Reference for Syslog table in Azure Monitor Logs.
| Attribute | Value |
|---|---|
| Category | Syslog/CEF |
| Basic Logs Eligible | ✗ No (source) |
| Supports Transformations | ✓ Yes (source) |
| Ingestion API Supported | ✓ Yes |
| Azure Monitor Tables Reference | View Documentation |
| Azure Monitor Logs Ingestion API | View Documentation |
Source: Azure Monitor documentation
| Column Name | Type | Description |
|---|---|---|
| _BilledSize | real | The record size in bytes |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false, ingestion isn't billed to your Azure account |
| _ResourceId | string | A unique identifier for the resource that the record is associated with |
| _SubscriptionId | string | A unique identifier for the subscription that the record is associated with |
| CollectorHostName | string | Name of the system on which the collector agent is installed. |
| Computer | string | Computer from which the event originated. |
| EventTime | datetime | Date and time that the event was generated. |
| Facility | string | The part of the system that generated the message. |
| HostIP | string | IP address of the system from which the message originated. Depending on network configuration/topology, this may have a blank or placeholder value, especially when the message originates from a remote device. |
| HostName | string | Name of the system from which the message originated. |
| ProcessID | int | ID of the process that generated the message. |
| ProcessName | string | Name of the process that generated the message. |
| SeverityLevel | string | Severity level of the event. |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| SyslogMessage | string | Text of the message. |
| TimeGenerated | datetime | Date and time the record was created. |
| Type | string | The name of the table |
This table is used by the following solutions:
This table is ingested by the following connectors:
In solution CTERA:
| Analytic Rule | Selection Criteria |
|---|---|
| Antivirus Detected an Infected File | SyslogMessage contains "found an infected file" |
| CTERA Mass Access Denied Detection Analytic | ProcessName == "gw-audit" |
| CTERA Mass Deletions Detection Analytic | ProcessName == "gw-audit" |
| CTERA Mass Permissions Changes Detection Analytic | ProcessName == "gw-audit" |
| Ransom Protect Detected a Ransomware Attack | SyslogMessage contains "Ransomware incident detected" |
| Ransom Protect User Blocked | SyslogMessage contains "Ransom Protect mechanism blocked" |
In solution Cisco ISE: ProcessName has_any "CISE,CSCO"
In solution Cisco SD-WAN:
| Analytic Rule | Selection Criteria |
|---|---|
| Cisco SDWAN - IPS Event Threshold | |
| Cisco SDWAN - Intrusion Events | |
| Cisco SDWAN - Maleware Events | |
| Cisco SDWAN - Monitor Critical IPs | |
In solution CiscoWSA: ProcessName == "cisco_wsa"
In solution Digital Guardian Data Loss Prevention: SyslogMessage contains "managed_device_id"; SyslogMessage contains "number_of_incidents"
In solution ESETPROTECT: ProcessName == "ERAServer"
| Analytic Rule |
|---|
| Threats detected by ESET |
| Website blocked by ESET |
In solution GitLab:
| Analytic Rule | Selection Criteria |
|---|---|
| GitLab - Abnormal number of repositories deleted | Facility == "local7"; ProcessName == "GitLab-Audit-Logs" |
| GitLab - Brute-force Attempts | Facility == "local7"; ProcessName == "GitLab-Application-Logs" |
| GitLab - External User Added to GitLab | Facility == "local7"; ProcessName == "GitLab-Audit-Logs" |
| GitLab - Local Auth - No MFA | Facility == "local7"; ProcessName == "GitLab-Audit-Logs" |
| GitLab - Personal Access Tokens creation over time | Facility == "local7"; ProcessName == "GitLab-Audit-Logs" |
| GitLab - Repository visibility to Public | Facility == "local7"; ProcessName == "GitLab-Audit-Logs" |
| GitLab - User Impersonation | Facility == "local7"; ProcessName == "GitLab-Audit-Logs" |
In solution IllumioSaaS: SyslogMessage has "illumio_pce/agent"
In solution Infoblox Cloud Data Connector:
| Analytic Rule | Selection Criteria |
|---|---|
| Infoblox - TI - Syslog Match Found - URL | |
In solution Infoblox NIOS:
| Analytic Rule | Selection Criteria |
|---|---|
| Excessive NXDOMAIN DNS Queries | SyslogMessage !has "response:"; SyslogMessage has_all "client" |
| Potential DHCP Starvation Attack | |
In solution McAfee ePolicy Orchestrator: ProcessName contains "EPOEvents"; SyslogMessage contains "<EPOevent>"; SyslogMessage contains "<UpdateEvents>"
In solution Nasuni:
| Analytic Rule | Selection Criteria |
|---|---|
| Ransomware Attack Detected | SyslogMessage has "The Filer has detected a new ransomware attack" |
| Ransomware Client Blocked | SyslogMessage has "The Filer has enforced the mitigation policy on volume" |
In solution OracleDatabaseAudit: SyslogMessage contains "Oracle Unified Audit"
In solution Pulse Connect Secure: Facility == "local7"
| Analytic Rule |
|---|
| PulseConnectSecure - Large Number of Distinct Failed User Logins |
| PulseConnectSecure - Potential Brute Force Attempts |
In solution Pure Storage:
| Analytic Rule | Selection Criteria |
|---|---|
| External Fabric Module XFM1 is unhealthy | SyslogMessage has "purity.alert" |
| Pure Controller Failed | SyslogMessage has "purity.alert" |
| Pure Failed Login | SyslogMessage has "invalid username or password"; SyslogMessage has "purity.alert" |
In solution Sophos XG Firewall: Facility == "local0"
| Analytic Rule |
|---|
| Excessive Amount of Denied Connections from a Single Source |
| Port Scan Detected |
In solution Symantec Endpoint Protection: ProcessName == "SymantecServer"
| Analytic Rule |
|---|
| Excessive Blocked Traffic Events Generated by User |
| Malware Detected |
In solution Symantec VIP: Facility == "local5"
| Analytic Rule |
|---|
| ClientDeniedAccess |
| Excessive Failed Authentication from Invalid Inputs |
In solution SymantecProxySG: Facility == "local0"
