Vendor Documentation
Classification
|
Rule Name |
Rule Type |
Classification |
Common Event |
|---|---|---|---|
|
Catch-All |
Base Rule |
Information |
General Information Log Message |
|
EVID 1150 : Service In Healthy State |
Sub Rule |
Information |
General Health Monitor Information |
|
EVID 1151 : Service Health Report |
Sub Rule |
Information |
General Health Monitor Information |
|
EVID 2000 : Malware Signatures Updated |
Sub Rule |
Information |
Update Successful |
|
EVID 2001 : Malware Signature Update Failed |
Sub Rule |
Error |
Update Failed |
|
EVID 2002 : Malware Engine Updated |
Sub Rule |
Information |
Update Successful |
|
EVID 2003 : Malware Engine Update Failed |
Sub Rule |
Error |
Update Failed |
|
EVID 2004 : Malware Signature Reverted |
Sub Rule |
Information |
General System Information |
|
EVID 2005 : Malware Platform Out Of Date |
Sub Rule |
Warning |
General System Warning |
|
EVID 2006 : Malware Platform Update Failed |
Sub Rule |
Error |
Update Failed |
|
EVID 2007 : Malware Platform Soon ToBe Out Of Date |
Sub Rule |
Warning |
General System Warning |
|
EVID 2010 : Malware Signatures Updated |
Sub Rule |
Information |
Update Successful |
|
EVID 2011 : Obsolete Malware Signatures Deleted |
Sub Rule |
Information |
General System Information |
|
EVID 2012 : Malware Signature Update Failed |
Sub Rule |
Error |
Update Failed |
|
EVID 2013 : Dynamic Malware Signatures Deleted |
Sub Rule |
Information |
General System Information |
|
EVID 2020 : Malware Engine Downloaded Clean File |
Sub Rule |
Information |
Update Successful |
|
EVID 2021 : Malw. Eng. Fail To Download Clean File |
Sub Rule |
Error |
Update Failed |
|
EVID 2030 : Offline Scan Installed |
Sub Rule |
Information |
Install Successful |
|
EVID 2031 : Offline Scan Installation Failed |
Sub Rule |
Warning |
Software Installation Failed |
|
EVID 2040 : Support For OS Expiring |
Sub Rule |
Warning |
General System Warning |
|
EVID 2041 : Support For OS Ended |
Sub Rule |
Critical |
General System Critical |
|
EVID 2042 : Support For OS Ended |
Sub Rule |
Critical |
General System Critical |
|
EVID 5008 : Malware Protection Engine Failure |
Sub Rule |
Error |
General WinDefend Error |
|
EVID 5009 : Malware Protection Antispyware Enabled |
Sub Rule |
Configuration |
Configuration Enabled : Security |
|
EVID 5010 : Malware Protection Antispyware Disable |
Sub Rule |
Configuration |
Configuration Disabled : Security |
|
EVID 5011 : Malware Protection Antivirus Enabled |
Sub Rule |
Configuration |
Configuration Enabled : Security |
|
EVID 5012 : Malware Protection Antivirus Disabled |
Sub Rule |
Configuration |
Configuration Disabled : Security |
|
EVID 5100 :Antimalware Platform Expiration Warning |
Sub Rule |
Warning |
License Period Will Expire Soon |
|
EVID 5101 : Antimalware Platform Expired |
Sub Rule |
Critical |
License Expired |
Mapping with LogRhythm Schema
|
Device Key in Log Message |
LogRhythm Schema |
Data Type |
Schema Description |
|
Provider |
N/A |
N/A |
Identifies the provider that logged the event. The Name and Guid attributes are included if the provider used an instrumentation manifest to define its events; otherwise, the EventSourceName attribute is included if a legacy event provider (using the Event Logging API) logged the event. |
|
EventID |
<vmid> |
Number |
The identifier that the provider used to identify the event. |
|
Version |
N/A |
N/A |
The version number of the event's definition. |
|
Level |
<severity> |
Text/String |
The severity level defined in the event. |
|
Task |
N/A |
N/A |
The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. |
|
Opcode |
N/A |
N/A |
The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. |
|
Keywords |
N/A |
N/A |
A bitmask of the keywords defined in the event. Keywords are used to classify types of events (for example, events associated with reading data). |
|
TimeCreated |
N/A |
N/A |
The time stamp that identifies when the event was logged. The time stamp includes either the SystemTime attribute or the RawTime attribute. |
|
EventRecordID |
N/A |
N/A |
The record number assigned to the event when it was logged. |
|
Correlation |
N/A |
N/A |
The activity identifiers that consumers can use to group related events together. |
|
Execution |
N/A |
N/A |
Contains information about the process and thread that logged the event. |
|
Channel |
N/A |
N/A |
The channel to which the event was logged. |
|
Computer |
<dname> |
Text/String |
The name of the computer on which the event occurred. |
|
Security |
N/A |
N/A |
N/A |