Skip to main content
Skip table of contents

V 2.0 : New Anti-Virus Events

Vendor Documentation


Rule NameRule TypeCommon EventClassification
V 2.0 : New Anti-Virus EventsBase RuleDetected Virus ActivityMalware

Mapping with LogRhythm Schema

Device Key in Log MessageLogRhythm SchemaData TypeSchema Description
product<vmid>Text/StringProduct name
OriginipN/AN/AIP of the log origin 
originN/AN/AName of the first Security Gateway that reported this event
SIP<sip>IP AddressSource IP
SPort<sport>NumberSource host port number
DIP<dip>IP AddressDestination IP
protocol<protnum>NumberProtocol detected on the connection
src_machine_name<sname>Text/StringMachine name connected to source IP
dst_machine_name<dname>Text/StringMachine name connected to destination IP 
ifname<sinterface>Text/StringThe name of the Security Gateway interface through which a connection traverses
proxy_src_ip<snatip>IP AddressSender source IP (even when using proxy)
userN/AN/ASource user name
src_user_name<login>Text/StringUser name connected to source IP
dst_user_name<account>Text/StringConnected user name on the destination IP
source_osN/AN/AOS which generated the attack
confidence_levelN/AN/AConfidence level determined by ThreatCloud
Possible values:
0 - N/A
1 - Low
2 - Medium-Low
3 - Medium
4 - Medium-High
5 - High
severity<severity>NumberThreat severity determined by ThreatCloud
Possible values:
0 - Informational
1 - Low
2 - Medium
3 - High
4 - Critical
to<recipient>Text/StringSource mail recipient
from<sender>Text/StringSource mail address
sent_bytes<bytesin>NumberNumber of bytes sent during the connection
received_bytes<bytesout>NumberNumber of bytes received during connection
web_client_type<useragent>Text/StringWeb client detected in the HTTP request (e.g., Chrome)
Dst_DNS_Host<domainimpacted>Text/StringMalicious DNS request domain 
session_idN/AN/ALog UID
malware_action<vendorinfo>Text/StringDescription of detected malware activity
protection_name<threatname>Text/StringSpecific signature name of the attack
malware_familyN/AN/AAdditional information on protection
rule_nameN/AN/AAccess rule name
reason<reason>Text/StringInformation on the error occurred
file_type<objecttype>Text/StringClassified file type
file_name<object>Text/StringMalicious file name
scan_result<result>Text/String"Infected"/description of a failure 
timeN/AN/AThe time stamp when the log was created
protection_typeN/AN/AType of protection used to detect the attack
rule_uidN/AN/AAccess policy rule ID on which the connection was matched
informationN/AN/APolicy installation status for a specific blade (used only for Anti-Bot and Anti-Virus)
loguidN/AN/AUUID of unified logs 
sequencenumN/AN/ANumber added to order logs with the same Linux timestamp and origin
dst_countryN/AN/ADestination country
log_idN/AN/AUnique identity for logs includes: Type, Family, Product/Blade, or Category
malware_rule_idN/AN/AThreat prevention rule ID 
malware_rule_nameN/AN/AThreat prevention rule name
origin_sic_nameN/AN/AMachine SIC 
protection_id<threatid>Text/StringProtection malware ID
vendor_listN/AN/AThe vendor name that provided the verdict for a malicious URL
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.