Threat Emulation
Vendor Documentation
Classification
| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| Threat Emulation | Base Rule | General Threat Protection Event | Activity |
| Threat Emulation : Detect | Sub Rule | General Threat Message | Activity |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type |
|---|---|---|
| Product | <version> | Text/String |
| Origin | <sender> | Number/Text |
| Action | <action> | Number/Text |
| SIP | <sip> | Number |
| SPort | <sport> | Number |
| DIP | <dip> | Number |
| dport | <dport> | Number |
| protocol | <protname> | Number |
| ifname | <sinterface> | Number/Text |
| ifdirection | <tag2> | Number/Text |
| Url | <url> | Number/Text |
| Source_OS | <version> | Number/Text |
| severity | <severity> | Number |
| verdict | <result> | Text/String |
| User | <login> | Number/Text |
| src_user_name | <login> | Number/Text |
| src_machine_name | <sname> | Number/Text |
| from | <sender> | Number/Text |
| to | <recipient> | Number/Text |
| Email_Subject | <subject> | Number/Text |
| email_scanned | <object> | Number/Text |
| dst_user_name | <account> | Number/Text |
| web_client_type | <useragent> | Number/Text |
| user_status | <status> | Number/Text |
| portal_message | <vendorinfo> | Number/Text |
| file_name | <objectname> | Number/Text |
| file_type | <objecttype> | Number/Text |
| file_size | <bytesin> | Number |
| file_size | <bytesout> | Number |
| malware_detected | <amount> | Number |
| file_md5 | <hash> | Number/Text |
| Action | <tag1> | Text/String |