| Analytic Rule |
|---|
| Excessive Denied Proxy Traffic |
| User Accessed Suspicious URL Categories |
In solution Syslog:
| Analytic Rule | Selection Criteria |
|---|---|
| Failed logon attempts in authpriv | Facility == "authpriv"; SyslogMessage has "authentication failure"; SyslogMessage has "uid=0"; SyslogMessage has "user unknown" |
| NRT Squid proxy events related to mining pools | ProcessName contains "squid" |
| SFTP File transfer above threshold | ProcessName has "sftp"; SyslogMessage has "bytes read"; SyslogMessage has "close"; SyslogMessage has "session opened for" |
| SFTP File transfer folder count above threshold | ProcessName has "sftp"; SyslogMessage has "bytes read"; SyslogMessage has "close"; SyslogMessage has "session opened for" |
| SSH - Potential Brute Force | ProcessName == "sshd"; SyslogMessage contains "Failed password for invalid user" |
| Squid proxy events for ToR proxies | ProcessName contains "squid" |
| Squid proxy events related to mining pools | ProcessName contains "squid" |
In solution Threat Intelligence:
| Analytic Rule | Selection Criteria |
|---|---|
| TI Map URL Entity to Syslog Data | |
| TI map Domain entity to Syslog | |
In solution Threat Intelligence (NEW):
| Analytic Rule | Selection Criteria |
|---|---|
| TI Map URL Entity to Syslog Data | |
| TI map Domain entity to Syslog | |
In solution VMWareESXi: ProcessName has_any "hostd-probe,vmkwarning,vpxd-main"
In solution VMware SASE:
| Analytic Rule | Selection Criteria |
|---|---|
| VMware SD-WAN Edge - IDS/IPS Alert triggered (Syslog) | SyslogMessage contains "VCF Alert" |
| VMware SD-WAN Edge - Network Anomaly Detection - Potential Fragmentation Attack | SyslogMessage contains "VCF Drop"; SyslogMessage contains "packet too big" |
| VMware SD-WAN Edge - Network Anomaly Detection - RPF Check Failure | SyslogMessage contains "Reverse path forwarding check fail"; SyslogMessage contains "VCF Drop" |
In solution Veeam: SyslogMessage has "instanceId"
Standalone Content:
| Analytic Rule | Selection Criteria |
|---|---|
| Failed AzureAD logons but success logon to host | Facility contains "auth"; ProcessName != "sudo"; SyslogMessage has "Accepted" |
| Failed host logons but success logon to AzureAD | Facility contains "auth"; ProcessName != "sudo"; SyslogMessage has "from"; SyslogMessage has_any "Accepted,Disconnected,Disconnecting,[preauth],disconnect" |
| Multiple Password Reset by user | Facility in "auth,authpriv"; SyslogMessage matches regex ".*password changed for.*" |
| PulseConnectSecure - CVE-2021-22893 Possible Pulse Connect Secure RCE Vulnerability Attack | |
In solution Apache Log4j Vulnerability Detection:
| Hunting Query | Selection Criteria |
|---|---|
| Linux security related process termination activity detected | Facility == "user"; SyslogMessage has "AUOMS_EXECVE" |
| Possible Container Miner related artifacts detected | Facility == "user"; SyslogMessage has "AUOMS_EXECVE" |
| Possible Linux attack toolkit detected via Syslog data | Facility == "user"; SyslogMessage has "AUOMS_EXECVE" |
| Possible exploitation of Apache log4j component detected | SyslogMessage has "AUOMS_EXECVE"; SyslogMessage has "jndi"; SyslogMessage has_any "corba,dns,iiop,ldap,nds,nis,rmi" |
| Suspicious Base64 download activity detected | Facility == "user"; SyslogMessage has "AUOMS_EXECVE" |
| Suspicious Shell script detected | Facility == "user"; SyslogMessage has "AUOMS_EXECVE" |
| Suspicious manipulation of firewall detected via Syslog data | Facility == "user"; SyslogMessage has "AUOMS_EXECVE" |
In solution CTERA: ProcessName == "gw-audit"
| Hunting Query |
|---|
| CTERA Batch Access Denied Detection |
| CTERA Batch File Deletions Detection |
| CTERA Permission Change Detection |
In solution Cisco ISE: ProcessName has_any "CISE,CSCO"
In solution CiscoWSA: ProcessName == "cisco_wsa"
In solution Digital Guardian Data Loss Prevention: SyslogMessage contains "managed_device_id"; SyslogMessage contains "number_of_incidents"
In solution McAfee ePolicy Orchestrator: ProcessName contains "EPOEvents"; SyslogMessage contains "<EPOevent>"; SyslogMessage contains "<UpdateEvents>"
In solution Nasuni: SyslogMessage matches regex "(nasuni.)([0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{1})"
| Hunting Query |
|---|
| Nasuni File Delete Activity |
In solution OracleDatabaseAudit: SyslogMessage contains "Oracle Unified Audit"
In solution Syslog:
| Hunting Query | Selection Criteria |
|---|---|
| Crypto currency miners EXECVE | |
| Editing Linux scheduled tasks through Crontab | Facility == "cron"; ProcessName == "crontab" |
| Linux scheduled task Aggregation | Facility == "cron"; ProcessName in "CRON,CROND"; SyslogMessage contains "CMD" |
| Rare process running on a Linux host | |
| SCX Execute RunAs Providers | SyslogMessage has "AUOMS_EXECVE" |
| Squid commonly abused TLDs | ProcessName contains "squid" |
| Squid data volume timeseries anomalies | ProcessName contains "squid" |
| Squid malformed requests | ProcessName contains "squid" |
| Suspicious crytocurrency mining related threat activity detected | Facility == "user"; SyslogMessage has "AUOMS_EXECVE" |
In solution Threat Intelligence:
| Hunting Query | Selection Criteria |
|---|---|
| TI Map File Entity to Syslog Event | |
In solution Threat Intelligence (NEW):
| Hunting Query | Selection Criteria |
|---|---|
| TI Map File Entity to Syslog Event | |
In solution VMWareESXi: ProcessName has_any "hostd-probe,vmkwarning,vpxd-main"
Standalone Content:
| Hunting Query | Selection Criteria |
|---|---|
| Disabled accounts using Squid proxy | ProcessName contains "squid" |
| Tracking Password Changes | |
In solution Apache Log4j Vulnerability Detection: Facility == "user"; SyslogMessage has "AUOMS_EXECVE"; SyslogMessage has "jndi"; SyslogMessage has_any "corba,dns,iiop,ldap,nds,nis,rmi"
| Workbook |
|---|
| Log4jPostCompromiseHunting |
