Beruflich Dokumente
Kultur Dokumente
Example Queries:
Free text search: "bwalth01" or "130.64.205.66"
All Juniper VPN activity: deviceVendor contains "Juniper" AND deviceProduct = "Netscreen VPN"
All traffic going to a particular IP: destinationAddress = "94.100.18.41"
All traffic to a set of IP addresses: destinationAddress IN [seim:"130.64.205.66","130.64.205.72","130.64.205.178"]
All failed login attempts: categoryBehavior CONTAINS "Verify" AND categoryOutcome = "/Failure"
Example Load Balancer log (for when you need Load Balancer specific searches): Rule Log-to-Arcsite <;SERVER_CONNECTED>;: Got
connection: Client(130.64.177.249:61338)<;>;(130.64.212.185:443)LTM(10.250.136.10:61338)<;>;(10.250.136.82:443)Server
CategoryObject - the type of device associated with this event. Usually among:
/Actor/User
/Host
/Host/Application
/Host/Application/Database
/Host/Application/Service
/Host/Application/Service/Email
/Host/Operating System
/Host/Resource
/Host/Resource/Interface
/Host/Resource/Memory
Network
CategorySignificance - the reported event significance type. Usually among:
/Hostile
/Informational
/Informational/Error
/Informational/Normal
/Informational/Warning
/Normal
/Recon
/Rule/Action/Success
/Suspicious
transportProtocol - usually among:
TCP
UDP
ICMP
IGMP
DeviceProduct - the brand name of the product which triggered the event. Examples:
Apache
ArcSight
CiscoRouter
Device Product
IntruShield
IP Flow
Logger
Microsoft Windows
Mobility Controller
Netscreen VPN
NSM
NT syslog
Peoplesoft Financials
Peoplesoft HR
Sendmail
Switch
Tomcat
Unix
WebLogic
DeviceVendor - the brand name of the owner/vendor of the product. Examples:
Apache
ArcSight
Aruba Networks
BEA
CISCO
Extreme Networks
IP Flow
Juniper
McAfee
Microsoft
Oracle
SaberNet
Unix
DeviceAction - the arbitrary action reported by the device. Examples:
DHCPACK
DHCPDISCOVER
DHCPINFORM
DHCPNAK
DHCPOFFER
DHCPRELEASE
DHCPREQUEST
200
400
5
Accept
accepted
closed
connect
info
moved
notice
pckt dropped
Postponed
REFUSED
Sent
SERVFAIL
succeeded
Suspicious
Warning