoint"
2 - - - 2
DeviceVendor == "Forcepoint CASB" 2 - - - 2
AdditionalExtensions has "InfobloxRPZ=APP_"
AdditionalExtensions has "InfobloxRPZ=CAT_"
DeviceEventClassID == "DHCP-LEASE-CREATE"
DeviceEventClassID has "Audit"
DeviceEventClassID has "DHCP"
DeviceEventClassID has "DNS"
DeviceEventClassID has "RPZ"
DeviceEventClassID has "Service"
DeviceProduct == "Data Connector"
DeviceVendor == "Infoblox"
2 - - - 2
ApplicationProtocol in "DNS,HTTP,TDS"
DeviceProduct == "WireX NFP"
DeviceVendor == "WireX"
2 - - - 2
DeviceVendor == "Barracuda" 1 1 - - 2
DeviceProduct == "UnityOne" 1 - - 1 2
DeviceVendor == "F5" 2 - - - 2
Activity == "File Malware Event"
DestinationPort == "80"
DeviceAction != "Allow"
DeviceProduct == "Firepower"
DeviceVendor == "Cisco"
2 - - - 2
DeviceEventClassID == "hsc"
DeviceEventClassID !in "health,audit,campaigns,hsc,asc"
DeviceProduct == "X Series"
DeviceVendor == "Vectra Networks"
2 - - - 2
DeviceVendor has "OSSEC" 1 - - 1 2
Activity in "APPFW_SQL,APPFW_STARTURL,APPFW_XSS"
DeviceProduct == "NetScaler"
DeviceVendor == "Citrix"
2 - - - 2
DeviceEventClassID == "MaliciousUrlDetected"
DeviceVendor == "Acronis"
- 2 - - 2
DeviceEventClassID == "ActiveProtectionBlocksSuspiciousActivity"
DeviceVendor == "Acronis"
- 2 - - 2
DeviceEventClassID in "MaliciousEmailDetectedPerceptionPointWarning,MaliciousURLDetectedInM365MailboxBackup,MalwareDetectedInM365MailboxBackup"
DeviceVendor == "Acronis"
- 2 - - 2
DeviceProduct == "Data Connector"
DeviceVendor == "Infoblox"
- 1 - 1 2
Activity == "TRAFFIC"
DeviceVendor == "Palo Alto Networks"
- 2 - - 2
DeviceEventClassID == "url" - 2 - - 2
ApplicationProtocol in "pop3,smtp"
DeviceEventClassID == "wildfire"
DeviceVendor == "Palo Alto Networks"
- 2 - - 2
DeviceEventClassID != "asc"
DeviceEventClassID != "audit"
DeviceEventClassID != "campaigns"
DeviceEventClassID != "health"
DeviceEventClassID != "hsc"
DeviceProduct == "X Series"
DeviceVendor == "Vectra Networks"
- 2 - - 2
DeviceProduct == "NetScaler"
DeviceVendor == "Citrix"
- 1 - 1 2
DeviceProduct == "Core Directory" - 2 - - 2
DeviceVendor == "ForgeRock Inc" - - - 2 2
DeviceVendor == "OneIdentity" - - - 2 2
DeviceAction == "Prevented (Blocked)"
DeviceProduct == "Cortex XDR"
DeviceVendor == "Palo Alto Networks"
LogSeverity == "6"
1 - - - 1
DeviceAction == "Blocked"
DeviceProduct == "NSSEndpointdlplog"
1 - - - 1
DeviceEventClassID == "Blocked"
DeviceProduct == "NSSDNSlog"
1 - - - 1
DeviceAction == "Blocked"
DeviceProduct == "NSSCasbemaillog"
1 - - - 1
DeviceAction == "Blocked"
DeviceProduct == "NSSCasbcloudstoragelog"
1 - - - 1
DeviceAction == "FAILED"
DeviceProduct == "IDM"
DeviceVendor == "ForgeRock Inc"
1 - - - 1
DeviceVendor !in "Cisco,Check Point,Palo Alto Networks,Fortinet,F5,Barracuda,ExtraHop,OneIdentity,Zscaler,ForgeRock Inc,Cyber-Ark,illusive,Vectra Networks,Citrix,Darktrace,Akamai,Aruba Networks,CrowdStrike,Symantec,Claroty,Contrast Security,Delinea Software,Thycotic Software,FireEye,Forcepoint CSG,Forcepoint,Forcepoint CASB,iboss,Illumio,Imperva Inc.,Infoblox,Morphisec,Netwrix,Nozomi,Onapsis,OSSEC,PingFederate,RidgeSecurity,SonicWall,Trend Micro,vArmour"
DeviceVendor !in "Cisco,Check Point,Palo Alto Networks,Fortinet,F5,Barracuda,ExtraHop,OneIdentity,Zscaler,ForgeRock Inc,Cyber-Ark,illusive,Vectra Networks,Citrix,Darktrace,Akamai,Aruba Networks,CrowdStrike,Symantec,Claroty,Contrast Security,Delinea Software,Thycotic Software,FireEye,Forcepoint CSG,Forcepoint,Forcepoint CASB,iboss,Illumio,Imperva Inc.,Infoblox,Morphisec,Netwrix,Nozomi,Onapsis,OSSEC,PingFederate,RidgeSecurity,SonicWall,Trend Micro,vArmour,Votiro"
1 - - - 1
Activity == "sql-injection"
DeviceAction == "block"
DeviceProduct == "WAF Gateway"
DeviceVendor in "Imperva,Imperva Inc."
LogSeverity == "High"
1 - - - 1
DeviceEventClassID in "IPSec Phase1,IPSec Phase2,Tunnel Event"
DeviceProduct == "NSSTunnellog"
1 - - - 1
DeviceProduct == "OSP"
DeviceVendor == "Onapsis"
1 - - - 1
DeviceProduct == "ASA"
DeviceVendor == "Cisco"
SimplifiedDeviceAction == "Deny"
1 - - - 1
DeviceProduct == "Fortigate"
DeviceProduct startswith "Fortigate"
DeviceVendor == "Fortinet"
1 - - - 1
DeviceProduct == "NSSAuditlog"
EventOutcome == "Failure"
1 - - - 1
DeviceProduct in "ASA,FTD"
DeviceVendor == "Cisco"
1 - - - 1
DeviceVendor in "Claroty,Medigate" 1 - - - 1
AdditionalExtensions has "InfobloxRPZ=APP_"
AdditionalExtensions has "InfobloxRPZ=CAT_"
DeviceEventClassID == "DHCP-LEASE-CREATE"
DeviceEventClassID has "DNS"
DeviceEventClassID has "RPZ"
DeviceProduct == "Data Connector"
DeviceVendor == "Infoblox"
1 - - - 1
DeviceProduct == "Fortiweb"
DeviceProduct has "Fortiweb"
DeviceVendor == "Fortinet"
1 - - - 1
DeviceProduct == "NSSFWlog" 1 - - - 1
DeviceAction == "Blocked"
DeviceProduct == "NSSCasbrepolog"
1 - - - 1
DeviceProduct in "IronDefense,IronDome"
DeviceVendor == "IronNet"
1 - - - 1
DeviceAction == "Blocked"
DeviceProduct == "NSSEmaildlplog"
1 - - - 1
AdditionalExtensions contains "amaExternalLogService=true"
DeviceVendor == "iboss"
1 - - - 1
DeviceAction == "Blocked"
DeviceProduct == "NSSCasbcollablog"
1 - - - 1
DeviceAction == "Blocked"
DeviceProduct == "NSSCasbcrmlog"
1 - - - 1
DeviceVendor == "OSSEC"
DeviceVendor has "OSSEC"
1 - - - 1
Activity == "THREAT"
DeviceProduct has "PAN-OS"
DeviceVendor == "Palo Alto Networks"
1 - - - 1
Activity == "THREAT"
DeviceProduct == "PAN-OS"
DeviceProduct has "PAN-OS"
DeviceVendor == "Palo Alto Networks"
1 - - - 1
AdditionalExtensions !contains "amaExternalLogService=true"
DeviceVendor == "iboss"
1 - - - 1
DeviceEventClassID == "Blocked"
DeviceProduct == "NSSWeblog"
1 - - - 1
DeviceAction == "Blocked"
DeviceProduct == "NSSCasbfilesharinglog"
1 - - - 1
Activity == "SessionClosed"
DeviceCustomString1Label == "Session ID"
DeviceProduct == "SPS"
DeviceVendor == "OneIdentity"
1 - - - 1
DeviceVendor == "WithSecure™" 1 - - - 1
DeviceAction == "Blocked"
DeviceProduct == "NSSCasbitsmlog"
1 - - - 1
Computer contains "Fortiweb"
DeviceProduct contains "Fortiweb"
