The following table maps the vendor fields to the LogPoint taxonomy:
| Vendor Fields | LogPoint Fields |
|---|---|
| Action Type | action_type |
| Action | action |
| Actual action | action |
| Admin | user |
| Application | application |
| Application hash | hash |
| Application name | application |
| Application path | path |
| Application type | application_type |
| Application Version | application_version |
| Begin | start_ts |
| Category | category |
| category set | event_category |
| Category type | category |
| Certificate issuer | certificate_issuer |
| Certificate serial number | certificate_serial_number |
| Certificate signer | certificate_signer |
| Certificate thumbprint | certificate_hash |
| CIDS Signature ID | cids_signature_id |
| CIDS Signature string | cids_signature |
| CIDS Signature SubID | cids_signature_subid |
| COH Engine Version | coh_engine_version |
| Command | command |
| Company | organization |
| Company name | organization |
| Computer | workstation |
| Computer name | workstation |
| Confidence | confidence |
| Detection Source | detection_source |
| Detection Score | detection_score |
| Detection Submissions | detection_submission |
| Detection type | detection_type |
| Device ID | device_id |
| Disposition | disposition |
| Domain | domain |
| Domain Name | domain |
| Download site | download_site |
| Downloaded by | downloaded_by |
| Duration (seconds) | duration |
| End | end_ts |
| End Time | end_ts |
| Event time | event_ts |
| File size (bytes) | datasize |
| First Seen | first_seen |
| Group | group |
| Group Name | group |
| Hash type | cipher |
| Infected | infection_count |
| infected file count | infection_count |
| Inserted | insert_ts |
| Intensive Protection Level | protection_level |
| Intrusion ID | intrusion_id |
| Intrusion Payload URL | intrusion_payload_url |
| Intrusion URL | url |
| IP Address | host_address |
| Last update time | last_update_ts |
| Local Host | source_address |
| Local Host IP | source_address |
| Local Host MAC | source_hardware_address |
| Local Port | source_port |
| Location | location |
| MD5 | hash |
| Occurrences | occurrence_count |
| Omitted | omission_count |
| Permitted application reason | reason |
| Prevalence | prevalence |
| Remote Host IP | destination_address |
| Remote Host MAC | destination_hardware_address |
| Remote Host Name | destination_host |
| Remote Port | destination_port |
| Requested action | requested_action |
| Risk | malware |
| Risk Level | threat_level |
| Risk name | malware |
| Risk type | threat_type |
| Rule | rule |
| Scan ID | scan_id |
| Secondary action | secondary_action |
| Sensitivity | sensitivity |
| Server | server |
| Server Name | server |
| SHA_256 | hash_sha256 |
| Signing timestamp | signing_time |
| Site | site |
| Source computer | source_workstation |
| Source IP | source_address |
| Source | event_source |
| Threats | threat_count |
| Total files | file_count |
| URL Tracking Status | url_tracking_status |
| User | user |
| User1 | user |
| User2 | caller_user |
| User Name | user |
| Web domain | web_domain |
The following table lists the labels for actions related to Symantec Endpoint Protection:

| Action | Labels |
|---|---|
| Virus found | Malware, Risk, Detect, Virus |
| Security risk found | Security, Risk, Detect |
| SONAR detection now permitted | SONAR, Detect, Risk |
| Compressed File | File, Compression, Risk |
| Malicious Site | Malicious |
| Web Attack | Web, Attack |
| Quarantined | Quarantine |
| disabled | Disable |
| enabled | Enable |
| Allowed | Allow |
| Blocked | Deny |
| Virus and Spyware Definitions | Malware, Spyware, Definition |
| Intrusion Prevention Signature | Signature |
| SONAR Definitions | SONAR, Definition |
| Intrusion Prevention | Intrusion, Prevention |
| OS Attack | OS, Attack |
| scan | Scan |
| Completed | Complete |
| install,success | Installation, Successful |
| install,fail | Installation, Fail |
| block traffic | Deny, Traffic |
| Block access | Access, Deny |
| malware | Malware |
| Traffic blocked | Deny, Traffic |
| Traffic has been blocked for this application | Deny, Application, Traffic |
The following table lists the labels for Event IDs related to Symantec Antivirus:

| Event ID | Labels |
|---|---|
| 45 | Integrity, Protection |
| 7 | Virus, Malware, File, Load |
The following table lists the labels for actions related to Symantec EmailGateway:

| Action | Labels |
|---|---|
| Quarantined | Quarantine, Email |
| Blocked | Block, Email |
| Allow | Allow, Email |
The following table lists the labels for Event IDs related to Symantec Mail Security:

| Event ID | Labels |
|---|---|
| 303 | Policy, Violate |
| 381 | Policy, Violate |
| 291 | Policy, Violate |
| 218 | Policy, Violate |
| 236 | Quarantine, Directory, Exceed, Limit |
| 30 | Virus, Malware, Definition, Update, Successful |