Skip to main content
Skip table of contents

Threat Event

Vendor Documentation


Rule Name

Rule Type


Common Event

Threat EventBase RuleActivityGeneral Threat Message
Threat Event : Threat BlockedSub RuleFailed ActivityThreat Blocked
Threat Event : Threat Not BlockedSub RuleActivityGeneral Threat Message

Mapping with LogRhythm Schema

Device Key in Log Message

LogRhythm Schema

Data Type

Schema Description

Header (logVer)N/AN/ACEF format version
Header (vendor)N/AN/AAppliance vendor
Header (pname)N/AN/AAppliance product
Header (pver)N/AN/AAppliance version
Header (eventid)<threatid>NumberSignature ID
Header (eventName)<vendorinfo>Text/StringDescription
Header (severity)<severity>NumberSeverity
Text/StringThe action in the event
c6a1<snatip>IPInterested IPv6
c6a1LabelN/AN/AInterested IPv6 label
c6a2<sip>IPSource IPv6 address
c6a2LabelN/AN/ASource IPv6 address label
c6a3<dip>IPDestination IPv6 address
c6a3LabelN/AN/ADestination IPv6 address label
c6a4<dnatip>IPPeer IPv6 address
c6a4LabelN/AN/APeer IPv6 address label
catN/AN/AEvent category
cntN/AN/ATotal count
cn1N/AN/ACCCA detection
cn1labelN/AN/ACCCA detection label
cn3N/AN/AThreat type
cn3LabelN/AN/AThreat type label
cs1N/AN/AMail subject
cs1LabelN/AN/AMail subject label
cs2<threatname>Text/StringMalware name
cs2LabelN/AN/AMalware name label
cs3N/AN/AHost name
cs3LabelN/AN/AHost name label
cs4N/AN/AFile name in archive
cs4LabelN/AN/AFile name in archive label
cs5N/AN/ACCCA log is detected by
cs5LabelN/AN/ACCCA log is detected by label
cs6N/AN/AAttack Phase
cs6LabelN/AN/AAttack Phase label
destinationTranslatedAddress<dnatip>IPPeer IP
deviceDirectionN/AN/APacket direction
deviceExternalIdN/AN/AAppliance GUID
devicePayloadIdN/AN/AAn extendable field
Format: {threat_type}:{log_id}:{with pcap file captured}:{extensions}*
dhost<dname>IPDestination host name
dmac<dmac>Text/StringDestination MAC
dpt<dport>NumberDestination port
dst<dip>IPDestination IP address
duser<recipient>Text/StringMail recipient
dvcN/AN/AAppliance IP address
dvchostN/AN/AAppliance host name
dvcmacN/AN/AAppliance MAC address
filePathN/AN/AFile path
fileTypeN/AN/AReal file type
flexNumber1LabelN/AN/AvLANId label
fname<object>Text/StringFile name
fsize<size>NumberFile size
oldFileHashN/AN/AMail attachment SHA1
oldFileNameN/AN/AMail attachment file name
oldFileSizeN/AN/AMail attachment file size
oldFileTypeN/AN/AMail attachment file type
requestClientApplication<useragent>Text/StringUser agent
rtN/AN/ALog generation time
Format: Unix time stamp (number of milliseconds since Jan 01 1970 UTC)
shost<sname>IPSource host name
smac<smac>Text/StringSource MAC
sourceTranslatedAddress<snatip>IPInterested IP
src<sip>IPSource IP address
spt<sport>NumberSource port
suid<login>Text/StringUser name
suser<sender>Text/StringMail sender
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.