Syslog Fortinet FortiGate - V 2.0 : UTM : Antivirus
Vendor Documentation
Classification
RuleName | RuleType | Common Event | Classification |
---|---|---|---|
V 2.0 : UTM : Antivirus | Base Rule | General Antivirus Information | Information |
V 2.0 : Infected File Blocked | Sub Rule | Threat Blocked | Failed Activity |
V 2.0 : Infected File Detected | Sub Rule | General Virus Infected Notice | Information |
V 2.0 : MIME Header Detected To Have A Virus&Block | Sub Rule | Detected Malware Activity | Malware |
V 2.0 : MIME Header Infected And Passed | Sub Rule | MIME Intercepted | Activity |
V 2.0 : File Is An Executable | Sub Rule | HTTP Executable Transfer | Activity |
V 2.0 : File Is An Executable | Sub Rule | HTTP Executable Transfer | Activity |
V 2.0 : FortiGate Unit Blocked A File | Sub Rule | Blocked Message | Failed Activity |
V 2.0 : FortiGate Unit Blocked A File | Sub Rule | Blocked Message | Failed Activity |
V 2.0 : FortiGate Unit Blocked A File | Sub Rule | Blocked Message | Failed Activity |
V 2.0 : FortiGate Unit Blocked A File | Sub Rule | Blocked Message | Failed Activity |
V 2.0 : FortiGate Unit Blocked A Virus Command | Sub Rule | Unknown Command | Other Security |
V 2.0 : FortiGate Intercepted File Contain Virus | Sub Rule | File Intercepted | Activity |
V 2.0 : FortiGate Unit Intercepted A File (MIME) | Sub Rule | File Intercepted | Activity |
V 2.0 : File Exempted | Sub Rule | File Exempted | Information |
V 2.0 : File Exempted | Sub Rule | File Exempted | Information |
V 2.0 : MMS Content Checksum Blocked Infected File | Sub Rule | Checksum Warning | Warning |
V 2.0 : MMS Content Checksum Was Matched | Sub Rule | General Checksum Information | Information |
V 2.0 : Defined File Size Limit Was Exceeded | Sub Rule | Limit Exceeded | Warning |
V 2.0 : File Size Limit Was Exceeded | Sub Rule | Limit Exceeded | Warning |
V 2.0 : File (MIME) Size Exceed Defined Size Limit | Sub Rule | Limit Exceeded | Warning |
V 2.0 : File (MIME) Size Exceed Defined Size Limit | Sub Rule | Limit Exceeded | Warning |
V 2.0 : Switching Protocols Request | Sub Rule | Protocol Change Requested | Information |
V 2.0 : Switching Protocols Request | Sub Rule | Protocol Change Requested | Information |
V 2.0 : File Reached The Uncompressed Nested Limit | Sub Rule | Limit Exceeded | Warning |
V 2.0 : File Reached The Uncompressed Nested Limit | Sub Rule | Limit Exceeded | Warning |
V 2.0 : Archived File Is Corrupted | Sub Rule | Data Corrupt | Warning |
V 2.0 : Archived File Is Encrypted | Sub Rule | Encrypted Files Detected | Activity |
V 2.0 : Corrupted Archive | Sub Rule | Data Corrupt | Warning |
V 2.0 : Corrupted Archive | Sub Rule | Data Corrupt | Warning |
V 2.0 : File Is A Multipart Archive | Sub Rule | Archive Message | Information |
V 2.0 : File Is A Multipart Archive | Sub Rule | Archive Message | Information |
V 2.0 : File Is A Nested Archived File | Sub Rule | Archive Message | Information |
V 2.0 : Archived File Is Oversized | Sub Rule | Limit Exceeded | Warning |
V 2.0 : Archived File Is Oversized | Sub Rule | Limit Exceeded | Warning |
V 2.0 : Unhandled Archive | Sub Rule | Object Not Archived | Warning |
V 2.0 : Unhandled Archive | Sub Rule | Archive Message | Information |
V 2.0 : Partially Corrupted Archive | Sub Rule | Data Corrupt | Warning |
V 2.0 : Partially Corrupted Archive | Sub Rule | Data Corrupt | Warning |
V 2.0 : Exceeded Archive Files Limit | Sub Rule | Limit Exceeded | Warning |
V 2.0 : Exceeded Archive Files Limit | Sub Rule | File Size Exceeds Limit | Activity |
V 2.0 : Archive Scan Timeout | Sub Rule | Timeout | Warning |
V 2.0 : Archive Scan Timeout | Sub Rule | Timeout | Warning |
V 2.0 : File Submitted To Sandbox | Sub Rule | Job Submitted | Other Audit Success |
V 2.0 : File Reported Infected | Sub Rule | General Virus Infected Warning | Warning |
V 2.0 : File Reported Infected | Sub Rule | General Virus Infected | Information |
V 2.0 : File Reported Infected | Sub Rule | General Virus Infected Warning | Warning |
V 2.0 : File Reported Infected | Sub Rule | General Virus Infected | Information |
V 2.0 : File Verdict Returned | Sub Rule | Results Returned | Information |
V 2.0 : Active Content Detected By Content Disarm | Sub Rule | General Threat Message | Activity |
V 2.0 : File Was Disarmed By Content Disarm Engine | Sub Rule | File Unavailable | Warning |
V 2.0 : Botnet C&C Communication | Sub Rule | Detected Botnet Activity | Malware |
V 2.0 : Botnet C&C Communication | Sub Rule | Detected Botnet Activity | Malware |
V 2.0 : File Is An Archived Type Unhandled | Sub Rule | Archive Message | Information |
V 2.0 : AV Engine Load Failed | Sub Rule | Onload Failure | Error |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
---|---|---|---|
date | N/A | N/A | The date of the log entry. |
time | N/A | N/A | The time of the log entry. |
logid | <vmid> | Number | The unique identifier for the log entry. |
type | <vendorinfo> | Text/String | The type of log event. |
subtype | N/A | N/A | The subtype of the log event. |
eventtype | N/A | N/A | The antivirus event type (e.g. infected, filename, oversize). |
level | <severity> | Text/String | The severity level of the log event. |
vd | <sessiontype> | Text/String | The virtual domain associated with the log event. |
eventtime | N/A | N/A | The timestamp of the event. |
msg | <subject> | Text/String | Additional message or details of the log event. |
action | <action> | Text/String | The action taken by the FortiGate unit (e.g. blocked, monitored). |
service | <protname> | Text/String | The service or protocol associated with the log event. |
sessionid | <session> | Number | The ID of the session associated with the log event. |
srcip | <sip> | IP Address | The source IP address of the communication. |
dstip | <dip> | IP Address | The destination IP address of the communication. |
srcport | <sport> | Number | The source port number. |
dstport | <dport> | Number | The destination port number. |
srcintf | <sinterface> | Text/String | The source interface. |
srcintfrole | N/A | N/A | The role of the source interface. |
dstintf | <dinterface> | Text/String | The destination interface. |
dstintfrole | N/A | N/A | The role of the destination interface. |
policyid | <policy> | Number | The ID of the policy associated with the log event. |
proto | <protnum> | Number | The protocol number. |
direction | N/A | N/A | The direction of the traffic relative to the FortiGate (e.g. incoming, outgoing). |
filename | <object> | Text/String | The name of the infected file. |
fsaverdict | <result> | Text/String | Verdict returned to FortiGate after analysis (clean, low risk, med risk, high risk, malicious) |
quarskip | <status> | Text/String | Quarantine status, i.e. whether quarantine was skipped and why (e.g. No-skip). |
virus | <threatname> | Text/String | The name of the virus signature that matched. |
dtype | N/A | N/A | The detection type (e.g. Virus). |
ref | N/A | N/A | Reference link for more information about the virus. |
virusid | <threatid> | Number | The ID of the detected virus. |
url | <url> | Text/String | The URL associated with the infected file. |
profile | N/A | N/A | The profile applied to the log event. |
agent | <useragent> | Text/String | The user agent or client software associated with the event. |
analyticscksum | N/A | N/A | Checksum of the file sent for sandbox (FortiSandbox) analytics. |
analyticssubmit | N/A | N/A | Whether the file was submitted for sandbox analytics (e.g. false). |
crscore | N/A | N/A | The client reputation score assigned to the source. |
craction | N/A | N/A | The client reputation action triggered by the score. |
crlevel | N/A | N/A | The client reputation level (e.g. critical). |
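The mapping and classification tables above, as an added worked example that is not part of the LogRhythm or Fortinet documentation: a small Python parser that splits a FortiGate key=value syslog body, renames the device keys to the LogRhythm schema fields listed in the mapping table, and assigns the event to one of the sub-rules from the classification table. The sample log lines are constructed for illustration, the logid value is illustrative, and the sub-rule selection is a simplified stand-in for the real regex-based MPE rules, which are not shown on this page.

```python
import re
from typing import Dict, Optional

# Device key -> LogRhythm schema field, taken from the mapping table above.
# Keys the table maps to N/A are parsed but not renamed.
FIELD_MAP: Dict[str, str] = {
    "logid": "vmid", "type": "vendorinfo", "level": "severity", "vd": "sessiontype",
    "msg": "subject", "action": "action", "service": "protname", "sessionid": "session",
    "srcip": "sip", "dstip": "dip", "srcport": "sport", "dstport": "dport",
    "srcintf": "sinterface", "dstintf": "dinterface", "policyid": "policy",
    "proto": "protnum", "filename": "object", "fsaverdict": "result",
    "quarskip": "status", "virus": "threatname", "virusid": "threatid",
    "url": "url", "agent": "useragent",
}
# Schema fields the table types as Number; vmid is left as text so a leading zero survives.
NUMERIC = {"session", "sport", "dport", "policy", "protnum", "threatid"}

# FortiGate syslog bodies are space-separated key=value pairs; values containing
# spaces are double-quoted and may contain escaped quotes.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate(line: str) -> Dict[str, str]:
    """Split a FortiGate log body into a dict of raw device fields."""
    fields: Dict[str, str] = {}
    for key, raw in _KV.findall(line):
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def to_logrhythm(fields: Dict[str, str]) -> Dict[str, object]:
    """Rename device keys to LogRhythm schema fields per the mapping table."""
    out: Dict[str, object] = {}
    for key, value in fields.items():
        schema = FIELD_MAP.get(key)
        if schema is None:
            continue
        if schema in NUMERIC:
            try:
                out[schema] = int(value)
            except ValueError:
                out[schema] = value  # keep the raw text rather than drop the field
        else:
            out[schema] = value
    return out


def classify(fields: Dict[str, str]) -> Optional[str]:
    """Pick a sub-rule name from the classification table (simplified; assumed logic)."""
    if fields.get("type") != "utm" or fields.get("subtype") != "virus":
        return None  # not an antivirus event; outside this base rule
    eventtype, action = fields.get("eventtype"), fields.get("action")
    if eventtype == "infected":
        if action == "blocked":
            return "V 2.0 : Infected File Blocked"
        return "V 2.0 : Infected File Detected"  # infected but allowed through
    return "V 2.0 : UTM : Antivirus"  # base rule catch-all for other eventtypes


# Constructed sample lines (not captured from a real device).
SAMPLE_BLOCKED = (
    'date=2024-03-05 time=10:15:42 logid="0211008192" type="utm" subtype="virus" '
    'eventtype="infected" level="warning" vd="root" eventtime=1709633742 '
    'msg="File is infected." action="blocked" service="HTTP" sessionid=48213 '
    'srcip=10.10.1.25 dstip=203.0.113.40 srcport=51234 dstport=80 srcintf="port2" '
    'srcintfrole="lan" dstintf="port1" dstintfrole="wan" policyid=7 proto=6 '
    'direction="incoming" filename="invoice.exe" quarskip="No-skip" '
    'virus="EICAR_TEST_FILE" dtype="Virus" virusid=2172 '
    'url="http://203.0.113.40/invoice.exe" profile="default" agent="curl/8.4.0" '
    'analyticssubmit="false" crscore=50 craction=2 crlevel="critical"'
)
SAMPLE_MONITORED = SAMPLE_BLOCKED.replace('action="blocked"', 'action="monitored"')
SAMPLE_TRAFFIC = 'date=2024-03-05 time=10:16:00 type="traffic" subtype="forward" action="accept"'


def infected_but_allowed(lines) -> list:
    """Triage helper: return schema records for infected files that were not blocked."""
    hits = []
    for line in lines:
        f = parse_fortigate(line)
        if classify(f) == "V 2.0 : Infected File Detected":
            hits.append(to_logrhythm(f))
    return hits


if __name__ == "__main__":
    for rec in infected_but_allowed([SAMPLE_BLOCKED, SAMPLE_MONITORED, SAMPLE_TRAFFIC]):
        print(rec["sip"], "->", rec["dip"], rec["object"], rec["threatname"])
```

The regex keeps quoted values intact, so a `msg` with spaces maps cleanly to `<subject>`; the `infected_but_allowed` helper is the check an analyst usually wants first, since an infected file with a non-blocking action means the payload reached the client.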