Cortext Agent Messages
Vendor Documentation
Classification
| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| Cortext Agent Messages | Base Rule | General Alert | Warning |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| act | <action> | Text/String | N/A |
| cat | <threatname> | Text/String | N/A |
| cs1 | <process> | Text/String | N/A |
| cs1Label | N/A | N/A | N/A |
| cs2 | N/A | N/A | N/A |
| cs2Label | N/A | N/A | N/A |
| cs3 | N/A | N/A | N/A |
| cs3Label | N/A | N/A | N/A |
| cs4 | N/A | N/A | N/A |
| cs4Label | N/A | N/A | N/A |
| cs5 | <command> | Text/String/Number | N/A |
| cs5Label | N/A | N/A | N/A |
| cs6 | N/A | N/A | N/A |
| cs6Label | N/A | N/A | N/A |
| CSPaccountname | N/A | N/A | N/A |
| deviceFacility | N/A | N/A | N/A |
| end | N/A | N/A | Timestamp (not mapped) |
| externalId | <threatid> | Number | N/A |
| fileHash | <hash> | Text/String/Number | N/A |
| filePath | <object> | Text/String/Number | N/A |
| HEADER/Device Event Class ID | <vmid> | Text/String | N/A |
| HEADER/Device Product | N/A | N/A | Device Product info (not mapped) |
| HEADER/Device Version | <version> | Text/String | Device Version info |
| HEADER/name | <vendorinfo> | Text/String | Action type |
| HEADER/Severity | <severity> | Text/String | Integer carried as text: 0 - Unknown, 6 - Low, 8 - Medium, 9 - High |
| HEADER/Vendor | N/A | N/A | Vendor info (not mapped) |
| incident | <reason> | Number | N/A |
| initiatorPath | <parentprocesspath> | Text/String/Number | N/A |
| initiatorSha256 | N/A | N/A | N/A |
| osParentSignature | N/A | N/A | N/A |
| request | <url> | Text/String/Number | N/A |
| shost | <sname> | Text/String | The hostname of the machine from which the action was initiated. |
| suser | <login>, <domainorigin> | Text/String | The username of the user who initiated the action; the domain part of the value populates <domainorigin>. |
| targetprocesssignature | N/A | N/A | N/A |
| tenantCDLid | N/A | N/A | N/A |
| tenantname | N/A | N/A | N/A |
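The table above is, in effect, a specification for turning one CEF record from the agent into LogRhythm schema fields. The following is an added example of that mapping in Python; it is not LogRhythm's parser nor the vendor's code. It splits the seven pipe-delimited header fields (honouring the `\|` escape CEF requires inside the header), parses the `key=value` extension (honouring `\=`, `\\`, `\n`, `\r`), and applies only the rows the table maps, leaving the N/A keys unmapped. The sample record, the vendor and product strings in it, the `DOMAIN\user` and `user@domain` forms assumed for `suser`, and the added `severity_label` derived from the integer meanings documented on this page are all assumptions made for the example.

```python
import re

# Fixed order of the seven CEF header fields:
# CEF:Version|Device Vendor|Device Product|Device Version|Device Event Class ID|Name|Severity|extension
CEF_HEADER = ("cef_version", "vendor", "product", "device_version",
              "event_class_id", "name", "severity")

# Header field -> LogRhythm schema field, as listed in the mapping table.
HEADER_TO_SCHEMA = {
    "event_class_id": "vmid",
    "device_version": "version",
    "name": "vendorinfo",
    "severity": "severity",
}

# Extension key -> LogRhythm schema field, as listed in the mapping table.
# Keys the table marks N/A (cs2..cs4, cs6, *Label, tenant*, ...) are parsed but
# deliberately not mapped. suser is handled separately (two target fields).
EXT_TO_SCHEMA = {
    "act": "action",
    "cat": "threatname",
    "cs1": "process",
    "cs5": "command",
    "externalId": "threatid",
    "fileHash": "hash",
    "filePath": "object",
    "incident": "reason",
    "initiatorPath": "parentprocesspath",
    "request": "url",
    "shost": "sname",
}

# Severity integers documented on this page; anything else is treated as Unknown (assumption).
SEVERITY_LABEL = {"0": "Unknown", "6": "Low", "8": "Medium", "9": "High"}

# key=value pairs: a value runs until the next " key=" or end of line and may
# contain the CEF escapes \= \\ \n \r, which must not be read as delimiters.
_EXT_RE = re.compile(
    r"(?P<key>[A-Za-z0-9_]+)=(?P<val>(?:\\.|[^\\=])*?)(?=\s+[A-Za-z0-9_]+=|\s*$)")
_ESC = {"\\=": "=", "\\\\": "\\", "\\n": "\n", "\\r": "\r"}


def _unescape_ext(value):
    return re.sub(r"\\[=\\nr]", lambda m: _ESC[m.group(0)], value)


def split_cef(line):
    """Return (header dict, raw extension string). Handles '\\|' and '\\\\' inside header fields."""
    fields, buf, i = [], [], 0
    while i < len(line) and len(fields) < len(CEF_HEADER):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):   # escaped pipe/backslash: keep the next char literally
            buf.append(line[i + 1]); i += 2; continue
        if ch == "|":
            fields.append("".join(buf)); buf = []; i += 1; continue
        buf.append(ch); i += 1
    if len(fields) != len(CEF_HEADER) or not fields[0].startswith("CEF:"):
        raise ValueError("not a well-formed CEF record")
    header = dict(zip(CEF_HEADER, fields))
    header["cef_version"] = header["cef_version"][len("CEF:"):]
    return header, line[i:]


def parse_extension(ext):
    return {m.group("key"): _unescape_ext(m.group("val")) for m in _EXT_RE.finditer(ext)}


def to_logrhythm(line):
    """Map one CEF record onto the LogRhythm schema fields listed in the table."""
    header, ext_raw = split_cef(line)
    ext = parse_extension(ext_raw)
    out = {schema: header[h] for h, schema in HEADER_TO_SCHEMA.items() if header.get(h)}
    out.update({schema: ext[k] for k, schema in EXT_TO_SCHEMA.items() if k in ext})
    # suser feeds both <login> and <domainorigin>; DOMAIN\user and user@domain forms are assumed.
    suser = ext.get("suser", "")
    if "\\" in suser:
        out["domainorigin"], out["login"] = suser.split("\\", 1)
    elif "@" in suser:
        out["login"], out["domainorigin"] = suser.split("@", 1)
    elif suser:
        out["login"] = suser
    # <severity> stays text as the table says; the label is an added convenience field.
    if "severity" in out:
        out["severity_label"] = SEVERITY_LABEL.get(out["severity"], "Unknown")
    return out


# Constructed sample record (not real telemetry); it exercises the header and extension escapes.
SAMPLE = (r"CEF:0|ExampleVendor|Cortext Agent|1.0|Malware|Prevented (Quarantine\|Block)|9|"
          r"act=Blocked cat=Trojan cs1=cmd.exe cs1Label=Process "
          r"cs5=cmd.exe /c whoami cs5Label=Command externalId=12345 incident=42 "
          r"fileHash=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef "
          r"filePath=C:\\Users\\alice\\Downloads\\dropper.exe "
          r"initiatorPath=C:\\Windows\\explorer.exe "
          r"request=http://example.invalid/payload?id\=1 shost=WKS-0042 suser=CORP\\alice")

if __name__ == "__main__":
    for field, value in sorted(to_logrhythm(SAMPLE).items()):
        print(f"{field:18} {value}")
```

Two details are worth checking when validating a real feed against this table: the `name` header may legitimately contain a `|` (escaped as `\|`), so naive `split("|")` mis-assigns <vendorinfo> and <severity>; and `cs5` (<command>) and `request` (<url>) routinely contain spaces and `=` characters, so an extension parser that splits on those characters will truncate exactly the fields an analyst most wants intact.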