DeviceProduct has "Fortiweb"
DeviceVendor == "Fortinet"
DeviceVendor contains "Fortinet"
1 - - - 1
DeviceEventClassID == "ESA_CONSOLIDATED_LOG_EVENT"
DeviceProduct == "ESA_CONSOLIDATED_LOG_EVENT"
DeviceVendor == "Cisco"
1 - - - 1
DeviceEventClassID == "NewIncident"
DeviceProduct == "Admin Console"
DeviceProduct has "Admin Console"
DeviceVendor == "Silverfort"
DeviceVendor has "Silverfort"
Message has "UserBruteForce"
1 - - - 1
DeviceAction == "Blocked"
DeviceProduct == "NSSCasbactivitylog"
1 - - - 1
DeviceEventClassID == "733100" - 1 - - 1
DeviceEventClassID in "733101,733102,733103,733104,733105" - 1 - - 1
AdditionalExtensions contains "BLOCKED"
DeviceVendor == "Contrast Security"
- 1 - - 1
AdditionalExtensions contains "EXPLOITED"
DeviceVendor == "Contrast Security"
- 1 - - 1
AdditionalExtensions contains "INEFFECTIVE"
AdditionalExtensions contains "PROBED"
DeviceVendor == "Contrast Security"
- 1 - - 1
AdditionalExtensions contains "SUSPICIOUS"
DeviceVendor == "Contrast Security"
- 1 - - 1
DeviceProduct == "NSSWeblog"
DeviceVendor == "Zscaler"
- 1 - - 1
DeviceProduct == "illusive" - 1 - - 1
DeviceEventClassID == "DNS Response"
DeviceProduct == "Data Connector"
DeviceVendor == "Infoblox"
- 1 - - 1
DeviceProduct == "IronDefense" - 1 - - 1
Activity == "Deny List updated"
DeviceVendor == "Trend Micro"
- 1 - - 1
AdditionalExtensions has "reason=tcp-rst-from-client"
AdditionalExtensions has "reason=tcp-rst-from-server"
ApplicationProtocol == "incomplete"
DestinationPort !in "443,53,389,80,0,880,8888,8080"
DeviceAction !in "reset-both,deny"
- 1 - - 1
DestinationPort in "10000,1025,1026,1027,1028,1029,106,110,111,1110,119,13,135,139,143,1433,144,1720,1723,1755,179,1900,199,2000,2001,2049,21,2121,22,23,25,26,2717,3000,3128,32768,3306,3389,37,389,3986,427,444,445,465,4899,49152,49153,49154,49155,49156,49157,5000,5009,5051,5060,5101,513,514,515,5190,5357,543,5432,544,548,554,5631,5666,5800,587,5900,6000,6001,631,646,6646,7,7070,79,8000,8008,8009,8080,8081,81,8443,873,88,8888,9,9100,990,993,995,9999" - 1 - - 1
DeviceEventClassID in "file,flood,packet,scan,spyware,virus,vulnerability,wildfire,wildfire-virus"
DeviceVendor == "Palo Alto Networks"
- 1 - - 1
DeviceEventClassID startswith "40"
DeviceVendor == "RidgeSecurity"
- 1 - - 1
DeviceEventClassID == "NewIncident"
DeviceProduct has "Admin Console"
DeviceVendor has "Silverfort"
Message has "Certifried"
- 1 - - 1
DeviceEventClassID == "NewIncident"
DeviceProduct has "Admin Console"
DeviceVendor has "Silverfort"
Message has "Log4Shell"
- 1 - - 1
DeviceEventClassID == "NewIncident"
DeviceProduct has "Admin Console"
DeviceVendor has "Silverfort"
Message has "NoPacBreach"
- 1 - - 1
DeviceEventClassID == "NewIncident"
DeviceProduct has "Admin Console"
DeviceVendor has "Silverfort"
Message has "UserBruteForce"
- 1 - - 1
Protocol !contains "/"
Protocol contains "-"
- 1 - - 1
DeviceEventClassID == "asc"
DeviceProduct == "X Series"
DeviceVendor == "Vectra Networks"
- 1 - - 1
AdditionalExtensions contains "account"
DeviceEventClassID != "asc"
DeviceEventClassID != "audit"
DeviceEventClassID != "campaigns"
DeviceEventClassID != "health"
DeviceEventClassID != "hsc"
DeviceProduct == "X Series"
DeviceVendor == "Vectra Networks"
- 1 - - 1
DeviceEventClassID == "hsc"
DeviceProduct == "X Series"
DeviceVendor == "Vectra Networks"
- 1 - - 1
AdditionalExtensions !has "account"
DeviceEventClassID != "asc"
DeviceEventClassID != "audit"
DeviceEventClassID != "campaigns"
DeviceEventClassID != "health"
DeviceEventClassID != "hsc"
DeviceProduct == "X Series"
DeviceVendor == "Vectra Networks"
- 1 - - 1
DeviceAction == "START"
DeviceEventClassID contains "campaign"
DeviceProduct == "X Series"
DeviceVendor == "Vectra Networks"
- 1 - - 1
DeviceAction != "blocked"
DeviceVendor == "ZScaler"
- 1 - - 1
DeviceAction == "Allowed"
DeviceVendor == "Zscaler"
- 1 - - 1
DeviceEventClassID == "AgentAutoUpdateStalled"
DeviceVendor == "Acronis"
- 1 - - 1
DeviceEventClassID == "MiniPlanAgentOffline"
DeviceVendor == "Acronis"
- 1 - - 1
DeviceEventClassID in "CloudConnectionAzureApplianceConfigurationFailed,CloudConnectionAzureApplianceDeallocationFailed,CloudConnectionAzureApplianceDeletionFailed,CloudConnectionAzureApplianceEOL,CloudConnectionAzureApplianceFailed,CloudConnectionAzureApplianceUpdateFailed,CloudConnectionAzureCloudAccessExpired,CloudConnectionS3CloudAccessExpired"
DeviceVendor == "Acronis"
- 1 - - 1
DeviceEventClassID in "ArchiveCorrupted,BackupFailed,BackupNotResponding,BackupRecoveryFailed"
DeviceVendor == "Acronis"
- 1 - - 1
DeviceEventClassID in "EDRIOCDetected,EDRIncidentDetected"
DeviceVendor == "Acronis"
- 1 - - 1
DeviceEventClassID == "MiMonitoringFailedLoginAttemptsOverThreshold"
DeviceVendor == "Acronis"
- 1 - - 1
DeviceEventClassID in "ActiveProtectionDriverRemediated,ActiveProtectionInvalidNetworkRecoveryPath,ActiveProtectionServiceConflict,ActiveProtectionServiceFailureToApplyPolicy,ActiveProtectionServiceNotAvailable,ActiveProtectionServiceNotRunning,CPSProtectionFailureDetected,ProtectionServiceNotWorking"
DeviceVendor == "Acronis"
- 1 - - 1
DeviceEventClassID == "ActiveProtectionDetectedAszPartitionAccessed"
DeviceVendor == "Acronis"
- 1 - - 1
ApplicationProtocol == "ldap"
DeviceAction has_any "allow"
- 1 - - 1
Activity == "THREAT" - 1 - - 1
Activity == "TRAFFIC"
DeviceAction != "deny"
DeviceVendor == "Palo Alto Networks"
- 1 - - 1
Activity !contains "saas"
Activity contains "Antigena"
Activity contains "Compliance"
Activity contains "iaas"
Activity contains "saas"
DestinationIP !startswith "10"
DestinationIP !startswith "172"
DestinationIP !startswith "192"
DeviceName contains "#"
DeviceProduct in "AI Analyst,Enterprise Immune System"
DeviceVendor == "Darktrace"
- 1 - - 1
DeviceCustomString3 in "DNS Reputation,IP Reputation,URL Reputation"
DeviceProduct in "Anti Malware,Anti-Bot,Anti-Virus,Application Control,DDoS Protector,IPS,Threat Emulation,URL Filtering"
DeviceVendor == "Check Point"
FlexNumber1 in "3,4,5"
