MN: Case And Incident Messages

Classification

| Rule Name | Rule Type | Classification | Common Event |
|---|---|---|---|
| MN : Case And Incident Messages | Base Rule | Operations : Information | General Threat Message |
| MN : Case Closed | Sub Rule | Information | General Information |
| MN : Anomalous Activity | Sub Rule | Suspicious | Suspicious Activity |
| MN : Extrusion | Sub Rule | Misuse | Unauthorized Activity |
| MN : Intel | Sub Rule | Reconnaissance | Reconnaissance Activity |
| MN : Intel Match | Sub Rule | Reconnaissance | Reconnaissance Activity |
| MN : Malware Compromise | Sub Rule | Malware | Detected Malware Activity |
| MN : Policy Violation | Sub Rule | Other Security | Security Violation |
| MN : Ransomware | Sub Rule | Malware | Detected Malware Activity |
| MN : Recon Activity | Sub Rule | Reconnaissance | Reconnaissance Activity |
| MN : Service Attack | Sub Rule | Attack | General Attack Activity |
| MN : Suspicious Access | Sub Rule | Suspicious | Suspicious Activity |
| MN : Suspicious Activity | Sub Rule | Suspicious | Suspicious Activity |
| MN : Test | Sub Rule | Information | Test Message |
| MN : Vulnerability | Sub Rule | Activity | General Threat Message |
| MN : Endpoint | Sub Rule | Activity | General Threat Message |
| MN : Collection & Exfil | Sub Rule | Activity | General Threat Message |
| MN : C&C | Sub Rule | Activity | General Threat Message |
| MN : Infection | Sub Rule | Malware | Detected Malware Activity |
| MN : Initial Compromies | Sub Rule | Activity | General Threat Message |
| MN : Lateral Movement | Sub Rule | Activity | General Threat Message |
| MN : Privilege Escalation | Sub Rule | Activity | General Threat Message |
| MN : Recon & Discovery | Sub Rule | Reconnaissance | Reconnaissance Activity |
| MN : PUP | Sub Rule | Malware | Possible Malware Activity |
| MN : Check & Update | Sub Rule | Information | General Information |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| admin_state | <status> | String | Status of a Case/Incident. Possible values: CaseOpen, CaseClosed, IncidentReported, IncidentInvestigation, and IncidentClosed |
| case_detail | <subject> | String | Short description of a Case/Incident |
| case_id | N/A | N/A | Unique ID of a Case/Incident |
| case_summary | <vendorinfo> | String | Case/Incident summary |
| category | <vmid>, <tag1> | String | Category to which a Case/Incident belongs. Possible values: Initial Compromise, Lateral Movement, Anomalous Activity, Extrusion, Vulnerability, Endpoint, etc. |
| certainty | N/A | N/A | Certainty of a Case/Incident. Possible values: 0 through 100 |
| created_at | N/A | N/A | Time when a Case/Incident was created |
| entity_type | N/A | N/A | The type of entity associated with this case. Possible values: User, Host, and Ip |
| entity_uuid | N/A | N/A | Unique ID for the entity. Possible values taken from: user_uuid, host_uuid, dest_host_uuid, dest_user_uuid, src, and dest |
| entry_origin | N/A | N/A | The engine that originated this record. Possible values: XXX YYY Engine, XXX YYY Engine, Watcher Engine, ZZZ Watch, etc. |
