Classification
|
Rule Name |
Rule Type |
Classification |
Common Event |
|---|---|---|---|
|
Catch All : MistNet Case/Incident Messages |
Base Rule |
Security : Activity |
General Threat Message |
Mapping with LogRhythm Schema
|
Device Key in Log Message |
LogRhythm Schema |
Data Type |
Schema Description |
|---|---|---|---|
|
admin_state |
<status> |
String |
Status of a Case/Incident. Possible values: CaseOpen, CaseClosed, IncidentReported, IncidentInvestigation, and IncidentClosed |
|
active |
N/A |
N/A |
Describes whether a case is active or not. Possible values: true and false |
|
case_detail |
<subject> |
String |
Short description about a Case/Incident |
|
case_id |
<threatid> |
Number |
Unique ID of a Case/Incident |
|
case_summary |
<vendorinfo> |
String |
Case/Incident Summary |
|
category |
<vmid>
|
String |
Category to which a Case/Incident belongs. Possible values: Initial Compromise, Lateral Movement, Anomalous Activity, Extrusion, Vulnerability, Endpoint, etc. |
|
certainty |
N/A |
N/A |
Certainty of a Case/Incident. Possible values: 0 through 100 |
|
closed_reason |
N/A |
N/A |
Reason why the case/incident was closed. Possible values: false-positive and inactive |
|
created_at |
N/A |
N/A |
Time when a Case/Incident was created |
|
entity_type |
N/A |
N/A |
The type of entity associated with this case. Possible values: User, Host, and Ip |
|
entity_uuid |
N/A |
N/A |
Unique ID for the entity. Possible values: user_uuid, host_uuid, dest_host_uuid, dest_user_uuid, src, and dest |
|
entry_origin |
N/A |
N/A |
The engine that originated this record. Possible values: XXX YYY Engine, XXX Watcher Engine, ZZZ Watch, etc. |
|
entry_source |
N/A |
N/A |
The source node that produced this record. For example, Probe Node of a Case/Incident |
|
entry_type |
N/A |
N/A |
Type of this record. Possible values: AlertEvent, IntelEvent, ThirdPartyEvent, SslAnomalyEvent, TriggerEvent, etc. |
|
entry_uuid |
N/A |
N/A |
Unique UUID for a Case/Incident |
|
event_count |
N/A |
N/A |
Number of case-events in a Case/Incident |
|
ioa |
N/A |
N/A |
Indicator of Attack - For now, first IOA of a Case/Incident is stored |
|
action |
N/A |
N/A |
N/A |
|
app |
N/A |
N/A |
N/A |
|
bytes |
N/A |
N/A |
N/A |
|
created_at |
N/A |
N/A |
N/A |
|
columns |
N/A |
N/A |
N/A |
|
community_id |
N/A |
N/A |
N/A |
|
date |
N/A |
N/A |
N/A |
|
dest |
N/A |
N/A |
N/A |
|
dest_fqdn |
N/A |
N/A |
N/A |
|
dest.cc |
N/A |
N/A |
N/A |
|
dest_port |
N/A |
N/A |
N/A |
|
destination.as.organization_name |
N/A |
N/A |
N/A |
|
destination.as.asn |
N/A |
N/A |
N/A |
|
destination.geo.continent_name |
N/A |
N/A |
N/A |
|
destination.geo.country_iso_code |
N/A |
N/A |
N/A |
|
destination.geo.location.lat |
N/A |
N/A |
N/A |
|
destination.geo.location.lon |
N/A |
N/A |
N/A |
|
destination.ip |
N/A |
N/A |
N/A |
|
destination.port |
