V 2.0 : Content Security Event
Vendor Documentation
Classification
Rule Name | Rule Type | Classification | Common Event |
|---|---|---|---|
| V 2.0 : Content Security Event | Base Rule | Other Security | General Security |
| V 2.0 : Content Security : Unknown | Sub Rule | Activity | General Threat Message |
| V 2.0 : Content Security : Not Applicable | Sub Rule | Other Security | General Security |
| V 2.0 : Content Security : Clean | Sub Rule | Failed Activity | Threat Deleted |
| V 2.0 : Content Security : Delete | Sub Rule | Failed Activity | Threat Deleted |
| V 2.0 : Content Security : Move | Sub Rule | Activity | General Threat Message |
| V 2.0 : Content Security : Rename | Sub Rule | Activity | General Threat Message |
| V 2.0 : Content Security : Pass/Log | Sub Rule | Activity | General Threat Message |
| V 2.0 : Content Security : Strip | Sub Rule | Failed Activity | Threat Deleted |
| V 2.0 : Content Security : Drop | Sub Rule | Failed Activity | Threat Blocked |
| V 2.0 : Content Security : Quarantine | Sub Rule | Activity | Quarantine |
| V 2.0 : Content Security : Insert/Replace | Sub Rule | Activity | General Threat Message |
| V 2.0 : Content Security : Archive | Sub Rule | Activity | General Threat Message |
| V 2.0 : Content Security : Stamp | Sub Rule | Activity | General Threat Message |
| V 2.0 : Content Security : Block | Sub Rule | Failed Activity | Threat Blocked |
| V 2.0 : Content Security : Redirect Mail For Approval | Sub Rule | Activity | General Threat Message |
| V 2.0 : Content Security : Encrypt | Sub Rule | Activity | General Threat Message |
| V 2.0 : Content Security : Detect | Sub Rule | Activity | General Threat Message |
| V 2.0 : Content Security : Reset | Sub Rule | Failed Activity | Threat Blocked |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Header (logVer) | N/A | N/A | CEF format version |
| Header (vendor) | N/A | N/A | Appliance vendor |
| Header (pname) | N/A | N/A | Appliance product |
| Header (pver) | N/A | N/A | Appliance product version |
| Header (eventid) | <vmid> | Text/String | MS: Filter action |
| Header (eventName) | N/A | N/A | Policy name |
| Header (severity) | N/A | N/A | Severity |
| cnt | N/A | N/A | Number of detections |
| deviceExternalId | N/A | N/A | ID |
| rt | N/A | N/A | Log generation time in UTC |
| dhost | <recipient> | Text/String/Number | List of all recipients |
| duser | N/A | N/A | One of the recipients |
| act | <action> <tag1> | Number | Filter action |
| cs1Label | N/A | N/A | Corresponding label for the "cs1" field |
| cs1 | N/A | N/A | Policy settings |
| cs2Label | N/A | N/A | Corresponding label for the "cs2" field |
| cs2 | N/A | N/A | Product version |
| cs3Label | N/A | N/A | Corresponding label for the "cs3" field |
| cs3 | N/A | N/A | Filter type 0: Unknown 1: ContentFilter 2: AttachmentFilter 3: StandardFilter 4: SizeFilter 5: DisclaimerMgr 6: SpamFilter 7: OPP 8: ImportFilter 9: PhishingFilter 10: UrlReputationFilter |
| cs4Label | N/A | N/A | Corresponding label for the "cs4" field |
| cs4 | N/A | N/A | Reason Code |
| cs5Label | N/A | N/A | Corresponding label for the "cs5" field |
| cs5 | N/A | N/A | Reason code source |
| cs6Label | N/A | N/A | Corresponding label for the "cs6" field |
| cs6 | N/A | N/A | Action 0: Unknown 1: N/A 2: Deliver 3: Delete 4: Quarantine 5: Postpone 6: Forward 7: Replace 8: Archive 100: Strip 101: Pass |
| cat | N/A | N/A | Log type |
| dvchost | <dname> | Text/String/Number | Endpoint host name |
| cn1Label | N/A | N/A | Corresponding label for the "cn1" field |
| cn1 | <severity> | Number | Severity code 0: Unknown 1: Information 2: Warning 3: Error 4: Critical |
| TMCMLogSeverity | N/A | N/A | Description of severity |
| fname | <object> | Text/String/Number | File |
| msg | <subject> | Text/String/Number | Subject |
| shost | <sender> | Text/String/Number | List of all senders/users in violation |
| suser | N/A | N/A | One of the senders/users in violation |
| request | <url> | Text/String/Number | Suspicious URL |
| cn2Label | N/A | N/A | Corresponding label for the "cn2" field |
| cn2 | N/A | N/A | Filter action result |
| deviceFacility | N/A | N/A | Product |
| src | <sip> | IP Address | Email sender IP address |
| reason | <reason> | Text/String | Critical threat type A: Known Advanced Persistent Threat (APT) B: Social engineering attack C: Vulnerability attack D: Lateral movement E: Unknown threats F: C&C callback G: Ransomware |
| filepath | N/A | N/A | Suspicious file location |
| ApexCentralHost | N/A | N/A | Apex Central host name |
| devicePayloadId | N/A | N/A | Unique message GUID |