Vendor Documentation

https://docs.trellix.com/bundle/enterprise-security-manager-data-sources-configuration-reference-guide/page/GUID-DEE7F31A-23FA-4A89-B641-C2DF422E7748.html
https://docs.logrhythm.com/docs/devices/syslog-log-sources/syslog-fireeye-ex

Log Fields and Parsing

This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.

Log FieldLogRhythm DefaultLogRhythm Default v2.0
N/A<version>N/A
N/A<vmid>N/A
N/A<severity>N/A
categoryDeviceType<subject>N/A
dst<dip><dip>
dmac<dmac><dmac>
dhost<dname>N/A
request<url>N/A
categoryOutcome<result>N/A
categorySignificance<object>N/A
cs7<action>N/A
categoryTupleDescription<command>N/A
cs4<threatname><url>
cs4<objectname>N/A
filePath<status>N/A
fileHash<hash>N/A
cs4<process>N/A
scs10<hash>N/A
cs11<threatname>N/A
N/AN/A<vendorinfo>
N/AN/A<process>
N/AN/A<severity>
N/AN/A<sip>
N/AN/A<sname>
N/AN/A<protname>
N/AN/A<dname>
N/AN/A<sport>
N/AN/A<smac>
N/AN/A<dport>
N/AN/A<subject>

Log Processing Settings

This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.

LogRhythm Default

Regex IDRule NameRule TypeCommon EventClassification
1009183HX MessagesBase RuleGeneral Firewall LogNetwork Traffic
Host Acquisition Successfully CompletedSub RuleObject OperationOther Audit Success
Host Acquisition Successfully QueuedSub RuleObject OperationOther Audit Success
Host Acquisition Successfully StartedSub RuleObject OperationOther Audit Success
IOC Hit FoundSub RuleHost CompromisedCompromise
IOC Hit Found : Not MaliciousSub RuleSuspicious ActivitySuspicious
IOC Hit Found : TOR Exit NodeSub RuleNetwork CompromisedCompromise
IOC Hit Found : TOR Exit NodeSub RuleNetwork CompromisedCompromise
IOC Hit Found : RansomwareSub RuleHost CompromisedCompromise
IOC Hit Found : Suspicious WScript UsageSub RuleHost CompromisedCompromise
IOC Hit Found : CCLEANER TrojanSub RuleHost CompromisedCompromise
IOC Hit Found : Trojan.JS.NemucodSub RuleDetected Trojan ActivityMalware
IOC Hit Found : Trojan.NakoctbSub RuleDetected Trojan ActivityMalware
IOC Hit Found : Trojan.Downloader.HancitorSub RuleDetected Trojan ActivityMalware
IOC Hit Found : Trojan.AdwindSub RuleDetected Trojan ActivityMalware
IOC Hit Found : Suspicious VBScriptSub RuleHost CompromisedCompromise
ExD Hit FoundSub RuleHost CompromisedCompromise
IOC Hit Found : TaskMgr Process Dump LSASS.EXESub RuleHost CompromisedCompromise
IOC Hit Found : Suspicious Powershell UsageSub RuleHost CompromisedCompromise
IOC Hit Found : Phishing ActivitySub RulePhishing ActivityAttack
IOC Hit Found : Mimikatz MalwareSub RuleNetwork CompromisedCompromise
IOC Hit Found : Malware.BinarySub RuleDetected Malware ActivityMalware
IOC Hit Found : MalwrSpamSub RuleDetected Malware ActivityMalware
Malware Protection Found A Compromise IndicationSub RuleDetected Malware ActivityMalware
Quarantine Task Successfully Completed, File DeletSub RuleQuarantineActivity

LogRhythm Default v2.0

Regex IDRule NameRule TypeCommon EventClassification
1012551V 2.0 : FireEye MPS EventsBase RuleFireEye NotificationOperations : Other Operations