Anti Malware
Vendor Documentation
Classification
| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| Anti Malware | Base Rule | General Threat Protection Event | Activity |
| Anti-Malware : Traffic Rejected | Sub Rule | Threat Blocked | Failed Activity |
| Anti-Malware : Control Traffic | Sub Rule | General Threat Message | Activity |
| Anti-Malware : Traffic Dropped | Sub Rule | Threat Blocked | Failed Activity |
| Anti-Malware : Traffic Allowed | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| Anti-Malware : Traffic Blocked | Sub Rule | Threat Blocked | Failed Activity |
| Anti-Malware : Activity Detected | Sub Rule | Possible Malware Activity | Malware |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type |
|---|---|---|
| Product | <version> | Number/Text |
| Origin | <sender> | Number/Text |
| Action | <action> | Number/Text |
| Action | <tag1> | Number/Text |
| SIP | <sip> | Number/Text |
| SPort | <sport> | Number |
| DIP | <dip> | Number |
| DPort | <dport> | Number |
| src_machine_name | <sname> | Number/Text |
| protocol | <protname> | Number/Text |
| ifname | <sinterface> | Number/Text |
| ifdirection | <tag2> | Number/Text |
| User | <login> | Number/Text |
| src_user_name | <login> | Number/Text |
| Url | <url> | Number/Text |
| web_client_type | <useragent> | Number/Text |
| sent_bytes | <bytesout> | Number |
| received_bytes | <bytesin> | Number |
| session_id | <session> | Number/Text |
| malware_family | <objecttype> | Number/Text |
| Confidence_Level | <amount> | Number |
| severity | <severity> | Number |
| malware_action | <vendorinfo> | Number/Text |
| rule_name | <command> | Number/Text |
| Protection_Name | <threatname> | Number/Text |
| Protection_Name | <object> | Number/Text |
| status | <status> | Number/Text |
| Dst_DNS_Host | <dname> | Number/Text |
| description | <subject> | Number/Text |
| Reason | <reason> | Number/Text |
| Attack | <threatname> | Number/Text |
| Virus_Name | <threatname> | Number/Text |
| short_desc | <vmid> | Number/Text |