Skip to main content
Skip table of contents

V 2.0 : Anti Malware Events

Vendor Documentation


Rule Name

Rule Type

Common Event


V 2.0 : Anti Malware EventsBase RuleDetected Malware ActivityMalware
V 2.0 : Anti Malware Events : Malware DetectedSub RuleDetected Malware ActivityMalware
V 2.0 : Anti Malware Events : Malware PreventedSub RuleFailed Malware ActivityFailed Malware

Mapping with LogRhythm Schema

Device Key in Log MessageLogRhythm SchemaData TypeSchema Description
Product<vmid>Text/StringProduct name
OriginipN/AN/AIP of the log origin 
originN/AN/AName of the first Security Gateway that reported this event
Text/StringDescription of detected malware activity
SIP<sip>IP addressSource IP
SPort<sport>NumberSource host port number
DIP<dip>IP addressDestination IP
dport<dport>NumberDestination host port number
src_machine_name<sname>Text/StringMachine name connected to source IP 
protocol<protnum>NumberProtocol detected on the connection
ifname<sinterface>Text/StringThe name of the Security Gateway interface, through which a connection traverses
ifdirectionN/AN/AConnection direction
UserN/AN/ASource user name
src_user_name<login>Text/StringUser name connected to source IP 
proxy_src_ip<snatip>IP addressSender source IP (even when using proxy) 
Url<url>Text/StringMatched URL
web_client_type<useragent>Text/StringWeb client detected in the HTTP request (e.g: Chrome) 
sent_bytes<bytesin>NumberNumber of bytes sent during the connection 
received_bytes<bytesout>NumberNumber of bytes received during connection 
session_idN/AN/ALog UID
nameN/AN/AApplication name 
malware_familyN/AN/AAdditional information on protection 
Source_OSN/AN/AOS which generated the attack 
Confidence_LevelN/AN/AConfidence level determined by ThreatCloud
Possible values:
0 - N/A
1- Low
2- Medium-Low
3 - Medium
4 - Medium-High
5 - High
Severity<severity>NumberThreat severity determined by ThreatCloud
Possible values:
0 - Informational
1 - Low
2 - Medium
3 - High
4 - Critical
malware_action<vendorinfo>Text/StringDescription of detected malware activity 
rule_nameN/AN/AAccess rule name 
Protection_TypeN/AN/AType of protection used to detect the attack 
Protection_name<threatname>Text/StringSpecific signature name of the attack 
special_propertiesN/AN/AIf this field is set to "1" the log will not be shown (in use for monitoring scan progress) 
scan_mailN/AN/ANumber of emails that were scanned by "AB malicious activity" engine 
descriptionN/AN/AAdditional explanation how the security gateway enforced the connection 
Reason<reason>Text/StringDescription of log's reason 
short_descN/AN/AShort description of the process that was executed  
timeN/AN/AThe time stamp when the log was created
rule_uidN/AN/AAccess policy rule ID on which the connection was matched
informationN/AN/APolicy installation status for a specific blade (used only for Anti-Bot and Anti-Virus)
flagsN/AN/ACheckpoint internal field
loguidN/AN/AUUID  of unified logs  
sequencenumN/AN/ANumber added to order logs with the same Linux timestamp and origin
dst_countryN/AN/ADestination country 
log_idN/AN/AUnique identity for logs includes: Type, Family, Product/Blade, Category
malware_rule_idN/AN/AThreat prevention rule ID  
malware_rule_nameN/AN/AThreat prevention rule name 
origin_sic_nameN/AN/AMachine SIC  
protection_idN/AN/AProtection malware ID
vendor_listN/AN/AThe vendor name that provided the verdict for a malicious URL 
long_descN/AN/AMore information on the process (usually describing error reason in failure) 
scan_hosts_dayN/AN/ANumber of unique hosts during the last day 
scan_hosts_hourN/AN/ANumber of unique hosts during the last hour 
scan_hosts_weekN/AN/ANumber of unique hosts during the last week 
unique_detected_dayN/AN/ADetected virus for a specific host during the last day  
unique_detected_hourN/AN/ADetected virus for a specific host during the last hour  
unique_detected_weekN/AN/ADetected virus for a specific host during the last week 
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.