V 2.0 Scan Threat Messages 1
Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
| Log Field | LogRhythm Default | LogRhythm Default v2.0 |
|---|---|---|
| N/A | <vmid> | <vmid> |
| N/A | <vendorinfo> <tag1> | <vendorinfo> |
| N/A | <sip> | <sip> |
| N/A | <dip> | <dip> |
| N/A | <snatip> | <snatip> |
| N/A | <dnatip> | <dnatip> |
| N/A | <policy> | <policy> |
| N/A | <domainorigin> <login> | <domainorigin> <login> |
| N/A | <account> | <domainimpacted> <account> |
| N/A | <process> | N/A |
| N/A | <group> | N/A |
| N/A | <subject> | N/A |
| N/A | <sinterface> | <sinterface> |
| N/A | <dinterface> | <dinterface> |
| N/A | <session> | <session> |
| N/A | <quantity> | <quantity> |
| N/A | <sport> | <sport> |
| N/A | <dport> | <dport> |
| N/A | <snatport> | <snatport> |
| N/A | <dnatport> | <dnatport> |
| N/A | <protname> | <protname> |
| N/A | <action> <tag4> <command> | <action> |
| N/A | N/A | N/A |
| N/A | <object> <objecttype> | <threatname> |
| N/A | <objectname> <url> <domainimpacted> <domainorigin> | N/A |
| N/A | <action> | N/A |
| N/A | <processid> | <threatid> |
| N/A | <tag2> <process> | N/A |
| N/A | <severity> | <severity> |
| N/A | <hash> | N/A |
| N/A | <sender> | N/A |
| N/A | <subject> | N/A |
| N/A | <recipient> | N/A |
| N/A | N/A | <objectname> |
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
| Regex ID | RuleName | Rule Type | CommonEvents | Classifications |
|---|---|---|---|---|
| 1000722 | THREAT Messages | Base Rule | General Attack Activity | Attack |
| Potentially Threatening URL Allowed | Sub Rule | Web Activity Allowed | Activity | |
| URL Allowed | Sub Rule | Traffic Allowed by Network Firewall | Network Allow | |
| URL Denied - Flood Detected | Sub Rule | General Attack Activity | Attack | |
| URL Threat Detected - Session Dropped | Sub Rule | General Attack Activity | Attack | |
| URL Threat Detected - Packets Dropped | Sub Rule | General Attack Activity | Attack | |
| URL Threat Detected - Dropped - Reset Sent | Sub Rule | General Attack Activity | Attack | |
| URL Blocked | Sub Rule | Traffic Denied by Network Firewall | Network Deny | |
| Potential Virus Content Allowed | Sub Rule | Detected Virus Activity | Malware | |
| Virus Content Allowed | Sub Rule | Detected Virus Activity | Malware | |
| Virus Traffic Denied | Sub Rule | Failed Virus Activity | Failed Malware | |
| Virus Traffic Dropped - Session Dropped | Sub Rule | Failed Virus Activity | Failed Malware | |
| Virus Detected - Packets Dropped | Sub Rule | Failed Virus Activity | Failed Malware | |
| Virus Detected - Dropped - Reset Sent | Sub Rule | Failed Virus Activity | Failed Malware | |
| Malicious URL Blocked | Sub Rule | Failed Malware Activity | Failed Malware | |
| Potential Spyware Content Allowed | Sub Rule | Detected Spyware Activity | Malware | |
| Spyware Content Allowed | Sub Rule | Detected Spyware Activity | Malware | |
| Spyware Traffic Denied | Sub Rule | Failed Spyware Activity | Failed Malware | |
| Spyware Traffic Dropped - Session Dropped | Sub Rule | Failed Spyware Activity | Failed Malware | |
| Spyware Detected - Packets Dropped | Sub Rule | Failed Spyware Activity | Failed Malware | |
| Spyware Detected - Dropped - Reset Sent | Sub Rule | Failed Spyware Activity | Failed Malware | |
| Spyware Blocked | Sub Rule | Failed Spyware Activity | Failed Malware | |
| Potential Vulnerability Exploit Allowed | Sub Rule | Vuln High Severity : General | Vulnerability | |
| Vulnerability Exploit Allowed | Sub Rule | Potential Vulnerability Exploit Allowed | Activity | |
| Vulnerability Exploit Denied | Sub Rule | Failed General Attack Activity | Failed Attack | |
| Vulnerability Exploit Traffic Drop - Session Drop | Sub Rule | Failed General Attack Activity | Failed Attack | |
| Vulnerability Exploit Traffic Drop - Packet Drop | Sub Rule | Failed General Attack Activity | Failed Attack | |
| Vulnerability Exploit Traffic Dropped - Reset Sent | Sub Rule | Failed General Attack Activity | Failed Attack | |
