LSO FortiGate - UTM : Virus
Vendor Documentation
Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
Log Field | LogRhythm Default | LogRhythm Default v2.0 |
---|---|---|
Header: Severity | <severity> | N/A |
date | N/A | N/A |
time | N/A | N/A |
logid | <vmid> | <vmid> |
type | N/A | <vendorinfo> |
subtype | N/A | N/A |
eventtype | <status> | N/A |
level | N/A | <severity> |
vd | N/A | <sessiontype> |
eventtime | N/A | N/A |
msg | <subject> | <subject> |
action | <action> | <action> |
service | <protname> | <protname> |
sessionid | <session> | <session> |
srcip | <sip> | <sip> |
dstip | <dip> | <dip> |
srcport | <sport> | <sport> |
dstport | <dport> | <dport> |
srcintf | <sinterface> | <sinterface> |
srcintfrole | N/A | N/A |
dstintf | <dinterface> | <dinterface> |
dstintfrole | N/A | N/A |
policyid | N/A | <policy> |
proto | <protnum> | <protnum> |
direction | N/A | N/A |
filename | <object> | <object> |
fsaverdict | N/A | <result> |
quarskip | <vendorinfo> | <status> |
virus | <threatname> | <threatname> |
dtype | <objecttype> | N/A |
filetype | <objectname> | N/A |
ref | N/A | N/A |
virusid | N/A | <threatid> |
url | <url> | <url> |
profile | <policy> | N/A |
agent | <useragent> | <useragent> |
analyticscksum | <hash> | N/A |
analyticssubmit | N/A | N/A |
crscore | N/A | N/A |
craction | N/A | N/A |
crlevel | N/A | N/A |
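As an added illustration of the mapping above (example code, not LogRhythm's or Fortinet's own parser), the following tokenizes a FortiGate key=value log line, including double-quoted values that contain spaces or escaped quotes, and renames the fields per the LogRhythm Default v2.0 column; fields the table marks N/A are dropped. The sample line is constructed and its values are placeholders.

```python
import re

# FortiGate field -> LogRhythm Default v2.0 metadata name, from the table above.
# Fields the table lists as N/A (date, time, subtype, eventtype, direction, ...) are omitted.
V2_FIELD_MAP = {
    "logid": "vmid", "type": "vendorinfo", "level": "severity", "vd": "sessiontype",
    "msg": "subject", "action": "action", "service": "protname", "sessionid": "session",
    "srcip": "sip", "dstip": "dip", "srcport": "sport", "dstport": "dport",
    "srcintf": "sinterface", "dstintf": "dinterface", "policyid": "policy",
    "proto": "protnum", "filename": "object", "fsaverdict": "result",
    "quarskip": "status", "virus": "threatname", "virusid": "threatid",
    "url": "url", "agent": "useragent",
}

# key=value tokens; a value is either a double-quoted string (backslash escapes allowed)
# or a run of non-whitespace characters.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_fortigate_kv(line: str) -> dict:
    """Split one FortiGate log line into a dict, stripping an optional syslog <PRI> header."""
    line = re.sub(r"^<\d{1,3}>", "", line.strip())
    fields = {}
    for key, raw in _KV_RE.findall(line):
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1].replace('\\"', '"')  # unquote and unescape embedded quotes
        fields[key] = raw
    return fields


def to_logrhythm_v2(line: str) -> dict:
    """Return only the fields the v2.0 policy parses, keyed by their LogRhythm names."""
    mapped = {}
    for key, value in parse_fortigate_kv(line).items():
        if key in V2_FIELD_MAP:
            mapped[V2_FIELD_MAP[key]] = value
    return mapped


# Constructed sample line (not a real capture); the PRI value and all fields are placeholders.
SAMPLE = ('<132>date=2024-01-15 time=10:22:31 logid="0211008192" type="utm" subtype="virus" '
          'eventtype="infected" level="warning" vd="root" msg="File is infected." '
          'action="blocked" service="HTTP" sessionid=12345 srcip=10.0.0.5 dstip=203.0.113.10 '
          'srcport=51234 dstport=80 srcintf="port1" dstintf="port2" policyid=7 proto=6 '
          'direction="incoming" filename="invoice \\"final\\".exe" quarskip="No-skip" '
          'virus="EICAR_TEST_FILE" dtype="Virus" virusid=2172 url="http://example.com/x.exe" '
          'agent="curl/8.0"')

if __name__ == "__main__":
    for name, value in to_logrhythm_v2(SAMPLE).items():
        print(f"{name:<12} {value}")
```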
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
| Regex ID | Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|---|
| 1010168 | UTM: Virus | Base Rule | General Virus Filename Information | Information |
| | Virus Infect Warning | Sub Rule | General Virus Infected Warning | Warning |
| | Malware Traffic Allowed By AntiVirus | Sub Rule | General Virus Infected Notice | Information |
| | MIME Header Detected To Have A Virus And Blocked | Sub Rule | Detected Malware Activity | Malware |
| | MIME Header Infected And Passed | Sub Rule | MIME Intercepted | Activity |
| | File Is An Executable | Sub Rule | HTTP Executable Transfer | Activity |
| | File Is An Executable | Sub Rule | HTTP Executable Transfer | Activity |
| | FortiGate Unit Blocked A File | Sub Rule | Blocked Message | Failed Activity |
| | FortiGate Unit Blocked A File | Sub Rule | Blocked Message | Failed Activity |
| | FortiGate Unit Blocked A File | Sub Rule | Blocked Message | Failed Activity |
| | FortiGate Unit Blocked A File | Sub Rule | Blocked Message | Failed Activity |
| | FortiGate Unit Blocked A Virus Command | Sub Rule | Unknown Command | Other Security |
| | FortiGate Unit Intercepted A File Containing Virus | Sub Rule | File Intercepted | Activity |
| | FortiGate Unit Intercepted A File (MIME) | Sub Rule | File Intercepted | Activity |
| | File Exempted | Sub Rule | File Exempted | Information |
| | File Exempted | Sub Rule | File Exempted | Information |
| | MMS Content Checksum Blocked An Infected File | Sub Rule | Checksum Warning | Warning |
| | MMS Content Checksum Was Matched | Sub Rule | General Checksum Information | Information |
| | Defined File Size Limit Was Exceeded | Sub Rule | Limit Exceeded | Warning |
| | File Size Limit Was Exceeded | Sub Rule | Limit Exceeded | Warning |
| | File (MIME) Size Exceed The Defined Size Limit | Sub Rule | Limit Exceeded | Warning |
| | File (MIME) Size Exceed The Defined Size Limit | Sub Rule | Limit Exceeded | Warning |
| | Switching Protocols Request | Sub Rule | Protocol Change Requested | Information |
| | Switching Protocols Request | Sub Rule | Protocol Change Requested | Information |
| | File Reached The Uncompressed Nested Limit | Sub Rule | Limit Exceeded | Warning |
| | File Reached The Uncompressed Nested Limit | Sub Rule | Limit Exceeded | Warning |
| | Archived File Is Corrupted | Sub Rule | Data Corrupt | Warning |
| | Archived File Is Encrypted | Sub Rule | Encrypted Files Detected | Activity |
| | Corrupted Archive | Sub Rule | Data Corrupt | Warning |
| | Corrupted Archive | Sub Rule | Data Corrupt | Warning |
| | File Is A Multipart Archive | Sub Rule | Archive Message | Information |
| | File Is A Multipart Archive | Sub Rule | Archive Message | Information |
| | File Is A Nested Archived File | Sub Rule | Archive Message | Information |
| | File Is An Archived Type Unhandled | Sub Rule | Archive Message | Information |
| | Archived File Is Oversized | Sub Rule | Limit Exceeded | Warning |
| | Archived File Is Oversized | Sub Rule | Limit Exceeded | Warning |
| | Unhandled Archive | Sub Rule | Object Not Archived | Warning |
| | Unhandled Archive | Sub Rule | Archive Message | Information |
| | AV Engine Load Failed | Sub Rule | Onload Failure | Error |
| | Partially Corrupted Archive | Sub Rule | Data Corrupt | Warning |
| | Partially Corrupted Archive | Sub Rule | Data Corrupt | Warning |
| | Exceeded Archive Files Limit | Sub Rule | Limit Exceeded | Warning |
| | Exceeded Archive Files Limit | Sub Rule | File Size Exceeds Limit | Activity |
| | Archive Scan Timeout | Sub Rule | Timeout | Warning |
| | Archive Scan Timeout | Sub Rule | Timeout | Warning |
| | File Submitted To Sandbox | Sub Rule | File Monitoring Event - Permissions | Access Success |
| | File Reported Infected | Sub Rule | General Virus Infected Warning | Warning |
| | File Reported Infected | Sub Rule | General Virus Infected | Information |
| | File Reported Infected | Sub Rule | General Virus Infected Warning | Warning |
| | File Reported Infected | Sub Rule | General Virus Infected | Information |
| | File Verdict Returned | Sub Rule | Results Returned | Information |
| | Active Content Detected By Content Disarm Engine | Sub Rule | General WebFilter Content | Information |
| | File Was Disarmed By Content Disarm Engine | Sub Rule | File Unavailable | Warning |
| | Botnet C&C Communication | Sub Rule | InterProcessor Communication Warning | Warning |
| | Botnet C&C Communication | Sub Rule | Interprocess Communication | Information |
LogRhythm Default v2.0
| Regex ID | Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|---|
| 1013186 | V 2.0: UTM: Antivirus | Base Rule | General Antivirus Information | Information |
| | V 2.0: Infected File Blocked | Sub Rule | Threat Blocked | Failed Activity |
| | V 2.0: Infected File Detected | Sub Rule | General Virus Infected Notice | Information |
| | V 2.0: MIME Header Detected To Have A Virus&Block | Sub Rule | Detected Malware Activity | Malware |
| | V 2.0: MIME Header Infected And Passed | Sub Rule | MIME Intercepted | Activity |
| | V 2.0: File Is An Executable | Sub Rule | HTTP Executable Transfer | Activity |
| | V 2.0: File Is An Executable | Sub Rule | HTTP Executable Transfer | Activity |
| | V 2.0: FortiGate Unit Blocked A File | Sub Rule | Blocked Message | Failed Activity |
| | V 2.0: FortiGate Unit Blocked A File | Sub Rule | Blocked Message | Failed Activity |
| | V 2.0: FortiGate Unit Blocked A File | Sub Rule | Blocked Message | Failed Activity |
| | V 2.0: FortiGate Unit Blocked A File | Sub Rule | Blocked Message | Failed Activity |
| | V 2.0: FortiGate Unit Blocked A Virus Command | Sub Rule | Unknown Command | Other Security |
| | V 2.0: FortiGate Intercepted File Contain Virus | Sub Rule | File Intercepted | Activity |
| | V 2.0: FortiGate Unit Intercepted A File (MIME) | Sub Rule | File Intercepted | Activity |
| | V 2.0: File Exempted | Sub Rule | File Exempted | Information |
| | V 2.0: File Exempted | Sub Rule | File Exempted | Information |
| | V 2.0: MMS Content Checksum Blocked Infected File | Sub Rule | Checksum Warning | Warning |
| | V 2.0: MMS Content Checksum Was Matched | Sub Rule | General Checksum Information | Information |
| | V 2.0: Defined File Size Limit Was Exceeded | Sub Rule | Limit Exceeded | Warning |
| | V 2.0: File Size Limit Was Exceeded | Sub Rule | Limit Exceeded | Warning |
| | V 2.0: File (MIME) Size Exceed Defined Size Limit | Sub Rule | Limit Exceeded | Warning |
| | V 2.0: File (MIME) Size Exceed Defined Size Limit | Sub Rule | Limit Exceeded | Warning |
| | V 2.0: Switching Protocols Request | Sub Rule | Protocol Change Requested | Information |
| | V 2.0: Switching Protocols Request | Sub Rule | Protocol Change Requested | Information |
| | V 2.0: File Reached The Uncompressed Nested Limit | Sub Rule | Limit Exceeded | Warning |
| | V 2.0: File Reached The Uncompressed Nested Limit | Sub Rule | Limit Exceeded | Warning |
| | V 2.0: Archived File Is Corrupted | Sub Rule | Data Corrupt | Warning |
| | V 2.0: Archived File Is Encrypted | Sub Rule | Encrypted Files Detected | Activity |
| | V 2.0: Corrupted Archive | Sub Rule | Data Corrupt | Warning |
| | V 2.0: Corrupted Archive | Sub Rule | Data Corrupt | Warning |
| | V 2.0: File Is A Multipart Archive | Sub Rule | Archive Message | Information |
| | V 2.0: File Is A Multipart Archive | Sub Rule | Archive Message | Information |
| | V 2.0: File Is A Nested Archived File | Sub Rule | Archive Message | Information |
| | V 2.0: Archived File Is Oversized | Sub Rule | Limit Exceeded | Warning |
| | V 2.0: Archived File Is Oversized | Sub Rule | Limit Exceeded | Warning |
| | V 2.0: Unhandled Archive | Sub Rule | Object Not Archived | Warning |
| | V 2.0: Unhandled Archive | Sub Rule | Archive Message | Information |
| | V 2.0: Partially Corrupted Archive | Sub Rule | Data Corrupt | Warning |
| | V 2.0: Partially Corrupted Archive | Sub Rule | Data Corrupt | Warning |
| | V 2.0: Exceeded Archive Files Limit | Sub Rule | Limit Exceeded | Warning |
| | V 2.0: Exceeded Archive Files Limit | Sub Rule | File Size Exceeds Limit | Activity |
| | V 2.0: Archive Scan Timeout | Sub Rule | Timeout | Warning |
| | V 2.0: Archive Scan Timeout | Sub Rule | Timeout | Warning |
| | V 2.0: File Submitted To Sandbox | Sub Rule | Job Submitted | Other Audit Success |
| | V 2.0: File Reported Infected | Sub Rule | General Virus Infected Warning | Warning |
| | V 2.0: File Reported Infected | Sub Rule | General Virus Infected | Information |
| | V 2.0: File Reported Infected | Sub Rule | General Virus Infected Warning | Warning |
| | V 2.0: File Reported Infected | Sub Rule | General Virus Infected | Information |
| | V 2.0: File Verdict Returned | Sub Rule | Results Returned | Information |
| | V 2.0: Active Content Detected By Content Disarm | Sub Rule | General Threat Message | Activity |
| | V 2.0: File Was Disarmed By Content Disarm Engine | Sub Rule | File Unavailable | Warning |
| | V 2.0: Botnet C&C Communication | Sub Rule | Detected Botnet Activity | Malware |
| | V 2.0: Botnet C&C Communication | Sub Rule | Detected Botnet Activity | Malware |
| | V 2.0: File Is An Archived Type Unhandled | Sub Rule | Archive Message | Information |
| | V 2.0: AV Engine Load Failed | Sub Rule | Onload Failure | Error |