Malware Detection Events
Vendor Documentation
Classification
Rule Name | Rule Type | Classification | Common Event |
---|---|---|---|
Malware Detection Events | Base Rule | Security : Other Security | General Security |
EVID 1006 : Malware found | Sub rule | Security : Malware | Detected Malware Activity |
EVID 1007 : Malware found : Cleaned | Sub rule | Security : Failed Malware | Failed Malware Activity |
EVID 1007 : Malware found : Quarantined | Sub rule | Security : Failed Malware | Failed Malware Activity |
EVID 1007 : Malware found : Removed | Sub rule | Security : Failed Activity | Threat Deleted |
EVID 1007 : Malware found : Allowed | Sub rule | Security : Malware | Detected Malware Activity |
EVID 1007 : Malware found : User Defined Action | Sub rule | Operations : Other Security | General Security |
EVID 1007 : Malware found : No action Taken | Sub rule | Security : Malware | Detected Malware Activity |
EVID 1007 : Malware found : Blocked | Sub rule | Security : Failed Malware | Failed Malware Activity |
EVID 1008 : Malware Response Action Failed | Sub rule | Operations : Error | General Antivirus Error |
EVID 1015 : Suspicious Behavior Detected | Sub rule | Security : Suspicious | Suspicious Activity |
EVID 1116 : Malware Activity Detected | Sub rule | Security : Malware | Detected Malware Activity |
EVID 1117 : Malware found : Cleaned | Sub rule | Security : Failed Malware | Failed Malware Activity |
EVID 1117 : Malware found : Quarantined | Sub rule | Security : Failed Activity | Quarantined Message |
EVID 1117 : Malware found : Removed | Sub rule | Security : Failed Activity | Threat Deleted |
EVID 1117 : Malware found : Allowed | Sub rule | Security : Malware | Detected Malware Activity |
EVID 1117 : Malware found : User Defined Action | Sub rule | Operations : Other Security | General Security |
EVID 1117 : Malware found : No action Taken | Sub rule | Security : Malware | Detected Malware Activity |
EVID 1117 : Malware found : Blocked | Sub rule | Security : Failed Malware | Failed Malware Activity |
EVID 1118 : Malware Response Action Failed | Sub rule | Operations : Error | General Antivirus Error |
EVID 1119 : Malware Response Action Critically Failed | Sub rule | Operations : Critical | Critical Failure |
Mapping with LogRhythm Schema
Device Key in log message | LogRhythm Schema | Data Type | Schema Description |
Provider | Identifies the provider that logged the event. The Name and Guid attributes are included if the provider used an instrumentation manifest to define its events; otherwise, the EventSourceName attribute is included if a legacy event provider (using the Event Logging API) logged the event. | ||
EventID | <vmid> <tag1> | Number | The identifier that the provider used to identify the event. |
Version | The version number of the event's definition. | ||
Level | <severity> | String/Number | The severity level defined in the event. |
Task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. | ||
Opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. | ||
Keywords | A bitmask of the keywords defined in the event. Keywords are used to classify types of events (for example, events associated with reading data). | ||
TimeCreated | The time stamp that identifies when the event was logged. The time stamp includes either the SystemTime attribute or the RawTime attribute. | ||
EventRecordID | The record number assigned to the event when it was logged. | ||
Correlation | The activity identifiers that consumers can use to group related events together. | ||
Execution | Contains information about the process and thread that logged the event. | ||
Channel | The channel to which the event was logged. | ||
Computer | <dname> | Text/String | The name of the computer on which the event occurred. |
Security | |||
<subject> | Text/String | A description of the event. | |
Name | <threatname> | Text/String | |
ID | <threatid> | Number | |
Severity | <severity> | Text/String | |
Category | |||
Path | |||
Detection Origin | |||
Detection Type | |||
Detection Source | |||
User | <login> <domainorigin> | Text/String | |
Process Name | <process> | Text/String | |
Action | <action> <tag2> | Text/String | |
Action Status | <status> | Text/String | |
Error Code | <responsecode> | Text/String | |
Error description | <reason> | Text/String | |
Signature Version | |||
Engine Version |