V 2.0 : Sandbox Detection Event
Vendor Documentation
Classification
Rule Name | Rule Type | Classification | Common Event |
---|---|---|---|
V 2.0 : Sandbox Detection Event | Base Rule | Activity | General Threat Message |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
---|---|---|---|
Header (logVer) | N/A | N/A | CEF format version |
Header (vendor) | N/A | N/A | Appliance vendor |
Header (pname) | N/A | N/A | Appliance product |
Header (pver) | N/A | N/A | Appliance version |
Header (eventid) | <vmid> | Text/String | Device event class ID |
Header (eventName) | N/A | N/A | Event name |
Header (severity) | N/A | N/A | Severity |
deviceExternalId | N/A | N/A | ID |
rt | N/A | N/A | Log generation time in UTC |
deviceFacility | N/A | N/A | Product type |
dvchost | N/A | N/A | Server name |
dhost | <dname> | Text/String/Number | Endpoint name |
dst | <dip> | IP Address | Endpoint IPv4 address |
c6a3 | N/A | N/A | Endpoint IPv6 address |
app | N/A | N/A | Entry channel |
sourceServiceName | N/A | N/A | Source |
destinationServiceName | N/A | N/A | Destination |
sproc | <process> | Text/String | Process name |
fileHash | <hash> | Text/String/Number | File SHA-1 hash |
fname | <object> | Text/String | File name |
request | <url> | Text/String/Number | URL |
cs1Label | N/A | N/A | Corresponding label for the "cs1" field |
cs1 | <threatname> | Text/String | The name of the security threat determined by Virtual Analyzer |
cn1Label | N/A | N/A | Corresponding label for the "cn1" field |
cn1 | <severity> | Number | 0: No risk 1: Low risk 2: Medium risk 3: High risk 9999: Unknown |
cs2Label | N/A | N/A | Corresponding label for the "cs2" field |
cs2 | <subject> | Text/String | Displays the security threat type |
cs3Label | N/A | N/A | Corresponding label for the "cs3" field |
cs3 | N/A | N/A | Cloud storage vendor Google Drive Dropbox Box Google Drive Microsoft OneDrive SugarSync Hightail Evernote Microsoft Exchange Online Microsoft SharePoint Online Unknown N/A |
reason | <reason> | Text/String | Critical Threat Type A: Known Advanced Persistent Threat (APT) B: Social engineering attack C: Vulnerability attack D: Lateral movement E: Unknown threats F: C&C callback G: Ransomware |
deviceNtDomain | N/A | N/A | Active Directory domain |
dntdom | N/A | N/A | Apex One domain hierarchy |
TMCMLogDetectedHost | N/A | N/A | Endpoint name where the log event occurred |
TMCMLogDetectedIP | N/A | N/A | IP address where the log event occurred |
ApexCentralHost | N/A | N/A | Apex Central host name |
devicePayloadId | N/A | N/A | Unique message GUID |