
CTP Detection Log Messages

Vendor Documentation

Classification

| Rule Name | Rule Type | Common Event | Classification |
| --- | --- | --- | --- |
| CTP Detection Log Messages | Base Rule | Web Application Blocked | Failed Activity |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
| --- | --- | --- | --- |
| Header (logVer) | N/A | N/A | CEF format version. |
| Header (vendor) | N/A | N/A | Appliance vendor. |
| Header (pname) | N/A | N/A | Appliance product. |
| Header (pver) | `<version>` | Text/String | Appliance version. |
| Header (eventid) | `<vmid>` | Number | Signature ID. |
| Header (eventName) | `<vendorinfo>` | Text/String | Description. |
| Header (severity) | `<severity>` | Number | Severity. 2: Unavailable; 4: Low; 6: Medium; 8: High |
| rt | N/A | N/A | Log generation time. |
| cs2Label | N/A | N/A | Label for sender email address. |
| cs2 | `<sender>` | Text/String | Sender email address. |
| request | `<url>` | Text/String | URL. |
| suser | `<login>` | Text/String | Email sender. |
| dvchost | `<dname>` | Text/String | Appliance host name. |
| dvc | `<dip>` | IP Address | Appliance IP address. |
| deviceExternalId | N/A | N/A | Appliance GUID. |
| duser | `<recipient>` | Text/String | Email recipients. |
| msg | `<subject>` | Text/String | Email subject. |
| cs3Label | N/A | N/A | Label for recipient email address. |
| cs3 | N/A | N/A | Recipient email address. |
| cs1Label | N/A | N/A | Names of threats in the email. |
| cs1 | `<session>` | Text/String | Names of threats in the email. |
| act | `<action>` | Text/String | The action in the event: blocked, warned_and_stopped, warned_but_accessed |
| dvcmac | `<dmac>` | Text/String | Appliance MAC address. |
| cs4Label | N/A | N/A | Label for time of URL click. |
| cs4 | N/A | N/A | The time of URL click. |
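
The mapping table above applied to a CEF record, as an added example (not vendor or LogRhythm code): it splits the header and extension fields, renames the mapped keys to their schema fields, and notes any severity or action value outside the sets the table documents. The function names and the sample record, including its vendor, product, host and label values, are constructed placeholders.

```python
import re

# Device key -> LogRhythm schema field, copied from the mapping table above.
# Keys the table maps to N/A (logVer, vendor, pname, rt, cs3, cs4, ...) are dropped.
HEADER_KEYS = ["logVer", "vendor", "pname", "pver", "eventid", "eventName", "severity"]
SCHEMA_MAP = {
    "pver": "version", "eventid": "vmid", "eventName": "vendorinfo",
    "severity": "severity", "cs2": "sender", "request": "url", "suser": "login",
    "dvchost": "dname", "dvc": "dip", "duser": "recipient", "msg": "subject",
    "cs1": "session", "act": "action", "dvcmac": "dmac",
}
NUMERIC = ("vmid", "severity")          # "Number" data type in the table
SEVERITIES = {2, 4, 6, 8}               # Unavailable, Low, Medium, High
ACTIONS = {"blocked", "warned_and_stopped", "warned_but_accessed"}

def unescape(value):  # CEF escapes '=', '|' and '\' with a leading backslash
    return re.sub(r"\\([=|\\])", r"\1", value)

def parse_cef(line):
    """Return the 7 CEF header fields plus the extension key/value pairs."""
    start = line.find("CEF:")           # skip any syslog prefix
    if start < 0:
        raise ValueError("not a CEF record")
    parts = re.split(r"(?<!\\)\|", line[start + 4:], maxsplit=7)
    if len(parts) < 8:
        raise ValueError("truncated CEF header")
    fields = {k: unescape(v) for k, v in zip(HEADER_KEYS, parts[:7])}
    # An extension value runs until the next " key=" token or the end of the line.
    for key, value in re.findall(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)", parts[7]):
        fields[key] = unescape(value)
    return fields

def to_logrhythm(line):
    """Apply the table's mapping; report values outside the documented sets."""
    out = {SCHEMA_MAP[k]: v for k, v in parse_cef(line).items() if k in SCHEMA_MAP}
    for field in NUMERIC:
        if out.get(field, "").isdigit():
            out[field] = int(out[field])
    checks = (("severity", SEVERITIES), ("action", ACTIONS))
    notes = [f"undocumented {f}" for f, allowed in checks if out.get(f) not in allowed]
    return out, notes

# Constructed sample record: every value, including the cs2Label text, is a placeholder.
SAMPLE = (
    "CEF:0|ExampleVendor|ExampleProduct|1.0|100000|CTP detection|8|"
    "rt=Mar 01 2024 10:00:00 cs2Label=MailSender cs2=alice@example.test "
    "request=http://example.test/a?id\\=1 suser=alice@example.test "
    "dvchost=appliance01 dvc=192.0.2.10 duser=bob@example.test "
    "msg=Invoice overdue act=warned_but_accessed"
)
```

A non-empty `notes` list means the record carries a severity or action the table does not list, which is worth surfacing before the event is normalized.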
