Vendor Documentation
Classification
| RuleName | RuleType | Common Event | Classification |
|---|---|---|---|
| V 2.0 : UTM : Antivirus | Base Rule | General Antivirus Information | Information |
| V 2.0 : Infected File Blocked | Sub Rule | Threat Blocked | Failed Activity |
| V 2.0 : Infected File Detected | Sub Rule | General Virus Infected Notice | Information |
| V 2.0 : MIME Header Detected To Have A Virus&Block | Sub Rule | Detected Malware Activity | Malware |
| V 2.0 : MIME Header Infected And Passed | Sub Rule | MIME Intercepted | Activity |
| V 2.0 : File Is An Executable | Sub Rule | HTTP Executable Transfer | Activity |
| V 2.0 : File Is An Executable | Sub Rule | HTTP Executable Transfer | Activity |
| V 2.0 : FortiGate Unit Blocked A File | Sub Rule | Blocked Message | Failed Activity |
| V 2.0 : FortiGate Unit Blocked A File | Sub Rule | Blocked Message | Failed Activity |
| V 2.0 : FortiGate Unit Blocked A File | Sub Rule | Blocked Message | Failed Activity |
| V 2.0 : FortiGate Unit Blocked A File | Sub Rule | Blocked Message | Failed Activity |
| V 2.0 : FortiGate Unit Blocked A Virus Command | Sub Rule | Unknown Command | Other Security |
| V 2.0 : FortiGate Intercepted File Contain Virus | Sub Rule | File Intercepted | Activity |
| V 2.0 : FortiGate Unit Intercepted A File (MIME) | Sub Rule | File Intercepted | Activity |
| V 2.0 : File Exempted | Sub Rule | File Exempted | Information |
| V 2.0 : File Exempted | Sub Rule | File Exempted | Information |
| V 2.0 : MMS Content Checksum Blocked Infected File | Sub Rule | Checksum Warning | Warning |
| V 2.0 : MMS Content Checksum Was Matched | Sub Rule | General Checksum Information | Information |
| V 2.0 : Defined File Size Limit Was Exceeded | Sub Rule | Limit Exceeded | Warning |
| V 2.0 : File Size Limit Was Exceeded | Sub Rule | Limit Exceeded | Warning |
| V 2.0 : File (MIME) Size Exceed Defined Size Limit | Sub Rule | Limit Exceeded | Warning |
| V 2.0 : File (MIME) Size Exceed Defined Size Limit | Sub Rule | Limit Exceeded | Warning |
| V 2.0 : Switching Protocols Request | Sub Rule | Protocol Change Requested | Information |
| V 2.0 : Switching Protocols Request | Sub Rule | Protocol Change Requested | Information |
| V 2.0 : File Reached The Uncompressed Nested Limit | Sub Rule | Limit Exceeded | Warning |
| V 2.0 : File Reached The Uncompressed Nested Limit | Sub Rule | Limit Exceeded | Warning |
| V 2.0 : Archived File Is Corrupted | Sub Rule | Data Corrupt | Warning |
| V 2.0 : Archived File Is Encrypted | Sub Rule | Encrypted Files Detected | Activity |
| V 2.0 : Corrupted Archive | Sub Rule | Data Corrupt | Warning |
| V 2.0 : Corrupted Archive | Sub Rule | Data Corrupt | Warning |
| V 2.0 : File Is A Multipart Archive | Sub Rule | Archive Message | Information |
| V 2.0 : File Is A Multipart Archive | Sub Rule | Archive Message | Information |
| V 2.0 : File Is A Nested Archived File | Sub Rule | Archive Message | Information |
| V 2.0 : Archived File Is Oversized | Sub Rule | Limit Exceeded | Warning |
| V 2.0 : Archived File Is Oversized | Sub Rule | Limit Exceeded | Warning |
| V 2.0 : Unhandled Archive | Sub Rule | Object Not Archived | Warning |
| V 2.0 : Unhandled Archive | Sub Rule | Archive Message | Information |
| V 2.0 : Partially Corrupted Archive | Sub Rule | Data Corrupt | Warning |
| V 2.0 : Partially Corrupted Archive | Sub Rule | Data Corrupt | Warning |
| V 2.0 : Exceeded Archive Files Limit | Sub Rule | Limit Exceeded | Warning |
| V 2.0 : Exceeded Archive Files Limit | Sub Rule | File Size Exceeds Limit | Activity |
| V 2.0 : Archive Scan Timeout | Sub Rule | Timeout | Warning |
| V 2.0 : Archive Scan Timeout | Sub Rule | Timeout | Warning |
| V 2.0 : File Submitted To Sandbox | Sub Rule | Job Submitted | Other Audit Success |
| V 2.0 : File Reported Infected | Sub Rule | General Virus Infected Warning | Warning |
