Catch All : MistNet Case/Incident Messages
Classification
Rule Name | Rule Type | Classification | Common Event |
|---|---|---|---|
| Catch All : MistNet Case/Incident Messages | Base Rule | Security : Activity | General Threat Message |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| admin_state | <status> | String | Status of a Case/Incident. Possible values: CaseOpen, CaseClosed, IncidentReported, IncidentInvestigation, and IncidentClosed |
| active | N/A | N/A | Describes whether a case is active or not. Possible values: true and false |
| case_detail | <subject> | String | Short description about a Case/Incident |
| case_id | <threatid> | Number | Unique ID of a Case/Incident |
| case_summary | <vendorinfo> | String | Case/Incident Summary |
| category | <vmid> <tag1> | String | Category to which a Case/Incident belongs. Possible values: Initial Compromise, Lateral Movement, Anomalous Activity, Extrusion, Vulnerability, Endpoint, etc. |
| certainty | N/A | N/A | Certainty of a Case/Incident. Possible values: 0 through 100 |
| closed_reason | N/A | N/A | Reason why the case/incident was closed. Possible values: false-positive and inactive |
| created_at | N/A | N/A | Time when a Case/Incident was created |
| entity_type | N/A | N/A | The type of entity associated with this case. Possible values: User, Host, and Ip |
| entity_uuid | N/A | N/A | Unique ID for the entity. Possible values: user_uuid, host_uuid, dest_host_uuid, dest_user_uuid, src, and dest |
| entry_origin | N/A | N/A | The engine that originated this record. Possible values: XXX YYY Engine, XXX Watcher Engine, ZZZ Watch, etc. |
| entry_source | N/A | N/A | The source node that produced this record. For example, Probe Node of a Case/Incident |
| entry_type | N/A | N/A | Type of this record. Possible values: AlertEvent, IntelEvent, ThirdPartyEvent, SslAnomalyEvent, TriggerEvent, etc. |
| entry_uuid | N/A | N/A | Unique UUID for a Case/Incident |
| event_count | N/A | N/A | Number of case-events in a Case/Incident |
| ioa | N/A | N/A | Indicator of Attack - For now, first IOA of a Case/Incident is stored |
| action | N/A | N/A | N/A |
| app | N/A | N/A | N/A |
| bytes | N/A | N/A | N/A |
| created_at | N/A | N/A | N/A |
| columns | N/A | N/A | N/A |
| community_id | N/A | N/A | N/A |
| date | N/A | N/A | N/A |
| dest | N/A | N/A | N/A |
| dest_fqdn | N/A | N/A | N/A |
| dest.cc | N/A | N/A | N/A |
| dest_port | N/A | N/A | N/A |
| destination.as.organization_name | N/A | N/A | N/A |
| destination.as.asn | N/A | N/A | N/A |
| destination.geo.continent_name | N/A | N/A | N/A |
| destination.geo.country_iso_code | N/A | N/A | N/A |
| destination.geo.location.lat | N/A | N/A | N/A |
| destination.geo.location.lon | N/A | N/A | N/A |
| destination.ip | N/A | N/A | N/A |
| destination.port | N/A | N/A | N/A |
| destination.is_local | N/A | N/A | N/A |
| duration | N/A | N/A | N/A |
| end_time | N/A | N/A | N/A |
| entity_type | N/A | N/A | N/A |
| entity_uuid | N/A | N/A | N/A |
| entity_origin | N/A | N/A | N/A |
| entity_source | N/A | N/A | N/A |
| entity_type | N/A | N/A | N/A |
| entity_uuid | N/A | N/A | N/A |
| event_attribute | N/A | N/A | N/A |
| event_category | N/A | N/A | N/A |
| event_certainty | N/A | N/A | N/A |
| event.event_extra_attributes | N/A | N/A | N/A |
| event_score | N/A | N/A | N/A |
| event_severity | N/A | N/A | N/A |
| event_trigger | N/A | N/A | N/A |
| event_trigger_id | N/A | N/A | N/A |
| event_tags | N/A | N/A | N/A |
| event_uuid | N/A | N/A | N/A |
| hour | N/A | N/A | N/A |
