V 2.0 : SEP Malware Scan Information
Vendor Documentation
Classification
| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| V 2.0 : SEP Malware Scan Information | Base Rule | Scan Activity | Information |
| V 2.0 : SEP Malware Scan Cancelled | Sub Rule | Scan Cancelled | Warning |
| V 2.0 : SEP Malware Scan Completed | Sub Rule | Virus Scan Completed With No Errors Detected | Information |
| V 2.0 : SEP Malware Scan Started | Sub Rule | Scan Started | Information |
Mapping with LogRhythm Schema
| Device key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Time Stamp | N/A | N/A | Time stamp of the record, if "Export logs to a dump file" is enabled. |
| Scan ID | N/A | N/A | The scan ID provided by the agent. |
| Start date Time | N/A | N/A | The time that the scan started. |
| Stop date Time | N/A | N/A | The time that the scan stopped. |
| Status | <status> <tag1> | Text/String | Scan status, normalized to a hard-coded English key: completed = Completed; cancelled = Canceled; started = Started. |
| Duration | <seconds> | Number | The length of the scan, in seconds. |
| User Name 1 | N/A | N/A | User who was logged in when scan started. |
| User Name 2 | N/A | N/A | User who was logged in when scan stopped. |
| Message 1 | <subject> | Text/String | Scan message when scan started. |
| Message 2 | <result> | Text/String | Scan message when scan ended. |
| Command | <command> | Text/String | Command sent from the SEPM: ScanNow_Full = Do a full scan; ScanNow_Quick = Do an Active Scan; ScanNow_Custom = Do a custom scan; Update_ScanNow_Full = Update content and then do a full scan; Update_ScanNow_Quick = Update content and do an Active Scan; Update_ScanNow_Custom = Update content and do a custom scan; CancelScan = Cancel the scan. |
| # of threats found | N/A | N/A | The number of threats that the scan found. |
| # of infected files | N/A | N/A | The number of files that the scan found that were infected. |
| # of files scanned | <quantity> | Number | The number of files scanned. |
| # of files omitted | N/A | N/A | The number of files that were omitted. |
| Computer | <dname> | Text/String | Name of the machine on which the scan was run. |
| IP Address | <dip> | IP Address | IP address of the machine on which the scan was run. |
| Domain Name | <domainimpacted> | Text/String | Domain name to which the machine belongs. |
| Client Group Name | N/A | N/A | Client group name in the SEPM. |
| Server Name | N/A | N/A | Name of the server. |
| Scan Type | <objecttype> | Text/String | Scheduled Scan, DefWatch, ScanNow_Quick, ScanNow_Custom, ScanNow_Full, Manual. |
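The mapping above, worked as an added example (not LogRhythm's or Symantec's code): it parses one scan record into the schema fields this rule populates, normalizes the Status value to the hard-coded key, and picks the matching sub rule. It assumes the record is comma-separated with fields in the order the table lists them; the sample line is constructed, not a real SEP export.

```python
import csv
import io

# Assumed field order: the order in which the mapping table lists the device keys.
FIELDS = [
    "time_stamp", "scan_id", "start", "stop", "status", "duration", "user1",
    "user2", "message1", "message2", "command", "threats", "infected",
    "scanned", "omitted", "computer", "ip", "domain", "group", "server",
    "scan_type",
]

# Status normalization from the table: device value -> hard-coded English key.
STATUS_KEY = {"completed": "Completed", "cancelled": "Canceled", "started": "Started"}

# Sub rule selected by the normalized status.
SUB_RULE = {
    "Completed": "V 2.0 : SEP Malware Scan Completed",
    "Canceled": "V 2.0 : SEP Malware Scan Cancelled",
    "Started": "V 2.0 : SEP Malware Scan Started",
}

# Commands the SEPM can send, as listed in the table; anything else stays unmapped.
COMMANDS = {
    "ScanNow_Full", "ScanNow_Quick", "ScanNow_Custom", "Update_ScanNow_Full",
    "Update_ScanNow_Quick", "Update_ScanNow_Custom", "CancelScan",
}


def parse_sep_scan(line: str) -> dict:
    """Map one comma-separated scan record onto the LogRhythm schema fields."""
    parts = next(csv.reader(io.StringIO(line)))  # csv handles quoted commas in messages
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, (p.strip() for p in parts)))
    status = STATUS_KEY.get(rec["status"].lower())
    if status is None:
        raise ValueError(f"unknown scan status {rec['status']!r}")
    return {
        "rule": SUB_RULE[status],
        "status": status, "tag1": status,
        "seconds": int(rec["duration"]),
        "subject": rec["message1"], "result": rec["message2"],
        "command": rec["command"] if rec["command"] in COMMANDS else None,
        "quantity": int(rec["scanned"]),
        "dname": rec["computer"], "dip": rec["ip"],
        "domainimpacted": rec["domain"], "objecttype": rec["scan_type"],
    }


# Constructed sample record (not a real SEP export line).
SAMPLE = ("2024-03-01 10:15:00,1709288100,2024-03-01 10:00:00,2024-03-01 10:15:00,"
          "completed,900,SYSTEM,SYSTEM,Scan started on selected drives and folders,"
          "\"Scan Completed: Risks: 0, Scanned: 48213\",ScanNow_Full,0,0,48213,12,"
          "WS-0042,10.20.30.40,CORP,My Company\\Workstations,SEPM01,ScanNow_Full")
```

Note that "# of threats found" and "# of infected files" are N/A in this rule, so a detection that needs those counts cannot key on this rule's schema fields.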