Attack Technique Log Messages
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
---|---|---|---|
Attack Technique Log Messages | Base Rule | General Attack Activity | Attack |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
---|---|---|---|
datetime | N/A | N/A | Local time in the format: "MMM dd yyyy HH:mm:ss" |
host | N/A | N/A | Hostname without the domain information |
Version | N/A | N/A | CEF format version, current CEF version is 0 |
Device Vendor | N/A | N/A | Appliance vendor |
Device Product | <vendorinfo> | Text/String | Appliance product |
Device Version | <version> | Text/String | Appliance version |
Device Event Class ID | <vmid> | Number | A unique identifier per event type. This can be a string or an integer (Workbench or OAT) |
Name | <objecttype> | Text/String | A string representing a human-readable and understandable description of the event |
Severity | <severity> | Number | A string or integer that reflects the importance of the event. |
cat | N/A | N/A | filter name |
reason | <reason> | Text/String | filter description |
cs1 | N/A | N/A | MITRE tactics id list |
cs1Label | N/A | N/A | N/A |
cs2 | N/A | N/A | MITRE technique id list |
cs2Label | N/A | N/A | N/A |
sourceServiceName ?? not in pipeline api | N/A | N/A | OAT source |
rt | N/A | N/A | event time MMM dd yyyy HH:mm:ss |
dvchost | <dname> | Text/String | The hostname of the endpoint. |
dvc | N/A | N/A | The first IPv4 address of the endpoint, if available |
c6a1 | N/A | N/A | The first IPv6 address of the endpoint, if available |
c6a1Label | N/A | N/A | N/A |
deviceExternalId | N/A | N/A | The endpoint GUID |
dst | <dip> | IP Address | destination ip address |
src | <sip> | IP Address | source ip address |
dhost | N/A | N/A | destination host name |
shost | <sname> | Text/String | source host name |
dpt | <dport> | Number | destination port |
spt | <sport> | Number | source port |
dproc | <command> | Text/String | command line |
sproc | N/A | N/A | N/A |
dntdom | <domainimpacted> | Text/String | destination domain |
sntdom | <domainorigin> | Text/String | source domain |
cs3 | <threatname> | Text/String | malware name or rule name or policy name or |
cs3Label | N/A | N/A | N/A |
cs4 | N/A | N/A | N/A |
cs4Label | N/A | N/A | N/A |
act | <action> | Text/String | action or action result |
app | <protname> | Text/String | application level protocol |
deviceDirection | N/A | N/A | device direction |
suid | N/A | N/A | source user account or user id |
suser | <login> | Text/String | source user account or email sender |
duser | <account> | Text/String | destination user account or email address |
request | <url> | Text/String | URL |
dpid | <processID> | Text/String | process ID |
spid | <parentprocessID> | Text/String | parent process ID |
requestClientApplication | <useragent> | Text/String | user agent |
fileHash | <hash> | Text/String | file hash |
fname | <object> | Text/String | file name |
filePath | <parentprocesspath> | Text/String | full file path |
externalId | N/A | N/A | windows event log id |
msg | N/A | N/A | N/A |
cs5 | N/A | N/A | N/A |
cs5Label | N/A | N/A | N/A |
cs6 | N/A | N/A | N/A |
cs6Label | N/A | N/A | N/A |
TrendMicroV1EngineOperation | N/A | N/A | engine operation |
TrendMicroV1ObjectRawDataStr | N/A | N/A | AMSI raw data |
TrendMicroV1RegistryData | N/A | N/A | registry value data |
TrendMicroV1RegistryValue | N/A | N/A | registry value |
TrendMicroV1RegistryKeyHandle | N/A | N/A | registry key |
TrendMicroV1ScanType | N/A | N/A | scan Type |
TrendMicroV1ProvideName | N/A | N/A | provider Name |
TrendMicroV1AttackPhase | N/A | N/A | attack phase |
TrendMicroV1ClientFlag | N/A | N/A | client flag |
TrendMicroV1FileHashSha256 | N/A | N/A | file hash in SHA256 |
TrendMicroV1Remarks | N/A | N/A | remarks |
TrendMicroV1UrlCat | N/A | N/A | URL category |
TrendMicroV1Rating | N/A | N/A | URL rating or risk level? |
TrendMicroV1CncDbCat | N/A | N/A | hostname category in C&C DB? |
TrendMicroV1CncDbStatus | N/A | N/A | hostname status in C&C DB ? |
TrendMicroV1HighlightedText | N/A | N/A | Forensic data by DLP detection or content matching? |
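The mapping table above is what a parser has to implement: split the syslog prefix and the pipe-delimited CEF header, split the extension into key=value pairs (honouring CEF's backslash escaping of `|` and `=`), and rename the keys that have a LogRhythm schema field. The following is an added worked example, not LogRhythm's or Trend Micro's own code. It transcribes the table's mapping into a dictionary, casts the fields the table types as Number when the value is numeric, and is run over a constructed sample line; the vendor/product strings, IDs and addresses in that line are made up, and the comma separator assumed for the cs1/cs2 MITRE id lists is not specified on the page.

```python
import re
from typing import Any, Dict

# CEF key -> LogRhythm schema field, transcribed from the mapping table above.
# Keys the table marks N/A are omitted here and keep their CEF name.
CEF_TO_LOGRHYTHM: Dict[str, str] = {
    "Device Product": "vendorinfo", "Device Version": "version",
    "Device Event Class ID": "vmid", "Name": "objecttype", "Severity": "severity",
    "reason": "reason", "dvchost": "dname", "dst": "dip", "src": "sip",
    "shost": "sname", "dpt": "dport", "spt": "sport", "dproc": "command",
    "dntdom": "domainimpacted", "sntdom": "domainorigin", "cs3": "threatname",
    "act": "action", "app": "protname", "suser": "login", "duser": "account",
    "request": "url", "dpid": "processID", "spid": "parentprocessID",
    "requestClientApplication": "useragent", "fileHash": "hash",
    "fname": "object", "filePath": "parentprocesspath",
}

# Fields the table types as Number. Cast only when the value is all digits,
# because the table notes Device Event Class ID may also be a string.
NUMBER_FIELDS = {"vmid", "severity", "dport", "sport"}

HEADER_FIELDS = ["Version", "Device Vendor", "Device Product", "Device Version",
                 "Device Event Class ID", "Name", "Severity"]

# "MMM dd yyyy HH:mm:ss" datetime, hostname, then the CEF payload
_SYSLOG_PREFIX = re.compile(
    r"^(?P<datetime>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<cef>CEF:.*)$")
_UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")      # header separator, skipping "\|"
_EXT_KEY = re.compile(r"(?:^|\s)(\w+)=")        # "key=" at start or after whitespace


def _unescape(value: str, chars: str) -> str:
    """Undo CEF backslash escaping for `chars` and for the backslash itself."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value) and value[i + 1] in chars + "\\":
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def _parse_extension(ext: str) -> Dict[str, str]:
    """Split the extension into key/value pairs; a value runs up to the next 'key='."""
    fields: Dict[str, str] = {}
    matches = list(_EXT_KEY.finditer(ext))
    for i, km in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(ext)
        fields[km.group(1)] = _unescape(ext[km.end():end].strip(), "=")
    return fields


def parse_cef(line: str) -> Dict[str, Any]:
    """Parse 'datetime host CEF:...' into the syslog fields, the 7 header fields and the extension."""
    m = _SYSLOG_PREFIX.match(line)
    if not m:
        raise ValueError("line does not start with the expected 'datetime host CEF:' prefix")
    parts = _UNESCAPED_PIPE.split(m.group("cef"), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("malformed CEF header")
    parts[0] = parts[0][len("CEF:"):]           # "CEF:0" -> "0"
    record: Dict[str, Any] = {"datetime": m.group("datetime"), "host": m.group("host")}
    for name, raw in zip(HEADER_FIELDS, parts[:7]):
        record[name] = _unescape(raw, "|")
    record["extension"] = _parse_extension(parts[7])
    return record


def to_logrhythm(record: Dict[str, Any]) -> Dict[str, Any]:
    """Rename parsed fields to LogRhythm schema names; unmapped keys keep their CEF name."""
    out: Dict[str, Any] = {"datetime": record["datetime"], "host": record["host"]}
    source = {k: record[k] for k in HEADER_FIELDS}
    source.update(record["extension"])
    for key, value in source.items():
        name = CEF_TO_LOGRHYTHM.get(key, key)
        out[name] = int(value) if name in NUMBER_FIELDS and value.isdigit() else value
    # cs1/cs2 are MITRE tactic/technique id lists; the page gives no separator,
    # so a comma is assumed here.
    for key in ("cs1", "cs2"):
        if key in out:
            out[key] = [x.strip() for x in out[key].split(",") if x.strip()]
    return out


# Constructed sample line (not a real event): every value below is made up.
SAMPLE_LINE = (
    "Mar 05 2024 10:11:12 edr-host1 "
    "CEF:0|Trend Micro|Vision One|1.0|100|Attack Technique Detected|5|"
    "cat=Example Filter reason=Encoded command line detected cs1=TA0002,TA0005 cs2=T1059.001 "
    "dvchost=WS01 src=10.0.0.5 dst=203.0.113.7 spt=51234 dpt=443 "
    "dproc=powershell.exe -File script.ps1 suser=jdoe "
    "request=https://example.com/?q\\=1 act=Logged"
)

if __name__ == "__main__":
    for k, v in to_logrhythm(parse_cef(SAMPLE_LINE)).items():
        print(f"{k}: {v!r}")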