In solution Barracuda CloudGen Firewall: ProcessName == "box_Firewall_Activity"
| Workbook |
|---|
| Barracuda |
In solution CTERA: ProcessName == "gw-audit"; SyslogMessage contains "ctera_audit"; SyslogMessage contains "op=delete"
| Workbook |
|---|
| CTERA_Workbook |
In solution Cisco ISE: ProcessName has_any "CISE,CSCO"
| Workbook |
|---|
| CiscoISE |
In solution Cisco SD-WAN:
| Workbook | Selection Criteria |
|---|---|
| CiscoSDWAN | |
In solution CiscoMeraki:
| Workbook | Selection Criteria |
|---|---|
| CiscoMerakiWorkbook | |
In solution CiscoWSA: ProcessName == "cisco_wsa"
| Workbook |
|---|
| CiscoWSA |
In solution ContinuousDiagnostics&Mitigation:
| Workbook | Selection Criteria |
|---|---|
| ContinuousDiagnostics&Mitigation | |
In solution DPDP Compliance:
| Workbook | Selection Criteria |
|---|---|
| DPDPCompliance | |
In solution Digital Guardian Data Loss Prevention: SyslogMessage contains "managed_device_id"; SyslogMessage contains "number_of_incidents"
| Workbook |
|---|
| DigitalGuardian |
In solution ESETPROTECT: ProcessName == "ERAServer"
| Workbook |
|---|
| ESETPROTECT |
In solution GDPR Compliance & Data Security:
| Workbook | Selection Criteria |
|---|---|
| GDPRComplianceAndDataSecurity | |
In solution HIPAA Compliance:
| Workbook | Selection Criteria |
|---|---|
| HIPAACompliance | |
In solution IllumioSaaS:
| Workbook | Selection Criteria |
|---|---|
| IllumioAuditableEvents | SyslogMessage has "illumio_pce/agent" |
| IllumioFlowData | SyslogMessage has "illumio_pce/agent" |
| IllumioOnPremHealth | SyslogMessage has "disk=Policy"; SyslogMessage has "disk=Traffic"; SyslogMessage has "illumio_pce/system_health"; SyslogMessage has "src=collector"; SyslogMessage has "src=disk_latency"; SyslogMessage has "src=flow_analytics" |
In solution Infoblox NIOS: SyslogMessage has "DHCPOFFER"
| Workbook |
|---|
| Infoblox-Workbook-V2 |
In solution MaturityModelForEventLogManagementM2131: SyslogMessage contains "runas"; SyslogMessage contains "sudo"; ProcessName has_any "hostd-probe,vmkwarning,vpxd-main"
| Workbook |
|---|
| MaturityModelForEventLogManagement_M2131 |
In solution McAfee ePolicy Orchestrator: ProcessName contains "EPOEvents"; SyslogMessage contains "<EPOevent>"; SyslogMessage contains "<UpdateEvents>"
| Workbook |
|---|
| McAfeeePOOverview |
In solution MicrosoftPurviewInsiderRiskManagement: Facility in "auth,authpriv"
| Workbook |
|---|
| InsiderRiskManagement |
In solution NISTSP80053:
| Workbook | Selection Criteria |
|---|---|
| NISTSP80053 | |
In solution OracleDatabaseAudit: SyslogMessage contains "Oracle Unified Audit"
| Workbook |
|---|
| OracleDatabaseAudit |
In solution PCI DSS Compliance: SyslogMessage contains "Oracle Unified Audit"
| Workbook |
|---|
| PCIDSSCompliance |
In solution Pulse Connect Secure: Facility == "local7"
| Workbook |
|---|
| PulseConnectSecure |
In solution SOC Handbook:
| Workbook | Selection Criteria |
|---|---|
| InvestigationInsights | |
| SecurityStatus | |
In solution SOX IT Compliance: SyslogMessage has_any "ALTER TABLE,CREATE TABLE,DROP TABLE,database modified,schema change"; SyslogMessage has_any "auditd stopped,logging stopped,rsyslog stopped,syslog stopped"; SyslogMessage has_any "change,config,edit,modified,updated"; SyslogMessage has_any "change,config,modified,registry,updated"; SyslogMessage has_any "checksum mismatch,file deleted,file modified,file tamper"
| Workbook |
|---|
| SOXITCompliance |
In solution Sophos XG Firewall: Facility == "local0"
| Workbook |
|---|
| SophosXGFirewall |
In solution Symantec Endpoint Protection: ProcessName == "SymantecServer"
| Workbook |
|---|
| SymantecEndpointProtection |
In solution Symantec VIP: Facility == "local5"
| Workbook |
|---|
| SymantecVIP |
In solution SymantecProxySG: Facility == "local0"
| Workbook |
|---|
| SymantecProxySG |
In solution Syslog:
| Workbook | Selection Criteria |
|---|---|
| LinuxMachines | |
In solution VMWareESXi: ProcessName has_any "hostd-probe,vmkwarning,vpxd-main"
| Workbook |
|---|
| VMWareESXi |
In solution VMware SASE: SyslogMessage contains "ACTION=VCF"; SyslogMessage contains "VCF Alert"
| Workbook |
|---|
| VMwareSASESOCDashboard |
In solution Veeam:
| Workbook | Selection Criteria |
|---|---|
| VeeamDataPlatformMonitoring | SyslogMessage has "instanceId" |
| VeeamSecurityActivities | SyslogMessage has "instanceId"; SyslogMessage has "predefined_alarm_id"; SyslogMessage has "instanceId" |
In solution ZeroTrust(TIC3.0):
| Workbook | Selection Criteria |
|---|---|
| ZeroTrustTIC3 | |
GitHub Only:
| Workbook | Selection Criteria |
|---|---|
| Barracuda | |
| DCR-Toolkit | |
| DataCollectionHealthMonitoring | |
| Data_Latency_Workbook | |
| DoDZeroTrustWorkbook | |
| InfobloxNIOS | |
| InvestigationInsights | |
| LinuxMachines | |
| Log4jPostCompromiseHunting | Facility == "user"; SyslogMessage has "AUOMS_EXECVE"; SyslogMessage has "jndi"; SyslogMessage has_any "corba,dns,iiop,ldap,nds,nis,rmi" |
| MicrosoftSentinelDeploymentandMigrationTracker | |
| PulseConnectSecure | |
| SecurityStatus | |
| SentinelWorkspaceReconTools | |
| SophosXGFirewall | |
| SymantecProxySG | |
| SymantecVIP | |
| Syslog-Bifurcation | |
| VeeamDataPlatformMonitoring | |
| VeeamSecurityActivites | SyslogMessage has "instanceId"; SyslogMessage has "predefined_alarm_id" |
| VeeamSecurityActivities | SyslogMessage has "instanceId"; SyslogMessage has "predefined_alarm_id" |
| WatchGuardFireboxWorkbook | |
| WorkspaceUsage | |
| ZeroTrustStrategyWorkbook | |
| syslogoverview | |
| Parser | Schema | Product | Selection Criteria |
|---|---|---|---|
| ASimAuditEventCiscoISE | AuditEvent | Cisco ISE | ProcessName has_any "CISE,CSCO" |
| ASimAuditEventCiscoMerakiSyslog | AuditEvent | Cisco Meraki | |
| ASimAuthenticationCiscoIOS | Authentication | Cisco IOS | SyslogMessage has "%SEC_LOGIN-4-LOGIN_FAILED"; SyslogMessage has "%SEC_LOGIN-5-LOGIN_SUCCESS"; SyslogMessage has "%SYS-6-LOGOUT" |
