V 2.0 : SEP SONAR General Susp. Activity Detected
Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
Log Field | LogRhythm Default | LogRhythm Default v2.0 |
---|---|---|
N/A | <severity> | <severity> |
N/A | <dip> | <dip> |
N/A | <dname> | <dname> |
N/A | <account> | <account> |
N/A | <domainorigin> | <domainorigin> |
N/A | <process> | <process> |
N/A | <object> | <object> |
N/A | <subject> | <subject> |
N/A | <threatname> | <threatname> |
N/A | <hash> | <hash> |
N/A | <url> | <url> |
N/A | <action> | <action> |
N/A | <quantity> | <quantity> |
N/A | N/A | <size> |
N/A | <tag1> | <tag1> |
N/A | <tag2> | <tag2> |
N/A | <vmid> | N/A |
N/A | <sip> | N/A |
N/A | <protname> | N/A |
N/A | <session> | N/A |
N/A | <parentprocesspath> | N/A |
N/A | <objectname> | N/A |
N/A | <objecttype> | N/A |
N/A | <version> | N/A |
N/A | <group> | N/A |
N/A | <command> | N/A |
N/A | <result> | N/A |
N/A | <reason> | N/A |
N/A | <status> | N/A |
N/A | <sender> | N/A |
N/A | <bytesin> | N/A |
N/A | <bytesout> | N/A |
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
Regex ID | Rule Name | Rule Type | Common Events | Classifications |
---|---|---|---|---|
1001590 | Malware Detection Messages | Base Rule | Possible Malware Activity | Malware |
 | Virus Deleted | Sub Rule | Failed Virus Activity | Failed Malware |
 | Security Risk Deleted | Sub Rule | Failed Virus Activity | Failed Malware |
 | Virus Quarantined | Sub Rule | Failed Virus Activity | Failed Malware |
 | Potential Risk Ignored | Sub Rule | Suspicious Activity | Suspicious |
 | Application Ignored | Sub Rule | Suspicious Activity | Suspicious |
 | Virus Found | Sub Rule | Detected Virus Activity | Malware |
 | Security Risk Quarantined | Sub Rule | Failed Virus Activity | Failed Malware |
 | Security Risk : Partially Repaired | Sub Rule | General Attack Activity | Attack |
 | Forced SONAR Threat Detected : Left Alone | Sub Rule | Possible Malware Activity | Malware |
 | Security Risk Found | Sub Rule | Suspicious Activity | Suspicious |
 | Virus Found | Sub Rule | Detected Virus Activity | Malware |
 | SONAR Detection : Now Permitted | Sub Rule | Virus Scan Activity | Activity |
 | Virus Found : Deleted | Sub Rule | Failed Virus Activity | Failed Malware |
 | Virus Found : Left Alone | Sub Rule | Detected Virus Activity | Malware |
 | Virus Found : Cleaned | Sub Rule | Failed Virus Activity | Failed Malware |
 | Virus Found : Partially Repaired | Sub Rule | Possible Malware Activity | Malware |
 | Suspicious Application Detected | Sub Rule | Suspicious Activity | Suspicious |
 | Quarantined | Sub Rule | Quarantine | Activity |
 | SONAR Detection : Now Permitted : Quarantined | Sub Rule | Virus Scan Activity | Activity |
 | SONAR Detection : Now Permitted : Left Alone | Sub Rule | Virus Scan Activity | Activity |
 | SONAR Detection : Now Permitted : Deleted | Sub Rule | Virus Scan Activity | Activity |
 | SONAR Detection : Now Permitted : Moved Back | Sub Rule | Virus Scan Activity | Activity |
LogRhythm Default v2.0
Regex ID | Rule Name | Rule Type | Common Events | Classifications |
---|---|---|---|---|
1011171 | V 2.0 : SEP SONAR General Susp. Activity Detected | Base Rule | Suspicious Activity | Suspicious |
 | V 2.0 : SEP SONAR Susp. Activity : Allowed By User | Sub Rule | General Security | Other Security |
 | V 2.0 : SEP SONAR Susp. Actvty : All Actions Fail | Sub Rule | General Antivirus Error | Error |
 | V 2.0 : SEP SONAR Suspicious Actvty : Quarantined | Sub Rule | Quarantined Message | Failed Activity |
 | V 2.0 : SEP SONAR Susp. Activity : Access Denied | Sub Rule | Access Denied | Warning |
 | V 2.0 : SEP SONAR Malware Found : Partially Repair | Sub Rule | Detected Malware Activity | Malware |
 | V 2.0 : SEP SONAR Malware Found : Details Pending | Sub Rule | Detected Malware Activity | Malware |
 | V 2.0 : SEP SONAR Malware Found : No Action Taken | Sub Rule | Detected Malware Activity | Malware |
 | V 2.0 : SEP SONAR Suspicious Activity | Sub Rule | Suspicious Activity | Suspicious |
 | V 2.0 : SEP SONAR Susp. Activity : Details Pending | Sub Rule | Suspicious Activity | Suspicious |
 | V 2.0 : SEP SONAR Susp. Activity : No Action Taken | Sub Rule | Suspicious Activity | Suspicious |
 | V 2.0 : SEP SONAR Malware Found : Quarantined | Sub Rule | Failed Malware Activity | Failed Malware |
 | V 2.0 : SEP SONAR Threat Found : Deleted | Sub Rule | Threat Deleted | Failed Activity |