Vendor Documentation
Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
|
Log Field |
LogRhythm Default |
LogRhythm Default v2.0 |
|---|---|---|
|
N/A |
<severity> |
N/A |
|
Header (pver) |
<version> |
N/A |
|
Header (eventid) |
N/A |
<vmid> |
|
Header (eventName) |
<vendorinfo>
|
N/A |
|
Header (severity) |
<severity> |
<severity> |
|
cnt |
<amount> |
<quantity> |
|
dhost |
<dname> |
N/A |
|
cs1 |
<threatname> |
<threatname> |
|
cs2 |
N/A |
<version> |
|
cs5 |
<action> |
<action>
|
|
dvchost |
N/A |
<dname> |
|
fname |
<object> |
<object> |
|
filePath |
<parentprocesspath> |
N/A |
|
dst |
<dip> |
<dip> |
|
fileHash |
N/A |
<hash> |
|
duser |
<account> |
N/A |
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub rules to appropriately parse log message types by their event types.
LogRhythm Default
|
Rule ID |
Rule Name |
Rule Type |
Classification |
Common Event |
|---|---|---|---|---|
|
1011397 |
Spyware Detected Log Messages |
Base Rule |
Malware |
Detected Spyware Activity |
LogRhythm Default v2.0
|
Rule ID |
Rule Name |
Rule Type |
Classification |
Common Event |
|---|---|---|---|---|
|
1012153 |
V 2.0 : Spyware/Grayware Event |
Base Rule |
Malware |
Detected Spyware Activity |
|
V 2.0 : Spyware/Grayware : Unknown |
Sub Rule |
Other Security |
General Security |
|
|
V 2.0 : Spyware/Grayware : Not Applicable |
Sub Rule |
Other Security |
General Security |
|
|
V 2.0 : Spyware/Grayware : File Cleaned |
Sub Rule |
Failed Malware |
Failed Spyware Activity |
|
|
V 2.0 : Spyware/Grayware : File Deleted |
Sub Rule |
Failed Malware |
Failed Spyware Activity |
|
|
V 2.0 : Spyware/Grayware : File Quarantined |
Sub Rule |
Activity |
Quarantine |
|
|
V 2.0 : Spyware/Grayware : File Renamed |
Sub Rule |
Malware |
Detected Spyware Activity |
|
|
V 2.0 : Spyware/Grayware : File Passed |
Sub Rule |
Malware |
Detected Spyware Activity |
|
|
V 2.0 : Spyware/Grayware : Unable To Clean File, Passed |
Sub Rule |
Malware |
Detected Spyware Activity |
|
|
V 2.0 : Spy/Grayware : Unable To Clean File, Deleted |
Sub Rule |
Failed Malware |
Failed Spyware Activity |
|
|
V 2.0 : Spy/Grayware : Unable To Clean File, Renamed |
Sub Rule |
Malware |
Detected Spyware Activity |
|
|
V 2.0 : Spy/Grayware : Unable To Clean File, Quarantine |
Sub Rule |
Activity |
Quarantine |
|
|
V 2.0 : Spyware/Grayware : File Dropped |
Sub Rule |
Failed Malware |
Failed Spyware Activity |
|
|
V 2.0 : Spy/Grayware : Unable To Clean File, Stripped |
Sub Rule |
Failed Malware |
Failed Spyware Activity |
|
|
V 2.0 : Spyware/Grayware : File Replaced |
Sub Rule |
Failed Malware |
Failed Spyware Activity |
|
|
V 2.0 : Spyware/Grayware : File Dropped |
Sub Rule |
Failed Malware |
Failed Spyware Activity |
|
|
V 2.0 : Spyware/Grayware : File Archived |
Sub Rule |
Malware |
Detected Spyware Activity |
|
|
V 2.0 : Spyware/Grayware : Blocked Successfully |
Sub Rule |
Failed Malware |
Failed Spyware Activity |
|
|
V 2.0 :Spyware/Grayware : Quarantined Successfully |
Sub Rule |
Activity |
Quarantine |
|
|
V 2.0 : Spyware/Grayware : Stamped Successfully |
Sub Rule |
Malware |
Detected Spyware Activity |
|
|
V 2.0 : Spyware/Grayware : File Uploaded |
Sub Rule |
Malware |
Detected Spyware Activity |
|
|
V 2.0 : Spyware/Grayware : Access Denied |
Sub Rule |
Malware |
Detected Spyware Activity |
|
|
V 2.0 : Spyware/ Grayware : No Action |
Sub Rule |
Malware |
Detected Spyware Activity |
|
|
V 2.0 : Spyware/ Grayware : Scan Stopped |
Sub Rule |
Information |
Scan Stopped |
|
|
V 2.0 : Spyware/ Grayware : Encrypted |
Sub Rule |
Activity |
Encrypted Files Detected |
|
|
V 2.0 : Spyware/ Grayware : Undefined |
Sub Rule |
Activity |
General Activity |
|
|
V 2.0 : Spyware/ Grayware : System Rebooted |
Sub Rule |
Startup and Shutdown |
System Restarted |
|
|
V 2.0 : Spyware/Grayware : Action Failed |
Sub Rule |
Activity |
General Activity |
|
|
V 2.0 : Spyware/Grayware : Action Required |
Sub Rule |
Activity |
General Activity |