Vendor Documentation | N/A
Classification
| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| Link Shadow Log Messages | Base Rule | General Information | Information |
| Threat Intel Domain Log Messages | Sub Rule | General Threat Message | Information |
| Threat Intel IP Log Messages | Sub Rule | General Threat Message | Information |
| Suspected DGA Log Messages | Sub Rule | Suspicious Activity | Suspicious |
| Suspicious Domains Log Messages | Sub Rule | Suspicious Activity | Suspicious |
| Suspicious Login Log Messages | Sub Rule | Suspicious User Activity | Suspicious |
| Suspicious IP Log Messages | Sub Rule | Suspect IP Address Detected | Activity |
| Suspicious DNS Log Messages | Sub Rule | Suspicious Activity | Suspicious |
| Suspicious DNS Query Log Messages | Sub Rule | Suspicious Activity | Suspicious |
| SSH Traffic Log Messages | Sub Rule | SSH session in progress on Unusual Port | Activity |
| SSH Connection To External Log Messages | Sub Rule | SSH Session Opened | Network Traffic |
| SSH Connection Attempt From External Log Messages | Sub Rule | SSH Session Opened | Network Traffic |
| SMB Brute Force Log Messages | Sub Rule | Brute Force Activity | Attack |
| RDP Log Messages | Sub Rule | General Information | Information |
| DNS Response Log Messages | Sub Rule | DNS Response | Information |
| Network Scan Log Messages | Sub Rule | Network Information Message | Information |
| HTTP Errors Log Messages | Sub Rule | General HTTP Error | Error |
| Multiple Files Transfer Log Messages | Sub Rule | General File Transfer Message | Information |
| Kerberos Traffic Log Messages | Sub Rule | General Kerberos Information | Information |
| File Transfer Log Messages | Sub Rule | General File Transfer Message | Information |
| Executable File Transfers Log Messages | Sub Rule | General File Transfer Message | Information |
| Suspicious SMB Communication Log Messages | Sub Rule | Suspicious Activity | Suspicious |

Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| N/A | N/A | N/A | 4 |
| N/A | N/A | N/A | Device vendor. |
| `product_name` | `<vendorinfo>` | Text/String | N/A |
| N/A | `<version>` | Number | Version. |
| N/A | `<vmid>` | Number | Signature ID. |
| N/A | `<object>` | Text/String | Description of the event. |
| `Severity` | `<severity>` | Number | N/A |
| `dvc` | `<dnatip>` | IP Address | N/A |
| `externalId` | N/A | N/A | N/A |
| `smac` | `<smac>` | Number | N/A |
| `spt` | `<sport>` | Number | N/A |
| `dpt` | `<dport>` | Number | N/A |
| `cat` | N/A | N/A | N/A |
| `msg` | `<subject>` | Text/String | N/A |
| `src` | `<sip>` | IP Address | N/A |
| `dst` | `<dip>` | IP Address | N/A |
| `cn1Label` | N/A | N/A | N/A |
| `cn1` | N/A | N/A | N/A |
| `cs3Label` | N/A | N/A | N/A |
| `cs3` | `<process>` | Text/String | N/A |
| `cn2Label` | N/A | N/A | N/A |
| `cn2` | N/A | N/A | N/A |
| `fname` | `<objectname>` | Text/String | N/A |
| `fileHash` | `<hash>` | Text/String/Number | N/A |
| `fileType` | `<objecttype>` | Text/String | N/A |
| `rt` | N/A | N/A | N/A |
| `reason` | `<reason>` | Text/String | N/A |
| `suser` | `<login>` | Text/String | N/A |
| `duser` | `<account>` | Text/String | N/A |