
V 2.0 : Predictive Machine Learning Event

Vendor Documentation

Classification

Rule Name | Rule Type | Classification | Common Event
V 2.0 : Predictive Machine Learning Event | Base Rule | Other Security | General Security
V 2.0 : PML : Unknown | Sub Rule | Other Security | General Security
V 2.0 : PML : Not Applicable | Sub Rule | Other Security | General Security
V 2.0 : PML : File Cleaned | Sub Rule | Failed Activity | Threat Blocked
V 2.0 : PML : File Deleted | Sub Rule | Failed Activity | Threat Deleted
V 2.0 : PML : File Quarantined | Sub Rule | Activity | Quarantine
V 2.0 : PML : File Renamed | Sub Rule | Activity | General Threat Message
V 2.0 : PML : File Passed | Sub Rule | Activity | General Threat Message
V 2.0 : PML : Unable To Clean File, Passed | Sub Rule | Activity | General Threat Message
V 2.0 : PML : Unable To Clean File, Deleted | Sub Rule | Failed Activity | Threat Deleted
V 2.0 : PML : Unable To Clean File, Renamed | Sub Rule | Activity | General Threat Message
V 2.0 : PML : Unable To Clean File, Quarantined | Sub Rule | Activity | Quarantine
V 2.0 : PML : Unable To Clean File, Stripped | Sub Rule | Failed Activity | Threat Blocked
V 2.0 : PML : File Replaced | Sub Rule | Failed Activity | Threat Blocked
V 2.0 : PML : File Dropped | Sub Rule | Failed Activity | Threat Deleted
V 2.0 : PML : File Archived | Sub Rule | Activity | General Threat Message
V 2.0 : PML : Blocked Successfully | Sub Rule | Failed Activity | Threat Blocked
V 2.0 : PML : Quarantined Successfully | Sub Rule | Activity | Quarantine
V 2.0 : PML : Stamped Successfully | Sub Rule | Activity | General Threat Message
V 2.0 : PML : File Uploaded | Sub Rule | Activity | General Threat Message
V 2.0 : PML : Access Denied | Sub Rule | Activity | General Threat Message
V 2.0 : PML : No Action | Sub Rule | Activity | General Threat Message
V 2.0 : PML : Scan Stopped | Sub Rule | Information | Scan Stopped
V 2.0 : PML : Encrypted | Sub Rule | Activity | Encrypted Files Detected
V 2.0 : PML : Undefined | Sub Rule | Activity | General Activity
V 2.0 : PML : System Rebooted | Sub Rule | Startup and Shutdown | System Restarted
V 2.0 : PML : Action Failed | Sub Rule | Activity | General Activity
V 2.0 : PML : Action Required | Sub Rule | Activity | General Activity

Mapping with LogRhythm Schema

Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description
Header (logVer) | N/A | N/A | CEF format version
Header (vendor) | N/A | N/A | Appliance vendor
Header (pname) | N/A | N/A | Appliance product
Header (pver) | N/A | N/A | Appliance version
Header (eventid) | <vmid> | Text/String | PML:Action result
Header (eventName) | N/A | N/A | Detection name
Header (severity) | <severity> | Number | Severity
deviceExternalId | N/A | N/A | Log sequence number
rt | N/A | N/A | The detection time in UTC
deviceFacility | N/A | N/A | Product
dvchost | N/A | N/A | Product server
cn1Label | N/A | N/A | Corresponding label for the "cn1" field
cn1 | N/A | N/A | Probable threat type
cs2Label | N/A | N/A | Corresponding label for the "cs2" field
cs2 | <threatname> | Text/String/Number | Security threat
shost | <dip> | IP Address | Infected endpoint
suser | <login> | Text/String/Number | Logon user
cn2Label | N/A | N/A | Corresponding label for the "cn2" field
cn2 | N/A | N/A | 0: File; 1: Process
filePath | N/A | N/A | File path
fname | <object> | Text/String | File name
deviceCustomDate1Label | N/A | N/A | Corresponding label for the "deviceCustomDate1" field
deviceCustomDate1 | N/A | N/A | File creation time
sproc | <process> | Text/String | System process
cs4Label | N/A | N/A | Corresponding label for the "cs4" field
cs4 | <command> | Text/String | Process command
duser | N/A | N/A | Process owner
app | N/A | N/A | 0: Unknown; 1: Local drive; 2: Network drive; 3: AutoRun files; 10: Web; 11: Email; 999: Local or network drive
cs3Label | N/A | N/A | Corresponding label for the "cs3" field
cs3 | N/A | N/A | Infection source
dst | N/A | N/A | Product/Endpoint IPv4 Address
c6a3Label | N/A | N/A | Corresponding label for the "c6a3" field
c6a3 | N/A | N/A | Product/Endpoint IPv6 Address
cn3Label | N/A | N/A | Corresponding label for the "cn3" field
cn3 | N/A | N/A | Threat probability
act | <action>, <tag1> | Text/String/Number | Action result
fileHash | <hash> | Text/String/Number | File SHA-1
dhost | N/A | N/A | Product entity/endpoint
reason | <reason> | Text/String | Critical Threat Type: A: Known Advanced Persistent Threat (APT); B: Social engineering attack; C: Vulnerability attack; D: Lateral movement; E: Unknown threats; F: C&C callback; G: Ransomware
deviceNtDomain | N/A | N/A | Active Directory domain
dntdom | N/A | N/A | Apex One domain hierarchy
TMCMLogDetectedHost | N/A | N/A | Endpoint name where the log event occurred
TMCMLogDetectedIP | N/A | N/A | IP address where the log event occurred
ApexCentralHost | N/A | N/A | Apex Central host name
devicePayloadId | N/A | N/A | Unique message GUID
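The two tables above describe a parse-and-map procedure: split the CEF header, split the extension into key=value pairs, copy the mapped keys into LogRhythm schema fields, and pick the "V 2.0 : PML : ..." sub-rule from the action result. The following Python is an added example of that procedure; it is not LogRhythm's or Trend Micro's code. The sample record is constructed for this example (no real Apex Central log was used), and keying the sub-rule on the CEF act value, with unmatched actions falling to the Base Rule row, is this example's assumption rather than something the page states. It also decodes the reason and app code lists and checks that fileHash really is a 40-hex-digit SHA-1, which the table documents but a parser would otherwise accept blindly.

```python
import re

# Rule Name suffix -> (Classification, Common Event), from the classification table. Every
# row there is a Sub Rule; an action not in the table falls back to the Base Rule row
# (assumption: that is how an unmatched PML event is classified).
SUB_RULES = {}
for _cls, _ce, _acts in [
    ("Other Security", "General Security", ["Unknown", "Not Applicable"]),
    ("Failed Activity", "Threat Blocked", ["File Cleaned", "Unable To Clean File, Stripped",
                                           "File Replaced", "Blocked Successfully"]),
    ("Failed Activity", "Threat Deleted", ["File Deleted", "Unable To Clean File, Deleted", "File Dropped"]),
    ("Activity", "Quarantine", ["File Quarantined", "Unable To Clean File, Quarantined",
                                "Quarantined Successfully"]),
    ("Activity", "General Threat Message", ["File Renamed", "File Passed", "Unable To Clean File, Passed",
                                            "Unable To Clean File, Renamed", "File Archived",
                                            "Stamped Successfully", "File Uploaded", "Access Denied",
                                            "No Action"]),
    ("Information", "Scan Stopped", ["Scan Stopped"]),
    ("Activity", "Encrypted Files Detected", ["Encrypted"]),
    ("Activity", "General Activity", ["Undefined", "Action Failed", "Action Required"]),
    ("Startup and Shutdown", "System Restarted", ["System Rebooted"]),
]:
    for _a in _acts:
        SUB_RULES[_a] = (_cls, _ce)
BASE_RULE = ("V 2.0 : Predictive Machine Learning Event", "Other Security", "General Security")

# CEF extension key -> LogRhythm schema field, and the code lists, from the mapping table.
EXT_TO_SCHEMA = {"cs2": "threatname", "shost": "dip", "suser": "login", "fname": "object",
                 "sproc": "process", "cs4": "command", "fileHash": "hash", "reason": "reason"}
REASON_CODES = {"A": "Known Advanced Persistent Threat (APT)", "B": "Social engineering attack",
                "C": "Vulnerability attack", "D": "Lateral movement", "E": "Unknown threats",
                "F": "C&C callback", "G": "Ransomware"}
APP_CODES = {"0": "Unknown", "1": "Local drive", "2": "Network drive", "3": "AutoRun files",
             "10": "Web", "11": "Email", "999": "Local or network drive"}

_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")  # start of an extension key=value pair
_ESC = re.compile(r"\\(.)")                       # CEF escapes: \\ \= \| \n \r

def _unescape(value):
    return _ESC.sub(lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def _parse_extension(ext):
    """Split 'k1=v1 k2=v2 ...'; values may contain spaces but must escape '='."""
    keys, out = list(_KEY.finditer(ext)), {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].strip())
    return out

def parse_cef(line):
    """Return the 7 CEF header fields and the extension dict, honouring '\\|' escapes."""
    header, buf, i, ext = [], [], 0, ""
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):   # escaped character inside a header field
            buf.append(line[i + 1]); i += 2; continue
        if ch == "|":
            header.append("".join(buf)); buf = []; i += 1
            if len(header) == 7:                # everything after the 7th pipe is the extension
                ext = line[i:]; break
            continue
        buf.append(ch); i += 1
    if len(header) != 7 or not header[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    return header, _parse_extension(ext)

def map_to_logrhythm(line):
    """Build the LogRhythm-side record: rule, classification and mapped schema fields."""
    header, ext = parse_cef(line)
    event_id, severity = header[4], header[6]   # Header (eventid) -> <vmid>, Header (severity)
    act = ext.get("act", "")
    if act in SUB_RULES:
        rule_name, (classification, common_event) = f"V 2.0 : PML : {act}", SUB_RULES[act]
    else:
        rule_name, classification, common_event = BASE_RULE
    rec = {"rule_name": rule_name, "classification": classification, "common_event": common_event,
           "vmid": event_id, "severity": int(severity), "action": act, "tag1": act}
    rec.update({lr: ext[k] for k, lr in EXT_TO_SCHEMA.items() if k in ext})
    if "reason" in ext:   # enumerations the table documents only as codes, decoded for the analyst
        rec["reason_text"] = REASON_CODES.get(ext["reason"], "unrecognised")
    if "app" in ext:
        rec["app_text"] = APP_CODES.get(ext["app"], "unrecognised")
    if "hash" in rec:     # fileHash is documented as SHA-1: flag anything that is not 40 hex digits
        rec["hash_is_sha1"] = re.fullmatch(r"[0-9a-fA-F]{40}", rec["hash"]) is not None
    return rec

# Constructed sample record (not a real Apex Central log); note the CEF escapes in the values.
SAMPLE = (
    "CEF:0|Trend Micro|Apex Central|2019|PML:File Quarantined|Ransom.Win32.TEST.A|3|"
    "rt=Jan 02 2024 13:22:33 UTC deviceFacility=Apex One dvchost=APEXONE-01 cs2=Ransom.Win32.TEST.A "
    "shost=10.1.2.3 suser=CORP\\\\jdoe cn2=0 filePath=C:\\\\Users\\\\jdoe\\\\Downloads\\\\ "
    "fname=invoice.exe sproc=explorer.exe cs4=explorer.exe /select\\=1 app=10 cn3=92 "
    "act=File Quarantined fileHash=da39a3ee5e6b4b0d3255bfef95601890afd80709 dhost=WS-JDOE "
    "reason=G deviceNtDomain=CORP dntdom=Apex One\\\\Workgroup TMCMLogDetectedHost=WS-JDOE"
)

if __name__ == "__main__":
    for field, value in map_to_logrhythm(SAMPLE).items():
        print(f"{field:16} {value!r}")
```

Two points worth keeping from this: the extension splitter only finds a new key at whitespace followed by `name=`, so a value that carries an unescaped `=` after a space (a command line, a URL query) will be cut in two, which is why CEF requires `\=` there; and the N/A columns in the table are still parsed and kept in the extension dict, so fields such as cn3 (threat probability) and deviceExternalId stay available for custom parsing even though they do not land in a schema field.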