
MN: Case And Incident Messages

Classification

| Rule Name | Rule Type | Classification | Common Event |
|---|---|---|---|
| MN : Case And Incident Messages | Base Rule | Operations : Information | General Threat Message |
| MN : Case Closed | Sub Rule | Information | General Information |
| MN : Anomalous Activity | Sub Rule | Suspicious | Suspicious Activity |
| MN : Extrusion | Sub Rule | Misuse | Unauthorized Activity |
| MN : Intel | Sub Rule | Reconnaissance | Reconnaissance Activity |
| MN : Intel Match | Sub Rule | Reconnaissance | Reconnaissance Activity |
| MN : Malware Compromise | Sub Rule | Malware | Detected Malware Activity |
| MN : Policy Violation | Sub Rule | Other Security | Security Violation |
| MN : Ransomware | Sub Rule | Malware | Detected Malware Activity |
| MN : Recon Activity | Sub Rule | Reconnaissance | Reconnaissance Activity |
| MN : Service Attack | Sub Rule | Attack | General Attack Activity |
| MN : Suspicious Access | Sub Rule | Suspicious | Suspicious Activity |
| MN : Suspicious Activity | Sub Rule | Suspicious | Suspicious Activity |
| MN : Test | Sub Rule | Information | Test Message |
| MN : Vulnerability | Sub Rule | Activity | General Threat Message |
| MN : Endpoint | Sub Rule | Activity | General Threat Message |
| MN : Collection & Exfil | Sub Rule | Activity | General Threat Message |
| MN : C&C | Sub Rule | Activity | General Threat Message |
| MN : Infection | Sub Rule | Malware | Detected Malware Activity |
| MN : Initial Compromise | Sub Rule | Activity | General Threat Message |
| MN : Lateral Movement | Sub Rule | Activity | General Threat Message |
| MN : Privilege Escalation | Sub Rule | Activity | General Threat Message |
| MN : Recon & Discovery | Sub Rule | Reconnaissance | Reconnaissance Activity |
| MN : PUP | Sub Rule | Malware | Possible Malware Activity |
| MN : Check & Update | Sub Rule | Information | General Information |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| admin_state | <status> | String | Status of a Case/Incident. Possible values: CaseOpen, CaseClosed, IncidentReported, IncidentInvestigation, and IncidentClosed |
| case_detail | <subject> | String | Short description of a Case/Incident |
| case_id | N/A | N/A | Unique ID of a Case/Incident |
| case_summary | <vendorinfo> | String | Case/Incident summary |
| category | <vmid>, <tag1> | String | Category to which a Case/Incident belongs. Possible values: Initial Compromise, Lateral Movement, Anomalous Activity, Extrusion, Vulnerability, Endpoint, etc. |
| certainty | N/A | N/A | Certainty of a Case/Incident. Possible values: 0 through 100 |
| created_at | N/A | N/A | Time when a Case/Incident was created |
| entity_type | N/A | N/A | The type of entity associated with this case. Possible values: User, Host, and Ip |
| entity_uuid | N/A | N/A | Unique ID for the entity. Possible values from: user_uuid, host_uuid, dest_host_uuid, dest_user_uuid, src, and dest |
| entry_origin | N/A | N/A | The engine that originated this record. Possible values: XXX YYY Engine, XXX YYY Engine, Watcher Engine, ZZZ Watch, etc. |
