Mappings: FireEye CMS DM
| Input | Value |
|---|---|
| Vendor | FireEye |
| Product | CMS |
| Log Format | CEF |
| Event ID Regex Pattern | DM |
| Output | Value |
|---|---|
| Vendor | FireEye |
| Product | Central Management System |
| Record Type | NetworkDNS |
| Cloud SIEM Schema Field | Original Record Key | Notes |
|---|---|---|
| description | None | The static text CMS Domain Match is populated in this schema field. |
| device_ip | src | |
| dns_queryDomain | cs5 | |
| dstDevice_ip | dst | |
| dstDevice_mac | dmac | |
| ipProtocol | proto | |
| normalizedSeverity | None | The static text 3 is populated in this schema field. |
| srcDevice_hostname | shost | |
| srcDevice_ip | src | |
| srcDevice_mac | smac | |
| srcPort | spt | |
| threat_name | sname | |
| threat_referenceUrl | cs4 | |
| threat_ruleType | None | The static text direct is populated in this schema field. |
| threat_signalName | sname | |
| timestamp | rt | We expect the orginal record value of rt is in the format MMM dd yyyy HH:mm:ss zzz |