| entry_source | N/A | N/A | The source node that produced this record, for example the Probe Node of a Case/Incident |
| entry_type | N/A | N/A | Type of this record. Possible values: AlertEvent, IntelEvent, ThirdPartyEvent, SslAnomalyEvent, TriggerEvent, etc. |
| entry_uuid | <object> | String | Unique UUID for a Case/Incident |
| event_count | N/A | N/A | Number of case-events in a Case/Incident |
| ioa | N/A | N/A | Indicator of Attack. For now, only the first IOA of a Case/Incident is stored |
| columns | N/A | N/A | N/A |
| community_id | N/A | N/A | N/A |
| date | N/A | N/A | N/A |
| dest | <dip> | Number | N/A |
| dest_fqdn | N/A | N/A | N/A |
| dest_port | <dport> | Number | N/A |
| destination.as.organization_name | N/A | N/A | N/A |
| destination.as.asn | N/A | N/A | N/A |
| destination.geo.continent_name | N/A | N/A | N/A |
| destination.geo.country_iso_code | N/A | N/A | N/A |
| destination.geo.location.lat | N/A | N/A | N/A |
| destination.geo.location.lon | N/A | N/A | N/A |
| destination.ip | N/A | N/A | N/A |
| destination.port | N/A | N/A | N/A |
| destination.is_local | N/A | N/A | N/A |
| duration | N/A | N/A | N/A |
| end_time | N/A | N/A | N/A |
| entity_type | N/A | N/A | N/A |
| entity_uuid | N/A | N/A | N/A |
| entity_origin | N/A | N/A | N/A |
| entity_source | N/A | N/A | N/A |
| entity_type | N/A | N/A | N/A |
| entity_uuid | N/A | N/A | N/A |
| event_attribute | N/A | N/A | N/A |
| event_category | N/A | N/A | N/A |
| event_certainty | N/A | N/A | N/A |
| event.event_extra_attributes | N/A | N/A | N/A |
| event_score | N/A | N/A | N/A |
| event_severity | N/A | N/A | N/A |
| event_trigger | <reason> | String | N/A |
| event_trigger_id | N/A | N/A | N/A |
| event_tags | N/A | N/A | N/A |
| event_uuid | N/A | N/A | N/A |
| hour | N/A | N/A | N/A |
| domain_report | N/A | N/A | N/A |
| ip_investigation_report | N/A | N/A | N/A |
| ioa.mitre_ttp.technique_id | <threatid> | String | N/A |
| kubernetes.container | N/A | N/A | N/A |
| kubernetes.labels | N/A | N/A | N/A |
| kubernetes.node | N/A | N/A | N/A |
| kubernetes.pod | N/A | N/A | N/A |
| kubernetes.replicaset | N/A | N/A | N/A |
| local_orig | N/A | N/A | N/A |
| local_resp | N/A | N/A | N/A |
| attack_framework | N/A | N/A | N/A |
| mitre_tactic | N/A | N/A | N/A |
| mitre_technique | N/A | N/A | N/A |
| proto | <protname> | String | N/A |
| session_id | N/A | N/A | N/A |
| site | N/A | N/A | N/A |
| source.ip | <sip> | Number | N/A |
| source.port | <sport> | Number | N/A |
| source.is_local | N/A | N/A | N/A |
| source.user | <account> | String | N/A |
| src | N/A | N/A | N/A |
| src_port | N/A | N/A | N/A |
| start_time | N/A | N/A | N/A |
| summary_dests | N/A | N/A | N/A |
| timestamp | N/A | N/A | N/A |
| user_uuid | N/A | N/A | N/A |
| weekday | N/A | N/A | N/A |
| whitelisted | N/A | N/A | N/A |
| app_info.created_at | N/A | N/A | N/A |
| app_info.completed_at | N/A | N/A | N/A |
| app_info.process_count | N/A | N/A | N/A |
| app_info.response_code | N/A | N/A | N/A |
| case_info.created_at | N/A | N/A | N/A |
| case_info.completed_at | N/A | N/A | N/A |