| entry_source | N/A | N/A | The source node that produced this record. For example, the Probe Node of a Case/Incident |
| entry_type | N/A | N/A | Type of this record. Possible values: AlertEvent, IntelEvent, ThirdPartyEvent, SslAnomalyEvent, TriggerEvent, etc. |
| entry_uuid | <object> | String | Unique UUID for a Case/Incident |
| event_count | N/A | N/A | Number of case-events in a Case/Incident |
| ioa | N/A | N/A | Indicator of Attack. For now, the first IOA of a Case/Incident is stored |
| columns | N/A | N/A | N/A |
| community_id | N/A | N/A | N/A |
| date | N/A | N/A | N/A |
| dest | <dip> | Number | N/A |
| dest_fqdn | N/A | N/A | N/A |
| dest_port | <dport> | Number | N/A |
| destination.as.organization_name | N/A | N/A | N/A |
| destination.as.asn | N/A | N/A | N/A |
| destination.geo.continent_name | N/A | N/A | N/A |
| destination.geo.country_iso_code | N/A | N/A | N/A |
| destination.geo.location.lat | N/A | N/A | N/A |
| destination.geo.location.lon | N/A | N/A | N/A |
| destination.ip | N/A | N/A | N/A |
| destination.port | N/A | N/A | N/A |
| destination.is_local | N/A | N/A | N/A |
| duration | N/A | N/A | N/A |
| end_time | N/A | N/A | N/A |
| entity_type | N/A | N/A | N/A |
| entity_uuid | N/A | N/A | N/A |
| entity_origin | N/A | N/A | N/A |
| entity_source | N/A | N/A | N/A |
| entity_type | N/A | N/A | N/A |
| entity_uuid | N/A | N/A | N/A |
| event_attribute | N/A | N/A | N/A |
| event_category | N/A | N/A | N/A |
| event_certainty | N/A | N/A | N/A |
| event.event_extra_attributes | N/A | N/A | N/A |
| event_score | N/A | N/A | N/A |
| event_severity | N/A | N/A | N/A |
| event_trigger | <reason> | String | N/A |
| event_trigger_id | N/A | N/A | N/A |
| event_tags | N/A | N/A | N/A |
| event_uuid | N/A | N/A | N/A |
| hour | N/A | N/A | N/A |
| domain_report | N/A | N/A | N/A |
| ip_investigation_report | N/A | N/A | N/A |
| ioa.mitre_ttp.technique_id | <threatid> | String | N/A |
| kubernetes.container | N/A | N/A | N/A |
| kubernetes.labels | N/A | N/A | N/A |
| kubernetes.node | N/A | N/A | N/A |
| kubernetes.pod | N/A | N/A | N/A |
| kubernetes.replicaset | N/A | N/A | N/A |
| local_orig | N/A | N/A | N/A |
| local_resp | N/A | N/A | N/A |
| attack_framework | N/A | N/A | N/A |
| mitre_tactic | N/A | N/A | N/A |
| mitre_technique | N/A | N/A | N/A |
| proto | <protname> | String | N/A |
| session_id | N/A | N/A | N/A |
| site | N/A | N/A | N/A |
| source.ip | <sip> | Number | N/A |
| source.port | <sport> | Number | N/A |
| source.is_local | N/A | N/A | N/A |
| source.user | <account> | String | N/A |
| src | N/A | N/A | N/A |
| src_port | N/A | N/A | N/A |
| start_time | N/A | N/A | N/A |
| summary_dests | N/A | N/A | N/A |
| timestamp | N/A | N/A | N/A |
| user_uuid | N/A | N/A | N/A |
| weekday | N/A | N/A | N/A |
| whitelisted | N/A | N/A | N/A |
| app_info.created_at | N/A | N/A | N/A |
| app_info.completed_at | N/A | N/A | N/A |
| app_info.process_count | N/A | N/A | N/A |
| app_info.response_code | N/A | N/A | N/A |
| case_info.created_at | N/A | N/A | N/A |
| case_info.completed_at | N/A | N/A | N/A |