| ASimAuthenticationCiscoISE | Authentication | Cisco ISE | ProcessName has_any "CISE,CSCO" |
| ASimAuthenticationCiscoISEAdministrator | Authentication | Cisco ISE Administrator | ProcessName has "CISE_Administrative_and_Operational_Audit"; SyslogMessage has "Administrator-Login" |
| ASimAuthenticationCiscoMerakiSyslog | Authentication | Cisco Meraki | |
| ASimAuthenticationSshd | Authentication | OpenSSH | ProcessName == "sshd"; SyslogMessage has "Failed"; SyslogMessage has "but this does not map back to the address"; SyslogMessage has "key RSA"; SyslogMessage has "publickey"; SyslogMessage startswith "Accepted"; SyslogMessage startswith "Failed"; SyslogMessage startswith "Invalid user"; SyslogMessage startswith "Nasty PTR record"; SyslogMessage startswith "Timeout"; SyslogMessage startswith "message repeated"; SyslogMessage startswith "reverse mapping checking getaddrinfo for" |
| ASimAuthenticationSu | Authentication | su | ProcessName == "su"; SyslogMessage has_all "pam_unix(su"; SyslogMessage startswith "FAILED SU"; SyslogMessage startswith "Successful su for" |
| ASimAuthenticationSudo | Authentication | sudo | ProcessName == "sudo"; SyslogMessage has "COMMAND="; SyslogMessage has "TTY="; SyslogMessage has "USER="; SyslogMessage has "incorrect password attempts"; SyslogMessage has "session closed for user"; SyslogMessage has "user NOT in sudoers" |
| ASimDnsInfobloxNIOS | Dns | Infoblox NIOS | ProcessName == "named"; SyslogMessage !has "response:"; SyslogMessage has_all "client" |
| ASimFileEventLinuxSysmonFileCreated | FileEvent | Microsoft Sysmon for Linux | SyslogMessage has_all "<Provider Name=" |
| ASimFileEventLinuxSysmonFileDeleted | FileEvent | Microsoft Sysmon for Linux | SyslogMessage has "<Provider Name="; SyslogMessage has_any "<EventID>23</EventID>,<EventID>26</EventID>" |
| ASimNetworkSessionAppGateSDP | NetworkSession | AppGate SDP | ProcessName in "cz-sessiond,cz-vpnd"; SyslogMessage has_all "[AUDIT]"; SyslogMessage has_any ":" |
| ASimNetworkSessionCiscoISE | NetworkSession | Cisco ISE | ProcessName has_any "CISE,CSCO" |
| ASimNetworkSessionCiscoMerakiSyslog | NetworkSession | Cisco Meraki | |
| ASimNetworkSessionLinuxSysmon | NetworkSession | Sysmon for Linux | SyslogMessage has_all "<Provider Name=" |
| ASimNetworkSessionWatchGuardFirewareOS | NetworkSession | WatchGuard Fireware OS | SyslogMessage !has "3000-0151"; SyslogMessage !has "icmp"; SyslogMessage !has "igmp"; SyslogMessage !has "msg="; SyslogMessage has "3000-0151"; SyslogMessage has "icmp"; SyslogMessage has "igmp"; SyslogMessage has_any "msg_id=" |
| ASimProcessCreateLinuxSysmon | ProcessEvent | Sysmon for Linux | SyslogMessage has_all "<Provider Name=" |
| ASimProcessTerminateLinuxSysmon | ProcessEvent | Sysmon for Linux | SyslogMessage has_all "<Provider Name=" |
| ASimUserManagementCiscoISE | UserManagement | Cisco ISE | ProcessName has_any "CISE,CSCO" |
| ASimUserManagementLinuxAuthpriv | UserManagement | Microsoft | Facility == "authpriv"; ProcessName in "gpasswd,groupadd,groupdel,groupmod,useradd,userdel,usermod" |
| Parser | Solution | Selection Criteria |
|---|---|---|
| CGFWFirewallActivity | Barracuda CloudGen Firewall | ProcessName == "box_Firewall_Activity" |
| CGFWFirewallActivity | Barracuda CloudGen Firewall ⚠️ | ProcessName == "box_Firewall_Activity" |
| CiscoACIEvent | Cisco ACI | SyslogMessage contains "SYSTEM_MSG"; SyslogMessage contains "%LOG_LOCAL" |
| CiscoISEEvent | Cisco ISE | ProcessName has_any "CISE,CSCO" |
| CiscoMeraki | CiscoMeraki | |
| CiscoSyslogFW6LogSummary | Cisco SD-WAN ⚠️ | SyslogMessage has "%FW-6-LOG_SUMMARY:" |
| CiscoSyslogUTD | Cisco SD-WAN ⚠️ | |
| CiscoUCS | Cisco UCS | |
| CiscoWSAEvent | CiscoWSA | ProcessName == "cisco_wsa" |
| CitrixADCEvent | Citrix ADC | |
| CylancePROTECT | Blackberry CylancePROTECT | SyslogMessage contains "AuditLog"; SyslogMessage contains "Device,"; SyslogMessage contains "DeviceControl"; SyslogMessage contains "ScriptControl"; SyslogMessage contains "Threat" |
| CylancePROTECT | Blackberry CylancePROTECT ⚠️ | SyslogMessage contains "AuditLog"; SyslogMessage contains "Device,"; SyslogMessage contains "DeviceControl"; SyslogMessage contains "ScriptControl"; SyslogMessage contains "Threat" |
| CylancePROTECT-old | Blackberry CylancePROTECT ⚠️ | |
| CylancePROTECT-old | Blackberry CylancePROTECT ⚠️ | |
| DigitalGuardianDLPEvent | Digital Guardian Data Loss Prevention | SyslogMessage contains "managed_device_id"; SyslogMessage contains "number_of_incidents" |
| ESETPROTECT | ESETPROTECT | ProcessName == "ERAServer" |
| ESETPROTECT | ESETPROTECT ⚠️ | ProcessName == "ERAServer" |
| ExabeamEvent | Exabeam Advanced Analytics | ProcessName contains "Exabeam" |
| ExabeamEvent | Exabeam Advanced Analytics ⚠️ | ProcessName contains "Exabeam" |
| ForescoutEvent | Forescout (Legacy) | |
| GitLabAccess | GitLab | Facility == "local7"; ProcessName == "GitLab-Access-Logs"; SyslogMessage contains "HTTP"; SyslogMessage has_any "DELETE,GET,PATCH,POST,PUT" |
| GitLabApp | GitLab | Facility == "local7"; ProcessName == "GitLab-Application-Logs" |
| GitLabAudit | GitLab | Facility == "local7"; ProcessName == "GitLab-Audit-Logs" |
| ISCBind | ISC Bind | SyslogMessage !has "response:"; SyslogMessage has_all "client" |
| IllumioSyslogAuditEvents | IllumioSaaS | SyslogMessage has "illumio_pce/agent" |
| IllumioSyslogNetworkTrafficEvents | IllumioSaaS | SyslogMessage has "illumio_pce/collector" |
| InfobloxNIOS | (Legacy) | Facility == "local6"; ProcessName in "dhcpd,named"; ProcessName !in "dhcp,named" |
| Infoblox_allotherdhcpdTypes | Infoblox NIOS | SyslogMessage has_any "AccessRight,Added,AdminGroup,AdminMember,Created Role,DHCPACK,DHCPDISCOVER,DHCPEXPIRE,DHCPINFORM,DHCPOFFER,DHCPRELEASE,Login_Allowed,Login_Denied,Option,Removed,balanced,balancing,bind,delegatedzone,failover,forwardzone,r-l-e" |