| V 2.0 : File Reported Infected | Sub Rule | General Virus Infected | Information |
| V 2.0 : File Reported Infected | Sub Rule | General Virus Infected Warning | Warning |
| V 2.0 : File Reported Infected | Sub Rule | General Virus Infected | Information |
| V 2.0 : File Verdict Returned | Sub Rule | Results Returned | Information |
| V 2.0 : Active Content Detected By Content Disarm | Sub Rule | General Threat Message | Activity |
| V 2.0 : File Was Disarmed By Content Disarm Engine | Sub Rule | File Unavailable | Warning |
| V 2.0 : Botnet C&C Communication | Sub Rule | Detected Botnet Activity | Malware |
| V 2.0 : Botnet C&C Communication | Sub Rule | Detected Botnet Activity | Malware |
| V 2.0 : File Is An Archived Type Unhandled | Sub Rule | Archive Message | Information |
| V 2.0 : AV Engine Load Failed | Sub Rule | Onload Failure | Error |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| date | N/A | N/A | The date of the log entry. |
| time | N/A | N/A | The time of the log entry. |
| logid | <vmid> | Number | The unique identifier for the log entry. |
| type | <vendorinfo> | Text/String | The type of log event. |
| subtype | N/A | N/A | The subtype of the log event. |
| eventtype | N/A | N/A | The type of event (infected in this case). |
| level | <severity> | Text/String | The severity level of the log event. |
| vd | <sessiontype> | Text/String | The virtual domain associated with the log event. |
| eventtime | N/A | N/A | The timestamp of the event. |
| msg | <subject> | Text/String | Additional message or details of the log event. |
| action | <action> | Text/String | The action taken by the system (blocked in this case). |
| service | <parentprocessname> | Text/String | The service or protocol associated with the log event. |
| sessionid | <session> | Number | The ID of the session associated with the log event. |
| srcip | <sip> | IP Address | The source IP address of the communication. |
| dstip | <dip> | IP Address | The destination IP address of the communication. |
| srcport | <sport> | Number | The source port number. |
| dstport | <dport> | Number | The destination port number. |
| srcintf | <sinterface> | Text/String | The source interface. |
| srcintfrole | N/A | N/A | The role of the source interface. |
| dstintf | <dinterface> | Text/String | The destination interface. |
| dstintfrole | N/A | N/A | The role of the destination interface. |
| policyid | <policy> | Number | The ID of the policy associated with the log event. |
| proto | <protnum> | Number | The protocol number. |
| direction | N/A | N/A | The direction of the traffic (incoming in this case). |
| filename | <object> | Text/String | The name of the infected file. |
| fsaverdict | <result> | Text/String | Verdict returned to FortiGate after analysis (clean, low risk, med risk, high risk, malicious). |
| quarskip | <status> | Text/String | Information about quarantine status (not quarantined in this case). |
| virus | <threatname> | Text/String | The name of the virus detected. |
| dtype | N/A | N/A | The type of detection (virus in this case). |
| ref | N/A | N/A | Reference link for more information about the virus. |
| virusid | <threatid> | Number | The ID of the detected virus. |
| url | <url> | Text/String | The URL associated with the infected file. |
| profile | N/A | N/A | The profile applied to the log event. |
| agent | <useragent> | Text/String | The user agent or client software associated with the event. |
| sender | <sender> | Text/String | N/A |
| recipient | <recipient> | Text/String | N/A |
| analyticscksum | N/A | N/A | Checksum for analytics. |
| analyticssubmit | N/A | N/A | Indicates whether analytics were submitted (false in this case). |
| crscore | N/A | N/A | The score assigned by the content reputation feature. |
| craction | N/A | N/A | The action taken based on the content reputation score. |
| crlevel | N/A | N/A | The level of content reputation. |