V 2.0 Scan Threat Messages 1
Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
Log Field | LogRhythm Default | LogRhythm Default v2.0 |
|---|---|---|
Type (type) | <vmid> | <vmid> |
Threat/Content Type (subtype) | <vendorinfo> | <vendorinfo> |
Source address (src) | <sip> | <sip> |
Destination address (dst) | <dip> | <dip> |
NAT Source IP (natsrc) | <snatip> | <snatip> |
NAT Destination IP (natdst) | <dnatip> | <dnatip> |
Rule Name (rule) | <policy> | <policy> |
Source User (srcuser) | <domainorigin> | <domainorigin> |
Destination User (dstuser) | <account> | <domainimpacted> |
N/A | <process> | N/A |
N/A | <group> | N/A |
Inbound Interface (inbound_if) | <sinterface> | <sinterface> |
Outbound Interface (outbound_if) | <dinterface> | <dinterface> |
Session ID (sessionid) | <session> | <session> |
Repeat Count (repeatcnt) | <quantity> | <quantity> |
Source Port (sport) | <sport> | <sport> |
Destination Port (dport) | <dport> | <dport> |
NAT Source Port (natsport) | <snatport> | <snatport> |
NAT Destination Port (natdport) | <dnatport> | <dnatport> |
IP Protocol (proto) | <protname> | <protname> |
Action (action) | <action> | <action> |
Threat/Content Name (threatid) | <object> | <threatname> |
N/A | <objectname> | N/A |
N/A | <action> | N/A |
Threat/Content Name (threatid) | <processid> | <threatid> |
Category (category) | <tag2> | N/A |
Severity (severity) | <severity> | <severity> |
N/A | <hash> | N/A |
Sender (sender) | <sender> | N/A |
Subject (subject) | <subject> | N/A |
Recipient (recipient) | <recipient> | N/A |
Device Name (device_name) | N/A | <objectname> |
Application Characteristic (characteristic_of_app)** | N/A | <group> |
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
Regex ID | RuleName | Rule Type | CommonEvents | Classifications |
|---|---|---|---|---|
1000722 | THREAT Messages | Base Rule | General Attack Activity | Attack |
Potentially Threatening URL Allowed | Sub Rule | Web Activity Allowed | Activity | |
URL Allowed | Sub Rule | Traffic Allowed by Network Firewall | Network Allow | |
URL Denied - Flood Detected | Sub Rule | General Attack Activity | Attack | |
URL Threat Detected - Session Dropped | Sub Rule | General Attack Activity | Attack | |
URL Threat Detected - Packets Dropped | Sub Rule | General Attack Activity | Attack | |
URL Threat Detected - Dropped - Reset Sent | Sub Rule | General Attack Activity | Attack | |
URL Blocked | Sub Rule | Traffic Denied by Network Firewall | Network Deny | |
Potential Virus Content Allowed | Sub Rule | Detected Virus Activity | Malware | |
Virus Content Allowed | Sub Rule | Detected Virus Activity | Malware | |
Virus Traffic Denied | Sub Rule | Failed Virus Activity | Failed Malware | |
Virus Traffic Dropped - Session Dropped | Sub Rule | Failed Virus Activity | Failed Malware | |
Virus Detected - Packets Dropped | Sub Rule | Failed Virus Activity | Failed Malware | |
Virus Detected - Dropped - Reset Sent | Sub Rule | Failed Virus Activity | Failed Malware | |
Malicious URL Blocked | Sub Rule | Failed Malware Activity | Failed Malware | |
Potential Spyware Content Allowed | Sub Rule | Detected Spyware Activity | Malware | |
Spyware Content Allowed | Sub Rule | Detected Spyware Activity | Malware | |
Spyware Traffic Denied | Sub Rule | Failed Spyware Activity | Failed Malware | |
Spyware Traffic Dropped - Session Dropped | Sub Rule | Failed Spyware Activity | Failed Malware | |
Spyware Detected - Packets Dropped | Sub Rule | Failed Spyware Activity | Failed Malware | |
Spyware Detected - Dropped - Reset Sent | Sub Rule | Failed Spyware Activity | Failed Malware | |
Spyware Blocked | Sub Rule | Failed Spyware Activity | Failed Malware | |
Potential Vulnerability Exploit Allowed | Sub Rule | Vuln High Severity : General | Vulnerability | |
Vulnerability Exploit Allowed | Sub Rule | Potential Vulnerability Exploit Allowed | Activity | |
Vulnerability Exploit Denied | Sub Rule | Failed General Attack Activity | Failed Attack | |
Vulnerability Exploit Traffic Drop - Session Drop | Sub Rule | Failed General Attack Activity | Failed Attack | |
