Vendor Documentation
Classification
|
Rule Name |
Rule Type |
Classification |
Common Event |
|---|---|---|---|
|
Malware Detection Events |
Base Rule |
Security : Other Security |
General Security |
|
EVID 1006 : Malware found |
Sub rule |
Security : Malware |
Detected Malware Activity |
|
EVID 1007 : Malware found : Cleaned |
Sub rule |
Security : Failed Malware |
Failed Malware Activity |
|
EVID 1007 : Malware found : Quarantined |
Sub rule |
Security : Failed Malware |
Failed Malware Activity |
|
EVID 1007 : Malware found : Removed |
Sub rule |
Security : Failed Activity |
Threat Deleted |
|
EVID 1007 : Malware found : Allowed |
Sub rule |
Security : Malware |
Detected Malware Activity |
|
EVID 1007 : Malware found : User Defined Action |
Sub rule |
Operations : Other Security |
General Security |
|
EVID 1007 : Malware found : No action Taken |
Sub rule |
Security : Malware |
Detected Malware Activity |
|
EVID 1007 : Malware found : Blocked |
Sub rule |
Security : Failed Malware |
Failed Malware Activity |
|
EVID 1008 : Malware Response Action Failed |
Sub rule |
Operations : Error |
General Antivirus Error |
|
EVID 1015 : Suspicious Behavior Detected |
Sub rule |
Security : Suspicious |
Suspicious Activity |
|
EVID 1116 : Malware Activity Detected |
Sub rule |
Security : Malware |
Detected Malware Activity |
|
EVID 1117 : Malware found : Cleaned |
Sub rule |
Security : Failed Malware |
Failed Malware Activity |
|
EVID 1117 : Malware found : Quarantined |
Sub rule |
Security : Failed Activity |
Quarantined Message |
|
EVID 1117 : Malware found : Removed |
Sub rule |
Security : Failed Activity |
Threat Deleted |
|
EVID 1117 : Malware found : Allowed |
Sub rule |
Security : Malware |
Detected Malware Activity |
|
EVID 1117 : Malware found : User Defined Action |
Sub rule |
Operations : Other Security |
General Security |
|
EVID 1117 : Malware found : No action Taken |
Sub rule |
Security : Malware |
Detected Malware Activity |
|
EVID 1117 : Malware found : Blocked |
Sub rule |
Security : Failed Malware |
Failed Malware Activity |
|
EVID 1118 : Malware Response Action Failed |
Sub rule |
Operations : Error |
General Antivirus Error |
|
EVID 1119 : Malware Response Action Critically Failed |
Sub rule |
Operations : Critical |
Critical Failure |
Mapping with LogRhythm Schema
|
Device Key in log message |
LogRhythm Schema |
Data Type |
Schema Description |
|
Provider |
|
|
Identifies the provider that logged the event. The Name and Guid attributes are included if the provider used an instrumentation manifest to define its events; otherwise, the EventSourceName attribute is included if a legacy event provider (using the Event Logging API) logged the event. |
|
EventID |
<vmid>
|
Number |
The identifier that the provider used to identify the event. |
|
Version |
|
|
The version number of the event's definition. |
|
Level |
<severity> |
String/Number |
The severity level defined in the event. |
|
Task |
|
|
The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. |
|
Opcode |
|
|
The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. |
|
Keywords |
|
|
A bitmask of the keywords defined in the event. Keywords are used to classify types of events (for example, events associated with reading data). |
|
TimeCreated |
|
|
The time stamp that identifies when the event was logged. The time stamp includes either the SystemTime attribute or the RawTime attribute. |
|
EventRecordID |
|
|
The record number assigned to the event when it was logged. |
|
Correlation |
|
|
The activity identifiers that consumers can use to group related events together. |
|
Execution |
|
|
Contains information about the process and thread that logged the event. |
|
Channel |
|
|
The channel to which the event was logged. |
|
Computer |
<dname> |
Text/String |
The name of the computer on which the event occurred. |
|
Security |
|
|
|
|
|
<subject> |
Text/String |
A description of the event. |
|
Name |
<threatname> |
Text/String |
|
|
ID |
<threatid> |
Number |
|
|
Severity |
<severity> |
Text/String |
|
|
Category |
|
|
|
|
Path |
|
|
|
|
Detection Origin |
|
|
|
|
Detection Type |
|
|
|
|
Detection Source |
|
|
|
|
User |
<login>
|
Text/String |
|
|
Process Name |
<process> |
Text/String |
|
|
Action |
<action>
|
Text/String |
|
|
Action Status |
<status> |
Text/String |
|
|
Error Code |
<responsecode> |
Text/String |
|
|
Error description |
<reason> |
Text/String |
|
|
Signature Version |
|
|
|
|
Engine Version |
|
|
|