V 2.0 : Suspicious File Event
Vendor Documentation
Classification
Rule Name | Rule Type | Classification | Common Event |
|---|---|---|---|
| V 2.0 : Suspicious File Event | Base Rule | Suspicious | Suspicious Activity |
| V 2.0 : Suspicious File : Log | Sub Rule | Suspicious | Suspicious Activity |
| V 2.0 : Suspicious File : Block | Sub Rule | Failed Suspicious | Failed Suspicious Activity |
| V 2.0 : Suspicious File : Quarantine | Sub Rule | Activity | Quarantine |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Header (logVer) | N/A | N/A | CEF format version |
| Header (vendor) | N/A | N/A | Appliance vendor |
| Header (pname) | N/A | N/A | Appliance product |
| Header (pver) | N/A | N/A | Appliance version |
| Header (eventid) | N/A | N/A | FH:Action |
| Header (eventName) | <vmid> | Text/String | Name |
| Header (severity) | <severity> | Number | Severity |
| deviceExternalId | N/A | N/A | ID |
| rt | N/A | N/A | Detection time |
| cat | N/A | N/A | Log type |
| deviceFacility | N/A | N/A | Product name |
| cn1Label | N/A | N/A | Corresponding label for the "cn1" field |
| cn1 | <version> | Number | Product version |
| dst | <dip> | IP Address | Endpoint IPv4 address |
| dhost | <dname> | Text/String/Number | Endpoint host name |
| cs2Label | N/A | N/A | Corresponding label for the "cs2" field |
| cs2 | <objecttype> | Text/String | File type |
| fileHash | <hash> | Text/String/Number | File SHA-1 |
| cs3Label | N/A | N/A | Corresponding label for the "cs3" field |
| cs3 | <object> | Text/String/Number | File path |
| cn2Label | N/A | Corresponding label for the "cn2" field | |
| cn2 | N/A | N/A | 0: Sandbox 1: User-defined |
| act | <action> <tag1> | Text/String | 1: Log 2: Block 3: Quarantine |
| cn3Label | N/A | N/A | Corresponding label for the "cn3" field |
| cn3 | N/A | N/A | 1: Scheduled scan 2: Manual scan 3: Scan now 4: Real-time scan |
| reason | <reason> | Text/String | Critical Threat Type A: Known Advanced Persistent Threat (APT) B: Social engineering attack C: Vulnerability attack D: Lateral movement E: Unknown threats F: C&C callback G: Ransomware |
| deviceNtDomain | N/A | N/A | Active Directory domain |
| dntdom | N/A | N/A | Apex One domain hierarchy |
| TMCMLogDetectedHost | N/A | N/A | Endpoint name where the log event occurred |
| TMCMLogDetectedIP | N/A | N/A | IP address where the log event occurred |
| ApexCentralHost | N/A | N/A | Apex Central host name |
| devicePayloadId | N/A | N/A | Unique message GUID |