LogSeverity in "Critical,High,Medium,Very-High"
- 1 - - 1
CommunicationDirection contains "inbound"
CommunicationDirection contains "outbound"
DeviceEventClassID in "106100,111008,113012,113015,302010,315011,611102,733100"
DeviceProduct == "ASA"
DeviceVendor == "Cisco"
Message contains "-> inside"
Message contains "-> management"
SimplifiedDeviceAction in "Allow,Built,Deny"
- 1 - - 1
DeviceProduct has "PAN-OS" - 1 - - 1
DestinationUserPrivileges !contains "ConjurSync"
DestinationUserPrivileges !contains "PSM"
DestinationUserPrivileges !contains "PSMSessions"
DestinationUserPrivileges !contains "PVWAConfig"
DestinationUserPrivileges !contains "PVWAPrivateUserPrefs"
DestinationUserPrivileges !contains "PasswordManager"
DestinationUserPrivileges !contains "PasswordManagerShared"
DestinationUserPrivileges !contains "SharedAuth_Internal"
DestinationUserPrivileges !contains "VaultInternal"
DestinationUserPrivileges contains "ConjurSync"
DeviceAction contains "disable"
DeviceProduct == "Vault"
DeviceVendor == "Cyber-Ark"
OldFileID contains "Error"
OldFileID contains "Failure"
OldFileID contains "error"
SourceUserName !contains "PasswordManager"
SourceUserName contains "Sync_components"
SourceUserName contains "administrator"
- 1 - - 1
Activity == "SECRET - EXPIREDTODAY"
DeviceProduct == "Secret Server"
DeviceVendor in "Delinea Software,Thycotic Software"
LogSeverity == "2"
- 1 - - 1
DeviceVendor == "ExtraHop" - 1 - - 1
DeviceProduct in "CASB Admin audit log,Cloud Service Monitoring,SaaS Security Gateway"
DeviceVendor == "Forcepoint CASB"
- 1 - - 1
Activity != "Blocked"
DeviceProduct in "Email,Web"
DeviceVendor == "Forcepoint CSG"
LogSeverity in "6,9"
SourceUserID != "Not available"
- 1 - - 1
DeviceAction == "Terminate"
DeviceProduct == "NGFW"
DeviceVendor == "Forcepoint"
LogSeverity == "10"
- 1 - - 1
Activity in "File_Malware-Blocked,URL_Category-Accounting"
DeviceAction == "Discard"
DeviceAction != "Discard"
DeviceAction != "Terminate"
DeviceFacility == "Inspection"
DeviceProduct in "Alert,Audit"
DeviceVendor in "FORCEPOINT,Forcepoint"
Message contains "Login succeeded"
Message contains "Logout"
Message contains "created"
Message contains "modified"
- 1 - - 1
Activity contains "forward"
DestinationTranslatedAddress contains "."
DeviceInboundInterface in "port1,port2"
DeviceProduct contains "Fortigate"
DeviceVendor == "Fortinet"
- 1 - - 1
DeviceEventClassID in "illusive:access,illusive:login,illusive:suspicious"
Message !contains "hasForensics"
SourceHostName != "Failed to obtain"
- 1 - - 1
DeviceCustomString1 in "CROWN_JEWEL_CREDENTIALS,LOCAL_USER_ADMINISTRATORS,SUSPICIOUS_FILES,USER_CREDENTIALS"
DeviceEventClassID == "illusive:violation"
- 1 - - 1
DeviceEventClassID in "DHCP-LEASE-CREATE,DHCP-LEASE-DELETE,DHCP-LEASE-UPDATE"
DeviceEventClassID has "Audit"
DeviceEventClassID has "DHCP"
DeviceEventClassID has "DNS"
DeviceEventClassID has "RPZ"
DeviceEventClassID has "Service"
DeviceProduct == "Data Connector"
DeviceVendor == "Infoblox"
- 1 - - 1
DeviceEventClassID in "DHCP-LEASE-CREATE,DHCP-LEASE-DELETE,DHCP-LEASE-UPDATE"
DeviceEventClassID has "DHCP"
DeviceEventClassID has "DNS"
DeviceEventClassID has "RPZ"
DeviceProduct == "Data Connector"
DeviceVendor == "Infoblox"
- 1 - - 1
DeviceProduct == "IronDefense"
LogSeverity in "High,Low,Medium,Very-High"
- 1 - - 1
DeviceVendor == "Onapsis" - 1 - - 1
Activity in "ServerConnect,SessionClosed"
DeviceCustomString1Label == "Session ID"
DeviceProduct == "SPS"
DeviceVendor == "OneIdentity"
- 1 - - 1
Activity == "WildFire Malware"
DeviceProduct == "Cortex XDR"
DeviceVendor == "Palo Alto Networks"
- 1 - - 1
Activity == "THREAT"
DeviceEventClassID in "correlation,vulnerability,wildfire"
DeviceEventClassID != "file"
DeviceEventClassID != "url"
DeviceProduct has "PAN-OS"
DeviceVendor == "Palo Alto Networks"
- 1 - - 1
Activity in "THREAT,TRAFFIC,Traffic"
DeviceAction in "alert,block-continue,block-url,continue"
DeviceAction !contains "block"
DeviceAction !contains "deny"
DeviceAction contains "block"
DeviceAction contains "deny"
DeviceEventClassID in "end,file,url,wildfire"
DeviceProduct has "LF"
DeviceProduct has "PAN-OS"
DeviceVendor == "Palo Alto Networks"
- 1 - - 1
DeviceProduct == "PingFederate"
DeviceProduct has "PingFederate"
- 1 - - 1
DeviceEventClassID == "Semperis.DSP.AdChanges" - 1 - - 1
DeviceProduct has "Admin Console"
DeviceVendor has "Silverfort"
Message !contains "count:"
- 1 - - 1
Activity in "Anti-Spyware Detection Alert,Anti-Spyware Prevention Alert,Application Control Detection Alert,Application Control Prevention Alert,IPS Detection Alert,IPS Prevention Alert,Website Blocked"
Computer != "127.0.0.1"
DeviceVendor == "SonicWall"
Protocol !contains "/"
Protocol contains "-"
- 1 - - 1
DeviceVendor has_any "CrowdStrike,Microsoft,Qualys,Tripwire"
Message has_any "change"
Message has_any "record modified"
- 1 - - 1
DeviceCustomString1 == "True"
DeviceCustomString2 == "True"
DeviceEventClassID in "asc,audit,campaigns,health,hsc"
DeviceEventClassID !in "health,audit,campaigns,hsc,asc"
DeviceEventClassID !in "health,audit,campaigns,hsc,asc"
DeviceVendor == "Vectra Networks"
SourceUserName != "All"
- 1 - - 1
DeviceProduct == "NSSAuditlog"
DeviceVendor == "Zscaler"
- 1 - - 1
DeviceProduct == "NSSCasbactivitylog"
DeviceVendor == "Zscaler"
- 1 - - 1
DeviceProduct == "NSSCasbcloudstoragelog"
DeviceVendor == "Zscaler"
- 1 - - 1
DeviceProduct == "NSSCasbcollablog"
DeviceVendor == "Zscaler"
- 1 - - 1
DeviceProduct == "NSSCasbcrmlog"
DeviceVendor == "Zscaler"
- 1 - - 1
DeviceProduct == "NSSCasbemaillog"
DeviceVendor == "Zscaler"
- 1 - - 1
DeviceProduct == "NSSCasbfilesharinglog"
DeviceVendor == "Zscaler"
- 1 - - 1
DeviceProduct == "NSSCasbitsmlog"
DeviceVendor == "Zscaler"
- 1 - - 1
DeviceProduct == "NSSCasbrepolog"
DeviceVendor == "Zscaler"
- 1 - - 1
DeviceProduct == "NSSDNSlog"
DeviceVendor == "Zscaler"
- 1 - - 1
DeviceCustomString4Label == "rulelabels"
DeviceEventClassID == "DLP Incident"