| domain_report | N/A | N/A | N/A |
| ip_investigation_report | N/A | N/A | N/A |
| kubernetes.container | N/A | N/A | N/A |
| kubernetes.labels | N/A | N/A | N/A |
| kubernetes.node | N/A | N/A | N/A |
| kubernetes.pod | N/A | N/A | N/A |
| kubernetes.replicaset | N/A | N/A | N/A |
| local_orig | N/A | N/A | N/A |
| local_resp | N/A | N/A | N/A |
| attack_framework | N/A | N/A | N/A |
| mitre_tactic | N/A | N/A | N/A |
| mitre_technique | N/A | N/A | N/A |
| proto | N/A | N/A | N/A |
| session_id | N/A | N/A | N/A |
| site | N/A | N/A | N/A |
| source.ip | N/A | N/A | N/A |
| source.port | N/A | N/A | N/A |
| source.is_local | N/A | N/A | N/A |
| source.user | N/A | N/A | N/A |
| src | N/A | N/A | N/A |
| src_port | N/A | N/A | N/A |
| start_time | N/A | N/A | N/A |
| summary_dests | N/A | N/A | N/A |
| timestamp | N/A | N/A | N/A |
| user_uuid | N/A | N/A | N/A |
| weekday | N/A | N/A | N/A |
| whitelisted | N/A | N/A | N/A |
| app_info.created_at | N/A | N/A | N/A |
| app_info.completed_at | N/A | N/A | N/A |
| app_info.process_count | N/A | N/A | N/A |
| app_info.response_code | N/A | N/A | N/A |
| case_info.created_at | N/A | N/A | N/A |
| case_info.completed_at | N/A | N/A | N/A |
| case_info.process_count | N/A | N/A | N/A |
| classifier_info.created_at | N/A | N/A | N/A |
| classifier_info.completed_at | N/A | N/A | N/A |
| classifier_info.process_count | N/A | N/A | N/A |
| cve_info.cve_dest_status | N/A | N/A | N/A |
| deduper_info.bypass | N/A | N/A | N/A |
| deduper_info.created_at | N/A | N/A | N/A |
| deduper_info.completed_at | N/A | N/A | N/A |
| deduper_info.process_count | N/A | N/A | N/A |
| domain_info | N/A | N/A | N/A |
| eventscorer_info.bypass | N/A | N/A | N/A |
| eventscorer_info.created_at | N/A | N/A | N/A |
| eventscorer_info.completed_at | N/A | N/A | N/A |
| eventscrorer_info.process_count | N/A | N/A | N/A |
| ext_info.created_at | N/A | N/A | N/A |
| ext_info.response_code | N/A | N/A | N/A |
| ext_info.threat_level | N/A | N/A | N/A |
| ext_info.domain_info | N/A | N/A | N/A |
| ext_info.domain_info.domain | N/A | N/A | N/A |
| ext_info.domain_info.domain_is_popular | N/A | N/A | N/A |
| ext_info.domain_info.domain_whois_cc | N/A | N/A | N/A |
| ext_info.domain_info.domain_whois_location | N/A | N/A | N/A |
| ext_info.domain_info.domain_whois_org | N/A | N/A | N/A |
| ext_info.domain_info.domain_whois_reg_date | N/A | N/A | N/A |
| ext_info.domain_info.server_name | N/A | N/A | N/A |
| ext_info.dest_ip_info | N/A | N/A | N/A |
| ext_info.dest_ip_info.ip_addr | N/A | N/A | N/A |
| ext_info.dest_ip_info.ip_whois_cc | N/A | N/A | N/A |
| ext_info.dest_ip_info.ip_whois_location | N/A | N/A | N/A |
| ext_info.dest_ip_info.ip_whois_org | N/A | N/A | N/A |
| ext_info.dest_ip_info.ip_whois_reg_date | N/A | N/A | N/A |
| ext_info.src_ip_info | N/A | N/A | N/A |
| ext-info.uri_info | N/A | N/A | N/A |
| file_info | N/A | N/A | N/A |
| ip_info | N/A | N/A | N/A |
| logfinder_info.bypass | N/A | N/A | N/A |
| logfinder_info.created_at | N/A | N/A | N/A |
| logfinder_info.completed_at | N/A | N/A | N/A |
| logfinder_info.process_count | N/A | N/A | N/A |
| mistwatcher_info | N/A | N/A | N/A |
| network_info.created_at | N/A | N/A | N/A |
| network_info.completed_at | N/A | N/A | N/A |
| network_info.process_count | N/A | N/A | N/A |
| network_info.response_code | N/A | N/A | N/A |
| network_info.int_dest.ip_addr | N/A | N/A | N/A |
| network_info.int_dest.network_description | N/A | N/A | N/A |
| network_info.int_dest.network_prefix | N/A | N/A | N/A |
