V 2.0 URL Threat Messages
Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
Log Field | LogRhythm Default | LogRhythm Default v2.0 |
|---|---|---|
Type (type) | <vmid> | <vmid> |
Threat/Content Type (subtype) | <vendorinfo> | <vendorinfo> |
Source address (src) | <sip> | <sip> |
Destination address (dst) | <dip> | <dip> |
NAT Source IP (natsrc) | <snatip> | <snatip> |
NAT Destination IP (natdst) | <dnatip> | <dnatip> |
Rule Name (rule) | <policy> | <policy> |
Source User (srcuser) | <domainorigin> | <domainorigin> |
Destination User (dstuser) | <account> | <domainimpacted> |
N/A | <process> | N/A |
N/A | <group> | N/A |
Inbound Interface (inbound_if) | <sinterface> | <sinterface> |
Outbound Interface (outbound_if) | <dinterface> | <dinterface> |
Session ID (sessionid) | <session> | <session> |
Repeat Count (repeatcnt) | <quantity> | <quantity> |
Source Port (sport) | <sport> | <sport> |
Destination Port (dport) | <dport> | <dport> |
NAT Source Port (natsport) | <snatport> | <snatport> |
NAT Destination Port (natdport) | <dnatport> | <dnatport> |
Flags (flags) | N/A | <sessiontype> |
IP Protocol (proto) | <protname> | <protname> |
Action (action) | <action> | <action> |
URL/Filename (misc) | N/A | <url> |
Threat/Content Name (threatid) | <object> | N/A |
N/A | <objectname> | N/A |
N/A | <action> | N/A |
Threat/Content Name (threatid) | <processid> | N/A |
Category (category) | <tag2> | <subject> |
Severity (severity) | <severity> | <severity> |
N/A | <hash> | N/A |
User Agent (user_agent) | N/A | <useragent> |
Sender (sender) | <sender> | N/A |
Subject (subject) | <subject> | N/A |
Recipient (recipient) | <recipient> | N/A |
Device Name (device_name) | N/A | <objectname> |
Application Characteristic (characteristic_of_app)** | N/A | <group> |
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
Regex ID | Rule Name | Rule Type | Common Events | Classifications |
|---|---|---|---|---|
1000722 | THREAT Messages | Base Rule | General Attack Activity | Attack |
Potentially Threatening URL Allowed | Sub Rule | Web Activity Allowed | Activity | |
URL Allowed | Sub Rule | Traffic Allowed by Network Firewall | Network Allow | |
URL Denied - Flood Detected | Sub Rule | General Attack Activity | Attack | |
URL Threat Detected - Session Dropped | Sub Rule | General Attack Activity | Attack | |
URL Threat Detected - Packets Dropped | Sub Rule | General Attack Activity | Attack | |
URL Threat Detected - Dropped - Reset Sent | Sub Rule | General Attack Activity | Attack | |
URL Blocked | Sub Rule | Traffic Denied by Network Firewall | Network Deny | |
Potential Virus Content Allowed | Sub Rule | Detected Virus Activity | Malware | |
Virus Content Allowed | Sub Rule | Detected Virus Activity | Malware | |
Virus Traffic Denied | Sub Rule | Failed Virus Activity | Failed Malware | |
Virus Traffic Dropped - Session Dropped | Sub Rule | Failed Virus Activity | Failed Malware | |
Virus Detected - Packets Dropped | Sub Rule | Failed Virus Activity | Failed Malware | |
Virus Detected - Dropped - Reset Sent | Sub Rule | Failed Virus Activity | Failed Malware | |
Malicious URL Blocked | Sub Rule | Failed Malware Activity | Failed Malware | |
Potential Spyware Content Allowed | Sub Rule | Detected Spyware Activity | Malware | |