DeviceProduct == "NSSEmaildlplog"
DeviceVendor == "Zscaler"
- 1 - - 1
DeviceProduct == "NSSEndpointdlplog"
DeviceVendor == "Zscaler"
- 1 - - 1
Activity !contains "Default"
Activity !contains "Recommended"
DestinationPort != "0"
DeviceEventClassID !contains "Allow"
DeviceEventClassID contains "Allow"
DeviceProduct == "NSSFWlog"
SourcePort != "0"
- 1 - - 1
DeviceEventClassID in "Tunnel Event,Tunnel Samples"
DeviceProduct == "NSSTunnellog"
DeviceVendor == "Zscaler"
- 1 - - 1
DestinationServiceName contains "Microsoft"
DestinationServiceName contains "Onedrive"
DestinationServiceName contains "Outlook"
DestinationServiceName contains "Sharepoint"
DestinationServiceName contains "Skype"
DestinationServiceName contains "office.com"
DeviceCustomString2 == "Phishing"
DeviceEventClassID !contains "Allow"
DeviceEventClassID contains "Allow"
DeviceVendor == "Zscaler"
- 1 - - 1
DestinationServiceName has_any "Microsoft"
DeviceEventClassID in "Allow,Allowed"
DeviceEventClassID !contains "Allow"
DeviceEventClassID contains "Allow"
DeviceProduct == "NSSWeblog"
DeviceVendor == "Zscaler"
RequestMethod != "None"
SourceUserPrivileges == "Road Warrior"
- 1 - - 1
Activity contains "IPS"
DestinationServiceName != "generalbrowsing"
DeviceCustomString3 contains "Behavior"
DeviceCustomString5 != "None"
DeviceCustomString5 != "suspiciousfile"
DeviceCustomString5Label == "threatname"
DeviceEventClassID == "Blocked"
DeviceEventClassID !contains "Allow"
DeviceEventClassID contains "Block"
DeviceProduct == "NSSWeblog"
DeviceVendor == "Zscaler"
SourceUserPrivileges == "Road Warrior"
- 1 - - 1
DeviceEventClassID == "UserActivityAuditEvent"
DeviceProduct == "FalconHost"
DeviceVendor == "CrowdStrike"
- - 1 - 1
DeviceEventClassID has "AUDIT"
DeviceVendor == "Infoblox"
- - 1 - 1
DeviceProduct == "ASA"
DeviceVendor == "Cisco"
- - 1 - 1
DeviceEventClassID in "twoFactorAuthenticate,userAuthenticate"
DeviceProduct == "FalconHost"
DeviceVendor == "CrowdStrike"
- - 1 - 1
DeviceEventClassID !in "0100022949,0100022952"
DeviceProduct has "Fortigate"
DeviceVendor == "Fortinet"
- - 1 - 1
DeviceEventClassID == "AUTH"
DeviceProduct == "LF"
DeviceVendor == "Palo Alto Networks"
- - 1 - 1
DeviceEventClassID == "GLOBALPROTECT"
DeviceProduct == "PAN-OS"
DeviceVendor == "Palo Alto Networks"
- - 1 - 1
DeviceEventClassID startswith "auth"
DeviceProduct == "PAN-OS"
DeviceVendor == "Palo Alto Networks"
- - 1 - 1
DeviceEventClassID has "DHCP"
DeviceVendor == "Infoblox"
- - 1 - 1
DeviceEventClassID endswith "54000"
DeviceEventClassID endswith "54200"
DeviceEventClassID endswith "54400"
DeviceEventClassID endswith "54401"
DeviceEventClassID endswith "54600"
DeviceEventClassID endswith "54601"
DeviceEventClassID endswith "54800"
DeviceEventClassID endswith "54801"
DeviceEventClassID endswith "54802"
DeviceEventClassID endswith "54803"
DeviceEventClassID endswith "54804"
DeviceEventClassID endswith "54805"
DeviceProduct startswith "Fortigate"
DeviceVendor == "Fortinet"
- - 1 - 1
DeviceEventClassID has "DNS"
DeviceVendor == "Infoblox"
- - 1 - 1
DeviceProduct == "NSSDNSlog" - - 1 - 1
DeviceProduct == "VPN-1 & FireWall-1" - - 1 - 1
DeviceProduct == "SmartDefense"
DeviceVendor == "Check Point"
- - 1 - 1
DeviceEventClassID in "106001,106002,106006,106007,106010,106012,106013,106014,106015,106016,106017,106018,106020,106021,106022,106023,106100,302013,302014,302015,302016,302020,302021,710002,710003,710004,710005"
DeviceProduct == "ASA"
DeviceVendor == "Cisco"
- - 1 - 1
DeviceEventClassID has "INTRUSION:400"
DeviceEventClassID has "PV:112"
DeviceEventClassID has "RNA:1003:1"
DeviceEventClassID has_any "INTRUSION:400,PV:112,RNA:1003:1"
DeviceProduct == "Firepower"
DeviceVendor == "Cisco"
- - 1 - 1
DeviceEventClassID in "FirewallMatchEvent,Network Access In A Detection Summary Event"
DeviceEventClassID has "Network Access In A Detection Summary Event"
DeviceProduct == "FalconHost"
DeviceVendor == "CrowdStrike"
- - 1 - 1
ApplicationProtocol startswith "TCP"
ApplicationProtocol startswith "UDP"
DestinationServiceName in "Application-Unknown,Generic-Web-HTTP,Unknown-Encrypted-Application"
DeviceEventClassID in "70734,76508,76509"
DeviceEventClassID != "0"
DeviceEventClassID !in "70383,70393,70734,71009,71040"
DeviceProduct == "Firewall"
DeviceVendor == "FORCEPOINT"
RequestMethod != "UNKNOWN"
- - 1 - 1
DeviceProduct startswith "FortiGate"
DeviceVendor == "Fortinet"
- - 1 - 1
DeviceProduct == "PAN-OS"
DeviceVendor == "Palo Alto Networks"
- - 1 - 1
DeviceEventClassID == "TRAFFIC"
DeviceProduct == "LF"
DeviceVendor == "Palo Alto Networks"
- - 1 - 1
DeviceVendor == "SonicWall"
Protocol !contains "/"
Protocol contains "-"
- - 1 - 1
DeviceProduct == "NSSFWlog"
DeviceVendor == "Zscaler"
- - 1 - 1
DeviceEventClassID in "File:500:1,FileMalware:502:1,FireAMP:125:1"
DeviceEventClassID has "File:500:1"
DeviceEventClassID has "FileMalware:502:1"
DeviceProduct == "Firepower"
DeviceVendor == "Cisco"
- - 1 - 1
DeviceEventClassID == "APPFW"
DeviceProduct == "NetScaler"
DeviceVendor == "Citrix"
- - 1 - 1
DeviceProduct == "ASM"
DeviceVendor == "F5"
- - 1 - 1
Activity == "THREAT"
DeviceEventClassID == "url"
DeviceProduct == "PAN-OS"
DeviceVendor == "Palo Alto Networks"
- - 1 - 1
DeviceEventClassID == "THREAT"
DeviceProduct == "LF"
DeviceVendor == "Palo Alto Networks"
- - 1 - 1
DestinationIP has ":"
DeviceVendor == "SonicWall"
Protocol !contains "/"
Protocol contains "-"
- - 1 - 1
DeviceCustomString4 == "None"
DeviceProduct == "NSSWeblog"
DeviceVendor == "Zscaler"
RequestContext == "None"
- - 1 - 1
DeviceVendor == "McAfee" - - - 1 1
DeviceProduct == "StealthDEFEND"
DeviceVendor == "STEALTHbits Technologies"
- - - 1 1
DeviceEventClassID == "filterlog"
DeviceProduct == "pfsense"
- - - 1 1
DeviceEventClassID == "nginx"
DeviceProduct == "pfsense"
- - - 1 1
DeviceCustomString1 has "None"
DeviceProduct == "Platform"
DeviceVendor == "Dragos"
DeviceVersion == "2"
- - - 1 1
DeviceVendor == "radiflow" - - - 1 1
Total 108 250 34 33 425