| case_info.process_count | N/A | N/A | N/A |
| classifier_info.created_at | N/A | N/A | N/A |
| classifier_info.completed_at | N/A | N/A | N/A |
| classifier_info.process_count | N/A | N/A | N/A |
| cve_info.cve_dest_status | N/A | N/A | N/A |
| deduper_info.bypass | N/A | N/A | N/A |
| deduper_info.created_at | N/A | N/A | N/A |
| deduper_info.completed_at | N/A | N/A | N/A |
| deduper_info.process_count | N/A | N/A | N/A |
| domain_info | N/A | N/A | N/A |
| eventscorer_info.bypass | N/A | N/A | N/A |
| eventscorer_info.created_at | N/A | N/A | N/A |
| eventscorer_info.completed_at | N/A | N/A | N/A |
| eventscrorer_info.process_count | N/A | N/A | N/A |
| ext_info.created_at | N/A | N/A | N/A |
| ext_info.response_code | N/A | N/A | N/A |
| ext_info.threat_level | N/A | N/A | N/A |
| ext_info.domain_info | N/A | N/A | N/A |
| ext_info.domain_info.domain | <domainimpacted> | String | N/A |
| ext_info.domain_info.domain_is_popular | N/A | N/A | N/A |
| ext_info.domain_info.domain_whois_cc | N/A | N/A | N/A |
| ext_info.domain_info.domain_whois_location | N/A | N/A | N/A |
| ext_info.domain_info.domain_whois_org | N/A | N/A | N/A |
| ext_info.domain_info.domain_whois_reg_date | N/A | N/A | N/A |
| ext_info.domain_info.server_name | <dname> | String | N/A |
| ext_info.dest_ip_info | N/A | N/A | N/A |
| ext_info.dest_ip_info.ip_addr | N/A | N/A | N/A |
| ext_info.dest_ip_info.ip_whois_cc | N/A | N/A | N/A |
| ext_info.dest_ip_info.ip_whois_location | N/A | N/A | N/A |
| ext_info.dest_ip_info.ip_whois_org | N/A | N/A | N/A |
| ext_info.dest_ip_info.ip_whois_reg_date | N/A | N/A | N/A |
| ext_info.src_ip_info | N/A | N/A | N/A |
| ext-info.uri_info | N/A | N/A | N/A |
| file_info | N/A | N/A | N/A |
| ip_info | N/A | N/A | N/A |
| logfinder_info.bypass | N/A | N/A | N/A |
| logfinder_info.created_at | N/A | N/A | N/A |
| logfinder_info.completed_at | N/A | N/A | N/A |
| logfinder_info.process_count | N/A | N/A | N/A |
| mistwatcher_info | N/A | N/A | N/A |
| network_info.created_at | N/A | N/A | N/A |
| network_info.completed_at | N/A | N/A | N/A |
| network_info.process_count | N/A | N/A | N/A |
| network_info.response_code | N/A | N/A | N/A |
| network_info.int_dest.ip_addr | N/A | N/A | N/A |
| network_info.int_dest.network_description | N/A | N/A | N/A |
| network_info.int_dest.network_prefix | N/A | N/A | N/A |
| network_info.int_dest.network_type | N/A | N/A | N/A |
| network_info.int_src.ip_addr | N/A | N/A | N/A |
| network_info.int_src.network_description | N/A | N/A | N/A |
| network_info.int_src.network_prefix | N/A | N/A | N/A |
| network_info.int_src.network_type | N/A | N/A | N/A |
| network_info.int_src.user_uuid | N/A | N/A | N/A |
| pcap_info | N/A | N/A | N/A |
| rapid7_info | N/A | N/A | N/A |
| rare_info.created_at | N/A | N/A | N/A |
| rare_info.completed_at | N/A | N/A | N/A |
| rare_info.process_count | N/A | N/A | N/A |
| rare_info.response_code | N/A | N/A | N/A |
| rare_info.rare | N/A | N/A | N/A |
| rare_info.rule_id | N/A | N/A | N/A |
| url_info | N/A | N/A | N/A |
| session_info.local_orig | N/A | N/A | N/A |
