Vendor Documentation

Log Fields and Parsing

This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.

Log FieldLogRhythm DefaultLogRhythm Default v2.0
N/A<version>N/A
N/A<vmid>N/A
N/A<severity>N/A
src<sip><sip>
proto<protname><protname>
dvchost<dname><dname>
spt<sport><sport>
cs4<url><url>
smac<smac><smac>
act<vendorinfo>N/A
dmac<dmac><dmac>
cs1<threatname><subject>
cs1<subject>N/A
dst<dip><dip>
dpt<dport><dport>
fileHash<hash>N/A
cs6<useragent>N/A
shost<sname><sname>
N/AN/A<vendorinfo>
N/AN/A<process>
N/AN/A<severity>

Log Processing Settings

This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.

LogRhythm Default

Regex IDRule NameRule TypeCommon EventClassification
1009290CMS Messages - DeprecatedBase RuleDetected Malware ActivityMalware
Infection MatchSub RuleDetected Virus ActivityMalware
Web InfectionSub RuleDetected Virus ActivityMalware
Infected BinarySub RuleDetected Virus ActivityMalware
Malware CallbackSub RuleDetected Malware ActivityMalware
Malware ObjectSub RuleDetected Malware ActivityMalware
Unauthorized DomainSub RuleUnauthorized WebsiteMisuse

LogRhythm Default v2.0

Regex IDRule NameRule TypeCommon EventClassification
1012551V 2.0 : FireEye MPS EventsBase RuleFireEye NotificationOperations : Other Operations