DeviceProduct / DeviceVendor

DeviceProduct DeviceVendor Connectors Content Items ASIM Parsers Other Parsers Total
LF Palo Alto Networks 2 21 3 1 27
Claroty 3 21 - 1 25
has PingFederate 2 22 - 1 25
Apex Central Trend Micro 2 21 - 1 24
Data Connector Infoblox 6 10 - 3 19
Acronis - 14 - - 14
Palo Alto Networks - 10 - - 10
iSID radiflow 1 8 - - 9
X Series Vectra Networks 2 7 - - 9
FalconHost CrowdStrike 2 2 3 1 8
Contrast Security 2 5 - - 7
has Fortiweb Fortinet 2 4 - 1 7
has Admin Console has Silverfort 1 5 - - 6
SonicWall 2 1 2 - 5
ASA Cisco 2 1 2 - 5
Votiro cloud Votiro 1 3 - 1 5
iboss 2 2 - 1 5
PAN-OS Palo Alto Networks 1 - 4 - 5
Awake Security Arista Networks 1 4 - - 5
NetScaler Citrix 2 1 1 1 5
startswith Fortigate Fortinet 2 - 2 - 4
startswith Deep Security has_any Trend Micro 1 2 - 1 4
startswith Deep Security has_any TrendMicro 1 2 - 1 4
AC vArmour 2 2 - - 4
Firepower Cisco 2 - 2 - 4
has PAN-OS Palo Alto Networks 2 2 - - 4
NSSWeblog Zscaler - 3 1 - 4
Secret Server Delinea Software 2 1 - - 3
Secret Server Thycotic Software 2 1 - - 3
Vault Cyber-Ark 2 1 - - 3
DLP Symantec 2 - - 1 3
ExtraHop 2 1 - - 3
FireEye 2 - - 1 3
Illumio 2 - - 1 3
Email Forcepoint CSG 2 1 - - 3
Web Forcepoint CSG 2 1 - - 3
RidgeSecurity 1 2 - - 3
NGFW Forcepoint 2 1 - - 3
akamai_siem Akamai 2 - - 1 3
has OSSEC 2 - - 1 3
Netwrix 2 - - 1 3
ClearPass Aruba Networks 2 - - 1 3
has Nozomi 2 - - 1 3
Acronis audit - 3 - - 3
WAAS startswith Barracuda - - 3 - 3
WAF startswith Barracuda - - 3 - 3
Infoblox - - 3 - 3
Cortex XDR Palo Alto Networks 1 1 - - 2
NSSDNSlog 1 - 1 - 2
!= Cisco 2 - - - 2
!= Check Point 2 - - - 2
!= Palo Alto Networks 2 - - - 2
!= Fortinet 2 - - - 2
!= F5 2 - - - 2
!= Barracuda 2 - - - 2
!= ExtraHop 2 - - - 2
!= OneIdentity 2 - - - 2
!= Zscaler 2 - - - 2
!= ForgeRock Inc 2 - - - 2
!= Cyber-Ark 2 - - - 2
!= illusive 2 - - - 2
!= Vectra Networks 2 - - - 2
!= Citrix 2 - - - 2
!= Darktrace 2 - - - 2
!= Akamai 2 - - - 2
!= Aruba Networks 2 - - - 2
!= CrowdStrike 2 - - - 2
!= Symantec 2 - - - 2
!= Claroty 2 - - - 2
!= Contrast Security 2 - - - 2
!= Delinea Software 2 - - - 2
!= Thycotic Software 2 - - - 2
!= FireEye 2 - - - 2
!= Forcepoint CSG 2 - - - 2
!= Forcepoint 2 - - - 2
!= Forcepoint CASB 2 - - - 2
!= iboss 2 - - - 2
!= Illumio 2 - - - 2
!= Imperva Inc. 2 - - - 2
!= Infoblox 2 - - - 2
!= Morphisec 2 - - - 2
!= Netwrix 2 - - - 2
!= Nozomi 2 - - - 2
!= Onapsis 2 - - - 2
!= OSSEC 2 - - - 2
!= PingFederate 2 - - - 2
!= RidgeSecurity 2 - - - 2
!= SonicWall 2 - - - 2
!= Trend Micro 2 - - - 2
!= vArmour 2 - - - 2
Darktrace 2 - - - 2
illusive illusive 2 - - - 2
NSSFWlog 1 1 - - 2
Forcepoint CASB 2 - - - 2
WireX NFP WireX 2 - - - 2
Barracuda 1 1 - - 2
UnityOne 1 - - 1 2
F5 2 - - - 2
SPS OneIdentity 1 1 - - 2
IronDefense - 2 - - 2
Zscaler - 2 - - 2
Core Directory - 2 - - 2
pfsense - - - 2 2
ForgeRock Inc - - - 2 2
OneIdentity - - - 2 2
NSSEndpointdlplog 1 - - - 1
NSSCasbemaillog 1 - - - 1
NSSCasbcloudstoragelog 1 - - - 1
IDM ForgeRock Inc 1 - - - 1
!= Votiro 1 - - - 1
WAF Gateway Imperva 1 - - - 1
WAF Gateway Imperva Inc. 1 - - - 1
NSSTunnellog 1 - - - 1
OSP Onapsis 1 - - - 1
Fortigate Fortinet 1 - - - 1
NSSAuditlog 1 - - - 1
FTD Cisco 1 - - - 1
Medigate 1 - - - 1
Fortiweb Fortinet 1 - - - 1
NSSCasbrepolog 1 - - - 1
IronDefense IronNet 1 - - - 1
IronDome IronNet 1 - - - 1
NSSEmaildlplog 1 - - - 1
NSSCasbcollablog 1 - - - 1
NSSCasbcrmlog 1 - - - 1
OSSEC 1 - - - 1
NSSWeblog 1 - - - 1
NSSCasbfilesharinglog 1 - - - 1
WithSecure™ 1 - - - 1
NSSCasbitsmlog 1 - - - 1
contains Fortiweb Fortinet 1 - - - 1
contains Fortiweb contains Fortinet 1 - - - 1
has Fortiweb contains Fortinet 1 - - - 1
ESA_CONSOLIDATED_LOG_EVENT Cisco 1 - - - 1
Admin Console Silverfort 1 - - - 1
Admin Console has Silverfort 1 - - - 1
has Admin Console Silverfort 1 - - - 1
NSSCasbactivitylog 1 - - - 1
illusive - 1 - - 1
Trend Micro - 1 - - 1
ZScaler - 1 - - 1
AI Analyst Darktrace - 1 - - 1
Enterprise Immune System Darktrace - 1 - - 1
Anti Malware Check Point - 1 - - 1
Anti-Bot Check Point - 1 - - 1
Anti-Virus Check Point - 1 - - 1
Application Control Check Point - 1 - - 1
DDoS Protector Check Point - 1 - - 1
IPS Check Point - 1 - - 1
Threat Emulation Check Point - 1 - - 1
URL Filtering Check Point - 1 - - 1
has PAN-OS - 1 - - 1
CASB Admin audit log Forcepoint CASB - 1 - - 1
Cloud Service Monitoring Forcepoint CASB - 1 - - 1
SaaS Security Gateway Forcepoint CASB - 1 - - 1
Alert FORCEPOINT - 1 - - 1
Alert Forcepoint - 1 - - 1
Audit FORCEPOINT - 1 - - 1
Audit Forcepoint - 1 - - 1
contains Fortigate Fortinet - 1 - - 1
Onapsis - 1 - - 1
has LF Palo Alto Networks - 1 - - 1
PingFederate - 1 - - 1
has_any CrowdStrike - 1 - - 1
has_any Microsoft - 1 - - 1
has_any Qualys - 1 - - 1
has_any Tripwire - 1 - - 1
Vectra Networks - 1 - - 1
NSSAuditlog Zscaler - 1 - - 1
NSSCasbactivitylog Zscaler - 1 - - 1
NSSCasbcloudstoragelog Zscaler - 1 - - 1
NSSCasbcollablog Zscaler - 1 - - 1
NSSCasbcrmlog Zscaler - 1 - - 1
NSSCasbemaillog Zscaler - 1 - - 1
NSSCasbfilesharinglog Zscaler - 1 - - 1
NSSCasbitsmlog Zscaler - 1 - - 1
NSSCasbrepolog Zscaler - 1 - - 1
NSSDNSlog Zscaler - 1 - - 1
NSSEmaildlplog Zscaler - 1 - - 1
NSSEndpointdlplog Zscaler - 1 - - 1
NSSTunnellog Zscaler - 1 - - 1
has Fortigate Fortinet - - 1 - 1
VPN-1 & FireWall-1 - - 1 - 1
SmartDefense Check Point - - 1 - 1
Firewall FORCEPOINT - - 1 - 1
startswith FortiGate Fortinet - - 1 - 1
NSSFWlog Zscaler - - 1 - 1
ASM F5 - - 1 - 1
McAfee - - - 1 1
StealthDEFEND STEALTHbits Technologies - - - 1 1
Platform Dragos - - - 1 1
radiflow - - - 1 1

