V 2.0 : SEP General Suspicious Activity Detected

Log Fields and Parsing

This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.

| Log Field | LogRhythm Default | LogRhythm Default v2.0 |
| --- | --- | --- |
| N/A | <severity> | N/A |
| N/A | <dip> | <dip> |
| N/A | <dname> | <dname> |
| N/A | <account> | <account> |
| N/A | <domainorigin> | <domainorigin> |
| N/A | <process> | <process> |
| N/A | <object> | <object> |
| N/A | <subject> | <subject> |
| N/A | <threatname> | <threatname> |
| N/A | <hash> | <hash> |
| N/A | <url> | <url> |
| N/A | <action> | <action> |
| N/A | <quantity> | <quantity> |
| N/A | N/A | <size> |
| N/A | <tag1> | <tag1> |
| N/A | <tag2> | <tag2> |
| N/A | <vmid> | N/A |
| N/A | N/A | <sip> |
| N/A | N/A | <protname> |
| N/A | N/A | <session> |
| N/A | N/A | <parentprocesspath> |
| N/A | N/A | <objectname> |
| N/A | N/A | <objecttype> |
| N/A | N/A | <version> |
| N/A | N/A | <group> |
| N/A | N/A | <command> |
| N/A | N/A | <result> |
| N/A | N/A | <reason> |
| N/A | N/A | <status> |
| N/A | N/A | <sender> |
| N/A | N/A | <bytesin> |
| N/A | N/A | <bytesout> |

Log Processing Settings

This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.

LogRhythm Default

All rules below share Regex ID 1010649; the base rule and its sub-rules are listed in order.

| Regex ID | Rule Name | Rule Type | Common Events | Classifications |
| --- | --- | --- | --- | --- |
| 1010649 | General Malware Activity | Base Rule | Possible Malware Activity | Malware |
| 1010649 | SONAR Detection: Quarantined | Sub Rule | Quarantined Message | Failed Activity |
| 1010649 | Virus Found | Sub Rule | Detected Virus Activity | Malware |
| 1010649 | Potential Risk Ignored | Sub Rule | Suspicious Activity | Suspicious |
| 1010649 | Virus Deleted | Sub Rule | Failed Virus Activity | Failed Malware |
| 1010649 | Security Risk Deleted | Sub Rule | Failed Virus Activity | Failed Malware |
| 1010649 | Virus Quarantined | Sub Rule | Failed Virus Activity | Failed Malware |
| 1010649 | Compressed File Quarantined | Sub Rule | Failed Virus Activity | Failed Malware |
| 1010649 | Access Denied Due To Security Risk | Sub Rule | Failed Virus Activity | Failed Malware |
| 1010649 | Virus Found : Deleted | Sub Rule | Failed Virus Activity | Failed Malware |
| 1010649 | Virus Found: Process Terminated | Sub Rule | Failed Malware Activity | Failed Malware |
| 1010649 | Failed Virus Activity | Sub Rule | Failed Malware Activity | Failed Malware |
| 1010649 | SONAR Detection : Now Permitted : Left Alone | Sub Rule | Virus Scan Activity | Activity |
| 1010649 | SONAR Detection : Now Permitted : Left Alone | Sub Rule | Virus Scan Activity | Activity |

LogRhythm Default v2.0

All rules below share Regex ID 1011170; the base rule and its sub-rules are listed in order.

| Regex ID | Rule Name | Rule Type | Common Events | Classifications |
| --- | --- | --- | --- | --- |
| 1011170 | V 2.0 : SEP General Suspicious Activity Detected | Base Rule | Suspicious Activity | Suspicious |
| 1011170 | V 2.0 : SEP Suspicious Activity : Allowed By User | Sub Rule | General Security | Other Security |
| 1011170 | V 2.0 : SEP Susp. Activity : All Actions Failed | Sub Rule | General Antivirus Error | Error |
| 1011170 | V 2.0 : SEP Suspicious Activity : Quarantined | Sub Rule | Quarantined Message | Failed Activity |
| 1011170 | V 2.0 : SEP Suspicious Activity : Access Denied | Sub Rule | Access Denied | Warning |
| 1011170 | V 2.0 : SEP Malware Found : Partially Repaired | Sub Rule | Detected Malware Activity | Malware |
| 1011170 | V 2.0 : SEP Malware Found : Details Pending | Sub Rule | Detected Malware Activity | Malware |
| 1011170 | V 2.0 : SEP Malware Found : No Action Taken | Sub Rule | Detected Malware Activity | Malware |
| 1011170 | V 2.0 : SEP Suspicious Activity | Sub Rule | Suspicious Activity | Suspicious |
| 1011170 | V 2.0 : SEP Suspicious Activity : Details Pending | Sub Rule | Suspicious Activity | Suspicious |
| 1011170 | V 2.0 : SEP Suspicious Activity : No Action Taken | Sub Rule | Suspicious Activity | Suspicious |
| 1011170 | V 2.0 : SEP Malware Found : Quarantined | Sub Rule | Failed Malware Activity | Failed Malware |
| 1011170 | V 2.0 : SEP Threat Found : Deleted | Sub Rule | Threat Deleted | Failed Activity |