Malware Detection Events (XML Logs)
Vendor Documentation
Classification
| Rule Name | Rule Type | Classification | Common Event |
|---|---|---|---|
| Malware Detection Events (XML Logs) | Base Rule | Security : Other Security | General Security |
| EVID 1006 : Malware Found | Sub rule | Security : Malware | Detected Malware Activity |
| EVID 1007 : Malware Found : Cleaned | Sub rule | Security : Failed Malware | Failed Malware Activity |
| EVID 1007 : Malware Found : Quarantined | Sub rule | Security : Failed Malware | Failed Malware Activity |
| EVID 1007 : Malware Found : Removed | Sub rule | Security : Failed Activity | Threat Deleted |
| EVID 1007 : Malware Found : Allowed | Sub rule | Security : Malware | Detected Malware Activity |
| EVID 1007 : Malware Found : User Defined Action | Sub rule | Operations : Other Security | General Security |
| EVID 1007 : Malware Found : No action Taken | Sub rule | Security : Malware | Detected Malware Activity |
| EVID 1007 : Malware Found : Blocked | Sub rule | Security : Failed Malware | Failed Malware Activity |
| EVID 1008 : Malware Response Action Failed | Sub rule | Operations : Error | General Antivirus Error |
| EVID 1015 : Suspicious Behavior Detected | Sub rule | Security : Suspicious | Suspicious Activity |
| EVID 1116 : Malware Activity Detected | Sub rule | Security : Malware | Detected Malware Activity |
| EVID 1117 : Malware Found : Cleaned | Sub rule | Security : Failed Malware | Failed Malware Activity |
| EVID 1117 : Malware Found : Quarantined | Sub rule | Security : Failed Activity | Quarantined Message |
| EVID 1117 : Malware Found : Removed | Sub rule | Security : Failed Activity | Threat Deleted |
| EVID 1117 : Malware Found : Allowed | Sub rule | Security : Malware | Detected Malware Activity |
| EVID 1117 : Malware Found : User Defined Action | Sub rule | Operations : Other Security | General Security |
| EVID 1117 : Malware Found : No action Taken | Sub rule | Security : Malware | Detected Malware Activity |
| EVID 1117 : Malware Found : Blocked | Sub rule | Security : Failed Malware | Failed Malware Activity |
| EVID 1118 : Malware Response Action Failed | Sub rule | Operations : Error | General Antivirus Error |
| EVID 1119 : Malware Response Action Critically Failed | Sub rule | Operations : Critical | Critical Failure |
Mapping with LogRhythm Schema
| Device Key in log message | LogRhythm Schema | Data Type | Schema Description |
| Provider | Identifies the provider that logged the event. The Name and Guid attributes are included if the provider used an instrumentation manifest to define its events; otherwise, the EventSourceName attribute is included if a legacy event provider (using the Event Logging API) logged the event. | ||
| EventID | <vmid> | Number | The identifier that the provider used to identify the event. |
| Version | The version number of the event's definition. | ||
| Level | <severity> | String/Number | The severity level defined in the event. |
| Task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. | ||
| Opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. | ||
| Keywords | A bitmask of the keywords defined in the event. Keywords are used to classify types of events (for example, events associated with reading data). | ||
| TimeCreated | The time stamp that identifies when the event was logged. The time stamp includes either the SystemTime attribute or the RawTime attribute. | ||
| EventRecordID | The record number assigned to the event when it was logged. | ||
| Correlation | The activity identifiers that consumers can use to group related events together. | ||
| Execution | Contains information about the process and thread that logged the event. | ||
| Channel | The channel to which the event was logged. | ||
| Computer | <dname> | Text/String | The name of the computer on which the event occurred. |
| Security | |||
| Product Name | |||
| Product Version | |||
| Detection ID | |||
| Detection Time | |||
| Threat ID | <threatid> | Number | |
| Threat Name | <threatname> | Text/String | |
| Severity ID | <severity> | Number | |
| Severity Name | |||
| Category ID | |||
| Category Name | |||
| FWLink | |||
| Status Code | |||
| Status Description | |||
| State | |||
| Source ID | |||
| Source Name | |||
| Process Name | <process> | Text/String | |
| Detection User | <login> <domainorigin> | Text/String | |
| Path | |||
| Origin ID | |||
| Origin Name | |||
| Execution ID | |||
| Execution Name | |||
| Type ID | |||
| Type Name | |||
| Pre Execution Status | |||
| Action ID | |||
| Action Name | <action> <tag1> | Text/String | |
| Error Code | <responsecode> | Text/String | |
| Error Description | <reason> | Text/String | |
| Post Clean Status | |||
| Additional Actions ID | |||
| Additional Actions String | <status> | Text/String | |
| Remediation User | |||
| Signature Version | |||
| Engine Version |