Spyware Content Allowed | Sub Rule | Detected Spyware Activity | Malware | |
Spyware Traffic Denied | Sub Rule | Failed Spyware Activity | Failed Malware | |
Spyware Traffic Dropped - Session Dropped | Sub Rule | Failed Spyware Activity | Failed Malware | |
Spyware Detected - Packets Dropped | Sub Rule | Failed Spyware Activity | Failed Malware | |
Spyware Detected - Dropped - Reset Sent | Sub Rule | Failed Spyware Activity | Failed Malware | |
Spyware Blocked | Sub Rule | Failed Spyware Activity | Failed Malware | |
Potential Vulnerability Exploit Allowed | Sub Rule | Vuln High Severity : General | Vulnerability | |
Vulnerability Exploit Allowed | Sub Rule | Potential Vulnerability Exploit Allowed | Activity | |
Vulnerability Exploit Denied | Sub Rule | Failed General Attack Activity | Failed Attack | |
Vulnerability Exploit Traffic Drop - Session Drop | Sub Rule | Failed General Attack Activity | Failed Attack | |
Vulnerability Exploit Traffic Drop - Packet Drop | Sub Rule | Failed General Attack Activity | Failed Attack | |
Vulnerability Exploit Traffic Dropped - Reset Sent | Sub Rule | Failed General Attack Activity | Failed Attack | |
Vulnerability Exploit Dropped | Sub Rule | Failed General Attack Activity | Failed Attack | |
Potentially Threatening File Observed - Allowed | Sub Rule | Potentially Threatening File Observed | Activity | |
Threatening File Allowed | Sub Rule | Unauthorized Program/Process | Misuse | |
Threatening File Type Denied | Sub Rule | Failed Malware Activity | Failed Malware | |
Threatening File Dropped - Session Dropped | Sub Rule | Failed Malware Activity | Failed Malware | |
Threatening File Dropped - Packets Dropped | Sub Rule | Failed Malware Activity | Failed Malware | |
Threatening File Dropped - Reset Sent | Sub Rule | Failed Malware Activity | Failed Malware | |
Threatening File Blocked | Sub Rule | Failed Malware Activity | Failed Malware | |
Scan Detected | Sub Rule | Port Scan | Reconnaissance | |
DoS Detected | Sub Rule | Host Denial Of Service | Denial Of Service | |
Data Pattern Filtered | Sub Rule | Data Pattern Filtered | Failed Activity | |
Threat Allow - Dead-Sites | Sub Rule | Unauthorized Website | Misuse | |
Threat Allow - Dating | Sub Rule | Social Media Activity | Misuse | |
Threat Allow - Cult-And-Occult | Sub Rule | Unauthorized Activity | Misuse | |
Threat Allow - Computer-And-Internet-Security | Sub Rule | Unauthorized Website | Misuse | |
Threat Allow - Computer-And-Internet-Info | Sub Rule | Unauthorized Website | Misuse | |
Threat Allow - Business-And-Economy | Sub Rule | Unauthorized Website | Misuse | |
Threat Allow - Auctions | Sub Rule | Unauthorized Activity | Misuse | |
Threat Allow - Any | Sub Rule | Unauthorized Website | Misuse | |
Threat Alert - Web-Hosting | Sub Rule | Failed Unauthorized Activity | Failed Misuse | |
Threat Alert - Web-Based-Email | Sub Rule | Failed Unauthorized Activity | Failed Misuse | |
Threat Alert - Unknown | Sub Rule | Failed Unauthorized Activity | Failed Misuse | |
Threat Alert - Travel | Sub Rule | Failed Unauthorized Activity | Failed Misuse | |
Threat Alert - Training-And-Tools | Sub Rule | Failed Unauthorized Activity | Failed Misuse | |
Threat Alert - Swimsuits-And-Intimate-Apparel | Sub Rule | Failed Adult Content | Failed Misuse | |