| case_info.process_count | N/A | N/A | N/A |
| classifier_info.created_at | N/A | N/A | N/A |
| classifier_info.completed_at | N/A | N/A | N/A |
| classifier_info.process_count | N/A | N/A | N/A |
| cve_info.cve_dest_status | N/A | N/A | N/A |
| deduper_info.bypass | N/A | N/A | N/A |
| deduper_info.created_at | N/A | N/A | N/A |
| deduper_info.completed_at | N/A | N/A | N/A |
| deduper_info.process_count | N/A | N/A | N/A |
| domain_info | N/A | N/A | N/A |
| eventscorer_info.bypass | N/A | N/A | N/A |
| eventscorer_info.created_at | N/A | N/A | N/A |
| eventscorer_info.completed_at | N/A | N/A | N/A |
| eventscrorer_info.process_count | N/A | N/A | N/A |
| ext_info.created_at | N/A | N/A | N/A |
| ext_info.response_code | N/A | N/A | N/A |
| ext_info.threat_level | N/A | N/A | N/A |
| ext_info.domain_info | N/A | N/A | N/A |
| ext_info.domain_info.domain | <domainimpacted> | String | N/A |
| ext_info.domain_info.domain_is_popular | N/A | N/A | N/A |
| ext_info.domain_info.domain_whois_cc | N/A | N/A | N/A |
| ext_info.domain_info.domain_whois_location | N/A | N/A | N/A |
| ext_info.domain_info.domain_whois_org | N/A | N/A | N/A |
| ext_info.domain_info.domain_whois_reg_date | N/A | N/A | N/A |
| ext_info.domain_info.server_name | <dname> | String | N/A |
| ext_info.dest_ip_info | N/A | N/A | N/A |
| ext_info.dest_ip_info.ip_addr | N/A | N/A | N/A |
| ext_info.dest_ip_info.ip_whois_cc | N/A | N/A | N/A |
| ext_info.dest_ip_info.ip_whois_location | N/A | N/A | N/A |
| ext_info.dest_ip_info.ip_whois_org | N/A | N/A | N/A |
| ext_info.dest_ip_info.ip_whois_reg_date | N/A | N/A | N/A |
| ext_info.src_ip_info | N/A | N/A | N/A |
| ext-info.uri_info | N/A | N/A | N/A |
| file_info | N/A | N/A | N/A |
| ip_info | N/A | N/A | N/A |
| logfinder_info.bypass | N/A | N/A | N/A |
| logfinder_info.created_at | N/A | N/A | N/A |
| logfinder_info.completed_at | N/A | N/A | N/A |
| logfinder_info.process_count | N/A | N/A | N/A |
| mistwatcher_info | N/A | N/A | N/A |
| network_info.created_at | N/A | N/A | N/A |
| network_info.completed_at | N/A | N/A | N/A |
| network_info.process_count | N/A | N/A | N/A |
| network_info.response_code | N/A | N/A | N/A |
| network_info.int_dest.ip_addr | N/A | N/A | N/A |
| network_info.int_dest.network_description | N/A | N/A | N/A |
| network_info.int_dest.network_prefix | N/A | N/A | N/A |
| network_info.int_dest.network_type | N/A | N/A | N/A |
| network_info.int_src.ip_addr | N/A | N/A | N/A |
| network_info.int_src.network_description | N/A | N/A | N/A |
| network_info.int_src.network_prefix | N/A | N/A | N/A |
| network_info.int_src.network_type | N/A | N/A | N/A |
| network_info.int_src.user_uuid | N/A | N/A | N/A |
| pcap_info | N/A | N/A | N/A |
| rapid7_info | N/A | N/A | N/A |
| rare_info.created_at | N/A | N/A | N/A |
| rare_info.completed_at | N/A | N/A | N/A |
| rare_info.process_count | N/A | N/A | N/A |
| rare_info.response_code | N/A | N/A | N/A |
| rare_info.rare | N/A | N/A | N/A |
| rare_info.rule_id | N/A | N/A | N/A |
| url_info | N/A | N/A | N/A |
| session_info.local_orig | N/A | N/A | N/A |
