File Analysis Event
Vendor Documentation
Classification
Rule Name | Rule Type | Classification | Common Event |
|---|---|---|---|
| File Analysis Event | Base Rule | Activity | General Threat Message |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Header (logVer) | N/A | N/A | CEF format version |
| Header (vendor) | N/A | N/A | Appliance vendor |
| Header (pname) | N/A | N/A | Appliance product |
| Header (pver) | N/A | N/A | Appliance version |
| Header (eventid) | N/A | N/A | Signature ID |
| Header (eventName) | <vendorinfo> | Text/String | Description |
| Header (severity) | <severity> | Number | Severity |
| cn1 | N/A | N/A | Result of GRID/CSSS |
| cn1label | N/A | N/A | Result of GRID/CSSS label |
| cn2 | N/A | N/A | ROZ rating |
| cn2label | N/A | N/A | ROZ rating label |
| cn3 | N/A | N/A | PCAP ready |
| cn3Label | N/A | N/A | PCAP ready label |
| cs1 | N/A | N/A | Sandbox image type |
| cs1Label | N/A | N/A | Sandbox image type label |
| cs2 | <threatname> | Text/String | Malware name |
| cs2Label | N/A | N/A | Malware name label |
| cs3 | N/A | N/A | Parent SHA1 |
| cs3Label | N/A | N/A | Parent SHA1 label |
| deviceExternalId | N/A | N/A | Appliance GUID |
| dvc | N/A | N/A | Appliance IP address |
| dvchost | N/A | N/A | Appliance host name |
| dvcmac | N/A | N/A | Appliance MAC address |
| fileHash | <hash> | Text/String | SHA1 |
| filePath | N/A | N/A | File path |
| fileType | <objecttype> | Text/String | True file type |
| fname | <object> | Text/String | File name |
| fsize | <size> | Number | File size |
| rt | N/A | N/A | Log generation time Format: Unix time stamp (number of milliseconds since Jan 01 1970 UTC) |