Threat Event

Vendor Documentation

Classification

| Rule Name | Rule Type | Classification | Common Event |
|---|---|---|---|
| Threat Event | Base Rule | Activity | General Threat Message |
| Threat Event : Threat Blocked | Sub Rule | Failed Activity | Threat Blocked |
| Threat Event : Threat Not Blocked | Sub Rule | Activity | General Threat Message |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Header (logVer) | N/A | N/A | CEF format version |
| Header (vendor) | N/A | N/A | Appliance vendor |
| Header (pname) | N/A | N/A | Appliance product |
| Header (pver) | N/A | N/A | Appliance version |
| Header (eventid) | <threatid> | Number | Signature ID |
| Header (eventName) | <vendorinfo> | Text/String | Description |
| Header (severity) | <severity> | Number | Severity |
| act | <action>, <tag1> | Text/String | The action in the event |
| app | <protname> | Text/String | Protocol |
| c6a1 | <snatip> | IP | Interested IPv6 |
| c6a1Label | N/A | N/A | Interested IPv6 label |
| c6a2 | <sip> | IP | Source IPv6 address |
| c6a2Label | N/A | N/A | Source IPv6 address label |
| c6a3 | <dip> | IP | Destination IPv6 address |
| c6a3Label | N/A | N/A | Destination IPv6 address label |
| c6a4 | <dnatip> | IP | Peer IPv6 address |
| c6a4Label | N/A | N/A | Peer IPv6 address label |
| cat | N/A | N/A | Event category |
| cnt | N/A | N/A | Total count |
| cn1 | N/A | N/A | CCCA detection |
| cn1label | N/A | N/A | CCCA detection label |
| cn3 | N/A | N/A | Threat type |
| cn3Label | N/A | N/A | Threat type label |
| cs1 | N/A | N/A | Mail subject |
| cs1Label | N/A | N/A | Mail subject label |
| cs2 | <threatname> | Text/String | Malware name |
| cs2Label | N/A | N/A | Malware name label |
| cs3 | N/A | N/A | Host name |
| cs3Label | N/A | N/A | Host name label |
| cs4 | N/A | N/A | File name in archive |
| cs4Label | N/A | N/A | File name in archive label |
| cs5 | N/A | N/A | CCCA log is detected by |
| cs5Label | N/A | N/A | CCCA log is detected by label |
| cs6 | N/A | N/A | Attack Phase |
| cs6Label | N/A | N/A | Attack Phase label |
| destinationTranslatedAddress | <dnatip> | IP | Peer IP |
| deviceDirection | N/A | N/A | Packet direction |
| deviceExternalId | N/A | N/A | Appliance GUID |
| devicePayloadId | N/A | N/A | An extendable field. Format: {threat_type}:{log_id}:{with pcap file captured}:{extensions}* |
| dhost | <dname> | IP | Destination host name |
| dmac | <dmac> | Text/String | Destination MAC |
| dpt | <dport> | Number | Destination port |
| dst | <dip> | IP | Destination IP address |
| duser | <recipient> | Text/String | Mail recipient |
| dvc | N/A | N/A | Appliance IP address |
| dvchost | N/A | N/A | Appliance host name |
| dvcmac | N/A | N/A | Appliance MAC address |
| fileHash | <hash> | Text/String | SHA1 |
| filePath | N/A | N/A | File path |
| fileType | N/A | N/A | Real file type |
| flexNumber1 | N/A | N/A | vLANId |
| flexNumber1Label | N/A | N/A | vLANId label |
| fname | <object> | Text/String | File name |
| fsize | <size> | Number | File size |
| oldFileHash | N/A | N/A | Mail attachment SHA1 |
| oldFileName | N/A | N/A | Mail attachment file name |
| oldFileSize | N/A | N/A | Mail attachment file size |
| oldFileType | N/A | N/A | Mail attachment file type |
| requestClientApplication | <useragent> | Text/String | User agent |
| request | <url> | Text/String | URL |
| rt | N/A | N/A | Log generation time. Format: Unix time stamp (number of milliseconds since Jan 01 1970 UTC) |
| shost | <sname> | IP | Source host name |
| smac | <smac> | Text/String | Source MAC |
| sourceTranslatedAddress | <snatip> | IP | Interested IP |
| src | <sip> | IP | Source IP address |
| spt | <sport> | Number | Source port |
| suid | <login> | Text/String | User name |
| suser | <sender> | Text/String | Mail sender |