| session_info.local_resp | N/A | N/A | N/A |
| session_info.logs_count_ssl | N/A | N/A | N/A |
| session_info.logs_count_total | N/A | N/A | N/A |
| vulnerability_info | N/A | N/A | N/A |
| event_actor | N/A | N/A | N/A |
| logs.app | N/A | N/A | N/A |
| logs.community_id | N/A | N/A | N/A |
| logs.created_at | N/A | N/A | N/A |
| logs.date | N/A | N/A | N/A |
| logs.dest | N/A | N/A | N/A |
| logs.destination.as.organization_name | N/A | N/A | N/A |
| logs.destination.as.asn | N/A | N/A | N/A |
| logs.destination.geo.continent_name | N/A | N/A | N/A |
| logs.destination.country_iso_code | N/A | N/A | N/A |
| logs.destination.location.lat | N/A | N/A | N/A |
| logs.destination.location.lon | N/A | N/A | N/A |
| logs.destination.ip | N/A | N/A | N/A |
| logs.destination.port | N/A | N/A | N/A |
| logs.destination.is_local | N/A | N/A | N/A |
| logs.entry_origin | N/A | N/A | N/A |
| logs.entry_source | N/A | N/A | N/A |
| logs.entry_type | N/A | N/A | N/A |
| logs.entry_uuid | N/A | N/A | N/A |
| logs.hour | N/A | N/A | N/A |
| logs.source.ip | N/A | N/A | N/A |
| logs.source.port | N/A | N/A | N/A |
| logs.source.is_local | N/A | N/A | N/A |
| logs.source.user_uuid | N/A | N/A | N/A |
| logs.src | N/A | N/A | N/A |
| logs.timestamp | N/A | N/A | N/A |
| logs.user_uuid | N/A | N/A | N/A |
| logs.pcap_info | N/A | N/A | N/A |
| logs.mistwatcher_info | N/A | N/A | N/A |
| logs.weekday | N/A | N/A | N/A |
| logs.conn_state | N/A | N/A | N/A |
| logs.dest_port | N/A | N/A | N/A |
| logs.duration | <duration> | Number | N/A |
| logs.history | N/A | N/A | N/A |
| logs.local_orig | N/A | N/A | N/A |
| logs.local_resp | N/A | N/A | N/A |
| logs.missed_bytes | N/A | N/A | N/A |
| logs.orig_bytes | N/A | N/A | N/A |
| logs.orig_ip_bytes | <bytesin> | Number | N/A |
| logs.orig_pkts | <packetsin> | Number | N/A |
| logs.proto | N/A | N/A | N/A |
| logs.resp_bytes | N/A | N/A | N/A |
| logs.resp_ip_bytes | <bytesout> | Number | N/A |
| logs.resp_pkts | <packetsout> | Number | N/A |
| logs.service | N/A | N/A | N/A |
| logs.session_id | N/A | N/A | N/A |
| logs.src_port | N/A | N/A | N/A |
| logs.dhcp_server | N/A | N/A | N/A |
| logs.columns | N/A | N/A | N/A |
| logs.decorations | N/A | N/A | N/A |
| logs.request_type | N/A | N/A | N/A |
| logs.cipher | N/A | N/A | N/A |
| logs.request-type | N/A | N/A | N/A |
| logs.version | N/A | N/A | N/A |
| logs.cert_chain_fuids | N/A | N/A | N/A |
| logs.curve | N/A | N/A | N/A |
| logs.established | N/A | N/A | N/A |
| logs.issuer | N/A | N/A | N/A |
| logs.subject | N/A | N/A | N/A |
| logs.validation_status | N/A | N/A | N/A |
| logs.ja3 | N/A | N/A | N/A |
| logs.ja3s | N/A | N/A | N/A |
| IncidentCaseEvents | N/A | N/A | N/A |
| decorations | N/A | N/A | N/A |
| mitre_ttp | N/A | N/A | N/A |
| mitre_ttp.technique | <threatname> | String | N/A |
| ioa_summary_count | N/A | N/A | Total number of summary IOAs of a Case/Incident |
| last_modified | N/A | N/A | Time when a Case/Incident was last modified |
| main_event | N/A | N/A | The most significant event of a Case/Incident |
| main_event.created_at | N/A | N/A | N/A |
