V 2.0 Scan Threat Messages
Log Fields and Parsing
This section details the log fields available in this log message type, along with the values parsed under both the LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that no value is parsed for that log field under the given policy.
| Log Field | LogRhythm Default | LogRhythm Default v2.0 |
|---|---|---|
| N/A | <vmid> | <vmid> |
| N/A | <tag1> | <tag1> |
| N/A | N/A | <threatname> |
| N/A | N/A | <threatid> |
| N/A | <sip> | <sip> |
| N/A | <dip> | <dip> |
| N/A | <snatip> | <snatip> |
| N/A | <dnatip> | <dnatip> |
| N/A | <policy> | <policy> |
| N/A | <domainorigin> | <domainorigin> |
| N/A | <login> | <login> |
| N/A | <account> | N/A |
| N/A | <process> | N/A |
| N/A | <group> | N/A |
| N/A | <sinterface> | <sinterface> |
| N/A | <dinterface> | <dinterface> |
| N/A | <session> | N/A |
| N/A | <quantity> | N/A |
| N/A | <sport> | N/A |
| N/A | <dport> | N/A |
| N/A | <snatport> | N/A |
| N/A | <dnatport> | N/A |
| N/A | <protname> | <protname> |
| N/A | <action> | <action> |
| N/A | <objectname> | N/A |
| N/A | <domainimpacted> | N/A |
| N/A | <objecttype> | N/A |
| N/A | <processid> | N/A |
| N/A | <tag2> | <tag2> |
| N/A | <severity> | <severity> |
| N/A | <hash> | N/A |
| N/A | <sender> | N/A |
| N/A | <subject> | N/A |
| N/A | <object> | N/A |
| N/A | <tag4> | N/A |
| N/A | <recipient> | N/A |
| N/A | <command> | N/A |
| N/A | <url> | N/A |
| N/A | N/A | <session> |
| N/A | N/A | <quantity> |
| N/A | N/A | <sport> |
| N/A | N/A | <dport> |
| N/A | N/A | <snatport> |
| N/A | N/A | <dnatport> |
Log Processing Settings
This section details the log processing changes made between the LogRhythm Default policy and LogRhythm Default v2.0. In some cases, a base rule is broken down into sub-rules so that log messages are parsed according to their event type. Sub-rules share the Regex ID of the base rule they belong to, so that column is left blank for them in the tables below.
LogRhythm Default
| Regex ID | Rule Name | Rule Type | Common Events | Classifications |
|---|---|---|---|---|
| 1000722 | THREAT Messages | Base Rule | General Attack Activity | Attack |
| | Potentially Threatening URL Allowed | Sub Rule | Web Activity Allowed | Activity |
| | URL Allowed | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| | URL Denied - Flood Detected | Sub Rule | General Attack Activity | Attack |
| | URL Threat Detected - Session Dropped | Sub Rule | General Attack Activity | Attack |
| | URL Threat Detected - Packets Dropped | Sub Rule | General Attack Activity | Attack |
| | URL Threat Detected - Dropped - Reset Sent | Sub Rule | General Attack Activity | Attack |
| | URL Blocked | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| | Potential Virus Content Allowed | Sub Rule | Detected Virus Activity | Malware |
| | Virus Content Allowed | Sub Rule | Detected Virus Activity | Malware |
| | Virus Traffic Denied | Sub Rule | Failed Virus Activity | Failed Malware |
| | Virus Traffic Dropped - Session Dropped | Sub Rule | Failed Virus Activity | Failed Malware |
| | Virus Detected - Packets Dropped | Sub Rule | Failed Virus Activity | Failed Malware |
| | Virus Detected - Dropped - Reset Sent | Sub Rule | Failed Virus Activity | Failed Malware |
| | Malicious URL Blocked | Sub Rule | Failed Malware Activity | Failed Malware |
| | Potential Spyware Content Allowed | Sub Rule | Detected Spyware Activity | Malware |
| | Spyware Content Allowed | Sub Rule | Detected Spyware Activity | Malware |
| | Spyware Traffic Denied | Sub Rule | Failed Spyware Activity | Failed Malware |
| | Spyware Traffic Dropped - Session Dropped | Sub Rule | Failed Spyware Activity | Failed Malware |
| | Spyware Detected - Packets Dropped | Sub Rule | Failed Spyware Activity | Failed Malware |
| | Spyware Detected - Dropped - Reset Sent | Sub Rule | Failed Spyware Activity | Failed Malware |
| | Spyware Blocked | Sub Rule | Failed Spyware Activity | Failed Malware |
| | Potential Vulnerability Exploit Allowed | Sub Rule | Vuln High Severity : General | Vulnerability |
| | Vulnerability Exploit Allowed | Sub Rule | Potential Vulnerability Exploit Allowed | Activity |
| | Vulnerability Exploit Denied | Sub Rule | Failed General Attack Activity | Failed Attack |
| | Vulnerability Exploit Traffic Drop - Session Drop | Sub Rule | Failed General Attack Activity | Failed Attack |
| | Vulnerability Exploit Traffic Drop - Packet Drop | Sub Rule | Failed General Attack Activity | Failed Attack |