N/A |
N/A |
N/A |
|
destination.is_local |
N/A |
N/A |
N/A |
|
duration |
N/A |
N/A |
N/A |
|
end_time |
N/A |
N/A |
N/A |
|
entity_type |
N/A |
N/A |
N/A |
|
entity_uuid |
N/A |
N/A |
N/A |
|
entity_origin |
N/A |
N/A |
N/A |
|
entity_source |
N/A |
N/A |
N/A |
|
entity_type |
N/A |
N/A |
N/A |
|
entity_uuid |
N/A |
N/A |
N/A |
|
event_attribute |
N/A |
N/A |
N/A |
|
event_category |
N/A |
N/A |
N/A |
|
event_certainty |
N/A |
N/A |
N/A |
|
event.event_extra_attributes |
N/A |
N/A |
N/A |
|
event_score |
N/A |
N/A |
N/A |
|
event_severity |
N/A |
N/A |
N/A |
|
event_trigger |
N/A |
N/A |
N/A |
|
event_trigger_id |
N/A |
N/A |
N/A |
|
event_tags |
N/A |
N/A |
N/A |
|
event_uuid |
N/A |
N/A |
N/A |
|
hour |
N/A |
N/A |
N/A |
|
domain_report |
N/A |
N/A |
N/A |
|
ip_investigation_report |
N/A |
N/A |
N/A |
|
kubernetes.container |
N/A |
N/A |
N/A |
|
kubernetes.labels |
N/A |
N/A |
N/A |
|
kubernetes.node |
N/A |
N/A |
N/A |
|
kubernetes.pod |
N/A |
N/A |
N/A |
|
kubernetes.replicaset |
N/A |
N/A |
N/A |
|
local_orig |
N/A |
N/A |
N/A |
|
local_resp |
N/A |
N/A |
N/A |
|
attack_framework |
N/A |
N/A |
N/A |
|
mitre_tactic |
N/A |
N/A |
N/A |
|
mitre_technique |
N/A |
N/A |
N/A |
|
proto |
N/A |
N/A |
N/A |
|
session_id |
N/A |
N/A |
N/A |
|
site |
N/A |
N/A |
N/A |
|
source.ip |
N/A |
N/A |
N/A |
|
source.port |
N/A |
N/A |
N/A |
|
source.is_local |
N/A |
N/A |
N/A |
|
source.user |
N/A |
N/A |
N/A |
|
src |
N/A |
N/A |
N/A |
|
src_port |
N/A |
N/A |
N/A |
|
start_time |
N/A |
N/A |
N/A |
|
summary_dests |
N/A |
N/A |
N/A |
|
timestamp |
N/A |
N/A |
N/A |
|
user_uuid |
N/A |
N/A |
N/A |
|
weekday |
N/A |
N/A |
N/A |
|
whitelisted |
N/A |
N/A |
N/A |
|
app_info.created_at |
N/A |
N/A |
N/A |
|
app_info.completed_at |
N/A |
N/A |
N/A |
|
app_info.process_count |
N/A |
N/A |
N/A |
|
app_info.response_code |
N/A |
N/A |
N/A |
|
case_info.created_at |
N/A |
N/A |
N/A |
|
case_info.completed_at |
N/A |
N/A |
N/A |
|
case_info.process_count |
N/A |
N/A |
N/A |
|
classifier_info.created_at |
N/A |
N/A |
N/A |
|
classifier_info.completed_at |
N/A |
N/A |
N/A |
|
classifier_info.process_count |
N/A |
N/A |
N/A |
|
cve_info.cve_dest_status |
N/A |
N/A |
N/A |
|
deduper_info.bypass |
N/A |
N/A |
N/A |
|
deduper_info.created_at |
N/A |
N/A |
N/A |
|
deduper_info.completed_at |
N/A |
N/A |
N/A |
|
deduper_info.process_count |
N/A |
N/A |
N/A |
|
domain_info |
N/A |
N/A |
N/A |
|
eventscorer_info.bypass |
N/A |
N/A |
N/A |
|
eventscorer_info.created_at |
N/A |
N/A |
N/A |
|
eventscorer_info.completed_at |
N/A |
N/A |
N/A |
|
eventscrorer_info.process_count |
N/A |
N/A |
N/A |
|
ext_info.created_at |
N/A |
N/A |
N/A |
|
ext_info.response_code |
N/A |
N/A |
N/A |
|
ext_info.threat_level |
N/A |
N/A |
N/A |
|
ext_info.domain_info |
N/A |
N/A |
N/A |
|
ext_info.domain_info.domain |
N/A |
N/A |
N/A |
|
