Vendor Documentation
Classification
| Rule Name | Rule Type | Classification | Common Event |
|---|---|---|---|
| V 2.0 : Spyware/Grayware Event | Base Rule | Malware | Detected Spyware Activity |
| V 2.0 : Spyware/Grayware : Unknown | Sub Rule | Other Security | General Security |
| V 2.0 : Spyware/Grayware : Not Applicable | Sub Rule | Other Security | General Security |
| V 2.0 : Spyware/Grayware : File Cleaned | Sub Rule | Failed Malware | Failed Spyware Activity |
| V 2.0 : Spyware/Grayware : File Deleted | Sub Rule | Failed Malware | Failed Spyware Activity |
| V 2.0 : Spyware/Grayware : File Quarantined | Sub Rule | Activity | Quarantine |
| V 2.0 : Spyware/Grayware : File Renamed | Sub Rule | Malware | Detected Spyware Activity |
| V 2.0 : Spyware/Grayware : File Passed | Sub Rule | Malware | Detected Spyware Activity |
| V 2.0 : Spyware/Grayware : Unable To Clean File, Passed | Sub Rule | Malware | Detected Spyware Activity |
| V 2.0 : Spy/Grayware : Unable To Clean File, Deleted | Sub Rule | Failed Malware | Failed Spyware Activity |
| V 2.0 : Spy/Grayware : Unable To Clean File, Renamed | Sub Rule | Malware | Detected Spyware Activity |
| V 2.0 : Spy/Grayware : Unable To Clean File,Quarantine | Sub Rule | Activity | Quarantine |
| V 2.0 : Spyware/Grayware : File Dropped | Sub Rule | Failed Malware | Failed Spyware Activity |
| V 2.0 : Spy/Grayware : Unable To Clean File, Stripped | Sub Rule | Failed Malware | Failed Spyware Activity |
| V 2.0 : Spyware/Grayware : File Replaced | Sub Rule | Failed Malware | Failed Spyware Activity |
| V 2.0 : Spyware/Grayware : File Archived | Sub Rule | Malware | Detected Spyware Activity |
| V 2.0 : Spyware/Grayware : Blocked Successfully | Sub Rule | Failed Malware | Failed Spyware Activity |
| V 2.0 : Spyware/Grayware : Quarantined Successfully | Sub Rule | Activity | Quarantine |
| V 2.0 : Spyware/Grayware : Stamped Successfully | Sub Rule | Malware | Detected Spyware Activity |
| V 2.0 : Spyware/Grayware : File Uploaded | Sub Rule | Malware | Detected Spyware Activity |
| V 2.0 : Spyware/Grayware : Access Denied | Sub Rule | Malware | Detected Spyware Activity |
| V 2.0 : Spyware/ Grayware : No Action | Sub Rule | Malware | Detected Spyware Activity |
| V 2.0 : Spyware/ Grayware : Scan Stopped | Sub Rule | Information | Scan Stopped |
| V 2.0 : Spyware/ Grayware : Encrypted | Sub Rule | Activity | Encrypted Files Detected |
| V 2.0 : Spyware/ Grayware : Undefined | Sub Rule | Activity | General Activity |
| V 2.0 : Spyware/ Grayware : System Rebooted | Sub Rule | Startup and Shutdown | System Restarted |
| V 2.0 : Spyware/Grayware : Action Failed | Sub Rule | Activity | General Activity |
| V 2.0 : Spyware/Grayware : Action Required | Sub Rule | Activity | General Activity |

Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Header (logVer) | N/A | N/A | CEF format version |
| Header (vendor) | N/A | N/A | Appliance vendor |
| Header (pname) | N/A | N/A | Appliance product |
| Header (pver) | N/A | N/A | Appliance version |
| Header (eventid) | <vmid> | Text/String | Device event class ID |
| Header (eventName) | N/A | N/A | Event name |
| Header (severity) | <severity> | Number | Severity |
| deviceExternalId | N/A | N/A | ID |
| rt | N/A | N/A | Log generation time in UTC |
| cnt | <quantity> | Number | Number of detections |
| dhost | <dname> | Text/String/Number | Endpoint host name |
| cn1Label | N/A | N/A | Corresponding label for the "cn1" field |
| cn1 | N/A | N/A | Pattern type |
| cs1Label | N/A | N/A | Corresponding label for the "cs1" field |
| cs1 | <threatname> | Text/String | Spyware/Grayware |
| cs2Label | N/A | N/A | Corresponding label for the "cs2" field |
| cs2 | <version> | Number | Engine version |
| cs5Label | N/A | N/A | Corresponding label for the "cs5" field |
| cs5 | <action> | Text/String/Number | Action |
| cs6Label | N/A | N/A | Corresponding label for the "cs6" field |
| cs6 | N/A | N/A | Pattern version |
| cat | N/A | N/A | Log type |
| dvchost | N/A | N/A | Endpoint host name |
| fname | <object> | Text/String/Number | Resource |
| filePath | N/A | N/A | Resource |
| dst | <dip> | IP Address | Endpoint IPv4 address |
| c6a3Label | N/A | N/A | Corresponding label for the "c6a3" field |
| c6a3 | N/A | N/A | Endpoint IPv6 address |
| deviceFacility | N/A | N/A | Product |
| deviceNtDomain | N/A | N/A | Active Directory domain |
| dntdom | N/A | N/A | Apex One domain hierarchy |
| TMCMLogDetectedHost | <dname> | Text/String/Number | Endpoint name where the log event occurred |
| TMCMLogDetectedIP | <dip> | IP Address | IP address where the log event occurred |
| fileHash | <hash> | Text/String/Number | File SHA-1 |
| duser | <account> | Text/String/Number | User Name |
| cn2Label | N/A | N/A | Corresponding label for the "cn2" field |
| cn2 | N/A | N/A | Scan type |
| cn3Label | N/A | N/A | Corresponding label for the "cn3" field |
| cn3 | N/A | N/A | Security Threat Type |
| ApexCentralHost | N/A | N/A | Apex Central host name |
| devicePayloadId | N/A | N/A | Unique message GUID |