| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| V 2.0 : SEP Malware Scan Information | Base Rule | Scan Activity | Information |
| V 2.0 : SEP Malware Scan Cancelled | Sub Rule | Scan Cancelled | Warning |
| V 2.0 : SEP Malware Scan Completed | Sub Rule | Virus Scan Completed With No Errors Detected | Information |
| V 2.0 : SEP Malware Scan Started | Sub Rule | | |
Mapping with LogRhythm Schema
| Device key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Time Stamp | N/A | N/A | Time stamp of the record, if "Export logs to a dump file" is enabled. |
| Scan ID | N/A | N/A | The scan ID provided by the agent. |
| Start date Time | N/A | N/A | The time that the scan started. |
| Stop date Time | N/A | N/A | The time that the scan stopped. |
| | | Text/String | Scan status as hard-coded English key: completed = Completed; cancelled = Canceled; started = Started |
| Duration | <seconds> | Number | The length of the scan, in seconds. |
| User Name 1 | N/A | N/A | User who was logged in when the scan started. |
| User Name 2 | N/A | N/A | User who was logged in when the scan stopped. |
| Message 1 | <subject> | Text/String | Scan message when the scan started. |
| Message 2 | <result> | Text/String | Scan message when the scan ended. |
| Command | <command> | Text/String | Command sent from the SEPM: ScanNow_Full = Do a full scan; ScanNow_Quick = Do an Active Scan; ScanNow_Custom = Do a custom scan; Update_ScanNow_Full = Update content and then do a full scan; Update_ScanNow_Quick = Update content and do an Active Scan; Update_ScanNow_Custom = Update content and do a custom scan; CancelScan = Cancel the scan. |
| # of threats found | N/A | N/A | The number of threats that the scan found. |
| # of infected files | N/A | N/A | The number of files that the scan found to be infected. |
| # of files scanned | <quantity> | Number | The number of files scanned. |
| # of files omitted | N/A | N/A | The number of files that were omitted. |
| Computer | <dname> | Text/String | Name of the machine on which the scan was run. |
| IP Address | <dip> | IP Address | IP address of the machine on which the scan was run. |
| Domain Name | <domainimpacted> | Text/String | Domain name to which the machine belongs. |
| Client Group Name | N/A | N/A | Client group name in the SEPM. |
| Server Name | N/A | N/A | Name of the server. |
| Scan Type | <objecttype> | Text/String | Scheduled Scan, DefWatch, ScanNow_Quick, ScanNow_Custom, ScanNow_Full, Manual. |
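The following is an added example, not LogRhythm's or Symantec's own code, showing how the two tables above combine: one SEP scan record is mapped onto the LogRhythm schema fields the table names, the hard-coded status key selects the sub rule and classification, and a cancelled scan or a non-zero threat count is flagged for review. It assumes a tab-separated record with fields in the order of the mapping table, uses "Status" as the device key for the row whose key is missing above, and the sample record is constructed.

```python
import ipaddress

# Assumed layout (the page lists the device keys but not the wire format): one tab-separated
# record per scan, fields in table order; "Status" is the assumed key for the status row.
DEVICE_KEYS = [
    "Time Stamp", "Scan ID", "Start date Time", "Stop date Time", "Status", "Duration",
    "User Name 1", "User Name 2", "Message 1", "Message 2", "Command",
    "# of threats found", "# of infected files", "# of files scanned", "# of files omitted",
    "Computer", "IP Address", "Domain Name", "Client Group Name", "Server Name", "Scan Type",
]
# Device key -> LogRhythm schema field, only for the keys the table maps (the rest are N/A).
SCHEMA = {
    "Duration": "seconds", "Message 1": "subject", "Message 2": "result",
    "Command": "command", "# of files scanned": "quantity", "Computer": "dname",
    "IP Address": "dip", "Domain Name": "domainimpacted", "Scan Type": "objecttype",
}
STATUS_KEYS = {"completed": "Completed", "cancelled": "Canceled", "started": "Started"}
# Normalized status -> (sub rule, classification) from the rule table at the top of the page.
SUB_RULES = {
    "Canceled": ("V 2.0 : SEP Malware Scan Cancelled", "Warning"),
    "Completed": ("V 2.0 : SEP Malware Scan Completed", "Information"),
    "Started": ("V 2.0 : SEP Malware Scan Started", None),  # classification not given
}

def _convert(field, value):
    if field in ("seconds", "quantity"):
        return int(value)                        # Duration and file count are Numbers
    if field == "dip":
        return str(ipaddress.ip_address(value))  # reject a malformed IP instead of storing it
    return value

def parse_scan_record(line):
    """Map one SEP scan record onto LogRhythm schema fields and select the sub rule."""
    values = line.rstrip("\n").split("\t")
    if len(values) != len(DEVICE_KEYS):
        raise ValueError(f"expected {len(DEVICE_KEYS)} fields, got {len(values)}")
    raw = dict(zip(DEVICE_KEYS, values))
    status = STATUS_KEYS.get(raw["Status"].strip().lower())
    if status is None:
        raise ValueError(f"unknown scan status {raw['Status']!r}")
    rule, classification = SUB_RULES[status]
    fields = {field: _convert(field, raw[key]) for key, field in SCHEMA.items()}
    # Threat count has no schema field but drives triage: cancelled scans and hits need review.
    threats = int(raw["# of threats found"])
    return {"rule": rule, "classification": classification, "fields": fields,
            "needs_review": status == "Canceled" or threats > 0}

# Constructed sample record (not real SEP output).
COMPLETED = "\t".join([
    "2024-01-15 10:05:33", "42", "2024-01-15 10:00:01", "2024-01-15 10:05:33", "completed",
    "332", "jdoe", "jdoe", "Scan started on selected drives.", "Scan Complete: Risks: 0",
    "ScanNow_Quick", "0", "0", "18342", "0", "WS-0417", "10.20.30.41", "CORP",
    "Workstations", "sepm01", "ScanNow_Quick",
])
CANCELLED = COMPLETED.replace("\tcompleted\t", "\tcancelled\t")
```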