Vendor Documentation
Classification
|
Rule Name |
Rule Type |
Classification |
Common Event |
|---|---|---|---|
|
V 2.0 : Predictive Machine Learning Event |
Base Rule |
Other Security |
General Security |
|
V 2.0 : PML : Unknown |
Sub Rule |
Other Security |
General Security |
|
V 2.0 : PML : Not Applicable |
Sub Rule |
Other Security |
General Security |
|
V 2.0 : PML : File Cleaned |
Sub Rule |
Failed Activity |
Threat Blocked |
|
V 2.0 : PML : File Deleted |
Sub Rule |
Failed Activity |
Threat Deleted |
|
V 2.0 : PML : File Quarantined |
Sub Rule |
Activity |
Quarantine |
|
V 2.0 : PML : File Renamed |
Sub Rule |
Activity |
General Threat Message |
|
V 2.0 : PML : File Passed |
Sub Rule |
Activity |
General Threat Message |
|
V 2.0 : PML : Unable To Clean File, Passed |
Sub Rule |
Activity |
General Threat Message |
|
V 2.0 : PML : Unable To Clean File, Deleted |
Sub Rule |
Failed Activity |
Threat Deleted |
|
V 2.0 : PML : Unable To Clean File, Renamed |
Sub Rule |
Activity |
General Threat Message |
|
V 2.0 : PML : Unable To Clean File, Quarantined |
Sub Rule |
Activity |
Quarantine |
|
V 2.0 : PML : Unable To Clean File, Stripped |
Sub Rule |
Failed Activity |
Threat Blocked |
|
V 2.0 : PML : File Replaced |
Sub Rule |
Failed Activity |
Threat Blocked |
|
V 2.0 : PML : File Dropped |
Sub Rule |
Failed Activity |
Threat Deleted |
|
V 2.0 : PML : File Archived |
Sub Rule |
Activity |
General Threat Message |
|
V 2.0 : PML : Blocked Successfully |
Sub Rule |
Failed Activity |
Threat Blocked |
|
V 2.0 : PML : Quarantined Successfully |
Sub Rule |
Activity |
Quarantine |
|
V 2.0 : PML : Stamped Successfully |
Sub Rule |
Activity |
General Threat Message |
|
V 2.0 : PML : File Uploaded |
Sub Rule |
Activity |
General Threat Message |
|
V 2.0 : PML : Access Denied |
Sub Rule |
Activity |
General Threat Message |
|
V 2.0 : PML : No Action |
Sub Rule |
Activity |
General Threat Message |
|
V 2.0 : PML : Scan Stopped |
Sub Rule |
Information |
Scan Stopped |
|
V 2.0 : PML : Encrypted |
Sub Rule |
Activity |
Encrypted Files Detected |
|
V 2.0 : PML : Undefined |
Sub Rule |
Activity |
General Activity |
|
V 2.0 : PML : System Rebooted |
Sub Rule |
Startup and Shutdown |
System Restarted |
|
V 2.0 : PML : Action Failed |
Sub Rule |
Activity |
General Activity |
|
V 2.0 : PML : Action Required |
Sub Rule |
Activity |
General Activity |
Mapping with LogRhythm Schema
|
Device Key in Log Message |
LogRhythm Schema |
Data Type |
Schema Description |
|---|---|---|---|
|
Header (logVer) |
N/A |
N/A |
CEF format version |
|
Header (vendor) |
N/A |
N/A |
Appliance vendor |
|
Header (pname) |
N/A |
N/A |
Appliance product |
|
Header (pver) |
N/A |
N/A |
Appliance version |
|
Header (eventid) |
<vmid> |
Text/String |
PML:Action result |
|
Header (eventName) |
N/A |
N/A |
Detection name |
|
Header (severity) |
<severity> |
Number |
Severity |
|
deviceExternalId |
N/A |
N/A |
Log sequence number |
|
rt |
N/A |
N/A |
The detection time in UTC |
|
deviceFacility |
N/A |
N/A |
Product |
|
dvchost |
N/A |
N/A |
Product server |
|
cn1Label |
N/A |
N/A |
Corresponding label for the "cn1" field |
|
cn1 |
N/A |
N/A |
Probable threat type |
|
cs2Label |
N/A |
N/A |
Corresponding label for the "cs2" field |
|
cs2 |
<threatname> |
Text/String/Number |
Security threat |
|
shost |
<dip> |
IP Address |
Infected endpoint |
|
suser |
<login> |
Text/String/Number |
Logon user |
|
cn2Label |
N/A |
N/A |
Corresponding label for the "cn2" field |
|
cn2 |
N/A |
N/A |
0: File
|
|
filePath |
N/A |
N/A |
File path |
|
fname |
<object> |
Text/String |
File name |
|
deviceCustomDate1Label |
N/A |
N/A |
Corresponding label for the "deviceCustomDate1" field |
|
deviceCustomDate1 |
N/A |
N/A |
File creation time |
|
sproc |
<process> |
Text/String |
System process |
|
cs4Label |
N/A |
N/A |
Corresponding label for the "cn4" field |
|
cs4 |
<command> |
Text/String |
Process command |
|
duser |
N/A |
N/A |
Process owner |
|
app |
N/A |
N/A |
0: Unknown
|
|
cs3Label |
N/A |
N/A |
Corresponding label for the "cs3" field |
|
cs3 |
N/A |
N/A |
Infection source |
|
dst |
N/A |
N/A |
Product/Endpoint IPv4 Address |
|
c6a3Label |
N/A |
N/A |
Corresponding label for the "c6a3" field |
|
c6a3 |
N/A |
N/A |
Product/Endpoint IPv6 Address |
|
cn3Label |
N/A |
N/A |
Corresponding label for the "cn3" field |
|
cn3 |
N/A |
N/A |
Threat probability |
|
act |
<action>
|
Text/String/Number |
Action result |
|
fileHash |
<hash> |
Text/String/Number |
File SHA-1 |
|
dhost |
N/A |
N/A |
Product entity/endpoint |
|
reason |
<reason> |
Text/String |
Critical Threat Type
|
|
deviceNtDomain |
N/A |
N/A |
Active Directory domain |
|
dntdom |
N/A |
N/A |
Apex One domain hierarchy |
|
TMCMLogDetectedHost |
N/A |
N/A |
Endpoint name where the log event occurred |
|
TMCMLogDetectedIP |
N/A |
N/A |
IP address where the log event occurred |
|
ApexCentralHost |
N/A |
N/A |
Apex Central host name |
|
devicePayloadId |
N/A |
N/A |
Unique message GUID |