V 2.0 : FireEye MPS Events

Vendor Documentation

Classification

Rule Name                   | Rule Type | Common Event              | Classification
----------------------------|-----------|---------------------------|------------------------------
V 2.0: FireEye MPS Events   | Base Rule | FireEye Notification      | Operations: Other Operations
V 2.0: Trellix FMPS Events  | Sub Rule  | Detected Malware Activity | Security: Malware

Mapping with LogRhythm Schema

Device Key in Log Message | LogRhythm Schema | Data Type          | Schema Description
--------------------------|------------------|--------------------|-------------------------------------------
N/A                       | N/A              | N/A                | Format
N/A                       | <tag1>           | Text/String        | Device Vendor
N/A                       | <vendorinfo>     | Text/String        | Device Product
N/A                       | N/A              | N/A                | Device Version
N/A                       | N/A              | N/A                | Signature ID
N/A                       | <process>        | Text/String        | Name
N/A                       | <severity>       | Number             | Severity
rt                        | N/A              | N/A                | Log generation time in UTC
src                       | <sip>            | IP Address         | Source IP address
cn2Label                  | N/A              | N/A                | Corresponding label for the "cn2" field
cn2                       | N/A              | N/A                | Protocol
shost                     | <sname>          | Text/String        | Endpoint hostname
proto                     | <protname>       | Text/String        | The network protocol being exploited
dvchost                   | <dname>          | Text/String        | Host Name
dst                       | <dip>            | IP Address         | Destination IP address
spt                       | <sport>          | Number             | Source Port
dvc                       | N/A              | N/A                | Device IP address
smac                      | <smac>           | Text/String/Number | Source MAC address
cn1Label                  | N/A              | N/A                | Corresponding label for the "cn1" field
cn1                       | N/A              | N/A                | VLAN
dpt                       | <dport>          | Number             | Destination Port
externalId                | N/A              | N/A                | ID
cs4Label                  | N/A              | N/A                | Corresponding label for the "cs4" field
cs4                       | <url>            | Text/String        | URL
dmac                      | <dmac>           | Text/String/Number | Destination MAC address
cs1Label                  | N/A              | N/A                | Corresponding label for the "cs1" field
cs1                       | <subject>        | Text/String        | Message