| main_event.columns | N/A | N/A | N/A |
| main_event.date | N/A | N/A | N/A |
| main_event.entry_origin | N/A | N/A | N/A |
| main_event.entry_source | N/A | N/A | N/A |
| main_event.entry_type | N/A | N/A | N/A |
| main_event.entry_uuid | N/A | N/A | N/A |
| main_event.event_attribute | N/A | N/A | N/A |
| main_event.event_category | N/A | N/A | N/A |
| main_event.event_extra_attributes | N/A | N/A | N/A |
| main_event.event_score | N/A | N/A | N/A |
| main_event.event_uuid | N/A | N/A | N/A |
| main_event.hour | N/A | N/A | N/A |
| main_event.domain_report | N/A | N/A | N/A |
| main_event.ip_investigation_report | N/A | N/A | N/A |
| main_event.kubernetes.container | N/A | N/A | N/A |
| main_event.kubernetes.labels | N/A | N/A | N/A |
| main_event.kubernetes.node | N/A | N/A | N/A |
| main_event.kubernetes.pod | N/A | N/A | N/A |
| main_event.kubernetes.replicaset | N/A | N/A | N/A |
| main_event.attack_framework | N/A | N/A | N/A |
| main_event.mitre_tactic | N/A | N/A | N/A |
| main_event.mitre_technique | N/A | N/A | N/A |
| main_event.timestamp | N/A | N/A | N/A |
| main_event.whitelisted | N/A | N/A | N/A |
| main_event.app_info | N/A | N/A | N/A |
| main_event.case_info | N/A | N/A | N/A |
| main_event.classifier_info | N/A | N/A | N/A |
| main_event.cve_info | N/A | N/A | N/A |
| main_event.deduper_info | N/A | N/A | N/A |
| main_event.domain_info | N/A | N/A | N/A |
| main_event.eventscorer_info | N/A | N/A | N/A |
| main_event.ext_info.domain_info | N/A | N/A | N/A |
| main_event.ext_info.dest_ip_info | N/A | N/A | N/A |
| main_event.ext_info.src_ip_info | N/A | N/A | N/A |
| main_event.ext_info.uri_info | N/A | N/A | N/A |
| main_event.file_info | N/A | N/A | N/A |
| main_event.ip_info | N/A | N/A | N/A |
| main_event.logfinder_info | N/A | N/A | N/A |
| main_event.mistwatcher_info | N/A | N/A | N/A |
| main_event.network_info.int_dest | N/A | N/A | N/A |
| main_event.network_info.int_src | N/A | N/A | N/A |
| main_event.pcap_info | N/A | N/A | N/A |
| main_event.rapid7_info | N/A | N/A | N/A |
| main_event.url_info | N/A | N/A | N/A |
| main_event.session_info.local_orig | N/A | N/A | N/A |
| main_event.session_info.local_resp | N/A | N/A | N/A |
| main_event.vulnerability_info | N/A | N/A | N/A |
| main_event.event_actor | N/A | N/A | N/A |
| main_event.IncidentCaseEvents | N/A | N/A | N/A |
| main_event.decorations | N/A | N/A | N/A |
| positive | N/A | N/A | Whether a Case/Incident is a true or false positive |
| servicenow_info | N/A | N/A | N/A |
| severity | <severity> | Number | Severity of a Case/Incident. Possible values: 0 through 100 |
| score | N/A | N/A | Score of a Case/Incident. Possible values: 0 through 10 |
| timestamp | N/A | N/A | Timestamp of the case |
| wildcard_ioa_count | N/A | N/A | Number of wildcard IOAs |
| actor | N/A | N/A | Actor responsible for an event |
| summary_events_count | N/A | N/A | N/A |
| polic_violation_info | N/A | N/A | N/A |
| incident_info | N/A | N/A | N/A |
| casescore | N/A | N/A | N/A |
| determination | N/A | N/A | Determination for the incident |
| note | N/A | N/A | N/A |