| network_info.int_dest.network_type | N/A | N/A | N/A |
| network_info.int_src.ip_addr | N/A | N/A | N/A |
| network_info.int_src.network_description | N/A | N/A | N/A |
| network_info.int_src.network_prefix | N/A | N/A | N/A |
| network_info.int_src.network_type | N/A | N/A | N/A |
| network_info.int_src.user_uuid | N/A | N/A | N/A |
| pcap_info | N/A | N/A | N/A |
| rapid7_info | N/A | N/A | N/A |
| rare_info.created_at | N/A | N/A | N/A |
| rare_info.completed_at | N/A | N/A | N/A |
| rare_info.process_count | N/A | N/A | N/A |
| rare_info.response_code | N/A | N/A | N/A |
| rare_info.rare | N/A | N/A | N/A |
| rare_info.rule_id | N/A | N/A | N/A |
| url_info | N/A | N/A | N/A |
| session_info.local_orig | N/A | N/A | N/A |
| session_info.local_resp | N/A | N/A | N/A |
| session_info.logs_count_ssl | N/A | N/A | N/A |
| session_info.logs_count_total | N/A | N/A | N/A |
| vulnerability_info | N/A | N/A | N/A |
| event_actor | N/A | N/A | N/A |
| logs.app | N/A | N/A | N/A |
| logs.community_id | N/A | N/A | N/A |
| logs.created_at | N/A | N/A | N/A |
| logs.date | N/A | N/A | N/A |
| logs.dest | N/A | N/A | N/A |
| logs.destination.as.organization_name | N/A | N/A | N/A |
| logs.destination.as.asn | N/A | N/A | N/A |
| logs.destination.geo.continent_name | N/A | N/A | N/A |
| logs.destination.country_iso_code | N/A | N/A | N/A |
| logs.destination.location.lat | N/A | N/A | N/A |
| logs.destination.location.lon | N/A | N/A | N/A |
| logs.destination.ip | N/A | N/A | N/A |
| logs.destination.port | N/A | N/A | N/A |
| logs.destination.is_local | N/A | N/A | N/A |
| logs.entry_origin | N/A | N/A | N/A |
| logs.entry_source | N/A | N/A | N/A |
| logs.entry_type | N/A | N/A | N/A |
| logs.entry_uuid | N/A | N/A | N/A |
| logs.hour | N/A | N/A | N/A |
| logs.source.ip | N/A | N/A | N/A |
| logs.source.port | N/A | N/A | N/A |
| logs.source.is_local | N/A | N/A | N/A |
| logs.source.user_uuid | N/A | N/A | N/A |
| logs.src | N/A | N/A | N/A |
| logs.timestamp | N/A | N/A | N/A |
| logs.user_uuid | N/A | N/A | N/A |
| logs.pcap_info | N/A | N/A | N/A |
| logs.mistwatcher_info | N/A | N/A | N/A |
| logs.weekday | N/A | N/A | N/A |
| logs.conn_state | N/A | N/A | N/A |
| logs.dest_port | N/A | N/A | N/A |
| logs.duration | N/A | N/A | N/A |
| logs.history | N/A | N/A | N/A |
| logs.local_orig | N/A | N/A | N/A |
| logs.local_resp | N/A | N/A | N/A |
| logs.missed_bytes | N/A | N/A | N/A |
| logs.orig_bytes | N/A | N/A | N/A |
| logs.orig_ip_bytes | N/A | N/A | N/A |
| logs.orig_pkts | N/A | N/A | N/A |
| logs.proto | N/A | N/A | N/A |
| logs.resp_bytes | N/A | N/A | N/A |
| logs.resp_ip_bytes | N/A | N/A | N/A |
| logs.resp_pkts | N/A | N/A | N/A |
| logs.service | N/A | N/A | N/A |
| logs.session_id | N/A | N/A | N/A |
| logs.src_port | N/A | N/A | N/A |
| logs.dhcp_server | N/A | N/A | N/A |
| logs.columns | N/A | N/A | N/A |
| logs.decorations | N/A | N/A | N/A |
| logs.request_type | N/A | N/A | N/A |
| logs.cipher | N/A | N/A | N/A |
| logs.request-type | N/A | N/A | N/A |
| logs.version | N/A | N/A | N/A |
| logs.cert_chain_fuids | N/A | N/A | N/A |
| logs.curve | N/A | N/A | N/A |
| logs.established | N/A | N/A | N/A |
| logs.issuer | N/A | N/A | N/A |
| logs.subject | N/A | N/A | N/A |
| logs.validation_status | N/A | N/A | N/A |
| logs.ja3 | N/A | N/A | N/A |
| logs.ja3s | N/A | N/A | N/A |
| IncidentCaseEvents | N/A | N/A | N/A |
| decorations | N/A | N/A | N/A |
| mitre_ttp | N/A | N/A | N/A |
| mitre_ttp.tactic_id | N/A | N/A | N/A |
| mitre_ttp.tactic | N/A | N/A | N/A |