| Infoblox_allotherdnsTypes | Infoblox NIOS | SyslogMessage has_any "client,gss_accept_sec_context" |
| Infoblox_allotherlogTypes | Infoblox NIOS | |
| Infoblox_dhcpack | Infoblox NIOS | SyslogMessage startswith "DHCPACK" |
| Infoblox_dhcpadded | Infoblox NIOS | SyslogMessage has "Added" |
| Infoblox_dhcpbindupdate | Infoblox NIOS | SyslogMessage has "bind" |
| Infoblox_dhcpdiscover | Infoblox NIOS | SyslogMessage startswith "DHCPDISCOVER" |
| Infoblox_dhcpexpire | Infoblox NIOS | SyslogMessage has "DHCPEXPIRE" |
| Infoblox_dhcpinform | Infoblox NIOS | SyslogMessage has "DHCPINFORM" |
| Infoblox_dhcpoffer | Infoblox NIOS | SyslogMessage has "DHCPOFFER" |
| Infoblox_dhcpoption | Infoblox NIOS | SyslogMessage has "Option" |
| Infoblox_dhcpother | Infoblox NIOS | SyslogMessage has_any "AccessRight,AdminGroup,AdminMember,Created Role,Login_Allowed,Login_Denied,balanced,balancing,delegatedzone,failover,forwardzone" |
| Infoblox_dhcprelease | Infoblox NIOS | SyslogMessage has "DHCPRELEASE" |
| Infoblox_dhcpremoved | Infoblox NIOS | SyslogMessage has "Removed" |
| Infoblox_dhcprequest | Infoblox NIOS | SyslogMessage has "DHCPREQUEST" |
| Infoblox_dhcpsession | Infoblox NIOS | SyslogMessage has "r-l-e" |
| Infoblox_dnsclient | Infoblox NIOS | SyslogMessage !has "response:"; SyslogMessage has_all "client" |
| Infoblox_dnsgss | Infoblox NIOS | SyslogMessage has "gss_accept_sec_context" |
| Infoblox_dnszone | Infoblox NIOS | SyslogMessage has "zone" |
| IvantiUEMEvent | Ivanti Unified Endpoint Management | SyslogMessage has_all "Alert" |
| JuniperSRX | Juniper SRX | ProcessName == "RT_FLOW"; ProcessName in "RT_IDS,sshd"; ProcessName !in "sshd,RT_IDS,RT_FLOW" |
| JuniperSRX | Juniper SRX ⚠️ | |
| McAfeeEPOEvent | McAfee ePolicy Orchestrator | ProcessName contains "EPOEvents"; SyslogMessage contains "<EPOevent>"; SyslogMessage contains "<UpdateEvents>" |
| McAfeeNSPEvent | McAfee Network Security Platform | ProcessName == "SyslogAlertForwarderNSP" |
| OpenVpnEvent | OpenVPN | ProcessName == "openvpn" |
| OracleDatabaseAuditEvent | OracleDatabaseAudit | SyslogMessage contains "Oracle Unified Audit" |
| OracleDatabaseAuditEvent | OracleDatabaseAudit ⚠️ | SyslogMessage contains "Oracle Unified Audit" |
| PulseConnectSecure | Pulse Connect Secure | Facility == "local7" |
| PureStorageFlashArrayParserV1 | Pure Storage | SyslogMessage has "purity.alert" |
| PureStorageFlashBladeParserV1 | Pure Storage | SyslogMessage has "purity.alert" |
| RSASecurIDAMEvent | RSA SecurID | |
| SophosXGFirewall | Sophos XG Firewall | Facility == "local0" |
| StealthwatchEvent | Cisco Secure Cloud Analytics | SyslogMessage has "Stealthwatch" |
| SymantecEndpointProtection | Symantec Endpoint Protection | ProcessName == "SymantecServer" |
| SymantecProxySG | (Legacy) | Facility == "local0" |
| SymantecProxySG | SymantecProxySG | Facility == "local0" |
| SymantecVIP | Symantec VIP | Facility == "local5" |
| SyslogEventTypeData | (Legacy) | |
| SyslogExecve | (Legacy) | |
| SyslogSyscall | (Legacy) | |
| SyslogUserErr | (Legacy) | |
| VMwareESXi | VMWareESXi | ProcessName has_any "hostd-probe,vmkwarning,vpxd-main" |
| Veeam_GetFinishedConfigurationBackupSessions | Veeam | SyslogMessage has "instanceId" |
| Veeam_GetJobFinished | Veeam | SyslogMessage has "instanceId" |
| Veeam_GetSecurityEvents | Veeam | SyslogMessage has "instanceId" |
| Veeam_GetVeeamONEAlarms | Veeam | SyslogMessage has "predefined_alarm_id" |
| WatchGuardFirebox | Watchguard Firebox ⚠️ | |
| WatchGuardFirebox | Watchguard Firebox | |
⚠️ Parsers marked with ⚠️ are not listed in their Solution JSON file.
This table collects data from the following Azure resource types:
- microsoft.operationalinsights/workspaces
- microsoft.containerservice/managedclusters
- microsoft.kubernetes/connectedclusters
- microsoft.compute/virtualmachines
- microsoft.connectedvmwarevsphere/virtualmachines
- microsoft.azurestackhci/virtualmachines
- microsoft.scvmm/virtualmachines
- microsoft.compute/virtualmachinescalesets
- microsoft.hybridcontainerservice/provisionedclusters

References by type: 5 connectors, 335 content items, 18 ASIM parsers, 59 other parsers.
| Selection Criteria | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| SyslogMessage has "instanceId" | - | 112 | - | 3 | 115 |
| ProcessName has_any "CISE,CSCO" | - | 21 | 4 | 1 | 26 |
| ProcessName contains "EPOEvents"; SyslogMessage contains "<EPOevent>"; SyslogMessage contains "<UpdateEvents>" | - | 25 | - | 1 | 26 |
| ProcessName has_any "hostd-probe,vmkwarning,vpxd-main" | - | 25 | - | 1 | 26 |
| SyslogMessage contains "Oracle Unified Audit" | - | 22 | - | 2 | 24 |
| ProcessName == "cisco_wsa" | - | 22 | - | 1 | 23 |
| SyslogMessage contains "managed_device_id"; SyslogMessage contains "number_of_incidents" | - | 21 | - | 1 | 22 |
| SyslogMessage has "illumio_pce/agent" | - | 8 | - | 1 | 9 |
| Facility == "local0" | - | 6 | - | 3 | 9 |
| Facility == "local7"; ProcessName == "GitLab-Audit-Logs" | - | 6 | - | 1 | 7 |
| ProcessName contains "squid" | - | 7 | - | - | 7 |
| Facility == "user"; SyslogMessage has "AUOMS_EXECVE" | - | 7 | - | - | 7 |
| ProcessName == "gw-audit" | - | 6 | - | - | 6 |
| ProcessName == "ERAServer" | - | 3 | - | 2 | 5 |
| Facility == "local7" | - | 3 | - | 1 | 4 |
| SyslogMessage has "purity.alert" | - | 2 | - | 2 | 4 |
| ProcessName == "SymantecServer" | - | 3 | - | 1 | 4 |
| Facility == "local5" | - | 3 | - | 1 | 4 |
| SyslogMessage has_all "<Provider Name=" | - | - | 4 | - | 4 |
| Facility != "cron" | 3 | - | - | - | 3 |
| SyslogMessage !has "response:"; SyslogMessage has_all "client" | - | 1 | - | 2 | 3 |
| ProcessName == "box_Firewall_Activity" | - | 1 | - | 2 | 3 |
| Facility == "local7"; ProcessName == "GitLab-Application-Logs" | - | 1 | - | 1 | 2 |
| ProcessName has "sftp"; SyslogMessage has "bytes read"; SyslogMessage has "close"; SyslogMessage has "session opened for" | - | 2 | - | - | 2 |
