V 2.0 : Predictive Machine Learning Event
Vendor Documentation
Classification
Rule Name | Rule Type | Classification | Common Event |
---|---|---|---|
V 2.0 : Predictive Machine Learning Event | Base Rule | Other Security | General Security |
V 2.0 : PML : Unknown | Sub Rule | Other Security | General Security |
V 2.0 : PML : Not Applicable | Sub Rule | Other Security | General Security |
V 2.0 : PML : File Cleaned | Sub Rule | Failed Activity | Threat Blocked |
V 2.0 : PML : File Deleted | Sub Rule | Failed Activity | Threat Deleted |
V 2.0 : PML : File Quarantined | Sub Rule | Activity | Quarantine |
V 2.0 : PML : File Renamed | Sub Rule | Activity | General Threat Message |
V 2.0 : PML : File Passed | Sub Rule | Activity | General Threat Message |
V 2.0 : PML : Unable To Clean File, Passed | Sub Rule | Activity | General Threat Message |
V 2.0 : PML : Unable To Clean File, Deleted | Sub Rule | Failed Activity | Threat Deleted |
V 2.0 : PML : Unable To Clean File, Renamed | Sub Rule | Activity | General Threat Message |
V 2.0 : PML : Unable To Clean File, Quarantined | Sub Rule | Activity | Quarantine |
V 2.0 : PML : Unable To Clean File, Stripped | Sub Rule | Failed Activity | Threat Blocked |
V 2.0 : PML : File Replaced | Sub Rule | Failed Activity | Threat Blocked |
V 2.0 : PML : File Dropped | Sub Rule | Failed Activity | Threat Deleted |
V 2.0 : PML : File Archived | Sub Rule | Activity | General Threat Message |
V 2.0 : PML : Blocked Successfully | Sub Rule | Failed Activity | Threat Blocked |
V 2.0 : PML : Quarantined Successfully | Sub Rule | Activity | Quarantine |
V 2.0 : PML : Stamped Successfully | Sub Rule | Activity | General Threat Message |
V 2.0 : PML : File Uploaded | Sub Rule | Activity | General Threat Message |
V 2.0 : PML : Access Denied | Sub Rule | Activity | General Threat Message |
V 2.0 : PML : No Action | Sub Rule | Activity | General Threat Message |
V 2.0 : PML : Scan Stopped | Sub Rule | Information | Scan Stopped |
V 2.0 : PML : Encrypted | Sub Rule | Activity | Encrypted Files Detected |
V 2.0 : PML : Undefined | Sub Rule | Activity | General Activity |
V 2.0 : PML : System Rebooted | Sub Rule | Startup and Shutdown | System Restarted |
V 2.0 : PML : Action Failed | Sub Rule | Activity | General Activity |
V 2.0 : PML : Action Required | Sub Rule | Activity | General Activity |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
---|---|---|---|
Header (logVer) | N/A | N/A | CEF format version |
Header (vendor) | N/A | N/A | Appliance vendor |
Header (pname) | N/A | N/A | Appliance product |
Header (pver) | N/A | N/A | Appliance version |
Header (eventid) | <vmid> | Text/String | PML:Action result |
Header (eventName) | N/A | N/A | Detection name |
Header (severity) | <severity> | Number | Severity |
deviceExternalId | N/A | N/A | Log sequence number |
rt | N/A | N/A | The detection time in UTC |
deviceFacility | N/A | N/A | Product |
dvchost | N/A | N/A | Product server |
cn1Label | N/A | N/A | Corresponding label for the "cn1" field |
cn1 | N/A | N/A | Probable threat type |
cs2Label | N/A | N/A | Corresponding label for the "cs2" field |
cs2 | <threatname> | Text/String/Number | Security threat |
shost | <dip> | IP Address | Infected endpoint |
suser | <login> | Text/String/Number | Logon user |
cn2Label | N/A | N/A | Corresponding label for the "cn2" field |
cn2 | N/A | N/A | 0: File 1: Process |
filePath | N/A | N/A | File path |
fname | <object> | Text/String | File name |
deviceCustomDate1Label | N/A | N/A | Corresponding label for the "deviceCustomDate1" field |
deviceCustomDate1 | N/A | N/A | File creation time |
sproc | <process> | Text/String | System process |
cs4Label | N/A | N/A | Corresponding label for the "cn4" field |
cs4 | <command> | Text/String | Process command |
duser | N/A | N/A | Process owner |
app | N/A | N/A | 0: Unknown 1: Local drive 2: Network drive 3: AutoRun files 10: Web 11: Email 999: Local or network drive |
cs3Label | N/A | N/A | Corresponding label for the "cs3" field |
cs3 | N/A | N/A | Infection source |
dst | N/A | N/A | Product/Endpoint IPv4 Address |
c6a3Label | N/A | N/A | Corresponding label for the "c6a3" field |
c6a3 | N/A | N/A | Product/Endpoint IPv6 Address |
cn3Label | N/A | N/A | Corresponding label for the "cn3" field |
cn3 | N/A | N/A | Threat probability |
act | <action> <tag1> | Text/String/Number | Action result |
fileHash | <hash> | Text/String/Number | File SHA-1 |
dhost | N/A | N/A | Product entity/endpoint |
reason | <reason> | Text/String | Critical Threat Type A: Known Advanced Persistent Threat (APT) B: Social engineering attack C: Vulnerability attack D: Lateral movement E: Unknown threats F: C&C callback G: Ransomware |
deviceNtDomain | N/A | N/A | Active Directory domain |
dntdom | N/A | N/A | Apex One domain hierarchy |
TMCMLogDetectedHost | N/A | N/A | Endpoint name where the log event occurred |
TMCMLogDetectedIP | N/A | N/A | IP address where the log event occurred |
ApexCentralHost | N/A | N/A | Apex Central host name |
devicePayloadId | N/A | N/A | Unique message GUID |