Vendor Documentation
Classification
|
Rule Name |
Rule Type |
Common Event |
Classification |
|---|---|---|---|
|
Cortext Agent Messages |
Base Rule |
General Alert |
Warning |
Mapping with LogRhythm Schema
|
Device Key in Log Message |
LogRhythm Schema |
Data Type |
Schema Description |
|---|---|---|---|
|
act |
<action> |
Text/String |
N/A |
|
cat |
<threatname> |
Text/String |
N/A |
|
cs1 |
<process> |
Text/String |
N/A |
|
cs1Label |
N/A |
N/A |
N/A |
|
cs2 |
N/A |
N/A |
N/A |
|
cs2Label |
N/A |
N/A |
N/A |
|
cs3 |
N/A |
N/A |
N/A |
|
cs3Label |
N/A |
N/A |
N/A |
|
cs4 |
N/A |
N/A |
N/A |
|
cs4Label |
N/A |
N/A |
N/A |
|
cs5 |
<command> |
Text/String/Number |
N/A |
|
cs5Label |
N/A |
N/A |
N/A |
|
cs6 |
N/A |
N/A |
N/A |
|
cs6Label |
N/A |
N/A |
N/A |
|
CSPaccountname |
N/A |
N/A |
N/A |
|
deviceFacility |
N/A |
N/A |
N/A |
|
end |
N/A |
N/A |
Timestamp |
|
externalId |
<threatid> |
Number |
N/A |
|
fileHash |
<hash> |
Text/String/Number |
N/A |
|
filePath |
<object> |
Text/String/Number |
N/A |
|
HEADER/Device Event Class ID |
<vmid> |
Text/String |
N/A |
|
HEADER/Device Product |
N/A |
N/A |
Device Product info |
|
HEADER/Device Version |
<version> |
Text/String |
Device Version info |
|
HEADER/name |
<vendorinfo> |
Text/String |
Action type |
|
HEADER/Severity |
<severity> |
Text/String |
integer: 0 - Unknown, 6 - Low, 8 - Medium, 9 - High |
|
HEADER/Vendor |
N/A |
N/A |
Vendor info |
|
incident |
<reason> |
Number |
N/A |
|
initiatorPath |
<parentprocesspath> |
Text/String/Number |
N/A |
|
initiatorSha256 |
N/A |
N/A |
N/A |
|
osParentSignature |
N/A |
N/A |
N/A |
|
request |
<url> |
Text/String/Number |
N/A |
|
shost |
<sname> |
Text/String |
The hostname of the machine from where the action was initiated. |
|
suser |
<login>, <domainorigin> |
Text/String |
The username of the user who initiated the action. |
|
targetprocesssignature |
N/A |
N/A |
N/A |
|
tenantCDLid |
N/A |
N/A |
N/A |
|
tenantname |
N/A |
N/A |
N/A |