V 2.0 : Behavior Monitoring Event

Vendor Documentation

Classification

| Rule Name | Rule Type | Classification | Common Event |
|---|---|---|---|
| V 2.0 : Behavior Monitoring Event | Base Rule | Activity | General Threat Message |
| V 2.0 : Behaviour Monitoring : Allow | Sub Rule | Activity | General Threat Message |
| V 2.0 : Behaviour Monitoring : Ask | Sub Rule | Other Security | General Security |
| V 2.0 : Behaviour Monitoring : Deny | Sub Rule | Failed Activity | Threat Blocked |
| V 2.0 : Behaviour Monitoring : Terminate : 3 | Sub Rule | Failed Activity | Threat Blocked |
| V 2.0 : Behaviour Monitoring : Read Only | Sub Rule | Activity | General Threat Message |
| V 2.0 : Behaviour Monitoring : Read/Write Only | Sub Rule | Activity | General Threat Message |
| V 2.0 : Behaviour Monitoring : Read/Execute Only | Sub Rule | Activity | General Threat Message |
| V 2.0 : Behaviour Monitoring : Feedback | Sub Rule | Activity | General Threat Message |
| V 2.0 : Behaviour Monitoring : Clean | Sub Rule | Failed Activity | Threat Deleted |
| V 2.0 : Behaviour Monitoring : Unknown | Sub Rule | Activity | General Threat Message |
| V 2.0 : Behaviour Monitoring : Assess | Sub Rule | Activity | General Threat Message |
| V 2.0 : Behaviour Monitoring : Terminate : 1004 | Sub Rule | Failed Activity | Threat Blocked |
| V 2.0 : Behaviour Monitoring : Terminate : 1005 | Sub Rule | Failed Activity | Threat Blocked |
| V 2.0 : Behaviour Monitoring : Terminate : 1006 | Sub Rule | Failed Activity | Threat Blocked |
| V 2.0 : Behaviour Monitoring : Terminate : 1007 | Sub Rule | Failed Activity | Threat Blocked |
| V 2.0 : Behaviour Monitoring : Terminate : 1008 | Sub Rule | Failed Activity | Threat Blocked |
| V 2.0 : Behaviour Monitoring : Terminate : 1009 | Sub Rule | Failed Activity | Threat Blocked |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Header (logVer) | N/A | N/A | CEF format version |
| Header (vendor) | N/A | N/A | Product vendor |
| Header (pname) | N/A | N/A | Product name |
| Header (pver) | N/A | N/A | Product version |
| Header (eventid) | N/A | N/A | Behavior Monitoring policy ID |
| Header (eventName) | <vmid> | Text/String | Log name |
| Header (severity) | N/A | N/A | Severity |
| devicePayloadId | N/A | N/A | Unique message GUID |
| rt | N/A | N/A | Log generation time in UTC |
| dvcHost | N/A | N/A | Host name |
| cs5Label | N/A | N/A | Corresponding label for the "cs5" field |
| cs5 | <severity> | Number/Text/String | Risk Level: 0: Low; 1: High |
| cs2Label | N/A | N/A | Corresponding label for the "cs2" field |
| cs2 | <policy> | Number/Text/String | 0: Compromised executable file; 1: New startup program; 2: Host file modification; 3: Program library injection; 4: New Internet Explorer plugin; 5: Internet Explorer setting modification; 6: Shell modification; 7: New service; 8: Security policy modification; 9: Firewall policy modification; 10: System file modification; 11: Duplicated system file; 13: Layered service provider; 14: System process modification; 16: Suspicious behavior; 100: Newly encountered programs; 200: Unauthorized file encryption; 1000: Threat behavior analysis; 9999: User-defined policy |
| sproc | <process> | Text/String/Number | Target of the event |
| cs3Label | N/A | N/A | Corresponding label for the "cs3" field |
| cs3 | N/A | N/A | 1: Process; 2: Process image; 4: Registry; 8: File system; 16: Driver; 32: SDT; 64: System API; 128: User Mode; 2048: Exploit; 65535: All |
| cs1Label | N/A | N/A | Corresponding label for the "cs1" field |
| cs1 | <object> | Text/String/Number | Target host |
| act | <action>, <tag1> | Number/Text/String | Translated action: 0: Allow; 1: Ask; 2: Deny; 3: Terminate; 4: Read Only; 5: Read/Write Only; 6: Read/Execute Only; 7: Feedback; 8: Clean; 1002: Unknown; 1003: Assess; 1004: Terminated. Files were recovered; 1005: Terminated. Some files were not recovered; 1006: Terminated. Files were not recovered; 1007: Terminated. Restart result: Files were recovered; 1008: Terminated: Restart result: Some files were not recovered; 1009: Terminated: Restart result: Files were not recovered |
| cs4Label | N/A | N/A | Corresponding label for the "cs4" field |
| cs4 | N/A | N/A | The operation to be performed by the target of the event: 101: Create Process; 102: Open; 103: Terminate; 104: Terminate; 301: Delete; 302: Write; 303: Access; 401: Create File; 402: Close; 403: Execute; 501: Invoke; 601: Exploit; 9999: Unhandled Operation |
| shost | <sname> | Text/String | Source host (endpoint) |
| src | <sip> | IP Address | Source host IP address |
| TMCMLogDetectedHost | N/A | N/A | Endpoint name where the log event occurred |
| TMCMLogDetectedIP | N/A | N/A | IP address where the log event occurred |
| deviceFacility | N/A | N/A | Product |
| ApexCentralHost | N/A | N/A | Apex Central host name |
| reason | <reason> | Text/String | Critical threat type: A: Known Advanced Persistent Threat (APT); B: Social engineering attack; C: Vulnerability attack; D: Lateral movement; E: Unknown threats; F: C&C callback; G: Ransomware |
| deviceNtDomain | N/A | N/A | Active Directory domain |
| dntdom | N/A | N/A | Apex One domain hierarchy |