ext_info.domain_info.domain_is_popular |
N/A |
N/A |
N/A |
|
ext_info.domain_info.domain_whois_cc |
N/A |
N/A |
N/A |
|
ext_info.domain_info.domain_whois_location |
N/A |
N/A |
N/A |
|
ext_info.domain_info.domain_whois_org |
N/A |
N/A |
N/A |
|
ext_info.domain_info.domain_whois_reg_date |
N/A |
N/A |
N/A |
|
ext_info.domain_info.server_name |
N/A |
N/A |
N/A |
|
ext_info.dest_ip_info |
N/A |
N/A |
N/A |
|
ext_info.dest_ip_info.ip_addr |
N/A |
N/A |
N/A |
|
ext_info.dest_ip_info.ip_whois_cc |
N/A |
N/A |
N/A |
|
ext_info.dest_ip_info.ip_whois_location |
N/A |
N/A |
N/A |
|
ext_info.dest_ip_info.ip_whois_org |
N/A |
N/A |
N/A |
|
ext_info.dest_ip_info.ip_whois_reg_date |
N/A |
N/A |
N/A |
|
ext_info.src_ip_info |
N/A |
N/A |
N/A |
|
ext-info.uri_info |
N/A |
N/A |
N/A |
|
file_info |
N/A |
N/A |
N/A |
|
ip_info |
N/A |
N/A |
N/A |
|
logfinder_info.bypass |
N/A |
N/A |
N/A |
|
logfinder_info.created_at |
N/A |
N/A |
N/A |
|
logfinder_info.completed_at |
N/A |
N/A |
N/A |
|
logfinder_info.process_count |
N/A |
N/A |
N/A |
|
mistwatcher_info |
N/A |
N/A |
N/A |
|
network_info.created_at |
N/A |
N/A |
N/A |
|
network_info.completed_at |
N/A |
N/A |
N/A |
|
network_info.process_count |
N/A |
N/A |
N/A |
|
network_info.response_code |
N/A |
N/A |
N/A |
|
network_info.int_dest.ip_addr |
N/A |
N/A |
N/A |
|
network_info.int_dest.network_description |
N/A |
N/A |
N/A |
|
network_info.int_dest.network_prefix |
N/A |
N/A |
N/A |
|
network_info.int_dest.network_type |
N/A |
N/A |
N/A |
|
network_info.int_src.ip_addr |
N/A |
N/A |
N/A |
|
network_info.int_src.network_description |
N/A |
N/A |
N/A |
|
network_info.int_src.network_prefix |
N/A |
N/A |
N/A |
|
network_info.int_src.network_type |
N/A |
N/A |
N/A |
|
network_info.int_src.user_uuid |
N/A |
N/A |
N/A |
|
pcap_info |
N/A |
N/A |
N/A |
|
rapid7_info |
N/A |
N/A |
N/A |
|
rare_info.created_at |
N/A |
N/A |
N/A |
|
rare_info.completed_at |
N/A |
N/A |
N/A |
|
rare_info.process_count |
N/A |
N/A |
N/A |
|
rare_info.response_code |
N/A |
N/A |
N/A |
|
rare_info.rare |
N/A |
N/A |
N/A |
|
rare_info.rule_id |
N/A |
N/A |
N/A |
|
url_info |
N/A |
N/A |
N/A |
|
session_info.local_orig |
N/A |
N/A |
N/A |
|
session_info.local_resp |
N/A |
N/A |
N/A |
|
session_info.logs_count_ssl |
N/A |
N/A |
N/A |
|
session_info.logs_count_total |
N/A |
N/A |
N/A |
|
vulnerability_info |
N/A |
N/A |
N/A |
|
event_actor |
N/A |
N/A |
N/A |
|
logs.app |
N/A |
N/A |
N/A |
|
logs.community_id |
N/A |
N/A |
N/A |
|
logs.created_at |
N/A |
N/A |
N/A |
|
logs.date |
N/A |
N/A |
N/A |
|
logs.dest |
N/A |
N/A |
N/A |
|
logs.destination.as.organization_name |
N/A |
N/A |
N/A |
|
logs.destination.as.asn |
N/A |
N/A |
N/A |
|
logs.destination.geo.continent_name |
N/A |
N/A |
N/A |
|
logs.destination.country_iso_code |
N/A |
N/A |
N/A |
|
logs.destination.location.lat |
N/A |
N/A |
