V 2.0 : Suspicious File Event

Vendor Documentation

Classification

| Rule Name | Rule Type | Classification | Common Event |
| --- | --- | --- | --- |
| V 2.0 : Suspicious File Event | Base Rule | Suspicious | Suspicious Activity |
| V 2.0 : Suspicious File : Log | Sub Rule | Suspicious | Suspicious Activity |
| V 2.0 : Suspicious File : Block | Sub Rule | Failed Suspicious | Failed Suspicious Activity |
| V 2.0 : Suspicious File : Quarantine | Sub Rule | Activity | Quarantine |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
| --- | --- | --- | --- |
| Header (logVer) | N/A | N/A | CEF format version |
| Header (vendor) | N/A | N/A | Appliance vendor |
| Header (pname) | N/A | N/A | Appliance product |
| Header (pver) | N/A | N/A | Appliance version |
| Header (eventid) | N/A | N/A | FH:Action |
| Header (eventName) | <vmid> | Text/String | Name |
| Header (severity) | <severity> | Number | Severity |
| deviceExternalId | N/A | N/A | ID |
| rt | N/A | N/A | Detection time |
| cat | N/A | N/A | Log type |
| deviceFacility | N/A | N/A | Product name |
| cn1Label | N/A | N/A | Corresponding label for the "cn1" field |
| cn1 | <version> | Number | Product version |
| dst | <dip> | IP Address | Endpoint IPv4 address |
| dhost | <dname> | Text/String/Number | Endpoint host name |
| cs2Label | N/A | N/A | Corresponding label for the "cs2" field |
| cs2 | <objecttype> | Text/String | File type |
| fileHash | <hash> | Text/String/Number | File SHA-1 |
| cs3Label | N/A | N/A | Corresponding label for the "cs3" field |
| cs3 | <object> | Text/String/Number | File path |
| cn2Label | N/A | N/A | Corresponding label for the "cn2" field |
| cn2 | N/A | N/A | 0: Sandbox; 1: User-defined |
| act | <action>, <tag1> | Text/String | 1: Log; 2: Block; 3: Quarantine |
| cn3Label | N/A | N/A | Corresponding label for the "cn3" field |
| cn3 | N/A | N/A | 1: Scheduled scan; 2: Manual scan; 3: Scan now; 4: Real-time scan |
| reason | <reason> | Text/String | Critical Threat Type: A: Known Advanced Persistent Threat (APT); B: Social engineering attack; C: Vulnerability attack; D: Lateral movement; E: Unknown threats; F: C&C callback; G: Ransomware |
| deviceNtDomain | N/A | N/A | Active Directory domain |
| dntdom | N/A | N/A | Apex One domain hierarchy |
| TMCMLogDetectedHost | N/A | N/A | Endpoint name where the log event occurred |
| TMCMLogDetectedIP | N/A | N/A | IP address where the log event occurred |
| ApexCentralHost | N/A | N/A | Apex Central host name |
| devicePayloadId | N/A | N/A | Unique message GUID |
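As an added example (not LogRhythm's or Trend Micro's own code), the following parses a CEF record of this event type, pairs each cnNLabel/csNLabel with its cnN/csN value, maps the keys onto the schema fields named in the table, and selects the sub rule and classification from the act code. The sample record is constructed, standard CEF escaping (\| in the header, \= and \\ in the extension) is assumed, and feeding the decoded act name into <tag1> is an assumption about how the two schema fields are filled.

```python
import re

# Code-to-meaning lookups transcribed from the mapping table on this page.
ACTION = {"1": "Log", "2": "Block", "3": "Quarantine"}
CLASSIFICATION = {"Log": "Suspicious", "Block": "Failed Suspicious", "Quarantine": "Activity"}
CN2 = {"0": "Sandbox", "1": "User-defined"}
CN3 = {"1": "Scheduled scan", "2": "Manual scan", "3": "Scan now", "4": "Real-time scan"}
REASON = {"A": "Known Advanced Persistent Threat (APT)", "B": "Social engineering attack",
          "C": "Vulnerability attack", "D": "Lateral movement", "E": "Unknown threats",
          "F": "C&C callback", "G": "Ransomware"}
HEADER = ["logVer", "vendor", "pname", "pver", "eventid", "eventName", "severity"]

def parse_cef(line):
    """Split one CEF record into its seven header fields and its key=value extension."""
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)   # a literal pipe is escaped as \|
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    hdr = {k: re.sub(r"\\([\\|])", r"\1", v) for k, v in zip(HEADER, parts[:7])}
    hdr["logVer"] = hdr["logVer"][4:]                    # drop the "CEF:" prefix
    # Extension values may contain spaces, so a value ends only where the next key= begins;
    # '\=' and '\\' inside a value are unescaped in a single pass.
    ext = {m.group(1): re.sub(r"\\([\\=])", r"\1", m.group(2))
           for m in re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", parts[7])}
    return hdr, ext

def normalize(hdr, ext):
    """Map a parsed record onto the LogRhythm schema fields named in the table."""
    # cnNLabel/csNLabel carry the meaning of the paired cnN/csN value; pair them up.
    labels = {ext[k]: ext[k[:-5]] for k in ext if k.endswith("Label") and k[:-5] in ext}
    action = ACTION[ext["act"]]
    return {
        "vmid": hdr["eventName"], "severity": int(hdr["severity"]),
        "version": ext.get("cn1"), "dip": ext.get("dst"), "dname": ext.get("dhost"),
        "objecttype": ext.get("cs2"), "hash": ext.get("fileHash"), "object": ext.get("cs3"),
        "action": ext["act"], "tag1": action,      # assumption: act feeds both fields
        "rule": f"V 2.0 : Suspicious File : {action}",
        "classification": CLASSIFICATION[action],
        "source": CN2.get(ext.get("cn2")), "scan": CN3.get(ext.get("cn3")),
        "reason": REASON.get(ext.get("reason")), "labels": labels,
    }

# Constructed sample record (not a real Apex Central log); the hash is SHA-1 of the empty string.
SAMPLE = ("CEF:0|Trend Micro|Apex Central|2019|FH:Action|Suspicious File|3|"
          "deviceExternalId=12 rt=Mar 10 2020 10:15:02 cat=1703 deviceFacility=Apex One "
          "cn1Label=Version cn1=14 dst=10.0.0.25 dhost=WS-0042 cs2Label=FileType cs2=EXE "
          "fileHash=da39a3ee5e6b4b0d3255bfef95601890afd80709 cs3Label=FilePath "
          "cs3=C:\\\\Users\\\\demo\\\\dl\\\\tool\\=x.exe cn2Label=Source cn2=0 act=3 "
          "cn3Label=ScanType cn3=4 reason=G deviceNtDomain=CORP dntdom=Workgroup")

if __name__ == "__main__":
    print(normalize(*parse_cef(SAMPLE)))
```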