| | Vulnerability Exploit Traffic Dropped - Reset Sent | Sub Rule | Failed General Attack Activity | Failed Attack |
| | Vulnerability Exploit Dropped | Sub Rule | Failed General Attack Activity | Failed Attack |
| | Potentially Threatening File Observed - Allowed | Sub Rule | Potentially Threatening File Observed | Activity |
| | Threatening File Allowed | Sub Rule | Unauthorized Program/Process | Misuse |
| | Threatening File Type Denied | Sub Rule | Failed Malware Activity | Failed Malware |
| | Threatening File Dropped - Session Dropped | Sub Rule | Failed Malware Activity | Failed Malware |
| | Threatening File Dropped - Packets Dropped | Sub Rule | Failed Malware Activity | Failed Malware |
| | Threatening File Dropped - Reset Sent | Sub Rule | Failed Malware Activity | Failed Malware |
| | Threatening File Blocked | Sub Rule | Failed Malware Activity | Failed Malware |
| | Scan Detected | Sub Rule | Port Scan | Reconnaissance |
| | DoS Detected | Sub Rule | Host Denial Of Service | Denial Of Service |
| | Data Pattern Filtered | Sub Rule | Data Pattern Filtered | Failed Activity |
| | Threat Allow - Dead-Sites | Sub Rule | Unauthorized Website | Misuse |
| | Threat Allow - Dating | Sub Rule | Social Media Activity | Misuse |
| | Threat Allow - Cult-And-Occult | Sub Rule | Unauthorized Activity | Misuse |
| | Threat Allow - Computer-And-Internet-Security | Sub Rule | Unauthorized Website | Misuse |
| | Threat Allow - Computer-And-Internet-Info | Sub Rule | Unauthorized Website | Misuse |
| | Threat Allow - Business-And-Economy | Sub Rule | Unauthorized Website | Misuse |
| | Threat Allow - Auctions | Sub Rule | Unauthorized Activity | Misuse |
| | Threat Allow - Any | Sub Rule | Unauthorized Website | Misuse |
| | Threat Alert - Web-Hosting | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Web-Based-Email | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Unknown | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Travel | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Training-And-Tools | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Swimsuits-And-Intimate-Apparel | Sub Rule | Failed Adult Content | Failed Misuse |
| | Threat Alert - Streaming-Media | Sub Rule | Failed Streaming Media | Failed Misuse |
| | Threat Alert - Spyware-And-Adware | Sub Rule | Failed Spyware Activity | Failed Malware |
| | Threat Alert - Sports | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Spam-URLs | Sub Rule | Failed Unauthorized E-mail | Failed Misuse |
| | Threat Alert - Society | Sub Rule | Failed Social Media Activity | Failed Misuse |
| | Threat Alert - Shopping | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Shareware-And-Freeware | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Search-Engines | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Religion | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Reference-And-Research | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Real-Estate | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Private-IP-Addresses | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Philosophy-And-Political-Advocacy | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Personal-Sites-And-Blogs | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Pay-To-Surf | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Parked-Domains | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Online-Personal-Storage | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - News-And-Media | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Motor-Vehicles | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Malware-Sites | Sub Rule | Possible Malware Activity | Malware |
| | Threat Alert - Job-Search | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Internet-Portals | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Internet-Communications | Sub Rule | Failed IM/Chat Activity | Failed Misuse |
| | Threat Alert - Individual-Stock-Advice-And-Tools | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Image-And-Video-Search | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Hunting-And-Fishing | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Health-And-Medicine | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Government | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Games | Sub Rule | Failed Game Activity | Failed Misuse |
