Skip to main content
Skip table of contents

V 2.0 : Suspicious File Event

Vendor Documentation


Rule Name

Rule Type


Common Event

V 2.0 : Suspicious File EventBase RuleSuspiciousSuspicious Activity
V 2.0 : Suspicious File : LogSub RuleSuspiciousSuspicious Activity
V 2.0 : Suspicious File : BlockSub RuleFailed SuspiciousFailed Suspicious Activity
V 2.0 : Suspicious File : QuarantineSub RuleActivityQuarantine

Mapping with LogRhythm Schema

Device Key in Log MessageLogRhythm SchemaData TypeSchema Description
Header (logVer)N/AN/ACEF format version
Header (vendor)N/AN/AAppliance vendor
Header (pname)N/AN/AAppliance product
Header (pver)N/AN/AAppliance version
Header (eventid) N/AN/AFH:Action
Header (eventName)<vmid>Text/StringName
Header (severity)<severity>NumberSeverity
rtN/AN/ADetection time
catN/AN/ALog type
deviceFacilityN/AN/AProduct name
cn1LabelN/AN/ACorresponding label for the "cn1" field
cn1<version>NumberProduct version
dst<dip>IP AddressEndpoint IPv4 address
dhost<dname>Text/String/NumberEndpoint host name
cs2LabelN/AN/ACorresponding label for the "cs2" field
cs2<objecttype>Text/StringFile type
fileHash<hash>Text/String/NumberFile SHA-1
cs3LabelN/AN/ACorresponding label for the "cs3" field
cs3<object>Text/String/NumberFile path
Corresponding label for the "cn2" field
0: Sandbox
1: User-defined
Text/String1: Log
2: Block
3: Quarantine
cn3LabelN/AN/ACorresponding label for the "cn3" field
cn3N/AN/A1: Scheduled scan
2: Manual scan
3: Scan now
4: Real-time scan
reason<reason>Text/StringCritical Threat Type
A: Known Advanced Persistent Threat (APT)
B: Social engineering attack
C: Vulnerability attack
D: Lateral movement
E: Unknown threats
F: C&C callback
G: Ransomware
deviceNtDomainN/AN/AActive Directory domain
dntdomN/AN/AApex One domain hierarchy
TMCMLogDetectedHostN/AN/AEndpoint name where the log event occurred
TMCMLogDetectedIPN/AN/AIP address where the log event occurred
ApexCentralHostN/AN/AApex Central host name
devicePayloadIdN/AN/AUnique message GUID
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.