10 21 2016 10:16:50 10.3.10.52 <LOC0:INFO> Oct 21 10:16:50 192.168.1.9
EVID:0022 Denial of service detected 181.222.137.14:40089 -> FTPServer.acme.com:1723 UDP
{
"keyField": "messageId",
"count": 1,
"classificationId": 2500,
"classificationName": "Denial Of Service",
"classificationTypeName": "Security",
"commonEventName": "Host Denial Of Service",
"commonEventId": 1034537,
"direction": 3,
"directionName": "External",
"entityId": 7,
"entityName": "Child2B",
"impactedEntityName": "Global Entity",
"impactedHost": "161.200.1.6",
"impactedIp": "161.200.1.6",
"impactedLocation": "Thailand, Krung Thep Maha Nakhon, Bangkok",
"impactedCountry": "Thailand",
"impactedRegion": "Krung Thep Maha Nakhon",
"impactedCity": "Bangkok",
"impactedPort": 401,
"impactedZoneName": "External",
"logDate": 1477045118000,
"logMessage": "10 21 2016 10:18:38 10.3.10.52 <LOC0:INFO> Oct 21 10:18:38 192.168.1.6 EVID:0022 Denial of service detected 238.231.189.41:40037 -> 161.200.1.6:401 UDP",
"logSourceHost": "192.168.1.6",
"logSourceHostId": 20,
"logSourceHostName": "192.168.1.6",
"logSourceId": 39,
"logSourceName": "192.168.1.6 LR SyslogGen",
"logSourceType": 105,
"logSourceTypeName": "Syslog - LogRhythm Syslog Generator",
"messageId": "807988387",
"messageTypeEnum": 2,
"mpeRuleId": 30272,
"mpeRuleName": "Denial of Service",
"normalDate": 1477066718007,
"normalDateMin": 1477066718007,
"normalMsgDateMax": 1477066718007,
"originEntityId": -100,
"originEntityName": "Global Entity",
"originHostId": -1,
"originHost": "238.231.189.41",
"originIp": "238.231.189.41",
"originPort": 40037,
"originZone": 3,
"originZoneName": "External",
"priority": 47,
"protocolId": 17,
"protocolName": "UDP",
"serviceId": 3580,
"serviceName": "UPS - Uninterruptible Power Supply",
"portProtocol": "UPS - Uninterruptible Power Supply",
"vendorMessageId": "0022"
}
vs
{
logDate : "2016-10-18T20:18:17Z",
priority : 47,
logSourceName : "Syslog - LogRhythm Syslog Generator",
...
listMatches : [14, 48, 103],
extensions : [ {
key : "emailAttachments",
value : "babyPicture.jpg",
type : "String",
} ]
}
Repositories
Name: "High Risk" Capacity: 50% Filter: priority >= 70
Name: "Financial Servers" Capacity: 30% Filter: originIp in list:financialServers
Name: "SSH Traffic" Capacity: 20% Filter: application == "SSH - Secure Shell"