Reference for CommonSecurityLog table in Azure Monitor Logs.
| Attribute | Value |
|---|---|
| Category | Syslog/CEF |
| Basic Logs Eligible | ✓ Yes |
| Supports Transformations | ✓ Yes |
| Ingestion API Supported | ✓ Yes |
| Azure Monitor Tables Reference | View Documentation |
| Azure Monitor Logs Ingestion API | View Documentation |
Source: Azure Monitor documentation
| Column Name | Type | Description |
|---|---|---|
| _BilledSize | real | The record size in bytes |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false, ingestion isn't billed to your Azure account. |
| _ResourceId | string | A unique identifier for the resource that the record is associated with |
| _SubscriptionId | string | A unique identifier for the subscription that the record is associated with |
| Activity | string | A string that represents a human-readable and understandable description of the event. |
| AdditionalExtensions | string | A placeholder for additional fields. Fields are logged as key-value pairs. |
| ApplicationProtocol | string | The protocol used in the application, such as HTTP, HTTPS, SSHv2, Telnet, POP, IMAP, IMAPS, and so on. |
| CollectorHostName | string | The hostname of the collector machine running the agent. |
| CommunicationDirection | string | Any information about the direction the observed communication has taken. Valid values: 0 = Inbound, 1 = Outbound. |
| Computer | string | Host, from Syslog. |
| DestinationDnsDomain | string | The DNS part of the fully-qualified domain name (FQDN). |
| DestinationHostName | string | The destination that the event refers to in an IP network. The format should be an FQDN associated with the destination node, when a node is available. For example: host.domain.com or host. |
| DestinationIP | string | The destination IpV4 address that the event refers to in an IP network. |
| DestinationMACAddress | string | The destination MAC address. |
| DestinationNTDomain | string | The Windows domain name of the destination address. |
| DestinationPort | int | Destination port. Valid values: 0 - 65535. |
| DestinationProcessId | int | The ID of the destination process associated with the event. |
| DestinationProcessName | string | The name of the event's destination process, such as telnetd or sshd. |
| DestinationServiceName | string | The service that is targeted by the event. For example: sshd. |
| DestinationTranslatedAddress | string | Identifies the translated destination referred to by the event in an IP network, as an IPv4 IP address. |
| DestinationTranslatedPort | int | Destination port after translation, for example by a firewall. Valid port numbers: 0 - 65535. |
| DestinationUserID | string | Identifies the destination user by ID. For example: in Unix, the root user is generally associated with the user ID 0. |
| DestinationUserName | string | Identifies the destination user by name. |
| DestinationUserPrivileges | string | Defines the destination user's privileges. Valid values: Administrator, User, Guest. |
| DeviceAction | string | The action mentioned in the event. |
| DeviceAddress | string | The IPv4 address of the device generating the event. |
| DeviceCustomDate1 | string | One of two timestamp fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. |
| DeviceCustomDate1Label | string | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. |
| DeviceCustomDate2 | string | One of two timestamp fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. |
| DeviceCustomDate2Label | string | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. |
| DeviceCustomFloatingPoint1 | real | One of four floating point fields available to map fields that do not apply to any other in this dictionary. |
| DeviceCustomFloatingPoint1Label | string | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. |
| DeviceCustomFloatingPoint2 | real | One of four floating point fields available to map fields that do not apply to any other in this dictionary. |
| DeviceCustomFloatingPoint2Label | string | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. |
| DeviceCustomFloatingPoint3 | real | One of four floating point fields available to map fields that do not apply to any other in this dictionary. |
| DeviceCustomFloatingPoint3Label | string | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. |
| DeviceCustomFloatingPoint4 | real | One of four floating point fields available to map fields that do not apply to any other in this dictionary. |
| DeviceCustomFloatingPoint4Label | string | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. |
| DeviceCustomIPv6Address1 | string | One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. |
| DeviceCustomIPv6Address1Label | string | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. |
| DeviceCustomIPv6Address2 | string | One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. |
| DeviceCustomIPv6Address2Label | string | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. |
| DeviceCustomIPv6Address3 | string | One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. |
| DeviceCustomIPv6Address3Label | string | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. |
| DeviceCustomIPv6Address4 | string | One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. |
| DeviceCustomIPv6Address4Label | string | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. |
| DeviceCustomNumber1 | int | Soon to be a deprecated field. Will be replaced by FieldDeviceCustomNumber1. |
| DeviceCustomNumber1Label | string | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. |
| DeviceCustomNumber2 | int | Soon to be a deprecated field. Will be replaced by FieldDeviceCustomNumber2. |
| DeviceCustomNumber2Label | string | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. |
| DeviceCustomNumber3 | int | Soon to be a deprecated field. Will be replaced by FieldDeviceCustomNumber3. |
| DeviceCustomNumber3Label | string | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. |
| DeviceCustomString1 | string | One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. |
| DeviceCustomString1Label | string | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. |
| DeviceCustomString2 | string | One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. |
| DeviceCustomString2Label | string | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. |
| DeviceCustomString3 | string | One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. |
| DeviceCustomString3Label | string | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. |
| DeviceCustomString4 | string | One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. |
| DeviceCustomString4Label | string | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. |
| DeviceCustomString5 | string | One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. |
| DeviceCustomString5Label | string | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. |
| DeviceCustomString6 | string | One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. |
| DeviceCustomString6Label | string | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. |
| DeviceDnsDomain | string | The DNS domain part of the full qualified domain name (FQDN). |
| DeviceEventCategory | string | Represents the category assigned by the originating device. Devices often use their own categorization schema to classify events. Example: '/Monitor/Disk/Read'. |
| DeviceEventClassID | string | String or integer that serves as a unique identifier per event type. |
| DeviceExternalID | string | A name that uniquely identifies the device generating the event. |
| DeviceFacility | string | The facility generating the event. For example: auth or local1. |
| DeviceInboundInterface | string | The interface on which the packet or data entered the device. For example: ethernet1/2. |
| DeviceMacAddress | string | The MAC address of the device generating the event. |
| DeviceName | string | The FQDN associated with the device node, when a node is available. For example: host.domain.com or host. |
| DeviceNtDomain | string | The Windows domain of the device address. |
| DeviceOutboundInterface | string | Interface on which the packet or data left the device. |
| DevicePayloadId | string | Unique identifier for the payload associated with the event. |
| DeviceProduct | string | String that together with the device vendor and version definitions, uniquely identifies the type of sending device. |
| DeviceTimeZone | string | Timezone of the device generating the event. |
| DeviceTranslatedAddress | string | Identifies the translated device address that the event refers to, in an IP network. The format is an Ipv4 address. |
| DeviceVendor | string | String that together with the device product and version definitions, uniquely identifies the type of sending device. |
| DeviceVersion | string | String that together with the device vendor and product definitions, uniquely identifies the type of sending device. |
| EndTime | datetime | The time at which the activity related to the event ended. |
| EventCount | int | A count associated with the event, showing how many times the same event was observed. |
| EventOutcome | string | Displays the outcome, usually as 'success' or 'failure'. |
| EventType | int | Event type. Valid values include: 0: base event, 1: aggregated, 2: correlation event, 3: action event. Note: this field can be omitted for base events. |
| ExternalID | int | Soon to be a deprecated field. Will be replaced by ExtID. |
| ExtID | string | An ID used by the originating device (will replace legacy ExternalID). Typically, these values have increasing values that are each associated with an event. |
| FieldDeviceCustomNumber1 | long | One of three number fields available to map fields that do not apply to any other in this dictionary (will replace legacy DeviceCustomNumber1). Use sparingly and seek a more specific, dictionary supplied field when possible. |
| FieldDeviceCustomNumber2 | long | One of three number fields available to map fields that do not apply to any other in this dictionary (will replace legacy DeviceCustomNumber2). Use sparingly and seek a more specific, dictionary supplied field when possible. |
| FieldDeviceCustomNumber3 | long | One of three number fields available to map fields that do not apply to any other in this dictionary (will replace legacy DeviceCustomNumber3). Use sparingly and seek a more specific, dictionary supplied field when possible. |
| FileCreateTime | string | Time when the file was created. |
| FileHash | string | Hash of a file. |
| FileID | string | An ID associated with a file, such as the inode. |
| FileModificationTime | string | Time when the file was last modified. |
| FileName | string | The file's name, without the path. |
| FilePath | string | Full path to the file, including the filename. For example: C:\ProgramFiles\WindowsNT\Accessories\wordpad.exe or /usr/bin/zip. |
| FilePermission | string | The file's permissions. For example: '2,1,1'. |
| FileSize | int | The size of the file in bytes. |
| FileType | string | File type, such as pipe, socket, and so on. |
| FlexDate1 | string | A timestamp field available to map a timestamp that does not apply to any other defined timestamp field in this dictionary. Use all flex fields sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary. |
| FlexDate1Label | string | The label field is a string and describes the purpose of the flex field. |
| FlexNumber1 | int | Number fields available to map Int data that does not apply to any other field in this dictionary. |
| FlexNumber1Label | string | The label that describes the value in FlexNumber1 |
| FlexNumber2 | int | Number fields available to map Int data that does not apply to any other field in this dictionary. |
| FlexNumber2Label | string | The label that describes the value in FlexNumber2 |
| FlexString1 | string | One of two string fields available to map string data that does not apply to any other field in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary. |
| FlexString1Label | string | The label field is a string and describes the purpose of the flex field. |
| FlexString2 | string | One of two string fields available to map string data that does not apply to any other field in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary. |
| FlexString2Label | string | The label field is a string and describes the purpose of the flex field. |
| IndicatorThreatType | string | The threat type of the MaliciousIP according to our TI feed. |
| LogSeverity | string | A string or integer that describes the importance of the event. Valid string values: Unknown , Low, Medium, High, Very-High Valid integer values are: 0-3 = Low, 4-6 = Medium, 7-8 = High, 9-10 = Very-High. |
| MaliciousIP | string | If one of the IP addresses in the message correlated with the current TI feed at ingestion time, it appears here. |
| MaliciousIPCountry | string | The country of the MaliciousIP according to the GEO information at the time of the record ingestion. |
| MaliciousIPLatitude | real | The Latitude of the MaliciousIP according to the GEO information at the time of the record ingestion. |
| MaliciousIPLongitude | real | The Longitude of the MaliciousIP according to the GEO information at the time of the record ingestion. |
| Message | string | A message that gives more details about the event. |
| OldFileCreateTime | string | Time when the old file was created. |
| OldFileHash | string | Hash of the old file. |
| OldFileID | string | An ID associated with the old file, such as the inode. |
| OldFileModificationTime | string | Time when the old file was last modified. |
| OldFileName | string | Name of the old file. |
| OldFilePath | string | Full path to the old file, including the filename. For example: C:\ProgramFiles\WindowsNT\Accessories\wordpad.exe or /usr/bin/zip. |
| OldFilePermission | string | Permissions of the old file. For example: '2,1,1'. |
| OldFileSize | int | The size of the old file in bytes. |
| OldFileType | string | File type of the old file, such as a pipe, socket, and so on. |
| OriginalLogSeverity | string | A non-mapped version of LogSeverity. For example: Warning/Critical/Info instead of the normalized Low/Medium/High in the LogSeverity field. |
| ProcessID | int | Defines the ID of the process on the device generating the event. |
| ProcessName | string | Process name associated with the event. For example: in UNIX, the process generating the syslog entry. |
| Protocol | string | Transport protocol that identifies the Layer-4 protocol used. Possible values include protocol names, such as TCP or UDP. |
| Reason | string | The reason an audit event was generated. For example 'bad password' or 'unknown user'. This could also be an error or return code. Example: '0x1234'. |
| ReceiptTime | string | The time at which the event related to the activity was received. Different from the TimeGenerated field, which is when the event was received by the log collector machine. |
| ReceivedBytes | long | Number of bytes transferred inbound. |
| RemoteIP | string | The remote IP address, derived from the event's direction value, if possible. |
| RemotePort | string | The remote port, derived from the event's direction value, if possible. |
| ReportReferenceLink | string | Link to the report of the TI feed. |
| RequestClientApplication | string | The user agent associated with the request. |
| RequestContext | string | Describes the content from which the request originated, such as the HTTP Referrer. |
| RequestCookies | string | Cookies associated with the request. |
| RequestMethod | string | The method used to access a URL. Valid values include methods such as POST, GET, and so on. |
| RequestURL | string | The URL accessed for an HTTP request, including the protocol. For example: http://www.secure.com. |
| SentBytes | long | Number of bytes transferred outbound. |
| SimplifiedDeviceAction | string | A mapped version of DeviceAction, such as Denied > Deny. |
| SourceDnsDomain | string | The DNS domain part of the complete FQDN. |
| SourceHostName | string | Identifies the source that the event refers to in an IP network. The format should be a fully qualified domain name (FQDN) associated with the source node, when a node is available. For example: host or host.domain.com. |
| SourceIP | string | The source that an event refers to in an IP network, as an IPv4 address. |
| SourceMACAddress | string | Source MAC address. |
| SourceNTDomain | string | The Windows domain name for the source address. |
| SourcePort | int | The source port number. Valid port numbers are 0 - 65535. |
| SourceProcessId | int | The ID of the source process associated with the event. |
| SourceProcessName | string | The name of the event's source process. |
| SourceServiceName | string | The service responsible for generating the event. |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for the Windows agent (either direct connect or Operations Manager), Linux for all Linux agents, or Azure for Azure Diagnostics. |
| SourceTranslatedAddress | string | Identifies the translated source that the event refers to in an IP network. |
| SourceTranslatedPort | int | Source port after translation, such as a firewall. Valid port numbers are 0 - 65535. |
| SourceUserID | string | Identifies the source user by ID. |
| SourceUserName | string | Identifies the source user by name. Email addresses are also mapped into the UserName fields. The sender is a candidate to put into this field. |
| SourceUserPrivileges | string | The source user's privileges. Valid values include: Administrator, User, Guest. |
| StartTime | datetime | The time when the activity that the event refers to started. |
| TenantId | string | The Log Analytics workspace ID |
| ThreatConfidence | string | The threat confidence of the MaliciousIP according to our TI feed. |
| ThreatDescription | string | The threat description of the MaliciousIP according to our TI feed. |
| ThreatSeverity | int | The threat severity of the MaliciousIP according to our TI feed at the time of the record ingestion. |
| TimeGenerated | datetime | Event collection time in UTC. |
| Type | string | The name of the table |
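The column table above is the CEF-to-CommonSecurityLog mapping in prose. The following is an added example, not code from the Azure Monitor documentation or from any connector, that turns a raw CEF line into a record keyed by these column names and applies the rules the table states: the LogSeverity scale (0-3 Low, 4-6 Medium, 7-8 High, 9-10 Very-High) with the raw value kept in OriginalLogSeverity, cn1 landing in FieldDeviceCustomNumber1 rather than the deprecated DeviceCustomNumber1, unmapped keys collected into AdditionalExtensions, and RemoteIP/RemotePort derived from CommunicationDirection (0 = inbound, 1 = outbound). The key-to-column mapping is a subset chosen for illustration, and the two CEF lines are constructed, not captured from real devices.

```python
import re
from typing import Dict, List

# Constructed sample CEF lines (not captured from real devices).
SAMPLE_LINES = [
    "CEF:0|Fortinet|Fortigate-100F|7.0.12|0000000013|forward traffic|5|"
    "src=10.1.2.3 spt=51234 dst=93.184.216.34 dpt=443 proto=TCP act=deny "
    "deviceDirection=1 cs1=policy-42 cs1Label=PolicyName cn1=7 cn1Label=SessionDuration "
    "msg=Blocked outbound HTTPS to unknown host vendorKey=xyz",
    "CEF:0|Vendor\\|X|Prod Y|1.0|100|Login failed|High|"
    "suser=alice dvc=10.0.0.5 deviceDirection=0 src=198.51.100.7 dst=10.0.0.5 "
    "reason=bad password msg=user\\=alice rejected",
]

# CEF extension key -> CommonSecurityLog column (illustrative subset of the table above).
KEY_TO_COLUMN = {
    "src": "SourceIP", "spt": "SourcePort", "dst": "DestinationIP", "dpt": "DestinationPort",
    "proto": "Protocol", "act": "DeviceAction", "msg": "Message", "reason": "Reason",
    "suser": "SourceUserName", "duser": "DestinationUserName", "dvc": "DeviceAddress",
    "app": "ApplicationProtocol", "deviceDirection": "CommunicationDirection",
    "cs1": "DeviceCustomString1", "cs1Label": "DeviceCustomString1Label",
    "cn1": "FieldDeviceCustomNumber1", "cn1Label": "DeviceCustomNumber1Label",
    "request": "RequestURL", "fname": "FileName", "fileHash": "FileHash",
}
INT_COLUMNS = {"SourcePort", "DestinationPort", "FieldDeviceCustomNumber1"}
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")  # an extension key starts after whitespace


def _split_header(line: str) -> List[str]:
    """Split the 7 pipe-delimited header fields, honouring the CEF escapes '\\|' and '\\\\'."""
    fields: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line) and line[i + 1] in "|\\":
            buf.append(line[i + 1]); i += 2
        elif ch == "|":
            fields.append("".join(buf)); buf = []; i += 1
        else:
            buf.append(ch); i += 1
    if len(fields) < 7:
        raise ValueError("malformed CEF header: fewer than 7 pipe-delimited fields")
    return fields + [line[i:]]  # element 7 is the raw extension string


def _parse_extension(ext: str) -> Dict[str, str]:
    """Split 'key=value key=value' where values may contain spaces; unescape '\\=' and '\\\\'."""
    matches = list(KEY_RE.finditer(ext))
    out: Dict[str, str] = {}
    for n, m in enumerate(matches):
        end = matches[n + 1].start() if n + 1 < len(matches) else len(ext)
        raw = ext[m.end():end].strip()
        out[m.group(1)] = raw.replace("\\=", "=").replace("\\\\", "\\").replace("\\n", "\n")
    return out


def normalize_severity(raw: str) -> str:
    """Map the CEF severity to the LogSeverity scale described in the column table."""
    if raw.isdigit():
        n = int(raw)
        if n <= 3:
            return "Low"
        if n <= 6:
            return "Medium"
        if n <= 8:
            return "High"
        return "Very-High" if n <= 10 else "Unknown"
    return raw if raw in {"Unknown", "Low", "Medium", "High", "Very-High"} else "Unknown"


def cef_to_csl(line: str) -> Dict[str, object]:
    """Turn one CEF line into a dict keyed by CommonSecurityLog column names."""
    h = _split_header(line)
    rec: Dict[str, object] = {
        "DeviceVendor": h[1], "DeviceProduct": h[2], "DeviceVersion": h[3],
        "DeviceEventClassID": h[4], "Activity": h[5],
        "LogSeverity": normalize_severity(h[6]), "OriginalLogSeverity": h[6],
    }
    extra: List[str] = []
    for key, value in _parse_extension(h[7]).items():
        col = KEY_TO_COLUMN.get(key)
        if col is None:
            extra.append(f"{key}={value}")  # unmapped keys land in AdditionalExtensions
        elif col in INT_COLUMNS:
            rec[col] = int(value)
        else:
            rec[col] = value
    rec["AdditionalExtensions"] = ";".join(extra)
    # RemoteIP/RemotePort follow CommunicationDirection: 0 = inbound (remote side is the
    # source), 1 = outbound (remote side is the destination).
    direction = rec.get("CommunicationDirection")
    if direction == "0":
        rec["RemoteIP"], rec["RemotePort"] = rec.get("SourceIP"), rec.get("SourcePort")
    elif direction == "1":
        rec["RemoteIP"], rec["RemotePort"] = rec.get("DestinationIP"), rec.get("DestinationPort")
    return rec


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(cef_to_csl(sample))
```

The second sample line exercises the two escapes that trip up naive splitters: a vendor name containing an escaped pipe in the header, and an escaped equals sign inside an extension value.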
This table is used by the following solutions:
This table is ingested by the following connectors:
| Connector | Selection Criteria |
|---|---|
| [Deprecated] Vectra AI Detect via Legacy Agent | DeviceEventClassID == "hsc"; DeviceEventClassID !in "health,audit,campaigns,hsc,asc"; DeviceProduct == "X Series"; DeviceVendor == "Vectra Networks" |
| [Deprecated] Vectra AI Detect via AMA | DeviceEventClassID == "hsc"; DeviceEventClassID !in "health,audit,campaigns,hsc,asc"; DeviceProduct == "X Series"; DeviceVendor == "Vectra Networks" |
| [Deprecated] Akamai Security Events via Legacy Agent | DeviceProduct == "akamai_siem"; DeviceVendor == "Akamai" |
| [Deprecated] Akamai Security Events via AMA | DeviceProduct == "akamai_siem"; DeviceVendor == "Akamai" |
| [Deprecated] Awake Security via Legacy Agent | DeviceProduct == "Awake Security"; DeviceVendor == "Arista Networks" |
| [Deprecated] Aruba ClearPass via Legacy Agent | DeviceProduct == "ClearPass"; DeviceVendor == "Aruba Networks" |
| [Deprecated] Aruba ClearPass via AMA | DeviceProduct == "ClearPass"; DeviceVendor == "Aruba Networks" |
| [Deprecated] Barracuda Web Application Firewall via Legacy Agent | DeviceVendor == "Barracuda" |
| [Deprecated] Broadcom Symantec DLP via Legacy Agent | DeviceProduct == "DLP"; DeviceVendor == "Symantec" |
| [Deprecated] Broadcom Symantec DLP via AMA | DeviceProduct == "DLP"; DeviceVendor == "Symantec" |
| Common Event Format (CEF) | DeviceVendor !in "Cisco,Check Point,Palo Alto Networks,Fortinet,F5,Barracuda,ExtraHop,OneIdentity,Zscaler,ForgeRock Inc,Cyber-Ark,illusive,Vectra Networks,Citrix,Darktrace,Akamai,Aruba Networks,CrowdStrike,Symantec,Claroty,Contrast Security,Delinea Software,Thycotic Software,FireEye,Forcepoint CSG,Forcepoint,Forcepoint CASB,iboss,Illumio,Imperva Inc.,Infoblox,Morphisec,Netwrix,Nozomi,Onapsis,OSSEC,PingFederate,RidgeSecurity,SonicWall,Trend Micro,vArmour"; DeviceVendor !in "Cisco,Check Point,Palo Alto Networks,Fortinet,F5,Barracuda,ExtraHop,OneIdentity,Zscaler,ForgeRock Inc,Cyber-Ark,illusive,Vectra Networks,Citrix,Darktrace,Akamai,Aruba Networks,CrowdStrike,Symantec,Claroty,Contrast Security,Delinea Software,Thycotic Software,FireEye,Forcepoint CSG,Forcepoint,Forcepoint CASB,iboss,Illumio,Imperva Inc.,Infoblox,Morphisec,Netwrix,Nozomi,Onapsis,OSSEC,PingFederate,RidgeSecurity,SonicWall,Trend Micro,vArmour,Votiro" |
| Common Event Format (CEF) via AMA | |
| Cisco ASA via Legacy Agent | DeviceProduct == "ASA"; DeviceVendor == "Cisco" |
| Cisco ASA/FTD via AMA | DeviceProduct in "ASA,FTD"; DeviceVendor == "Cisco" |
| [Deprecated] Cisco Firepower eStreamer via Legacy Agent | DeviceProduct == "Firepower"; DeviceVendor == "Cisco" |
| [Deprecated] Cisco Firepower eStreamer via AMA | DeviceProduct == "Firepower"; DeviceVendor == "Cisco" |
| [Deprecated] Cisco Secure Email Gateway via Legacy Agent | |
| [Deprecated] Cisco Secure Email Gateway via AMA | DeviceProduct == "ESA_CONSOLIDATED_LOG_EVENT"; DeviceVendor == "Cisco" |
| [Deprecated] Citrix WAF (Web App Firewall) via Legacy Agent | DeviceProduct == "NetScaler"; DeviceVendor == "Citrix" |
| [Deprecated] Citrix WAF (Web App Firewall) via AMA | DeviceProduct == "NetScaler"; DeviceVendor == "Citrix" |
| [Deprecated] Claroty via Legacy Agent | |
| [Deprecated] Claroty via AMA | DeviceVendor == "Claroty" |
| Claroty xDome | DeviceVendor in "Claroty,Medigate" |
| Zscaler Internet Access Cloud NSS Audit Log Push Connector | |
| Zscaler Internet Access Cloud NSS CASB Activity Log Push Connector | |
| Zscaler Internet Access Cloud NSS CASB CRM Log Push Connector | |
| Zscaler Internet Access Cloud NSS CASB Cloud Storage Log Push Connector | |
| Zscaler Internet Access Cloud NSS CASB Collaboration Log Push Connector | |
| Zscaler Internet Access Cloud NSS CASB Email Log Push Connector | |
| Zscaler Internet Access Cloud NSS CASB File Sharing Log Push Connector | |
| Zscaler Internet Access Cloud NSS CASB ITSM Log Push Connector | |
| Zscaler Internet Access Cloud NSS CASB Repo Log Push Connector | |
| Zscaler Internet Access Cloud NSS DNS Log Push Connector | |
| Zscaler Internet Access Cloud NSS Email DLP Log Push Connector | |
| Zscaler Internet Access Cloud NSS Endpoint DLP Log Push Connector | |
| Zscaler Internet Access Cloud NSS Firewall Log Push Connector | |
| Zscaler Internet Access Cloud NSS Tunnel Log Push Connector | |
| Zscaler Internet Access Cloud NSS Web Log Push Connector | |
| [Deprecated] Contrast Protect via Legacy Agent | DeviceVendor == "Contrast Security" |
| [Deprecated] Contrast Protect via AMA | DeviceVendor == "Contrast Security" |
| [Deprecated] CrowdStrike Falcon Endpoint Protection via Legacy Agent | DeviceProduct == "FalconHost"; DeviceVendor == "CrowdStrike" |
| [Deprecated] CrowdStrike Falcon Endpoint Protection via AMA | DeviceProduct == "FalconHost"; DeviceVendor == "CrowdStrike" |
| [Deprecated] CyberArk Enterprise Password Vault (EPV) Events via Legacy Agent | DeviceProduct == "Vault"; DeviceVendor == "Cyber-Ark" |
| [Deprecated] CyberArk Privilege Access Manager (PAM) Events via AMA | DeviceProduct == "Vault"; DeviceVendor == "Cyber-Ark" |
| [Deprecated] AI Analyst Darktrace via Legacy Agent | DeviceVendor == "Darktrace" |
| [Deprecated] AI Analyst Darktrace via AMA | DeviceVendor == "Darktrace" |
| [Deprecated] Delinea Secret Server via AMA | DeviceProduct == "Secret Server"; DeviceVendor in "Delinea Software,Thycotic Software" |
| [Deprecated] Delinea Secret Server via Legacy Agent | DeviceProduct == "Secret Server"; DeviceVendor in "Delinea Software,Thycotic Software" |
| [Deprecated] ExtraHop Reveal(x) via Legacy Agent | DeviceEventClassID == "ExtraHop Detection"; DeviceVendor == "ExtraHop" |
| [Deprecated] ExtraHop Reveal(x) via AMA | DeviceEventClassID == "ExtraHop Detection"; DeviceVendor == "ExtraHop" |
| [Deprecated] F5 Networks via Legacy Agent | DeviceVendor == "F5" |
| [Deprecated] F5 Networks via AMA | DeviceVendor == "F5" |
| [Deprecated] FireEye Network Security (NX) via Legacy Agent | |
| [Deprecated] FireEye Network Security (NX) via AMA | DeviceVendor == "FireEye" |
| [Deprecated] Forcepoint CSG via Legacy Agent | DeviceProduct in "Email,Web"; DeviceVendor == "Forcepoint CSG" |
| [Deprecated] Forcepoint CSG via AMA | DeviceProduct in "Email,Web"; DeviceVendor == "Forcepoint CSG" |
| [Deprecated] Forcepoint CASB via Legacy Agent | DeviceVendor == "Forcepoint CASB" |
| [Deprecated] Forcepoint CASB via AMA | DeviceVendor == "Forcepoint CASB" |
| [Deprecated] Forcepoint NGFW via Legacy Agent | DeviceProduct == "NGFW"; DeviceVendor == "Forcepoint" |
| [Deprecated] Forcepoint NGFW via AMA | DeviceProduct == "NGFW"; DeviceVendor == "Forcepoint" |
| [Deprecated] ForgeRock Identity Platform | DeviceProduct == "IDM"; DeviceVendor == "ForgeRock Inc" |
| [Deprecated] Fortinet via Legacy Agent | DeviceProduct startswith "Fortigate"; DeviceVendor == "Fortinet" |
| [Deprecated] Fortinet via AMA | DeviceProduct == "Fortigate"; DeviceProduct startswith "Fortigate"; DeviceVendor == "Fortinet" |
| [Deprecated] Fortinet FortiWeb Web Application Firewall via Legacy Agent | DeviceProduct == "Fortiweb"; DeviceVendor == "Fortinet" |
| Fortinet FortiWeb Web Application Firewall via AMA | DeviceProduct contains "Fortiweb"; DeviceVendor contains "Fortinet" |
| [Deprecated] Illumio Core via Legacy Agent | |
| [Deprecated] Illumio Core via AMA | DeviceVendor == "Illumio" |
| Imperva WAF Gateway | DeviceProduct == "WAF Gateway"; DeviceVendor in "Imperva,Imperva Inc." |
| [Deprecated] Infoblox Cloud Data Connector via Legacy Agent | DeviceEventClassID == "DHCP-LEASE-CREATE"; DeviceEventClassID has "DNS"; DeviceEventClassID has "RPZ"; DeviceProduct == "Data Connector"; DeviceVendor == "Infoblox" |
| [Deprecated] Infoblox Cloud Data Connector via AMA | DeviceEventClassID == "DHCP-LEASE-CREATE"; DeviceEventClassID has "Audit"; DeviceEventClassID has "DHCP"; DeviceEventClassID has "DNS"; DeviceEventClassID has "RPZ"; DeviceEventClassID has "Service"; DeviceProduct == "Data Connector"; DeviceVendor == "Infoblox" |
| [Recommended] Infoblox Cloud Data Connector via AMA | DeviceEventClassID == "DHCP-LEASE-CREATE"; DeviceEventClassID has "Audit"; DeviceEventClassID has "DHCP"; DeviceEventClassID has "DNS"; DeviceEventClassID has "RPZ"; DeviceEventClassID has "Service"; DeviceProduct == "Data Connector"; DeviceVendor == "Infoblox" |
| [Deprecated] Infoblox SOC Insight Data Connector via AMA | DeviceEventClassID == "BloxOne-InsightsNotification-Log"; DeviceProduct == "Data Connector"; DeviceVendor == "Infoblox" |
| [Recommended] Infoblox SOC Insight Data Connector via AMA | DeviceEventClassID == "BloxOne-InsightsNotification-Log"; DeviceProduct == "Data Connector"; DeviceVendor == "Infoblox" |
| [Deprecated] Infoblox SOC Insight Data Connector via Legacy Agent | DeviceEventClassID == "BloxOne-InsightsNotification-Log"; DeviceProduct == "Data Connector"; DeviceVendor == "Infoblox" |
| IronNet IronDefense | DeviceProduct in "IronDefense,IronDome"; DeviceVendor == "IronNet" |
| [Deprecated] Netwrix Auditor via Legacy Agent | |
| [Deprecated] Netwrix Auditor via AMA | DeviceVendor == "Netwrix" |
| [Deprecated] Nozomi Networks N2OS via Legacy Agent | |
| [Deprecated] Nozomi Networks N2OS via AMA | DeviceVendor has "Nozomi" |
| [Deprecated] OSSEC via Legacy Agent | |
| [Deprecated] OSSEC via AMA | DeviceVendor == "OSSEC" |
| [Deprecated] Onapsis Platform | DeviceProduct == "OSP"; DeviceVendor == "Onapsis" |
| One Identity Safeguard | DeviceProduct == "SPS"; DeviceVendor == "OneIdentity" |
| [Deprecated] Palo Alto Networks Cortex Data Lake (CDL) via Legacy Agent | |
| [Deprecated] Palo Alto Networks Cortex Data Lake (CDL) via AMA | DeviceProduct == "LF"; DeviceVendor == "Palo Alto Networks" |
| [Deprecated] Palo Alto Networks (Firewall) via Legacy Agent | DeviceProduct has "PAN-OS"; DeviceVendor == "Palo Alto Networks" |
| [Deprecated] Palo Alto Networks (Firewall) via AMA | DeviceProduct == "PAN-OS"; DeviceProduct has "PAN-OS"; DeviceVendor == "Palo Alto Networks" |
| Palo Alto Networks Cortex XDR | DeviceProduct == "Cortex XDR"; DeviceVendor == "Palo Alto Networks" |
| [Deprecated] PingFederate via Legacy Agent | |
| [Deprecated] PingFederate via AMA | DeviceProduct has "PingFederate" |
| Radiflow iSID via AMA | DeviceProduct == "iSID" |
| [Deprecated] RIDGEBOT - data connector for Microsoft Sentinel | DeviceEventClassID == "4001"; DeviceVendor == "RidgeSecurity" |
| Silverfort Admin Console | DeviceEventClassID == "NewIncident"; DeviceProduct == "Admin Console"; DeviceProduct has "Admin Console"; DeviceVendor == "Silverfort"; DeviceVendor has "Silverfort" |
| [Deprecated] SonicWall Firewall via Legacy Agent | DeviceVendor == "SonicWall" |
| [Deprecated] SonicWall Firewall via AMA | DeviceVendor == "SonicWall" |
| Threat Intelligence Platforms | |
| [Deprecated] Trend Micro Deep Security via Legacy | |
| [Deprecated] Trend Micro Apex One via Legacy Agent | |
| [Deprecated] Trend Micro Apex One via AMA | DeviceProduct == "Apex Central"; DeviceVendor == "Trend Micro" |
| [Deprecated] Trend Micro TippingPoint via Legacy | |
| VirtualMetric Director Proxy | |
| VirtualMetric DataStream for Microsoft Sentinel | |
| VirtualMetric DataStream for Microsoft Sentinel data lake | |
| [Deprecated] Votiro Sanitization Engine Logs | DeviceProduct == "Votiro cloud"; DeviceVendor == "Votiro" |
| [Deprecated] WireX Network Forensics Platform via Legacy Agent | DeviceProduct == "WireX NFP"; DeviceVendor == "WireX" |
| [Deprecated] WireX Network Forensics Platform via AMA | DeviceProduct == "WireX NFP"; DeviceVendor == "WireX" |
| [Deprecated] WithSecure Elements via Connector | DeviceVendor == "WithSecure™" |
| [Deprecated] iboss via Legacy Agent | DeviceVendor == "iboss" |
| iboss via AMA | DeviceVendor == "iboss" |
| [Deprecated] Illusive Platform via Legacy Agent | DeviceEventClassID in "illusive:access,illusive:login,illusive:suspicious"; DeviceProduct == "illusive"; DeviceVendor == "illusive" |
| [Deprecated] Illusive Platform via AMA | DeviceEventClassID in "illusive:access,illusive:login,illusive:suspicious"; DeviceProduct == "illusive"; DeviceVendor == "illusive" |
| [Deprecated] vArmour Application Controller via Legacy Agent | DeviceProduct == "AC"; DeviceVendor == "vArmour" |
| [Deprecated] vArmour Application Controller via AMA | DeviceProduct == "AC"; DeviceVendor == "vArmour" |
In solution Acronis Cyber Protect Cloud:
| Analytic Rule | Selection Criteria |
|---|---|
| Acronis - Login from Abnormal IP - Low Occurrence | DeviceVendor == "Acronis audit" |
| Acronis - Multiple Endpoints Accessing Malicious URLs | DeviceEventClassID == "MaliciousUrlDetected"; DeviceVendor == "Acronis" |
| Acronis - Multiple Endpoints Infected by Ransomware | DeviceEventClassID == "ActiveProtectionBlocksSuspiciousActivity"; DeviceVendor == "Acronis" |
| Acronis - Multiple Inboxes with Malicious Content Detected | DeviceEventClassID in "MaliciousEmailDetectedPerceptionPointWarning,MaliciousURLDetectedInM365MailboxBackup,MalwareDetectedInM365MailboxBackup"; DeviceVendor == "Acronis" |
In solution Apache Log4j Vulnerability Detection:
| Analytic Rule | Selection Criteria |
|---|---|
| Log4j vulnerability exploit aka Log4Shell IP IOC | |
In solution AristaAwakeSecurity: DeviceProduct == "Awake Security"; DeviceVendor == "Arista Networks"
| Analytic Rule |
|---|
| Awake Security - High Match Counts By Device |
| Awake Security - High Severity Matches By Device |
| Awake Security - Model With Multiple Destinations |
In solution CiscoASA:
| Analytic Rule | Selection Criteria |
|---|---|
| Cisco ASA - average attack detection rate increase | DeviceEventClassID == "733100" |
| Cisco ASA - threat detection message fired | DeviceEventClassID in "733101,733102,733103,733104,733105" |
In solution CiscoSEG: DeviceEventClassID == "ESA_CONSOLIDATED_LOG_EVENT"
In solution Claroty: DeviceVendor == "Claroty"
In solution Contrast Protect: DeviceVendor == "Contrast Security"
| Analytic Rule |
|---|
| Contrast Blocks |
| Contrast Exploits |
| Contrast Probes |
| Contrast Suspicious |
In solution CrowdStrike Falcon Endpoint Protection: DeviceProduct == "FalconHost"; DeviceVendor == "CrowdStrike"
| Analytic Rule |
|---|
| Critical Severity Detection |
In solution FalconFriday: DeviceProduct == "NSSWeblog"; DeviceVendor == "Zscaler"
| Analytic Rule |
|---|
| Beacon Traffic Based on Common User Agents Visiting Limited Number of Domains |
In solution Fortinet FortiWeb Cloud WAF-as-a-Service connector for Microsoft Sentinel: DeviceProduct has "Fortiweb"; DeviceVendor == "Fortinet"
| Analytic Rule |
|---|
| Fortiweb - WAF Allowed threat |
In solution GreyNoiseThreatIntelligence:
| Analytic Rule | Selection Criteria |
|---|---|
| GreyNoise TI Map IP Entity to CommonSecurityLog | |
In solution Illusive Platform: DeviceProduct == "illusive"
| Analytic Rule |
|---|
| Illusive Incidents Analytic Rule |
In solution Infoblox: DeviceEventClassID == "BloxOne-InsightsNotification-Log"; DeviceProduct == "Data Connector"; DeviceVendor == "Infoblox"
| Analytic Rule |
|---|
| Infoblox - SOC Insight Detected - CDC Source |
In solution Infoblox Cloud Data Connector:
| Analytic Rule | Selection Criteria |
|---|---|
| Infoblox - Data Exfiltration Attack | DeviceEventClassID has "RPZ"; DeviceProduct == "Data Connector"; DeviceVendor == "Infoblox" |
| Infoblox - High Threat Level Query Not Blocked Detected | DeviceEventClassID has "RPZ"; DeviceProduct == "Data Connector"; DeviceVendor == "Infoblox" |
| Infoblox - Many High Threat Level Queries From Single Host Detected | DeviceEventClassID has "RPZ"; DeviceProduct == "Data Connector"; DeviceVendor == "Infoblox" |
| Infoblox - Many High Threat Level Single Query Detected | DeviceEventClassID has "RPZ"; DeviceProduct == "Data Connector"; DeviceVendor == "Infoblox" |
| Infoblox - Many NXDOMAIN DNS Responses Detected | DeviceEventClassID == "DNS Response"; DeviceProduct == "Data Connector"; DeviceVendor == "Infoblox" |
| Infoblox - TI - CommonSecurityLog Match Found - MalwareC2 | |
| Infoblox - TI - InfobloxCDC Match Found - Lookalike Domains | DeviceProduct == "Data Connector"; DeviceVendor == "Infoblox" |
In solution Infoblox SOC Insights: DeviceEventClassID == "BloxOne-InsightsNotification-Log"; DeviceProduct == "Data Connector"; DeviceVendor == "Infoblox"
| Analytic Rule |
|---|
| Infoblox - SOC Insight Detected - CDC Source |
In solution IronNet IronDefense: DeviceProduct == "IronDefense"
| Analytic Rule |
|---|
| Create Incidents from IronDefense |
In solution Lumen Defender Threat Feed:
| Analytic Rule | Selection Criteria |
|---|---|
| Lumen TI IPAddress in CommonSecurityLog | |
In solution Microsoft Defender XDR:
| Analytic Rule | Selection Criteria |
|---|---|
| Possible Phishing with CSL and Network Sessions | |
In solution Network Threat Protection Essentials: DeviceVendor == "Trend Micro"
| Analytic Rule |
|---|
| Network endpoint to host executable correlation |
In solution PaloAlto-PAN-OS:
| Analytic Rule | Selection Criteria |
|---|---|
| Microsoft COVID-19 file hash indicator matches | |
| Palo Alto - possible internal to external port scanning | |
| Palo Alto - possible nmap scan on with top 100 option | |
| Palo Alto - potential beaconing detected | DeviceVendor == "Palo Alto Networks" |
| Palo Alto Threat signatures from Unusual IP addresses | DeviceEventClassID in "file,flood,packet,scan,spyware,virus,vulnerability,wildfire,wildfire-virus"; DeviceVendor == "Palo Alto Networks" |
In solution PaloAltoCDL: DeviceProduct == "LF"; DeviceVendor == "Palo Alto Networks"
In solution PingFederate: DeviceProduct has "PingFederate"
In solution Radiflow: DeviceProduct == "iSID"; DeviceVendor == "radiflow"
In solution RidgeSecurity:
| Analytic Rule | Selection Criteria |
|---|---|
| Critical Risks | DeviceEventClassID == "4001"; DeviceVendor == "RidgeSecurity" |
| Vulerabilities | DeviceEventClassID startswith "40"; DeviceVendor == "RidgeSecurity" |
In solution SecurityThreatEssentialSolution:
| Analytic Rule | Selection Criteria |
|---|---|
| Threat Essentials - Time series anomaly for data size transferred to public internet | |
In solution Silverfort: DeviceEventClassID == "NewIncident"; DeviceProduct has "Admin Console"; DeviceVendor has "Silverfort"
| Analytic Rule |
|---|
| Silverfort - Certifried Incident |
| Silverfort - Log4Shell Incident |
| Silverfort - NoPacBreach Incident |
| Silverfort - UserBruteForce Incident |
In solution SonicWall Firewall:
| Analytic Rule | Selection Criteria |
|---|---|
| SonicWall - Capture ATP Malicious File Detection | |
In solution Threat Intelligence:
| Analytic Rule | Selection Criteria |
|---|---|
| TI Map IP Entity to CommonSecurityLog | |
| TI Map URL Entity to PaloAlto Data | DeviceEventClassID == "url"; DeviceVendor == "Palo Alto Networks" |
| TI map Domain entity to PaloAlto | DeviceEventClassID == "url"; DeviceVendor == "Palo Alto Networks" |
| TI map Domain entity to PaloAlto CommonSecurityLog | DeviceEventClassID == "url" |
| TI map Email entity to PaloAlto CommonSecurityLog | DeviceEventClassID == "wildfire"; DeviceVendor == "Palo Alto Networks" |
| TI map File Hash to CommonSecurityLog Event | |
In solution Threat Intelligence (NEW):
| Analytic Rule | Selection Criteria |
|---|---|
| TI Map IP Entity to CommonSecurityLog | |
| TI Map URL Entity to PaloAlto Data | DeviceEventClassID == "url"; DeviceVendor == "Palo Alto Networks" |
| TI map Domain entity to PaloAlto | DeviceEventClassID == "url"; DeviceVendor == "Palo Alto Networks" |
| TI map Domain entity to PaloAlto CommonSecurityLog | DeviceEventClassID == "url" |
| TI map Email entity to PaloAlto CommonSecurityLog | DeviceEventClassID == "wildfire"; DeviceVendor == "Palo Alto Networks" |
| TI map File Hash to CommonSecurityLog Event | |
In solution Trend Micro Apex One: DeviceProduct == "Apex Central"; DeviceVendor == "Trend Micro"
In solution Vectra AI Detect:
| Analytic Rule | Selection Criteria |
|---|---|
| Vectra AI Detect - Detections with High Severity | DeviceEventClassID != "asc"; DeviceEventClassID != "audit"; DeviceEventClassID != "campaigns"; DeviceEventClassID != "health"; DeviceEventClassID != "hsc"; DeviceProduct == "X Series"; DeviceVendor == "Vectra Networks" |
| Vectra AI Detect - New Campaign Detected | DeviceEventClassID contains "campaign"; DeviceProduct == "X Series"; DeviceVendor == "Vectra Networks" |
| Vectra AI Detect - Suspected Compromised Account | DeviceEventClassID == "asc"; DeviceProduct == "X Series"; DeviceVendor == "Vectra Networks" |
| Vectra AI Detect - Suspected Compromised Host | DeviceEventClassID == "hsc"; DeviceProduct == "X Series"; DeviceVendor == "Vectra Networks" |
| Vectra AI Detect - Suspicious Behaviors by Category | DeviceEventClassID != "asc"; DeviceEventClassID != "audit"; DeviceEventClassID != "campaigns"; DeviceEventClassID != "health"; DeviceEventClassID != "hsc"; DeviceProduct == "X Series"; DeviceVendor == "Vectra Networks" |
| Vectra Account's Behaviors | DeviceEventClassID != "asc"; DeviceEventClassID != "audit"; DeviceEventClassID != "campaigns"; DeviceEventClassID != "health"; DeviceEventClassID != "hsc"; DeviceProduct == "X Series"; DeviceVendor == "Vectra Networks" |
| Vectra Host's Behaviors | DeviceEventClassID != "asc"; DeviceEventClassID != "audit"; DeviceEventClassID != "campaigns"; DeviceEventClassID != "health"; DeviceEventClassID != "hsc"; DeviceProduct == "X Series"; DeviceVendor == "Vectra Networks" |
In solution Votiro: DeviceProduct == "Votiro cloud"; DeviceVendor == "Votiro"
| Analytic Rule |
|---|
| Votiro - File Blocked from Connector |
| Votiro - File Blocked in Email |
In solution Zinc Open Source:
| Analytic Rule | Selection Criteria |
|---|---|
| [Deprecated] - Zinc Actor IOCs domains hashes IPs and useragent - October 2022 | |
In solution Zscaler Internet Access:
| Analytic Rule | Selection Criteria |
|---|---|
| Discord CDN Risky File Download | DeviceVendor == "ZScaler" |
| Request for single resource on domain | DeviceVendor == "Zscaler" |
In solution vArmour Application Controller: DeviceProduct == "AC"; DeviceVendor == "vArmour"
| Analytic Rule |
|---|
| vArmour AppController - SMB Realm Traversal |
Standalone Content:
| Analytic Rule | Selection Criteria |
|---|---|
| Cisco - firewall block but success logon to Microsoft Entra ID | DeviceVendor == "Cisco" |
| CreepyDrive URLs | |
| CreepyDrive request URL sequence | |
| Europium - Hash and IP IOCs - September 2022 | |
| Fortinet - Beacon pattern detected | DeviceVendor == "Fortinet" |
| IP address of Windows host encoded in web request | |
| IP with multiple failed Microsoft Entra ID logins successfully logs in to Palo Alto VPN | DeviceEventClassID == "globalprotect"; DeviceVendor == "Palo Alto Networks" |
| Known Forest Blizzard group domains - July 2019 | |
| M365D Alerts Correlation to non-Microsoft Network device network activity involved in successful sign-in Activity | DeviceProduct startswith "FireWall"; DeviceProduct startswith "FortiGate"; DeviceProduct startswith "NSSWeblog"; DeviceProduct startswith "PAN"; DeviceProduct startswith "URL"; DeviceProduct startswith "VPN"; DeviceVendor has_any "Check Point,Fortinet,Palo Alto Networks,Zscaler" |
| Mercury - Domain, Hash and IP IOCs - August 2022 | |
| Phishing link click observed in Network Traffic | DeviceProduct startswith "FireWall"; DeviceProduct startswith "FortiGate"; DeviceProduct startswith "NSSWeblog"; DeviceProduct startswith "PAN"; DeviceProduct startswith "URL"; DeviceProduct startswith "VPN"; DeviceVendor has_any "Check Point,Fortinet,Palo Alto Networks,Zscaler" |
| Possible contact with a domain generated by a DGA | |
| Prestige ransomware IOCs Oct 2022 | |
| Risky user signin observed in non-Microsoft network device | DeviceProduct startswith "FireWall"; DeviceProduct startswith "FortiGate"; DeviceProduct startswith "NSSWeblog"; DeviceProduct startswith "PAN"; DeviceProduct startswith "URL"; DeviceProduct startswith "VPN"; DeviceVendor has_any "Check Point,Fortinet,Palo Alto Networks,Zscaler" |
| RunningRAT request parameters | |
| Star Blizzard C2 Domains August 2022 | |
| Time series anomaly detection for total volume of traffic | |
| Time series anomaly for data size transferred to public internet | |
| Wazuh - Large Number of Web errors from an IP | DeviceProduct == "Wazuh" |
| Windows host username encoded in base64 web request | |
In solution Acronis Cyber Protect Cloud:
| Hunting Query | Selection Criteria |
|---|---|
| Acronis - ASZ defence: Unauthorized operation is detected and blocked | DeviceEventClassID == "ActiveProtectionDetectedAszPartitionAccessed"; DeviceVendor == "Acronis" |
| Acronis - Agent failed updating more than twice in a day | DeviceEventClassID == "AgentAutoUpdateStalled"; DeviceVendor == "Acronis" |
| Acronis - Agents offline for 2 days or more | DeviceEventClassID == "MiniPlanAgentOffline"; DeviceVendor == "Acronis" |
| Acronis - Audit Log | DeviceVendor == "Acronis audit" |
| Acronis - Cloud Connection Errors | DeviceEventClassID in "CloudConnectionAzureApplianceConfigurationFailed,CloudConnectionAzureApplianceDeallocationFailed,CloudConnectionAzureApplianceDeletionFailed,CloudConnectionAzureApplianceEOL,CloudConnectionAzureApplianceFailed,CloudConnectionAzureApplianceUpdateFailed,CloudConnectionAzureCloudAccessExpired,CloudConnectionS3CloudAccessExpired"; DeviceVendor == "Acronis" |
| Acronis - Endpoints Accessing Malicious URLs | DeviceEventClassID == "MaliciousUrlDetected"; DeviceVendor == "Acronis" |
| Acronis - Endpoints Infected by Ransomware | DeviceEventClassID == "ActiveProtectionBlocksSuspiciousActivity"; DeviceVendor == "Acronis" |
| Acronis - Endpoints with Backup issues | DeviceEventClassID in "ArchiveCorrupted,BackupFailed,BackupNotResponding,BackupRecoveryFailed"; DeviceVendor == "Acronis" |
| Acronis - Endpoints with EDR Incidents | DeviceEventClassID in "EDRIOCDetected,EDRIncidentDetected"; DeviceVendor == "Acronis" |
| Acronis - Endpoints with high failed login attempts | DeviceEventClassID == "MiMonitoringFailedLoginAttemptsOverThreshold"; DeviceVendor == "Acronis" |
| Acronis - Inboxes with Malicious Content | DeviceEventClassID in "MaliciousEmailDetectedPerceptionPointWarning,MaliciousURLDetectedInM365MailboxBackup,MalwareDetectedInM365MailboxBackup"; DeviceVendor == "Acronis" |
| Acronis - Login from Abnormal IP - Low Occurrence | DeviceVendor == "Acronis audit" |
| Acronis - Protection Service Errors | DeviceEventClassID in "ActiveProtectionDriverRemediated,ActiveProtectionInvalidNetworkRecoveryPath,ActiveProtectionServiceConflict,ActiveProtectionServiceFailureToApplyPolicy,ActiveProtectionServiceNotAvailable,ActiveProtectionServiceNotRunning,CPSProtectionFailureDetected,ProtectionServiceNotWorking"; DeviceVendor == "Acronis" |
In solution Apache Log4j Vulnerability Detection:
| Hunting Query | Selection Criteria |
|---|---|
| Network Connection to New External LDAP Server | |
In solution CiscoSEG: DeviceEventClassID == "ESA_CONSOLIDATED_LOG_EVENT"
In solution Claroty: DeviceVendor == "Claroty"
In solution Cyware:
| Hunting Query | Selection Criteria |
|---|---|
| Match Cyware Intel Watchlist Items With Common Logs | |
In solution Endace:
| Hunting Query | Selection Criteria |
|---|---|
| Endace - Pivot-to-Vision | |
In solution Fortinet FortiWeb Cloud WAF-as-a-Service connector for Microsoft Sentinel: DeviceProduct has "Fortiweb"; DeviceVendor == "Fortinet"
| Hunting Query |
|---|
| Fortiweb - Unexpected countries |
| Fortiweb - identify owasp10 vulnerabilities |
In solution Legacy IOC based Threat Protection:
| Hunting Query | Selection Criteria |
|---|---|
| Retrospective hunt for Forest Blizzard IP IOCs | |
In solution Lumen Defender Threat Feed:
| Hunting Query | Selection Criteria |
|---|---|
| Lumen TI IPAddress indicator in CommonSecurityLog | |
In solution Network Threat Protection Essentials:
| Hunting Query | Selection Criteria |
|---|---|
| Base64 encoded IPv4 address in request url | |
| Risky base64 encoded command in URL | |
In solution PaloAlto-PAN-OS: DeviceVendor == "Palo Alto Networks"
| Hunting Query |
|---|
| Palo Alto - high-risk ports |
| Palo Alto - potential beaconing detected |
In solution PaloAltoCDL: DeviceProduct == "LF"; DeviceVendor == "Palo Alto Networks"
In solution PingFederate: DeviceProduct has "PingFederate"
In solution Trend Micro Apex One: DeviceProduct == "Apex Central"; DeviceVendor == "Trend Micro"
Standalone Content: DeviceVendor == "Palo Alto Networks"
| Hunting Query |
|---|
| RareDNSLookupWithDataTransfer |
GitHub Only:
| Hunting Query | Selection Criteria |
|---|---|
| Abnormally Large JPEG Filed Downloaded from New Source | |
| FireEye stolen red teaming tools communications | |
| SQL Alert Correlation with CommonSecurityLogs and AuditLogs | DeviceVendor == "Palo Alto Networks" |
| Storage Alert Correlation with CommonSecurityLogs and StorageLogs | DeviceVendor == "Fortinet" |
| Storage Alerts Correlation with CommonSecurityLogs & AuditLogs | DeviceVendor == "Fortinet" |
In solution AI Analyst Darktrace: DeviceProduct in "AI Analyst,Enterprise Immune System"; DeviceVendor == "Darktrace"
| Workbook |
|---|
| AIA-Darktrace |
In solution AristaAwakeSecurity: DeviceProduct == "Awake Security"; DeviceVendor == "Arista Networks"
| Workbook |
|---|
| AristaAwakeSecurityWorkbook |
In solution Barracuda CloudGen Firewall: DeviceVendor == "Barracuda"
| Workbook |
|---|
| Barracuda |
In solution Check Point: DeviceProduct in "Anti Malware,Anti-Bot,Anti-Virus,Application Control,DDoS Protector,IPS,Threat Emulation,URL Filtering"; DeviceVendor == "Check Point"
| Workbook |
|---|
| CheckPoint |
In solution CiscoASA: DeviceEventClassID in "106100,111008,113012,113015,302010,315011,611102,733100"; DeviceProduct == "ASA"; DeviceVendor == "Cisco"
| Workbook |
|---|
| Cisco |
In solution CiscoSEG: DeviceEventClassID == "ESA_CONSOLIDATED_LOG_EVENT"
| Workbook |
|---|
| CiscoSEG |
In solution Citrix Web App Firewall: DeviceProduct == "NetScaler"; DeviceVendor == "Citrix"
| Workbook |
|---|
| CitrixWAF |
In solution Claroty: DeviceVendor == "Claroty"
| Workbook |
|---|
| ClarotyOverview |
In solution Common Event Format: DeviceProduct has "PAN-OS"
| Workbook |
|---|
| CEFOverviewWorkbook |
In solution ContinuousDiagnostics&Mitigation:
| Workbook | Selection Criteria |
|---|---|
| ContinuousDiagnostics&Mitigation | |
In solution Contrast Protect: DeviceVendor == "Contrast Security"
| Workbook |
|---|
| ContrastProtect |
In solution CrowdStrike Falcon Endpoint Protection: DeviceProduct == "FalconHost"; DeviceVendor == "CrowdStrike"
| Workbook |
|---|
| CrowdStrikeFalconEndpointProtection |
In solution CyberArk Privilege Access Manager (PAM) Events: DeviceProduct == "Vault"; DeviceVendor == "Cyber-Ark"
| Workbook |
|---|
| CyberArkEPV |
In solution Delinea Secret Server: DeviceProduct == "Secret Server"; DeviceVendor in "Delinea Software,Thycotic Software"
| Workbook |
|---|
| DelineaWorkbook |
In solution ExtraHop Reveal(x): DeviceVendor == "ExtraHop"
| Workbook |
|---|
| ExtraHopDetectionSummary |
In solution Forcepoint CASB: DeviceProduct in "CASB Admin audit log,Cloud Service Monitoring,SaaS Security Gateway"; DeviceVendor == "Forcepoint CASB"
| Workbook |
|---|
| ForcepointCASB |
In solution Forcepoint CSG: DeviceProduct in "Email,Web"; DeviceVendor == "Forcepoint CSG"
| Workbook |
|---|
| ForcepointCloudSecuirtyGateway |
In solution Forcepoint NGFW:
| Workbook | Selection Criteria |
|---|---|
| ForcepointNGFW | DeviceProduct == "NGFW"; DeviceVendor == "Forcepoint" |
| ForcepointNGFWAdvanced | DeviceProduct in "Alert,Audit"; DeviceVendor in "FORCEPOINT,Forcepoint" |
In solution Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel: DeviceProduct contains "Fortigate"; DeviceVendor == "Fortinet"
| Workbook |
|---|
| Fortigate |
In solution Fortinet FortiWeb Cloud WAF-as-a-Service connector for Microsoft Sentinel: DeviceProduct has "Fortiweb"; DeviceVendor == "Fortinet"
| Workbook |
|---|
| Fortiweb-workbook |
In solution Illusive Platform:
| Workbook | Selection Criteria |
|---|---|
| IllusiveADS | DeviceEventClassID in "illusive:access,illusive:login,illusive:suspicious" |
| IllusiveASM | DeviceEventClassID == "illusive:violation" |
In solution Infoblox: DeviceEventClassID in "DHCP-LEASE-CREATE,DHCP-LEASE-DELETE,DHCP-LEASE-UPDATE"; DeviceEventClassID has "Audit"; DeviceEventClassID has "DHCP"; DeviceEventClassID has "DNS"; DeviceEventClassID has "RPZ"; DeviceEventClassID has "Service"; DeviceProduct == "Data Connector"; DeviceVendor == "Infoblox"
| Workbook |
|---|
| Infoblox_Workbook |
In solution Infoblox Cloud Data Connector: DeviceEventClassID in "DHCP-LEASE-CREATE,DHCP-LEASE-DELETE,DHCP-LEASE-UPDATE"; DeviceEventClassID has "DHCP"; DeviceEventClassID has "DNS"; DeviceEventClassID has "RPZ"; DeviceProduct == "Data Connector"; DeviceVendor == "Infoblox"
| Workbook |
|---|
| InfobloxCDCB1TDWorkbook |
In solution IronNet IronDefense:
| Workbook | Selection Criteria |
|---|---|
| IronDefenseAlertDashboard | |
| IronDefenseAlertDetails | DeviceProduct == "IronDefense" |
In solution Lumen Defender Threat Feed:
| Workbook | Selection Criteria |
|---|---|
| Lumen-Threat-Feed-Overview | |
In solution MaturityModelForEventLogManagementM2131:
| Workbook | Selection Criteria |
|---|---|
| MaturityModelForEventLogManagement_M2131 | |
In solution NISTSP80053:
| Workbook | Selection Criteria |
|---|---|
| NISTSP80053 | |
In solution Onapsis Platform: DeviceVendor == "Onapsis"
| Workbook |
|---|
| OnapsisAlarmsOverview |
In solution OneIdentity: DeviceProduct == "SPS"; DeviceVendor == "OneIdentity"
| Workbook |
|---|
| OneIdentity |
In solution Palo Alto - XDR (Cortex): DeviceProduct == "Cortex XDR"; DeviceVendor == "Palo Alto Networks"
| Workbook |
|---|
| PaloAltoXDR |
In solution PaloAlto-PAN-OS:
| Workbook | Selection Criteria |
|---|---|
| PaloAltoNetworkThreat | DeviceEventClassID in "correlation,vulnerability,wildfire"; DeviceEventClassID != "file"; DeviceEventClassID != "url"; DeviceProduct has "PAN-OS"; DeviceVendor == "Palo Alto Networks" |
| PaloAltoOverview | DeviceEventClassID in "end,file,url,wildfire"; DeviceProduct has "LF"; DeviceProduct has "PAN-OS"; DeviceVendor == "Palo Alto Networks" |
In solution PaloAltoCDL: DeviceProduct == "LF"; DeviceVendor == "Palo Alto Networks"
| Workbook |
|---|
| PaloAltoCDL |
In solution PingFederate: DeviceProduct == "PingFederate"; DeviceProduct has "PingFederate"
| Workbook |
|---|
| PingFederate |
In solution SOC Handbook:
| Workbook | Selection Criteria |
|---|---|
| InvestigationInsights | |
| SecurityStatus | |
In solution SOX IT Compliance: DeviceVendor has_any "CrowdStrike,Microsoft,Qualys,Tripwire"
| Workbook |
|---|
| SOXITCompliance |
In solution Semperis Directory Services Protector:
| Workbook | Selection Criteria |
|---|---|
| SemperisDSPADChanges | DeviceEventClassID == "Semperis.DSP.AdChanges" |
| SemperisDSPNotifications | DeviceProduct == "Core Directory" |
| SemperisDSPQuickviewDashboard | DeviceProduct == "Core Directory" |
| SemperisDSPSecurityIndicators | |
In solution Silverfort: DeviceProduct has "Admin Console"; DeviceVendor has "Silverfort"
| Workbook |
|---|
| SilverfortWorkbook |
In solution SonicWall Firewall: DeviceVendor == "SonicWall"
| Workbook |
|---|
| SonicWallFirewall |
In solution Trend Micro Apex One: DeviceProduct == "Apex Central"; DeviceVendor == "Trend Micro"
| Workbook |
|---|
| TrendMicroApexOne |
In solution Trend Micro Deep Security: DeviceProduct startswith "Deep Security"; DeviceVendor has_any "Trend Micro,TrendMicro"
| Workbook |
|---|
| TrendMicroDeepSecurityAttackActivity |
| TrendMicroDeepSecurityOverview |
In solution Vectra AI Detect: DeviceEventClassID in "asc,audit,campaigns,health,hsc"; DeviceEventClassID !in "health,audit,campaigns,hsc,asc"; DeviceEventClassID !in "health,audit,campaigns,hsc,asc"; DeviceVendor == "Vectra Networks"
| Workbook |
|---|
| AIVectraDetectWorkbook |
In solution Votiro: DeviceProduct == "Votiro cloud"; DeviceVendor == "Votiro"
| Workbook |
|---|
| Votiro Monitoring Dashboard |
In solution ZeroTrust(TIC3.0):
| Workbook | Selection Criteria |
|---|---|
| ZeroTrustTIC3 | |
In solution Zscaler Internet Access:
| Workbook | Selection Criteria |
|---|---|
| NSSAuditLogs | DeviceProduct == "NSSAuditlog"; DeviceVendor == "Zscaler" |
| NSSCASBActivityLogs | DeviceProduct == "NSSCasbactivitylog"; DeviceVendor == "Zscaler" |
| NSSCASBCRMLogs | DeviceProduct == "NSSCasbcrmlog"; DeviceVendor == "Zscaler" |
| NSSCASBCloudStorageLogs | DeviceProduct == "NSSCasbcloudstoragelog"; DeviceVendor == "Zscaler" |
| NSSCASBCollabLogs | DeviceProduct == "NSSCasbcollablog"; DeviceVendor == "Zscaler" |
| NSSCASBEmail | DeviceProduct == "NSSCasbemaillog"; DeviceVendor == "Zscaler" |
| NSSCASBFileSharingLogs | DeviceProduct == "NSSCasbfilesharinglog"; DeviceVendor == "Zscaler" |
| NSSCASBITSMLogs | DeviceProduct == "NSSCasbitsmlog"; DeviceVendor == "Zscaler" |
| NSSCASBRepoLogs | DeviceProduct == "NSSCasbrepolog"; DeviceVendor == "Zscaler" |
| NSSDNSLogs | DeviceProduct == "NSSDNSlog"; DeviceVendor == "Zscaler" |
| NSSEmailDLPLogs | DeviceEventClassID == "DLP Incident"; DeviceProduct == "NSSEmaildlplog"; DeviceVendor == "Zscaler" |
| NSSEndpointDLPLogs | DeviceProduct == "NSSEndpointdlplog"; DeviceVendor == "Zscaler" |
| NSSFWLogs | DeviceEventClassID !contains "Allow"; DeviceEventClassID contains "Allow"; DeviceProduct == "NSSFWlog" |
| NSSTunnelLogs | DeviceEventClassID in "Tunnel Event,Tunnel Samples"; DeviceProduct == "NSSTunnellog"; DeviceVendor == "Zscaler" |
| NSSWebLogsOffice365 | DeviceEventClassID !contains "Allow"; DeviceEventClassID contains "Allow"; DeviceVendor == "Zscaler" |
| NSSWebLogsOverview | DeviceEventClassID in "Allow,Allowed"; DeviceEventClassID !contains "Allow"; DeviceEventClassID contains "Allow"; DeviceProduct == "NSSWeblog"; DeviceVendor == "Zscaler" |
| NSSWebLogsThreats | DeviceEventClassID == "Blocked"; DeviceEventClassID !contains "Allow"; DeviceEventClassID contains "Block"; DeviceProduct == "NSSWeblog"; DeviceVendor == "Zscaler" |
In solution iboss: DeviceVendor == "iboss"
| Workbook |
|---|
| ibossMalwareAndC2 |
| ibossWebUsage |
In solution vArmour Application Controller: DeviceProduct == "AC"; DeviceVendor == "vArmour"
| Workbook |
|---|
| vArmour_AppContoller_Workbook |
GitHub Only:
| Workbook | Selection Criteria |
|---|---|
| AIA-Darktrace | DeviceProduct in "AI Analyst,Enterprise Immune System"; DeviceVendor == "Darktrace" |
| AIVectraDetectWorkbook | DeviceEventClassID in "asc,audit,campaigns,health,hsc"; DeviceEventClassID !in "health,audit,campaigns,hsc,asc"; DeviceEventClassID !in "health,audit,campaigns,hsc,asc"; DeviceVendor == "Vectra Networks" |
| Barracuda | DeviceVendor == "Barracuda" |
| CheckPoint | DeviceProduct in "Anti Malware,Anti-Bot,Anti-Virus,Application Control,DDoS Protector,IPS,Threat Emulation,URL Filtering"; DeviceVendor == "Check Point" |
| Cisco | DeviceEventClassID in "106100,111008,113012,113015,302010,315011,611102,733100"; DeviceProduct == "ASA"; DeviceVendor == "Cisco" |
| CiscoFirepower | DeviceProduct == "FTD"; DeviceVendor == "Cisco" |
| CitrixWAF | DeviceProduct == "NetScaler"; DeviceVendor == "Citrix" |
| CyberArkEPV | DeviceProduct == "Vault"; DeviceVendor == "Cyber-Ark" |
| DataCollectionHealthMonitoring | |
| Data_Latency_Workbook | DeviceVendor contains "Cyber-Ark"; DeviceVendor contains "F5"; DeviceVendor contains "Forcepoint"; DeviceVendor contains "Fortinet"; DeviceVendor contains "Imperva Inc."; DeviceVendor contains "JSonar"; DeviceVendor contains "Sonicwall"; DeviceVendor contains "Trend Micro" |
| DelineaWorkbook | DeviceProduct == "Secret Server"; DeviceVendor == "Delinea Software" |
| DoDZeroTrustWorkbook | |
| ExchangeCompromiseHunting | |
| ExtraHopDetectionSummary | DeviceVendor == "ExtraHop" |
| ForcepointCASB | DeviceProduct in "CASB Admin audit log,Cloud Service Monitoring,SaaS Security Gateway"; DeviceVendor == "Forcepoint CASB" |
| ForcepointCloudSecuirtyGatewayworkbook | DeviceProduct in "Email,Web"; DeviceVendor == "Forcepoint CSG" |
| ForcepointNGFW | DeviceProduct == "NGFW"; DeviceVendor == "Forcepoint" |
| ForcepointNGFWAdvanced | DeviceProduct in "Alert,Audit"; DeviceVendor in "FORCEPOINT,Forcepoint" |
| Fortigate | DeviceProduct contains "Fortigate"; DeviceVendor == "Fortinet" |
| IllusiveADS | DeviceEventClassID in "illusive:access,illusive:login,illusive:suspicious" |
| IllusiveASM | DeviceEventClassID == "illusive:violation" |
| InvestigationInsights | |
| IoTAssetDiscovery | DeviceVendor == "Fortinet" |
| MicrosoftSentinelDeploymentandMigrationTracker | DeviceVendor has "Barracuda"; DeviceVendor has "Check Point"; DeviceVendor has "Cisco"; DeviceVendor has "Citrix"; DeviceVendor has "CyberArk"; DeviceVendor has "ExtraHop"; DeviceVendor has "F5"; DeviceVendor has "ForgeRock"; DeviceVendor has "Fortinet"; DeviceVendor has "Illusive"; DeviceVendor has "OneIdentity"; DeviceVendor has "Palo Alto"; DeviceVendor has "Vectra Networks"; DeviceVendor has "Zscaler" |
| OnapsisAlarmsOverview | DeviceVendor == "Onapsis" |
| OneIdentity | DeviceProduct == "SPS"; DeviceVendor == "OneIdentity" |
| OptimizationWorkbook | |
| PaloAltoNetworkThreat | DeviceEventClassID in "correlation,vulnerability,wildfire"; DeviceEventClassID != "file"; DeviceEventClassID != "url"; DeviceProduct has "PAN-OS"; DeviceVendor == "Palo Alto Networks" |
| PaloAltoOverview | DeviceEventClassID in "end,file,url,wildfire"; DeviceProduct has "PAN-OS"; DeviceVendor == "Palo Alto Networks" |
| SecurityStatus | |
| SentinelWorkspaceReconTools | |
| SolarWindsPostCompromiseHunting | |
| SonicWallFirewall | DeviceVendor == "SonicWall" |
| TrendMicroDeepSecurityAttackActivity | |
| TrendMicroDeepSecurityOverview | |
| UnifiSG | DeviceEventClassID in "DHCP,DNS,Firewall,IPS"; DeviceVendor == "Unifi" |
| UserMap | |
| WorkspaceUsage | |
| ZeroTrustStrategyWorkbook | |
| ZscalerFirewall | DeviceEventClassID !contains "Allow"; DeviceEventClassID contains "Allow"; DeviceProduct == "NSSFWlog" |
| ZscalerOffice365Apps | DeviceEventClassID !contains "Allow"; DeviceEventClassID contains "Allow"; DeviceVendor == "Zscaler" |
| ZscalerThreats | DeviceEventClassID == "Blocked"; DeviceEventClassID !contains "Allow"; DeviceEventClassID contains "Block"; DeviceProduct == "NSSWeblog"; DeviceVendor == "Zscaler" |
| ZscalerWebOverview | DeviceEventClassID in "Allow,Allowed"; DeviceEventClassID !contains "Allow"; DeviceEventClassID contains "Allow"; DeviceProduct == "NSSWeblog"; DeviceVendor == "Zscaler" |
| pfsense | DeviceEventClassID == "filterlog"; DeviceProduct == "pfsense" |
| Parser | Schema | Product | Selection Criteria |
|---|---|---|---|
| ASimAuditEventBarracudaCEF | AuditEvent | Barracuda WAF | DeviceProduct in "WAAS,WAF"; DeviceVendor startswith "Barracuda" |
| ASimAuditEventCrowdStrikeFalconHost | AuditEvent | CrowdStrike Falcon Endpoint Protection | DeviceEventClassID == "UserActivityAuditEvent"; DeviceProduct == "FalconHost"; DeviceVendor == "CrowdStrike" |
| ASimAuditEventInfobloxBloxOne | AuditEvent | Infoblox BloxOne | DeviceEventClassID has "AUDIT"; DeviceVendor == "Infoblox" |
| ASimAuthenticationCiscoASA | Authentication | Cisco Adaptive Security Appliance (ASA) | DeviceProduct == "ASA"; DeviceVendor == "Cisco" |
| ASimAuthenticationCrowdStrikeFalconHost | Authentication | CrowdStrike Falcon Endpoint Protection | DeviceEventClassID in "twoFactorAuthenticate,userAuthenticate"; DeviceProduct == "FalconHost"; DeviceVendor == "CrowdStrike" |
| ASimAuthenticationFortinetFortigate | Authentication | Fortigate | DeviceEventClassID !in "0100022949,0100022952"; DeviceProduct has "Fortigate"; DeviceVendor == "Fortinet" |
| ASimAuthenticationPaloAltoCortexDataLake | Authentication | Palo Alto Cortex Data Lake | DeviceEventClassID == "AUTH"; DeviceProduct == "LF"; DeviceVendor == "Palo Alto Networks" |
| ASimAuthenticationPaloAltoGlobalProtect | Authentication | Palo Alto PAN-OS GlobalProtect | DeviceEventClassID == "GLOBALPROTECT"; DeviceProduct == "PAN-OS"; DeviceVendor == "Palo Alto Networks" |
| ASimAuthenticationPaloAltoPanOS | Authentication | Palo Alto PAN-OS | DeviceEventClassID startswith "auth"; DeviceProduct == "PAN-OS"; DeviceVendor == "Palo Alto Networks" |
| ASimDhcpEventInfobloxBloxOne | DhcpEvent | Infoblox BloxOne | DeviceEventClassID has "DHCP"; DeviceVendor == "Infoblox" |
| ASimDnsFortinetFortiGate | Dns | Fortinet FortiGate | DeviceEventClassID endswith "54000"; DeviceEventClassID endswith "54200"; DeviceEventClassID endswith "54400"; DeviceEventClassID endswith "54401"; DeviceEventClassID endswith "54600"; DeviceEventClassID endswith "54601"; DeviceEventClassID endswith "54800"; DeviceEventClassID endswith "54801"; DeviceEventClassID endswith "54802"; DeviceEventClassID endswith "54803"; DeviceEventClassID endswith "54804"; DeviceEventClassID endswith "54805"; DeviceProduct startswith "Fortigate"; DeviceVendor == "Fortinet" |
| ASimDnsInfobloxBloxOne | Dns | Infoblox BloxOne | DeviceEventClassID has "DNS"; DeviceVendor == "Infoblox" |
| ASimDnsZscalerZIA | Dns | Zscaler ZIA DNS | DeviceProduct == "NSSDNSlog" |
| ASimNetworkSessionBarracudaCEF | NetworkSession | Barracuda WAF | DeviceProduct in "WAAS,WAF"; DeviceVendor startswith "Barracuda" |
| ASimNetworkSessionCheckPointFirewall | NetworkSession | CheckPointFirewall | DeviceProduct == "VPN-1 & FireWall-1"; DeviceVendor == "CheckPoint" |
| ASimNetworkSessionCheckPointSmartDefense | NetworkSession | CheckPointSmartDefense | DeviceProduct == "SmartDefense"; DeviceVendor == "Check Point" |
| ASimNetworkSessionCiscoASA | NetworkSession | CiscoASA | DeviceEventClassID in "106001,106002,106006,106007,106010,106012,106013,106014,106015,106016,106017,106018,106020,106021,106022,106023,106100,302013,302014,302015,302016,302020,302021,710002,710003,710004,710005"; DeviceProduct == "ASA"; DeviceVendor == "Cisco" |
| ASimNetworkSessionCiscoFirepower | NetworkSession | Cisco Firepower | DeviceEventClassID has "INTRUSION:400"; DeviceEventClassID has "PV:112"; DeviceEventClassID has "RNA:1003:1"; DeviceEventClassID has_any "INTRUSION:400,PV:112,RNA:1003:1"; DeviceProduct == "Firepower"; DeviceVendor == "Cisco" |
| ASimNetworkSessionCrowdStrikeFalconHost | NetworkSession | CrowdStrike Falcon Endpoint Protection | DeviceEventClassID in "FirewallMatchEvent,Network Access In A Detection Summary Event"; DeviceEventClassID has "Network Access In A Detection Summary Event"; DeviceProduct == "FalconHost"; DeviceVendor == "CrowdStrike" |
| ASimNetworkSessionForcePointFirewall | NetworkSession | ForcePointFirewall | DeviceEventClassID in "70734,76508,76509"; DeviceEventClassID != "0"; DeviceEventClassID !in "70383,70393,70734,71009,71040"; DeviceProduct == "Firewall"; DeviceVendor == "FORCEPOINT" |
| ASimNetworkSessionFortinetFortiGate | NetworkSession | Fortinet FortiGate | DeviceProduct startswith "FortiGate"; DeviceVendor == "Fortinet" |
| ASimNetworkSessionPaloAltoCEF | NetworkSession | Palo Alto PanOS | DeviceProduct == "PAN-OS"; DeviceVendor == "Palo Alto Networks" |
| ASimNetworkSessionPaloAltoCortexDataLake | NetworkSession | Palo Alto Cortex Data Lake | DeviceEventClassID == "TRAFFIC"; DeviceProduct == "LF"; DeviceVendor == "Palo Alto Networks" |
| ASimNetworkSessionSonicWallFirewall | NetworkSession | SonicWall | DeviceVendor == "SonicWall" |
| ASimNetworkSessionZscalerZIA | NetworkSession | Zscaler ZIA Firewall | DeviceProduct == "NSSFWlog"; DeviceVendor == "Zscaler" |
| ASimWebSessionBarracudaCEF | WebSession | Barracuda WAF | DeviceProduct in "WAAS,WAF"; DeviceVendor startswith "Barracuda" |
| ASimWebSessionCiscoFirepower | WebSession | Cisco Firepower | DeviceEventClassID in "File:500:1,FileMalware:502:1,FireAMP:125:1"; DeviceEventClassID has "File:500:1"; DeviceEventClassID has "FileMalware:502:1"; DeviceProduct == "Firepower"; DeviceVendor == "Cisco" |
| ASimWebSessionCitrixNetScaler | WebSession | Citrix NetScaler | DeviceEventClassID == "APPFW"; DeviceProduct == "NetScaler"; DeviceVendor == "Citrix" |
| ASimWebSessionF5ASM | WebSession | F5 BIG-IP Application Security Manager (ASM) | DeviceProduct == "ASM"; DeviceVendor == "F5" |
| ASimWebSessionFortinetFortiGate | WebSession | Fortinet FortiGate | DeviceProduct startswith "Fortigate"; DeviceVendor == "Fortinet" |
| ASimWebSessionPaloAltoCEF | WebSession | Palo Alto Networks | DeviceEventClassID == "url"; DeviceProduct == "PAN-OS"; DeviceVendor == "Palo Alto Networks" |
| ASimWebSessionPaloAltoCortexDataLake | WebSession | Palo Alto Cortex Data Lake | DeviceEventClassID == "THREAT"; DeviceProduct == "LF"; DeviceVendor == "Palo Alto Networks" |
| ASimWebSessionSonicWallFirewall | WebSession | SonicWall | DeviceVendor == "SonicWall" |
| ASimWebSessionZscalerZIA | WebSession | Zscaler ZIA | DeviceProduct == "NSSWeblog"; DeviceVendor == "Zscaler" |

| Parser | Solution | Selection Criteria |
|---|---|---|
| AkamaiSIEMEvent | Akamai Security Events | DeviceProduct == "akamai_siem"; DeviceVendor == "Akamai" |
| ArubaClearPass | Aruba ClearPass | DeviceProduct == "ClearPass"; DeviceVendor == "Aruba Networks" |
| CiscoSEGEvent | CiscoSEG | DeviceEventClassID == "ESA_CONSOLIDATED_LOG_EVENT" |
| CitrixADCEventOld | Citrix ADC ⚠️ | DeviceProduct == "NetScaler"; DeviceVendor == "Citrix" |
| ClarotyEvent | Claroty | DeviceVendor == "Claroty" |
| CrowdStrikeFalconEventStream | CrowdStrike Falcon Endpoint Protection | DeviceProduct == "FalconHost"; DeviceVendor == "CrowdStrike" |
| DragosPushNotificationsToSentinel | Dragos | DeviceProduct == "Platform"; DeviceVendor == "Dragos" |
| FireEyeNXEvent | FireEye Network Security | DeviceVendor == "FireEye" |
| ForgeRockParser | ForgeRock Common Audit for CEF | DeviceVendor == "ForgeRock Inc" |
| Fortiweb | Fortinet FortiWeb Cloud WAF-as-a-Service connector for Microsoft Sentinel | DeviceProduct has "Fortiweb"; DeviceVendor == "Fortinet" |
| IllumioCoreEvent | Illumio Core | DeviceVendor == "Illumio" |
| InfobloxCDC | Infoblox Cloud Data Connector | DeviceProduct == "Data Connector"; DeviceVendor == "Infoblox" |
| InfobloxCDC_SOCInsights | Infoblox | DeviceEventClassID == "BloxOne-InsightsNotification-Log"; DeviceProduct == "Data Connector"; DeviceVendor == "Infoblox" |
| InfobloxCDC_SOCInsights | Infoblox SOC Insights | DeviceEventClassID == "BloxOne-InsightsNotification-Log"; DeviceProduct == "Data Connector"; DeviceVendor == "Infoblox" |
| McAfeeCommonSecurityLog | (Legacy) | DeviceVendor == "McAfee" |
| NetwrixAuditor | Netwrix Auditor | DeviceVendor == "Netwrix" |
| NozomiNetworksEvents | NozomiNetworks | DeviceVendor has "Nozomi" |
| OSSECEvent | OSSEC | DeviceVendor has "OSSEC" |
| OneIdentity_Safeguard | OneIdentity ⚠️ | DeviceVendor == "OneIdentity" |
| OneIdentity_Safeguard | OneIdentity | DeviceVendor == "OneIdentity" |
| PaloAltoCDLEvent | PaloAltoCDL | DeviceProduct == "LF"; DeviceVendor == "Palo Alto Networks" |
| PingFederateEvent | PingFederate | DeviceProduct has "PingFederate" |
| RadiflowEvent | Radiflow | DeviceVendor == "radiflow" |
| StealthDefend | (Legacy) | DeviceProduct == "StealthDEFEND"; DeviceVendor == "STEALTHbits Technologies" |
| SymantecDLP | Broadcom SymantecDLP | DeviceProduct == "DLP"; DeviceVendor == "Symantec" |
| TMApexOneEvent | Trend Micro Apex One | DeviceProduct == "Apex Central"; DeviceVendor == "Trend Micro" |
| TrendMicroDeepSecurity | Trend Micro Deep Security | DeviceProduct startswith "Deep Security"; DeviceVendor has_any "Trend Micro,TrendMicro" |
| TrendMicroTippingPoint | Trend Micro TippingPoint | DeviceProduct == "UnityOne" |
| VotiroEvents | Votiro | DeviceProduct == "Votiro cloud"; DeviceVendor == "Votiro" |
| getForgeRockUsers | ForgeRock Common Audit for CEF ⚠️ | DeviceVendor == "ForgeRock Inc" |
| ibossUrlEvent | iboss | DeviceVendor == "iboss" |
| pfsensefilterlog | (Legacy) | DeviceEventClassID == "filterlog"; DeviceProduct == "pfsense" |
| pfsensenginx | (Legacy) | DeviceEventClassID == "nginx"; DeviceProduct == "pfsense" |

⚠️ Parsers marked with ⚠️ are not listed in their Solution JSON file.
This table collects data from the following Azure resource types:

- microsoft.securityinsights/cef
- microsoft.compute/virtualmachines
- microsoft.connectedvmwarevsphere/virtualmachines
- microsoft.azurestackhci/virtualmachines
- microsoft.scvmm/virtualmachines
- microsoft.compute/virtualmachinescalesets

References by type: 81 connectors, 256 content items, 34 ASIM parsers, 33 other parsers.

| Selection Criteria | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| DeviceProduct has "PingFederate" | 1 | 21 | - | 1 | 23 |
| DeviceVendor == "Claroty" | 1 | 21 | - | 1 | 23 |
| DeviceProduct == "LF"; DeviceVendor == "Palo Alto Networks" | 1 | 21 | - | 1 | 23 |
| DeviceProduct == "Apex Central"; DeviceVendor == "Trend Micro" | 1 | 21 | - | 1 | 23 |
| DeviceEventClassID == "ESA_CONSOLIDATED_LOG_EVENT" | - | 22 | - | 1 | 23 |
| DeviceProduct == "iSID"; DeviceVendor == "radiflow" | - | 8 | - | - | 8 |
| DeviceVendor == "Contrast Security" | 2 | 5 | - | - | 7 |
| DeviceEventClassID == "BloxOne-InsightsNotification-Log"; DeviceProduct == "Data Connector"; DeviceVendor == "Infoblox" | 3 | 2 | - | 2 | 7 |
| DeviceProduct == "FalconHost"; DeviceVendor == "CrowdStrike" | 2 | 2 | - | 1 | 5 |
| DeviceVendor == "SonicWall" | 2 | 1 | 2 | - | 5 |
| DeviceVendor == "iboss" | 2 | 2 | - | 1 | 5 |
| DeviceProduct == "Awake Security"; DeviceVendor == "Arista Networks" | 1 | 4 | - | - | 5 |
| DeviceProduct == "Votiro cloud"; DeviceVendor == "Votiro" | 1 | 3 | - | 1 | 5 |
| DeviceProduct has "Fortiweb"; DeviceVendor == "Fortinet" | - | 4 | - | 1 | 5 |
| DeviceVendor == "Palo Alto Networks" | - | 5 | - | - | 5 |
| DeviceProduct == "AC"; DeviceVendor == "vArmour" | 2 | 2 | - | - | 4 |
| DeviceProduct == "NetScaler"; DeviceVendor == "Citrix" | 2 | 1 | - | 1 | 4 |
| DeviceEventClassID has "RPZ"; DeviceProduct == "Data Connector"; DeviceVendor == "Infoblox" | - | 4 | - | - | 4 |
| DeviceEventClassID == "NewIncident"; DeviceProduct has "Admin Console"; DeviceVendor has "Silverfort" | - | 4 | - | - | 4 |
| DeviceEventClassID == "url"; DeviceVendor == "Palo Alto Networks" | - | 4 | - | - | 4 |
| DeviceEventClassID != "asc"; DeviceEventClassID != "audit"; DeviceEventClassID != "campaigns"; DeviceEventClassID != "health"; DeviceEventClassID != "hsc"; DeviceProduct == "X Series"; DeviceVendor == "Vectra Networks" | - | 4 | - | - | 4 |
| DeviceProduct == "ClearPass"; DeviceVendor == "Aruba Networks" | 2 | - | - | 1 | 3 |
| DeviceProduct in "Email,Web"; DeviceVendor == "Forcepoint CSG" | 2 | 1 | - | - | 3 |
| DeviceProduct == "DLP"; DeviceVendor == "Symantec" | 2 | - | - | 1 | 3 |
| DeviceProduct == "Secret Server"; DeviceVendor in "Delinea Software,Thycotic Software" | 2 | 1 | - | - | 3 |
| DeviceProduct == "akamai_siem"; DeviceVendor == "Akamai" | 2 | - | - | 1 | 3 |
| DeviceProduct == "NGFW"; DeviceVendor == "Forcepoint" | 2 | 1 | - | - | 3 |
| DeviceProduct == "Vault"; DeviceVendor == "Cyber-Ark" | 2 | 1 | - | - | 3 |
| DeviceVendor == "Acronis audit" | - | 3 | - | - | 3 |
| DeviceVendor == "Fortinet" | - | 3 | - | - | 3 |
| DeviceProduct startswith "FireWall"; DeviceProduct startswith "FortiGate"; DeviceProduct startswith "NSSWeblog"; DeviceProduct startswith "PAN"; DeviceProduct startswith "URL"; DeviceProduct startswith "VPN"; DeviceVendor has_any "Check Point,Fortinet,Palo Alto Networks,Zscaler" | - | 3 | - | - | 3 |
| DeviceProduct startswith "Deep Security"; DeviceVendor has_any "Trend Micro,TrendMicro" | - | 2 | - | 1 | 3 |
| DeviceProduct in "WAAS,WAF"; DeviceVendor startswith "Barracuda" | - | - | 3 | - | 3 |
| DeviceProduct == "Firepower"; DeviceVendor == "Cisco" | 2 | - | - | - | 2 |
| DeviceEventClassID == "ExtraHop Detection"; DeviceVendor == "ExtraHop" | 2 | - | - | - | 2 |
| DeviceVendor == "Darktrace" | 2 | - | - | - | 2 |
| DeviceVendor == "F5" | 2 | - | - | - | 2 |
| DeviceProduct startswith "Fortigate"; DeviceVendor == "Fortinet" | 1 | - | 1 | - | 2 |
| DeviceEventClassID in "illusive:access,illusive:login,illusive:suspicious"; DeviceProduct == "illusive"; DeviceVendor == "illusive" | 2 | - | - | - | 2 |
| DeviceProduct == "Cortex XDR"; DeviceVendor == "Palo Alto Networks" | 1 | 1 | - | - | 2 |
| DeviceVendor == "Forcepoint CASB" | 2 | - | - | - | 2 |
| DeviceProduct == "ASA"; DeviceVendor == "Cisco" | 1 | - | 1 | - | 2 |
| DeviceProduct == "SPS"; DeviceVendor == "OneIdentity" | 1 | 1 | - | - | 2 |
| DeviceVendor == "Illumio" | 1 | - | - | 1 | 2 |
| DeviceVendor == "Netwrix" | 1 | - | - | 1 | 2 |
| DeviceEventClassID == "hsc"; DeviceEventClassID !in "health,audit,campaigns,hsc,asc"; DeviceProduct == "X Series"; DeviceVendor == "Vectra Networks" | 2 | - | - | - | 2 |
| DeviceVendor == "FireEye" | 1 | - | - | 1 | 2 |
| DeviceProduct == "WireX NFP"; DeviceVendor == "WireX" | 2 | - | - | - | 2 |
| DeviceEventClassID == "DHCP-LEASE-CREATE"; DeviceEventClassID has "Audit"; DeviceEventClassID has "DHCP"; DeviceEventClassID has "DNS"; DeviceEventClassID has "RPZ"; DeviceEventClassID has "Service"; DeviceProduct == "Data Connector"; DeviceVendor == "Infoblox" | 2 | - | - | - | 2 |
| DeviceEventClassID == "4001"; DeviceVendor == "RidgeSecurity" | 1 | 1 | - | - | 2 |
| DeviceVendor == "Barracuda" | 1 | 1 | - | - | 2 |
| DeviceVendor has "Nozomi" | 1 | - | - | 1 | 2 |
| DeviceEventClassID == "MaliciousUrlDetected"; DeviceVendor == "Acronis" | - | 2 | - | - | 2 |
| DeviceEventClassID == "ActiveProtectionBlocksSuspiciousActivity"; DeviceVendor == "Acronis" | - | 2 | - | - | 2 |
| DeviceEventClassID in "MaliciousEmailDetectedPerceptionPointWarning,MaliciousURLDetectedInM365MailboxBackup,MalwareDetectedInM365MailboxBackup"; DeviceVendor == "Acronis" | - | 2 | - | - | 2 |
| DeviceProduct == "NSSWeblog"; DeviceVendor == "Zscaler" | - | 1 | 1 | - | 2 |
| DeviceProduct == "Data Connector"; DeviceVendor == "Infoblox" | - | 1 | - | 1 | 2 |
| DeviceProduct == "IronDefense" | - | 2 | - | - | 2 |
| DeviceEventClassID == "url" | - | 2 | - | - | 2 |
| DeviceEventClassID == "wildfire"; DeviceVendor == "Palo Alto Networks" | - | 2 | - | - | 2 |
| DeviceProduct == "Core Directory" | - | 2 | - | - | 2 |
| DeviceVendor == "ForgeRock Inc" | - | - | - | 2 | 2 |
| DeviceVendor == "OneIdentity" | - | - | - | 2 | 2 |
| DeviceProduct == "ESA_CONSOLIDATED_LOG_EVENT"; DeviceVendor == "Cisco" | 1 | - | - | - | 1 |
| DeviceProduct == "PAN-OS"; DeviceProduct has "PAN-OS"; DeviceVendor == "Palo Alto Networks" | 1 | - | - | - | 1 |
| DeviceEventClassID == "NewIncident"; DeviceProduct == "Admin Console"; DeviceProduct has "Admin Console"; DeviceVendor == "Silverfort"; DeviceVendor has "Silverfort" | 1 | - | - | - | 1 |
| DeviceProduct == "Fortigate"; DeviceProduct startswith "Fortigate"; DeviceVendor == "Fortinet" | 1 | - | - | - | 1 |
| DeviceProduct in "ASA,FTD"; DeviceVendor == "Cisco" | 1 | - | - | - | 1 |
| DeviceVendor !in "Cisco,Check Point,Palo Alto Networks,Fortinet,F5,Barracuda,ExtraHop,OneIdentity,Zscaler,ForgeRock Inc,Cyber-Ark,illusive,Vectra Networks,Citrix,Darktrace,Akamai,Aruba Networks,CrowdStrike,Symantec,Claroty,Contrast Security,Delinea Software,Thycotic Software,FireEye,Forcepoint CSG,Forcepoint,Forcepoint CASB,iboss,Illumio,Imperva Inc.,Infoblox,Morphisec,Netwrix,Nozomi,Onapsis,OSSEC,PingFederate,RidgeSecurity,SonicWall,Trend Micro,vArmour"; DeviceVendor !in "Cisco,Check Point,Palo Alto Networks,Fortinet,F5,Barracuda,ExtraHop,OneIdentity,Zscaler,ForgeRock Inc,Cyber-Ark,illusive,Vectra Networks,Citrix,Darktrace,Akamai,Aruba Networks,CrowdStrike,Symantec,Claroty,Contrast Security,Delinea Software,Thycotic Software,FireEye,Forcepoint CSG,Forcepoint,Forcepoint CASB,iboss,Illumio,Imperva Inc.,Infoblox,Morphisec,Netwrix,Nozomi,Onapsis,OSSEC,PingFederate,RidgeSecurity,SonicWall,Trend Micro,vArmour,Votiro" | 1 | - | - | - | 1 |
| DeviceVendor in "Claroty,Medigate" | 1 | - | - | - | 1 |
| DeviceProduct == "OSP"; DeviceVendor == "Onapsis" | 1 | - | - | - | 1 |
| DeviceEventClassID == "DHCP-LEASE-CREATE"; DeviceEventClassID has "DNS"; DeviceEventClassID has "RPZ"; DeviceProduct == "Data Connector"; DeviceVendor == "Infoblox" | 1 | - | - | - | 1 |
| DeviceVendor == "OSSEC" | 1 | - | - | - | 1 |
| DeviceProduct has "PAN-OS"; DeviceVendor == "Palo Alto Networks" | 1 | - | - | - | 1 |
| DeviceProduct contains "Fortiweb"; DeviceVendor contains "Fortinet" | 1 | - | - | - | 1 |
| DeviceProduct == "iSID" | 1 | - | - | - | 1 |
| DeviceProduct == "IDM"; DeviceVendor == "ForgeRock Inc" | 1 | - | - | - | 1 |
| DeviceProduct == "WAF Gateway"; DeviceVendor in "Imperva,Imperva Inc." | 1 | - | - | - | 1 |
| DeviceProduct == "Fortiweb"; DeviceVendor == "Fortinet" | 1 | - | - | - | 1 |
| DeviceVendor == "WithSecure™" | 1 | - | - | - | 1 |
| DeviceProduct in "IronDefense,IronDome"; DeviceVendor == "IronNet" | 1 | - | - | - | 1 |
| DeviceEventClassID == "733100" | - | 1 | - | - | 1 |
| DeviceEventClassID in "733101,733102,733103,733104,733105" | - | 1 | - | - | 1 |
| DeviceProduct == "illusive" | - | 1 | - | - | 1 |
| DeviceEventClassID == "DNS Response"; DeviceProduct == "Data Connector"; DeviceVendor == "Infoblox" | - | 1 | - | - | 1 |
| DeviceVendor == "Trend Micro" | - | 1 | - | - | 1 |
| DeviceEventClassID in "file,flood,packet,scan,spyware,virus,vulnerability,wildfire,wildfire-virus"; DeviceVendor == "Palo Alto Networks" | - | 1 | - | - | 1 |
| DeviceEventClassID startswith "40"; DeviceVendor == "RidgeSecurity" | - | 1 | - | - | 1 |
| DeviceEventClassID == "asc"; DeviceProduct == "X Series"; DeviceVendor == "Vectra Networks" | - | 1 | - | - | 1 |
| DeviceEventClassID == "hsc"; DeviceProduct == "X Series"; DeviceVendor == "Vectra Networks" | - | 1 | - | - | 1 |
| DeviceEventClassID contains "campaign"; DeviceProduct == "X Series"; DeviceVendor == "Vectra Networks" | - | 1 | - | - | 1 |
| DeviceVendor == "ZScaler" | - | 1 | - | - | 1 |
| DeviceVendor == "Zscaler" | - | 1 | - | - | 1 |
| DeviceProduct == "Wazuh" | - | 1 | - | - | 1 |
| DeviceEventClassID == "globalprotect"; DeviceVendor == "Palo Alto Networks" | - | 1 | - | - | 1 |
| DeviceVendor == "Cisco" | - | 1 | - | - | 1 |
| DeviceEventClassID == "AgentAutoUpdateStalled"; DeviceVendor == "Acronis" | - | 1 | - | - | 1 |
| DeviceEventClassID == "MiniPlanAgentOffline"; DeviceVendor == "Acronis" | - | 1 | - | - | 1 |
| DeviceEventClassID in "CloudConnectionAzureApplianceConfigurationFailed,CloudConnectionAzureApplianceDeallocationFailed,CloudConnectionAzureApplianceDeletionFailed,CloudConnectionAzureApplianceEOL,CloudConnectionAzureApplianceFailed,CloudConnectionAzureApplianceUpdateFailed,CloudConnectionAzureCloudAccessExpired,CloudConnectionS3CloudAccessExpired"; DeviceVendor == "Acronis" | - | 1 | - | - | 1 |
| DeviceEventClassID in "ArchiveCorrupted,BackupFailed,BackupNotResponding,BackupRecoveryFailed"; DeviceVendor == "Acronis" | - | 1 | - | - | 1 |
| DeviceEventClassID in "EDRIOCDetected,EDRIncidentDetected"; DeviceVendor == "Acronis" | - | 1 | - | - | 1 |
| DeviceEventClassID == "MiMonitoringFailedLoginAttemptsOverThreshold"; DeviceVendor == "Acronis" | - | 1 | - | - | 1 |
| DeviceEventClassID in "ActiveProtectionDriverRemediated,ActiveProtectionInvalidNetworkRecoveryPath,ActiveProtectionServiceConflict,ActiveProtectionServiceFailureToApplyPolicy,ActiveProtectionServiceNotAvailable,ActiveProtectionServiceNotRunning,CPSProtectionFailureDetected,ProtectionServiceNotWorking"; DeviceVendor == "Acronis" | - | 1 | - | - | 1 |
| DeviceEventClassID == "ActiveProtectionDetectedAszPartitionAccessed"; DeviceVendor == "Acronis" | - | 1 | - | - | 1 |
| DeviceProduct in "AI Analyst,Enterprise Immune System"; DeviceVendor == "Darktrace" | - | 1 | - | - | 1 |
| DeviceProduct in "Anti Malware,Anti-Bot,Anti-Virus,Application Control,DDoS Protector,IPS,Threat Emulation,URL Filtering"; DeviceVendor == "Check Point" | - | 1 | - | - | 1 |
| DeviceEventClassID in "106100,111008,113012,113015,302010,315011,611102,733100"; DeviceProduct == "ASA"; DeviceVendor == "Cisco" | - | 1 | - | - | 1 |
| DeviceProduct has "PAN-OS" | - | 1 | - | - | 1 |
| DeviceVendor == "ExtraHop" | - | 1 | - | - | 1 |
| DeviceProduct in "CASB Admin audit log,Cloud Service Monitoring,SaaS Security Gateway"; DeviceVendor == "Forcepoint CASB" | - | 1 | - | - | 1 |
| DeviceProduct in "Alert,Audit"; DeviceVendor in "FORCEPOINT,Forcepoint" | - | 1 | - | - | 1 |
| DeviceProduct contains "Fortigate"; DeviceVendor == "Fortinet" | - | 1 | - | - | 1 |
| DeviceEventClassID in "illusive:access,illusive:login,illusive:suspicious" | - | 1 | - | - | 1 |
| DeviceEventClassID == "illusive:violation" | - | 1 | - | - | 1 |
| DeviceEventClassID in "DHCP-LEASE-CREATE,DHCP-LEASE-DELETE,DHCP-LEASE-UPDATE"; DeviceEventClassID has "Audit"; DeviceEventClassID has "DHCP"; DeviceEventClassID has "DNS"; DeviceEventClassID has "RPZ"; DeviceEventClassID has "Service"; DeviceProduct == "Data Connector"; DeviceVendor == "Infoblox" | - | 1 | - | - | 1 |
| DeviceEventClassID in "DHCP-LEASE-CREATE,DHCP-LEASE-DELETE,DHCP-LEASE-UPDATE"; DeviceEventClassID has "DHCP"; DeviceEventClassID has "DNS"; DeviceEventClassID has "RPZ"; DeviceProduct == "Data Connector"; DeviceVendor == "Infoblox" | - | 1 | - | - | 1 |
| DeviceVendor == "Onapsis" | - | 1 | - | - | 1 |
| DeviceEventClassID in "correlation,vulnerability,wildfire"; DeviceEventClassID != "file"; DeviceEventClassID != "url"; DeviceProduct has "PAN-OS"; DeviceVendor == "Palo Alto Networks" | - | 1 | - | - | 1 |
| DeviceEventClassID in "end,file,url,wildfire"; DeviceProduct has "LF"; DeviceProduct has "PAN-OS"; DeviceVendor == "Palo Alto Networks" | - | 1 | - | - | 1 |
| DeviceProduct == "PingFederate"; DeviceProduct has "PingFederate" | - | 1 | - | - | 1 |
| DeviceEventClassID == "Semperis.DSP.AdChanges" | - | 1 | - | - | 1 |
| DeviceProduct has "Admin Console"; DeviceVendor has "Silverfort" | - | 1 | - | - | 1 |
| DeviceVendor has_any "CrowdStrike,Microsoft,Qualys,Tripwire" | - | 1 | - | - | 1 |
| DeviceEventClassID in "asc,audit,campaigns,health,hsc"; DeviceEventClassID !in "health,audit,campaigns,hsc,asc"; DeviceEventClassID !in "health,audit,campaigns,hsc,asc"; DeviceVendor == "Vectra Networks" | - | 1 | - | - | 1 |
| DeviceProduct == "NSSAuditlog"; DeviceVendor == "Zscaler" | - | 1 | - | - | 1 |
| DeviceProduct == "NSSCasbactivitylog"; DeviceVendor == "Zscaler" | - | 1 | - | - | 1 |
| DeviceProduct == "NSSCasbcloudstoragelog"; DeviceVendor == "Zscaler" | - | 1 | - | - | 1 |
| DeviceProduct == "NSSCasbcollablog"; DeviceVendor == "Zscaler" | - | 1 | - | - | 1 |
| DeviceProduct == "NSSCasbcrmlog"; DeviceVendor == "Zscaler" | - | 1 | - | - | 1 |
| DeviceProduct == "NSSCasbemaillog"; DeviceVendor == "Zscaler" | - | 1 | - | - | 1 |
| DeviceProduct == "NSSCasbfilesharinglog"; DeviceVendor == "Zscaler" | - | 1 | - | - | 1 |
| DeviceProduct == "NSSCasbitsmlog"; DeviceVendor == "Zscaler" | - | 1 | - | - | 1 |
| DeviceProduct == "NSSCasbrepolog"; DeviceVendor == "Zscaler" | - | 1 | - | - | 1 |
| DeviceProduct == "NSSDNSlog"; DeviceVendor == "Zscaler" | - | 1 | - | - | 1 |
| DeviceEventClassID == "DLP Incident"; DeviceProduct == "NSSEmaildlplog"; DeviceVendor == "Zscaler" | - | 1 | - | - | 1 |
| DeviceProduct == "NSSEndpointdlplog"; DeviceVendor == "Zscaler" | - | 1 | - | - | 1 |
| DeviceEventClassID !contains "Allow"; DeviceEventClassID contains "Allow"; DeviceProduct == "NSSFWlog" | - | 1 | - | - | 1 |
| DeviceEventClassID in "Tunnel Event,Tunnel Samples"; DeviceProduct == "NSSTunnellog"; DeviceVendor == "Zscaler" | - | 1 | - | - | 1 |
| DeviceEventClassID !contains "Allow"; DeviceEventClassID contains "Allow"; DeviceVendor == "Zscaler" | - | 1 | - | - | 1 |
| DeviceEventClassID in "Allow,Allowed"; DeviceEventClassID !contains "Allow"; DeviceEventClassID contains "Allow"; DeviceProduct == "NSSWeblog"; DeviceVendor == "Zscaler" | - | 1 | - | - | 1 |
| DeviceEventClassID == "Blocked"; DeviceEventClassID !contains "Allow"; DeviceEventClassID contains "Block"; DeviceProduct == "NSSWeblog"; DeviceVendor == "Zscaler" | - | 1 | - | - | 1 |
| DeviceEventClassID == "UserActivityAuditEvent"; DeviceProduct == "FalconHost"; DeviceVendor == "CrowdStrike" | - | - | 1 | - | 1 |
| DeviceEventClassID has "AUDIT"; DeviceVendor == "Infoblox" | - | - | 1 | - | 1 |
| DeviceEventClassID in "twoFactorAuthenticate,userAuthenticate"; DeviceProduct == "FalconHost"; DeviceVendor == "CrowdStrike" | - | - | 1 | - | 1 |
| DeviceEventClassID !in "0100022949,0100022952"; DeviceProduct has "Fortigate"; DeviceVendor == "Fortinet" | - | - | 1 | - | 1 |
| DeviceEventClassID == "AUTH"; DeviceProduct == "LF"; DeviceVendor == "Palo Alto Networks" | - | - | 1 | - | 1 |
| DeviceEventClassID == "GLOBALPROTECT"; DeviceProduct == "PAN-OS"; DeviceVendor == "Palo Alto Networks" | - | - | 1 | - | 1 |
| DeviceEventClassID startswith "auth"; DeviceProduct == "PAN-OS"; DeviceVendor == "Palo Alto Networks" | - | - | 1 | - | 1 |
| DeviceEventClassID has "DHCP"; DeviceVendor == "Infoblox" | - | - | 1 | - | 1 |
| DeviceEventClassID endswith "54000"; DeviceEventClassID endswith "54200"; DeviceEventClassID endswith "54400"; DeviceEventClassID endswith "54401"; DeviceEventClassID endswith "54600"; DeviceEventClassID endswith "54601"; DeviceEventClassID endswith "54800"; DeviceEventClassID endswith "54801"; DeviceEventClassID endswith "54802"; DeviceEventClassID endswith "54803"; DeviceEventClassID endswith "54804"; DeviceEventClassID endswith "54805"; DeviceProduct startswith "Fortigate"; DeviceVendor == "Fortinet" | - | - | 1 | - | 1 |
| DeviceEventClassID has "DNS"; DeviceVendor == "Infoblox" | - | - | 1 | - | 1 |
| DeviceProduct == "NSSDNSlog" | - | - | 1 | - | 1 |
| DeviceProduct == "VPN-1 & FireWall-1"; DeviceVendor == "CheckPoint" | - | - | 1 | - | 1 |
| DeviceProduct == "SmartDefense"; DeviceVendor == "Check Point" | - | - | 1 | - | 1 |
| DeviceEventClassID in "106001,106002,106006,106007,106010,106012,106013,106014,106015,106016,106017,106018,106020,106021,106022,106023,106100,302013,302014,302015,302016,302020,302021,710002,710003,710004,710005"; DeviceProduct == "ASA"; DeviceVendor == "Cisco" | - | - | 1 | - | 1 |
| DeviceEventClassID has "INTRUSION:400"; DeviceEventClassID has "PV:112"; DeviceEventClassID has "RNA:1003:1"; DeviceEventClassID has_any "INTRUSION:400,PV:112,RNA:1003:1"; DeviceProduct == "Firepower"; DeviceVendor == "Cisco" | - | - | 1 | - | 1 |
| DeviceEventClassID in "FirewallMatchEvent,Network Access In A Detection Summary Event"; DeviceEventClassID has "Network Access In A Detection Summary Event"; DeviceProduct == "FalconHost"; DeviceVendor == "CrowdStrike" | - | - | 1 | - | 1 |
| DeviceEventClassID in "70734,76508,76509"; DeviceEventClassID != "0"; DeviceEventClassID !in "70383,70393,70734,71009,71040"; DeviceProduct == "Firewall"; DeviceVendor == "FORCEPOINT" | - | - | 1 | - | 1 |
| DeviceProduct startswith "FortiGate"; DeviceVendor == "Fortinet" | - | - | 1 | - | 1 |
| DeviceProduct == "PAN-OS"; DeviceVendor == "Palo Alto Networks" | - | - | 1 | - | 1 |
| DeviceEventClassID == "TRAFFIC"; DeviceProduct == "LF"; DeviceVendor == "Palo Alto Networks" | - | - | 1 | - | 1 |
| DeviceProduct == "NSSFWlog"; DeviceVendor == "Zscaler" | - | - | 1 | - | 1 |
| DeviceEventClassID in "File:500:1,FileMalware:502:1,FireAMP:125:1"; DeviceEventClassID has "File:500:1"; DeviceEventClassID has "FileMalware:502:1"; DeviceProduct == "Firepower"; DeviceVendor == "Cisco" | - | - | 1 | - | 1 |
| DeviceEventClassID == "APPFW"; DeviceProduct == "NetScaler"; DeviceVendor == "Citrix" | - | - | 1 | - | 1 |
| DeviceProduct == "ASM"; DeviceVendor == "F5" | - | - | 1 | - | 1 |
| DeviceEventClassID == "url"; DeviceProduct == "PAN-OS"; DeviceVendor == "Palo Alto Networks" | - | - | 1 | - | 1 |
| DeviceEventClassID == "THREAT"; DeviceProduct == "LF"; DeviceVendor == "Palo Alto Networks" | - | - | 1 | - | 1 |
| DeviceVendor == "McAfee" | - | - | - | 1 | 1 |
| DeviceProduct == "StealthDEFEND"; DeviceVendor == "STEALTHbits Technologies" | - | - | - | 1 | 1 |
| DeviceEventClassID == "filterlog"; DeviceProduct == "pfsense" | - | - | - | 1 | 1 |
| DeviceEventClassID == "nginx"; DeviceProduct == "pfsense" | - | - | - | 1 | 1 |
| DeviceProduct == "Platform"; DeviceVendor == "Dragos" | - | - | - | 1 | 1 |
| DeviceVendor has "OSSEC" | - | - | - | 1 | 1 |
| DeviceVendor == "radiflow" | - | - | - | 1 | 1 |
| DeviceProduct == "UnityOne" | - | - | - | 1 | 1 |
| Total | 81 | 256 | 34 | 33 | 404 |
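
The selection criteria in the tables above are KQL string predicates, and the exact operator decides whether a record from an appliance reaches a parser or workbook: `==`, `!=`, `in` and `!in` compare case-sensitively, while `has`, `has_any`, `contains`, `!contains`, `startswith` and `endswith` do not. That is why the counts carry separate rows for `DeviceVendor == "ZScaler"` and `DeviceVendor == "Zscaler"`, and why `ASimNetworkSessionCheckPointFirewall` (`DeviceVendor == "CheckPoint"`) and `ASimNetworkSessionCheckPointSmartDefense` (`DeviceVendor == "Check Point"`) select disjoint records. The script below is an added example, not part of this reference and not code from the Microsoft Sentinel parsers: it re-implements those operator semantics in Python, splits criteria cells as they are rendered on this page (conditions run together or separated by "; ", and the lists for `in`, `!in` and `has_any` collapsed into one comma-separated string, whereas KQL itself takes a parenthesised list), and checks constructed sample records against a handful of criteria copied from the ASIM table. The `PARSERS` subset, the `SAMPLES` records and every helper name are assumptions made for this example; the term-boundary rule used for `has` is an approximation of Kusto's tokenizer.

```python
import re
from collections import defaultdict
from typing import Dict, List

# One condition as rendered in the tables: <column> <operator> "<value>".
# Lists for in / !in / has_any are rendered as a single comma-separated
# string (in KQL itself `in` takes a parenthesised list).
_COND_RE = re.compile(
    r'^(?P<col>\w+)\s+'
    r'(?P<op>!in|in|has_any|has|!contains|contains|startswith|endswith|==|!=)'
    r'\s+"(?P<val>[^"]*)"$'
)
# A cell either runs its conditions together (...== "Akamai"DeviceProduct ...)
# or separates them with "; "; split at either boundary.
_SPLIT_RE = re.compile(r'(?<=")\s*;?\s*(?=Device\w+\s)')


def split_criteria(cell: str) -> List[str]:
    """Split one selection-criteria cell into its individual conditions."""
    return [c.strip() for c in _SPLIT_RE.split(cell.strip()) if c.strip()]


def _has_term(haystack: str, needle: str) -> bool:
    """KQL `has`: the needle must match whole term(s), case-insensitively.
    Term boundaries are approximated here as non-alphanumeric characters."""
    pattern = r"(?<![A-Za-z0-9])" + re.escape(needle) + r"(?![A-Za-z0-9])"
    return re.search(pattern, haystack, re.IGNORECASE) is not None


def eval_condition(record: Dict[str, str], cond: str) -> bool:
    """==, !=, in, !in compare case-sensitively; has, has_any, contains,
    !contains, startswith and endswith are case-insensitive, as in KQL."""
    m = _COND_RE.match(cond.strip())
    if not m:
        raise ValueError(f"unrecognised condition: {cond!r}")
    col, op, val = m.group("col"), m.group("op"), m.group("val")
    lhs = record.get(col, "")
    values = val.split(",")
    if op == "==":
        return lhs == val
    if op == "!=":
        return lhs != val
    if op == "in":
        return lhs in values
    if op == "!in":
        return lhs not in values
    if op == "has":
        return _has_term(lhs, val)
    if op == "has_any":
        return any(_has_term(lhs, v) for v in values)
    if op == "contains":
        return val.lower() in lhs.lower()
    if op == "!contains":
        return val.lower() not in lhs.lower()
    if op == "startswith":
        return lhs.lower().startswith(val.lower())
    return lhs.lower().endswith(val.lower())  # op == "endswith"


def record_matches(record: Dict[str, str], cell: str) -> bool:
    """AND across columns (one `where` clause); OR between repeated
    conditions on the same column, which reproduces cells collected from
    several queries but over-approximates cells made only of exclusions."""
    by_column: Dict[str, List[str]] = defaultdict(list)
    for cond in split_criteria(cell):
        by_column[cond.split()[0]].append(cond)
    return all(any(eval_condition(record, c) for c in conds)
               for conds in by_column.values())


def matching_entries(record: Dict[str, str], table: Dict[str, str]) -> List[str]:
    """Names of the table entries whose criteria select the record."""
    return [name for name, cell in table.items() if record_matches(record, cell)]


# A subset of the ASIM parser criteria, copied from the table above.
PARSERS = {
    "ASimNetworkSessionCheckPointFirewall":
        'DeviceProduct == "VPN-1 & FireWall-1"DeviceVendor == "CheckPoint"',
    "ASimNetworkSessionCheckPointSmartDefense":
        'DeviceProduct == "SmartDefense"DeviceVendor == "Check Point"',
    "ASimNetworkSessionFortinetFortiGate":
        'DeviceProduct startswith "FortiGate"DeviceVendor == "Fortinet"',
    "ASimAuthenticationFortinetFortigate":
        'DeviceEventClassID !in "0100022949,0100022952"'
        'DeviceProduct has "Fortigate"DeviceVendor == "Fortinet"',
    "ASimWebSessionZscalerZIA":
        'DeviceProduct == "NSSWeblog"DeviceVendor == "Zscaler"',
}

# Constructed sample records: assumed values, not captured device output.
SAMPLES = {
    "checkpoint_vendor_with_space": {
        "DeviceVendor": "Check Point", "DeviceProduct": "VPN-1 & FireWall-1",
        "DeviceEventClassID": "Log"},
    "fortigate_mixed_case": {
        "DeviceVendor": "Fortinet", "DeviceProduct": "FortiGate",
        "DeviceEventClassID": "0100022950"},
    "zscaler_capital_s": {
        "DeviceVendor": "ZScaler", "DeviceProduct": "NSSWeblog",
        "DeviceEventClassID": "Allowed"},
}

if __name__ == "__main__":
    for name, record in SAMPLES.items():
        print(f"{name}: {matching_entries(record, PARSERS)}")
```

Run as a script it reports that the Check Point record with a space in the vendor string matches neither Check Point parser, that the FortiGate record is picked up by both Fortinet parsers (`startswith` and `has` ignore case), and that the `ZScaler` record is dropped by the Zscaler web parser because `==` does not. Conditions on different columns are combined as one `where` clause; repeated conditions on the same column are OR-ed, which is right for cells collected from several queries (the twelve `endswith` values of `ASimDnsFortinetFortiGate`, the `has`/`has_any` set for Cisco Firepower) but over-approximates cells whose repeats are all exclusions, such as the Vectra chain of `!=`; check those by hand. Running a real record through `record_matches` before escalating an "empty parser" problem is worthwhile, since a vendor or product string that differs by one character or a space from what the criteria expect is a common cause.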
| DeviceProduct | DeviceVendor | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|---|
LF |
Palo Alto Networks |
1 | 21 | 3 | 1 | 26 |
has PingFederate |
1 | 22 | - | 1 | 24 | |
Claroty |
2 | 21 | - | 1 | 24 | |
Apex Central |
Trend Micro |
1 | 21 | - | 1 | 23 |
Data Connector |
Infoblox |
6 | 10 | - | 3 | 19 |
Acronis |
- | 14 | - | - | 14 | |
Palo Alto Networks |
- | 13 | - | - | 13 | |
X Series |
Vectra Networks |
2 | 7 | - | - | 9 |
FalconHost |
CrowdStrike |
2 | 2 | 3 | 1 | 8 |
iSID |
radiflow |
- | 8 | - | - | 8 |
Contrast Security |
2 | 5 | - | - | 7 | |
has Admin Console |
has Silverfort |
1 | 5 | - | - | 6 |
PAN-OS |
Palo Alto Networks |
1 | - | 4 | - | 5 |
SonicWall |
2 | 1 | 2 | - | 5 | |
ASA |
Cisco |
2 | 1 | 2 | - | 5 |
NetScaler |
Citrix |
2 | 1 | 1 | 1 | 5 |
iboss |
2 | 2 | - | 1 | 5 | |
Awake Security |
Arista Networks |
1 | 4 | - | - | 5 |
Votiro cloud |
Votiro |
1 | 3 | - | 1 | 5 |
has Fortiweb |
Fortinet |
- | 4 | - | 1 | 5 |
Firepower |
Cisco |
2 | - | 2 | - | 4 |
has PAN-OS |
Palo Alto Networks |
2 | 2 | - | - | 4 |
AC |
vArmour |
2 | 2 | - | - | 4 |
startswith Fortigate |
Fortinet |
2 | - | 2 | - | 4 |
NSSWeblog |
Zscaler |
- | 3 | 1 | - | 4 |
ClearPass |
Aruba Networks |
2 | - | - | 1 | 3 |
ExtraHop |
2 | 1 | - | - | 3 | |
Email |
Forcepoint CSG |
2 | 1 | - | - | 3 |
Web |
Forcepoint CSG |
2 | 1 | - | - | 3 |
DLP |
Symantec |
2 | - | - | 1 | 3 |
Secret Server |
Delinea Software |
2 | 1 | - | - | 3 |
Secret Server |
Thycotic Software |
2 | 1 | - | - | 3 |
akamai_siem |
Akamai |
2 | - | - | 1 | 3 |
NGFW |
Forcepoint |
2 | 1 | - | - | 3 |
RidgeSecurity |
1 | 2 | - | - | 3 | |
Vault |
Cyber-Ark |
2 | 1 | - | - | 3 |
Acronis audit |
- | 3 | - | - | 3 | |
Fortinet |
- | 3 | - | - | 3 | |
startswith FireWall |
has_any Check Point |
- | 3 | - | - | 3 |
startswith FireWall |
has_any Fortinet |
- | 3 | - | - | 3 |
startswith FireWall |
has_any Palo Alto Networks |
- | 3 | - | - | 3 |
startswith FireWall |
has_any Zscaler |
- | 3 | - | - | 3 |
startswith FortiGate |
has_any Check Point |
- | 3 | - | - | 3 |
startswith FortiGate |
has_any Fortinet |
- | 3 | - | - | 3 |
| startswith FortiGate | has_any Palo Alto Networks | - | 3 | - | - | 3 |
| startswith FortiGate | has_any Zscaler | - | 3 | - | - | 3 |
| startswith NSSWeblog | has_any Check Point | - | 3 | - | - | 3 |
| startswith NSSWeblog | has_any Fortinet | - | 3 | - | - | 3 |
| startswith NSSWeblog | has_any Palo Alto Networks | - | 3 | - | - | 3 |
| startswith NSSWeblog | has_any Zscaler | - | 3 | - | - | 3 |
| startswith PAN | has_any Check Point | - | 3 | - | - | 3 |
| startswith PAN | has_any Fortinet | - | 3 | - | - | 3 |
| startswith PAN | has_any Palo Alto Networks | - | 3 | - | - | 3 |
| startswith PAN | has_any Zscaler | - | 3 | - | - | 3 |
| startswith URL | has_any Check Point | - | 3 | - | - | 3 |
| startswith URL | has_any Fortinet | - | 3 | - | - | 3 |
| startswith URL | has_any Palo Alto Networks | - | 3 | - | - | 3 |
| startswith URL | has_any Zscaler | - | 3 | - | - | 3 |
| startswith VPN | has_any Check Point | - | 3 | - | - | 3 |
| startswith VPN | has_any Fortinet | - | 3 | - | - | 3 |
| startswith VPN | has_any Palo Alto Networks | - | 3 | - | - | 3 |
| startswith VPN | has_any Zscaler | - | 3 | - | - | 3 |
| startswith Deep Security | has_any Trend Micro | - | 2 | - | 1 | 3 |
| startswith Deep Security | has_any TrendMicro | - | 2 | - | 1 | 3 |
| WAAS | startswith Barracuda | - | - | 3 | - | 3 |
| WAF | startswith Barracuda | - | - | 3 | - | 3 |
| Infoblox | - | - | 3 | - | 3 | |
| Darktrace | 2 | - | - | - | 2 | |
| F5 | 2 | - | - | - | 2 | |
| illusive | illusive | 2 | - | - | - | 2 |
| Cortex XDR | Palo Alto Networks | 1 | 1 | - | - | 2 |
| Forcepoint CASB | 2 | - | - | - | 2 | |
| SPS | OneIdentity | 1 | 1 | - | - | 2 |
| != Cisco | 2 | - | - | - | 2 | |
| != Check Point | 2 | - | - | - | 2 | |
| != Palo Alto Networks | 2 | - | - | - | 2 | |
| != Fortinet | 2 | - | - | - | 2 | |
| != F5 | 2 | - | - | - | 2 | |
| != Barracuda | 2 | - | - | - | 2 | |
| != ExtraHop | 2 | - | - | - | 2 | |
| != OneIdentity | 2 | - | - | - | 2 | |
| != Zscaler | 2 | - | - | - | 2 | |
| != ForgeRock Inc | 2 | - | - | - | 2 | |
| != Cyber-Ark | 2 | - | - | - | 2 | |
| != illusive | 2 | - | - | - | 2 | |
| != Vectra Networks | 2 | - | - | - | 2 | |
| != Citrix | 2 | - | - | - | 2 | |
| != Darktrace | 2 | - | - | - | 2 | |
| != Akamai | 2 | - | - | - | 2 | |
| != Aruba Networks | 2 | - | - | - | 2 | |
| != CrowdStrike | 2 | - | - | - | 2 | |
| != Symantec | 2 | - | - | - | 2 | |
| != Claroty | 2 | - | - | - | 2 | |
| != Contrast Security | 2 | - | - | - | 2 | |
| != Delinea Software | 2 | - | - | - | 2 | |
| != Thycotic Software | 2 | - | - | - | 2 | |
| != FireEye | 2 | - | - | - | 2 | |
| != Forcepoint CSG | 2 | - | - | - | 2 | |
| != Forcepoint | 2 | - | - | - | 2 | |
| != Forcepoint CASB | 2 | - | - | - | 2 | |
| != iboss | 2 | - | - | - | 2 | |
| != Illumio | 2 | - | - | - | 2 | |
| != Imperva Inc. | 2 | - | - | - | 2 | |
| != Infoblox | 2 | - | - | - | 2 | |
| != Morphisec | 2 | - | - | - | 2 | |
| != Netwrix | 2 | - | - | - | 2 | |
| != Nozomi | 2 | - | - | - | 2 | |
| != Onapsis | 2 | - | - | - | 2 | |
| != OSSEC | 2 | - | - | - | 2 | |
| != PingFederate | 2 | - | - | - | 2 | |
| != RidgeSecurity | 2 | - | - | - | 2 | |
| != SonicWall | 2 | - | - | - | 2 | |
| != Trend Micro | 2 | - | - | - | 2 | |
| != vArmour | 2 | - | - | - | 2 | |
| Illumio | 1 | - | - | 1 | 2 | |
| Netwrix | 1 | - | - | 1 | 2 | |
| FireEye | 1 | - | - | 1 | 2 | |
| WireX NFP | WireX | 2 | - | - | - | 2 |
| Barracuda | 1 | 1 | - | - | 2 | |
| has Nozomi | 1 | - | - | 1 | 2 | |
| IronDefense | - | 2 | - | - | 2 | |
| Zscaler | - | 2 | - | - | 2 | |
| Core Directory | - | 2 | - | - | 2 | |
| pfsense | - | - | - | 2 | 2 | |
| ForgeRock Inc | - | - | - | 2 | 2 | |
| OneIdentity | - | - | - | 2 | 2 | |
| ESA_CONSOLIDATED_LOG_EVENT | Cisco | 1 | - | - | - | 1 |
| Admin Console | Silverfort | 1 | - | - | - | 1 |
| Admin Console | has Silverfort | 1 | - | - | - | 1 |
| has Admin Console | Silverfort | 1 | - | - | - | 1 |
| Fortigate | Fortinet | 1 | - | - | - | 1 |
| FTD | Cisco | 1 | - | - | - | 1 |
| != Votiro | 1 | - | - | - | 1 | |
| Medigate | 1 | - | - | - | 1 | |
| OSP | Onapsis | 1 | - | - | - | 1 |
| OSSEC | 1 | - | - | - | 1 | |
| contains Fortiweb | contains Fortinet | 1 | - | - | - | 1 |
| iSID | 1 | - | - | - | 1 | |
| IDM | ForgeRock Inc | 1 | - | - | - | 1 |
| WAF Gateway | Imperva | 1 | - | - | - | 1 |
| WAF Gateway | Imperva Inc. | 1 | - | - | - | 1 |
| Fortiweb | Fortinet | 1 | - | - | - | 1 |
| WithSecure™ | 1 | - | - | - | 1 | |
| IronDefense | IronNet | 1 | - | - | - | 1 |
| IronDome | IronNet | 1 | - | - | - | 1 |
| illusive | - | 1 | - | - | 1 | |
| Trend Micro | - | 1 | - | - | 1 | |
| ZScaler | - | 1 | - | - | 1 | |
| Wazuh | - | 1 | - | - | 1 | |
| Cisco | - | 1 | - | - | 1 | |
| AI Analyst | Darktrace | - | 1 | - | - | 1 |
| Enterprise Immune System | Darktrace | - | 1 | - | - | 1 |
| Anti Malware | Check Point | - | 1 | - | - | 1 |
| Anti-Bot | Check Point | - | 1 | - | - | 1 |
| Anti-Virus | Check Point | - | 1 | - | - | 1 |
| Application Control | Check Point | - | 1 | - | - | 1 |
| DDoS Protector | Check Point | - | 1 | - | - | 1 |
| IPS | Check Point | - | 1 | - | - | 1 |
| Threat Emulation | Check Point | - | 1 | - | - | 1 |
| URL Filtering | Check Point | - | 1 | - | - | 1 |
| has PAN-OS | - | 1 | - | - | 1 | |
| CASB Admin audit log | Forcepoint CASB | - | 1 | - | - | 1 |
| Cloud Service Monitoring | Forcepoint CASB | - | 1 | - | - | 1 |
| SaaS Security Gateway | Forcepoint CASB | - | 1 | - | - | 1 |
| Alert | FORCEPOINT | - | 1 | - | - | 1 |
| Alert | Forcepoint | - | 1 | - | - | 1 |
| Audit | FORCEPOINT | - | 1 | - | - | 1 |
| Audit | Forcepoint | - | 1 | - | - | 1 |
| contains Fortigate | Fortinet | - | 1 | - | - | 1 |
| Onapsis | - | 1 | - | - | 1 | |
| has LF | Palo Alto Networks | - | 1 | - | - | 1 |
| PingFederate | - | 1 | - | - | 1 | |
| has_any CrowdStrike | - | 1 | - | - | 1 | |
| has_any Microsoft | - | 1 | - | - | 1 | |
| has_any Qualys | - | 1 | - | - | 1 | |
| has_any Tripwire | - | 1 | - | - | 1 | |
| Vectra Networks | - | 1 | - | - | 1 | |
| NSSAuditlog | Zscaler | - | 1 | - | - | 1 |
| NSSCasbactivitylog | Zscaler | - | 1 | - | - | 1 |
| NSSCasbcloudstoragelog | Zscaler | - | 1 | - | - | 1 |
| NSSCasbcollablog | Zscaler | - | 1 | - | - | 1 |
| NSSCasbcrmlog | Zscaler | - | 1 | - | - | 1 |
| NSSCasbemaillog | Zscaler | - | 1 | - | - | 1 |
| NSSCasbfilesharinglog | Zscaler | - | 1 | - | - | 1 |
| NSSCasbitsmlog | Zscaler | - | 1 | - | - | 1 |
| NSSCasbrepolog | Zscaler | - | 1 | - | - | 1 |
| NSSDNSlog | Zscaler | - | 1 | - | - | 1 |
| NSSEmaildlplog | Zscaler | - | 1 | - | - | 1 |
| NSSEndpointdlplog | Zscaler | - | 1 | - | - | 1 |
| NSSFWlog | - | 1 | - | - | 1 | |
| NSSTunnellog | Zscaler | - | 1 | - | - | 1 |
| has Fortigate | Fortinet | - | - | 1 | - | 1 |
| NSSDNSlog | - | - | 1 | - | 1 | |
| VPN-1 & FireWall-1 | CheckPoint | - | - | 1 | - | 1 |
| SmartDefense | Check Point | - | - | 1 | - | 1 |
| Firewall | FORCEPOINT | - | - | 1 | - | 1 |
| startswith FortiGate | Fortinet | - | - | 1 | - | 1 |
| NSSFWlog | Zscaler | - | - | 1 | - | 1 |
| ASM | F5 | - | - | 1 | - | 1 |
| McAfee | - | - | - | 1 | 1 | |
| StealthDEFEND | STEALTHbits Technologies | - | - | - | 1 | 1 |
| Platform | Dragos | - | - | - | 1 | 1 |
| has OSSEC | - | - | - | 1 | 1 | |
| radiflow | - | - | - | 1 | 1 | |
| UnityOne | - | - | - | 1 | 1 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| ESA_CONSOLIDATED_LOG_EVENT | - | 22 | - | 1 | 23 |
| has RPZ | 3 | 6 | - | - | 9 |
| != health | 2 | 6 | - | - | 8 |
| != audit | 2 | 6 | - | - | 8 |
| != campaigns | 2 | 6 | - | - | 8 |
| != hsc | 2 | 6 | - | - | 8 |
| != asc | 2 | 6 | - | - | 8 |
| url | - | 7 | 1 | - | 8 |
| BloxOne-InsightsNotification-Log | 3 | 2 | - | 2 | 7 |
| has DNS | 3 | 2 | 1 | - | 6 |
| NewIncident | 1 | 4 | - | - | 5 |
| DHCP-LEASE-CREATE | 3 | 2 | - | - | 5 |
| has DHCP | 2 | 2 | 1 | - | 5 |
| wildfire | - | 5 | - | - | 5 |
| hsc | 2 | 2 | - | - | 4 |
| !contains Allow | - | 4 | - | - | 4 |
| illusive:access | 2 | 1 | - | - | 3 |
| illusive:login | 2 | 1 | - | - | 3 |
| illusive:suspicious | 2 | 1 | - | - | 3 |
| has Audit | 2 | 1 | - | - | 3 |
| has Service | 2 | 1 | - | - | 3 |
| contains Allow | - | 3 | - | - | 3 |
| ExtraHop Detection | 2 | - | - | - | 2 |
| 4001 | 1 | 1 | - | - | 2 |
| MaliciousUrlDetected | - | 2 | - | - | 2 |
| ActiveProtectionBlocksSuspiciousActivity | - | 2 | - | - | 2 |
| MaliciousEmailDetectedPerceptionPointWarning | - | 2 | - | - | 2 |
| MaliciousURLDetectedInM365MailboxBackup | - | 2 | - | - | 2 |
| MalwareDetectedInM365MailboxBackup | - | 2 | - | - | 2 |
| 733100 | - | 2 | - | - | 2 |
| file | - | 2 | - | - | 2 |
| vulnerability | - | 2 | - | - | 2 |
| asc | - | 2 | - | - | 2 |
| 106100 | - | 1 | 1 | - | 2 |
| DHCP-LEASE-DELETE | - | 2 | - | - | 2 |
| DHCP-LEASE-UPDATE | - | 2 | - | - | 2 |
| 733101 | - | 1 | - | - | 1 |
| 733102 | - | 1 | - | - | 1 |
| 733103 | - | 1 | - | - | 1 |
| 733104 | - | 1 | - | - | 1 |
| 733105 | - | 1 | - | - | 1 |
| DNS Response | - | 1 | - | - | 1 |
| flood | - | 1 | - | - | 1 |
| packet | - | 1 | - | - | 1 |
| scan | - | 1 | - | - | 1 |
| spyware | - | 1 | - | - | 1 |
| virus | - | 1 | - | - | 1 |
| wildfire-virus | - | 1 | - | - | 1 |
| startswith 40 | - | 1 | - | - | 1 |
| contains campaign | - | 1 | - | - | 1 |
| globalprotect | - | 1 | - | - | 1 |
| AgentAutoUpdateStalled | - | 1 | - | - | 1 |
| MiniPlanAgentOffline | - | 1 | - | - | 1 |
| CloudConnectionAzureApplianceConfigurationFailed | - | 1 | - | - | 1 |
| CloudConnectionAzureApplianceDeallocationFailed | - | 1 | - | - | 1 |
| CloudConnectionAzureApplianceDeletionFailed | - | 1 | - | - | 1 |
| CloudConnectionAzureApplianceEOL | - | 1 | - | - | 1 |
| CloudConnectionAzureApplianceFailed | - | 1 | - | - | 1 |
| CloudConnectionAzureApplianceUpdateFailed | - | 1 | - | - | 1 |
| CloudConnectionAzureCloudAccessExpired | - | 1 | - | - | 1 |
| CloudConnectionS3CloudAccessExpired | - | 1 | - | - | 1 |
| ArchiveCorrupted | - | 1 | - | - | 1 |
| BackupFailed | - | 1 | - | - | 1 |
| BackupNotResponding | - | 1 | - | - | 1 |
| BackupRecoveryFailed | - | 1 | - | - | 1 |
| EDRIOCDetected | - | 1 | - | - | 1 |
| EDRIncidentDetected | - | 1 | - | - | 1 |
| MiMonitoringFailedLoginAttemptsOverThreshold | - | 1 | - | - | 1 |
| ActiveProtectionDriverRemediated | - | 1 | - | - | 1 |
| ActiveProtectionInvalidNetworkRecoveryPath | - | 1 | - | - | 1 |
| ActiveProtectionServiceConflict | - | 1 | - | - | 1 |
| ActiveProtectionServiceFailureToApplyPolicy | - | 1 | - | - | 1 |
| ActiveProtectionServiceNotAvailable | - | 1 | - | - | 1 |
| ActiveProtectionServiceNotRunning | - | 1 | - | - | 1 |
| CPSProtectionFailureDetected | - | 1 | - | - | 1 |
| ProtectionServiceNotWorking | - | 1 | - | - | 1 |
| ActiveProtectionDetectedAszPartitionAccessed | - | 1 | - | - | 1 |
| 111008 | - | 1 | - | - | 1 |
| 113012 | - | 1 | - | - | 1 |
| 113015 | - | 1 | - | - | 1 |
| 302010 | - | 1 | - | - | 1 |
| 315011 | - | 1 | - | - | 1 |
| 611102 | - | 1 | - | - | 1 |
| illusive:violation | - | 1 | - | - | 1 |
| correlation | - | 1 | - | - | 1 |
| != file | - | 1 | - | - | 1 |
| != url | - | 1 | - | - | 1 |
| end | - | 1 | - | - | 1 |
| Semperis.DSP.AdChanges | - | 1 | - | - | 1 |
| audit | - | 1 | - | - | 1 |
| campaigns | - | 1 | - | - | 1 |
| health | - | 1 | - | - | 1 |
| DLP Incident | - | 1 | - | - | 1 |
| Tunnel Event | - | 1 | - | - | 1 |
| Tunnel Samples | - | 1 | - | - | 1 |
| Allow | - | 1 | - | - | 1 |
| Allowed | - | 1 | - | - | 1 |
| Blocked | - | 1 | - | - | 1 |
| contains Block | - | 1 | - | - | 1 |
| UserActivityAuditEvent | - | - | 1 | - | 1 |
| has AUDIT | - | - | 1 | - | 1 |
| twoFactorAuthenticate | - | - | 1 | - | 1 |
| userAuthenticate | - | - | 1 | - | 1 |
| != 0100022949 | - | - | 1 | - | 1 |
| != 0100022952 | - | - | 1 | - | 1 |
| AUTH | - | - | 1 | - | 1 |
| GLOBALPROTECT | - | - | 1 | - | 1 |
| startswith auth | - | - | 1 | - | 1 |
| endswith 54000 | - | - | 1 | - | 1 |
| endswith 54200 | - | - | 1 | - | 1 |
| endswith 54400 | - | - | 1 | - | 1 |
| endswith 54401 | - | - | 1 | - | 1 |
| endswith 54600 | - | - | 1 | - | 1 |
| endswith 54601 | - | - | 1 | - | 1 |
| endswith 54800 | - | - | 1 | - | 1 |
| endswith 54801 | - | - | 1 | - | 1 |
| endswith 54802 | - | - | 1 | - | 1 |
| endswith 54803 | - | - | 1 | - | 1 |
| endswith 54804 | - | - | 1 | - | 1 |
| endswith 54805 | - | - | 1 | - | 1 |
| 106001 | - | - | 1 | - | 1 |
| 106002 | - | - | 1 | - | 1 |
| 106006 | - | - | 1 | - | 1 |
| 106007 | - | - | 1 | - | 1 |
| 106010 | - | - | 1 | - | 1 |
| 106012 | - | - | 1 | - | 1 |
| 106013 | - | - | 1 | - | 1 |
| 106014 | - | - | 1 | - | 1 |
| 106015 | - | - | 1 | - | 1 |
| 106016 | - | - | 1 | - | 1 |
| 106017 | - | - | 1 | - | 1 |
| 106018 | - | - | 1 | - | 1 |
| 106020 | - | - | 1 | - | 1 |
| 106021 | - | - | 1 | - | 1 |
| 106022 | - | - | 1 | - | 1 |
| 106023 | - | - | 1 | - | 1 |
| 302013 | - | - | 1 | - | 1 |
| 302014 | - | - | 1 | - | 1 |
| 302015 | - | - | 1 | - | 1 |
| 302016 | - | - | 1 | - | 1 |
| 302020 | - | - | 1 | - | 1 |
| 302021 | - | - | 1 | - | 1 |
| 710002 | - | - | 1 | - | 1 |
| 710003 | - | - | 1 | - | 1 |
| 710004 | - | - | 1 | - | 1 |
| 710005 | - | - | 1 | - | 1 |
| has INTRUSION:400 | - | - | 1 | - | 1 |
| has PV:112 | - | - | 1 | - | 1 |
| has RNA:1003:1 | - | - | 1 | - | 1 |
| has_any INTRUSION:400 | - | - | 1 | - | 1 |
| has_any PV:112 | - | - | 1 | - | 1 |
| has_any RNA:1003:1 | - | - | 1 | - | 1 |
| FirewallMatchEvent | - | - | 1 | - | 1 |
| Network Access In A Detection Summary Event | - | - | 1 | - | 1 |
| has Network Access In A Detection Summary Event | - | - | 1 | - | 1 |
| 70734 | - | - | 1 | - | 1 |
| 76508 | - | - | 1 | - | 1 |
| 76509 | - | - | 1 | - | 1 |
| != 0 | - | - | 1 | - | 1 |
| != 70383 | - | - | 1 | - | 1 |
| != 70393 | - | - | 1 | - | 1 |
| != 70734 | - | - | 1 | - | 1 |
| != 71009 | - | - | 1 | - | 1 |
| != 71040 | - | - | 1 | - | 1 |
| TRAFFIC | - | - | 1 | - | 1 |
| File:500:1 | - | - | 1 | - | 1 |
| FileMalware:502:1 | - | - | 1 | - | 1 |
| FireAMP:125:1 | - | - | 1 | - | 1 |
| has File:500:1 | - | - | 1 | - | 1 |
| has FileMalware:502:1 | - | - | 1 | - | 1 |
| APPFW | - | - | 1 | - | 1 |
| THREAT | - | - | 1 | - | 1 |
| filterlog | - | - | - | 1 | 1 |
| nginx | - | - | - | 1 | 1 |
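The tables above catalogue the literal values, and the operator they are tested with (`startswith`, `has_any`, `has`, `contains`, `endswith`, `!=`), that connectors, content items and parsers apply when scoping CommonSecurityLog. A practitioner's first question is usually whether their own ingested data actually matches those filters. The KQL below is an added example for that check; it is not part of this reference page nor of any shipped Microsoft parser. It assumes the vendor and product strings are values of the DeviceVendor and DeviceProduct columns and the event class values are DeviceEventClassID, and it reproduces only a handful of the catalogued filters:

```kusto
// Added example, not from the reference page or any shipped parser.
// Assumption: the catalogued strings are DeviceVendor / DeviceProduct /
// DeviceEventClassID values of CommonSecurityLog.
CommonSecurityLog
| where TimeGenerated > ago(7d)
// Reproduce a few of the catalogued scoping filters. has_any and startswith
// are case-insensitive term/prefix tests; == is case-sensitive, so a source
// that sends "ZScaler" would pass has_any ("Zscaler") but fail == "Zscaler".
| extend ParserScope = case(
    DeviceVendor has_any ("Palo Alto Networks") and DeviceProduct startswith "PAN",
        "PAN-OS",
    DeviceVendor has_any ("Fortinet") and DeviceProduct startswith "FortiGate",
        "FortiGate",
    DeviceVendor has_any ("Check Point", "CheckPoint"),
        "Check Point",
    DeviceVendor has_any ("Zscaler") and DeviceProduct startswith "NSSWeblog",
        "Zscaler NSS web",
    DeviceVendor has_any ("Trend Micro", "TrendMicro") and DeviceProduct startswith "Deep Security",
        "Deep Security",
    "unscoped")
// "unscoped" rows are ingested but matched by none of the filters above,
// typically because the vendor or product string is spelled differently
// from what the filter expects.
| summarize Events = count(),
            EventClassIDs = make_set(DeviceEventClassID, 20),
            LastSeen = max(TimeGenerated)
  by ParserScope, DeviceVendor, DeviceProduct
| order by ParserScope asc, Events desc
```

Run it after onboarding a CEF source and look at the `unscoped` bucket: those events will be silently dropped by any parser that uses the corresponding filter. The duplicate spellings in the catalogue (Zscaler and ZScaler, Check Point and CheckPoint, Trend Micro and TrendMicro, FORCEPOINT and Forcepoint) show why a case-sensitive `==` test is a poor choice for vendor scoping and why `has_any` lists with both spellings appear in the first table. The `EventClassIDs` set is the quick way to confirm the class values in the second table (THREAT, TRAFFIC, GLOBALPROTECT and the numeric IDs) are what your appliance really emits.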