| SyslogMessage has "DHCPOFFER" | - | 1 | - | 1 | 2 |
| SyslogMessage contains "AuditLog"; SyslogMessage contains "Device,"; SyslogMessage contains "DeviceControl"; SyslogMessage contains "ScriptControl"; SyslogMessage contains "Threat" | - | - | - | 2 | 2 |
| ProcessName contains "Exabeam" | - | - | - | 2 | 2 |
| ProcessName == "sysmon" | 1 | - | - | - | 1 |
| ProcessName == "gw-audit"; SyslogMessage contains "gw-audit[-]:"; SyslogMessage contains "portal portal[-]:" | 1 | - | - | - | 1 |
| SyslogMessage contains "found an infected file" | - | 1 | - | - | 1 |
| SyslogMessage contains "Ransomware incident detected" | - | 1 | - | - | 1 |
| SyslogMessage contains "Ransom Protect mechanism blocked" | - | 1 | - | - | 1 |
| SyslogMessage has "The Filer has detected a new ransomware attack" | - | 1 | - | - | 1 |
| SyslogMessage has "The Filer has enforced the mitigation policy on volume" | - | 1 | - | - | 1 |
| SyslogMessage has "invalid username or password"; SyslogMessage has "purity.alert" | - | 1 | - | - | 1 |
| Facility == "authpriv"; SyslogMessage has "authentication failure"; SyslogMessage has "uid=0"; SyslogMessage has "user unknown" | - | 1 | - | - | 1 |
| ProcessName == "sshd"; SyslogMessage contains "Failed password for invalid user" | - | 1 | - | - | 1 |
| SyslogMessage contains "VCF Alert" | - | 1 | - | - | 1 |
| SyslogMessage contains "VCF Drop"; SyslogMessage contains "packet too big" | - | 1 | - | - | 1 |
| SyslogMessage contains "Reverse path forwarding check fail"; SyslogMessage contains "VCF Drop" | - | 1 | - | - | 1 |
| Facility contains "auth"; ProcessName != "sudo"; SyslogMessage has "Accepted" | - | 1 | - | - | 1 |
| Facility contains "auth"; ProcessName != "sudo"; SyslogMessage has "from"; SyslogMessage has_any "Accepted,Disconnected,Disconnecting,[preauth],disconnect" | - | 1 | - | - | 1 |
| Facility in "auth,authpriv"; SyslogMessage matches regex ".*password changed for.*" | - | 1 | - | - | 1 |
| SyslogMessage has "AUOMS_EXECVE"; SyslogMessage has "jndi"; SyslogMessage has_any "corba,dns,iiop,ldap,nds,nis,rmi" | - | 1 | - | - | 1 |
| SyslogMessage matches regex "(nasuni.)([0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{1})" | - | 1 | - | - | 1 |
| Facility == "cron"; ProcessName in "CRON,CROND"; SyslogMessage contains "CMD" | - | 1 | - | - | 1 |
| Facility == "cron"; ProcessName == "crontab" | - | 1 | - | - | 1 |
| SyslogMessage has "AUOMS_EXECVE" | - | 1 | - | - | 1 |
| Facility == "user"; SyslogMessage has "AUOMS_EXECVE"; SyslogMessage has "jndi"; SyslogMessage has_any "corba,dns,iiop,ldap,nds,nis,rmi" | - | 1 | - | - | 1 |
| ProcessName == "gw-audit"; SyslogMessage contains "ctera_audit"; SyslogMessage contains "op=delete" | - | 1 | - | - | 1 |
| SyslogMessage has "disk=Policy"; SyslogMessage has "disk=Traffic"; SyslogMessage has "illumio_pce/system_health"; SyslogMessage has "src=collector"; SyslogMessage has "src=disk_latency"; SyslogMessage has "src=flow_analytics" | - | 1 | - | - | 1 |
| SyslogMessage contains "runas"; SyslogMessage contains "sudo"; ProcessName has_any "hostd-probe,vmkwarning,vpxd-main" | - | 1 | - | - | 1 |
| Facility in "auth,authpriv" | - | 1 | - | - | 1 |
| SyslogMessage has_any "ALTER TABLE,CREATE TABLE,DROP TABLE,database modified,schema change"; SyslogMessage has_any "auditd stopped,logging stopped,rsyslog stopped,syslog stopped"; SyslogMessage has_any "change,config,edit,modified,updated"; SyslogMessage has_any "change,config,modified,registry,updated"; SyslogMessage has_any "checksum mismatch,file deleted,file modified,file tamper" | - | 1 | - | - | 1 |
| SyslogMessage has "instanceId"; SyslogMessage has "predefined_alarm_id"; SyslogMessage has "instanceId" | - | 1 | - | - | 1 |
| SyslogMessage contains "ACTION=VCF"; SyslogMessage contains "VCF Alert" | - | 1 | - | - | 1 |
| SyslogMessage has "%SEC_LOGIN-4-LOGIN_FAILED"; SyslogMessage has "%SEC_LOGIN-5-LOGIN_SUCCESS"; SyslogMessage has "%SYS-6-LOGOUT" | - | - | 1 | - | 1 |
| ProcessName has "CISE_Administrative_and_Operational_Audit"; SyslogMessage has "Administrator-Login" | - | - | 1 | - | 1 |
| ProcessName == "sshd"; SyslogMessage has "Failed"; SyslogMessage has "but this does not map back to the address"; SyslogMessage has "key RSA"; SyslogMessage has "publickey"; SyslogMessage startswith "Accepted"; SyslogMessage startswith "Failed"; SyslogMessage startswith "Invalid user"; SyslogMessage startswith "Nasty PTR record"; SyslogMessage startswith "Timeout"; SyslogMessage startswith "message repeated"; SyslogMessage startswith "reverse mapping checking getaddrinfo for" | - | - | 1 | - | 1 |
| ProcessName == "su"; SyslogMessage has_all "pam_unix(su"; SyslogMessage startswith "FAILED SU"; SyslogMessage startswith "Successful su for" | - | - | 1 | - | 1 |
| ProcessName == "sudo"; SyslogMessage has "COMMAND="; SyslogMessage has "TTY="; SyslogMessage has "USER="; SyslogMessage has "incorrect password attempts"; SyslogMessage has "session closed for user"; SyslogMessage has "user NOT in sudoers" |
- | - | 1 | - | 1 |
ProcessName == "named"SyslogMessage !has "response:"SyslogMessage has_all "client" |
- | - | 1 | - | 1 |
SyslogMessage has "<Provider Name="SyslogMessage has_any "<EventID>23</EventID>,<EventID>26</EventID>" |
- | - | 1 | - | 1 |
ProcessName in "cz-sessiond,cz-vpnd"SyslogMessage has_all "[AUDIT]"SyslogMessage has_any ":" |
- | - | 1 | - | 1 |
SyslogMessage !has "3000-0151"SyslogMessage !has "icmp"SyslogMessage !has "igmp"SyslogMessage !has "msg="SyslogMessage has "3000-0151"SyslogMessage has "icmp"SyslogMessage has "igmp"SyslogMessage has_any "msg_id=" |
- | - | 1 | - | 1 |
Facility == "authpriv"ProcessName in "gpasswd,groupadd,groupdel,groupmod,useradd,userdel,usermod" |
- | - | 1 | - | 1 |
Facility == "local6"ProcessName in "dhcpd,named"ProcessName !in "dhcp,named" |
- | - | - | 1 | 1 |
