Vendor Documentation
Classification

| Rule Name | Rule Type | Classification | Common Event |
|---|---|---|---|
| V 2.0 : Content Security Event | Base Rule | Other Security | General Security |
| V 2.0 : Content Security : Unknown | Sub Rule | Activity | General Threat Message |
| V 2.0 : Content Security : Not Applicable | Sub Rule | Other Security | General Security |
| V 2.0 : Content Security : Clean | Sub Rule | Failed Activity | Threat Deleted |
| V 2.0 : Content Security : Delete | Sub Rule | Failed Activity | Threat Deleted |
| V 2.0 : Content Security : Move | Sub Rule | Activity | General Threat Message |
| V 2.0 : Content Security : Rename | Sub Rule | Activity | General Threat Message |
| V 2.0 : Content Security : Pass/Log | Sub Rule | Activity | General Threat Message |
| V 2.0 : Content Security : Strip | Sub Rule | Failed Activity | Threat Deleted |
| V 2.0 : Content Security : Drop | Sub Rule | Failed Activity | Threat Blocked |
| V 2.0 : Content Security : Quarantine | Sub Rule | Activity | Quarantine |
| V 2.0 : Content Security : Insert/Replace | Sub Rule | Activity | General Threat Message |
| V 2.0 : Content Security : Archive | Sub Rule | Activity | General Threat Message |
| V 2.0 : Content Security : Stamp | Sub Rule | Activity | General Threat Message |
| V 2.0 : Content Security : Block | Sub Rule | Failed Activity | Threat Blocked |
| V 2.0 : Content Security : Redirect Mail For Approval | Sub Rule | Activity | General Threat Message |
| V 2.0 : Content Security : Encrypt | Sub Rule | Activity | General Threat Message |
| V 2.0 : Content Security : Detect | Sub Rule | Activity | General Threat Message |
| V 2.0 : Content Security : Reset | Sub Rule | Failed Activity | Threat Blocked |
Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Header (logVer) | N/A | N/A | CEF format version |
| Header (vendor) | N/A | N/A | Appliance vendor |
| Header (pname) | N/A | N/A | Appliance product |
| Header (pver) | N/A | N/A | Appliance product version |
| Header (eventid) | <vmid> | Text/String | MS: Filter action |
| Header (eventName) | N/A | N/A | Policy name |
| Header (severity) | N/A | N/A | Severity |
| cnt | N/A | N/A | Number of detections |
| deviceExternalId | N/A | N/A | ID |
| rt | N/A | N/A | Log generation time in UTC |
| dhost | <recipient> | Text/String/Number | List of all recipients |
| duser | N/A | N/A | One of the recipients |
| act | <action> | Number | Filter action |
| cs1Label | N/A | N/A | Corresponding label for the "cs1" field |
| cs1 | N/A | N/A | Policy settings |
| cs2Label | N/A | N/A | Corresponding label for the "cs2" field |
| cs2 | N/A | N/A | Product version |
| cs3Label | N/A | N/A | Corresponding label for the "cs3" field |
| cs3 | N/A | N/A | Filter type |
| cs4Label | N/A | N/A | Corresponding label for the "cs4" field |
| cs4 | N/A | N/A | Reason Code |
| cs5Label | N/A | N/A | Corresponding label for the "cs5" field |
| cs5 | N/A | N/A | Reason code source |
| cs6Label | N/A | N/A | Corresponding label for the "cs6" field |
| cs6 | N/A | N/A | Action |
| cat | N/A | N/A | Log type |
| dvchost | <dname> | Text/String/Number | Endpoint host name |
| cn1Label | N/A | N/A | Corresponding label for the "cn1" field |
| cn1 | <severity> | Number | Severity code |
| TMCMLogSeverity | N/A | N/A | Description of severity |
| fname | <object> | Text/String/Number | File |
| msg | <subject> | Text/String/Number | Subject |
| shost | <sender> | Text/String/Number | List of all senders/users in violation |
| suser | N/A | N/A | One of the senders/users in violation |
| request | <url> | Text/String/Number | Suspicious URL |
| cn2Label | N/A | N/A | Corresponding label for the "cn2" field |
| cn2 | N/A | N/A | Filter action result |
| deviceFacility | N/A | N/A | Product |
| src | <sip> | IP Address | Email sender IP address |
| reason | <reason> | Text/String | Critical threat type |
| filepath | N/A | N/A | Suspicious file location |
| ApexCentralHost | N/A | N/A | Apex Central host name |
| devicePayloadId | N/A | N/A | Unique message GUID |