Activity

Value Connectors Content Items ASIM Parsers Other Parsers Total
THREAT 2 3 1 - 6
POLICY_VIOLATION 2 2 - - 4
TRAFFIC - 4 - - 4
has SECRET - CREATE 2 - - - 2
has SECRET - VIEW 2 - - - 2
Blocked 2 - - - 2
contains compromise 2 - - - 2
File Malware Event 2 - - - 2
SessionClosed 1 1 - - 2
APPFW_SQL 2 - - - 2
APPFW_STARTURL 2 - - - 2
APPFW_XSS 2 - - - 2
sql-injection 1 - - - 1
Deny List updated - 1 - - 1
!contains saas - 1 - - 1
contains Antigena - 1 - - 1
contains Compliance - 1 - - 1
contains iaas - 1 - - 1
contains saas - 1 - - 1
SECRET - EXPIREDTODAY - 1 - - 1
!= Blocked - 1 - - 1
File_Malware-Blocked - 1 - - 1
URL_Category-Accounting - 1 - - 1
contains forward - 1 - - 1
ServerConnect - 1 - - 1
WildFire Malware - 1 - - 1
Traffic - 1 - - 1
Anti-Spyware Detection Alert - 1 - - 1
Anti-Spyware Prevention Alert - 1 - - 1
Application Control Detection Alert - 1 - - 1
Application Control Prevention Alert - 1 - - 1
IPS Detection Alert - 1 - - 1
IPS Prevention Alert - 1 - - 1
Website Blocked - 1 - - 1
!contains Default - 1 - - 1
!contains Recommended - 1 - - 1
contains IPS - 1 - - 1

AdditionalExtensions

Value Connectors Content Items ASIM Parsers Other Parsers Total
has InfobloxRPZ=APP_ 3 - - - 3
has InfobloxRPZ=CAT_ 3 - - - 3
contains fw_action= 2 - - - 2
contains amaExternalLogService=true 1 - - - 1
!contains amaExternalLogService=true 1 - - - 1
contains BLOCKED - 1 - - 1
contains EXPLOITED - 1 - - 1
contains INEFFECTIVE - 1 - - 1
contains PROBED - 1 - - 1
contains SUSPICIOUS - 1 - - 1
has reason=tcp-rst-from-client - 1 - - 1
has reason=tcp-rst-from-server - 1 - - 1
contains account - 1 - - 1
!has account - 1 - - 1

ApplicationProtocol

Value Connectors Content Items ASIM Parsers Other Parsers Total
DNS 2 - - - 2
HTTP 2 - - - 2
TDS 2 - - - 2
pop3 - 2 - - 2
smtp - 2 - - 2
incomplete - 1 - - 1
ldap - 1 - - 1
startswith TCP - - 1 - 1
startswith UDP - - 1 - 1

CommunicationDirection

Value Connectors Content Items ASIM Parsers Other Parsers Total
contains inbound - 1 - - 1
contains outbound - 1 - - 1

Computer

Value Connectors Content Items ASIM Parsers Other Parsers Total
contains Fortiweb 1 - - - 1
!= 127.0.0.1 - 1 - - 1

DestinationIP

Value Connectors Content Items ASIM Parsers Other Parsers Total
!startswith 10 - 1 - - 1
!startswith 172 - 1 - - 1
!startswith 192 - 1 - - 1
has : - - 1 - 1

DestinationPort

Value Connectors Content Items ASIM Parsers Other Parsers Total
80 2 - - - 2
!= 0 - 2 - - 2
!= 443 - 1 - - 1
!= 53 - 1 - - 1
!= 389 - 1 - - 1
!= 80 - 1 - - 1
!= 880 - 1 - - 1
!= 8888 - 1 - - 1
!= 8080 - 1 - - 1
10000 - 1 - - 1
1025 - 1 - - 1
1026 - 1 - - 1
1027 - 1 - - 1
1028 - 1 - - 1
1029 - 1 - - 1
106 - 1 - - 1
110 - 1 - - 1
111 - 1 - - 1
1110 - 1 - - 1
119 - 1 - - 1
13 - 1 - - 1
135 - 1 - - 1
139 - 1 - - 1
143 - 1 - - 1
1433 - 1 - - 1
144 - 1 - - 1
1720 - 1 - - 1
1723 - 1 - - 1
1755 - 1 - - 1
179 - 1 - - 1
1900 - 1 - - 1
199 - 1 - - 1
2000 - 1 - - 1
2001 - 1 - - 1
2049 - 1 - - 1
21 - 1 - - 1
2121 - 1 - - 1
22 - 1 - - 1
23 - 1 - - 1
25 - 1 - - 1
26 - 1 - - 1
2717 - 1 - - 1
3000 - 1 - - 1
3128 - 1 - - 1
32768 - 1 - - 1
3306 - 1 - - 1
3389 - 1 - - 1
37 - 1 - - 1
389 - 1 - - 1
3986 - 1 - - 1
427 - 1 - - 1
444 - 1 - - 1
445 - 1 - - 1
465 - 1 - - 1
4899 - 1 - - 1
49152 - 1 - - 1
49153 - 1 - - 1
49154 - 1 - - 1
49155 - 1 - - 1
49156 - 1 - - 1
49157 - 1 - - 1
5000 - 1 - - 1
5009 - 1 - - 1
5051 - 1 - - 1
5060 - 1 - - 1
5101 - 1 - - 1
513 - 1 - - 1
514 - 1 - - 1
515 - 1 - - 1
5190 - 1 - - 1
5357 - 1 - - 1
543 - 1 - - 1
5432 - 1 - - 1
544 - 1 - - 1
548 - 1 - - 1
554 - 1 - - 1
5631 - 1 - - 1
5666 - 1 - - 1
5800 - 1 - - 1
587 - 1 - - 1
5900 - 1 - - 1
6000 - 1 - - 1
6001 - 1 - - 1
631 - 1 - - 1
646 - 1 - - 1
6646 - 1 - - 1
7 - 1 - - 1
7070 - 1 - - 1
79 - 1 - - 1
8000 - 1 - - 1
8008 - 1 - - 1
8009 - 1 - - 1
8080 - 1 - - 1
8081 - 1 - - 1
81 - 1 - - 1
8443 - 1 - - 1
873 - 1 - - 1
88 - 1 - - 1
8888 - 1 - - 1
9 - 1 - - 1
9100 - 1 - - 1
990 - 1 - - 1
993 - 1 - - 1
995 - 1 - - 1
9999 - 1 - - 1

