Email Detection Messages

Vendor Documentation

Classification

| Rule Name | Rule Type | Common Event | Classification |
| --- | --- | --- | --- |
| Email Detection Messages | Base Rule | General Threat Message | Activity |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
| --- | --- | --- | --- |
| Header (logVer) | N/A | N/A | CEF format version. |
| Header (vendor) | N/A | N/A | Appliance vendor. |
| Header (pname) | N/A | N/A | Appliance product. |
| Header (pver) | <version> | Text/String | Appliance version. |
| Header (eventid) | <vmid> | Number | Signature ID. |
| Header (eventName) | <vendorinfo> | Text/String | Description. |
| Header (severity) | <severity> | Number | Severity. 2: Unavailable; 4: Low; 6: Medium; 8: High |
| dvc | <dip> | IP Address | Appliance IP address. |
| dvcmac | <dmac> | Text/String | Appliance MAC address. |
| dvchost | <dname> | Text/String | Appliance host name. |
| rt | N/A | N/A | Log generation time. |
| suser | <sender> | Text/String | Email sender. |
| src | <sip> | IP Address | Source IP address. |
| duser | <recipient> | Text/String | Email recipients. |
| msg | <subject> | Text/String | Email subject. |
| cn2Label | N/A | N/A | msgSize. |
| cn2 | <size> | Number | msgSize. |
| cn1Label | N/A | N/A | Threattype. |
| cn1 | <threatname> | Number | Threattype. 1: Targeted malware; 2: Malware; 3: Malicious URL; 4: Suspicious file; 5: Suspicious URL; 6: Spam/Graymail; 7: Phishing; 8: Content violation; 9: DLP incident |
| act | <action> | Text/String | The action in the event. Examples: analyzed, cleaned up, deleted, delivered directly, encrypted, file sanitized, passed, quarantined, recipient changed, stamped, stripped, subjectsTagged |
| cs2Label | N/A | N/A | Internal email ID. |
| cs2 | N/A | N/A | Internal email ID. |
| cs3Label | N/A | N/A | Email ID. |
| cs3 | N/A | N/A | Email ID. |
| cs4Label | N/A | N/A | Label for sender email address. |
| cs4 | N/A | N/A | Sender email address. |
| cs5Label | N/A | N/A | Label for recipient email address. |
| cs5 | N/A | N/A | Recipient email address. |
| deviceExternalId | N/A | N/A | Appliance GUID. |
| cs1 | N/A | N/A | Names of threats in the email. |
| cs1Label | N/A | N/A | Names of threats in the email. |
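
Added example, not part of the vendor or LogRhythm documentation: a Python parser that reads one CEF record and renames its fields to the LogRhythm tags in the table above. It honours the CEF escapes `\|` and `\=`, which matters because the email subject (`msg`) is sender-controlled. The sample record, its vendor and product names, and the `severity_label` / `threat_label` output keys are constructed for illustration.

```python
import re

# Device key -> LogRhythm schema tag, copied from the mapping table above.
EXT_MAP = {"dvc": "dip", "dvcmac": "dmac", "dvchost": "dname", "suser": "sender",
           "src": "sip", "duser": "recipient", "msg": "subject", "cn2": "size",
           "cn1": "threatname", "act": "action"}
NUMERIC = {"size", "threatname"}   # extension tags the table types as Number
SEVERITY = {2: "Unavailable", 4: "Low", 6: "Medium", 8: "High"}
THREAT_TYPE = {1: "Targeted malware", 2: "Malware", 3: "Malicious URL",
               4: "Suspicious file", 5: "Suspicious URL", 6: "Spam/Graymail",
               7: "Phishing", 8: "Content violation", 9: "DLP incident"}
# key=value pairs; a value ends where the next " key=" begins (an escaped \= does not start a key)
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")

def split_header(body):
    """Split the 7 pipe-delimited CEF header fields, honouring backslash escapes."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        if body[i] == "\\" and i + 1 < len(body):
            i += 1                      # escaped character: take the next one literally
            cur.append(body[i])
        elif body[i] == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(body[i])
        i += 1
    if len(fields) != 7:
        raise ValueError("truncated CEF header")
    return fields, body[i:]             # header fields, raw extension string

def to_logrhythm(line):
    fields, ext = split_header(line[line.index("CEF:"):])   # skip any syslog prefix
    out = {"version": fields[3], "vmid": int(fields[4]),
           "vendorinfo": fields[5], "severity": int(fields[6])}
    for m in EXT_RE.finditer(ext):
        tag = EXT_MAP.get(m.group(1))   # keys mapped to N/A in the table are skipped
        if tag:
            val = re.sub(r"\\([\\=])", r"\1", m.group(2))
            out[tag] = int(val) if tag in NUMERIC else val
    out["severity_label"] = SEVERITY.get(out["severity"], "unknown")      # hypothetical key
    out["threat_label"] = THREAT_TYPE.get(out.get("threatname"), "unknown")  # hypothetical key
    return out

# Constructed sample record: vendor, product, IDs and addresses are placeholders.
SAMPLE = ("<134>Jan 01 00:00:00 mailgw CEF:0|ExampleVendor|ExampleProduct|1.0|100|"
          "Email \\| alert|8|dvc=192.0.2.10 dvchost=mailgw suser=a@example.com "
          "src=198.51.100.7 duser=b@example.org msg=Invoice id\\=42 overdue "
          "cn2Label=msgSize cn2=20480 cn1Label=Threattype cn1=7 act=quarantined")
```

A parser that splits on every `|` or every space would cut the event name and the subject short on this record.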
