# V 2.0 : FireEye MPS Events
Vendor Documentation
## Classification
| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| V 2.0: FireEye MPS Events | Base Rule | FireEye Notification | Operations: Other Operations |
| V 2.0: Trellix FMPS Events | Sub Rule | Detected Malware Activity | Security: Malware |
## Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| N/A | N/A | N/A | Format |
| N/A | <tag1> | Text/String | Device Vendor |
| N/A | <vendorinfo> | Text/String | Device Product |
| N/A | N/A | N/A | Device Version |
| N/A | N/A | N/A | Signature ID |
| N/A | <process> | Text/String | Name |
| N/A | <severity> | Number | Severity |
| rt | N/A | N/A | Log generation time in UTC |
| src | <sip> | IP Address | Source IP address |
| cn2Label | N/A | N/A | Corresponding label for the "cn2" field |
| cn2 | N/A | N/A | Protocol |
| shost | <sname> | Text/String | Endpoint hostname |
| proto | <protname> | Text/String | The network protocol being exploited |
| dvchost | <dname> | Text/String | Host Name |
| dst | <dip> | IP Address | Destination IP address |
| spt | <sport> | Number | Source Port |
| dvc | N/A | N/A | Device IP address |
| smac | <smac> | Text/String/Number | Source MAC address |
| cn1Label | N/A | N/A | Corresponding label for the "cn1" field |
| cn1 | N/A | N/A | VLAN |
| dpt | <dport> | Number | Destination Port |
| externalId | N/A | N/A | ID |
| cs4Label | N/A | N/A | Corresponding label for the "cs4" field |
| cs4 | <url> | Text/String | URL |
| dmac | <dmac> | Text/String/Number | Destination MAC address |
| cs1Label | N/A | N/A | Corresponding label for the "cs1" field |
| cs1 | <subject> | Text/String | Message |
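The table above maps CEF header positions and extension keys onto LogRhythm schema fields, and it relies on the CEF convention that a custom field such as `cn2` only gets its meaning from the companion `cn2Label` key. The following parser is an added example written for this page; it is not LogRhythm's or FireEye's code. It splits a CEF record on unescaped pipes, walks the extension key/value pairs (values may contain spaces, so each value runs until the next ` key=` token), applies the mapping from the table, and resolves the `cnNLabel`/`csNLabel` pairs. The schema names are used as plain dictionary keys without the angle brackets, and the sample record is constructed (RFC 5737 addresses, an `example.invalid` URL, a placeholder device version), not a real MPS capture.

```python
"""Parse a FireEye MPS CEF record and apply the LogRhythm field mapping above."""
import json
import re
from typing import Any, Dict

# CEF header layout: CEF:Version|Device Vendor|Device Product|Device Version|
# Signature ID|Name|Severity|Extension. Only the positions the table maps are kept.
HEADER_MAP = {1: "tag1", 2: "vendorinfo", 5: "process", 6: "severity"}

# Extension keys that have a direct LogRhythm schema field in the table.
EXT_MAP = {
    "src": "sip", "dst": "dip", "spt": "sport", "dpt": "dport",
    "shost": "sname", "dvchost": "dname", "proto": "protname",
    "smac": "smac", "dmac": "dmac", "cs4": "url", "cs1": "subject",
}
NUMERIC_FIELDS = {"severity", "sport", "dport"}

_PIPE = re.compile(r"(?<!\\)\|")            # pipe not preceded by a backslash
_EXT_KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")  # value ends before next " key="


def parse_extension(ext: str) -> Dict[str, str]:
    """Split the extension into key/value pairs and unescape '\\=' and '\\\\'."""
    return {k: v.replace("\\=", "=").replace("\\\\", "\\")
            for k, v in _EXT_KV.findall(ext)}


def resolve_labels(ext: Dict[str, str]) -> Dict[str, str]:
    """Pair each cnN/csN custom field with its cnNLabel/csNLabel name,
    e.g. cn2Label=Protocol cn2=6 becomes {"Protocol": "6"}."""
    out: Dict[str, str] = {}
    for key, value in ext.items():
        if key.endswith("Label"):
            continue
        label = ext.get(key + "Label")
        if label is not None:
            out[label] = value
    return out


def _to_int(value: str) -> Any:
    # CEF severity is normally 0-10 but the spec also allows words (Low, High ...),
    # so fall back to the raw string rather than failing the whole record.
    try:
        return int(value)
    except ValueError:
        return value


def parse_fireeye_cef(line: str) -> Dict[str, Any]:
    """Return a dict keyed by LogRhythm schema field name, plus the custom
    (label-resolved) fields and any keys the table leaves unmapped."""
    parts = _PIPE.split(line.strip(), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    record: Dict[str, Any] = {"format": "CEF"}
    for idx, field in HEADER_MAP.items():
        record[field] = parts[idx].replace("\\|", "|")
    ext = parse_extension(parts[7])
    for cef_key, schema_field in EXT_MAP.items():
        if cef_key in ext:
            record[schema_field] = ext[cef_key]
    for field in NUMERIC_FIELDS:
        if field in record:
            record[field] = _to_int(record[field])
    record["custom"] = resolve_labels(ext)
    # rt, dvc, externalId, cn1 and cn2 have no schema field in the table; keep them
    # so an analyst can still see the event time, sensor IP and FireEye event ID.
    record["unmapped"] = {k: v for k, v in ext.items()
                          if k not in EXT_MAP and not k.endswith("Label")}
    return record


# Constructed sample record (not a real capture): RFC 5737 destination, example.invalid URL.
SAMPLE = (
    "CEF:0|FireEye|MPS|0.0.0-placeholder|MC|malware-callback|9|"
    "rt=Jan 01 2024 12:00:00 UTC src=10.0.0.5 spt=51515 dst=203.0.113.7 dpt=80 "
    "proto=tcp shost=ws-01 dvchost=mps-01 dvc=10.0.0.2 "
    "smac=00:11:22:33:44:55 dmac=66:77:88:99:aa:bb "
    "cn1Label=VLAN cn1=42 cn2Label=Protocol cn2=6 externalId=12345 "
    "cs4Label=URL cs4=http://example.invalid/path?a\\=1 "
    "cs1Label=Message cs1=Malware callback detected"
)

if __name__ == "__main__":
    print(json.dumps(parse_fireeye_cef(SAMPLE), indent=2))
```

The `custom` dictionary is where the label convention pays off: `cn1`/`cn2` carry no meaning on their own, but once paired with their labels they read as `VLAN` and `Protocol`, which is exactly how the table describes them. Anything a vendor adds later without a table entry lands in `unmapped` rather than being silently dropped, which is worth checking when a rule stops matching after an appliance upgrade.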