N/A |
|
logs.destination.location.lon |
N/A |
N/A |
N/A |
|
logs.destination.ip |
N/A |
N/A |
N/A |
|
logs.destination.port |
N/A |
N/A |
N/A |
|
logs.destination.is_local |
N/A |
N/A |
N/A |
|
logs.entry_origin |
N/A |
N/A |
N/A |
|
logs.entry_source |
N/A |
N/A |
N/A |
|
logs.entry_type |
N/A |
N/A |
N/A |
|
logs.entry_uuid |
N/A |
N/A |
N/A |
|
logs.hour |
N/A |
N/A |
N/A |
|
logs.source.ip |
N/A |
N/A |
N/A |
|
logs.source.port |
N/A |
N/A |
N/A |
|
logs.source.is_local |
N/A |
N/A |
N/A |
|
logs.source.user_uuid |
N/A |
N/A |
N/A |
|
logs.src |
N/A |
N/A |
N/A |
|
logs.timestamp |
N/A |
N/A |
N/A |
|
logs.user_uuid |
N/A |
N/A |
N/A |
|
logs.pcap_info |
N/A |
N/A |
N/A |
|
logs.mistwatcher_info |
N/A |
N/A |
N/A |
|
logs.weekday |
N/A |
N/A |
N/A |
|
logs.conn_state |
N/A |
N/A |
N/A |
|
logs.dest_port |
N/A |
N/A |
N/A |
|
logs.duration |
N/A |
N/A |
N/A |
|
logs.history |
N/A |
N/A |
N/A |
|
logs.local_orig |
N/A |
N/A |
N/A |
|
logs.local_resp |
N/A |
N/A |
N/A |
|
logs.missed_bytes |
N/A |
N/A |
N/A |
|
logs.orig_bytes |
N/A |
N/A |
N/A |
|
logs.orig_ip_bytes |
N/A |
N/A |
N/A |
|
logs.orig_pkts |
N/A |
N/A |
N/A |
|
logs.proto |
N/A |
N/A |
N/A |
|
logs.resp_bytes |
N/A |
N/A |
N/A |
|
logs.resp_ip_bytes |
N/A |
N/A |
N/A |
|
logs.resp_pkts |
N/A |
N/A |
N/A |
|
logs.service |
N/A |
N/A |
N/A |
|
logs.session_id |
N/A |
N/A |
N/A |
|
logs.src_port |
N/A |
N/A |
N/A |
|
logs.dhcp_server |
N/A |
N/A |
N/A |
|
logs.columns |
N/A |
N/A |
N/A |
|
logs.decorations |
N/A |
N/A |
N/A |
|
logs.request_type |
N/A |
N/A |
N/A |
|
logs.cipher |
N/A |
N/A |
N/A |
|
logs.request-type |
N/A |
N/A |
N/A |
|
logs.version |
N/A |
N/A |
N/A |
|
logs.cert_chain_fuids |
N/A |
N/A |
N/A |
|
logs.curve |
N/A |
N/A |
N/A |
|
logs.established |
N/A |
N/A |
N/A |
|
logs.issuer |
N/A |
N/A |
N/A |
|
logs.subject |
N/A |
N/A |
N/A |
|
logs.validation_status |
N/A |
N/A |
N/A |
|
logs.ja3 |
N/A |
N/A |
N/A |
|
logs.ja3s |
N/A |
N/A |
N/A |
|
IncidentCaseEvents |
N/A |
N/A |
N/A |
|
decorations |
N/A |
N/A |
N/A |
|
mitre_ttp |
N/A |
N/A |
N/A |
|
mitre_ttp.tactic_id |
N/A |
N/A |
N/A |
|
mitre_ttp.tactic |
N/A |
N/A |
N/A |
|
mitre_ttp.technique_id |
N/A |
N/A |
N/A |
|
mitre_ttp.technique |
N/A |
N/A |
N/A |
|
ioa_count |
N/A |
N/A |
Total number of IOAs for a Case/Incident |
|
ioa_summary_count |
N/A |
N/A |
Total number of summary IOAs of a Case/Incident |
|
last_modified |
N/A |
N/A |
Time when a Case/Incident was last modified |
|
main_event |
N/A |
N/A |
The most significant event of a Case/Incident |
|
main_event.created_at |
N/A |
N/A |
N/A |
|
main_event.columns |
N/A |
N/A |
N/A |
|
main_event.date |
N/A |
N/A |
N/A |
|
main_event.entry_origin |
N/A |
N/A |
N/A |
|
main_event.entry_source |
N/A |
N/A |
N/A |
|
main_event.entry_type |
N/A |
N/A |
N/A |
|
main_event.entry_uuid |
N/A |
N/A |
N/A |
|