Vulnerability Exploit Traffic Drop - Packet Drop | Sub Rule | Failed General Attack Activity | Failed Attack | |
Vulnerability Exploit Traffic Dropped - Reset Sent | Sub Rule | Failed General Attack Activity | Failed Attack | |
Vulnerability Exploit Dropped | Sub Rule | Failed General Attack Activity | Failed Attack | |
Potentially Threatening File Observed - Allowed | Sub Rule | Potentially Threatening File Observed | Activity | |
Threatening File Allowed | Sub Rule | Unauthorized Program/Process | Misuse | |
Threatening File Type Denied | Sub Rule | Failed Malware Activity | Failed Malware | |
Threatening File Dropped - Session Dropped | Sub Rule | Failed Malware Activity | Failed Malware | |
Threatening File Dropped - Packets Dropped | Sub Rule | Failed Malware Activity | Failed Malware | |
Threatening File Dropped - Reset Sent | Sub Rule | Failed Malware Activity | Failed Malware | |
Threatening File Blocked | Sub Rule | Failed Malware Activity | Failed Malware | |
Scan Detected | Sub Rule | Port Scan | Reconnaissance | |
DoS Detected | Sub Rule | Host Denial Of Service | Denial Of Service | |
Data Pattern Filtered | Sub Rule | Data Pattern Filtered | Failed Activity | |
URL Block-Continue | Sub Rule | Traffic Allowed by Network Firewall | Network Allow | |
Threatening File Forwarded | Sub Rule | File Intercepted | Activity | |
URL Allowed : Continue | Sub Rule | Traffic Allowed by Network Firewall | Network Allow | |
Vulnerability Exploit Traffic Dropped - Reset Both | Sub Rule | Failed General Attack Activity | Failed Attack | |
Wildfire Upload - Skip | Sub Rule | Message Submission | Information | |
Wildfire Upload - Success | Sub Rule | Message Submission | Information | |
Brute Force Attack : FTP Login | Sub Rule | Vuln High Severity : Brute Force Attack | Vulnerability | |
Wildfire-Virus Detected - Reset Both | Sub Rule | Failed Virus Activity | Failed Malware | |
Wildfire - Potential Virus Content Allowed | Sub Rule | Detected Virus Activity | Malware | |
Wildfire-Virus Content Allowed | Sub Rule | Detected Virus Activity | Malware | |
Wildfire-Virus Traffic Denied | Sub Rule | Failed Virus Activity | Failed Malware | |
Wildfire-Virus Traffic Dropped - Session Dropped | Sub Rule | Failed Virus Activity | Failed Malware | |
Wildfire-Virus Detected - Packets Dropped | Sub Rule | Failed Virus Activity | Failed Malware | |
Wildfire-Virus Detected - Dropped - Reset Sent | Sub Rule | Failed Virus Activity | Failed Malware | |
Wildfire-Malicious URL Blocked | Sub Rule | Failed Malware Activity | Failed Malware | |
Virus Detected - Dropped - Reset Both | Sub Rule | Failed Virus Activity | Failed Malware | |
Spyware Detected - Dropped - Reset Both | Sub Rule | Failed Spyware Activity | Failed Malware | |
Vuln Exploit Traffic Dropped - Reset Server | Sub Rule | Failed General Attack Activity | Failed Attack | |
Vulnerability Exploit Detected : Low Severity | Sub Rule | Vuln Low Severity : General | Vulnerability | |
File Detected | Sub Rule | Suspicious File Download | Activity | |
Vulnerability Exploit Detected : High Severity | Sub Rule | Vuln High Severity : General | Vulnerability | |
Wildfire : Benign Determination | Sub Rule | Virus Scan Completed - No Viruses Found | Information | |
Wildfire : Grayware Determination | Sub Rule | Potentially Threatening File Observed | Activity | |
Wildfire : Malware Determination | Sub Rule | Detected Virus Activity | Malware | |
Potential Vulnerability Exploit Allowed : Info | Sub Rule | Vuln Low Severity : Information Gathering | Vulnerability | |
Vulnerability Exploit Detected : Medium Severity | Sub Rule | Vuln Medium Severity : General | Vulnerability | |
Failed Attack : Packet Dropped | Sub Rule | Failed General Attack Activity | Failed Attack | |
Spyware Detected - Dropped - Reset Server | Sub Rule | Failed Spyware Activity | Failed Malware | |
Spyware Sinkhole Activity Messages | Sub Rule | Suspicious Network Activity | Suspicious |
LogRhythm Default v2.0
Regex ID | Rule Name | Rule Type | Common Events | Classifications |
|---|---|---|---|---|
1010881 | V 2.0 Scan Threat Messages | Base Rule | General Threat Message | Activity |