V 2.0 Data/File/Virus/Spyware Threat Messages
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
---|---|---|---|
V 2.0 Data/File/Virus/Spyware Threat Messages | Base Rule | General Threat Message | Activity |
V 2.0 Spyware Alert | Sub Rule | Possible Spyware Activity | Malware |
V 2.0 Spyware Allowed | Sub Rule | Possible Spyware Activity | Malware |
V 2.0 Spyware Denied | Sub Rule | Possible Spyware Activity | Malware |
V 2.0 Spyware Dropped | Sub Rule | Possible Spyware Activity | Malware |
V 2.0 Spyware Activity | Sub Rule | Failed Spyware Activity | Failed Malware |
V 2.0 DLP Alert | Sub Rule | General Alert Log Message | Activity |
V 2.0 DLP Event Allowed | Sub Rule | Traffic Allowed by DLP | Network Allow |
V 2.0 DLP Event Denied | Sub Rule | Traffic Denied by DLP | Network Deny |
V 2.0 DLP Event Dropped | Sub Rule | Traffic Denied by DLP | Network Deny |
V 2.0 DLP Event | Sub Rule | Traffic Denied by DLP | Network Deny |
V 2.0 Potentially Threatening File Alert | Sub Rule | Potentially Threatening File Observed | Activity |
V 2.0 Potentially Threatening File Allowed | Sub Rule | Potentially Threatening File Observed | Activity |
V 2.0 Potentially Threatening File Denied | Sub Rule | Failed Suspicious Activity | Failed Suspicious |
V 2.0 Potentially Threatening File Dropped | Sub Rule | Failed Suspicious Activity | Failed Suspicious |
V 2.0 Potentially Threatening File | Sub Rule | Threat Blocked | Failed Activity |
V 2.0 Virus Alert | Sub Rule | Possible Virus Activity | Malware |
V 2.0 Virus Allow | Sub Rule | Detected Virus Activity | Malware |
V 2.0 Virus Denied | Sub Rule | Failed Virus Activity | Failed Malware |
V 2.0 Virus Drop | Sub Rule | Failed Virus Activity | Failed Malware |
V 2.0 Virus Activity | Sub Rule | Threat Blocked | Failed Activity |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
---|---|---|---|
Type (type) | <vmid> | Text/String | Specifies the type of log; value is THREAT. |
Threat/Content Type (subtype) | <vendorinfo> <tag1> | Text/String | Subtype of threat log. Values include the following: data—Data pattern matching a Data Filtering profile; file—File type matching a File Blocking profile; flood—Flood detected via a Zone Protection profile; packet—Packet-based attack protection triggered by a Zone Protection profile; scan—Scan detected via a Zone Protection profile; spyware—Spyware detected via an Anti-Spyware profile; url—URL filtering log; ml-virus—Virus detected by WildFire Inline ML via an Antivirus profile; virus—Virus detected via an Antivirus profile; vulnerability—Vulnerability exploit detected via a Vulnerability Protection profile; wildfire—A WildFire verdict generated when the firewall submits a file to WildFire per a WildFire Analysis profile and a verdict (malware, phishing, grayware, or benign, depending on what you are logging) is logged in the WildFire Submissions log; wildfire-virus—Virus detected via an Antivirus profile. |
Source address (src) | <sip> | IP Address | Original session source IP address |
Destination address (dst) | <dip> | IP Address | Original session destination IP address |
NAT Source IP (natsrc) | <snatip> | IP Address | If Source NAT performed, the post-NAT Source IP address |
NAT Destination IP (natdst) | <dnatip> | IP Address | If Destination NAT performed, the post-NAT Destination IP address |
Rule Name (rule) | <policy> | Text/String | Name of the rule that the session matched |
Source User (srcuser) | <domainorigin> <login> | Text/String | Username of the user who initiated the session |
Destination User (dstuser) | <domainimpacted> <account> | Text/String | Username of the user to which the session was destined |
Inbound Interface (inbound_if) | <sinterface> | Text/String | Interface that the session was sourced from |
Outbound Interface (outbound_if) | <dinterface> | Text/String | Interface that the session was destined to |
Session ID (sessionid) | <session> | Number | An internal numerical identifier applied to each session |
Repeat Count (repeatcnt) | <quantity> | Number | Number of sessions with same Source IP, Destination IP, Application, and Subtype seen within 5 seconds |
Source Port (sport) | <sport> | Number | Source port utilized by the session |
Destination Port (dport) | <dport> | Number | Destination port utilized by the session |
NAT Source Port (natsport) | <snatport> | Number | Post-NAT source port |
NAT Destination Port (natdport) | <dnatport> | Number | Post-NAT destination port |
IP Protocol (proto) | <protname> | Text/String | IP protocol associated with the session |
Action (action) | <action> <tag2> | Text/String | Action taken for the session; values are alert, allow, deny, drop, drop-all-packets, reset-client, reset-server, reset-both, block-url. alert—threat or URL detected but not blocked; allow—flood detection alert; deny—flood detection mechanism activated and traffic denied based on configuration; drop—threat detected and associated session was dropped; reset-client—threat detected and a TCP RST is sent to the client; reset-server—threat detected and a TCP RST is sent to the server; reset-both—threat detected and a TCP RST is sent to both the client and the server; block-url—URL request was blocked because it matched a URL category that was set to be blocked; block-ip—threat detected and client IP is blocked; random-drop—flood detected and packet was randomly dropped; sinkhole—DNS sinkhole activated; syncookie-sent—syncookie alert; block-continue (URL subtype only)—an HTTP request is blocked and redirected to a Continue page with a button for confirmation to proceed; continue (URL subtype only)—response to a block-continue URL continue page indicating a block-continue request was allowed to proceed; block-override (URL subtype only)—an HTTP request is blocked and redirected to an Admin override page that requires a pass code from the firewall administrator to continue; override-lockout (URL subtype only)—too many failed admin override pass code attempts from the source IP, which is now blocked from the block-override redirect page; override (URL subtype only)—response to a block-override page where a correct pass code is provided and the request is allowed; block (WildFire only)—file was blocked by the firewall and uploaded to WildFire. |
URL/Filename (misc) | <object> | Text/String | Field with variable length. A filename has a maximum of 63 characters; a URL has a maximum of 1023 characters. Contents by subtype: the actual URI when the subtype is url; file name or file type when the subtype is file; file name when the subtype is virus; file name when the subtype is wildfire-virus; file name when the subtype is wildfire; URL or file name when the subtype is vulnerability, if applicable; URL when Threat Category is domain-edl. |
Threat/Content Name (threatid) | <threatname> <threatid> | Text/String/Number | Palo Alto Networks identifier for the threat. It is a description string followed by a 64-bit numerical identifier in parentheses for some subtypes. |
Category (category) | <subject> | Text/String | For URL Subtype, it is the URL Category; For WildFire subtype, it is the verdict on the file and is either ‘malicious’, ‘phishing’, ‘grayware’, or ‘benign’; For other subtypes, the value is ‘any’. |
Severity (severity) | <severity> | Text/String | Severity associated with the threat; values are informational, low, medium, high, critical. |
Sender (sender) | <sender> | Text/String | Specifies the name of the sender of an email. |
Subject (subject) | <subject> | Text/String | Specifies the subject of an email. |
Recipient (recipient) | <recipient> | Text/String | Specifies the name of the receiver of an email. |
Device Name (device_name) | <objectname> | Text/String | The hostname of the firewall on which the session was logged |
Application Characteristic (characteristic_of_app) | <result> | Text/String | Comma-separated list of applicable characteristics of the application |
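As an added example (not LogRhythm's or Palo Alto Networks' own code), the following Python applies the two tables above to one parsed THREAT record: it rewrites the device keys into the LogRhythm schema fields, splits the user and Threat/Content Name fields the way their descriptions say they are structured, and selects the sub rule with its common event and classification. It assumes the record has already been parsed into device keys (the firewall's raw field order is not given on this page), that a sub rule is chosen by subtype and action with the `data` subtype as the DLP family and any action outside alert/allow/deny/drop falling to the family's catch-all sub rule, and that user fields arrive as `DOMAIN\user`. The sample record is constructed.

```python
import re

# Device key -> LogRhythm schema field(s), transcribed from the mapping table above.
SCHEMA_MAP = {
    "type": ("vmid",), "subtype": ("vendorinfo", "tag1"),
    "src": ("sip",), "dst": ("dip",), "natsrc": ("snatip",), "natdst": ("dnatip",),
    "rule": ("policy",), "srcuser": ("domainorigin", "login"),
    "dstuser": ("domainimpacted", "account"),
    "inbound_if": ("sinterface",), "outbound_if": ("dinterface",),
    "sessionid": ("session",), "repeatcnt": ("quantity",),
    "sport": ("sport",), "dport": ("dport",), "natsport": ("snatport",), "natdport": ("dnatport",),
    "proto": ("protname",), "action": ("action", "tag2"),
    "misc": ("object",), "threatid": ("threatname", "threatid"),
    "category": ("subject",),  # the table sends both category and the email subject to <subject>
    "severity": ("severity",), "sender": ("sender",), "subject": ("subject",),
    "recipient": ("recipient",), "device_name": ("objectname",),
    "characteristic_of_app": ("result",),
}
NUMERIC_KEYS = {"sessionid", "repeatcnt", "sport", "dport", "natsport", "natdport"}

BASE_RULE = ("V 2.0 Data/File/Virus/Spyware Threat Messages", "General Threat Message", "Activity")
# Assumption: sub rule is selected by (subtype, action); "data" is the DLP family and
# None is the catch-all for any other action. Tuples are (sub rule, common event, classification)
# transcribed from the classification table.
SUB_RULES = {
    "spyware": {
        "alert": ("V 2.0 Spyware Alert", "Possible Spyware Activity", "Malware"),
        "allow": ("V 2.0 Spyware Allowed", "Possible Spyware Activity", "Malware"),
        "deny": ("V 2.0 Spyware Denied", "Possible Spyware Activity", "Malware"),
        "drop": ("V 2.0 Spyware Dropped", "Possible Spyware Activity", "Malware"),
        None: ("V 2.0 Spyware Activity", "Failed Spyware Activity", "Failed Malware"),
    },
    "data": {
        "alert": ("V 2.0 DLP Alert", "General Alert Log Message", "Activity"),
        "allow": ("V 2.0 DLP Event Allowed", "Traffic Allowed by DLP", "Network Allow"),
        "deny": ("V 2.0 DLP Event Denied", "Traffic Denied by DLP", "Network Deny"),
        "drop": ("V 2.0 DLP Event Dropped", "Traffic Denied by DLP", "Network Deny"),
        None: ("V 2.0 DLP Event", "Traffic Denied by DLP", "Network Deny"),
    },
    "file": {
        "alert": ("V 2.0 Potentially Threatening File Alert", "Potentially Threatening File Observed", "Activity"),
        "allow": ("V 2.0 Potentially Threatening File Allowed", "Potentially Threatening File Observed", "Activity"),
        "deny": ("V 2.0 Potentially Threatening File Denied", "Failed Suspicious Activity", "Failed Suspicious"),
        "drop": ("V 2.0 Potentially Threatening File Dropped", "Failed Suspicious Activity", "Failed Suspicious"),
        None: ("V 2.0 Potentially Threatening File", "Threat Blocked", "Failed Activity"),
    },
    "virus": {
        "alert": ("V 2.0 Virus Alert", "Possible Virus Activity", "Malware"),
        "allow": ("V 2.0 Virus Allow", "Detected Virus Activity", "Malware"),
        "deny": ("V 2.0 Virus Denied", "Failed Virus Activity", "Failed Malware"),
        "drop": ("V 2.0 Virus Drop", "Failed Virus Activity", "Failed Malware"),
        None: ("V 2.0 Virus Activity", "Threat Blocked", "Failed Activity"),
    },
}

# "description string followed by a 64-bit numerical identifier in parentheses"
_THREAT_RE = re.compile(r"^(.*?)\s*\((\d+)\)$")


def classify(subtype, action):
    """Return (rule name, common event, classification) for a THREAT record."""
    family = SUB_RULES.get(subtype)
    if family is None:
        return BASE_RULE  # e.g. url, flood, ml-virus: only the base rule is stated for these
    return family.get(action, family[None])


def map_to_schema(record):
    """Rewrite a dict of device keys into LogRhythm schema fields."""
    out = {}
    for key, fields in SCHEMA_MAP.items():  # table order, so later rows overwrite <subject>
        value = record.get(key, "")
        if value == "":
            continue
        if key in NUMERIC_KEYS:
            value = int(value)  # schema data type is Number
        if key in ("srcuser", "dstuser"):
            domain, _, login = value.rpartition("\\")  # assumption: DOMAIN\user
            if domain:
                out[fields[0]] = domain
            out[fields[1]] = login
        elif key == "threatid":
            m = _THREAT_RE.match(value)
            if m:
                out["threatname"], out["threatid"] = m.group(1), int(m.group(2))
            else:
                out["threatname"] = value  # subtypes without the numeric identifier
        else:
            for field in fields:
                out[field] = value
    return out


def enrich(record):
    """Schema fields plus the rule, common event and classification that would apply."""
    mapped = map_to_schema(record)
    mapped["rule_name"], mapped["common_event"], mapped["classification"] = classify(
        record.get("subtype"), record.get("action"))
    return mapped


# Constructed sample record (not a real firewall log), chosen to exercise each branch.
SAMPLE = {
    "type": "THREAT", "subtype": "spyware", "src": "10.20.30.40", "dst": "198.51.100.7",
    "rule": "allow-outbound-dns", "srcuser": "CORP\\alice", "inbound_if": "ethernet1/2",
    "outbound_if": "ethernet1/1", "sessionid": "48211", "repeatcnt": "3", "sport": "51234",
    "dport": "53", "proto": "udp", "action": "drop", "misc": "bad-host.example",
    "threatid": "Constructed Spyware Signature(4000000001)", "category": "any",
    "severity": "high", "device_name": "fw-edge-01",
}

if __name__ == "__main__":
    for name, value in enrich(SAMPLE).items():
        print(f"{name:<16} {value}")
```

Two points worth noticing when building a real parser from these tables: Category and Subject both map to `<subject>`, so for email-bearing subtypes one of them is lost unless the parser picks a different destination (here the later table row wins); and the `ml-virus` and `wildfire-virus` subtypes fall to the base rule because the page does not say which sub rule, if any, they belong to.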