DestinationServiceName

Value Connectors Content Items ASIM Parsers Other Parsers Total
contains Microsoft - 1 - - 1
contains Onedrive - 1 - - 1
contains Outlook - 1 - - 1
contains Sharepoint - 1 - - 1
contains Skype - 1 - - 1
contains office.com - 1 - - 1
has_any Microsoft - 1 - - 1
!= generalbrowsing - 1 - - 1
Application-Unknown - - 1 - 1
Generic-Web-HTTP - - 1 - 1
Unknown-Encrypted-Application - - 1 - 1

DestinationTranslatedAddress

Value Connectors Content Items ASIM Parsers Other Parsers Total
contains . - 1 - - 1

DestinationUserPrivileges

Value Connectors Content Items ASIM Parsers Other Parsers Total
!contains ConjurSync - 1 - - 1
!contains PSM - 1 - - 1
!contains PSMSessions - 1 - - 1
!contains PVWAConfig - 1 - - 1
!contains PVWAPrivateUserPrefs - 1 - - 1
!contains PasswordManager - 1 - - 1
!contains PasswordManagerShared - 1 - - 1
!contains SharedAuth_Internal - 1 - - 1
!contains VaultInternal - 1 - - 1
contains ConjurSync - 1 - - 1

DeviceAction

Value Connectors Content Items ASIM Parsers Other Parsers Total
Blocked 10 - - - 10
!= block-url - 4 - - 4
Terminate 2 1 - - 3
!= Allow 2 - - - 2
!= deny - 2 - - 2
Prevented (Blocked) 1 - - - 1
FAILED 1 - - - 1
block 1 - - - 1
!= reset-both - 1 - - 1
START - 1 - - 1
!= blocked - 1 - - 1
Allowed - 1 - - 1
has_any allow - 1 - - 1
contains disable - 1 - - 1
Discard - 1 - - 1
!= Discard - 1 - - 1
!= Terminate - 1 - - 1
alert - 1 - - 1
block-continue - 1 - - 1
block-url - 1 - - 1
continue - 1 - - 1
!contains block - 1 - - 1
!contains deny - 1 - - 1
contains block - 1 - - 1
contains deny - 1 - - 1

DeviceCustomString1

Value Connectors Content Items ASIM Parsers Other Parsers Total
CROWN_JEWEL_CREDENTIALS - 1 - - 1
LOCAL_USER_ADMINISTRATORS - 1 - - 1
SUSPICIOUS_FILES - 1 - - 1
USER_CREDENTIALS - 1 - - 1
True - 1 - - 1
has None - - - 1 1

DeviceCustomString1Label

Value Connectors Content Items ASIM Parsers Other Parsers Total
dst_vulns 2 - - 1 3
event_href 2 - - 1 3
Session ID 1 1 - - 2

DeviceCustomString2

Value Connectors Content Items ASIM Parsers Other Parsers Total
True - 1 - - 1
Phishing - 1 - - 1

DeviceCustomString2Label

Value Connectors Content Items ASIM Parsers Other Parsers Total
resource_changes 2 - - 1 3
state 2 - - 1 3

DeviceCustomString3

Value Connectors Content Items ASIM Parsers Other Parsers Total
DNS Reputation - 1 - - 1
IP Reputation - 1 - - 1
URL Reputation - 1 - - 1
contains Behavior - 1 - - 1

DeviceCustomString4

Value Connectors Content Items ASIM Parsers Other Parsers Total
None - - 1 - 1

DeviceCustomString4Label

Value Connectors Content Items ASIM Parsers Other Parsers Total
dst_labels 2 - - 1 3
notifications 2 - - 1 3
rulelabels - 1 - - 1

DeviceCustomString5

Value Connectors Content Items ASIM Parsers Other Parsers Total
!= None - 1 - - 1
!= suspiciousfile - 1 - - 1

DeviceCustomString5Label

Value Connectors Content Items ASIM Parsers Other Parsers Total
threatname - 1 - - 1

DeviceCustomString6Label

Value Connectors Content Items ASIM Parsers Other Parsers Total
dst_href 2 - - 1 3