| mitre_ttp.technique_id | N/A | N/A | N/A |
| mitre_ttp.technique | N/A | N/A | N/A |
| ioa_count | N/A | N/A | Total number of IOAs for a Case/Incident |
| ioa_summary_count | N/A | N/A | Total number of summary IOAs of a Case/Incident |
| last_modified | N/A | N/A | Time when a Case/Incident was last modified |
| main_event | N/A | N/A | The most significant event of a Case/Incident |
| main_event.created_at | N/A | N/A | N/A |
| main_event.columns | N/A | N/A | N/A |
| main_event.date | N/A | N/A | N/A |
| main_event.entry_origin | N/A | N/A | N/A |
| main_event.entry_source | N/A | N/A | N/A |
| main_event.entry_type | N/A | N/A | N/A |
| main_event.entry_uuid | N/A | N/A | N/A |
| main_event.event_attribute | N/A | N/A | N/A |
| main_event.event_category | N/A | N/A | N/A |
| main_event.event_extra_attributes | N/A | N/A | N/A |
| main_event.event_score | N/A | N/A | N/A |
| main_event.event_uuid | N/A | N/A | N/A |
| main_event.hour | N/A | N/A | N/A |
| main_event.domain_report | N/A | N/A | N/A |
| main_event.ip_investigation_report | N/A | N/A | N/A |
| main_event.kubernetes.container | N/A | N/A | N/A |
| main_event.kubernetes.labels | N/A | N/A | N/A |
| main_event.kubernetes.node | N/A | N/A | N/A |
| main_event.kubernetes.pod | N/A | N/A | N/A |
| main_event.kubernetes.replicaset | N/A | N/A | N/A |
| main_event.attack_framework | N/A | N/A | N/A |
| main_event.mitre_tactic | N/A | N/A | N/A |
| main_event.mitre_technique | N/A | N/A | N/A |
| main_event.timestamp | N/A | N/A | N/A |
| main_event.whitelisted | N/A | N/A | N/A |
| main_event.app_info | N/A | N/A | N/A |
| main_event.case_info | N/A | N/A | N/A |
| main_event.classifier_info | N/A | N/A | N/A |
| main_event.cve_info | N/A | N/A | N/A |
| main_event.deduper_info | N/A | N/A | N/A |
| main_event.domain_info | N/A | N/A | N/A |
| main_event.eventscorer_info | N/A | N/A | N/A |
| main_event.ext_info.domain_info | N/A | N/A | N/A |
| main_event.ext_info.dest_ip_info | N/A | N/A | N/A |
| main_event.ext_info.src_ip_info | N/A | N/A | N/A |
| main_event.ext_info.uri_info | N/A | N/A | N/A |
| main_event.file_info | N/A | N/A | N/A |
| main_event.ip_info | N/A | N/A | N/A |
| main_event.logfinder_info | N/A | N/A | N/A |
| main_event.mistwatcher_info | N/A | N/A | N/A |
| main_event.network_info.int_dest | N/A | N/A | N/A |
| main_event.network_info.int_src | N/A | N/A | N/A |
| main_event.pcap_info | N/A | N/A | N/A |
| main_event.rapid7_info | N/A | N/A | N/A |
| main_event.url_info | N/A | N/A | N/A |
| main_event.session_info.local_orig | N/A | N/A | N/A |
| main_event.session_info.local_resp | N/A | N/A | N/A |
| main_event.vulnerability_info | N/A | N/A | N/A |
| main_event.event_actor | N/A | N/A | N/A |
| main_event.IncidentCaseEvents | N/A | N/A | N/A |
| main_event.decorations | N/A | N/A | N/A |
| positive | N/A | N/A | Tells whether a Case/Incident is true or false positive |
| servicenow_info | N/A | N/A | N/A |
| severity | N/A | N/A | Severity of a Case/Incident. Possible values: 0 through 100 |
| score | N/A | N/A | Score of a Case/Incident. Possible values: 0 through 10 |
| timestamp | N/A | N/A | Timestamp for case |
| wildcard_ioa_count | N/A | N/A | Number of wildcard IOAs |
| actor | N/A | N/A | Actor responsible for an event |
| summary_events_count | N/A | N/A | N/A |
| polic_violation_info | N/A | N/A | N/A |
| incident_info | N/A | N/A | N/A |
| casescore | N/A | N/A | N/A |
| determination | N/A | N/A | Determination for incident |
| note | N/A | N/A | Notes for incident |