V 2.0 : Sandbox Detection Event

Vendor Documentation

Classification

| Rule Name | Rule Type | Classification | Common Event |
|---|---|---|---|
| V 2.0 : Sandbox Detection Event | Base Rule | Activity | General Threat Message |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Header (logVer) | N/A | N/A | CEF format version |
| Header (vendor) | N/A | N/A | Appliance vendor |
| Header (pname) | N/A | N/A | Appliance product |
| Header (pver) | N/A | N/A | Appliance version |
| Header (eventid) | <vmid> | Text/String | Device event class ID |
| Header (eventName) | N/A | N/A | Event name |
| Header (severity) | N/A | N/A | Severity |
| deviceExternalId | N/A | N/A | ID |
| rt | N/A | N/A | Log generation time in UTC |
| deviceFacility | N/A | N/A | Product type |
| dvchost | N/A | N/A | Server name |
| dhost | <dname> | Text/String/Number | Endpoint name |
| dst | <dip> | IP Address | Endpoint IPv4 address |
| c6a3 | N/A | N/A | Endpoint IPv6 address |
| app | N/A | N/A | Entry channel |
| sourceServiceName | N/A | N/A | Source |
| destinationServiceName | N/A | N/A | Destination |
| sproc | <process> | Text/String | Process name |
| fileHash | <hash> | Text/String/Number | File SHA-1 hash |
| fname | <object> | Text/String | File name |
| request | <url> | Text/String/Number | URL |
| cs1Label | N/A | N/A | Corresponding label for the "cs1" field |
| cs1 | <threatname> | Text/String | Name of the security threat determined by Virtual Analyzer |
| cn1Label | N/A | N/A | Corresponding label for the "cn1" field |
| cn1 | <severity> | Number | Risk level. 0: No risk; 1: Low risk; 2: Medium risk; 3: High risk; 9999: Unknown |
| cs2Label | N/A | N/A | Corresponding label for the "cs2" field |
| cs2 | <subject> | Text/String | Security threat type |
| cs3Label | N/A | N/A | Corresponding label for the "cs3" field |
| cs3 | N/A | N/A | Cloud storage vendor: Google Drive, Dropbox, Box, Microsoft OneDrive, SugarSync, Hightail, Evernote, Microsoft Exchange Online, Microsoft SharePoint Online, Unknown, N/A |
| reason | <reason> | Text/String | Critical Threat Type. A: Known Advanced Persistent Threat (APT); B: Social engineering attack; C: Vulnerability attack; D: Lateral movement; E: Unknown threats; F: C&C callback; G: Ransomware |
| deviceNtDomain | N/A | N/A | Active Directory domain |
| dntdom | N/A | N/A | Apex One domain hierarchy |
| TMCMLogDetectedHost | N/A | N/A | Endpoint name where the log event occurred |
| TMCMLogDetectedIP | N/A | N/A | IP address where the log event occurred |
| ApexCentralHost | N/A | N/A | Apex Central host name |
| devicePayloadId | N/A | N/A | Unique message GUID |
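The mapping above only makes sense once the CEF line has been split correctly: the seven header fields are separated by unescaped pipes (a literal pipe is written as backslash-pipe), the extension is a run of key=value pairs whose values may contain spaces (a literal equals sign is written as backslash-equals), and the cs1/cn1/cs2 fields only acquire meaning through their csNLabel/cnNLabel companions and the cn1 and reason enumerations. The following Python is an added worked example, not Trend Micro or LogRhythm code: it parses one such line, resolves the labels, decodes cn1 and reason using the values in the table, and renames the keys to the LogRhythm schema names. The sample line, its event class ID, host names, hash, threat name and timestamp are constructed for illustration and are not vendor-documented values.

```python
import re

# Names of the seven CEF header fields, in order, as the table above labels them.
HEADER_FIELDS = ("logVer", "vendor", "pname", "pver", "eventid", "eventName", "severity")

# Device key -> LogRhythm schema field, taken from the mapping table above.
# Keys the table marks N/A are kept in the raw dictionary but not mapped.
SCHEMA_MAP = {
    "eventid": "vmid",
    "dhost": "dname",
    "dst": "dip",
    "sproc": "process",
    "fileHash": "hash",
    "fname": "object",
    "request": "url",
    "cs1": "threatname",
    "cn1": "severity",
    "cs2": "subject",
    "reason": "reason",
}

# cn1 risk levels and reason codes (Critical Threat Type) as listed in the table above.
RISK_LEVELS = {0: "No risk", 1: "Low risk", 2: "Medium risk", 3: "High risk", 9999: "Unknown"}
CRITICAL_THREAT_TYPES = {
    "A": "Known Advanced Persistent Threat (APT)",
    "B": "Social engineering attack",
    "C": "Vulnerability attack",
    "D": "Lateral movement",
    "E": "Unknown threats",
    "F": "C&C callback",
    "G": "Ransomware",
}

# An extension key is a word preceded by the start of the extension or a space and followed by '='.
_KEY_RE = re.compile(r"(?:^| )([A-Za-z0-9_.]+)=")
_ESCAPE_RE = re.compile(r"\\(.)")


def split_header(line):
    """Split the seven CEF header fields on unescaped '|'; return (fields, extension)."""
    # In the header a literal pipe is written backslash-pipe and a literal backslash is doubled.
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    fields, buf, i = [], [], len("CEF:")
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            buf.append(line[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if len(fields) < 7:
        raise ValueError("truncated CEF header")
    return fields, line[i:]


def unescape_value(value):
    # Extension values escape '=' as backslash-equals, backslash as a doubled backslash,
    # and line breaks as backslash-n / backslash-r.
    return _ESCAPE_RE.sub(lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def split_extension(ext):
    """Turn the 'key=value key=value' extension into a dict; values may contain spaces."""
    hits = list(_KEY_RE.finditer(ext))
    pairs = {}
    for n, hit in enumerate(hits):
        end = hits[n + 1].start() if n + 1 < len(hits) else len(ext)
        pairs[hit.group(1)] = unescape_value(ext[hit.end():end])
    return pairs


def parse_sandbox_event(line):
    """Return raw CEF fields, resolved csN/cnN labels, and the LogRhythm-mapped view."""
    header, ext = split_header(line)
    raw = dict(zip(HEADER_FIELDS, header))
    raw.update(split_extension(ext))

    # cs1Label/cn1Label/cs2Label name what cs1/cn1/cs2 carry; resolve them for the analyst.
    labels = {k[:-len("Label")]: v for k, v in raw.items() if k.endswith("Label")}

    mapped = {lr: raw[dev] for dev, lr in SCHEMA_MAP.items() if dev in raw}
    if "severity" in mapped:
        try:
            code = int(mapped["severity"])
        except ValueError:
            code = 9999  # treat a non-numeric cn1 as the documented "Unknown" value
        mapped["severity"] = code
        mapped["risk_level"] = RISK_LEVELS.get(code, "Unknown")
    if "reason" in mapped:
        mapped["critical_threat_type"] = CRITICAL_THREAT_TYPES.get(
            mapped["reason"], "unrecognized reason code")
    return {"raw": raw, "labels": labels, "mapped": mapped}


# Constructed sample line for illustration only: event class ID, host names, hash,
# threat name and timestamp are made up and are not vendor-documented values.
SAMPLE = (
    "CEF:0|Trend Micro|Apex Central|2019|SandboxDetection|Sandbox Detection Event|3|"
    "deviceExternalId=1 rt=Mar 20 2020 10:15:32 GMT+00:00 deviceFacility=Apex One "
    "dvchost=APEXONE-SRV dhost=WS-FINANCE-07 dst=10.1.20.37 sproc=winword.exe "
    "fileHash=da39a3ee5e6b4b0d3255bfef95601890afd80709 fname=invoice\\=Q1.docm "
    "request=http://example.invalid/payload cs1Label=Threat Name cs1=Sample.Dropper "
    "cn1Label=Risk Level cn1=3 cs2Label=Threat Type cs2=Sandbox Detection reason=G "
    "deviceNtDomain=CORP dntdom=Apex One Server\\\\Workgroup devicePayloadId=c0ffee"
)

if __name__ == "__main__":
    for key, value in parse_sandbox_event(SAMPLE)["mapped"].items():
        print(f"{key:>22}: {value!r}")
```

The parser relies on the sender honouring CEF escaping; a device that emits an unescaped pipe in a product name or an unescaped equals sign in a file name will shift every following field, so a collector should validate that exactly seven header fields were found and that cn1 decodes to a documented risk level before trusting the mapped record.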