Vendor Documentation
Classification
|
Rule Name |
Rule Type |
Classification |
Common Event |
|---|---|---|---|
|
Malware Detection Events (XML Logs) |
Base Rule |
Security : Other Security |
General Security |
|
EVID 1006 : Malware Found |
Sub rule |
Security : Malware |
Detected Malware Activity |
|
EVID 1007 : Malware Found : Cleaned |
Sub rule |
Security : Failed Malware |
Failed Malware Activity |
|
EVID 1007 : Malware Found : Quarantined |
Sub rule |
Security : Failed Malware |
Failed Malware Activity |
|
EVID 1007 : Malware Found : Removed |
Sub rule |
Security : Failed Activity |
Threat Deleted |
|
EVID 1007 : Malware Found : Allowed |
Sub rule |
Security : Malware |
Detected Malware Activity |
|
EVID 1007 : Malware Found : User Defined Action |
Sub rule |
Operations : Other Security |
General Security |
|
EVID 1007 : Malware Found : No action Taken |
Sub rule |
Security : Malware |
Detected Malware Activity |
|
EVID 1007 : Malware Found : Blocked |
Sub rule |
Security : Failed Malware |
Failed Malware Activity |
|
EVID 1008 : Malware Response Action Failed |
Sub rule |
Operations : Error |
General Antivirus Error |
|
EVID 1015 : Suspicious Behavior Detected |
Sub rule |
Security : Suspicious |
Suspicious Activity |
|
EVID 1116 : Malware Activity Detected |
Sub rule |
Security : Malware |
Detected Malware Activity |
|
EVID 1117 : Malware Found : Cleaned |
Sub rule |
Security : Failed Malware |
Failed Malware Activity |
|
EVID 1117 : Malware Found : Quarantined |
Sub rule |
Security : Failed Activity |
Quarantined Message |
|
EVID 1117 : Malware Found : Removed |
Sub rule |
Security : Failed Activity |
Threat Deleted |
|
EVID 1117 : Malware Found : Allowed |
Sub rule |
Security : Malware |
Detected Malware Activity |
|
EVID 1117 : Malware Found : User Defined Action |
Sub rule |
Operations : Other Security |
General Security |
|
EVID 1117 : Malware Found : No action Taken |
Sub rule |
Security : Malware |
Detected Malware Activity |
|
EVID 1117 : Malware Found : Blocked |
Sub rule |
Security : Failed Malware |
Failed Malware Activity |
|
EVID 1118 : Malware Response Action Failed |
Sub rule |
Operations : Error |
General Antivirus Error |
|
EVID 1119 : Malware Response Action Critically Failed |
Sub rule |
Operations : Critical |
Critical Failure |
Mapping with LogRhythm Schema
|
Device Key in log message |
LogRhythm Schema |
Data Type |
Schema Description |
|
Provider |
|
|
Identifies the provider that logged the event. The Name and Guid attributes are included if the provider used an instrumentation manifest to define its events; otherwise, the EventSourceName attribute is included if a legacy event provider (using the Event Logging API) logged the event. |
|
EventID |
<vmid> |
Number |
The identifier that the provider used to identify the event. |
|
Version |
|
|
The version number of the event's definition. |
|
Level |
<severity> |
String/Number |
The severity level defined in the event. |
|
Task |
|
|
The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. |
|
Opcode |
|
|
The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. |
|
Keywords |
|
|
A bitmask of the keywords defined in the event. Keywords are used to classify types of events (for example, events associated with reading data). |
|
TimeCreated |
|
|
The time stamp that identifies when the event was logged. The time stamp includes either the SystemTime attribute or the RawTime attribute. |
|
EventRecordID |
|
|
The record number assigned to the event when it was logged. |
|
Correlation |
|
|
The activity identifiers that consumers can use to group related events together. |
|
Execution |
|
|
Contains information about the process and thread that logged the event. |
|
Channel |
|
|
The channel to which the event was logged. |
|
Computer |
<dname> |
Text/String |
The name of the computer on which the event occurred. |
|
Security |
|
|
|
|
Product Name |
|
|
|
|
Product Version |
|
|
|
|
Detection ID |
|
|
|
|
Detection Time |
|
|
|
|
Threat ID |
<threatid> |
Number |
|
|
Threat Name |
<threatname> |
Text/String |
|
|
Severity ID |
<severity> |
Number |
|
|
Severity Name |
|
|
|
|
Category ID |
|
|
|
|
Category Name |
|
|
|
|
FWLink |
|
|
|
|
Status Code |
|
|
|
|
Status Description |
|
|
|
|
State |
|
|
|
|
Source ID |
|
|
|
|
Source Name |
|
|
|
|
Process Name |
<process> |
Text/String |
|
|
Detection User |
<login>
|
Text/String |
|
|
Path |
|
|
|
|
Origin ID |
|
|
|
|
Origin Name |
|
|
|
|
Execution ID |
|
|
|
|
Execution Name |
|
|
|
|
Type ID |
|
|
|
|
Type Name |
|
|
|
|
Pre Execution Status |
|
|
|
|
Action ID |
|
|
|
|
Action Name |
<action>
|
Text/String |
|
|
Error Code |
<responsecode> |
Text/String |
|
|
Error Description |
<reason> |
Text/String |
|
|
Post Clean Status |
|
|
|
|
Additional Actions ID |
|
|
|
|
Additional Actions String |
<status> |
Text/String |
|
|
Remediation User |
|
|
|
|
Signature Version |
|
|
|
|
Engine Version |
|
|
|