
V 2.0 : Threat Extraction Events

Vendor Documentation

Classification

| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| V 2.0 : Threat Extraction Events | Base Rule | General Threat Message | Activity |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| virtuallogsource | N/A | N/A | N/A |
| Subproduct | N/A | N/A | Can be VPN or non-VPN |
| Product | <vmid> | Text/String | Product name |
| Originip | N/A | N/A | IP of the log origin |
| origin | N/A | N/A | Name of the first Security Gateway that reported this event |
| Action | <action> | Text/String | Description of detected malware activity |
| SIP | <sip> | IP Address | Source IP |
| SPort | <sport> | Number | Source host port number |
| DIP | <dip> | IP Address | Destination IP |
| dport | <dport> | Number | Destination host port number |
| protocol | <protnum> | Number | Protocol detected on the connection |
| ifname | <sinterface> | Text/String | The name of the Security Gateway interface through which a connection traverses |
| ifdirection | N/A | N/A | Connection direction |
| Reason | <reason> | Text/String | N/A |
| Rule | N/A | N/A | N/A |
| Info | N/A | N/A | N/A |
| XlateSIP | <snatip> | IP Address | N/A |
| XlateSport | <snatport> | Number | N/A |
| XlateDIP | <dnatip> | IP Address | N/A |
| XlateDport | <dnatport> | Number | N/A |
| User | <login> | Text/String | Source user name |
| alert | N/A | N/A | Alert level of matched rule (for connection logs) |
| icmp-code | N/A | N/A | N/A |
| icmp-type | N/A | N/A | N/A |
| matched_category | N/A | N/A | N/A |
| rule_name | N/A | N/A | N/A |
| Url | <url> | Text/String | Matched URL |
| time | N/A | N/A | The time stamp when the log was created |
| Severity | <severity> | Number | Threat severity determined by ThreatCloud. Possible values: 0 - Informational, 1 - Low, 2 - Medium, 3 - High, 4 - Critical |
| to | <recipient> | Text/String | Recipient email address |
| from | <sender> | Text/String | Sender email address |
| Protection_name | <threatname> | Text/String | Specific signature name of the attack |
| SmartDefense_Profile | N/A | N/A | N/A |
| Protection_Type | N/A | N/A | Type of protection used to detect the attack |
| scope_ip | N/A | N/A | N/A |
| Email_Subject | <subject> | Text/String | Original email subject |
| file_md5 | <hash> | Text/String | File MD5 |
| file_name | <object> | Text/String | Malicious file name / Matched file size |
| file_type | <objecttype> | Text/String | Classified file type |
| file_size | <size> | Number | Attachment file size / Matched file size |
| flags | N/A | N/A | Check Point internal field |
| loguid | N/A | N/A | UUID of unified logs |
| originsicname | N/A | N/A | N/A |
| sequencenum | N/A | N/A | Number added to order logs with the same Linux timestamp and origin |
| version | N/A | N/A | N/A |
| __policy_id_tag | N/A | N/A | N/A |
| content_risk | N/A | N/A | N/A |
| file_id | N/A | N/A | N/A |
| file_sha1 | N/A | N/A | File SHA1 |
| log_id | N/A | N/A | Unique identity for logs; includes Type, Family, Product/Blade, Category |
| mail_id | N/A | N/A | N/A |
| malware_rule_id | N/A | N/A | Threat prevention rule ID |
| malware_rule_name | N/A | N/A | Threat prevention rule name |
| original_queue_id | N/A | N/A | N/A |
| policy | <policy> | Text/String | N/A |
| policy_time | N/A | N/A | N/A |
| scrub_activity | N/A | N/A | N/A |
| scrubbed_content | N/A | N/A | N/A |
| log_link | N/A | N/A | N/A |
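To show how the mapping above is applied in practice, here is an added Python example (not LogRhythm's or Check Point's own code) that parses a constructed Threat Extraction log line, renames its keys to the LogRhythm schema fields from the table, coerces each value to the listed data type, labels the severity, and reports keys the table does not map or values that fail their type check. The "key=value; key=value" layout of the input line and all sample values are assumptions.

```python
import ipaddress
import re
# Check Point key -> (LogRhythm field, data type) from the table above; N/A keys are absent.
FIELD_MAP = {
    "Product": ("vmid", "str"), "Action": ("action", "str"), "Reason": ("reason", "str"),
    "SIP": ("sip", "ip"), "SPort": ("sport", "int"), "DIP": ("dip", "ip"), "dport": ("dport", "int"),
    "protocol": ("protnum", "int"), "ifname": ("sinterface", "str"), "XlateSIP": ("snatip", "ip"),
    "XlateSport": ("snatport", "int"), "XlateDIP": ("dnatip", "ip"), "XlateDport": ("dnatport", "int"),
    "User": ("login", "str"), "Url": ("url", "str"), "Severity": ("severity", "int"),
    "to": ("recipient", "str"), "from": ("sender", "str"), "Protection_name": ("threatname", "str"),
    "Email_Subject": ("subject", "str"), "file_md5": ("hash", "str"), "file_name": ("object", "str"),
    "file_type": ("objecttype", "str"), "file_size": ("size", "int"), "policy": ("policy", "str"),
}
SEVERITY_LABELS = {0: "Informational", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}
# Assumed wire layout: "key=value; key=value", values optionally double-quoted.
_KV_RE = re.compile(r'([\w-]+)=(?:"([^"]*)"|([^;]*))')

def parse_checkpoint_kv(line):
    """Split a key=value log line into a dict of raw string values."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3).strip()
            for m in _KV_RE.finditer(line)}

def _coerce(value, kind):
    if kind == "int":
        return int(value)
    if kind == "ip":
        return str(ipaddress.ip_address(value))  # ValueError on a non-address
    return value

def normalize(line):
    """Return typed schema fields plus unmapped keys and type failures, so nothing is silently dropped."""
    fields, unmapped, invalid = {}, [], {}
    for key, raw in parse_checkpoint_kv(line).items():
        if key not in FIELD_MAP:
            unmapped.append(key)
            continue
        name, kind = FIELD_MAP[key]
        try:
            fields[name] = _coerce(raw, kind)
        except ValueError:
            invalid[key] = raw
    if "severity" in fields:
        fields["severity_label"] = SEVERITY_LABELS.get(fields["severity"], "Unknown")
    return {"fields": fields, "unmapped": unmapped, "invalid": invalid}

# Constructed sample line, not a real capture; XlateDIP is deliberately malformed.
SAMPLE = ('time=1700000000; Product="Threat Extraction"; SIP=203.0.113.10; SPort=51234; DIP=198.51.100.25; '
          'dport=25; protocol=6; Severity=3; from=sender@example.org; to=user@example.com; '
          'Email_Subject="Invoice attached"; file_name=invoice.docx; file_size=20480; XlateDIP=not-an-ip')
```

Keys reported as unmapped (here only the N/A key time) and values rejected by their data type (the malformed XlateDIP) are returned alongside the mapped fields so a parser regression shows up in the output instead of as a missing field.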