Vendor Documentation
Classification
| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| Email Detection Messages | Base Rule | General Threat Message | Activity |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Header (logVer) | N/A | N/A | CEF format version. |
| Header (vendor) | N/A | N/A | Appliance vendor. |
| Header (pname) | N/A | N/A | Appliance product. |
| Header (pver) | <version> | Text/String | Appliance version. |
| Header (eventid) | <vmid> | Number | Signature ID. |
| Header (eventName) | <vendorinfo> | Text/String | Description. |
| Header (severity) | <severity> | Number | Severity. |
| dvc | <dip> | IP Address | Appliance IP address. |
| dvcmac | <dmac> | Text/String | Appliance MAC address. |
| dvchost | <dname> | Text/String | Appliance host name. |
| rt | N/A | N/A | Log generation time. |
| suser | <sender> | Text/String | Email sender. |
| src | <sip> | IP Address | Source IP address. |
| duser | <recipient> | Text/String | Email recipients. |
| msg | <subject> | Text/String | Email subject. |
| cn2Label | N/A | N/A | msgSize. |
| cn2 | <size> | Number | msgSize. |
| cn1Label | N/A | N/A | Threattype. |
| cn1 | <threatname> | Number | Threattype. |
| act | <action> | Text/String | The action in the event. Examples: |
| cs2Label | N/A | N/A | Internal email ID. |
| cs2 | N/A | N/A | Internal email ID. |
| cs3Label | N/A | N/A | Email ID. |
| cs3 | N/A | N/A | Email ID. |
| cs4Label | N/A | N/A | Label for sender email address. |
| cs4 | N/A | N/A | Sender email address. |
| cs5Label | N/A | N/A | Label for recipient email address. |
| cs5 | N/A | N/A | Recipient email address. |
| deviceExternalId | N/A | N/A | Appliance GUID. |
| cs1 | N/A | N/A | Names of threats in the email. |
| cs1Label | N/A | N/A | Names of threats in the email. |
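As an added illustration, not taken from the vendor's documentation or from LogRhythm's parser, the following Python splits one CEF record into its header and extension fields and applies the mapping in the table above, enforcing the table's Number types and resolving the generic cnN/csN slots through their paired Label keys. The sample record, vendor, product and addresses are constructed for this example.

```python
import re

# CEF extension key -> LogRhythm schema field, as listed in the mapping table above.
CEF_TO_LOGRHYTHM = {
    "dvc": "dip", "dvcmac": "dmac", "dvchost": "dname", "suser": "sender",
    "src": "sip", "duser": "recipient", "msg": "subject", "cn2": "size",
    "cn1": "threatname", "act": "action",
}
HEADER_FIELDS = ("logVer", "vendor", "pname", "pver", "eventid", "eventName", "severity")
HEADER_TO_LOGRHYTHM = {"pver": "version", "eventid": "vmid",
                       "eventName": "vendorinfo", "severity": "severity"}
NUMERIC = {"vmid", "severity", "size", "threatname"}   # the "Number" rows of the table

def parse_cef(line):
    """Split a CEF record into its seven header fields and its extension pairs."""
    # Header fields are '|'-separated; a literal pipe inside a field is escaped as '\|'.
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    header = {k: v.replace("\\|", "|") for k, v in zip(HEADER_FIELDS, parts[:7])}
    header["logVer"] = header["logVer"][len("CEF:"):]
    # Extension values may contain spaces, so a value runs until the next ' key=' token.
    ext = {m.group(1): m.group(2).replace("\\=", "=")
           for m in re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", parts[7])}
    return header, ext

def to_logrhythm(line):
    """Apply the vendor-to-LogRhythm mapping from the table to one record."""
    header, ext = parse_cef(line)
    out = {HEADER_TO_LOGRHYTHM[k]: v for k, v in header.items() if k in HEADER_TO_LOGRHYTHM}
    out.update((CEF_TO_LOGRHYTHM[k], v) for k, v in ext.items() if k in CEF_TO_LOGRHYTHM)
    for field in NUMERIC.intersection(out):
        # Enforce the table's Number type; a non-numeric value means the mapping is off.
        if not out[field].lstrip("-").isdigit():
            raise ValueError(f"{field} should be numeric, got {out[field]!r}")
        out[field] = int(out[field])
    # cnN/csN are generic slots; their meaning is carried by the paired cnNLabel/csNLabel key.
    labels = {k[:-5]: v for k, v in ext.items() if k.endswith("Label")}
    out["labels"] = {label: ext[slot] for slot, label in labels.items() if slot in ext}
    return out

# Constructed sample record (vendor, product and addresses are made up for this example).
SAMPLE = ("CEF:0|ExampleVendor|EmailGateway|1.2.3|10001|Malicious attachment detected|8|"
          "dvc=10.0.0.5 dvchost=mailgw01 suser=alice@example.test src=203.0.113.7 "
          "duser=bob@example.test msg=Invoice attached act=blocked "
          "cn1Label=Threattype cn1=3 cn2Label=msgSize cn2=48213")

if __name__ == "__main__":
    print(to_logrhythm(SAMPLE))
```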