| | Threat Alert - Financial-Services | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Entertainment-And-Arts | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Educational-Institutions | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Dead-Sites | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Dating | Sub Rule | Failed Social Media Activity | Failed Misuse |
| | Threat Alert - Cult-And-Occult | Sub Rule | Failed Adult Content | Failed Misuse |
| | Threat Alert - Computer-And-Internet-Security | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Computer-And-Internet-Info | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Business-And-Economy | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Auctions | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Any | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Content-Delivery-Networks | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Home And Garden | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Legal | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Local Information | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Online Music | Sub Rule | Failed Streaming Media | Failed Misuse |
| | Threat Alert - Social Networking | Sub Rule | Failed Social Media Activity | Failed Misuse |
| | Threat Alert - Translation | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | Threat Alert - Web Advertisements | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | URL Block-Continue | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| | Threatening File Forwarded | Sub Rule | File Intercepted | Activity |
| | URL Allowed : Continue | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| | Vulnerability Exploit Traffic Dropped - Reset Both | Sub Rule | Failed General Attack Activity | Failed Attack |
| | Wildfire Upload - Skip | Sub Rule | Message Submission | Information |
| | Wildfire Upload - Success | Sub Rule | Message Submission | Information |
| | Brute Force Attack : FTP Login | Sub Rule | Vuln High Severity : Brute Force Attack | Vulnerability |
| | Wildfire-Virus Detected - Reset Both | Sub Rule | Failed Virus Activity | Failed Malware |
| | Wildfire - Potential Virus Content Allowed | Sub Rule | Detected Virus Activity | Malware |
| | Wildfire-Virus Content Allowed | Sub Rule | Detected Virus Activity | Malware |
| | Wildfire-Virus Traffic Denied | Sub Rule | Failed Virus Activity | Failed Malware |
| | Wildfire-Virus Traffic Dropped - Session Dropped | Sub Rule | Failed Virus Activity | Failed Malware |
| | Wildfire-Virus Detected - Packets Dropped | Sub Rule | Failed Virus Activity | Failed Malware |
| | Wildfire-Virus Detected - Dropped - Reset Sent | Sub Rule | Failed Virus Activity | Failed Malware |
| | Wildfire-Malicious URL Blocked | Sub Rule | Failed Malware Activity | Failed Malware |
| | Virus Detected - Dropped - Reset Both | Sub Rule | Failed Virus Activity | Failed Malware |
| | Spyware Detected - Dropped - Reset Both | Sub Rule | Failed Spyware Activity | Failed Malware |
| | Vuln Exploit Traffic Dropped - Reset Server | Sub Rule | Failed General Attack Activity | Failed Attack |
| | Vulnerability Exploit Detected : Low Severity | Sub Rule | Vuln Low Severity : General | Vulnerability |
| | File Detected | Sub Rule | Suspicious File Download | Activity |
| | Vulnerability Exploit Detected : High Severity | Sub Rule | Vuln High Severity : General | Vulnerability |
| | Wildfire : Benign Determination | Sub Rule | Virus Scan Completed - No Viruses Found | Information |
| | Wildfire : Grayware Determination | Sub Rule | Potentially Threatening File Observed | Activity |
| | Wildfire : Malware Determination | Sub Rule | Detected Virus Activity | Malware |
| | Potential Vulnerability Exploit Allowed : Low | Sub Rule | Vuln Low Severity : General | Vulnerability |
| | Potential Vulnerability Exploit Allowed : Info | Sub Rule | Vuln Low Severity : Information Gathering | Vulnerability |
| | Vulnerability Exploit Detected : Medium Severity | Sub Rule | Vuln Medium Severity : General | Vulnerability |
| | Failed Attack : Packet Dropped | Sub Rule | Failed General Attack Activity | Failed Attack |
| | Spyware Detected - Dropped - Reset Server | Sub Rule | Failed Spyware Activity | Failed Malware |
| | Spyware Sinkhole Activity Messages | Sub Rule | Suspicious Network Activity | Suspicious |
LogRhythm Default v2.0
| Regex ID | Rule Name | Rule Type | Common Events | Classifications |
|---|---|---|---|---|
| 1010881 | V 2.0 Scan Threat Messages | Base Rule | General Threat Message | Activity |
| | V 2.0 Port Scan Detected | Sub Rule | Port Scan | Reconnaissance |