Vendor Documentation
Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
|
Log Field |
LogRhythm Default |
LogRhythm Default v2.0 |
|---|---|---|
|
N/A |
<version> |
N/A |
|
N/A |
<vmid> |
N/A |
|
N/A |
<severity> |
N/A |
|
categoryDeviceType |
<subject> |
N/A |
|
dst |
<dip> |
<dip> |
|
dmac |
<dmac> |
<dmac> |
|
dhost |
<dname> |
N/A |
|
request |
<url> |
N/A |
|
categoryOutcome |
<result> |
N/A |
|
categorySignificance |
<object> |
N/A |
|
cs7 |
<action> |
N/A |
|
categoryTupleDescription |
<command> |
N/A |
|
cs4 |
<threatname> |
<url> |
|
cs4 |
<objectname> |
N/A |
|
filePath |
<status> |
N/A |
|
fileHash |
<hash> |
N/A |
|
cs4 |
<process> |
N/A |
|
scs10 |
<hash> |
N/A |
|
cs11 |
<threatname> |
N/A |
|
N/A |
N/A |
<vendorinfo> |
|
N/A |
N/A |
<process> |
|
N/A |
N/A |
<severity> |
|
N/A |
N/A |
<sip> |
|
N/A |
N/A |
<sname> |
|
N/A |
N/A |
<protname> |
|
N/A |
N/A |
<dname> |
|
N/A |
N/A |
<sport> |
|
N/A |
N/A |
<smac> |
|
N/A |
N/A |
<dport> |
|
N/A |
N/A |
<subject> |
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
|
Regex ID |
Rule Name |
Rule Type |
Common Event |
Classification |
|---|---|---|---|---|
|
1009183 |
HX Messages |
Base Rule |
General Firewall Log |
Network Traffic |
|
Host Acquisition Successfully Completed |
Sub Rule |
Object Operation |
Other Audit Success |
|
|
Host Acquisition Successfully Queued |
Sub Rule |
Object Operation |
Other Audit Success |
|
|
Host Acquisition Successfully Started |
Sub Rule |
Object Operation |
Other Audit Success |
|
|
IOC Hit Found |
Sub Rule |
Host Compromised |
Compromise |
|
|
IOC Hit Found : Not Malicious |
Sub Rule |
Suspicious Activity |
Suspicious |
|
|
IOC Hit Found : TOR Exit Node |
Sub Rule |
Network Compromised |
Compromise |
|
|
IOC Hit Found : TOR Exit Node |
Sub Rule |
Network Compromised |
Compromise |
|
|
IOC Hit Found : Ransomware |
Sub Rule |
Host Compromised |
Compromise |
|
|
IOC Hit Found : Suspicious WScript Usage |
Sub Rule |
Host Compromised |
Compromise |
|
|
IOC Hit Found : CCLEANER Trojan |
Sub Rule |
Host Compromised |
Compromise |
|
|
IOC Hit Found : Trojan.JS.Nemucod |
Sub Rule |
Detected Trojan Activity |
Malware |
|
|
IOC Hit Found : Trojan.Nakoctb |
Sub Rule |
Detected Trojan Activity |
Malware |
|
|
IOC Hit Found : Trojan.Downloader.Hancitor |
Sub Rule |
Detected Trojan Activity |
Malware |
|
|
IOC Hit Found : Trojan.Adwind |
Sub Rule |
Detected Trojan Activity |
Malware |
|
|
IOC Hit Found : Suspicious VBScript |
Sub Rule |
Host Compromised |
Compromise |
|
|
ExD Hit Found |
Sub Rule |
Host Compromised |
Compromise |
|
|
IOC Hit Found : TaskMgr Process Dump LSASS.EXE |
Sub Rule |
Host Compromised |
Compromise |
|
|
IOC Hit Found : Suspicious Powershell Usage |
Sub Rule |
Host Compromised |
Compromise |
|
|
IOC Hit Found : Phishing Activity |
Sub Rule |
Phishing Activity |
Attack |
|
|
IOC Hit Found : Mimikatz Malware |
Sub Rule |
Network Compromised |
Compromise |
|
|
IOC Hit Found : Malware.Binary |
Sub Rule |
Detected Malware Activity |
Malware |
|
|
IOC Hit Found : MalwrSpam |
Sub Rule |
Detected Malware Activity |
Malware |
|
|
Malware Protection Found A Compromise Indication |
Sub Rule |
Detected Malware Activity |
Malware |
|
|
Quarantine Task Successfully Completed, File Delet |
Sub Rule |
Quarantine |
Activity |
LogRhythm Default v2.0
|
Regex ID |
Rule Name |
Rule Type |
Common Event |
Classification |
|---|---|---|---|---|
|
1012551 |
V 2.0 : FireEye MPS Events |
Base Rule |
FireEye Notification |
Operations : Other Operations |