SyslogMessage contains "SYSTEM_MSG"SyslogMessage contains "%LOG_LOCAL" |
- | - | - | 1 | 1 |
SyslogMessage has "%FW-6-LOG_SUMMARY:" |
- | - | - | 1 | 1 |
SyslogMessage has "Stealthwatch" |
- | - | - | 1 | 1 |
Facility == "local7"ProcessName == "GitLab-Access-Logs"SyslogMessage contains "HTTP"SyslogMessage has_any "DELETE,GET,PATCH,POST,PUT" |
- | - | - | 1 | 1 |
SyslogMessage has "illumio_pce/collector" |
- | - | - | 1 | 1 |
SyslogMessage has_any "AccessRight,Added,AdminGroup,AdminMember,Created Role,DHCPACK,DHCPDISCOVER,DHCPEXPIRE,DHCPINFORM,DHCPOFFER,DHCPRELEASE,Login_Allowed,Login_Denied,Option,Removed,balanced,balancing,bind,delegatedzone,failover,forwardzone,r-l-e" |
- | - | - | 1 | 1 |
SyslogMessage has_any "client,gss_accept_sec_context" |
- | - | - | 1 | 1 |
SyslogMessage startswith "DHCPACK" |
- | - | - | 1 | 1 |
SyslogMessage has "Added" |
- | - | - | 1 | 1 |
SyslogMessage has "bind" |
- | - | - | 1 | 1 |
SyslogMessage startswith "DHCPDISCOVER" |
- | - | - | 1 | 1 |
SyslogMessage has "DHCPEXPIRE" |
- | - | - | 1 | 1 |
SyslogMessage has "DHCPINFORM" |
- | - | - | 1 | 1 |
SyslogMessage has "Option" |
- | - | - | 1 | 1 |
SyslogMessage has_any "AccessRight,AdminGroup,AdminMember,Created Role,Login_Allowed,Login_Denied,balanced,balancing,delegatedzone,failover,forwardzone" |
- | - | - | 1 | 1 |
SyslogMessage has "DHCPRELEASE" |
- | - | - | 1 | 1 |
SyslogMessage has "Removed" |
- | - | - | 1 | 1 |
SyslogMessage has "DHCPREQUEST" |
- | - | - | 1 | 1 |
SyslogMessage has "r-l-e" |
- | - | - | 1 | 1 |
SyslogMessage has "gss_accept_sec_context" |
- | - | - | 1 | 1 |
SyslogMessage has "zone" |
- | - | - | 1 | 1 |
SyslogMessage has_all "Alert" |
- | - | - | 1 | 1 |
ProcessName == "RT_FLOW"ProcessName in "RT_IDS,sshd"ProcessName !in "sshd,RT_IDS,RT_FLOW" |
- | - | - | 1 | 1 |
ProcessName == "SyslogAlertForwarderNSP" |
- | - | - | 1 | 1 |
ProcessName == "openvpn" |
- | - | - | 1 | 1 |
SyslogMessage has "predefined_alarm_id" |
- | - | - | 1 | 1 |
| Total | 5 | 335 | 18 | 59 | 417 |
| Facility | ProcessName | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|---|
| | has_any hostd-probe | - | 26 | - | 1 | 27 |
| | has_any vmkwarning | - | 26 | - | 1 | 27 |
| | has_any vpxd-main | - | 26 | - | 1 | 27 |
| | has_any CISE | - | 21 | 4 | 1 | 26 |
| | has_any CSCO | - | 21 | 4 | 1 | 26 |
| | contains EPOEvents | - | 25 | - | 1 | 26 |
| | cisco_wsa | - | 22 | - | 1 | 23 |
| local0 | | - | 6 | - | 3 | 9 |
| | gw-audit | 1 | 7 | - | - | 8 |
| user | | - | 8 | - | - | 8 |
| local7 | GitLab-Audit-Logs | - | 6 | - | 1 | 7 |
| | contains squid | - | 7 | - | - | 7 |
| | ERAServer | - | 3 | - | 2 | 5 |
| local7 | | - | 3 | - | 1 | 4 |
| | SymantecServer | - | 3 | - | 1 | 4 |
| local5 | | - | 3 | - | 1 | 4 |
| != cron | | 3 | - | - | - | 3 |
| authpriv | | - | 3 | - | - | 3 |
| | sshd | - | 1 | 1 | 1 | 3 |
| | box_Firewall_Activity | - | 1 | - | 2 | 3 |
| local7 | GitLab-Application-Logs | - | 1 | - | 1 | 2 |
| | has sftp | - | 2 | - | - | 2 |
| contains auth | != sudo | - | 2 | - | - | 2 |
| auth | | - | 2 | - | - | 2 |
| | contains Exabeam | - | - | - | 2 | 2 |
| | sysmon | 1 | - | - | - | 1 |
| cron | CRON | - | 1 | - | - | 1 |
| cron | CROND | - | 1 | - | - | 1 |
| cron | crontab | - | 1 | - | - | 1 |
| | has CISE_Administrative_and_Operational_Audit | - | - | 1 | - | 1 |
| | su | - | - | 1 | - | 1 |
| | sudo | - | - | 1 | - | 1 |
| | named | - | - | 1 | - | 1 |
| | cz-sessiond | - | - | 1 | - | 1 |
| | cz-vpnd | - | - | 1 | - | 1 |
| authpriv | gpasswd | - | - | 1 | - | 1 |
| authpriv | groupadd | - | - | 1 | - | 1 |
| authpriv | groupdel | - | - | 1 | - | 1 |
| authpriv | groupmod | - | - | 1 | - | 1 |
| authpriv | useradd | - | - | 1 | - | 1 |
| authpriv | userdel | - | - | 1 | - | 1 |
| authpriv | usermod | - | - | 1 | - | 1 |
| local6 | dhcpd | - | - | - | 1 | 1 |
| local6 | named | - | - | - | 1 | 1 |
| local6 | != dhcp | - | - | - | 1 | 1 |
| local6 | != named | - | - | - | 1 | 1 |
| local7 | GitLab-Access-Logs | - | - | - | 1 | 1 |
| | RT_FLOW | - | - | - | 1 | 1 |
| | RT_IDS | - | - | - | 1 | 1 |
| | != sshd | - | - | - | 1 | 1 |
| | != RT_IDS | - | - | - | 1 | 1 |
| | != RT_FLOW | - | - | - | 1 | 1 |
| | SyslogAlertForwarderNSP | - | - | - | 1 | 1 |
| | openvpn | - | - | - | 1 | 1 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| has instanceId | - | 114 | - | 3 | 117 |
| contains <EPOevent> | - | 25 | - | 1 | 26 |
| contains <UpdateEvents> | - | 25 | - | 1 | 26 |
| contains Oracle Unified Audit | - | 22 | - | 2 | 24 |
| contains managed_device_id | - | 21 | - | 1 | 22 |
| contains number_of_incidents | - | 21 | - | 1 | 22 |
| has AUOMS_EXECVE | - | 10 | - | - | 10 |
| has illumio_pce/agent | - | 8 | - | 1 | 9 |
| has purity.alert | - | 3 | - | 2 | 5 |
| !has response: | - | 1 | 1 | 2 | 4 |
| has_all client | - | 1 | 1 | 2 | 4 |
| has_all <Provider Name= | - | - | 4 | - | 4 |
| has bytes read | - | 2 | - | - | 2 |
| has close | - | 2 | - | - | 2 |
| has session opened for | - | 2 | - | - | 2 |
| contains VCF Alert | - | 2 | - | - | 2 |
| contains VCF Drop | - | 2 | - | - | 2 |
| has jndi | - | 2 | - | - | 2 |
| has_any corba | - | 2 | - | - | 2 |
| has_any dns | - | 2 | - | - | 2 |
| has_any iiop | - | 2 | - | - | 2 |
| has_any ldap | - | 2 | - | - | 2 |
| has_any nds | - | 2 | - | - | 2 |
| has_any nis | - | 2 | - | - | 2 |
| has_any rmi | - | 2 | - | - | 2 |
| has DHCPOFFER | - | 1 | - | 1 | 2 |
| has_any change | - | 2 | - | - | 2 |
| has_any config | - | 2 | - | - | 2 |
| has_any modified | - | 2 | - | - | 2 |
| has_any updated | - | 2 | - | - | 2 |
| has predefined_alarm_id | - | 1 | - | 1 | 2 |
| contains AuditLog | - | - | - | 2 | 2 |
| contains Device, | - | - | - | 2 | 2 |
| contains DeviceControl | - | - | - | 2 | 2 |
| contains ScriptControl | - | - | - | 2 | 2 |
| contains Threat | - | - | - | 2 | 2 |
| has_any AccessRight | - | - | - | 2 | 2 |
| has_any AdminGroup | - | - | - | 2 | 2 |