DeviceEventClassID

Value Connectors Content Items ASIM Parsers Other Parsers Total
ESA_CONSOLIDATED_LOG_EVENT 2 22 - 1 25
has RPZ 3 6 - - 9
!= health 2 6 - - 8
!= audit 2 6 - - 8
!= campaigns 2 6 - - 8
!= hsc 2 6 - - 8
!= asc 2 6 - - 8
url - 7 1 - 8
BloxOne-InsightsNotification-Log 3 2 - 2 7
has DNS 3 2 1 - 6
DHCP-LEASE-CREATE 3 2 - - 5
has DHCP 2 2 1 - 5
NewIncident 1 4 - - 5
wildfire - 5 - - 5
hsc 2 2 - - 4
!contains Allow - 4 - - 4
Blocked 2 1 - - 3
illusive:access 2 1 - - 3
illusive:login 2 1 - - 3
illusive:suspicious 2 1 - - 3
has Audit 2 1 - - 3
has Service 2 1 - - 3
contains Allow - 3 - - 3
ExtraHop Detection 2 - - - 2
4001 1 1 - - 2
Tunnel Event 1 1 - - 2
MaliciousUrlDetected - 2 - - 2
ActiveProtectionBlocksSuspiciousActivity - 2 - - 2
MaliciousEmailDetectedPerceptionPointWarning - 2 - - 2
MaliciousURLDetectedInM365MailboxBackup - 2 - - 2
MalwareDetectedInM365MailboxBackup - 2 - - 2
733100 - 2 - - 2
file - 2 - - 2
vulnerability - 2 - - 2
asc - 2 - - 2
106100 - 1 1 - 2
DHCP-LEASE-DELETE - 2 - - 2
DHCP-LEASE-UPDATE - 2 - - 2
IPSec Phase1 1 - - - 1
IPSec Phase2 1 - - - 1
733101 - 1 - - 1
733102 - 1 - - 1
733103 - 1 - - 1
733104 - 1 - - 1
733105 - 1 - - 1
DNS Response - 1 - - 1
flood - 1 - - 1
packet - 1 - - 1
scan - 1 - - 1
spyware - 1 - - 1
virus - 1 - - 1
wildfire-virus - 1 - - 1
startswith 40 - 1 - - 1
contains campaign - 1 - - 1
AgentAutoUpdateStalled - 1 - - 1
MiniPlanAgentOffline - 1 - - 1
CloudConnectionAzureApplianceConfigurationFailed - 1 - - 1
CloudConnectionAzureApplianceDeallocationFailed - 1 - - 1
CloudConnectionAzureApplianceDeletionFailed - 1 - - 1
CloudConnectionAzureApplianceEOL - 1 - - 1
CloudConnectionAzureApplianceFailed - 1 - - 1
CloudConnectionAzureApplianceUpdateFailed - 1 - - 1
CloudConnectionAzureCloudAccessExpired - 1 - - 1
CloudConnectionS3CloudAccessExpired - 1 - - 1
ArchiveCorrupted - 1 - - 1
BackupFailed - 1 - - 1
BackupNotResponding - 1 - - 1
BackupRecoveryFailed - 1 - - 1
EDRIOCDetected - 1 - - 1
EDRIncidentDetected - 1 - - 1
MiMonitoringFailedLoginAttemptsOverThreshold - 1 - - 1
ActiveProtectionDriverRemediated - 1 - - 1
ActiveProtectionInvalidNetworkRecoveryPath - 1 - - 1
ActiveProtectionServiceConflict - 1 - - 1
ActiveProtectionServiceFailureToApplyPolicy - 1 - - 1
ActiveProtectionServiceNotAvailable - 1 - - 1
ActiveProtectionServiceNotRunning - 1 - - 1
CPSProtectionFailureDetected - 1 - - 1
ProtectionServiceNotWorking - 1 - - 1
ActiveProtectionDetectedAszPartitionAccessed - 1 - - 1
111008 - 1 - - 1
113012 - 1 - - 1
113015 - 1 - - 1
302010 - 1 - - 1
315011 - 1 - - 1
611102 - 1 - - 1
illusive:violation - 1 - - 1
correlation - 1 - - 1
!= file - 1 - - 1
!= url - 1 - - 1
end - 1 - - 1
Semperis.DSP.AdChanges - 1 - - 1
audit - 1 - - 1
campaigns - 1 - - 1
health - 1 - - 1
DLP Incident - 1 - - 1
Tunnel Samples - 1 - - 1
Allow - 1 - - 1
Allowed - 1 - - 1
contains Block - 1 - - 1
UserActivityAuditEvent - - 1 - 1
has AUDIT - - 1 - 1
twoFactorAuthenticate - - 1 - 1
userAuthenticate - - 1 - 1
!= 0100022949 - - 1 - 1
!= 0100022952 - - 1 - 1
AUTH - - 1 - 1
GLOBALPROTECT - - 1 - 1
startswith auth - - 1 - 1
endswith 54000 - - 1 - 1
endswith 54200 - - 1 - 1
endswith 54400 - - 1 - 1
endswith 54401 - - 1 - 1
endswith 54600 - - 1 - 1
endswith 54601 - - 1 - 1
endswith 54800 - - 1 - 1
endswith 54801 - - 1 - 1
endswith 54802 - - 1 - 1
endswith 54803 - - 1 - 1
endswith 54804 - - 1 - 1
endswith 54805 - - 1 - 1
106001 - - 1 - 1
106002 - - 1 - 1
106006 - - 1 - 1
106007 - - 1 - 1
106010 - - 1 - 1
106012 - - 1 - 1
106013 - - 1 - 1
106014 - - 1 - 1
106015 - - 1 - 1
106016 - - 1 - 1
106017 - - 1 - 1
106018 - - 1 - 1
106020 - - 1 - 1
106021 - - 1 - 1
106022 - - 1 - 1
106023 - - 1 - 1
302013 - - 1 - 1
302014 - - 1 - 1
302015 - - 1 - 1
302016 - - 1 - 1
302020 - - 1 - 1
302021 - - 1 - 1
710002 - - 1 - 1
710003 - - 1 - 1
710004 - - 1 - 1
710005 - - 1 - 1
has INTRUSION:400 - - 1 - 1
has PV:112 - - 1 - 1
has RNA:1003:1 - - 1 - 1
has_any INTRUSION:400 - - 1 - 1
has_any PV:112 - - 1 - 1
has_any RNA:1003:1 - - 1 - 1
FirewallMatchEvent - - 1 - 1
Network Access In A Detection Summary Event - - 1 - 1
has Network Access In A Detection Summary Event - - 1 - 1
70734 - - 1 - 1
76508 - - 1 - 1
76509 - - 1 - 1
!= 0 - - 1 - 1
!= 70383 - - 1 - 1
!= 70393 - - 1 - 1
!= 70734 - - 1 - 1
!= 71009 - - 1 - 1
!= 71040 - - 1 - 1
TRAFFIC - - 1 - 1
File:500:1 - - 1 - 1
FileMalware:502:1 - - 1 - 1
FireAMP:125:1 - - 1 - 1
has File:500:1 - - 1 - 1
has FileMalware:502:1 - - 1 - 1
APPFW - - 1 - 1
THREAT - - 1 - 1
filterlog - - - 1 1
nginx - - - 1 1

DeviceFacility

Value Connectors Content Items ASIM Parsers Other Parsers Total
Inspection - 1 - - 1

DeviceInboundInterface

Value Connectors Content Items ASIM Parsers Other Parsers Total
port1 - 1 - - 1
port2 - 1 - - 1

DeviceName

Value Connectors Content Items ASIM Parsers Other Parsers Total
contains # - 1 - - 1

DeviceVersion

Value Connectors Content Items ASIM Parsers Other Parsers Total
2 - - - 1 1

EventOutcome

Value Connectors Content Items ASIM Parsers Other Parsers Total
Failure 1 - - - 1

FlexNumber1

Value Connectors Content Items ASIM Parsers Other Parsers Total
3 - 1 - - 1
4 - 1 - - 1
5 - 1 - - 1

LogSeverity

Value Connectors Content Items ASIM Parsers Other Parsers Total
6 3 1 - - 4
10 2 1 - - 3
High 1 2 - - 3
7 2 - - - 2
Medium - 2 - - 2
Very-High - 2 - - 2
Critical - 1 - - 1
2 - 1 - - 1
9 - 1 - - 1
Low - 1 - - 1

Message

Value Connectors Content Items ASIM Parsers Other Parsers Total
!contains hasForensics 2 1 - - 3
has UserBruteForce 1 1 - - 2
has Certifried - 1 - - 1
has Log4Shell - 1 - - 1
has NoPacBreach - 1 - - 1
contains -> inside - 1 - - 1
contains -> management - 1 - - 1
contains Login succeeded - 1 - - 1
contains Logout - 1 - - 1
contains created - 1 - - 1
contains modified - 1 - - 1
!contains count: - 1 - - 1
has_any change - 1 - - 1
has_any record modified - 1 - - 1

OldFileID

Value Connectors Content Items ASIM Parsers Other Parsers Total
contains Error - 1 - - 1
contains Failure - 1 - - 1
contains error - 1 - - 1

Protocol

Value Connectors Content Items ASIM Parsers Other Parsers Total
!contains / - 2 2 - 4
contains - - 2 2 - 4

RequestContext

Value Connectors Content Items ASIM Parsers Other Parsers Total
None - - 1 - 1

RequestMethod

Value Connectors Content Items ASIM Parsers Other Parsers Total
!= None - 1 - - 1
!= UNKNOWN - - 1 - 1

SimplifiedDeviceAction

Value Connectors Content Items ASIM Parsers Other Parsers Total
Deny 1 1 - - 2
Allow - 1 - - 1
Built - 1 - - 1

SourceHostName

Value Connectors Content Items ASIM Parsers Other Parsers Total
!= Failed to obtain 2 1 - - 3

SourcePort

Value Connectors Content Items ASIM Parsers Other Parsers Total
!= 0 - 1 - - 1

SourceUserID

Value Connectors Content Items ASIM Parsers Other Parsers Total
!= Not available 2 1 - - 3

SourceUserName

Value Connectors Content Items ASIM Parsers Other Parsers Total
!contains PasswordManager - 1 - - 1
contains Sync_components - 1 - - 1
contains administrator - 1 - - 1
!= All - 1 - - 1

SourceUserPrivileges

Value Connectors Content Items ASIM Parsers Other Parsers Total
Road Warrior - 2 - - 2