| session_info.local_resp | N/A | N/A | N/A |
| session_info.logs_count_ssl | N/A | N/A | N/A |
| session_info.logs_count_total | N/A | N/A | N/A |
| vulnerability_info | N/A | N/A | N/A |
| event_actor | N/A | N/A | N/A |
| logs.app | N/A | N/A | N/A |
| logs.community_id | N/A | N/A | N/A |
| logs.created_at | N/A | N/A | N/A |
| logs.date | N/A | N/A | N/A |
| logs.dest | N/A | N/A | N/A |
| logs.destination.as.organization_name | N/A | N/A | N/A |
| logs.destination.as.asn | N/A | N/A | N/A |
| logs.destination.geo.continent_name | N/A | N/A | N/A |
| logs.destination.country_iso_code | N/A | N/A | N/A |
| logs.destination.location.lat | N/A | N/A | N/A |
| logs.destination.location.lon | N/A | N/A | N/A |
| logs.destination.ip | N/A | N/A | N/A |
| logs.destination.port | N/A | N/A | N/A |
| logs.destination.is_local | N/A | N/A | N/A |
| logs.entry_origin | N/A | N/A | N/A |
| logs.entry_source | N/A | N/A | N/A |
| logs.entry_type | N/A | N/A | N/A |
| logs.entry_uuid | N/A | N/A | N/A |
| logs.hour | N/A | N/A | N/A |
| logs.source.ip | N/A | N/A | N/A |
| logs.source.port | N/A | N/A | N/A |
| logs.source.is_local | N/A | N/A | N/A |
| logs.source.user_uuid | N/A | N/A | N/A |
| logs.src | N/A | N/A | N/A |
| logs.timestamp | N/A | N/A | N/A |
| logs.user_uuid | N/A | N/A | N/A |
| logs.pcap_info | N/A | N/A | N/A |
| logs.mistwatcher_info | N/A | N/A | N/A |
| logs.weekday | N/A | N/A | N/A |
| logs.conn_state | N/A | N/A | N/A |
| logs.dest_port | N/A | N/A | N/A |
| logs.duration | <duration> | Number | N/A |
| logs.history | N/A | N/A | N/A |
| logs.local_orig | N/A | N/A | N/A |
| logs.local_resp | N/A | N/A | N/A |
| logs.missed_bytes | N/A | N/A | N/A |
| logs.orig_bytes | N/A | N/A | N/A |
| logs.orig_ip_bytes | <bytesin> | Number | N/A |
| logs.orig_pkts | <packetsin> | Number | N/A |
| logs.proto | N/A | N/A | N/A |
| logs.resp_bytes | N/A | N/A | N/A |
| logs.resp_ip_bytes | <bytesout> | Number | N/A |
| logs.resp_pkts | <packetsout> | Number | N/A |
| logs.service | N/A | N/A | N/A |
| logs.session_id | N/A | N/A | N/A |
| logs.src_port | N/A | N/A | N/A |
| logs.dhcp_server | N/A | N/A | N/A |
| logs.columns | N/A | N/A | N/A |
| logs.decorations | N/A | N/A | N/A |
| logs.request_type | N/A | N/A | N/A |
| logs.cipher | N/A | N/A | N/A |
| logs.request-type | N/A | N/A | N/A |
| logs.version | N/A | N/A | N/A |
| logs.cert_chain_fuids | N/A | N/A | N/A |
| logs.curve | N/A | N/A | N/A |
| logs.established | N/A | N/A | N/A |
| logs.issuer | N/A | N/A | N/A |
| logs.subject | N/A | N/A | N/A |
| logs.validation_status | N/A | N/A | N/A |
| logs.ja3 | N/A | N/A | N/A |
| logs.ja3s | N/A | N/A | N/A |
| IncidentCaseEvents | N/A | N/A | N/A |
| decorations | N/A | N/A | N/A |
| mitre_ttp | N/A | N/A | N/A |
| mitre_ttp.technique | <threatname> | String | N/A |
| ioa_summary_count | N/A | N/A | Total number of summary IOAs of a Case/Incident |
| last_modified | N/A | N/A | Time when a Case/Incident was last modified |
| main_event | N/A | N/A | The most significant event of a Case/Incident |
| main_event.created_at | N/A | N/A | N/A |
