# Syslog guide (QUX)

## Overview

<details>

<summary>Expand/Collapse for Details</summary>

Administrators can configure the Vectra Brain to send host and account scoring information, detection details, campaign details, and audit logs over syslog to external collectors for storage and analysis.

The Brain appliance can be configured to use the standard syslog, HP ArcSight Common Event Format (CEF) or JSON message format. Syslog messages include the information displayed in the Vectra user interface, although in some cases the representations in the user interface are derived values. A syslog message can reflect a host scoring, account scoring, detection event, campaign event, audit log or system health alert.

Host scoring messages are generated when a host score is changed, which occurs upon initial threat detection, discovery of additional detections, and updates to any discovered detections. A host scoring message contains information on whether the host is marked as a key asset or has a detection that targets a key asset. The host score is also reduced over time if the underlying detection behavior subsides, either because of user intervention or because the host has left the network.

Account scoring messages are generated when an account score is changed, which occurs upon initial threat detection, discovery of additional detections, and updates to any discovered detections. The account score is reduced over time if the underlying detection behavior subsides, either because of user intervention or because the account has left the network.

Detection messages are created upon initial detection and for each update of the detection. Campaign messages are generated upon initial creation of a campaign, and on campaign closure.

Audit logs are generated for login events (both successful and failed), logout events, as well as other user actions that can impact the security posture of the product (such as creating a triage filter, marking detections as fixed, creating users, creating roles, etc).

System health logs are generated for specific events that can impact the health and operation of the product. These include changes to sensor connectivity, capture interface status and disk health status. Further, system health syslog includes periodic heartbeat messages that indicate the status of the Brain appliance.

Using the default sort order in the Vectra user interface, the first row of the Recent Activity table reflects the most recent update, while the last row reflects the oldest tracked detection.

![An example of a network Detection alert.](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-8a48ad53d5cf2586ab188a30e2183f5ee5752e67%2F8a6367abe1ecd879882b03d855e6676098954d0419905d3fec39aafb62e7a8b9.jpg?alt=media)

Since the Vectra Brain limits the amount of data it maintains for individual detections, the last detection instance in the table may be the first instance of observed behavior or, for a very active detection, may simply be the oldest one currently tracked.

The Recent Activity table is fully sortable, so clicking on the Last Seen column heading will place the oldest detection at the top of the table.

Most detection messages contain event updates and summary fields (e.g. bytesSent, totalBytesSent). Event fields are displayed in the Recent Activity table while summary fields are displayed directly above the table in the Detection Summary portion of the user interface.

Customers can enable one or more log types for each syslog destination. If chosen, the relevant logs are sent to the syslog destination per the specified format.

</details>

## Configuration Steps

<details>

<summary>Expand/Collapse for Details</summary>

A maximum of three Syslog destinations can be configured from the Vectra platform (Brain) web UI. Here are the steps:

1. Log in to the Vectra (Brain) web UI with an admin ID.
2. Go to Settings » Notification. On the Notification page, scroll to the Syslog section.
3. Click the "✎ Edit" option to add or edit Syslog destinations. The fields are described below:\
   ![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-7e22dbababced00d84f0bc1d39773a6e01032f2a%2F63c50cd4ea4aea798d1a2eab52f0d261031bef460f1a093fe0458a0b3ff6cce5.png?alt=media)
   * Destination: Enter the \<IP address or FQDN> of the remote Syslog server.
   * PORT: Enter the port number on which the receiving Syslog server is listening.
   * PROTOCOL: The transport protocol used for the preferred type of Syslog service. Select one from the drop-down:

     ```
     UDP #Stateless
     TCP #Stateful
     SSL #Secure
     ```
   * FORMAT: The format in which Syslog messages are to be sent to the remote Syslog server. Select one from the drop-down:

     ```
     Standard
     CEF       # HP ArcSight CEF (Common Event Format)
     JSON      # JavaScript Object Notation
     ```
   * LOG TYPES: Type of logs that are to be sent to the remote Syslog server. Select one or more from the following options:

     ```
     Host Scoring
     Account Scoring
     Host Detection
     Account Detection
     Account Lockdown
     Campaigns
     Audit
     Health
     ```
4. Upon completing the configuration, click Save:\
   ![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-ef4c5a88469edeed90bf83ed33ea5ba93a6f3dd6%2Fa576b7eb2d92c7dae6fdeb3dd4ec44b6e353a11f401e6b6760da7fdbe30c9aa0.png?alt=media)
5. Click "➤ Test" to verify the Syslog configuration.\
   ![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-1ebb890bff10e85cab0f5a413885b357eaedaf82%2Fc8026d4b2baa1b4776d6674687fb8ade0c49c1bc1194661c6f54fb6d616f9c30.png?alt=media)\
   On success, the following message should appear at the top of the web page for a few seconds:\
   ![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-76991c0af345c7ef75eff67ea1cdb8a0ef6fe854%2F8f86f632febb47ceaf89bcc49b151733207add62f2242867a3df68fde093f631.png?alt=media)

**Important Note:**

When the selected protocol is SSL, you are asked to upload the certificates:

![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-5897ded632e40860648ad7273a1b35a43e3fdf06%2F9f4903309ea84872e44ec703551956b3720c533a1d1d380174d2e0f96da4f333.jpg?alt=media)

**Please Note!**

* The certificates must be in PEM format.
* "Validate Server CA Certificate" is a new option in the v9.8 release.
  * This will default to on (checked) for new deployments as of the v9.8 release.
  * This will default to off (unchecked) for any prior deployments.
  * Check this box if you want certificate validation to be enforced for the syslog server connection. With the box unchecked, connections succeed without any certificate validation, even when the server certificate has expired.
* Prior deployments may show a "Browse files" link for the Server CA Certificate if that deployment encountered a bug in which the system deleted the Server CA certificate when only a client certificate was updated.
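
As an added illustration of what the SSL protocol option and the "Validate Server CA Certificate" checkbox control (example code written for this guide, not Vectra's implementation), the following Python client models the same choice with the standard `ssl` module: with validation on, the uploaded CA file is the only trust anchor and the server name is checked; with it off, any server certificate is accepted, an expired one included, which is the behaviour the note above describes. The `SAMPLE_PEM` body, the host and port in the `__main__` section, and the `verification_summary`, `is_pem_certificate` and `send_test_message` helpers are all constructed for this example; the RFC 5425 octet-counting framing is an assumption about the receiver, not something this page specifies.

```python
"""Model of the SSL transport option and the 'Validate Server CA Certificate' checkbox.

Added example, not Vectra's code: a generic syslog-over-TLS client built on Python's
ssl module, so the effect of each setting can be inspected. Host, port and the PEM
sample are constructed placeholders; RFC 5425 octet-counting framing is assumed.
"""
import socket
import ssl
from typing import Dict, Optional

# Constructed PEM shell: correct framing, but the body is NOT a real certificate.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBszCCAVmgAwIBAgIUAA==\n"
    "-----END CERTIFICATE-----\n"
)


def build_client_context(validate_server_ca: bool,
                         ca_pem_path: Optional[str] = None) -> ssl.SSLContext:
    """validate_server_ca=True: trust only the uploaded CA (or the system store when no
    file is given) and check the server name. False: accept any certificate, expired
    or self-signed included, which is what the unchecked box permits."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=ca_pem_path)
    if not validate_server_ca:
        ctx.check_hostname = False       # must be cleared before relaxing verify_mode
        ctx.verify_mode = ssl.CERT_NONE  # no chain, no expiry, no hostname check
    return ctx


def verification_summary(ctx: ssl.SSLContext) -> Dict[str, bool]:
    """What the context will actually enforce during the handshake."""
    return {"verify_required": ctx.verify_mode == ssl.CERT_REQUIRED,
            "check_hostname": bool(ctx.check_hostname)}


def is_pem_certificate(text: str) -> bool:
    """Pre-upload check for the 'certificates must be in PEM format' rule: CERTIFICATE
    BEGIN/END markers around a base64 body. It does not parse the X.509 content."""
    try:
        ssl.PEM_cert_to_DER_cert(text.strip())
        return True
    except ValueError:
        return False


def frame_rfc5425(message: str) -> bytes:
    """Octet-counting framing for syslog over TLS: decimal length, a space, the message."""
    data = message.encode("utf-8")
    return f"{len(data)} ".encode("ascii") + data


def send_test_message(host: str, port: int, ctx: ssl.SSLContext, message: str,
                      timeout: float = 5.0) -> int:
    """Equivalent of the UI's Test button: open one TLS session and send one framed
    message. With a CERT_NONE context this succeeds against any server certificate."""
    payload = frame_rfc5425(message)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(payload)
    return len(payload)


if __name__ == "__main__":
    print("strict:", verification_summary(build_client_context(True)))
    print("loose: ", verification_summary(build_client_context(False)))
    print("PEM framing ok:", is_pem_certificate(SAMPLE_PEM))
    # Placeholder destination; point this at your own collector before running:
    # send_test_message("syslog.example.invalid", 6514, build_client_context(True, "ca.pem"),
    #                   "<14>1 - brain01 - - - - test")
```

The strict context is the one that corresponds to the checkbox being checked; the loose context shows why an unchecked box still "works" (the handshake completes regardless of the certificate presented), and the PEM check only confirms the file is framed the way the upload dialog expects, not that its contents are a valid certificate.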

</details>

## Host Scoring Log Events

<details>

<summary>Expand/Collapse for Details</summary>

**Host Scoring Standard Syslog Message Example**

```language-markup
HOST [host@41261 category="$category" hostName="$host_name" currentIP="$host_ip" dvchost="$dvchost" threat="$threat" certainty="$certainty" privilege="$privilege" scoreDecreases="$score_decreases" URL="$href" UTCTime="$UTCTimeEnd" sourceKeyAsset="$src_key_asset" destKeyAsset="$dst_key_asset"]
```

**Host Scoring Standard Syslog Message Detail**

| **Key**           | **Type** | **Description**                                                                                                  |
| ----------------- | -------- | ---------------------------------------------------------------------------------------------------------------- |
| $category         | str      | Always the string 'HOST SCORING'. Used internally to differentiate between account, host and detection messages. |
| $certainty        | int      | The certainty of the score assigned to this host                                                                 |
| $dst\_key\_asset  | bool     | Whether there is a detection that is targeting this host and this host is a key asset                            |
| $dvchost          | str      | The hostname of the Brain                                                                                        |
| $host\_ip         | str      | The IP of the host being scored                                                                                  |
| $host\_name       | str      | The name of the host being scored                                                                                |
| $href             | str      | A link to see this host in the UI                                                                                |
| $privilege        | int      | The observed privilege level of the host.                                                                        |
| $score\_decreases | bool     | Indicates whether both Threat and Certainty scores are decreasing.                                               |
| $src\_key\_asset  | bool     | Whether the host being scored is marked as a key asset                                                           |
| $threat           | int      | Newly calculated host threat                                                                                     |
| $UTCTimeEnd       | int      | Seconds since epoch for event end                                                                                |

**Host Scoring CEF Syslog Message Example**

```language-markup
CEF:0|Vectra |X Series|$version|hsc|Host Score Change|3|externalId=$host_id cat=$category dvc=$headend_addr dvchost=$dvchost shost=$host_name src=$host_ip dst=$host_ip flexNumber1Label=threat flexNumber1=$threat flexNumber2Label=certainty flexNumber2=$certainty flexNumber3Label=privilege flexNumber3=$privilege cs3Label=scoreDecreases cs3=$score_decreases cs4Label=Vectra Event URL cs4=$href start=$UTCTimeStartCEF end=$UTCTimeEndCEF cs1Label=sourceKeyAsset cs1=$src_key_asset cs2Label=destKeyAsset cs2=$dst_key_asset
```

**Host Scoring CEF Syslog Message Detail**

| **Key**           | **Type** | **Description**                                                                                                  |
| ----------------- | -------- | ---------------------------------------------------------------------------------------------------------------- |
| $category         | str      | Always the string 'HOST SCORING'. Used internally to differentiate between account, host and detection messages. |
| $certainty        | int      | The certainty of the score assigned to this host                                                                 |
| $dst\_key\_asset  | bool     | Whether there is a detection that is targeting this host and this host is a key asset                            |
| $dvchost          | str      | The hostname of the Vectra Brain                                                                                 |
| $headend\_addr    | str      | The IP of the Vectra Brain                                                                                       |
| $host\_id         | int      | The ID of the host                                                                                               |
| $host\_ip         | str      | The IP of the host being scored                                                                                  |
| $host\_name       | str      | The name of the host being scored                                                                                |
| $href             | str      | A link to see this host in the UI                                                                                |
| $privilege        | int      | The observed privilege level of the host.                                                                        |
| $score\_decreases | bool     | Indicates whether both Threat and Certainty scores are decreasing.                                               |
| $src\_key\_asset  | bool     | Whether the host being scored is marked as a key asset                                                           |
| $threat           | int      | Newly calculated host threat                                                                                     |
| $UTCTimeEndCEF    | int      | Milliseconds since epoch for event end                                                                           |
| $UTCTimeStartCEF  | int      | Milliseconds since epoch for event start                                                                         |
| $version          | str      | The version of Vectra platform running the Vectra Brain                                                          |

**Host Scoring JSON Syslog Message Example**

```language-markup
{"version": "$version", "dvchost": "$dvchost", "host_ip": "$host_ip", "href": "$href", "src_key_asset": $src_key_asset, "host_id": $host_id, "headend_addr": "$headend_addr", "category": "$category", "dst_key_asset": $dst_key_asset, "privilege": $privilege, "certainty": $certainty, "score_decreases": $score_decreases, "vectra_timestamp": "$timestamp", "host_name": "$host_name", "threat": $threat}
```

**Host Scoring JSON Syslog Message Detail**

| **Key**           | **Type** | **Description**                                                                                                  |
| ----------------- | -------- | ---------------------------------------------------------------------------------------------------------------- |
| $category         | str      | Always the string 'HOST SCORING'. Used internally to differentiate between account, host and detection messages. |
| $certainty        | int      | The certainty of the score assigned to this host                                                                 |
| $dst\_key\_asset  | bool     | Whether there is a detection that is targeting this host and this host is a key asset                            |
| $dvchost          | str      | The hostname of the Vectra Brain                                                                                 |
| $headend\_addr    | str      | The IP of the Vectra Brain                                                                                       |
| $host\_id         | int      | The ID of the host                                                                                               |
| $host\_ip         | str      | The IP of the host being scored                                                                                  |
| $host\_name       | str      | The name of the host being scored                                                                                |
| $href             | str      | A link to see this host in the UI                                                                                |
| $privilege        | int      | The observed privilege level of the host.                                                                        |
| $score\_decreases | bool     | Indicates whether both Threat and Certainty scores are decreasing.                                               |
| $src\_key\_asset  | bool     | Whether the host being scored is marked as a key asset                                                           |
| $threat           | int      | Newly calculated host threat                                                                                     |
| $timestamp        | int      | Timestamp in seconds since epoch                                                                                 |
| $version          | str      | The version of Vectra software running on the Vectra Brain                                                       |

**Host Scoring Enhanced Details**

Enhanced details are available for host scoring syslog messages in each of the three formats: Standard, CEF, and JSON. In the Standard format, the fields are appended to the end of the syslog message.

```language-markup
vectra_standard_v2 -: HOST [host@41261 category="$category" hostName="$hostName" currentIP="$currentIP" dvchost="$dvchost" threat="$threat" certainty="$certainty" privilege="$privilege" scoreDecreases="$scoreDecreases" URL="$url" UTCTime="$UTCTime" sourceKeyAsset="$sourceKeyAsset" destKeyAsset="$destKeyAsset" sensor="$sensor" detectionProfile="$detectionProfile" hostGroups=[$hostGroups] tags="$tags" accountAccessHistory="$accountAccessHistory" serviceAccessHistory="$serviceAccessHistory" macAddress="$macAddress" macVendor="$macVendor" lastDetectionType="$lastDetectionType" quadrant="$quadrant"]
```

In the case of CEF, the new fields are represented as a JSON string inside the msg field.

```language-markup
vectra_cef_v2 -: CEF:0|Vectra |X Series|$version|hsc|Host Score Change|3|externalId=$host_id cat=$category dvc=$headend_addr dvchost=$dvchost shost=$host_name src=$host_ip dst=$host_ip flexNumber1Label=threat flexNumber1=$threat flexNumber2Label=certainty flexNumber2=$certainty flexNumber3Label=privilege flexNumber3=$privilege cs3Label=scoreDecreases cs3=$score_decreases cs4Label=Vectra Event URL cs4=$href start=$UTCTimeStartCEF end=$UTCTimeEndCEF cs1Label=sourceKeyAsset cs1=$src_key_asset cs2Label=destKeyAsset cs2=$dst_key_asset msg="{'sensor': $sensor, 'detectionProfile': $detectionProfile, 'hostGroups':[$hostGroups], 'tags':[$tags], 'accountAccessHistory':[$accountAccessHistory], 'serviceAccessHistory':[$serviceAccessHistory], 'macAddress': $macAddress, 'macVendor': $macVendor, 'lastDetectionType': $lastDetectionType, 'quadrant': $quadrant}"
```

In the case of JSON, the new fields appear throughout the JSON object.

```language-markup
vectra_json_v2 -: {"account_access_history": [$accountAccessHistory], "tags": [$tags], "service_access_history": [$serviceAccessHistory], "dvchost": "$dvchost", "host_ip": "$hostIP", "last_detection_type": "$lastDetectionType", "href": "$href", "src_key_asset": $src_key_asset, "host_id": $host_id, "headend_addr": "$headend_addr", "category": "$category", "dst_key_asset": $dst_key_asset, "detection_profile": $detectionProfile, "score_decreases": $scoreDecreases, "host_groups": [$hostGroups], "mac_vendor": $macVendor, "certainty": $certainty, "vectra_timestamp": "$vectra_timestamp", "threat": $threat, "host_name": "$host_name", "version": "$version", "macAddress": $mac_address, "privilege": $privilege, "sensor": "$sensor", "quadrant": "$quadrant"}
```

**Host Scoring Enhanced Fields Detail**

| **Key**               | **Type** | **Description**                                                                                                  |
| --------------------- | -------- | ---------------------------------------------------------------------------------------------------------------- |
| $sensor               | str      | The sensor associated with this host                                                                             |
| $detectionProfile     | obj      | The detection profile associated with this host                                                                  |
| $hostGroups           | list     | A list of the host groups that the host is a member of                                                           |
| $tags                 | list     | A list of tags applied to the host                                                                               |
| $accountAccessHistory | list     | The account access history associated with this host                                                             |
| $serviceAccessHistory | list     | The service access history associated with this host                                                             |
| $macAddress           | str      | The MAC address of this host                                                                                     |
| $macVendor            | str      | The vendor of the MAC address of this host                                                                       |
| $lastDetectionType    | str      | The most recent type of detection associated with this host                                                      |
| $quadrant             | str      | The values for this field are Low, Medium, High, or Critical, and reflect the status of the given host in the UI |

</details>

## Account Scoring Log Events

<details>

<summary>Expand/Collapse for Details</summary>

**Account Scoring Standard Syslog Message Example**

```language-markup
ACCOUNT [account@41261 category="$category" threat="$threat" certainty="$certainty" privilege="$privilege" scoreDecreases=$score_decreases URL="$href" UTCTime="$UTCTimeEnd"]
```

**Account Scoring Standard Syslog Message Detail**

| **Key**             | **Type** | **Description**                                                                                                     |
| ------------------- | -------- | ------------------------------------------------------------------------------------------------------------------- |
| *$category*         | str      | Always the string 'ACCOUNT SCORING'. Used internally to differentiate between account, host and detection messages. |
| *$certainty*        | int      | The certainty of the score assigned to this account                                                                 |
| *$href*             | str      | A link to see this account in the UI                                                                                |
| *$privilege*        | int      | The observed privilege level of the account.                                                                        |
| *$score\_decreases* | bool     | Indicates whether both Threat and Certainty scores are decreasing.                                                  |
| *$threat*           | int      | Newly calculated account threat                                                                                     |
| *$UTCTimeEnd*       | int      | Seconds since epoch for event end                                                                                   |

**Account Scoring CEF Syslog Message Example**

```language-markup
CEF:0|Vectra Networks|X Series|$version|asc|Account Score Change|3|externalId=$account_id cat=$category dvc=$headend_addr saccount=$account_uid flexNumber1Label=threat flexNumber1=$threat flexNumber2Label=certainty flexNumber2=$certainty flexNumber3Label=privilege flexNumber3=$privilege cs3Label=scoreDecreases cs3=$score_decreases cs4Label=Vectra Event URL cs4=$href start=$UTCTimeStartCEF end=$UTCTimeEndCEF
```

**Account Scoring CEF Syslog Message Detail**

| **Key**             | **Type** | **Description**                                                                                                     |
| ------------------- | -------- | ------------------------------------------------------------------------------------------------------------------- |
| *$account\_id*      | int      | The ID of the account                                                                                               |
| *$account\_uid*     | str      | The user account identifier.                                                                                        |
| *$category*         | str      | Always the string 'ACCOUNT SCORING'. Used internally to differentiate between account, host and detection messages. |
| *$certainty*        | int      | The certainty of the score assigned to this account                                                                 |
| *$headend\_addr*    | str      | The IP of the Vectra Brain                                                                                          |
| *$href*             | str      | A link to see this account in the UI                                                                                |
| *$privilege*        | int      | The observed privilege level of the account.                                                                        |
| *$score\_decreases* | bool     | Indicates whether both Threat and Certainty scores are decreasing.                                                  |
| *$threat*           | int      | Newly calculated account threat                                                                                     |
| *$UTCTimeEndCEF*    | int      | Milliseconds since epoch for event end                                                                              |
| *$UTCTimeStartCEF*  | int      | Milliseconds since epoch for event start                                                                            |
| *$version*          | str      | The version of Vectra platform running the Vectra Brain                                                             |

**Account Scoring JSON Syslog Message Example**

```language-markup
{"category": "$category", "account_id": $account_id, "href": "$href", "certainty": $certainty, "privilege": $privilege, "score_decreases": $score_decreases, "version": "$version", "vectra_timestamp": "$timestamp", "headend_addr": "$headend_addr", "threat": $threat, "account_uid": "$account_uid"}
```

**Account Scoring JSON Syslog Message Detail**

| **Key**             | **Type** | **Description**                                                                                                     |
| ------------------- | -------- | ------------------------------------------------------------------------------------------------------------------- |
| *$account\_id*      | int      | The ID of the account                                                                                               |
| *$account\_uid*     | str      | The user ID of the account                                                                                          |
| *$category*         | str      | Always the string 'ACCOUNT SCORING'. Used internally to differentiate between account, host and detection messages. |
| *$certainty*        | int      | The certainty of the score assigned to this account                                                                 |
| *$headend\_addr*    | str      | The IP of the Vectra Brain                                                                                          |
| *$href*             | str      | A link to see this account in the UI                                                                                |
| *$privilege*        | int      | The observed privilege level of the account.                                                                        |
| *$score\_decreases* | bool     | Indicates whether both Threat and Certainty scores are decreasing.                                                  |
| *$threat*           | int      | Newly calculated account threat                                                                                     |
| *$timestamp*        | int      | Timestamp in seconds since epoch                                                                                    |
| *$version*          | str      | The version of Vectra platform running the Vectra Brain                                                             |

**Account Scoring Enhanced Details**

Enhanced details are available for account scoring syslog messages in each of the three formats: Standard, CEF, and JSON. In the Standard format, the fields are appended to the end of the syslog message.

```language-markup
vectra_standard_account_v2 -: ACCOUNT [account@41261 category="$category" accountName="$accountName" threat="$threat" certainty="$certainty" privilege="$privilege" scoreDecreases=$scoreDecreases URL="$url" UTCTime="$UTCTime" tags="[$tags]" hostAccessHistory="[$hostAccessHistory]" serviceAccessHistory="[$serviceAccessHistory]" lastDetectionType="$lastDetectionType" quadrant="$quadrant"]
```

In the case of CEF, the new fields are represented as a JSON string inside the msg field.

```language-markup
vectra_cef_account_v2 -: CEF:0|Vectra Networks|X Series|$version|asc|Account Score Change|3|externalId=$account_id cat=$category dvc=$headend_addr saccount=$account_uid flexNumber1Label=threat flexNumber1=$threat flexNumber2Label=certainty flexNumber2=$certainty flexNumber3Label=privilege flexNumber3=$privilege cs3Label=scoreDecreases cs3=$score_decreases cs4Label=Vectra Event URL cs4=$href start=$UTCTimeStartCEF end=$UTCTimeEndCEF msg="{'tags':[$tags],'hostAccessHistory':[$hostAccessHistory],'serviceAccessHistory':[$serviceAccessHistory], 'lastDetectionType': $last_detection_type, 'quadrant': $quadrant}"
```

In the case of JSON, the new fields appear throughout the JSON object.

```language-markup
vectra_json_account_v2 -: {"account_id": $account_id, "tags": [$tags], "service_access_history": [$serviceAccessHistory], "version": "$version", "last_detection_type": "$lastDetectionType", "href": "$href", "headend_addr": "$headend_addr", "category": "$category", "score_decreases": $scoreDecreases, "certainty": $certainty, "vectra_timestamp": "$vectra_timestamp", "host_access_history": [$hostAccessHistory], "threat": $threat, "privilege": $privilege, "account_uid": "$account_uid", "quadrant": "$quadrant"}
```

**Account Scoring Enhanced Fields Detail**

| **Key**                 | **Type** | **Description**                                                                                                      |
| ----------------------- | -------- | -------------------------------------------------------------------------------------------------------------------- |
| *$tags*                 | list     | A list of tags applied to the host.                                                                                  |
| *$hostAccessHistory*    | list     | The host access history associated with this account.                                                                |
| *$serviceAccessHistory* | list     | The service access history associated with this account.                                                             |
| *$lastDetectionType*    | str      | The most recent type of detection associated with this account.                                                      |
| *$quadrant*             | str      | The values for this field are Low, Medium, High, or Critical, and reflect the status of the given account in the UI. |
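
The host scoring and account scoring templates in the two sections above differ in field names and, notably, in timestamp units: Standard `UTCTime` and JSON `vectra_timestamp` are seconds since epoch, while CEF `start`/`end` are milliseconds. The following Python module, added as an example for this guide and not part of Vectra's software, parses all three formats for both host and account scoring into one normalised record, strips the `vectra_..._v2 -: ` program tag shown in the enhanced examples, and applies an assumed routing rule based on key-asset involvement and score direction. The sample messages are constructed from the page's templates with made-up values; the `brain01.example` host, the IDs, the `x.y` version string and the threat threshold in `triage` are placeholders.

```python
"""Normalise Vectra scoring syslog payloads (Standard, CEF, JSON) into one record.

Added example, not Vectra's code. The sample messages are constructed from the
templates on this page with made-up values; the triage thresholds are assumptions.
"""
import json
import re
from typing import Any, Dict

# Standard format: LABEL [sdid@41261 key="value" ...]; the account template leaves
# scoreDecreases unquoted, so both quoted and bare values are accepted.
_STD_RE = re.compile(r"^(?P<label>[A-Z]+)\s+\[(?P<sdid>\S+)\s+(?P<params>.*)\]\s*$")
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# CEF extension: key=value where a value may contain spaces (cs4Label=Vectra Event URL)
_CEF_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")
_CEF_KIND = {"hsc": "host", "asc": "account"}  # signature IDs from the CEF templates

# Constructed samples (made-up values on the page's templates).
SAMPLE_STANDARD = ('HOST [host@41261 category="HOST SCORING" hostName="fin-ws-07" currentIP="10.20.30.40" '
                   'dvchost="brain01" threat="70" certainty="65" privilege="3" scoreDecreases="false" '
                   'URL="https://brain01.example/hosts/42" UTCTime="1700000000" sourceKeyAsset="true" '
                   'destKeyAsset="false"]')
SAMPLE_CEF = ('CEF:0|Vectra |X Series|x.y|hsc|Host Score Change|3|externalId=42 cat=HOST SCORING '
              'dvc=10.0.0.5 dvchost=brain01 shost=fin-ws-07 src=10.20.30.40 dst=10.20.30.40 '
              'flexNumber1Label=threat flexNumber1=70 flexNumber2Label=certainty flexNumber2=65 '
              'flexNumber3Label=privilege flexNumber3=3 cs3Label=scoreDecreases cs3=false '
              'cs4Label=Vectra Event URL cs4=https://brain01.example/hosts/42 '
              'start=1699999000000 end=1700000000000 cs1Label=sourceKeyAsset cs1=true '
              'cs2Label=destKeyAsset cs2=false')
SAMPLE_JSON = ('{"version": "x.y", "dvchost": "brain01", "host_ip": "10.20.30.40", '
               '"href": "https://brain01.example/hosts/42", "src_key_asset": true, "host_id": 42, '
               '"headend_addr": "10.0.0.5", "category": "HOST SCORING", "dst_key_asset": false, '
               '"privilege": 3, "certainty": 65, "score_decreases": false, '
               '"vectra_timestamp": "1700000000", "host_name": "fin-ws-07", "threat": 70}')
SAMPLE_ACCOUNT_STD = ('vectra_standard_account_v2 -: ACCOUNT [account@41261 category="ACCOUNT SCORING" '
                      'threat="40" certainty="80" privilege="2" scoreDecreases=true '
                      'URL="https://brain01.example/accounts/7" UTCTime="1700000100"]')


def _to_bool(v: Any) -> bool:
    return str(v).strip().lower() in ("true", "1", "yes")


def _record(kind, category, threat, certainty, privilege, decreases, src_ka, dst_ka, href, end_s, subject):
    return {
        "kind": kind, "category": category, "subject": subject,
        "threat": int(threat), "certainty": int(certainty), "privilege": int(privilege),
        "score_decreases": _to_bool(decreases),
        "src_key_asset": _to_bool(src_ka), "dst_key_asset": _to_bool(dst_ka),
        "href": href, "time_end": int(end_s),  # always seconds since epoch
    }


def parse_standard(msg: str) -> Dict[str, Any]:
    m = _STD_RE.match(msg.strip())
    if not m:
        raise ValueError("not a Vectra standard-format scoring message")
    f = {k: q or bare for k, q, bare in _PARAM_RE.findall(m.group("params"))}
    return _record(m.group("sdid").split("@")[0], f["category"], f["threat"], f["certainty"],
                   f["privilege"], f.get("scoreDecreases", "false"), f.get("sourceKeyAsset", "false"),
                   f.get("destKeyAsset", "false"), f.get("URL"), f["UTCTime"],
                   f.get("hostName") or f.get("accountName"))


def parse_cef(msg: str) -> Dict[str, Any]:
    parts = msg.strip().split("|", 7)  # 7 header fields + extension
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF message")
    ext = dict(_CEF_EXT_RE.findall(parts[7]))
    # Resolve custom-field labels: flexNumber1Label=threat flexNumber1=70 -> threat=70
    labelled = {ext[k]: ext[k[:-5]] for k in ext if k.endswith("Label") and k[:-5] in ext}
    return _record(_CEF_KIND[parts[4]], ext.get("cat"), labelled["threat"], labelled["certainty"],
                   labelled["privilege"], labelled.get("scoreDecreases", "false"),
                   labelled.get("sourceKeyAsset", "false"), labelled.get("destKeyAsset", "false"),
                   labelled.get("Vectra Event URL"),
                   int(ext["end"]) // 1000,  # CEF start/end are milliseconds (page table)
                   ext.get("shost") or ext.get("saccount"))


def parse_json(msg: str) -> Dict[str, Any]:
    o = json.loads(msg)
    return _record(o["category"].split()[0].lower(), o["category"], o["threat"], o["certainty"],
                   o["privilege"], o.get("score_decreases", False), o.get("src_key_asset", False),
                   o.get("dst_key_asset", False), o.get("href"), o["vectra_timestamp"],
                   o.get("host_name") or o.get("account_uid"))


def parse_any(line: str) -> Dict[str, Any]:
    """Dispatch on format; strips a leading 'vectra_..._v2 -: ' program tag if present."""
    payload = line.split(" -: ", 1)[-1].strip()
    if payload.startswith("CEF:"):
        return parse_cef(payload)
    if payload.startswith("{"):
        return parse_json(payload)
    return parse_standard(payload)


def triage(rec: Dict[str, Any], threat_min: int = 50) -> str:
    """Assumed routing policy (not Vectra's): page when a key asset is involved and the
    score is still rising; ticket for other high-threat entities; otherwise just log."""
    key_asset = rec["src_key_asset"] or rec["dst_key_asset"]
    if rec["threat"] >= threat_min and key_asset and not rec["score_decreases"]:
        return "page"
    if rec["threat"] >= threat_min:
        return "ticket"
    return "log"


if __name__ == "__main__":
    for sample in (SAMPLE_STANDARD, SAMPLE_CEF, SAMPLE_JSON, SAMPLE_ACCOUNT_STD):
        rec = parse_any(sample)
        print(rec["kind"], rec["subject"], rec["threat"], rec["time_end"], "->", triage(rec))
```

The three host samples normalise to the same record, which is the property a collector-side parser should be tested for before a format switch on the Brain; the one unit conversion that matters is the CEF millisecond timestamp, which `parse_cef` divides down so downstream age calculations do not drift by three orders of magnitude.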

</details>

## Host Detection Log Events

<details>

<summary>Expand/Collapse for Details</summary>

**Host Detection Standard Syslog Message Example**

```language-markup
DETECT [detection@41261 category="$category" type="$d_type_vname" hostname="$host_name" currentIP="$host_ip" dvchost="$dvchost" threat="$threat" certainty="$certainty" URL="$href" DestinationIP="$dd_dst_ip" DestinationDomain="$dd_dst_dns" DestinationPort="$dd_dst_port" Proto="$dd_proto" triaged="$triaged" BytesSent="$dd_bytes_sent" BytesRcvd="$dd_bytes_rcvd" UTCTimeStart="$UTCTimeStart" UTCTimeEnd="$UTCTimeEnd"]
```

**Host Detection Standard Syslog Message Detail**

| **Key**            | **Type** | **Description**                                                                                                                                                                                  |
| ------------------ | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| *$category*        | str      | The category of the detection (e.g., EXFILTRATION)                                                                                                                                               |
| *$certainty*       | int      | The certainty of the detection                                                                                                                                                                   |
| *$d\_type\_vname*  | str      | The name of the detection. For possible detection names, please see [Understanding Vectra AI Detections](https://docs.vectra.ai/operations/analyst-guidance/understanding-vectra-ai-detections). |
| *$dd\_bytes\_rcvd* | int      | Meaning differs depending on detection type. Does not apply to all detections. Defaults to 0                                                                                                     |
| *$dd\_bytes\_sent* | int      | The number of bytes in the traffic that caused the detection. Does not apply to all detections. Defaults to 0                                                                                    |
| *$dd\_dst\_dns*    | str      | The destination domain name of detection event                                                                                                                                                   |
| *$dd\_dst\_ip*     | str      | The destination IP address of detection event                                                                                                                                                    |
| *$dd\_dst\_port*   | int      | The port of the attacked host. Defaults to 80                                                                                                                                                    |
| *$dd\_proto*       | str      | The protocol over which this detection fired (e.g., tcp). Does not apply to all detections. Defaults to empty string                                                                             |
| *$dvchost*         | str      | The hostname of the Vectra Brain                                                                                                                                                                 |
| *$host\_name*      | str      | The hostname of the host that triggered the detection                                                                                                                                            |
| *$host\_ip*        | str      | The IP of the host that triggered the detection                                                                                                                                                  |
| *$href*            | str      | A link to this detection in the UI                                                                                                                                                               |
| *$threat*          | int      | The threat score of this detection                                                                                                                                                               |
| *$triaged*         | bool     | Whether the detection has been triaged yet or not                                                                                                                                                |
| *$UTCTimeEnd*      | int      | Seconds since epoch for event end                                                                                                                                                                |
| *$UTCTimeStart*    | int      | Seconds since epoch for event start                                                                                                                                                              |

**Host Detection CEF Syslog Message Example**

```language-markup
CEF:0|Vectra |X Series|$version|$d_type|$d_type_vname|$severity|externalId=$detection_id cat=$category dvc=$headend_addr dvchost=$dvchost shost=$host_name src=$host_ip flexNumber1Label=threat flexNumber1=$threat flexNumber2Label=certainty flexNumber2=$certainty cs4Label=Vectra Event URL cs4=$href cs5Label=triaged cs5=$triaged dst=$dd_dst_ip dhost=$dd_dst_dns proto=$dd_proto dpt=$dd_dst_port out=$dd_bytes_sent in=$dd_bytes_rcvd start=$UTCTimeStartCEF end=$UTCTimeEndCEF
```

**Host Detection CEF Syslog Message Detail**

| **Key**          | **Type** | **Description**                                                                                                                                                                                  |
| ---------------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| $category        | str      | The category of the detection (e.g., EXFILTRATION)                                                                                                                                               |
| $certainty       | int      | The certainty of the detection                                                                                                                                                                   |
| $d\_type         | str      | The Vectra internal representation of detection name (e.g., smash\_n\_grab, or sql\_injection)                                                                                                   |
| $d\_type\_vname  | str      | The name of the detection. For possible detection names, please see [Understanding Vectra AI Detections](https://docs.vectra.ai/operations/analyst-guidance/understanding-vectra-ai-detections). |
| $dd\_bytes\_rcvd | int      | Meaning differs depending on detection type. Does not apply to all detections. Defaults to 0                                                                                                     |
| $dd\_bytes\_sent | int      | The number of bytes in the traffic that caused the detection. Does not apply to all detections. Defaults to 0                                                                                    |
| $dd\_dst\_dns    | str      | The destination domain name of detection event                                                                                                                                                   |
| $dd\_dst\_ip     | str      | The destination IP address of detection event                                                                                                                                                    |
| $dd\_dst\_port   | int      | The port of the attacked host. Defaults to 80                                                                                                                                                    |
| $dd\_proto       | str      | The protocol over which this detection fired (e.g., tcp). Does not apply to all detections. Defaults to empty string                                                                             |
| $detection\_id   | int      | The ID of the detection                                                                                                                                                                          |
| $dvchost         | str      | The hostname of the Vectra Brain                                                                                                                                                                 |
| $headend\_addr   | str      | The IP of the Vectra Brain                                                                                                                                                                       |
| $host\_ip        | str      | The IP of the host that triggered the detection                                                                                                                                                  |
| $host\_name      | str      | The hostname of the host that triggered the detection                                                                                                                                            |
| $href            | str      | A link to this detection in the UI                                                                                                                                                               |
| $severity        | int      | A score proportional to threat                                                                                                                                                                   |
| $threat          | int      | The threat score of this detection                                                                                                                                                               |
| $triaged         | bool     | Whether the detection has been triaged yet or not                                                                                                                                                |
| $UTCTimeEndCEF   | int      | Milliseconds since epoch for event end                                                                                                                                                           |
| $UTCTimeStartCEF | int      | Milliseconds since epoch for event start                                                                                                                                                         |
| $version         | str      | The version running on the Vectra Brain                                                                                                                                                          |

**Host Detection JSON Syslog Message Example**

```language-markup
{"d_type_vname": "$d_type_vname", "dvchost": "$dvchost", "host_ip": "$host_ip", "href": "$href", "detection_id": $detection_id, "dd_bytes_sent": $dd_bytes_sent, "headend_addr": "$headend_addr", "dd_dst_port": $dd_dst_port, "category": "$category", "dd_bytes_rcvd": $dd_bytes_rcvd, "dd_dst_dns": "$dd_dst_dns", "severity": $severity, "certainty": $certainty, "triaged": $triaged, "vectra_timestamp": "$timestamp", "version": "$version", "host_name": "$host_name", "threat": $threat, "dd_dst_ip": "$dd_dst_ip", "dd_proto": "$dd_proto", "d_type": "$d_type"}
```

**Host Detection JSON Syslog Message Detail**

| **Key**            | **Type** | **Description**                                                                                                                                                                                  |
| ------------------ | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| *$category*        | str      | The category of the detection (e.g., EXFILTRATION)                                                                                                                                               |
| *$certainty*       | int      | The certainty of the detection                                                                                                                                                                   |
| *$detection\_id*   | int      | The ID of the detection                                                                                                                                                                          |
| *$d\_type*         | str      | The Vectra internal representation of detection name (e.g., smash\_n\_grab, or sql\_injection)                                                                                                   |
| *$d\_type\_vname*  | str      | The name of the detection. For possible detection names, please see [Understanding Vectra AI Detections](https://docs.vectra.ai/operations/analyst-guidance/understanding-vectra-ai-detections). |
| *$dd\_bytes\_rcvd* | int      | Meaning differs depending on detection type. Does not apply to all detections. Defaults to 0                                                                                                     |
| *$dd\_bytes\_sent* | int      | The number of bytes in the traffic that caused the detection. Does not apply to all detections. Defaults to 0                                                                                    |
| *$dd\_dst\_dns*    | str      | The destination domain name of detection event                                                                                                                                                   |
| *$dd\_dst\_ip*     | str      | The destination IP address of detection event                                                                                                                                                    |
| *$dd\_dst\_port*   | int      | The port of the attacked host. Defaults to 80                                                                                                                                                    |
| *$dd\_proto*       | str      | The protocol over which this detection fired (e.g., tcp). Does not apply to all detections. Defaults to empty string.                                                                            |
| *$dvchost*         | str      | The hostname of the Vectra Brain                                                                                                                                                                 |
| *$headend\_addr*   | str      | The IP of the Vectra Brain                                                                                                                                                                       |
| *$host\_ip*        | str      | The IP of the host that triggered the detection                                                                                                                                                  |
| *$host\_name*      | str      | The hostname of the host that triggered the detection                                                                                                                                            |
| *$href*            | str      | A link to this detection in the UI                                                                                                                                                               |
| *$severity*        | int      | A score proportional to threat                                                                                                                                                                   |
| *$threat*          | int      | The threat score of this detection                                                                                                                                                               |
| *$timestamp*       | int      | Timestamp in seconds since epoch                                                                                                                                                                 |
| *$triaged*         | bool     | Whether the detection has been triaged yet or not                                                                                                                                                |
| *$version*         | str      | The version running on the Vectra Brain                                                                                                                                                          |

**Host Detection Enhanced Details**

When enhanced details are enabled for host detections, the enhanced fields are appended to the end of the existing syslog message in the Standard and CEF formats. In the JSON format they are added as additional keys; JSON objects are unordered by convention, so parsers should look these keys up by name rather than by position.

| **Key**  | **Type** | **Description**                                      |
| -------- | -------- | ---------------------------------------------------- |
| *$MITRE* | str      | The MITRE ATT&CK technique ID(s) (T-numbers) associated with the detection. |
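
The Standard, CEF and JSON messages above carry the same detection in three encodings, and the enhanced-details fields ride along as extra key/value pairs. The following Python is an added example (not Vectra's code and not taken from this page) that parses each format into one common record: it splits the Standard message's `detection@41261` structured-data element into key/value pairs, walks the CEF header and extension (resolving `flexNumber1Label=threat flexNumber1=70` to `threat=70` and allowing values such as `cs4Label=Vectra Event URL` to contain spaces), converts the millisecond CEF `start`/`end` to the seconds the Standard format uses, and loads the JSON directly. The hostnames, IPs, scores, detection ID, URL and version in the sample messages are constructed, and the assumption that `"`, `\` and `]` inside Standard values are backslash-escaped as in RFC 5424 structured data is the example's, not the page's.

```python
"""Normalize Vectra host-detection syslog messages (Standard, CEF, JSON) into one record.
Added example, not Vectra's code; the samples are constructed from the layouts on this page."""
import json
import re

STANDARD_SAMPLE = (
    'DETECT [detection@41261 category="EXFILTRATION" type="Smash and Grab" hostname="ws-0142" '
    'currentIP="10.20.30.40" dvchost="vectra-brain" threat="70" certainty="85" '
    'URL="https://vectra.example/detections/1234" DestinationIP="203.0.113.7" '
    'DestinationDomain="drop.example.net" DestinationPort="443" Proto="tcp" triaged="False" '
    'BytesSent="734003200" BytesRcvd="1024" UTCTimeStart="1700000000" UTCTimeEnd="1700003600" '
    'MITRE="T1048"]')  # trailing MITRE= is an appended enhanced-details field
CEF_SAMPLE = (
    'CEF:0|Vectra|X Series|7.6|smash_n_grab|Smash and Grab|7|externalId=1234 cat=EXFILTRATION '
    'dvc=10.0.0.5 dvchost=vectra-brain shost=ws-0142 src=10.20.30.40 flexNumber1Label=threat '
    'flexNumber1=70 flexNumber2Label=certainty flexNumber2=85 cs4Label=Vectra Event URL '
    'cs4=https://vectra.example/detections/1234 cs5Label=triaged cs5=False dst=203.0.113.7 '
    'dhost=drop.example.net proto=tcp dpt=443 out=734003200 in=1024 '
    'start=1700000000000 end=1700003600000')
JSON_SAMPLE = json.dumps({
    "d_type_vname": "Smash and Grab", "dvchost": "vectra-brain", "host_ip": "10.20.30.40",
    "href": "https://vectra.example/detections/1234", "detection_id": 1234, "severity": 7,
    "dd_bytes_sent": 734003200, "dd_bytes_rcvd": 1024, "dd_dst_port": 443, "dd_proto": "tcp",
    "category": "EXFILTRATION", "dd_dst_dns": "drop.example.net", "dd_dst_ip": "203.0.113.7",
    "certainty": 85, "threat": 70, "triaged": False, "vectra_timestamp": "1700003600",
    "version": "7.6", "host_name": "ws-0142", "headend_addr": "10.0.0.5", "d_type": "smash_n_grab"})

# Per-format source key -> common record key; anything unmapped lands in rec["extra"].
COMMON = ["type", "category", "host_name", "host_ip", "dvchost", "threat", "certainty", "url",
          "dst_ip", "dst_dns", "dst_port", "proto", "bytes_sent", "bytes_rcvd", "triaged",
          "start", "end", "detection_id"]
STANDARD_MAP = dict(zip(["type", "category", "hostname", "currentIP", "dvchost", "threat",
                         "certainty", "URL", "DestinationIP", "DestinationDomain",
                         "DestinationPort", "Proto", "BytesSent", "BytesRcvd", "triaged",
                         "UTCTimeStart", "UTCTimeEnd"], COMMON))
CEF_MAP = dict(zip(["name", "cat", "shost", "src", "dvchost", "threat", "certainty",
                    "Vectra Event URL", "dst", "dhost", "dpt", "proto", "out", "in", "triaged",
                    "start", "end", "externalId"], COMMON))
JSON_MAP = dict(zip(["d_type_vname", "category", "host_name", "host_ip", "dvchost", "threat",
                     "certainty", "href", "dd_dst_ip", "dd_dst_dns", "dd_dst_port", "dd_proto",
                     "dd_bytes_sent", "dd_bytes_rcvd", "triaged"], COMMON),
                detection_id="detection_id")
INT_FIELDS = {"threat", "certainty", "dst_port", "bytes_sent", "bytes_rcvd", "detection_id",
              "start", "end"}

def _to_int(v):
    return None if v in (None, "") else int(v)

def _to_bool(v):
    return v if isinstance(v, bool) else str(v).strip().lower() in ("true", "1")

def _build(fmt, fields, mapping, ts_divisor=1):
    rec = {"format": fmt, "extra": {}, **{k: None for k in COMMON}}
    for key, value in fields.items():
        target = mapping.get(key)
        if target is None:
            rec["extra"][key] = value          # e.g. MITRE and other enhanced-details fields
        elif target in INT_FIELDS:
            n = _to_int(value)                 # start/end are normalized to seconds since epoch
            rec[target] = n // ts_divisor if (n is not None and target in ("start", "end")) else n
        elif target == "triaged":
            rec[target] = _to_bool(value)
        else:
            rec[target] = value
    return rec

def parse_standard(line):
    m = re.match(r'\s*DETECT \[detection@\d+ (.*)\]\s*$', line)
    if not m:
        raise ValueError("not a Vectra standard DETECT message")
    # Assumes RFC 5424 structured-data escaping: `"`, `\` and `]` in values carry a backslash.
    pairs = re.findall(r'(\w+)="((?:[^"\\]|\\.)*)"', m.group(1))
    return {k: re.sub(r'\\(["\\\]])', r'\1', v) for k, v in pairs}

_CEF_KEY = re.compile(r'(?:^|(?<=\s))([A-Za-z0-9_.]+)=')   # an unescaped `key=` token

def _cef_unescape(v):
    return re.sub(r'\\(.)', lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), v)

def parse_cef_extension(ext):
    # CEF values may contain spaces (cs4Label=Vectra Event URL): a value runs from its key
    # to the next `key=` token, not to the next space; `\=` `\\` `\n` `\r` are escapes.
    keys = list(_CEF_KEY.finditer(ext))
    ends = [k.start() for k in keys[1:]] + [len(ext)]
    return {m.group(1): _cef_unescape(ext[m.end():end].strip()) for m, end in zip(keys, ends)}

def parse_cef(line):
    head = re.split(r'(?<!\\)\|', line.strip(), maxsplit=7)   # 7 header fields + extension
    if len(head) != 8 or head[0] != "CEF:0":
        raise ValueError("not a CEF:0 message")
    ext = parse_cef_extension(head[7])
    # Resolve custom-field labels: flexNumber1Label=threat flexNumber1=70 becomes threat=70.
    fields = {ext.get(k + "Label", k): v for k, v in ext.items() if not k.endswith("Label")}
    fields.update(name=_cef_unescape(head[5]), signatureId=head[4], severity=head[6], version=head[3])
    return fields

def normalize(line):
    s = line.lstrip()
    if s.startswith("{"):
        return _build("json", json.loads(s), JSON_MAP)
    if s.startswith("CEF:"):
        return _build("cef", parse_cef(s), CEF_MAP, ts_divisor=1000)   # CEF start/end are ms
    return _build("standard", parse_standard(s), STANDARD_MAP)
```

Whatever a per-format map does not recognise (the MITRE field, the CEF `dvc` and header values, the JSON `severity`, `version` and `vectra_timestamp`) ends up in `extra`, so newly appended enhanced-details keys do not break the parser, and a collector rule that wants, say, untriaged detections with threat above 50 reads the same `threat` and `triaged` keys whichever format the Brain is configured to send.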

**Host Detection per Detection Type Enhanced Detail Message Detail**

| **Detection**               | **Standard**                                      | **CEF**            | **JSON**                                               | **Description**                        |
| --------------------------- | ------------------------------------------------- | ------------------ | ------------------------------------------------------ | -------------------------------------- |
| Cryptocurrency Mining       | Count="$count"                                    | cnt=$count         | "count": "$count"                                      | The number of attempts.                |
| Outbound DoS                | DosType="$dos_type"                               | msg=$dos_type      | "dos_type": "$dos_type"                                | The DoS type.                          |
| Outbound Port Sweep         | NumAttempts="$num_attempts"                       | cnt=$num_attempts  | "num_attempts": "$num_attempts"                        | The number of attempts.                |
|                             | Networks="$networks"                              | msg=$networks      | "networks": "$networks"                                | The target subnets.                    |
| Brute-Force                 | Count="$count"                                    | cnt=$count         | "count": "$count"                                      | The number of attempts.                |
| Ransomware File Activity    | Count="$count"                                    | cnt=$count         | "count": "$count"                                      | The number of files affected.          |
|                             | Shares="$shares"                                  | msg=$shares        | "shares": "$shares"                                    | The related file shares.               |
|                             | Extensions="$extensions"                          |                    | "extensions": "$extensions"                            | File extensions used.                  |
|                             | RansomNotes="$ransom_notes"                       |                    | "ransom_notes": "$ransom_notes"                        | Ransom notes found.                    |
| Shell Knocker Client        | SentPattern="$sent_pattern"                       |                    | "sent_pattern": "$sent_pattern"                        | The sent pattern.                      |
|                             | SentNormalPattern="$sent_normal_pattern"          |                    | "sent_normal_pattern": "$sent_normal_pattern"          | Example sent normal pattern.           |
|                             | ReceivedPattern="$received_pattern"               |                    | "received_pattern": "$received_pattern"                | The received pattern.                  |
|                             | ReceivedNormalPattern="$received_normal_pattern"  |                    | "received_normal_pattern": "$received_normal_pattern"  | Example received normal pattern.       |
| SMB Brute-Force             | Count="$count"                                    | cnt=$count         | "count": "$count"                                      | The number of attempts.                |
|                             | Reason="$reason"                                  | msg=$reason        | "reason": "$reason"                                    | The error code.                        |
|                             | Accounts="$accounts"                              |                    | "accounts": "$accounts"                                | The related accounts.                  |
|                             | Shares="$shares"                                  |                    | "shares": "$shares"                                    | The related shares.                    |
| SQL Injection Activity      | SQLFragment="$sql_fragment"                       | msg=$sql_fragment  | "sql_fragment": "$sql_fragment"                        | The SQL fragment.                      |
|                             | HTTPSegment="$http_segment"                       |                    | "http_segment": "$http_segment"                        | The HTTP segment.                      |
|                             | UserAgent="$user_agent"                           |                    | "user_agent": "$user_agent"                            | The user agent.                        |
|                             | ResponseCode="$response_code"                     |                    | "response_code": "$response_code"                      | The HTTP response code.                |
| Suspicious Admin            | NormalServers="$normal_servers"                   |                    | "normal_servers": "$normal_servers"                    | The normal servers observed.           |
|                             | NormalAdmins="$normal_admins"                     |                    | "normal_admins": "$normal_admins"                      | The normal admins observed.            |
| Suspicious Remote Desktop   | Reason="$reason"                                  | msg=$reason        | "reason": "$reason"                                    | The reason this is suspicious.         |
|                             | ClientToken="$client_token"                       |                    | "client_token": "$client_token"                        | The RDP client token.                  |
|                             | ClientName="$client_name"                         |                    | "client_name": "$client_name"                          | The RDP client name.                   |
|                             | KeyboardID="$keyboard_id"                         |                    | "keyboard_id": "$keyboard_id"                          | The keyboard layout ID.                |
|                             | KeyboardName="$keyboard_name"                     |                    | "keyboard_name": "$keyboard_name"                      | The keyboard layout name.              |
|                             | ProductID="$product_id"                           |                    | "product_id": "$product_id"                            | The unusual product ID.                |
| Suspicious Remote Execution | Function="$function"                              | msg=$function      | "function": "$function"                                | The executed function.                 |
|                             | Account="$account"                                |                    | "account": "$account"                                  | The related user account.              |
|                             | UUID="$uuid"                                      |                    | "uuid": "$uuid"                                        | The RPC UUID.                          |
|                             | NamedPipe="$namedpipe"                            |                    | "namedpipe": "$namedpipe"                              | The named pipe.                        |
| Internal Stage Loader       | StageLoaderBytesSent="$bytes_sent"                |                    | "bytes_sent": "$bytes_sent"                            | The bytes of data sent.                |
|                             | StageLoaderBytesReceived="$bytes_received"        |                    | "bytes_received": "$bytes_received"                    | The bytes of data received.            |
| Suspicious LDAP Query       | Count="$count"                                    | cnt=$count         | "count": "$count"                                      | The number of objects received.        |
|                             | Request="$request"                                | msg=$request       | "request": "$request"                                  | The LDAP request.                      |
|                             | BaseObject="$base_object"                         |                    | "base_object": "$base_object"                          | The base distinguished name.           |
|                             | ResponseCode="$response_code"                     |                    | "response_code": "$response_code"                      | The response code.                     |
| RPC Recon                   | UUID="$uuid"                                      | msg=$uuid          | "uuid": "$uuid"                                        | The RPC UUID.                          |
|                             | Count="$count"                                    | cnt=$count         | "count": "$count"                                      | The number of internal targets.        |
| RDP Recon                   | Count="$count"                                    | cnt=$count         | "count": "$count"                                      | The number of attempts.                |
|                             | ClientName="$client_name"                         | msg=$client_name   | "client_name": "$client_name"                          | The RDP client name.                   |
|                             | Cookie="$cookie"                                  |                    | "cookie": "$cookie"                                    | The RDP client token.                  |
| SMB Account Scan            | Count="$count"                                    | cnt=$count         | "count": "$count"                                      | The number of attempts.                |
|                             | Accounts="$accounts"                              | msg=$accounts      | "accounts": "$accounts"                                | The related accounts.                  |
| Port Sweep                  | NumAttempts="$num_attempts"                       | cnt=$num_attempts  | "num_attempts": "$num_attempts"                        | The number of attempts.                |
|                             | DstIPs="$dst_ips"                                 | msg=$dst_ips       | "dst_ips": "$dst_ips"                                  | The target subnets.                    |
| Port Scan                   | Scans="$scans"                                    | cnt=$scans         | "scans": "$scans"                                      | The number of attempts.                |
|                             | Ports="$ports"                                    | msg=$ports         | "ports": "$ports"                                      | Ports scanned.                         |
|                             | Successes="$successes"                            |                    | "successes": "$successes"                              | The number of successes.               |
| File Share Enumeration      | Count="$count"                                    | cnt=$count         | "count": "$count"                                      | The number of file shares enumerated.  |
|                             | Shares="$shares"                                  | msg=$shares        | "shares": "$shares"                                    | The shares enumerated.                 |
|                             | Accounts="$accounts"                              |                    | "accounts": "$accounts"                                | The related accounts.                  |
| External Remote Access      | Count="$count"                                    | cnt=$count         | "count": "$count"                                      | The number of sessions.                |
| Hidden DNS Tunnel           | Count="$count"                                    | cnt=$count         | "count": "$count"                                      | The number of sessions.                |
| TOR Activity                | Count="$count"                                    | cnt=$count         | "count": "$count"                                      | The number of sessions.                |
| Hidden HTTPS Tunnel         | TunnelType="$tunnel_type"                         | msg=$tunnel_type   | "tunnel_type": "$tunnel_type"                          | The type of hidden tunnel.             |
| Threat Intelligence Match   | ThreatFeeds="$threat_feeds"                       | msg=$threat_feeds  | "threat_feeds": "$threat_feeds"                        | The name of the threat feed.           |
|                             | Reason="$reason"                                  |                    | "reason": "$reason"                                    | The indicating reason.                 |
|                             | MatchedDomain="$matched_domain" (CNC)             |                    | "matched_domain": "$matched_domain"                    | The matched domain.                    |
|                             | MatchedIP="$matched_ip" (Exfil)                   |                    | "matched_ip": "$matched_ip"                            | The matched IP.                        |
|                             | MatchedUserAgent="$matched_user_agent" (Lateral)  |                    | "matched_user_agent": "$matched_user_agent"            | The matched user-agent.                |
| Suspicious HTTP             | HttpMethod="$http_method"                         |                    | "http_method": "$http_method"                          | The HTTP method.                       |
|                             | URL="$url"                                        |                    | "url": "$url"                                          | The suspicious URL.                    |
|                             | Referer="$referer"                                |                    | "referer": "$referer"                                  | The referer.                           |
|                             | Host="$host"                                      |                    | "host": "$host"                                        | The suspicious host.                   |
|                             | ReplyCacheControl="$reply_cache_control"          |                    | "reply_cache_control": "$reply_cache_control"          | The reply Cache-Control setting.       |
| Suspicious Relay            | IP="$ip"                                          |                    | "ip": "$ip"                                            | The internal target host.              |
|                             | Protocol="$protocol"                              |                    | "protocol": "$protocol"                                | The external protocol used.            |
|                             | Port="$port"                                      |                    | "port": "$port"                                        | The external port used.                |
| Data Smuggler               | ProxiedDst="foo.com"                              | msg=foo.com        | "proxied_dst": "foo.com"                               | The domain name or IP of the proxy.    |
| Smash and Grab              | ProxiedDst="foo.com"                              | msg=foo.com        | "proxied_dst": "foo.com"                               | The domain name or IP of the proxy.    |

</details>

## Account Detection Log Events

<details>

<summary>Expand/Collapse for Details</summary>

**Account Detection Standard Syslog Message Example**

```language-markup
DETECT [detection@41261 category="$category" type="$d_type_vname" account="$account" threat="$threat" certainty="$certainty" URL="$href" DestinationIP="$dd_dst_ip" DestinationDomain="$dd_dst_dns" DestinationPort="$dd_dst_port" triaged="$triaged" BytesSent="$dd_bytes_sent" BytesRcvd="$dd_bytes_rcvd" UTCTimeStart="$UTCTimeStart" UTCTimeEnd="$UTCTimeEnd"]
```

**Account Detection Standard Syslog Message Detail**

| **Key**            | **Type** | **Description**                                                                                                                                                                                  |
| ------------------ | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| *$account*         | str      | The account associated with this detection.                                                                                                                                                      |
| *$category*        | str      | The category of the detection (e.g., EXFILTRATION)                                                                                                                                               |
| *$certainty*       | int      | The certainty of the detection                                                                                                                                                                   |
| *$d\_type\_vname*  | str      | The name of the detection. For possible detection names, please see [Understanding Vectra AI Detections](https://docs.vectra.ai/operations/analyst-guidance/understanding-vectra-ai-detections). |
| *$dd\_bytes\_rcvd* | int      | Meaning differs depending on detection type. Does not apply to all detections. Defaults to 0                                                                                                     |
| *$dd\_bytes\_sent* | int      | The number of bytes in the traffic that caused the detection. Does not apply to all detections. Defaults to 0                                                                                    |
| *$dd\_dst\_dns*    | str      | The destination domain name of detection event                                                                                                                                                   |
| *$dd\_dst\_ip*     | str      | The destination IP address of detection event                                                                                                                                                    |
| *$dd\_dst\_port*   | int      | The port of the attacked host. Defaults to 80                                                                                                                                                    |
| *$href*            | str      | A link to this detection in the UI                                                                                                                                                               |
| *$threat*          | int      | The threat score of this detection                                                                                                                                                               |
| *$triaged*         | bool     | Whether the detection has been triaged yet or not                                                                                                                                                |
| *$UTCTimeEnd*      | int      | Seconds since epoch for event end                                                                                                                                                                |
| *$UTCTimeStart*    | int      | Seconds since epoch for event start                                                                                                                                                              |

**Account Detection CEF Syslog Message Example**

```language-markup
CEF:0|Vectra |X Series|$version|$d_type|$d_type_vname|$severity|externalId=$detection_id cat=$category dvc=$headend_addr account=$account flexNumber1Label=threat flexNumber1=$threat flexNumber2Label=certainty flexNumber2=$certainty cs4Label=Vectra Event URL cs4=$href cs5Label=triaged cs5=$triaged dst=$dd_dst_ip dhost=$dd_dst_dns dpt=$dd_dst_port out=$dd_bytes_sent in=$dd_bytes_rcvd start=$UTCTimeStartCEF end=$UTCTimeEndCEF
```

**Account Detection CEF Syslog Message Detail**

| Key                | Type | Description                                                                                                                                                                                      |
| ------------------ | ---- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| *$dd\_bytes\_rcvd* | int  | Meaning differs depending on detection type. Does not apply to all detections. Defaults to 0                                                                                                     |
| *$dd\_bytes\_sent* | int  | The number of bytes in the traffic that caused the detection. Does not apply to all detections. Defaults to 0                                                                                    |
| *$dd\_dst\_dns*    | str  | The destination domain name of detection event                                                                                                                                                   |
| *$dd\_dst\_ip*     | str  | The destination IP address of detection event                                                                                                                                                    |
| *$dd\_dst\_port*   | int  | The port of the attacked host. Defaults to 80                                                                                                                                                    |
| *$detection\_id*   | int  | The ID of the detection                                                                                                                                                                          |
| *$headend\_addr*   | str  | The IP of the Vectra Brain                                                                                                                                                                       |
| *$href*            | str  | A link to this detection in the UI                                                                                                                                                               |
| *$severity*        | int  | A score proportional to threat                                                                                                                                                                   |
| *$threat*          | int  | The threat score of this detection                                                                                                                                                               |
| *$triaged*         | bool | Whether the detection has been triaged yet or not                                                                                                                                                |
| *$UTCTimeEndCEF*   | int  | Milliseconds since epoch for event end                                                                                                                                                           |
| *$UTCTimeStartCEF* | int  | Milliseconds since epoch for event start                                                                                                                                                         |
| *$version*         | str  | The version of Vectra platform running the Vectra Brain                                                                                                                                          |
| *$account*         | str  | The account associated with this detection.                                                                                                                                                      |
| *$category*        | str  | The category of the detection (e.g., EXFILTRATION)                                                                                                                                               |
| *$certainty*       | int  | The certainty of the detection                                                                                                                                                                   |
| *$d\_type*         | str  | The Vectra internal representation of detection name (e.g., smash\_n\_grab, or sql\_injection)                                                                                                   |
| *$d\_type\_vname*  | str  | The name of the detection. For possible detection names, please see [Understanding Vectra AI Detections](https://docs.vectra.ai/operations/analyst-guidance/understanding-vectra-ai-detections). |

**Account Detection JSON Syslog Message Example**

```language-markup
{"d_type_vname": "$d_type_vname", "dvchost": "$dvchost", "href": "$href", "detection_id": $detection_id, "dd_bytes_sent": $dd_bytes_sent, "headend_addr": "$headend_addr", "dd_dst_port": $dd_dst_port, "category": "$category", "dd_bytes_rcvd": $dd_bytes_rcvd, "dd_dst_dns": "$dd_dst_dns", "severity": $severity, "certainty": $certainty, "triaged": $triaged, "vectra_timestamp": "$timestamp", "account_uid": "$account_uid", "version": "$version", "threat": $threat, "dd_dst_ip": "$dd_dst_ip", "d_type": "$d_type"}
```

**Account Detection JSON Syslog Message Detail**

| **Key**            | **Type** | **Description**                                                                                                                                                                                  |
| ------------------ | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| *$account\_uid*    | str      | The account name                                                                                                                                                                                 |
| *$category*        | str      | The category of the detection (e.g., EXFILTRATION)                                                                                                                                               |
| *$certainty*       | int      | The certainty of the detection                                                                                                                                                                   |
| *$detection\_id*   | int      | The ID of the detection                                                                                                                                                                          |
| *$d\_type*         | str      | The Vectra internal representation of detection name (e.g., smash\_n\_grab, or sql\_injection)                                                                                                   |
| *$d\_type\_vname*  | str      | The name of the detection. For possible detection names, please see [Understanding Vectra AI Detections](https://docs.vectra.ai/operations/analyst-guidance/understanding-vectra-ai-detections). |
| *$dd\_bytes\_rcvd* | int      | Meaning differs depending on detection type. Does not apply to all detections. Defaults to 0                                                                                                     |
| *$dd\_bytes\_sent* | int      | The number of bytes in the traffic that caused the detection. Does not apply to all detections. Defaults to 0                                                                                    |
| *$dd\_dst\_dns*    | str      | The destination domain name of detection event                                                                                                                                                   |
| *$dd\_dst\_ip*     | str      | The destination IP address of detection event                                                                                                                                                    |
| *$dd\_dst\_port*   | int      | The port of the attacked host. Defaults to 80                                                                                                                                                    |
| *$dvchost*         | str      | The hostname of the Vectra Brain                                                                                                                                                                 |
| *$headend\_addr*   | str      | The IP of the Vectra Brain                                                                                                                                                                       |
| *$href*            | str      | A link to this detection in the UI                                                                                                                                                               |
| *$severity*        | int      | A score proportional to threat                                                                                                                                                                   |
| *$threat*          | int      | The threat score of this detection                                                                                                                                                               |
| *$timestamp*       | int      | Timestamp in seconds since epoch                                                                                                                                                                 |
| *$triaged*         | bool     | Whether the detection has been triaged yet or not                                                                                                                                                |
| *$version*         | str      | The version running on the Vectra Brain                                                                                                                                                          |

**Account Detection Enhanced Details**

When enhanced details are enabled for Account Detections, the enhanced fields are appended to the end of the existing syslog message in the Standard and CEF formats. JSON objects are unordered by convention, so no fixed position is guaranteed for the enhanced keys in the JSON format.

| **Key**  | **Type** | **Description**                                      |
| -------- | -------- | ---------------------------------------------------- |
| *$MITRE* | str      | The MITRE T-Number(s) associated with the detection. |

**Account Detection Enhanced Fields Detail**

<table data-header-hidden><thead><tr><th valign="top"></th><th valign="top"></th><th valign="top"></th><th valign="top"></th><th valign="top"></th></tr></thead><tbody><tr><td valign="top">Detection</td><td valign="top">Standard</td><td valign="top">CEF</td><td valign="top">JSON</td><td valign="top">Description</td></tr><tr><td valign="top">Privilege Anomaly</td><td valign="top">AccountName="$account_name"</td><td valign="top">msg=$account_name</td><td valign="top">"account_name": "$account_name"</td><td valign="top">The account name.</td></tr><tr><td valign="top"></td><td valign="top">AccountInfo="$account_info"</td><td valign="top"></td><td valign="top">"account_info": [$account_privilege_score, $account_privilege_level]</td><td valign="top">The account information, consisting of account privilege score and privilege level.</td></tr><tr><td valign="top"></td><td valign="top">ServiceName="$service_name"</td><td valign="top"></td><td valign="top">"service_name": "$service_name"</td><td valign="top">The service name.</td></tr><tr><td valign="top"></td><td valign="top">ServiceInfo="$service_info"</td><td valign="top"></td><td valign="top">"service_info": [$service_privilege_score, $service_privilege_level]</td><td valign="top">The service information, consisting of service privilege score and privilege level.</td></tr><tr><td valign="top">Data Smuggler</td><td valign="top">ProxiedDst="foo.com"</td><td valign="top">msg=foo.com</td><td valign="top">"proxied_dst": "foo.com"</td><td valign="top">The domain name or IP of the proxy.</td></tr><tr><td valign="top">Smash and Grab</td><td valign="top">ProxiedDst="foo.com"</td><td valign="top">msg=foo.com</td><td valign="top">"proxied_dst": "foo.com"</td><td valign="top">The domain name or IP of the proxy.</td></tr></tbody></table>

</details>

## Account Lockdown Log Events

<details>

<summary>Expand/Collapse for Details</summary>

**Account Lockdown Standard Syslog Message Example**

```language-markup
LOCKDOWN [lockdown@41261 category="$category" accountName="$account_name" action="$action" success="$success" dvc="$headend_addr" user="$user" URL="$href" UTCTime="$UTCTime"]
```

**Account Lockdown Standard Syslog Message Detail**

| **Key**          | **Type** | **Description**                                                |
| ---------------- | -------- | -------------------------------------------------------------- |
| *$account\_name* | str      | The name of the account.                                       |
| *$action*        | str      | The action taken on the account (e.g., lock or unlock)         |
| *$category*      | str      | The category of the event (e.g., LOCKDOWN)                     |
| *$headend\_addr* | str      | The IP of the Vectra Brain.                                    |
| *$user*          | int      | The username of the person that performed the lockdown action. |
| *$success*       | bool     | Confirmation if the lockdown action was successful.            |
| *$href*          | str      | A link to the account in the UI.                               |
| *$UTCTime*       | int      | Seconds since epoch for this event                             |

**Account Lockdown CEF Syslog Message Example**

```language-markup
CEF:0|Vectra Networks|X Series|$version|lockdown|Account Lockdown|3|externalId=$account_id cat=$category dvc=$headend_addr suser=$user account=$account_name cs1Label=action cs1=$action cs2Label=success cs2=$success cs4Label=Vectra Event URL cs4=$href start=$UTCTimeStart end=$UTCTimeEnd
```

**Account Lockdown CEF Syslog Message Detail**

| **Key**          | **Type** | **Description**                                                |
| ---------------- | -------- | -------------------------------------------------------------- |
| *$account\_id*   | int      | The ID of the account.                                         |
| *$account\_name* | str      | The name of the account.                                       |
| *$action*        | str      | The action taken on the account (e.g., lock or unlock)         |
| *$category*      | str      | The category of the event (e.g., LOCKDOWN)                     |
| *$headend\_addr* | str      | The IP of the Vectra Brain.                                    |
| *$user*          | int      | The username of the person that performed the lockdown action. |
| *$success*       | bool     | Confirmation if the lockdown action was successful.            |
| *$href*          | str      | A link to the account in the UI.                               |
| *$UTCTimeEnd*    | int      | Seconds since epoch for event end.                             |
| *$version*       | str      | The version running on the Vectra Brain.                       |

**Account Lockdown JSON Syslog Message Example**

```language-markup
{"category": "$category", "account_id": $account_id, "success": $success, "href": "$href", "vectra_timestamp": "$UTCTime", "headend_addr": "$headend_addr", "user": "$user", "version": "$version", "action": "$action", "account_uid": "$account_name"}
```

**Account Lockdown JSON Syslog Message Detail**

| **Key**          | **Type** | **Description**                                                |
| ---------------- | -------- | -------------------------------------------------------------- |
| *$account\_id*   | int      | The ID of the account.                                         |
| *$account\_name* | str      | The name of the account.                                       |
| *$action*        | str      | The action taken on the account (e.g., lock or unlock).        |
| *$category*      | str      | The category of the event (e.g., LOCKDOWN).                    |
| *$headend\_addr* | str      | The IP of the Vectra Brain.                                    |
| *$user*          | int      | The username of the person that performed the lockdown action. |
| *$success*       | bool     | Confirmation if the lockdown action was successful.            |
| *$href*          | str      | A link to the account in the UI.                               |
| *$UTCTime*       | int      | Seconds since epoch for this event.                            |
| *$version*       | str      | The version running on the Vectra Brain.                       |

</details>

## Host Lockdown Log Events

<details>

<summary>Expand/Collapse for Details</summary>

**Host Lockdown Standard Syslog Message Example**

```language-markup
LOCKDOWN [host_lockdown@41261 category="$category" hostName="$host_name" action="$action" success="$success" willRetry="$retry" dvc="$headend_addr" user="$user" URL="$href" UTCTime="$UTCTime"]
```

**Host Lockdown Standard Syslog Message Detail**

| **Key**          | **Type** | **Description**                                                                             |
| ---------------- | -------- | ------------------------------------------------------------------------------------------- |
| *$action*        | str      | The action taken on the host (e.g., lock or unlock).                                        |
| *$category*      | str      | The category of the event (e.g., HOST\_LOCKDOWN).                                           |
| *$headend\_addr* | str      | The IP of the Vectra Brain.                                                                 |
| *$host\_name*    | str      | The name of the host.                                                                       |
| *$user*          | int      | The username of the person that performed the lockdown action.                              |
| *$success*       | bool     | Confirmation if the lockdown action was successful.                                         |
| *$href*          | str      | A link to the account in the UI.                                                            |
| *$retry*         | bool     | When a Lockdown action has failed, this indicates whether the system will retry the action. |
| *$UTCTime*       | int      | Seconds since epoch for this event.                                                         |

**Host Lockdown CEF Syslog Message Example**

```language-markup
CEF:0|Vectra Networks|X Series|$version|host lockdown|Host Lockdown|3|externalId=$host_id cat=$category dvc=$headend_addr suser=$user host=$host_name cs1Label=action cs1=$action cs2Label=success cs2=$success cs3Label=willRetry cs3=$retry cs4Label=Vectra Event URL cs4=$href start=$UTCTimeStart end=$UTCTimeEnd
```

**Host Lockdown CEF Syslog Message Detail**

| **Key**          | **Type** | **Description**                                                                             |
| ---------------- | -------- | ------------------------------------------------------------------------------------------- |
| *$action*        | str      | The action taken on the host (e.g., lock or unlock).                                        |
| *$category*      | str      | The category of the event (e.g., HOST\_LOCKDOWN).                                           |
| *$headend\_addr* | str      | The IP of the Vectra Brain.                                                                 |
| *$host\_id*      | int      | The ID of the host.                                                                         |
| *$host\_name*    | str      | The name of the host.                                                                       |
| *$href*          | str      | A link to the account in the UI.                                                            |
| *$retry*         | bool     | When a Lockdown action has failed, this indicates whether the system will retry the action. |
| *$success*       | bool     | Confirmation if the lockdown action was successful.                                         |
| *$user*          | int      | The username of the person that performed the lockdown action.                              |
| *$UTCTimeStart*  | int      | Seconds since epoch for event start.                                                        |
| *$UTCTimeEnd*    | int      | Seconds since epoch for event end.                                                          |
| *$version*       | str      | The version running on the Vectra Brain.                                                    |

**Host Lockdown JSON Syslog Message Example**

```language-markup
{"category": "$category", "version": "$version", "success": "$success", "vectra_timestamp": "$UTCTime", "will_retry": "$retry", "href": "$href", "host_name": "$host_name", "action": "$action", "host_id": "$host_id", "headend_addr": "$headend_addr", "user": "$user"}
```

**Host Lockdown JSON Syslog Message Detail**

| **Key**          | **Type** | **Description**                                                                             |
| ---------------- | -------- | ------------------------------------------------------------------------------------------- |
| *$action*        | str      | The action taken on the host (e.g., lock or unlock).                                        |
| *$category*      | str      | The category of the event (e.g., HOST\_LOCKDOWN).                                           |
| *$headend\_addr* | str      | The IP of the Vectra Brain.                                                                 |
| *$host\_id*      | int      | The ID of the host.                                                                         |
| *$host\_name*    | str      | The name of the host.                                                                       |
| *$href*          | str      | A link to the account in the UI.                                                            |
| *$user*          | int      | The username of the person that performed the lockdown action.                              |
| *$retry*         | bool     | When a Lockdown action has failed, this indicates whether the system will retry the action. |
| *$success*       | bool     | Confirmation if the lockdown action was successful.                                         |
| *$UTCTime*       | int      | Seconds since epoch for this event.                                                         |
| *$version*       | str      | The version running on the Vectra Brain.                                                    |
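
The Account Detection and Host Lockdown messages above describe one event in three encodings. The following Python, added here as an example and not part of the Vectra guide, parses the Standard structured-data, CEF and JSON forms into one schema (resolving the CEF csNLabel/flexNumberNLabel pairs and the seconds-versus-milliseconds timestamp difference) and then flags failed lockdowns the Brain will not retry, which are the ones an analyst has to re-issue. Hostnames, IP addresses, IDs and the version string in the samples are constructed placeholders.

```python
"""Parse and normalise the Standard, CEF and JSON Vectra syslog forms shown above. Input is the
syslog MSG part (after the PRI/timestamp/host header). All sample messages are constructed."""
import json
import re
from datetime import datetime, timezone

_STD_RE = re.compile(r'^(?P<msgtype>[A-Z]+) \[(?P<sdid>[\w@.-]+) (?P<params>.*)\]$', re.S)
_PARAM_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

def parse_standard(line):
    """Flatten '<MSGTYPE> [<sd-id> key="value" ...]' into {"msgtype", "sd_id", <param>: <value>}."""
    m = _STD_RE.match(line.strip())
    if not m:
        raise ValueError("not a Vectra standard-format message")
    params = {k: v.replace('\\"', '"') for k, v in _PARAM_RE.findall(m.group("params"))}
    return {"format": "standard", "msgtype": m.group("msgtype"), "sd_id": m.group("sdid"), **params}

def parse_cef(line):
    """CEF: seven pipe-delimited header fields, then key=value extension pairs. csNLabel and
    flexNumberNLabel pairs are resolved so callers read fields["threat"], not fields["flexNumber1"]."""
    head = line.strip().split("|", 7)            # assumes no escaped pipes in the header
    if len(head) != 8 or not head[0].startswith("CEF:"):
        raise ValueError("not a CEF message")
    fields = {"format": "cef", "version": head[3], "signature_id": head[4], "name": head[5], "severity": head[6]}
    # Values may contain spaces ("cs4Label=Vectra Event URL"): split only before the next key=.
    for pair in re.split(r" (?=\w+=)", head[7].strip()):
        key, _, value = pair.partition("=")
        fields[key] = value
    for key in list(fields):
        if key.endswith("Label") and key[:-5] in fields:
            fields[fields[key]] = fields[key[:-5]]
    return fields

def parse(line):
    s = line.lstrip()                            # dispatch on the first characters of the MSG part
    if s.startswith("{"):
        return dict(json.loads(s), format="json")
    return parse_cef(s) if s.startswith("CEF:") else parse_standard(s)

def _to_bool(value):
    return value if isinstance(value, bool) else str(value).strip().lower() in ("true", "1")

def _iso(epoch, unit="s"):
    # Standard and JSON carry seconds; CEF detections carry milliseconds ($UTCTimeStartCEF).
    secs = int(epoch) / 1000 if unit == "ms" else int(epoch)
    return datetime.fromtimestamp(secs, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def _kind(f):
    if f["format"] == "standard":
        return {"DETECT": "detection", "LOCKDOWN": "lockdown", "CAMPAIGN": "campaign"}[f["msgtype"]]
    if "success" in f:                           # CEF (cs2Label=success resolved) or JSON lockdown
        return "lockdown"
    return "campaign" if "campaign_id" in f or f.get("cat") == "CAMPAIGNS" else "detection"

def normalize(fields):
    """Project any of the three formats onto one schema so a single SIEM rule fits all of them."""
    fmt, kind = fields["format"], _kind(fields)
    out = {"format": fmt, "kind": kind}
    if kind == "detection":
        out["account"] = fields.get("account") or fields.get("account_uid")
        out["detection_name"] = fields.get("type") or fields.get("name") or fields.get("d_type_vname")
        out["threat"], out["certainty"] = int(fields["threat"]), int(fields["certainty"])
        out["triaged"] = _to_bool(fields["triaged"])
        if fmt == "cef":
            out["start"], out["end"] = _iso(fields["start"], "ms"), _iso(fields["end"], "ms")
        elif fmt == "standard":
            out["start"], out["end"] = _iso(fields["UTCTimeStart"]), _iso(fields["UTCTimeEnd"])
        else:                                    # JSON carries a single vectra_timestamp
            out["start"] = out["end"] = _iso(fields["vectra_timestamp"])
    elif kind == "lockdown":
        out["target"] = (fields.get("hostName") or fields.get("host") or fields.get("host_name")
                         or fields.get("accountName") or fields.get("account") or fields.get("account_uid"))
        out["action"], out["success"] = fields["action"], _to_bool(fields["success"])
        retry = fields.get("willRetry", fields.get("will_retry"))  # absent on account lockdowns
        out["will_retry"] = None if retry is None else _to_bool(retry)
        # Lockdown timestamps are seconds in every format (CEF uses start/end here, not ms).
        out["time"] = _iso(fields.get("UTCTime") or fields.get("vectra_timestamp") or fields["end"])
    return out

def unrecovered_lockdowns(records):
    """Failed lockdowns the Brain will not retry: the target is still not isolated, so re-issue them."""
    return [r for r in records if r["kind"] == "lockdown" and not r["success"] and not r["will_retry"]]

SAMPLES = [  # constructed: hostnames, IPs, IDs and the version string are placeholders
    'DETECT [detection@41261 category="EXFILTRATION" type="Smash and Grab" account="O365:alice@example.com" '
    'threat="70" certainty="60" URL="https://brain.example.com/detections/101" DestinationIP="203.0.113.10" '
    'DestinationDomain="files.example.net" DestinationPort="443" triaged="False" BytesSent="5242880" '
    'BytesRcvd="1024" UTCTimeStart="1700000000" UTCTimeEnd="1700000600"]',
    'CEF:0|Vectra Networks|X Series|0.0.0|smash_n_grab|Smash and Grab|7|externalId=101 cat=EXFILTRATION '
    'dvc=192.0.2.5 account=O365:alice@example.com flexNumber1Label=threat flexNumber1=70 '
    'flexNumber2Label=certainty flexNumber2=60 cs4Label=Vectra Event URL '
    'cs4=https://brain.example.com/detections/101 cs5Label=triaged cs5=False dst=203.0.113.10 '
    'dhost=files.example.net dpt=443 out=5242880 in=1024 start=1700000000000 end=1700000600000',
    'LOCKDOWN [host_lockdown@41261 category="HOST_LOCKDOWN" hostName="ws-finance-07" action="lock" '
    'success="False" willRetry="False" dvc="192.0.2.5" user="soc-analyst" '
    'URL="https://brain.example.com/hosts/55" UTCTime="1700000700"]',
    '{"category": "HOST_LOCKDOWN", "version": "0.0.0", "success": "True", "vectra_timestamp": "1700000800", '
    '"will_retry": "False", "href": "https://brain.example.com/hosts/56", "host_name": "ws-hr-02", '
    '"action": "lock", "host_id": "56", "headend_addr": "192.0.2.5", "user": "soc-analyst"}',
]

def demo():
    return [normalize(parse(s)) for s in SAMPLES]
```

`demo()` returns the four normalised records; the Standard and CEF detection samples describe the same event and come out identical in start/end time, threat and certainty, and `unrecovered_lockdowns(demo())` returns only the failed lock of ws-finance-07.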

</details>

## Campaign Log Events

<details>

<summary>Expand/Collapse for Details</summary>

**Campaign Standard Syslog Message Example**

```language-markup
CAMPAIGN [campaign@41261 id="$campaign_id" action="$action" reason="$reason" dvc="$headend_addr" dvchost="$dvchost" detectionId="$det_id" hostname="$src_name" currentIP="$src_ip" source_id="$src_hid" URL="$campaign_link" dstHost="$dest_name" DestinationIP="$dest_ip" destID="$dest_id" timestamp="$timestamp"]
```

**Campaign Standard Syslog Message Detail**

| **Key**           | **Type** | **Description**                                                                  |
| ----------------- | -------- | -------------------------------------------------------------------------------- |
| *$action*         | str      | The action that caused the message to be logged (e.g., START, TRIAGED, TIMEOUT). |
| *$campaign\_id*   | int      | The id of the campaign.                                                          |
| *$campaign\_link* | str      | The link to the campaign in the UI.                                              |
| *$dest\_id*       | str      | The destination of the campaign. Defaults to 'external'.                         |
| *$dest\_ip*       | str      | The destination IP address the campaign is targeting.                            |
| *$dest\_name*     | str      | The external domain of the campaign destination.                                 |
| *$det\_id*        | int      | The ID of the detection that caused the campaign creation.                       |
| *$dvchost*        | str      | The hostname of the Vectra Brain.                                                |
| *$headend\_addr*  | str      | The IP of the Vectra Brain.                                                      |
| *$reason*         | str      | The event name of the campaign.                                                  |
| *$src\_hid*       | int      | The original host ID of the member host in this campaign.                        |
| *$src\_ip*        | str      | The host IP of the source host.                                                  |
| *$src\_name*      | str      | The host name of the source host.                                                |
| *$timestamp*      | int      | Timestamp in seconds since epoch.                                                |

**Campaign CEF Syslog Message Example**

```language-markup
CEF:0|Vectra |X Series|$version|campaigns|$campaign_name|2|externalId=$campaign_id cat=CAMPAIGNS act=$action dvc=$headend_addr dvchost=$dvchost shost=$src_name src=$src_ip suid=$src_hid cs4Label=VectraEventURL cs4=$campaign_link dhost=$dest_name dst=$dest_ip duid=$dest_id rt=$timestamp reason=$reason cs6Label=VectraDetectionID cs6=$det_id
```

**Campaign CEF Syslog Message Detail**

| **Key**           | **Type** | **Description**                                                                 |
| ----------------- | -------- | ------------------------------------------------------------------------------- |
| *$action*         | str      | The action that caused the message to be logged (e.g., START, TRIAGED, TIMEOUT) |
| *$campaign\_id*   | int      | The id of the campaign                                                          |
| *$campaign\_link* | str      | The link to the campaign in the UI                                              |
| *$campaign\_name* | str      | The name of the campaign                                                        |
| *$dest\_id*       | str      | The destination of the campaign. Defaults to 'external'                         |
| *$dest\_ip*       | str      | The destination IP address the campaign is targeting                            |
| *$dest\_name*     | str      | The external domain of the campaign destination                                 |
| *$det\_id*        | int      | The ID of the detection that caused the campaign creation                       |
| *$dvchost*        | str      | The hostname of the Vectra Brain                                                |
| *$headend\_addr*  | str      | The IP of the Vectra Brain                                                      |
| *$reason*         | str      | The event name of the campaign                                                  |
| *$src\_hid*       | int      | The original host ID of the member host in this campaign                        |
| *$src\_ip*        | str      | The host IP of the source host                                                  |
| *$src\_name*      | str      | The host name of the source host                                                |
| *$timestamp*      | int      | Timestamp in seconds since epoch                                                |
| *$version*        | str      | The version of Vectra platform running the Vectra Brain                         |

**Campaign JSON Syslog Message Example**

```language-markup
{"src_hid": "$src_hid", "timestamp": "$syslog_timestamp", "dvchost": "$dvchost", "campaign_id": "$campaign_id", "reason": "$reason", "src_name": "$src_name", "campaign_name": "$campaign_name", "campaign_link": "$campaign_link", "headend_addr": "$headend_addr", "dest_name": "$dest_name", "dest_id": "$dest_id", "vectra_timestamp": "$vectra_timestamp", "src_ip": "$src_ip", "version": "$version", "action": "$action", "dest_ip": "$dest_ip", "det_id": "$det_id"}
```

**Campaign JSON Syslog Message Detail**

| **Key**              | **Type** | **Description**                                                                  |
| -------------------- | -------- | -------------------------------------------------------------------------------- |
| *$action*            | str      | The action that caused the message to be logged (e.g., START, TRIAGED, TIMEOUT). |
| *$campaign\_id*      | int      | The id of the campaign.                                                          |
| *$campaign\_link*    | str      | The link to the campaign in the UI.                                              |
| *$campaign\_name*    | str      | The name of the campaign.                                                        |
| *$dest\_id*          | str      | The destination of the campaign. Defaults to 'external'.                         |
| *$dest\_ip*          | str      | The destination IP address the campaign is targeting.                            |
| *$dest\_name*        | str      | The external domain of the campaign destination.                                 |
| *$det\_id*           | int      | The ID of the detection that caused the campaign creation.                       |
| *$dvchost*           | str      | The hostname of the Vectra Brain.                                                |
| *$headend\_addr*     | str      | The IP of the Vectra Brain.                                                      |
| *$reason*            | str      | The event name of the campaign.                                                  |
| *$src\_hid*          | int      | The original host ID of the member host in this campaign.                        |
| *$src\_ip*           | str      | The host IP of the source host.                                                  |
| *$src\_name*         | str      | The host name of the source host.                                                |
| *$syslog\_timestamp* | int      | The epoch timestamp for when syslog received the message (e.g., 1550014653).     |
| *$vectra\_timestamp* | int      | The epoch timestamp for when the event occurred (e.g., 1550014653).              |
| *$version*           | str      | The version of Vectra platform running the Vectra Brain.                         |

</details>

## Audit Log Events

<details>

<summary>Expand/Collapse for Details</summary>

**Audit Standard Syslog Message Example**

```language-markup
AUDIT [dvc="$headend_addr" dvchost="$dvchost" version="$version" user="$user" role="$role" source="$source_ip" type="user_action" outcome="$result" message="$message"]
```

**Audit Standard Syslog Message Detail**

| **Key**          | **Type** | **Description**                                                      |
| ---------------- | -------- | -------------------------------------------------------------------- |
| *$dvchost*       | str      | The hostname of the Vectra Brain.                                    |
| *$headend\_addr* | str      | The IP of the Vectra Brain.                                          |
| *$message*       | str      | A message explaining the cause/nature of the log.                    |
| *$result*        | bool     | True, False, or pending.                                             |
| *$role*          | str      | Role of the user who caused the log (e.g., admin, super admin, etc). |
| *$source\_ip*    | str      | IP address of the machine that initiated the user action.            |
| *$user*          | str      | Username of the user who caused the log.                             |
| *$version*       | str      | The version running on the Vectra Brain.                             |

**Audit CEF Syslog Message Example**

```language-markup
CEF:0|Vectra |X Series|$version|audit|user_action|0|dvc=$headend_addr dvchost=$dvchost suser=$user spriv=$role src=$source_ip deviceFacility=13 cat=user_action outcome=$result msg=$message
```

**Audit CEF Syslog Message Detail**

| **Key**          | **Type** | **Description**                                                      |
| ---------------- | -------- | -------------------------------------------------------------------- |
| *$dvchost*       | str      | The hostname of the Vectra Brain.                                    |
| *$headend\_addr* | str      | The IP of the Vectra Brain.                                          |
| *$message*       | str      | A message explaining the cause/nature of the log.                    |
| *$result*        | bool     | True, False, or pending.                                             |
| *$role*          | str      | Role of the user who caused the log (e.g., admin, super admin, etc). |
| *$source\_ip*    | str      | IP address of the machine that initiated the user action.            |
| *$user*          | str      | Username of the user who caused the log.                             |
| *$version*       | str      | The version running on the Vectra Brain.                             |

**Audit JSON Syslog Message Example**

```language-markup
{"source_ip": "$source_ip", "dvchost": "$dvchost", "version": "$version", "role": "$role", "user": "$user", "message": "$message", "vectra_timestamp": "$vectra_timestamp", "headend_addr": "$headend_addr", "result": "$result"}
```

**Audit JSON Syslog Message Detail**

| **Key**              | **Type** | **Description**                                                      |
| -------------------- | -------- | -------------------------------------------------------------------- |
| *$dvchost*           | str      | The hostname of the Vectra Brain.                                    |
| *$headend\_addr*     | str      | The IP of the Vectra Brain.                                          |
| *$message*           | str      | A message explaining the cause/nature of the log.                    |
| *$result*            | bool     | True, False, or pending.                                             |
| *$role*              | str      | Role of the user who caused the log (e.g., admin, super admin, etc). |
| *$source\_ip*        | str      | IP address of the machine that initiated the user action.            |
| *$user*              | str      | Username of the user who caused the log.                             |
| *$vectra\_timestamp* | int      | The epoch timestamp for when the event occurred (e.g., 1550014653).  |
| *$version*           | str      | The version running on the Vectra Brain.                             |

</details>

## Health Log Events

<details>

<summary>Expand/Collapse for Details</summary>

**Health Standard Syslog Message Example**

```language-markup
HEALTH [dvc="$headend_addr" dvchost="$dvchost" version="$version" type="$type" outcome="$result" message="$message"]
```

**Health Standard Syslog Message Detail**

| **Key**          | **Type** | **Description**                                                                                                                                                                                                                                                                                                                |
| ---------------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| *$dvchost*       | str      | The hostname of the Vectra Brain.                                                                                                                                                                                                                                                                                              |
| *$headend\_addr* | str      | The IP of the Vectra Brain.                                                                                                                                                                                                                                                                                                    |
| *$message*       | str      | A message explaining the cause/nature of the log.                                                                                                                                                                                                                                                                              |
| *$result*        | str      | A string indicating either a success or failure.                                                                                                                                                                                                                                                                               |
| *$type*          | str      | A string to indicate what type of health message this is. Valid types include sensor\_connectivity, disk\_hardware\_raid\_check, system\_cpuflags\_valid, disk\_ro\_mount\_check, capture\_interface\_flap\_status, capture\_interface\_bandwidth\_status, colossus\_packet\_drop\_rate, heartbeat\_check, and stream\_health. |
| *$version*       | str      | The version running on the Vectra Brain.                                                                                                                                                                                                                                                                                       |

**Health CEF Syslog Message Example**

```language-markup
CEF:0|Vectra |X Series|$version|health|$type|0|dvc=$headend_addr dvchost=$dvchost deviceFacility=14 outcome=$result msg=$message
```

**Health CEF Syslog Message Detail**

| **Key**          | **Type** | **Description**                                                                                                                                                                                                                                                                                                                |
| ---------------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| *$dvchost*       | str      | The hostname of the Vectra Brain.                                                                                                                                                                                                                                                                                              |
| *$headend\_addr* | str      | The IP of the Vectra Brain.                                                                                                                                                                                                                                                                                                    |
| *$message*       | str      | A message explaining the cause/nature of the log.                                                                                                                                                                                                                                                                              |
| *$result*        | str      | A string indicating either a success or failure.                                                                                                                                                                                                                                                                               |
| *$type*          | str      | A string to indicate what type of health message this is. Valid types include sensor\_connectivity, disk\_hardware\_raid\_check, system\_cpuflags\_valid, disk\_ro\_mount\_check, capture\_interface\_flap\_status, capture\_interface\_bandwidth\_status, colossus\_packet\_drop\_rate, heartbeat\_check, and stream\_health. |
| *$version*       | str      | The version running on the Vectra Brain.                                                                                                                                                                                                                                                                                       |

**Health JSON Syslog Message Example**

```language-markup
{"vectra_timestamp": "$vectra_timestamp", "version": "$version", "result": "$result", "type": "$type", "source_ip": "$source_ip", "message": "$message", "dvchost": "$dvchost", "headend_addr": "$headend_addr"}
```

**Health JSON Syslog Message Detail**

| **Key**              | **Type** | **Description**                                                                                                                                                                                                                                                                                                                |
| -------------------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| *$dvchost*           | str      | The hostname of the Vectra Brain.                                                                                                                                                                                                                                                                                              |
| *$headend\_addr*     | str      | The IP of the Vectra Brain.                                                                                                                                                                                                                                                                                                    |
| *$message*       | str      | A message explaining the cause/nature of the log.                                                                                                                                                                                                                                                                              |
| *$result*            | str      | A string indicating either a success or failure.                                                                                                                                                                                                                                                                               |
| *$source\_ip*        | str      | IP address of the machine that initiated the action.                                                                                                                                                                                                                                                                           |
| *$type*              | str      | A string to indicate what type of health message this is. Valid types include sensor\_connectivity, disk\_hardware\_raid\_check, system\_cpuflags\_valid, disk\_ro\_mount\_check, capture\_interface\_flap\_status, capture\_interface\_bandwidth\_status, colossus\_packet\_drop\_rate, heartbeat\_check, and stream\_health. |
| *$vectra\_timestamp* | int      | The epoch timestamp for when the event occurred (e.g., 1550014653).                                                                                                                                                                                                                                                            |
| *$version*           | str      | The version running on the Vectra Brain.                                                                                                                                                                                                                                                                                       |
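
As an added example (not code from the Vectra guide), the following Python parses the standard and CEF forms of the AUDIT and HEALTH messages documented in the two sections above into one normalised record and runs two collector-side checks over constructed sample lines: repeated failed user actions per account, and health checks whose outcome is not success. It assumes the syslog transport header has already been stripped from each line, and that the outcome values are True/False for audit messages and success/failure for health messages; hosts, users and versions in the samples are made up.

```python
import re
from collections import Counter

# Constructed sample lines in the standard and CEF shapes documented above (made-up values).
SAMPLE_LINES = [
    'AUDIT [dvc="10.0.0.5" dvchost="brain01" version="8.5" user="alice" role="admin" '
    'source="192.0.2.10" type="user_action" outcome="True" message="login"]',
    'AUDIT [dvc="10.0.0.5" dvchost="brain01" version="8.5" user="bob" role="read_only" '
    'source="198.51.100.7" type="user_action" outcome="False" message="login"]',
    'AUDIT [dvc="10.0.0.5" dvchost="brain01" version="8.5" user="bob" role="read_only" '
    'source="198.51.100.7" type="user_action" outcome="False" message="login"]',
    'HEALTH [dvc="10.0.0.5" dvchost="brain01" version="8.5" type="heartbeat_check" '
    'outcome="failure" message="sensor s01 missed heartbeat"]',
    'CEF:0|Vectra |X Series|8.5|audit|user_action|0|dvc=10.0.0.5 dvchost=brain01 suser=carol '
    'spriv=admin src=203.0.113.9 deviceFacility=13 cat=user_action outcome=False msg=login',
    'CEF:0|Vectra |X Series|8.5|health|disk_ro_mount_check|0|dvc=10.0.0.5 dvchost=brain01 '
    'deviceFacility=14 outcome=success msg=all mounts writable',
]

STD_RE = re.compile(r'^(AUDIT|HEALTH) \[(.*)\]$')
KV_QUOTED_RE = re.compile(r'(\w+)="([^"]*)"')
# CEF extension values may contain spaces: a value runs until the next " key=" or end of line.
# (CEF backslash escapes such as \= are not handled in this example.)
CEF_EXT_RE = re.compile(r'(\w+)=(.*?)(?=\s+\w+=|$)')
CEF_TO_STD = {"suser": "user", "spriv": "role", "src": "source", "msg": "message"}

def parse_line(line):
    """Normalise a standard or CEF AUDIT/HEALTH line to one dict using the standard-format
    key names plus 'kind' ('audit' or 'health'); return None for anything else."""
    m = STD_RE.match(line)
    if m:
        fields = dict(KV_QUOTED_RE.findall(m.group(2)))
        fields["kind"] = m.group(1).lower()
        return fields
    if line.startswith("CEF:0|"):
        # Header: CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|Extension
        parts = line.split("|", 7)
        if len(parts) != 8:
            return None
        fields = {CEF_TO_STD.get(k, k): v for k, v in CEF_EXT_RE.findall(parts[7])}
        # The guide puts the message type in the CEF Name field (user_action or $type).
        fields.update(kind=parts[4], version=parts[3], type=parts[5])
        return fields
    return None

def failed_audit_actions(events):
    """Count audit events with outcome False per user (repeated failures are worth review)."""
    return Counter(e["user"] for e in events
                   if e["kind"] == "audit" and e.get("outcome", "").lower() == "false")

def health_failures(events):
    """Health events whose outcome is not success, as (type, message) pairs."""
    return [(e["type"], e["message"]) for e in events
            if e["kind"] == "health" and e.get("outcome", "").lower() != "success"]

def analyse(lines):
    """Parse a batch of lines; return (failed audit actions per user, health failures)."""
    events = [e for e in map(parse_line, lines) if e]
    return failed_audit_actions(events), health_failures(events)
```

Because JSON-format messages already carry the same field names as the standard form, a `json.loads` result can be fed to the two check functions directly after adding the `kind` key.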

</details>

### Attachments

{% file src="<https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-b7cc2df0ec0cacae68bd30edc6bf3707e8911c73%2FVectra-Syslog-Reference-Guide-Aug2024.pdf?alt=media>" %}
