V 2.0 : Intrusion Prevention Event

Vendor Documentation

Classification

| Rule Name | Rule Type | Classification | Common Event |
|---|---|---|---|
| V 2.0 : Intrusion Prevention Event | Base Rule | Activity | General Activity |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Header (logVer) | N/A | N/A | CEF format version |
| Header (vendor) | N/A | N/A | Product vendor |
| Header (pname) | N/A | N/A | Product name |
| Header (pver) | N/A | N/A | Product version |
| Header (eventid) | N/A | N/A | Event ID |
| Header (eventName) | `<vmid>` | Text/String | Log name |
| Header (severity) | N/A | N/A | Severity |
| `rt` | N/A | N/A | Log generation time in UTC |
| `dvchost` | N/A | N/A | Display name of the managed endpoint |
| `deviceFacility` | N/A | N/A | Product name |
| `act` | `<action>` | Text/String | Action: 0 = UNKNOWN, 3 = DELETE, 6 = LOG, 10 = INSERT/REPLACE, 13 = BLOCK, 257 = RESET |
| `src` | `<sip>` | IP Address | Source IPv4 address |
| `c6a2Label` | N/A | N/A | Corresponding label for the "c6a2" field |
| `c6a2` | `<sip>` | IP Address | Source IPv6 address |
| `dst` | `<dip>` | IP Address | Destination IPv4 address |
| `c6a3Label` | N/A | N/A | Corresponding label for the "c6a3" field |
| `c6a3` | `<dip>` | IP Address | Destination IPv6 address |
| `smac` | `<smac>` | Text/String/Number | Source MAC address |
| `spt` | `<sport>` | Number | Source port |
| `dmac` | `<dmac>` | Text/String/Number | Destination host MAC address |
| `dpt` | `<dport>` | Number | Destination port |
| `cn2Label` | N/A | N/A | Corresponding label for the "cn2" field |
| `cn2` | N/A | N/A | Indicates whether the system is in "detection only" mode: 0 or NULL = No, 1 = Yes |
| `deviceDirection` | N/A | N/A | Incoming or outgoing direction |
| `cn3Label` | N/A | N/A | Corresponding label for the "cn3" field |
| `cn3` | N/A | N/A | Weighted priority of the incident |
| `cn4Label` | N/A | N/A | Corresponding label for the "cn4" field |
| `cn4` | `<severity>` | Number | The system-defined incident severity value: 1 = LOW, 2 = MEDIUM, 3 = HIGH, 4 = CRITICAL |
| `proto` | N/A | N/A | The network protocol being exploited: 28 = ICMP, 46 = ICMPv6, 10003 = TCP, 10004 = UDP, 10005 = IGMP, 10006 = GGP, 10007 = PUP, 10008 = IDP, 10009 = ND, 10010 = RAW |
| `cs2Label` | N/A | N/A | Corresponding label for the "cs2" field |
| `cs2` | N/A | N/A | The network application name |
| `cn1Label` | N/A | N/A | Corresponding label for the "cn1" field |
| `cn1` | N/A | N/A | The ID of the inspection rule |
| `cs1Label` | N/A | N/A | Corresponding label for the "cs1" field |
| `cs1` | `<policy>` | Text/String/Number | The string literal of the rule ID and description |
| `cnt` | `<quantity>` | Number | Aggregated count |
| `deviceNtDomain` | N/A | N/A | Active Directory domain |
| `dntdom` | N/A | N/A | Apex One domain hierarchy |
| `TMCMLogDetectedHost` | `<sname>` | Text/String | Endpoint name where the log event occurred |
| `TMCMLogDetectedIP` | `<sip>` | IP Address | IP address where the log event occurred |
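As an added example (not code from this documentation, from LogRhythm or from the log source vendor), the following Python parses a CEF record of this event type into the LogRhythm schema fields listed in the mapping table and decodes the `act`, `cn4`, `cn2` and `proto` enumerations from that table. Everything not on the page is an assumption made for the example: the vendor and product strings, hosts, addresses and rule names in the two constructed sample records, the assumption that `act` carries the numeric code (a value that is already a name passes through unchanged), and the output names `action_code`, `protocol`, `detection_only` and `conflicts`, which the schema does not define.

```python
import json
import re

# Device key -> LogRhythm schema field, taken from the mapping table above.
# Keys the table maps to N/A are not copied; cn2 and proto are read for context.
CEF_TO_LOGRHYTHM = {
    "eventName": "vmid", "act": "action",
    "src": "sip", "c6a2": "sip", "TMCMLogDetectedIP": "sip",
    "dst": "dip", "c6a3": "dip",
    "smac": "smac", "spt": "sport", "dmac": "dmac", "dpt": "dport",
    "cn4": "severity", "cs1": "policy", "cnt": "quantity",
    "TMCMLogDetectedHost": "sname",
}
INT_FIELDS = {"sport", "dport", "quantity"}

# Enumerations from the table's act, cn4 and proto rows.
ACTION_CODES = {0: "UNKNOWN", 3: "DELETE", 6: "LOG", 10: "INSERT/REPLACE", 13: "BLOCK", 257: "RESET"}
SEVERITY_CODES = {1: "LOW", 2: "MEDIUM", 3: "HIGH", 4: "CRITICAL"}
PROTO_CODES = {28: "ICMP", 46: "ICMPv6", 10003: "TCP", 10004: "UDP", 10005: "IGMP",
               10006: "GGP", 10007: "PUP", 10008: "IDP", 10009: "ND", 10010: "RAW"}

HEADER_FIELDS = ("logVer", "vendor", "pname", "pver", "eventid", "eventName", "severity")

# key=value pairs: a value (escapes allowed) runs until the next " key=" or end of line,
# so values containing spaces, such as cs1's rule ID and description, stay intact.
_EXT_RE = re.compile(r"([A-Za-z0-9_]+)=((?:\\.|[^\\=])*?)(?=\s+[A-Za-z0-9_]+=|\s*$)")


def _unescape(value):
    r"""Undo CEF escaping: \|, \= and \\ become the literal character; \n and \r a newline or CR."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_cef(line):
    """Split one CEF record into its seven header fields and its extension key/value pairs."""
    # Header fields are pipe-separated; an escaped pipe (\|) does not split.
    parts = re.split(r"(?<!\\)\|", line.strip(), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    header = dict(zip(HEADER_FIELDS, (_unescape(p) for p in parts[:7])))
    header["logVer"] = header["logVer"][len("CEF:"):]
    extension = {k: _unescape(v) for k, v in _EXT_RE.findall(parts[7])}
    return {"header": header, "extension": extension}


def _decode(value, table):
    """Replace a numeric code with its name from the table; anything else passes through."""
    if value is None or not str(value).isdigit():
        return value
    return table.get(int(value), value)


def to_logrhythm(parsed):
    """Apply the mapping table to a parsed record and decode the enumerated fields."""
    values = dict(parsed["extension"])
    values["eventName"] = parsed["header"]["eventName"]  # the one header field with a mapping
    record, conflicts = {}, []
    for key, value in values.items():
        field = CEF_TO_LOGRHYTHM.get(key)
        if field is None:
            continue
        if field in record and record[field] != value:
            # src, c6a2 and TMCMLogDetectedIP all land in sip: keep the first, report the rest
            conflicts.append((key, field, value))
            continue
        record[field] = value
    for field in INT_FIELDS:
        if field in record and record[field].isdigit():
            record[field] = int(record[field])
    record["action_code"] = record.get("action")
    record["action"] = _decode(record.get("action"), ACTION_CODES)
    record["severity"] = _decode(record.get("severity"), SEVERITY_CODES)
    # Context the table leaves unmapped (N/A) but a detection rule usually wants:
    record["protocol"] = _decode(values.get("proto"), PROTO_CODES)
    record["detection_only"] = values.get("cn2") == "1"  # 0 or NULL = No, 1 = Yes
    record["conflicts"] = conflicts
    return record


def normalize(line):
    return to_logrhythm(parse_cef(line))


# Constructed sample records; vendor, product, hosts, addresses and rule names are made up.
SAMPLE_LINE = (
    "CEF:0|ExampleVendor|ExampleProduct|1.0|500|Intrusion Prevention|6|"
    "rt=Jan 02 2024 03:04:05 GMT+00:00 dvchost=WS-042 deviceFacility=ExampleProduct "
    "act=13 src=10.20.30.40 dst=10.20.30.50 smac=00:11:22:33:44:55 spt=51234 "
    "dmac=66:77:88:99:aa:bb dpt=445 cn2Label=DetectionOnly cn2=0 deviceDirection=Inbound "
    "cn3Label=Priority cn3=5 cn4Label=Severity cn4=3 proto=10003 cs2Label=App cs2=smb "
    "cn1Label=RuleId cn1=1000001 cs1Label=Rule cs1=1000001 - Example Rule Name cnt=1 "
    "deviceNtDomain=EXAMPLE dntdom=Root\\\\Workgroup "
    "TMCMLogDetectedHost=WS-042 TMCMLogDetectedIP=10.20.30.40"
)
SAMPLE_LINE_V6 = (
    "CEF:0|ExampleVendor|ExampleProduct|1.0|500|Intrusion Prevention|3|"
    "act=6 c6a2Label=SourceIPv6 c6a2=2001:db8::10 c6a3Label=DestIPv6 c6a3=2001:db8::20 "
    "spt=40000 dpt=22 cn2=1 cn4=1 proto=10004 cs1=1000002 - Example Rule Two cnt=2"
)

if __name__ == "__main__":
    for line in (SAMPLE_LINE, SAMPLE_LINE_V6):
        print(json.dumps(normalize(line), indent=2))
```

Because `src`, `c6a2` and `TMCMLogDetectedIP` all map to `sip`, the function keeps the first value seen and lists any disagreeing ones under `conflicts` rather than silently overwriting; a detection-only record (`cn2=1`) is flagged so that a rule can treat a `BLOCK` action that was never enforced differently from a real block.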