V 2.0 : Attack Discovery Detection Event

Vendor Documentation

Classification

| Rule Name | Rule Type | Classification | Common Event |
|---|---|---|---|
| V 2.0 : Attack Discovery Detection Event | Base Rule | Attack | General Attack Activity |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Header (logVer) | N/A | N/A | CEF format version |
| Header (vendor) | N/A | N/A | Appliance vendor |
| Header (pname) | N/A | N/A | Appliance product |
| Header (pver) | N/A | N/A | Appliance version |
| Header (eventid) | N/A | N/A | Event ID |
| Header (eventName) | <vmid> | Text/String | Log name |
| Header (severity) | N/A | N/A | Severity |
| deviceExternalId | N/A | N/A | ID |
| rt | N/A | N/A | Log generation time in UTC |
| dhost | <dname> | Text/String/Number | Endpoint host name |
| dst | <dip> | IP Address | Client IPv4 address |
| c6a3 | <dip> | IP Address | Client IPv6 address |
| customerExternalID | N/A | N/A | Instance ID |
| cn1Label | N/A | N/A | Corresponding label for the "cn1" field |
| cn1 | <severity> | Number/Text/String | Risk Level: 0: Unknown; 100: Low risk; 500: Medium risk; 1000: High risk |
| cn2Label | N/A | N/A | Corresponding label for the "cn2" field |
| cn2 | N/A | N/A | Pattern Number |
| cs1Label | N/A | N/A | Corresponding label for the "cs1" field |
| cs1 | <policy> | Text/String | Rule ID |
| cat | <subject> | Text/String | Category ID |
| cs2Label | N/A | N/A | Corresponding label for the "cs2" field |
| cs2 | N/A | N/A | Attack Discovery object information |
| deviceNtDomain | <domainimpacted> | Text/String | Active Directory domain |
| dntdom | N/A | N/A | Apex One domain hierarchy |
| TMCMLogDetectedHost | N/A | N/A | Endpoint name where the log event occurred |
| TMCMLogDetectedIP | N/A | N/A | IP address where the log event occurred |
| ApexCentralHost | N/A | N/A | Apex Central host name |
| devicePayloadId | N/A | N/A | Unique message GUID |
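As an added example (not part of the vendor documentation or of LogRhythm's own parser), the following Python normalizer splits a CEF line of this event into its seven header fields and the extension, then applies the mapping table above, including the cn1 risk-level values. The sample event, its vendor/product strings and all field values are constructed; which of dst or c6a3 wins when both are present is an assumption, since the table does not say.

```python
import re

# CEF extension key -> LogRhythm schema field, as given in the mapping table above.
# Keys the table marks N/A are not mapped and are left out of the normalized record.
CEF_TO_LOGRHYTHM = {
    "dhost": "dname",
    "dst": "dip",             # IPv4 client address
    "c6a3": "dip",            # IPv6 client address; both land in dip
    "cn1": "severity",
    "cs1": "policy",
    "cat": "subject",
    "deviceNtDomain": "domainimpacted",
}
# cn1 risk-level values and their meaning, from the table.
RISK_LEVELS = {0: "Unknown", 100: "Low risk", 500: "Medium risk", 1000: "High risk"}

def split_cef(line):
    """Split 'CEF:ver|vendor|product|version|eventid|eventName|severity|extension'.
    A literal pipe inside a header field is escaped as '\\|', so only unescaped pipes split."""
    parts = re.split(r"(?<!\\)\|", line.rstrip("\r\n"), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF event")
    return [p.replace("\\|", "|") for p in parts[:7]], parts[7]

def parse_extension(ext):
    """Parse 'k=v k2=v2'. Values may contain spaces and a literal '=' is escaped as '\\=';
    a value ends where the next 'key=' token begins."""
    pairs = re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", ext, re.S)
    return {k: v.replace("\\=", "=") for k, v in pairs}

def to_logrhythm(line):
    """Normalize one Attack Discovery Detection event into the LogRhythm fields of the table."""
    header, ext = split_cef(line)
    fields = parse_extension(ext)
    rec = {"vmid": header[5]}                       # Header (eventName) -> vmid
    for cef_key, lr_key in CEF_TO_LOGRHYTHM.items():
        if cef_key in fields:
            rec.setdefault(lr_key, fields[cef_key])  # first mapped key wins: dst before c6a3 (assumption)
    if "severity" in rec:                           # cn1 is numeric; non-numeric input falls back to 0/Unknown
        level = int(rec["severity"]) if rec["severity"].isdigit() else 0
        rec["severity"] = level
        rec["risk_label"] = RISK_LEVELS.get(level, "Unknown")
    return rec

# Constructed sample event (not a real product log); every value below is a placeholder.
SAMPLE = ("CEF:0|Trend Micro|Apex Central|2019|AD|Attack Discovery Detection|3|"
          "rt=Mar 12 2024 10:15:00 GMT+00:00 dhost=WS-0042 dst=10.0.0.42 cn1Label=RiskLevel cn1=500 "
          "cn2Label=PatternNumber cn2=1 cs1Label=RuleID cs1=ADRule\\=0007 cat=AD-CAT-01 "
          "deviceNtDomain=CORP ApexCentralHost=apex01 devicePayloadId=1234-abcd")
```

Calling `to_logrhythm(SAMPLE)` yields the mapped record with severity 500 labelled "Medium risk" and the escaped rule ID restored to `ADRule=0007`.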