V 2.0 Data/File/Virus/Spyware Threat Messages
Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
Log Field | LogRhythm Default | LogRhythm Default v2.0 |
---|---|---|
N/A | N/A | <vmid> |
N/A | <tag1> | <tag1> |
N/A | N/A | <sip> |
N/A | <dip> | <dip> |
N/A | N/A | <snatip> |
N/A | <dname> | <dnatip> |
N/A | N/A | <policy> |
N/A | N/A | <domainorigin> |
N/A | N/A | <login> |
N/A | N/A | <sinterface> |
N/A | N/A | <dinterface> |
N/A | N/A | <session> |
N/A | N/A | <quantity> |
N/A | N/A | <sport> |
N/A | N/A | <dport> |
N/A | N/A | <snatport> |
N/A | N/A | <dnatport> |
N/A | N/A | <protname> |
N/A | N/A | <action> |
N/A | <tag2> | <tag2> |
N/A | N/A | <object> |
N/A | N/A | <threatname> |
N/A | N/A | <threatid> |
N/A | <subject> | <subject> |
N/A | <severity> | <severity> |
N/A | N/A | <sender> |
N/A | N/A | <subject> |
N/A | N/A | <recipient> |
N/A | <version> | N/A |
N/A | N/A | <domainimpacted> |
N/A | N/A | <account> |
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
| Regex ID | Rule Name | Rule Type | Common Events | Classifications |
|---|---|---|---|---|
| 1004489 | Catch All : System Messages | Base Rule | General System Information | Information |
| | All DNS Proxy Cache Entries Were Cleared | Sub Rule | Cache Information | Information |
| | Antivirus Update Job Succeeded | Sub Rule | Process/Service Stopped | Startup and Shutdown |
| | Auto Update Agent Found No New WildFire Updates | Sub Rule | General Automatic Updates Information | Information |
| | EBL Refresh Aborted : No Changes To List | Sub Rule | No Change Detected In Signature File | Information |
| | NTP Restart Synchronization Performed | Sub Rule | System Clock Synchronized | Information |
| | User Information Refreshed | Sub Rule | Updated User Data | Information |
| | WildFire Update Job Succeeded | Sub Rule | Process/Service Stopped | Startup and Shutdown |
| | Communication Error : Fail WildFire Upgrade Check | Sub Rule | Communication Failure | Error |
| | Antivirus Version Does Not Match | Sub Rule | General Antivirus Warning | Warning |
| | Wildfire Auto Update Failed | Sub Rule | Software Update Failed | Error |
| | Antivirus : Upload Deployment Job Failed | Sub Rule | File Upload Failed | Error |
| | Antivirus : Upload Deployment Job Succeeded | Sub Rule | File Uploaded | Information |
| | Content : Upload Deployment Job Failed | Sub Rule | File Upload Failed | Error |
| | Content : Upload Deployment Job Succeeded | Sub Rule | File Uploaded | Information |
| | License : Upload Deployment Job Failed | Sub Rule | File Upload Failed | Error |
| | Antivirus Install Failed | Sub Rule | General Software Installation Error | Error |
| | Antivirus Install Succeeded | Sub Rule | Software Installed | Configuration |
| | License Install Failed | Sub Rule | License Warning | Warning |
| | License Install Succeeded | Sub Rule | License Installed | Information |
| | Succeeded Exporting Config Bundle Via SSH | Sub Rule | Configuration Exporting | Other Audit Success |
| | Traffic And Logging Resumed | Sub Rule | General Traffic Other Alert | Critical |
| | Abnormal System Memory Usage | Sub Rule | Memory Usage Exceeded The Threshold | Warning |
| | Traffic And Logging Are Resumed | Sub Rule | General Traffic Other Alert | Critical |
| | Route Removed | Sub Rule | Static Route Removed | Information |
| | Route Recovered | Sub Rule | Route Created | Information |
LogRhythm Default v2.0
| Regex ID | Rule Name | Rule Type | Common Events | Classifications |
|---|---|---|---|---|
| 1010880 | V 2.0 Data/File/Virus/Spyware Threat Messages | Base Rule | General Threat Message | Activity |
| | V 2.0 Potential Spyware Allowed Messages | Sub Rule | Possible Spyware Activity | Malware |
| | V 2.0 Potential Spyware Allowed | Sub Rule | Possible Spyware Activity | Malware |
| | V 2.0 User Overrode Spyware Block Messages | Sub Rule | Possible Spyware Activity | Malware |
| | V 2.0 User Overrode Spyware Block | Sub Rule | Possible Spyware Activity | Malware |
| | V 2.0 Potentially Threatening File Blocked | Sub Rule | Failed Spyware Activity | Failed Malware |
| | V 2.0 DLP Event Allowed | Sub Rule | Traffic Allowed by DLP | Network Allow |
| | V 2.0 DLP Event Allowed Messages | Sub Rule | Traffic Allowed by DLP | Network Allow |
| | V 2.0 User Overrode DLP Block | Sub Rule | Traffic Allowed by DLP | Network Allow |
| | V 2.0 User Overrode DLP Block Messages | Sub Rule | Traffic Allowed by DLP | Network Allow |
| | V 2.0 DLP Event Denied | Sub Rule | Traffic Denied by DLP | Network Deny |
| | V 2.0 Potentially Threatening File Allowed | Sub Rule | Potentially Threatening File Observed | Activity |
| | V 2.0 Potentially Threatening File Allowed Messages | Sub Rule | Potentially Threatening File Observed | Activity |
| | V 2.0 User Overrode File Block | Sub Rule | Potentially Threatening File Observed | Activity |
| | V 2.0 User Overrode File Block Messages | Sub Rule | Potentially Threatening File Observed | Activity |
| | V 2.0 Potentially Threatening File Blocked | Sub Rule | Potentially Threatening File Observed | Activity |
| | V 2.0 Potentially Malicious Content Allowed | Sub Rule | Detected Malware Activity | Malware |
| | V 2.0 Potentially Malicious Content Alert | Sub Rule | Detected Malware Activity | Malware |
| | V 2.0 Potentially Threatening Malware Blocked | Sub Rule | Failed Malware Activity | Failed Malware |
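The base-rule / sub-rule model described under Log Processing Settings, shown as an added example; this is not code from this page, from LogRhythm, or from the device vendor. One base rule decides that a line is a Data/File/Virus/Spyware threat message and parses the v2.0 metadata tags (<vmid>, <sip>, <sport>, <dip>, <dport>, <protname>, <severity>, <action>, <threatid>, <threatname>, <subject>, <tag1>); sub rules then refine the Common Event and Classification by event type, and a line that matches the base rule but no sub rule keeps the base rule's "General Threat Message" / "Activity". The Regex ID, rule names, Common Events and Classifications come from the v2.0 table above; the key=value log layout, the regexes and the `type=... action=...` trigger conditions are constructed assumptions for this example, not the device's real syslog format or LogRhythm's own rule patterns.

```python
import re

# Base rule (Regex ID and names from the v2.0 table above). The key=value
# layout matched here is CONSTRUCTED for this example; it is not the real
# device format and the regex is not LogRhythm's own.
BASE_RULE = {
    "regex_id": "1010880",
    "name": "V 2.0 Data/File/Virus/Spyware Threat Messages",
    "common_event": "General Threat Message",
    "classification": "Activity",
    "pattern": re.compile(
        r"^THREAT\s+type=(?P<tag1>\S+)\s+action=(?P<action>\S+)\s+"
        r"vmid=(?P<vmid>\S+)\s+"
        r"sip=(?P<sip>\S+)\s+sport=(?P<sport>\d+)\s+"
        r"dip=(?P<dip>\S+)\s+dport=(?P<dport>\d+)\s+"
        r"protname=(?P<protname>\S+)\s+severity=(?P<severity>\S+)\s+"
        r'threatid=(?P<threatid>\S+)\s+threatname="(?P<threatname>[^"]*)"\s+'
        r'msg="(?P<subject>[^"]*)"\s*$'
    ),
}

# Sub rules: (trigger regex run on the raw line, rule name, Common Event,
# Classification). Names / events / classifications are from the v2.0 table;
# the trigger conditions are assumptions tied to the constructed layout.
SUB_RULES = [
    (re.compile(r"type=spyware\s+action=allow\b"),
     "V 2.0 Potential Spyware Allowed", "Possible Spyware Activity", "Malware"),
    (re.compile(r"type=spyware\s+action=override\b"),
     "V 2.0 User Overrode Spyware Block", "Possible Spyware Activity", "Malware"),
    (re.compile(r"type=file\s+action=allow\b"),
     "V 2.0 Potentially Threatening File Allowed", "Potentially Threatening File Observed", "Activity"),
    (re.compile(r"type=file\s+action=override\b"),
     "V 2.0 User Overrode File Block", "Potentially Threatening File Observed", "Activity"),
    (re.compile(r"type=data\s+action=allow\b"),
     "V 2.0 DLP Event Allowed", "Traffic Allowed by DLP", "Network Allow"),
    (re.compile(r"type=data\s+action=deny\b"),
     "V 2.0 DLP Event Denied", "Traffic Denied by DLP", "Network Deny"),
    (re.compile(r"type=virus\s+action=alert\b"),
     "V 2.0 Potentially Malicious Content Alert", "Detected Malware Activity", "Malware"),
    (re.compile(r"type=virus\s+action=block\b"),
     "V 2.0 Potentially Threatening Malware Blocked", "Failed Malware Activity", "Failed Malware"),
]


def process(line):
    """Apply the base rule, then the first matching sub rule.

    Returns None when the line is not a Data/File/Virus/Spyware threat
    message at all (it belongs to some other base rule), otherwise a dict
    with the rule that fired, its Common Event / Classification and the
    parsed metadata tags keyed by LogRhythm tag name.
    """
    m = BASE_RULE["pattern"].match(line)
    if m is None:
        return None
    result = {
        "regex_id": BASE_RULE["regex_id"],
        "rule": BASE_RULE["name"],
        "common_event": BASE_RULE["common_event"],
        "classification": BASE_RULE["classification"],
        "fields": m.groupdict(),
    }
    # Sub rules are tried in order; the first match wins. No match at all
    # leaves the base rule's Common Event / Classification in place.
    for pattern, name, common_event, classification in SUB_RULES:
        if pattern.search(line):
            result.update(rule=name, common_event=common_event,
                          classification=classification)
            break
    return result


# CONSTRUCTED sample lines in the assumed layout (documentation address ranges,
# placeholder threat IDs). The last line is a system message outside this
# message type and must fall through to some other base rule.
SAMPLE_LINES = [
    'THREAT type=spyware action=allow vmid=vsys1 sip=10.0.0.5 sport=51234 '
    'dip=203.0.113.7 dport=443 protname=tcp severity=medium threatid=T-EXAMPLE-1 '
    'threatname="example-spyware-beacon" msg="spyware detected"',
    'THREAT type=data action=deny vmid=vsys1 sip=10.0.0.9 sport=40211 '
    'dip=198.51.100.20 dport=80 protname=tcp severity=high threatid=T-EXAMPLE-2 '
    'threatname="example-dlp-pattern" msg="sensitive data pattern matched"',
    'THREAT type=file action=reset-both vmid=vsys1 sip=10.0.0.12 sport=33801 '
    'dip=192.0.2.44 dport=8080 protname=tcp severity=low threatid=T-EXAMPLE-3 '
    'threatname="example-file-type" msg="file type observed"',
    'SYSTEM msg="ntp restart synchronization performed"',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        r = process(line)
        if r is None:
            print("not this message type:", line)
        else:
            print(f'{r["regex_id"]} {r["rule"]!r} -> {r["common_event"]} / '
                  f'{r["classification"]} sip={r["fields"].get("sip")} '
                  f'dip={r["fields"].get("dip")} threatid={r["fields"].get("threatid")}')
```

The third sample line is the case worth checking when you extend a rule set: it is recognised as a threat message, so the v2.0 tags (<sip>, <dip>, <threatid> and so on) are still parsed, but no sub rule claims it, so it reports the base rule's "General Threat Message" / "Activity" rather than silently taking the wrong Malware or Network classification. Lines for which the base rule returns None are not this message type and should be left for the rest of the policy.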