Web Reputation Event

Vendor Documentation

Classification

| Rule Name | Rule Type | Classification | Common Event |
| --- | --- | --- | --- |
| Web Reputation Event | Base Rule | Activity | General Threat Message |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
| --- | --- | --- | --- |
| Header (logVer) | N/A | N/A | CEF format version |
| Header (vendor) | N/A | N/A | Appliance vendor |
| Header (pname) | N/A | N/A | Appliance product |
| Header (pver) | N/A | N/A | Appliance version |
| Header (eventid) | N/A | N/A | Signature ID |
| Header (eventName) | `<vendorinfo>` | Text/String | Description |
| Header (severity) | `<severity>` | Number | Severity |
| app | `<protname>` | Text/String | Protocol |
| c6a1 | `<snatip>` | IP | Interested IPv6 |
| c6a1Label | N/A | N/A | Interested IPv6 label |
| c6a2 | `<sip>` | IP | Source IPv6 address |
| c6a2Label | N/A | N/A | Source IPv6 address label |
| c6a3 | `<dip>` | IP | Destination IPv6 address |
| c6a3Label | N/A | N/A | Destination IPv6 address label |
| c6a4 | `<dnatip>` | IP | Peer IPv6 address |
| c6a4Label | N/A | N/A | Peer IPv6 address label |
| cn1 | N/A | N/A | CCCA detection |
| cn1Label | N/A | N/A | CCCA detection label |
| cn2 | N/A | N/A | Score |
| cn2Label | N/A | N/A | Score label |
| cn3 | N/A | N/A | Threat type |
| cn3Label | N/A | N/A | Threat type label |
| cs1 | N/A | N/A | Mail subject |
| cs1Label | N/A | N/A | Mail subject label |
| cs2 | `<subject>` | Text/String | Category |
| cs2Label | N/A | N/A | Category label |
| cs3 | N/A | N/A | Host name |
| cs3Label | N/A | N/A | Host name label |
| cs4 | `<threatname>` | Text/String | Attack Phase |
| cs4Label | N/A | N/A | Attack Phase label |
| destinationTranslatedAddress | `<dnatip>` | IP | Peer IP |
| deviceDirection | N/A | N/A | Packet direction |
| deviceExternalId | N/A | N/A | Appliance GUID |
| devicePayloadId | N/A | N/A | An extendable field. Format: {threat_type}:{log_id}:{with pcap file captured}:{extensions}* |
| dhost | `<dname>` | IP | Destination host name |
| dmac | `<dmac>` | Text/String | Destination MAC |
| dpt | `<dport>` | Number | Destination port |
| dst | `<dip>` | IP | Destination IP address |
| duser | `<recipient>` | Text/String | Mail recipient |
| dvc | N/A | N/A | Appliance IP address |
| dvchost | N/A | N/A | Appliance host name |
| dvcmac | N/A | N/A | Appliance MAC address |
| flexNumber1 | N/A | N/A | vLANId |
| flexNumber1Label | N/A | N/A | vLANId label |
| requestClientApplication | `<useragent>` | Text/String | User agent |
| request | `<url>` | Text/String | URL |
| rt | N/A | N/A | Log generation time. Format: Unix time stamp (number of milliseconds since Jan 01 1970 UTC) |
| shost | `<sname>` | IP | Source host name |
| smac | `<smac>` | Text/String | Source MAC |
| sourceTranslatedAddress | `<snatip>` | IP | Interested IP |
| src | `<sip>` | IP | Source IP address |
| spt | `<sport>` | Number | Source port |
| suser | `<sender>` | Text/String | Mail sender |
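The following is an added example, not LogRhythm's or the appliance vendor's code: it parses one CEF Web Reputation Event, applies the device-key to LogRhythm-schema mapping from the table, resolves the custom `cn`/`cs` fields through their `...Label` keys, converts `rt` from epoch milliseconds, and splits `devicePayloadId` according to the stated format. The sample event, vendor and product names, hosts and addresses are all constructed placeholders.

```python
import re
from datetime import datetime, timezone

# Device key -> LogRhythm schema field, copied from the mapping table above.
# Keys the table maps to N/A are deliberately absent from this dictionary.
CEF_TO_LOGRHYTHM = {
    "app": "protname", "c6a1": "snatip", "c6a2": "sip", "c6a3": "dip",
    "c6a4": "dnatip", "cs2": "subject", "cs4": "threatname",
    "destinationTranslatedAddress": "dnatip", "dhost": "dname", "dmac": "dmac",
    "dpt": "dport", "dst": "dip", "duser": "recipient", "request": "url",
    "requestClientApplication": "useragent", "shost": "sname", "smac": "smac",
    "sourceTranslatedAddress": "snatip", "src": "sip", "spt": "sport", "suser": "sender",
}
HEADER = ("logVer", "vendor", "pname", "pver", "eventid", "eventName", "severity")

# Constructed sample event: vendor, product, hosts and addresses are placeholders.
SAMPLE = (
    "CEF:0|ExampleVendor|ExampleAppliance|1.0|100|Web Reputation Event|6|"
    "rt=1700000000000 src=192.0.2.5 spt=51324 dst=203.0.113.10 dpt=443 "
    "dhost=bad.example request=http://bad.example/path "
    "requestClientApplication=curl/8.0 cn2=49 cn2Label=Score "
    "cs2=Malicious Sites cs2Label=Category cs4=Command and Control "
    "cs4Label=Attack Phase devicePayloadId=2:31337:1:ext1"
)

def parse_cef(line):
    """Split one CEF line into its seven header fields plus the extension keys."""
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)  # honour escaped pipes
    fields = dict(zip(HEADER, parts[:7]))
    # Extension values may contain spaces, so split only just before a key=.
    for item in re.split(r" (?=[A-Za-z0-9_]+=)", parts[7]):
        key, _, value = item.partition("=")
        fields[key] = value
    return fields

def to_logrhythm(fields):
    """Rename device keys per the table and decode the two formatted fields."""
    out = {}
    for key, value in fields.items():
        if key.endswith("Label"):
            continue
        # Custom fields the table leaves at N/A keep their CEF label as the name.
        out[CEF_TO_LOGRHYTHM.get(key, fields.get(key + "Label", key))] = value
    if "rt" in out:  # milliseconds since the Unix epoch, per the rt row
        out["rt"] = datetime.fromtimestamp(int(out["rt"]) / 1000, tz=timezone.utc)
    if "devicePayloadId" in out:  # {threat_type}:{log_id}:{pcap}:{extensions}*
        threat, log_id, pcap, *ext = out["devicePayloadId"].split(":")
        out["devicePayloadId"] = {"threat_type": threat, "log_id": log_id,
                                  "pcap_captured": pcap == "1", "extensions": ext}
    return out
```

Fields that two device keys map to the same schema name (for example `src` and `c6a2` both feed `<sip>`) overwrite each other in dictionary order, which mirrors the ambiguity in the table itself.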