V 2.0 : SEP Malware Scan Information

Vendor Documentation

Classification

| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| V 2.0 : SEP Malware Scan Information | Base Rule | Scan Activity | Information |
| V 2.0 : SEP Malware Scan Cancelled | Sub Rule | Scan Cancelled | Warning |
| V 2.0 : SEP Malware Scan Completed | Sub Rule | Virus Scan Completed With No Errors Detected | Information |
| V 2.0 : SEP Malware Scan Started | Sub Rule | Scan Started | Information |

Mapping with LogRhythm Schema

| Device key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Time Stamp | N/A | N/A | Time stamp of the record, if "Export logs to a dump file" is enabled. |
| Scan ID | N/A | N/A | The scan ID provided by the agent. |
| Start date Time | N/A | N/A | The time that the scan started. |
| Stop date Time | N/A | N/A | The time that the scan stopped. |
| Status | <status>, <tag1> | Text/String | Scan status as hard-coded English key: completed = Completed; cancelled = Canceled; started = Started. |
| Duration | <seconds> | Number | The length of the scan, in seconds. |
| User Name 1 | N/A | N/A | User who was logged in when the scan started. |
| User Name 2 | N/A | N/A | User who was logged in when the scan stopped. |
| Message 1 | <subject> | Text/String | Scan message when the scan started. |
| Message 2 | <result> | Text/String | Scan message when the scan ended. |
| Command | <command> | Text/String | Command sent from the SEPM: ScanNow_Full = Do a full scan; ScanNow_Quick = Do an Active Scan; ScanNow_Custom = Do a custom scan; Update_ScanNow_Full = Update content and then do a full scan; Update_ScanNow_Quick = Update content and do an Active Scan; Update_ScanNow_Custom = Update content and do a custom scan; CancelScan = Cancel the scan. |
| # of threats found | N/A | N/A | The number of threats that the scan found. |
| # of infected files | N/A | N/A | The number of infected files that the scan found. |
| # of files scanned | <quantity> | Number | The number of files scanned. |
| # of files omitted | N/A | N/A | The number of files that were omitted. |
| Computer | <dname> | Text/String | Name of the machine on which the scan was run. |
| IP Address | <dip> | IP Address | IP address of the machine on which the scan was run. |
| Domain Name | <domainimpacted> | Text/String | Domain name to which the machine belongs. |
| Client Group Name | N/A | N/A | Client group name in the SEPM. |
| Server Name | N/A | N/A | Name of the server. |
| Scan Type | <objecttype> | Text/String | Scheduled Scan, DefWatch, ScanNow_Quick, ScanNow_Custom, ScanNow_Full, Manual. |
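The following is an added example (not LogRhythm's or Symantec's own code) that walks one scan record through the mapping table above: it keeps only the device keys that have a LogRhythm schema name, types the Number fields, and uses the hard-coded Status key to pick which sub rule would fire. It assumes the record is comma-separated in the same field order as the table, which the page does not state; the sample record is constructed.

```python
import csv

# Device keys in table order; an empty tuple means the page maps the key to N/A
FIELD_ORDER = [
    ("Time Stamp", ()), ("Scan ID", ()), ("Start date Time", ()),
    ("Stop date Time", ()), ("Status", ("status", "tag1")),
    ("Duration", ("seconds",)), ("User Name 1", ()), ("User Name 2", ()),
    ("Message 1", ("subject",)), ("Message 2", ("result",)),
    ("Command", ("command",)), ("# of threats found", ()),
    ("# of infected files", ()), ("# of files scanned", ("quantity",)),
    ("# of files omitted", ()), ("Computer", ("dname",)),
    ("IP Address", ("dip",)), ("Domain Name", ("domainimpacted",)),
    ("Client Group Name", ()), ("Server Name", ()),
    ("Scan Type", ("objecttype",)),
]
NUMERIC = {"seconds", "quantity"}  # the table's "Number" data type
BASE_RULE = "V 2.0 : SEP Malware Scan Information"
# Status keys from the table; both spellings of cancelled are accepted
SUB_RULE_BY_STATUS = {
    "started": "V 2.0 : SEP Malware Scan Started",
    "completed": "V 2.0 : SEP Malware Scan Completed",
    "canceled": "V 2.0 : SEP Malware Scan Cancelled",
    "cancelled": "V 2.0 : SEP Malware Scan Cancelled",
}

def parse_scan_record(line):
    """Return (schema_fields, rule_name) for one comma-separated scan record."""
    values = next(csv.reader([line]))  # csv handles quoted commas in messages
    if len(values) != len(FIELD_ORDER):
        raise ValueError(f"expected {len(FIELD_ORDER)} fields, got {len(values)}")
    schema = {}
    for (_, tags), value in zip(FIELD_ORDER, values):
        for tag in tags:  # N/A keys have no tags and are dropped
            schema[tag] = int(value) if tag in NUMERIC else value.strip()
    # Status selects the sub rule; an unknown status stays on the base rule
    rule = SUB_RULE_BY_STATUS.get(schema["status"].lower(), BASE_RULE)
    return schema, rule

# Constructed sample record (assumed export layout, not a real SEP log)
SAMPLE_RECORD = (
    "2024-01-15 09:00:01,1234,2024-01-15 08:30:00,2024-01-15 09:00:00,"
    "Completed,1800,jdoe,jdoe,Scan started on selected drives and folders.,"
    '"Scan Complete: Risks: 0, Scanned: 54321",ScanNow_Full,0,0,54321,12,'
    "WKS-042,10.0.0.42,CORP,Workstations,SEPM01,ScanNow_Full"
)

if __name__ == "__main__":
    fields, rule = parse_scan_record(SAMPLE_RECORD)
    print(rule)
    for tag, value in fields.items():
        print(f"  <{tag}> = {value!r}")
```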