Vendor Documentation
Classification

| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| Anomali Threatstream CEF Log Messages | Base Rule | General Threat Message | Activity |
Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| N/A | N/A | N/A | Common Event Format identifier: Default or unspecified severity level (can be replaced with specific severity levels such as 1-10). |
| N/A | <vendorinfo> | Text/String | Vendor or organization name |
| N/A | N/A | N/A | Product or service name generating the event |
| N/A | <version> | Text/String | Version number |
| N/A | <threatname> | Text/String | Specific name or identifier for the event. |
| N/A | <object> | Text/String | Description |
| N/A | <severity> | Text/String | Severity level of the event (e.g., low, medium, high). |
| Extension | N/A | N/A | N/A |
| cs5Label | N/A | N/A | N/A |
| customerName | <account> | Text/String | N/A |
| appType | <objecttype> | Text/String | N/A |
| dateFirst | N/A | N/A | N/A |
| modifiedTs | N/A | N/A | N/A |
| dcid | N/A | N/A | N/A |
| app | N/A | N/A | N/A |
| spt | <sport> | Number | N/A |
| nodeName | <dinterface> | Text/String | N/A |
| cs2Label | N/A | N/A | N/A |
| cn3Label | N/A | N/A | N/A |
| srcip | <sip> | IP Address | N/A |
| org | N/A | N/A | N/A |
| totalScore | N/A | N/A | N/A |
| cimField | N/A | N/A | N/A |
| sourceFeedId | N/A | N/A | N/A |
| id | N/A | N/A | N/A |
| loc | N/A | N/A | N/A |
| cnt | <quantity> | Number | N/A |
| end | N/A | N/A | N/A |
| classification | <reason> | Text/String | N/A |
| timestamp | N/A | N/A | N/A |
| dst | <dip> | IP Address | N/A |
| request | <objectname> | Text/String | N/A |
| suser | <sender> | Text/String | N/A |
| duser | <recipient> | Text/String | N/A |
| lon | N/A | N/A | N/A |
| trustedCircleIds | N/A | N/A | N/A |
| age | N/A | N/A | N/A |
| state | <status> | Text/String | N/A |
| alertTime | N/A | N/A | N/A |
| numOfSrc | N/A | N/A | N/A |
| deviceDirection | N/A | N/A | N/A |
| shost | <sname> | Text/String | N/A |
| eventDsId | N/A | N/A | N/A |
| cn1 | N/A | N/A | N/A |
| volume | N/A | N/A | N/A |
| dpt | <dport> | Number | N/A |
| updateId | N/A | N/A | N/A |
| cs6Label | N/A | N/A | N/A |
| lat | N/A | N/A | N/A |
| maltype | N/A | N/A | N/A |
| cs1Label | N/A | N/A | N/A |
| cs3Label | N/A | N/A | N/A |
| uuid | <session> | Text/String | N/A |
| src | <sip> | IP Address | N/A |
| span | N/A | N/A | N/A |
| cs6 | <url> | Text/String | N/A |
| dateLast | N/A | N/A | N/A |
| cn3 | N/A | N/A | N/A |
| iocScore | N/A | N/A | N/A |
| corrType | N/A | N/A | N/A |
| srcHost | <sname> | Text/String | N/A |
| clientId | N/A | N/A | N/A |
| trustedCircleNames | N/A | N/A | N/A |
| detail2 | N/A | N/A | N/A |
| cn1Label | N/A | N/A | N/A |
| act | <action> | Text/String | N/A |
| cs5 | N/A | N/A | N/A |
| dhost | <dname> or <dnatip> | IP Address/Text/String | N/A |
| cs1 | <policy> | Text/String | N/A |
| customerId | N/A | N/A | N/A |
| cs3 | <subject> | Text/String | N/A |
| cs2 | N/A | N/A | N/A |
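The following script is an added example, not LogRhythm's parser or any Anomali code: it splits a ThreatStream CEF line into its header and extension pairs (honouring the CEF escapes for `|`, `=` and `\`), applies the mapping table above, coerces the Number and IP Address columns, and reports which extension keys the mapping drops (for instance iocScore and the csNLabel keys) and which pairs conflict when two device keys map to the same schema field (srcip/src both to <sip>, shost/srcHost both to <sname>). Assumptions, labelled in the code: the header rows above are taken to correspond in order to the seven CEF header positions; dhost is placed in <dnatip> when its value is an IP literal and in <dname> otherwise; the sample line is constructed.

```python
"""Apply the Anomali ThreatStream -> LogRhythm field mapping to a CEF line.
Added example, not LogRhythm's parser.  Assumptions: the page's header rows
map in order onto the seven CEF header positions; 'dhost' goes to dnatip when
it is an IP literal, else dname; the SAMPLE line is constructed."""
import ipaddress
import re

# Extension key -> (LogRhythm schema field, data type), as listed on the page.
EXT_MAP = {
    "customerName": ("account", "Text/String"),
    "appType": ("objecttype", "Text/String"),
    "spt": ("sport", "Number"),
    "nodeName": ("dinterface", "Text/String"),
    "srcip": ("sip", "IP Address"),
    "cnt": ("quantity", "Number"),
    "classification": ("reason", "Text/String"),
    "dst": ("dip", "IP Address"),
    "request": ("objectname", "Text/String"),
    "suser": ("sender", "Text/String"),
    "duser": ("recipient", "Text/String"),
    "state": ("status", "Text/String"),
    "shost": ("sname", "Text/String"),
    "dpt": ("dport", "Number"),
    "uuid": ("session", "Text/String"),
    "src": ("sip", "IP Address"),
    "cs6": ("url", "Text/String"),
    "srcHost": ("sname", "Text/String"),
    "act": ("action", "Text/String"),
    "dhost": ("dname", "IP Address/Text/String"),  # dnatip if an IP literal (assumption)
    "cs1": ("policy", "Text/String"),
    "cs3": ("subject", "Text/String"),
}
# CEF header position (0 is the "CEF:0" identifier) -> schema field, in the page's row order.
HEADER_MAP = {1: "vendorinfo", 3: "version", 4: "threatname", 5: "object", 6: "severity"}

_PIPE = re.compile(r"(?<!\\)\|")                               # unescaped header separator
_EXT = re.compile(r"([\w.]+)=((?:\\.|[^\\=])*?)(?=\s+[\w.]+=|$)")  # key=value, value may hold spaces


def _unescape(s):
    """Undo the CEF escapes \\| \\= and \\\\ in a header field or extension value."""
    return re.sub(r"\\([\\|=])", r"\1", s)


def parse_cef(line):
    """Return (seven header fields, dict of extension key -> value) for one CEF record."""
    parts = _PIPE.split(line.rstrip("\r\n"), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    header = [_unescape(p) for p in parts[:7]]
    ext = {k: _unescape(v) for k, v in _EXT.findall(parts[7])}
    return header, ext


def map_to_logrhythm(line):
    """Return (schema fields, unmapped extension keys, errors) for one line."""
    header, ext = parse_cef(line)
    fields, unmapped, errors = {}, [], []
    for pos, name in HEADER_MAP.items():
        fields[name] = header[pos]
    for key, raw in ext.items():
        if key not in EXT_MAP:
            unmapped.append(key)          # dropped by the mapping, e.g. iocScore, cs1Label
            continue
        name, dtype = EXT_MAP[key]
        value = raw
        if dtype == "Number":
            if not raw.lstrip("-").isdigit():
                errors.append(f"{key}: not a number: {raw!r}")
                continue
            value = int(raw)
        elif dtype == "IP Address":
            try:
                ipaddress.ip_address(raw)
            except ValueError:
                errors.append(f"{key}: not an IP address: {raw!r}")
                continue
        elif key == "dhost":              # assumption: IP literal -> dnatip, otherwise dname
            try:
                ipaddress.ip_address(raw)
                name = "dnatip"
            except ValueError:
                name = "dname"
        if name in fields and fields[name] != value:
            errors.append(f"{key}: conflicts with existing {name}={fields[name]!r}")
            continue
        fields[name] = value
    return fields, unmapped, errors


# Constructed sample record; every value here is made up for the example.
SAMPLE = (r"CEF:0|Anomali|ThreatStream|2.0|Malicious IP|Threat match on outbound connection|8|"
          r"src=198.51.100.23 spt=44123 dst=203.0.113.7 dpt=443 cs1Label=policy cs1=Block\=outbound "
          r"cs3Label=subject cs3=ioc match cs6Label=url cs6=http://example.test/path?a\=1 "
          r"act=alert iocScore=90 cnt=3 shost=ws01 dhost=203.0.113.7 classification=c2 state=active "
          r"uuid=abc-123")

if __name__ == "__main__":
    fields, unmapped, errors = map_to_logrhythm(SAMPLE)
    for k, v in sorted(fields.items()):
        print(f"{k:<12} {v!r}")
    print("unmapped:", unmapped)
    print("errors:", errors)
```

The unmapped list is the useful output for anyone building content on top of this mapping: keys such as iocScore, totalScore and the csNLabel entries are present in the raw record but, per the table, do not land in any LogRhythm schema field, so they are only available from the raw log text.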