main_event.event_attribute |
N/A |
N/A |
N/A |
|
main_event.event_category |
N/A |
N/A |
N/A |
|
main_event.event_extra_attributes |
N/A |
N/A |
N/A |
|
main_event.event_score |
N/A |
N/A |
N/A |
|
main_event.event_uuid |
N/A |
N/A |
N/A |
|
main_event.hour |
N/A |
N/A |
N/A |
|
main_event.domain_report |
N/A |
N/A |
N/A |
|
main_event.ip_investigation_report |
N/A |
N/A |
N/A |
|
main_event.kubernetes.container |
N/A |
N/A |
N/A |
|
main_event.kubernetes.labels |
N/A |
N/A |
N/A |
|
main_event.kubernetes.node |
N/A |
N/A |
N/A |
|
main_event.kubernetes.pod |
N/A |
N/A |
N/A |
|
main_event.kubernetes.replicaset |
N/A |
N/A |
N/A |
|
main_event.attack_framework |
N/A |
N/A |
N/A |
|
main_event.mitre_tactic |
N/A |
N/A |
N/A |
|
main_event.mitre_technique |
N/A |
N/A |
N/A |
|
main_event.timestamp |
N/A |
N/A |
N/A |
|
main_event.whitelisted |
N/A |
N/A |
N/A |
|
main_event.app_info |
N/A |
N/A |
N/A |
|
main_event.case_info |
N/A |
N/A |
N/A |
|
main_event.classifier_info |
N/A |
N/A |
N/A |
|
main_event.cve_info |
N/A |
N/A |
N/A |
|
main_event.deduper_info |
N/A |
N/A |
N/A |
|
main_event.domain_info |
N/A |
N/A |
N/A |
|
main_event.eventscorer_info |
N/A |
N/A |
N/A |
|
main_event.ext_info.domain_info |
N/A |
N/A |
N/A |
|
main_event.ext_info.dest_ip_info |
N/A |
N/A |
N/A |
|
main_event.ext_info.src_ip_info |
N/A |
N/A |
N/A |
|
main_event.ext_info.uri_info |
N/A |
N/A |
N/A |
|
main_event.file_info |
N/A |
N/A |
N/A |
|
main_event.ip_info |
N/A |
N/A |
N/A |
|
main_event.logfinder_info |
N/A |
N/A |
N/A |
|
main_event.mistwatcher_info |
N/A |
N/A |
N/A |
|
main_event.network_info.int_dest |
N/A |
N/A |
N/A |
|
main_event.network_info.int_src |
N/A |
N/A |
N/A |
|
main_event.pcap_info |
N/A |
N/A |
N/A |
|
main_event.rapid7_info |
N/A |
N/A |
N/A |
|
main_event.url_info |
N/A |
N/A |
N/A |
|
main_event.session_info.local_orig |
N/A |
N/A |
N/A |
|
main_event.session_info.local_resp |
N/A |
N/A |
N/A |
|
main_event.vulnerability_info |
N/A |
N/A |
N/A |
|
main_event.event_actor |
N/A |
N/A |
N/A |
|
main_event.IncidentCaseEvents |
N/A |
N/A |
N/A |
|
main_event.decorations |
N/A |
N/A |
N/A |
|
positive |
N/A |
N/A |
Tells whether a Case/Incident is true or false positive |
|
servicenow_info |
N/A |
N/A |
N/A |
|
severity |
N/A |
N/A |
Severity of a Case/Incident. Possible values: 0 through 100 |
|
score |
N/A |
N/A |
Score of a Case/Incident. Possible values: 0 through 10 |
|
timestamp |
N/A |
N/A |
Timestamp for case |
|
wildcard_ioa_count |
N/A |
N/A |
Number of wildcard IOAs |
|
actor |
N/A |
N/A |
Actor responsible for an event |
|
summary_events_count |
N/A |
N/A |
N/A |
|
polic_violation_info |
N/A |
N/A |
N/A |
|
incident_info |
N/A |
N/A |
N/A |
|
casescore |
N/A |
N/A |
N/A |
|
determination |
N/A |
N/A |
Determination for incident |
|
note |
N/A |
N/A |
Notes for incident |