Cortext Agent Messages
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| Cortext Agent Messages | Base Rule | General Alert | Warning |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| act | <action> | Text/String | N/A |
| cat | <threatname> | Text/String | N/A |
| cs1 | <process> | Text/String | N/A |
| cs1Label | N/A | N/A | N/A |
| cs2 | N/A | N/A | N/A |
| cs2Label | N/A | N/A | N/A |
| cs3 | N/A | N/A | N/A |
| cs3Label | N/A | N/A | N/A |
| cs4 | N/A | N/A | N/A |
| cs4Label | N/A | N/A | N/A |
| cs5 | <command> | Text/String/Number | N/A |
| cs5Label | N/A | N/A | N/A |
| cs6 | N/A | N/A | N/A |
| cs6Label | N/A | N/A | N/A |
| CSPaccountname | N/A | N/A | N/A |
| deviceFacility | N/A | N/A | N/A |
| end | N/A | N/A | Timestamp |
| externalId | <threatid> | Number | N/A |
| fileHash | <hash> | Text/String/Number | N/A |
| filePath | <object> | Text/String/Number | N/A |
| HEADER/Device Event Class ID | <vmid> | Text/String | N/A |
| HEADER/Device Product | N/A | N/A | Device Product info |
| HEADER/Device Version | <version> | Text/String | Device Version info |
| HEADER/name | <vendorinfo> | Text/String | Action type |
| HEADER/Severity | <severity> | Text/String | integer: 0 - Unknown, 6 - Low, 8 - Medium, 9 - High |
| HEADER/Vendor | N/A | N/A | Vendor info |
| incident | <reason> | Number | N/A |
| initiatorPath | <parentprocesspath> | Text/String/Number | N/A |
| initiatorSha256 | N/A | N/A | N/A |
| osParentSignature | N/A | N/A | N/A |
| request | <url> | Text/String/Number | N/A |
| shost | <sname> | Text/String | The hostname of the machine from where the action was initiated. |
| suser | <login>, <domainorigin> | Text/String | The username of the user who initiated the action. |
| targetprocesssignature | N/A | N/A | N/A |
| tenantCDLid | N/A | N/A | N/A |
| tenantname | N/A | N/A | N/A |