| Vulnerability Exploit Dropped | Sub Rule | Failed General Attack Activity | Failed Attack | |
| Potentially Threatening File Observed - Allowed | Sub Rule | Potentially Threatening File Observed | Activity | |
| Threatening File Allowed | Sub Rule | Unauthorized Program/Process | Misuse | |
| Threatening File Type Denied | Sub Rule | Failed Malware Activity | Failed Malware | |
| Threatening File Dropped - Session Dropped | Sub Rule | Failed Malware Activity | Failed Malware | |
| Threatening File Dropped - Packets Dropped | Sub Rule | Failed Malware Activity | Failed Malware | |
| Threatening File Dropped - Reset Sent | Sub Rule | Failed Malware Activity | Failed Malware | |
| Threatening File Blocked | Sub Rule | Failed Malware Activity | Failed Malware | |
| Scan Detected | Sub Rule | Port Scan | Reconnaissance | |
| DoS Detected | Sub Rule | Host Denial Of Service | Denial Of Service | |
| Data Pattern Filtered | Sub Rule | Data Pattern Filtered | Failed Activity | |
| URL Block-Continue | Sub Rule | Traffic Allowed by Network Firewall | Network Allow | |
| Threatening File Forwarded | Sub Rule | File Intercepted | Activity | |
| URL Allowed : Continue | Sub Rule | Traffic Allowed by Network Firewall | Network Allow | |
| Vulnerability Exploit Traffic Dropped - Reset Both | Sub Rule | Failed General Attack Activity | Failed Attack | |
| Wildfire Upload - Skip | Sub Rule | Message Submission | Information | |
| Wildfire Upload - Success | Sub Rule | Message Submission | Information | |
| Brute Force Attack : FTP Login | Sub Rule | Vuln High Severity : Brute Force Attack | Vulnerability | |
| Wildfire-Virus Detected - Reset Both | Sub Rule | Failed Virus Activity | Failed Malware | |
| Wildfire - Potential Virus Content Allowed | Sub Rule | Detected Virus Activity | Malware | |
| Wildfire-Virus Content Allowed | Sub Rule | Detected Virus Activity | Malware | |
| Wildfire-Virus Traffic Denied | Sub Rule | Failed Virus Activity | Failed Malware | |
| Wildfire-Virus Traffic Dropped - Session Dropped | Sub Rule | Failed Virus Activity | Failed Malware | |
| Wildfire-Virus Detected - Packets Dropped | Sub Rule | Failed Virus Activity | Failed Malware | |
| Wildfire-Virus Detected - Dropped - Reset Sent | Sub Rule | Failed Virus Activity | Failed Malware | |
| Wildfire-Malicious URL Blocked | Sub Rule | Failed Malware Activity | Failed Malware | |
| Virus Detected - Dropped - Reset Both | Sub Rule | Failed Virus Activity | Failed Malware | |
| Spyware Detected - Dropped - Reset Both | Sub Rule | Failed Spyware Activity | Failed Malware | |
| Vuln Exploit Traffic Dropped - Reset Server | Sub Rule | Failed General Attack Activity | Failed Attack | |
| Vulnerability Exploit Detected : Low Severity | Sub Rule | Vuln Low Severity : General | Vulnerability | |
| File Detected | Sub Rule | Suspicious File Download | Activity | |
| Vulnerability Exploit Detected : High Severity | Sub Rule | Vuln High Severity : General | Vulnerability | |
| Wildfire : Benign Determination | Sub Rule | Virus Scan Completed - No Viruses Found | Information | |
| Wildfire : Grayware Determination | Sub Rule | Potentially Threatening File Observed | Activity | |
| Wildfire : Malware Determination | Sub Rule | Detected Virus Activity | Malware | |
| Potential Vulnerability Exploit Allowed : Info | Sub Rule | Vuln Low Severity : Information Gathering | Vulnerability | |
| Vulnerability Exploit Detected : Medium Severity | Sub Rule | Vuln Medium Severity : General | Vulnerability | |
| Failed Attack : Packet Dropped | Sub Rule | Failed General Attack Activity | Failed Attack | |
| Spyware Detected - Dropped - Reset Server | Sub Rule | Failed Spyware Activity | Failed Malware | |
| Spyware Sinkhole Activity Messages | Sub Rule | Suspicious Network Activity | Suspicious |
LogRhythm Default v2.0
| Regex ID | Rule Name | Rule Type | Common Events | Classifications |
|---|---|---|---|---|
| 1010881 | V 2.0 Scan Threat Messages | Base Rule | General Threat Message | Activity |