Malware Detection Events
Vendor Documentation
Classification
| Rule Name | Rule Type | Classification | Common Event |
|---|---|---|---|
| Malware Detection Events | Base Rule | Security : Other Security | General Security |
| EVID 1006 : Malware found | Sub rule | Security : Malware | Detected Malware Activity |
| EVID 1007 : Malware found : Cleaned | Sub rule | Security : Failed Malware | Failed Malware Activity |
| EVID 1007 : Malware found : Quarantined | Sub rule | Security : Failed Malware | Failed Malware Activity |
| EVID 1007 : Malware found : Removed | Sub rule | Security : Failed Activity | Threat Deleted |
| EVID 1007 : Malware found : Allowed | Sub rule | Security : Malware | Detected Malware Activity |
| EVID 1007 : Malware found : User Defined Action | Sub rule | Operations : Other Security | General Security |
| EVID 1007 : Malware found : No action Taken | Sub rule | Security : Malware | Detected Malware Activity |
| EVID 1007 : Malware found : Blocked | Sub rule | Security : Failed Malware | Failed Malware Activity |
| EVID 1008 : Malware Response Action Failed | Sub rule | Operations : Error | General Antivirus Error |
| EVID 1015 : Suspicious Behavior Detected | Sub rule | Security : Suspicious | Suspicious Activity |
| EVID 1116 : Malware Activity Detected | Sub rule | Security : Malware | Detected Malware Activity |
| EVID 1117 : Malware found : Cleaned | Sub rule | Security : Failed Malware | Failed Malware Activity |
| EVID 1117 : Malware found : Quarantined | Sub rule | Security : Failed Activity | Quarantined Message |
| EVID 1117 : Malware found : Removed | Sub rule | Security : Failed Activity | Threat Deleted |
| EVID 1117 : Malware found : Allowed | Sub rule | Security : Malware | Detected Malware Activity |
| EVID 1117 : Malware found : User Defined Action | Sub rule | Operations : Other Security | General Security |
| EVID 1117 : Malware found : No action Taken | Sub rule | Security : Malware | Detected Malware Activity |
| EVID 1117 : Malware found : Blocked | Sub rule | Security : Failed Malware | Failed Malware Activity |
| EVID 1118 : Malware Response Action Failed | Sub rule | Operations : Error | General Antivirus Error |
| EVID 1119 : Malware Response Action Critically Failed | Sub rule | Operations : Critical | Critical Failure |
Mapping with LogRhythm Schema
| Device Key in log message | LogRhythm Schema | Data Type | Schema Description |
| Provider | Identifies the provider that logged the event. The Name and Guid attributes are included if the provider used an instrumentation manifest to define its events; otherwise, the EventSourceName attribute is included if a legacy event provider (using the Event Logging API) logged the event. | ||
| EventID | <vmid> <tag1> | Number | The identifier that the provider used to identify the event. |
| Version | The version number of the event's definition. | ||
| Level | <severity> | String/Number | The severity level defined in the event. |
| Task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. | ||
| Opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. | ||
| Keywords | A bitmask of the keywords defined in the event. Keywords are used to classify types of events (for example, events associated with reading data). | ||
| TimeCreated | The time stamp that identifies when the event was logged. The time stamp includes either the SystemTime attribute or the RawTime attribute. | ||
| EventRecordID | The record number assigned to the event when it was logged. | ||
| Correlation | The activity identifiers that consumers can use to group related events together. | ||
| Execution | Contains information about the process and thread that logged the event. | ||
| Channel | The channel to which the event was logged. | ||
| Computer | <dname> | Text/String | The name of the computer on which the event occurred. |
| Security | |||
| <subject> | Text/String | A description of the event. | |
| Name | <threatname> | Text/String | |
| ID | <threatid> | Number | |
| Severity | <severity> | Text/String | |
| Category | |||
| Path | |||
| Detection Origin | |||
| Detection Type | |||
| Detection Source | |||
| User | <login> <domainorigin> | Text/String | |
| Process Name | <process> | Text/String | |
| Action | <action> <tag2> | Text/String | |
| Action Status | <status> | Text/String | |
| Error Code | <responsecode> | Text/String | |
| Error description | <reason> | Text/String | |
| Signature Version | |||
| Engine Version |