V 2.0 : SEP Malware Scan Information
Vendor Documentation
Classification
| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| V 2.0 : SEP Malware Scan Information | Base Rule | Scan Activity | Information |
| V 2.0 : SEP Malware Scan Cancelled | Sub Rule | Scan Cancelled | Warning |
| V 2.0 : SEP Malware Scan Completed | Sub Rule | Virus Scan Completed With No Errors Detected | Information |
| V 2.0 : SEP Malware Scan Started | Sub Rule | Scan Started | Information |
Mapping with LogRhythm Schema
| Device key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Time Stamp | N/A | N/A | Time stamp of the record, if "Export logs to a dump file" is enabled. |
| Scan ID | N/A | N/A | The scan ID provided by the agent. |
| Start date Time | N/A | N/A | The time that the scan started. |
| Stop date Time | N/A | N/A | The time that the scan stopped. |
| Status | <status> <tag1> | Text/String | Scan status as a hard-coded English key: completed = Completed; cancelled = Canceled; started = Started. |
| Duration | <seconds> | Number | The length of the scan, in seconds. |
| User Name 1 | N/A | N/A | User who was logged in when the scan started. |
| User Name 2 | N/A | N/A | User who was logged in when the scan stopped. |
| Message 1 | <subject> | Text/String | Scan message when the scan started. |
| Message 2 | <result> | Text/String | Scan message when the scan ended. |
| Command | <command> | Text/String | Command sent from the SEPM: ScanNow_Full = do a full scan; ScanNow_Quick = do an Active Scan; ScanNow_Custom = do a custom scan; Update_ScanNow_Full = update content and then do a full scan; Update_ScanNow_Quick = update content and do an Active Scan; Update_ScanNow_Custom = update content and do a custom scan; CancelScan = cancel the scan. |
| # of threats found | N/A | N/A | The number of threats that the scan found. |
| # of infected files | N/A | N/A | The number of infected files that the scan found. |
| # of files scanned | <quantity> | Number | The number of files scanned. |
| # of files omitted | N/A | N/A | The number of files that were omitted. |
| Computer | <dname> | Text/String | Name of the machine on which the scan was run. |
| IP Address | <dip> | IP Address | IP address of the machine on which the scan was run. |
| Domain Name | <domainimpacted> | Text/String | Domain name to which the machine belongs. |
| Client Group Name | N/A | N/A | Client group name in the SEPM. |
| Server Name | N/A | N/A | Name of the server. |
| Scan Type | <objecttype> | Text/String | Scheduled Scan, DefWatch, ScanNow_Quick, ScanNow_Custom, ScanNow_Full, Manual. |