Cortex BIOC Messages
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
---|---|---|---|
Cortex BIOC Messages | Base Rule | General Security | Other Security |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
---|---|---|---|
HEADER/Vendor | N/A | N/A | Vendor info |
HEADER/Device Product | N/A | N/A | Device Product info |
HEADER/Device Version | <version> | Text/String | Device Version info |
HEADER/Device Event Class ID | <vmid> | Text/String | N/A |
HEADER/name | <vendorinfo> | Text/String | Action type |
HEADER/Severity | <severity> | Text/String | integer/0 - Unknown, 6 - Low, 8 - Medium, 9 - High |
end | N/A | N/A | Timestamp |
shost | <sname> | Text/String | Hostname of the machine from where the action was initiated. |
suser | <login>, <domainorigin> | Text/String | Username of the user who initiated the action. |
deviceFacility | N/A | N/A | N/A |
cat | <threatname> | Text/String | N/A |
externalId | <threatid> | Number | N/A |
request | <url> | Text/String/Number | N/A |
cs1 | <process> | Text/String | N/A |
cs1Label | N/A | N/A | N/A |
cs2 | N/A | N/A | N/A |
cs2Label | N/A | N/A | N/A |
cs3 | N/A | N/A | N/A |
cs3Label | N/A | N/A | N/A |
cs4 | N/A | N/A | N/A |
cs4Label | N/A | N/A | N/A |
cs5 | <command> | Text/String | N/A |
cs5Label | N/A | N/A | N/A |
cs6 | N/A | N/A | N/A |
cs6Label | N/A | N/A | N/A |
fileHash | <hash> | Text/String/Number | N/A |
filePath | <object> | Text/String | N/A |
targetprocesssignature | N/A | N/A | N/A |
tenantname | N/A | N/A | N/A |
tenantCDLid | N/A | N/A | N/A |
CSPaccountname | N/A | N/A | N/A |
initiatorSha256 | N/A | N/A | N/A |
initiatorPath | <parentprocesspath> | Text/String | N/A |
cgoSha256 | N/A | N/A | N/A |
osParentName | N/A | N/A | N/A |
osParentCmd | N/A | N/A | N/A |
osParentSha256 | N/A | N/A | N/A |
osParentSignature | N/A | N/A | N/A |
osParentSigner | N/A | N/A | N/A |
incident | N/A | N/A | N/A |
act | <action> | Text/String | N/A |