Attack Technique Log Messages

Vendor Documentation

Classification

| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| Attack Technique Log Messages | Base Rule | General Attack Activity | Attack |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| datetime | N/A | N/A | Local time in the format "MMM dd yyyy HH:mm:ss" |
| host | N/A | N/A | Hostname without the domain information |
| Version | N/A | N/A | CEF format version; the current CEF version is 0 |
| Device Vendor | N/A | N/A | Appliance vendor |
| Device Product | <vendorinfo> | Text/String | Appliance product |
| Device Version | <version> | Text/String | Appliance version |
| Device Event Class ID | <vmid> | Number | A unique identifier per event type. This can be a string or an integer: Workbench or OAT |
| Name | <objecttype> | Text/String | A string representing a human-readable and understandable description of the event |
| Severity | <severity> | Number | A string or integer that reflects the importance of the event. Workbench: severity or modelSeverity; OAT: filter.level |
| cat | N/A | N/A | filter name |
| reason | <reason> | Text/String | filter description |
| cs1 | N/A | N/A | MITRE tactics id list |
| cs1Label | N/A | N/A | N/A |
| cs2 | N/A | N/A | MITRE technique id list |
| cs2Label | N/A | N/A | N/A |
| sourceServiceName (?? not in pipeline api) | N/A | N/A | OAT source |
| rt | N/A | N/A | event time, MMM dd yyyy HH:mm:ss |
| dvchost | <dname> | Text/String | The hostname of the endpoint |
| dvc | N/A | N/A | The first IPv4 address of the endpoint, if any |
| c6a1 | N/A | N/A | The first IPv6 address of the endpoint, if any |
| c6a1Label | N/A | N/A | N/A |
| deviceExternalId | N/A | N/A | The endpoint GUID |
| dst | <dip> | IP Address | destination IP address |
| src | <sip> | IP Address | source IP address |
| dhost | N/A | N/A | destination host name |
| shost | <sname> | Text/String | source host name |
| dpt | <dport> | Number | destination port |
| spt | <sport> | Number | source port |
| dproc | <command> | Text/String | command line |
| sproc | N/A | N/A | N/A |
| dntdom | <domainimpacted> | Text/String | destination domain |
| sntdom | <domainorigin> | Text/String | source domain |
| cs3 | <threatname> | Text/String | malware name or rule name or policy name or |
| cs3Label | N/A | N/A | N/A |
| cs4 | N/A | N/A | N/A |
| cs4Label | N/A | N/A | N/A |
| act | <action> | Text/String | action or action result |
| app | <protname> | Text/String | application level protocol |
| deviceDirection | N/A | N/A | device direction |
| suid | N/A | N/A | source user account or user id |
| suser | <login> | Text/String | source user account or email sender |
| duser | <account> | Text/String | destination user account or email address |
| request | <url> | Text/String | URL |
| dpid | <processID> | Text/String | process ID |
| spid | <parentprocessID> | Text/String | parent process ID |
| requestClientApplication | <useragent> | Text/String | user agent |
| fileHash | <hash> | Text/String | file hash |
| fname | <object> | Text/String | file name |
| filePath | <parentprocesspath> | Text/String | full file path |
| externalId | N/A | N/A | Windows event log id |
| msg | N/A | N/A | N/A |
| cs5 | N/A | N/A | N/A |
| cs5Label | N/A | N/A | N/A |
| cs6 | N/A | N/A | N/A |
| cs6Label | N/A | N/A | N/A |
| TrendMicroV1EngineOperation | N/A | N/A | engine operation |
| TrendMicroV1ObjectRawDataStr | N/A | N/A | AMSI raw data |
| TrendMicroV1RegistryData | N/A | N/A | registry value data |
| TrendMicroV1RegistryValue | N/A | N/A | registry value |
| TrendMicroV1RegistryKeyHandle | N/A | N/A | registry key |
| TrendMicroV1ScanType | N/A | N/A | scan type |
| TrendMicroV1ProvideName | N/A | N/A | provider name |
| TrendMicroV1AttackPhase | N/A | N/A | attack phase |
| TrendMicroV1ClientFlag | N/A | N/A | client flag |
| TrendMicroV1FileHashSha256 | N/A | N/A | file hash in SHA256 |
| TrendMicroV1Remarks | N/A | N/A | remarks |
| TrendMicroV1UrlCat | N/A | N/A | URL category |
| TrendMicroV1Rating | N/A | N/A | URL rating or risk level? |
| TrendMicroV1CncDbCat | N/A | N/A | hostname category in C&C DB? |
| TrendMicroV1CncDbStatus | N/A | N/A | hostname status in C&C DB? |
| TrendMicroV1HighlightedText | N/A | N/A | Forensic data by DLP detection or content matching? |
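Added example, not part of the LogRhythm documentation or of any Trend Micro code: a small Python parser for the log line shape the table describes (the "MMM dd yyyy HH:mm:ss host" prefix, the seven CEF header fields with their `\|` and `\\` escapes, and the key=value extension with `\=` escapes), which maps the CEF keys to the LogRhythm schema names in the table and pulls the MITRE tactic and technique ids out of cs1/cs2. The sample event, every field value in it, and the comma separator assumed for the cs1/cs2 id lists are constructed assumptions, not taken from either vendor.

```python
import re
from datetime import datetime
# CEF extension key -> LogRhythm schema field, as given in the mapping table above.
# Keys the table marks N/A (cat, cs1, cs2, dvc, externalId, TrendMicroV1*, ...) are left unmapped.
CEF_TO_LR = {"reason": "reason", "dvchost": "dname", "dst": "dip", "src": "sip", "shost": "sname",
             "dpt": "dport", "spt": "sport", "dproc": "command", "dntdom": "domainimpacted",
             "sntdom": "domainorigin", "cs3": "threatname", "act": "action", "app": "protname",
             "suser": "login", "duser": "account", "request": "url", "dpid": "processID",
             "spid": "parentprocessID", "requestClientApplication": "useragent",
             "fileHash": "hash", "fname": "object", "filePath": "parentprocesspath"}
HEADER_NAMES = ("Version", "Device Vendor", "Device Product", "Device Version",
                "Device Event Class ID", "Name", "Severity")
HEADER_TO_LR = {"Device Product": "vendorinfo", "Device Version": "version",
                "Device Event Class ID": "vmid", "Name": "objecttype", "Severity": "severity"}
_PREFIX = re.compile(r"^(\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (\S+) CEF:(.*)$", re.S)
_FIELD = re.compile(r"((?:\\.|[^\\|])*)\|")    # one header field: escaped pairs or non-pipe chars, then '|'
_KEY = re.compile(r"(?:^| )([A-Za-z0-9_.]+)=")  # only an unescaped '=' starts a new extension key
_ESC = re.compile(r"\\(.)")                     # CEF escapes: \| \= \\ \n \r
def unescape_cef(s):
    return _ESC.sub(lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), s)

def split_header(text):  # seven header fields split on unescaped '|'; the rest is the extension
    ms = [m for m, _ in zip(_FIELD.finditer(text), range(7))]
    if len(ms) != 7 or any(a.end() != b.start() for a, b in zip(ms, ms[1:])):
        raise ValueError("malformed CEF header")
    return [unescape_cef(m.group(1)) for m in ms], text[ms[-1].end():]

def parse_extension(ext):  # values may contain spaces, so slice between successive keys
    keys = list(_KEY.finditer(ext))
    return {k.group(1): unescape_cef(ext[k.end():(n.start() if n else len(ext))].strip())
            for k, n in zip(keys, keys[1:] + [None])}

def parse_attack_technique_event(line):
    m = _PREFIX.match(line)
    if not m: raise ValueError("missing 'MMM dd yyyy HH:mm:ss host' prefix")
    header, ext = split_header(m.group(3))
    hdr, fields = dict(zip(HEADER_NAMES, header)), parse_extension(ext)
    lr = {HEADER_TO_LR[k]: v for k, v in hdr.items() if k in HEADER_TO_LR}
    lr.update({CEF_TO_LR[k]: v for k, v in fields.items() if k in CEF_TO_LR})
    ids = lambda v: [x.strip() for x in v.split(",") if x.strip()]  # assumption: comma-separated id lists
    return {"datetime": datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S"), "host": m.group(2),
            "header": hdr, "fields": fields, "logrhythm": lr,  # 'fields' keeps the unmapped keys too
            "labels": {k[:-5]: v for k, v in fields.items() if k.endswith("Label")},  # cs1Label names cs1
            "mitre_tactics": ids(fields.get("cs1", "")), "mitre_techniques": ids(fields.get("cs2", ""))}

# Constructed sample line (not a real Vision One event); backslashes are CEF-escaped as '\\'.
SAMPLE = ("Mar 10 2023 14:02:33 xdr-gw CEF:0|Trend Micro|Vision One|1.0|Workbench|Attack Technique Log Messages|8|"
          r"cat=Process Injection reason=Remote thread in lsass cs1=TA0004,TA0005 cs1Label=MITRE_tactics "
          r"cs2=T1055,T1055.001 cs2Label=MITRE_techniques dvchost=WS-042 dvc=10.1.2.3 suser=CORP\\alice "
          r"dproc=C:\\Temp\\updater.exe --silent dpid=4242 act=Blocked TrendMicroV1AttackPhase=Defense Evasion")
```

Calling `parse_attack_technique_event(SAMPLE)` returns the LogRhythm-named fields under `logrhythm`, the unmapped vendor keys under `fields`, and the two MITRE id lists as Python lists.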