| has_any AdminMember | - | - | - | 2 | 2 |
| has_any Created Role | - | - | - | 2 | 2 |
| has_any Login_Allowed | - | - | - | 2 | 2 |
| has_any Login_Denied | - | - | - | 2 | 2 |
| has_any balanced | - | - | - | 2 | 2 |
| has_any balancing | - | - | - | 2 | 2 |
| has_any delegatedzone | - | - | - | 2 | 2 |
| has_any failover | - | - | - | 2 | 2 |
| has_any forwardzone | - | - | - | 2 | 2 |
| contains gw-audit[-]: | 1 | - | - | - | 1 |
| contains portal portal[-]: | 1 | - | - | - | 1 |
| contains found an infected file | - | 1 | - | - | 1 |
| contains Ransomware incident detected | - | 1 | - | - | 1 |
| contains Ransom Protect mechanism blocked | - | 1 | - | - | 1 |
| has The Filer has detected a new ransomware attack | - | 1 | - | - | 1 |
| has The Filer has enforced the mitigation policy on volume | - | 1 | - | - | 1 |
| has invalid username or password | - | 1 | - | - | 1 |
| has authentication failure | - | 1 | - | - | 1 |
| has uid=0 | - | 1 | - | - | 1 |
| has user unknown | - | 1 | - | - | 1 |
| contains Failed password for invalid user | - | 1 | - | - | 1 |
| contains packet too big | - | 1 | - | - | 1 |
| contains Reverse path forwarding check fail | - | 1 | - | - | 1 |
| has Accepted | - | 1 | - | - | 1 |
| has from | - | 1 | - | - | 1 |
| has_any Accepted | - | 1 | - | - | 1 |
| has_any Disconnected | - | 1 | - | - | 1 |
| has_any Disconnecting | - | 1 | - | - | 1 |
| has_any [preauth] | - | 1 | - | - | 1 |
| has_any disconnect | - | 1 | - | - | 1 |
| contains CMD | - | 1 | - | - | 1 |
| contains ctera_audit | - | 1 | - | - | 1 |
| contains op=delete | - | 1 | - | - | 1 |
| has disk=Policy | - | 1 | - | - | 1 |
| has disk=Traffic | - | 1 | - | - | 1 |
| has illumio_pce/system_health | - | 1 | - | - | 1 |
| has src=collector | - | 1 | - | - | 1 |
| has src=disk_latency | - | 1 | - | - | 1 |
| has src=flow_analytics | - | 1 | - | - | 1 |
| contains runas | - | 1 | - | - | 1 |
| contains sudo | - | 1 | - | - | 1 |
| has_any ALTER TABLE | - | 1 | - | - | 1 |
| has_any CREATE TABLE | - | 1 | - | - | 1 |
| has_any DROP TABLE | - | 1 | - | - | 1 |
| has_any database modified | - | 1 | - | - | 1 |
| has_any schema change | - | 1 | - | - | 1 |
| has_any auditd stopped | - | 1 | - | - | 1 |
| has_any logging stopped | - | 1 | - | - | 1 |
| has_any rsyslog stopped | - | 1 | - | - | 1 |
| has_any syslog stopped | - | 1 | - | - | 1 |
| has_any edit | - | 1 | - | - | 1 |
| has_any registry | - | 1 | - | - | 1 |
| has_any checksum mismatch | - | 1 | - | - | 1 |
| has_any file deleted | - | 1 | - | - | 1 |
| has_any file modified | - | 1 | - | - | 1 |
| has_any file tamper | - | 1 | - | - | 1 |
| contains ACTION=VCF | - | 1 | - | - | 1 |
| has %SEC_LOGIN-4-LOGIN_FAILED | - | - | 1 | - | 1 |
| has %SEC_LOGIN-5-LOGIN_SUCCESS | - | - | 1 | - | 1 |
| has %SYS-6-LOGOUT | - | - | 1 | - | 1 |
| has Administrator-Login | - | - | 1 | - | 1 |
| has Failed | - | - | 1 | - | 1 |
| has but this does not map back to the address | - | - | 1 | - | 1 |
| has key RSA | - | - | 1 | - | 1 |
| has publickey | - | - | 1 | - | 1 |
| startswith Accepted | - | - | 1 | - | 1 |
| startswith Failed | - | - | 1 | - | 1 |
| startswith Invalid user | - | - | 1 | - | 1 |
| startswith Nasty PTR record | - | - | 1 | - | 1 |
| startswith Timeout | - | - | 1 | - | 1 |
| startswith message repeated | - | - | 1 | - | 1 |
| startswith reverse mapping checking getaddrinfo for | - | - | 1 | - | 1 |
| has_all pam_unix(su | - | - | 1 | - | 1 |
| startswith FAILED SU | - | - | 1 | - | 1 |
| startswith Successful su for | - | - | 1 | - | 1 |
| has COMMAND= | - | - | 1 | - | 1 |
| has TTY= | - | - | 1 | - | 1 |
| has USER= | - | - | 1 | - | 1 |
| has incorrect password attempts | - | - | 1 | - | 1 |
| has session closed for user | - | - | 1 | - | 1 |
| has user NOT in sudoers | - | - | 1 | - | 1 |
| has <Provider Name= | - | - | 1 | - | 1 |
| has_any <EventID>23</EventID> | - | - | 1 | - | 1 |
| has_any <EventID>26</EventID> | - | - | 1 | - | 1 |
| has_all [AUDIT] | - | - | 1 | - | 1 |
| has_any : | - | - | 1 | - | 1 |
| !has 3000-0151 | - | - | 1 | - | 1 |
| !has icmp | - | - | 1 | - | 1 |
| !has igmp | - | - | 1 | - | 1 |
| !has msg= | - | - | 1 | - | 1 |
| has 3000-0151 | - | - | 1 | - | 1 |
| has icmp | - | - | 1 | - | 1 |
| has igmp | - | - | 1 | - | 1 |
| has_any msg_id= | - | - | 1 | - | 1 |
| contains SYSTEM_MSG | - | - | - | 1 | 1 |
| contains %LOG_LOCAL | - | - | - | 1 | 1 |
| has %FW-6-LOG_SUMMARY: | - | - | - | 1 | 1 |
| has Stealthwatch | - | - | - | 1 | 1 |
| contains HTTP | - | - | - | 1 | 1 |
| has_any DELETE | - | - | - | 1 | 1 |
| has_any GET | - | - | - | 1 | 1 |
| has_any PATCH | - | - | - | 1 | 1 |
| has_any POST | - | - | - | 1 | 1 |
| has_any PUT | - | - | - | 1 | 1 |
| has illumio_pce/collector | - | - | - | 1 | 1 |
| has_any Added | - | - | - | 1 | 1 |
| has_any DHCPACK | - | - | - | 1 | 1 |
| has_any DHCPDISCOVER | - | - | - | 1 | 1 |
| has_any DHCPEXPIRE | - | - | - | 1 | 1 |
| has_any DHCPINFORM | - | - | - | 1 | 1 |
| has_any DHCPOFFER | - | - | - | 1 | 1 |
| has_any DHCPRELEASE | - | - | - | 1 | 1 |
| has_any Option | - | - | - | 1 | 1 |
| has_any Removed | - | - | - | 1 | 1 |
| has_any bind | - | - | - | 1 | 1 |
| has_any r-l-e | - | - | - | 1 | 1 |
| has_any client | - | - | - | 1 | 1 |
| has_any gss_accept_sec_context | - | - | - | 1 | 1 |
| startswith DHCPACK | - | - | - | 1 | 1 |
| has Added | - | - | - | 1 | 1 |
| has bind | - | - | - | 1 | 1 |
| startswith DHCPDISCOVER | - | - | - | 1 | 1 |
| has DHCPEXPIRE | - | - | - | 1 | 1 |
| has DHCPINFORM | - | - | - | 1 | 1 |
| has Option | - | - | - | 1 | 1 |
| has DHCPRELEASE | - | - | - | 1 | 1 |
| has Removed | - | - | - | 1 | 1 |
| has DHCPREQUEST | - | - | - | 1 | 1 |
| has r-l-e | - | - | - | 1 | 1 |
| has gss_accept_sec_context | - | - | - | 1 | 1 |
| has zone | - | - | - | 1 | 1 |
| has_all Alert | - | - | - | 1 | 1 |