| main_event.columns | N/A | N/A | N/A |
| main_event.date | N/A | N/A | N/A |
| main_event.entry_origin | N/A | N/A | N/A |
| main_event.entry_source | N/A | N/A | N/A |
| main_event.entry_type | N/A | N/A | N/A |
| main_event.entry_uuid | N/A | N/A | N/A |
| main_event.event_attribute | N/A | N/A | N/A |
| main_event.event_category | N/A | N/A | N/A |
| main_event.event_extra_attributes | N/A | N/A | N/A |
| main_event.event_score | N/A | N/A | N/A |
| main_event.event_uuid | N/A | N/A | N/A |
| main_event.hour | N/A | N/A | N/A |
| main_event.domain_report | N/A | N/A | N/A |
| main_event.ip_investigation_report | N/A | N/A | N/A |
| main_event.kubernetes.container | N/A | N/A | N/A |
| main_event.kubernetes.labels | N/A | N/A | N/A |
| main_event.kubernetes.node | N/A | N/A | N/A |
| main_event.kubernetes.pod | N/A | N/A | N/A |
| main_event.kubernetes.replicaset | N/A | N/A | N/A |
| main_event.attack_framework | N/A | N/A | N/A |
| main_event.mitre_tactic | N/A | N/A | N/A |
| main_event.mitre_technique | N/A | N/A | N/A |
| main_event.timestamp | N/A | N/A | N/A |
| main_event.whitelisted | N/A | N/A | N/A |
| main_event.app_info | N/A | N/A | N/A |
| main_event.case_info | N/A | N/A | N/A |
| main_event.classifier_info | N/A | N/A | N/A |
| main_event.cve_info | N/A | N/A | N/A |
| main_event.deduper_info | N/A | N/A | N/A |
| main_event.domain_info | N/A | N/A | N/A |
| main_event.eventscorer_info | N/A | N/A | N/A |
| main_event.ext_info.domain_info | N/A | N/A | N/A |
| main_event.ext_info.dest_ip_info | N/A | N/A | N/A |
| main_event.ext_info.src_ip_info | N/A | N/A | N/A |
| main_event.ext_info.uri_info | N/A | N/A | N/A |
| main_event.file_info | N/A | N/A | N/A |
| main_event.ip_info | N/A | N/A | N/A |
| main_event.logfinder_info | N/A | N/A | N/A |
| main_event.mistwatcher_info | N/A | N/A | N/A |
| main_event.network_info.int_dest | N/A | N/A | N/A |
| main_event.network_info.int_src | N/A | N/A | N/A |
| main_event.pcap_info | N/A | N/A | N/A |
| main_event.rapid7_info | N/A | N/A | N/A |
| main_event.url_info | N/A | N/A | N/A |
| main_event.session_info.local_orig | N/A | N/A | N/A |
| main_event.session_info.local_resp | N/A | N/A | N/A |
| main_event.vulnerability_info | N/A | N/A | N/A |
| main_event.event_actor | N/A | N/A | N/A |
| main_event.IncidentCaseEvents | N/A | N/A | N/A |
| main_event.decorations | N/A | N/A | N/A |
| positive | N/A | N/A | Tells whether a Case/Incident is a true or false positive |
| servicenow_info | N/A | N/A | N/A |
| severity | <severity> | Number | Severity of a Case/Incident. Possible values: 0 through 100 |
| score | N/A | N/A | Score of a Case/Incident. Possible values: 0 through 10 |
| timestamp | N/A | N/A | Timestamp of the case |
| wildcard_ioa_count | N/A | N/A | Number of wildcard IOAs |
| actor | N/A | N/A | Actor responsible for an event |
| summary_events_count | N/A | N/A | N/A |
| polic_violation_info | N/A | N/A | N/A |
| incident_info | N/A | N/A | N/A |
| casescore | N/A | N/A | N/A |
| determination | N/A | N/A | Determination for the incident |
| note | N/A | N/A | N/A |
