Attack Technique Log Messages | LogRhythm Documentation

Vendor Documentation

https://docs.trendmicro.com/en-us/documentation/article/trend-vision-one-cef-observed-attack-techniques-logs

https://docs.trendmicro.com/en-us/documentation/article/trend-vision-one-syslog-content-mapping-cef

Classification

Rule Name	Rule Type	Common Event	Classification
Attack Technique Log Messages	Base Rule	General Attack Activity	Attack

Mapping with LogRhythm Schema

Device Key in Log Message	LogRhythm Schema	Data Type	Schema Description
datetime	N/A	N/A	Local time in the format: "MMM dd yyyy HH:mm:ss"
host	N/A	N/A	Hostname without the domain information
Version	N/A	N/A	CEF format version, current CEF version is 0
Device Vendor	N/A	N/A	Appliance vendor
Device Product	<vendorinfo>	Text/String	Appliance product
Device Version	<version>	Text/String	Appliance version
Device Event Class ID	<vmid>	Number	A unique identifier per event-type. This can be a string or an integer Workbench OR OAT
Name	<objecttype>	Text/String	A string representing a human-readable and understandable description of the event
Severity	<severity>	Number	A string or integer and reflects the importance of the event. Workbench : severity or modelSeverity OAT : filter.level
cat	N/A	N/A	filter name
reason	<reason>	Text/String	filter description
cs1	N/A	N/A	MITRE tactics id list
cs1Label	N/A	N/A	N/A
cs2	N/A	N/A	MITRE technique id list
cs2Label	N/A	N/A	N/A
sourceServiceName ?? not in pipeline api	N/A	N/A	OAT source
rt	N/A	N/A	event time MMM dd yyyy HH:mm:ss
dvchost	<dname>	Text/String	The hostname of endpoint.
dvc	N/A	N/A	The first IPv4 address of endpoint if have
c6a1	N/A	N/A	The first IPv6 address of endpoint if have
c6a1Label	N/A	N/A	N/A
deviceExternalId	N/A	N/A	The endpoint guid
deviceProcessName	<process>	Text/String	N/A
dst	<dip>	IP Address	destination ip address
src	<sip>	IP Address	source ip address
dhost	N/A	N/A	destination host name
shost	<sname>	Text/String	source host name
dpt	<dport>	Number	destination port
spt	<sport>	Number	source port
dproc	<command>	Text/String	command line
sproc	N/A	N/A	N/A
dntdom	<domainimpacted>	Text/String	destination domain
sntdom	<domainorigin>	Text/String	source domain
cs3	<threatname>	Text/String	malware name or rule name or policy name or
cs3Label	N/A	N/A	N/A
cs4	N/A	N/A	N/A
cs4Label	N/A	N/A	N/A
act	<action>	Text/String	action or action result
app	<protname>	Text/String	application level protocol
deviceDirection	N/A	N/A	device direction
suid	N/A	N/A	source user account or user id
suser	<login>	Text/String	source user account or email sender
duser	<account>	Text/String	destination user account or email address
request	<url>	Text/String	URL
dpid	<processID>	Text/String	process ID
spid	<parentprocessID>	Text/String	parent process ID
requestClientApplication	<useragent>	Text/String	user agent
fileHash	<hash>	Text/String	file hash
fname	<object>	Text/String	file name
filePath	<parentprocesspath>	Text/String	full file path
externalId	N/A	N/A	windows event log id
msg	N/A	N/A	N/A
cs5	N/A	N/A	N/A
cs5Label	N/A	N/A	N/A
cs6	N/A	N/A	N/A
cs6Label	N/A	N/A	N/A
TrendMicroV1EngineOperation	N/A	N/A	engine operation
TrendMicroV1ObjectRawDataStr	N/A	N/A	AMSI raw data
TrendMicroV1RegistryData	N/A	N/A	registry value data
TrendMicroV1RegistryValue	N/A	N/A	registry value
TrendMicroV1RegistryKeyHandle	N/A	N/A	registry key
TrendMicroV1ScanType	N/A	N/A	scan Type
TrendMicroV1ProvideName	N/A	N/A	provider Name
TrendMicroV1AttackPhase	N/A	N/A	attack phase
TrendMicroV1ClientFlag	N/A	N/A	client flag
TrendMicroV1FileHashSha256	N/A	N/A	file hash in SHA256
TrendMicroV1Remarks	N/A	N/A	remarks
TrendMicroV1UrlCat	N/A	N/A	URL category
TrendMicroV1Rating	N/A	N/A	URL rating or risk level?
TrendMicroV1CncDbCat	N/A	N/A	hostname category in C&C DB?
TrendMicroV1CncDbStatus	N/A	N/A	hostname status in C&C DB ?
TrendMicroV1HighlightedText	N/A	N/A	Forensic data by DLP detection or content matching?