Anomali Threatstream CEF Log Messages
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
Anomali Threatstream CEF Log Messages | Base Rule | General Threat Message | Activity |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
N/A | N/A | N/A | Common Event Format identifier: Default or unspecified severity level (can be replaced with specific severity levels such as 1-10). |
N/A | <vendorinfo> | Text/String | Vendor or organization name |
N/A | N/A | N/A | Product or service name generating the event |
N/A | <version> | Text/String | Version number |
N/A | <threatname> | Text/String | Specific name or identifier for the event. |
N/A | <object> | Text/String | Description |
N/A | <severity> | Text/String | Severity level of the event (e.g., low, medium, high). |
Extension | N/A | N/A | N/A |
cs5Label | N/A | N/A | N/A |
customerName | <account> | Text/String | N/A |
appType | <objecttype> | Text/String | N/A |
dateFirst | N/A | N/A | N/A |
modifiedTs | N/A | N/A | N/A |
dcid | N/A | N/A | N/A |
app | N/A | N/A | N/A |
spt | <sport> | Number | N/A |
nodeName | <dinterface> | Text/String | N/A |
cs2Label | N/A | N/A | N/A |
cn3Label | N/A | N/A | N/A |
srcip | <sip> | IP Address | N/A |
org | N/A | N/A | N/A |
totalScore | N/A | N/A | N/A |
cimField | N/A | N/A | N/A |
sourceFeedId | N/A | N/A | N/A |
id | N/A | N/A | N/A |
loc | N/A | N/A | N/A |
cnt | <quantity> | Number | N/A |
end | N/A | N/A | N/A |
classification | <reason> | Text/String | N/A |
timestamp | N/A | N/A | N/A |
dst | <dip> | IP Address | N/A |
request | <objectname> | Text/String | N/A |
suser | <sender> | Text/String | N/A |
duser | <recipient> | Text/String | N/A |
lon | N/A | N/A | N/A |
trustedCircleIds | N/A | N/A | N/A |
age | N/A | N/A | N/A |
state | <status> | Text/String | N/A |
alertTime | N/A | N/A | N/A |
numOfSrc | N/A | N/A | N/A |
deviceDirection | N/A | N/A | N/A |
shost | <sname> | Text/String | N/A |
eventDsId | N/A | N/A | N/A |
cn1 | N/A | N/A | N/A |
volume | N/A | N/A | N/A |
dpt | <dport> | Number | N/A |
updateId | N/A | N/A | N/A |
cs6Label | N/A | N/A | N/A |
lat | N/A | N/A | N/A |
maltype | N/A | N/A | N/A |
cs1Label | N/A | N/A | N/A |
cs3Label | N/A | N/A | N/A |
uuid | <session> | Text/String | N/A |
src | <sip> | IP Address | N/A |
span | N/A | N/A | N/A |
cs6 | <url> | Text/String | N/A |
dateLast | N/A | N/A | N/A |
cn3 | N/A | N/A | N/A |
iocScore | N/A | N/A | N/A |
corrType | N/A | N/A | N/A |
srcHost | <sname> | Text/String | N/A |
clientId | N/A | N/A | N/A |
trustedCircleNames | N/A | N/A | N/A |
detail2 | N/A | N/A | N/A |
cn1Label | N/A | N/A | N/A |
act | <action> | Text/String | N/A |
cs5 | N/A | N/A | N/A |
dhost | <dname> or <dnatip> | IP Address/Text/String | N/A |
cs1 | <policy> | Text/String | N/A |
customerId | N/A | N/A | N/A |
cs3 | <subject> | Text/String | N/A |
cs2 | N/A | N/A | N/A |