Threat Alert - Streaming-Media | Sub Rule | Failed Streaming Media | Failed Misuse | |
Threat Alert - Spyware-And-Adware | Sub Rule | Failed Spyware Activity | Failed Malware | |
Threat Alert - Sports | Sub Rule | Failed Unauthorized Activity | Failed Misuse | |
Threat Alert - Spam-URLs | Sub Rule | Failed Unauthorized E-mail | Failed Misuse | |
Threat Alert - Society | Sub Rule | Failed Social Media Activity | Failed Misuse | |
Threat Alert - Shopping | Sub Rule | Failed Unauthorized Activity | Failed Misuse | |
Threat Alert - Shareware-And-Freeware | Sub Rule | Failed Unauthorized Activity | Failed Misuse | |
Threat Alert - Search-Engines | Sub Rule | Failed Unauthorized Activity | Failed Misuse | |
Threat Alert - Religion | Sub Rule | Failed Unauthorized Activity | Failed Misuse | |
Threat Alert - Reference-And-Research | Sub Rule | Failed Unauthorized Activity | Failed Misuse | |
Threat Alert - Real-Estate | Sub Rule | Failed Unauthorized Activity | Failed Misuse | |
Threat Alert - Private-IP-Addresses | Sub Rule | Failed Unauthorized Activity | Failed Misuse | |
Threat Alert - Philosophy-And-Political-Advocacy | Sub Rule | Failed Unauthorized Activity | Failed Misuse | |
Threat Alert - Personal-Sites-And-Blogs | Sub Rule | Failed Unauthorized Activity | Failed Misuse | |
Threat Alert - Pay-To-Surf | Sub Rule | Failed Unauthorized Activity | Failed Misuse | |
Threat Alert - Parked-Domains | Sub Rule | Failed Unauthorized Activity | Failed Misuse | |
Threat Alert - Online-Personal-Storage | Sub Rule | Failed Unauthorized Activity | Failed Misuse | |
Threat Alert - News-And-Media | Sub Rule | Failed Unauthorized Activity | Failed Misuse | |
Threat Alert - Motor-Vehicles | Sub Rule | Failed Unauthorized Activity | Failed Misuse | |
Threat Alert - Malware-Sites | Sub Rule | Possible Malware Activity | Malware | |
Threat Alert - Job-Search | Sub Rule | Failed Unauthorized Activity | Failed Misuse | |
Threat Alert - Internet-Portals | Sub Rule | Failed Unauthorized Activity | Failed Misuse | |
Threat Alert - Internet-Communications | Sub Rule | Failed IM/Chat Activity | Failed Misuse | |
Threat Alert - Individual-Stock-Advice-And-Tools | Sub Rule | Failed Unauthorized Activity | Failed Misuse | |
Threat Alert - Image-And-Video-Search | Sub Rule | Failed Unauthorized Activity | Failed Misuse | |
Threat Alert - Hunting-And-Fishing | Sub Rule | Failed Unauthorized Activity | Failed Misuse | |
Threat Alert - Health-And-Medicine | Sub Rule | Failed Unauthorized Activity | Failed Misuse | |
Threat Alert - Government | Sub Rule | Failed Unauthorized Activity | Failed Misuse | |
Threat Alert - Games | Sub Rule | Failed Game Activity | Failed Misuse | |
Threat Alert - Financial-Services | Sub Rule | Failed Unauthorized Activity | Failed Misuse | |
Threat Alert - Entertainment-And-Arts | Sub Rule | Failed Unauthorized Activity | Failed Misuse | |
Threat Alert - Educational-Institutions | Sub Rule | Failed Unauthorized Activity | Failed Misuse | |
Threat Alert - Dead-Sites | Sub Rule | Failed Unauthorized Activity | Failed Misuse | |
Threat Alert - Dating | Sub Rule | Failed Social Media Activity | Failed Misuse | |
Threat Alert - Cult-And-Occult | Sub Rule | Failed Adult Content | Failed Misuse | |
Threat Alert - Computer-And-Internet-Security | Sub Rule | Failed Unauthorized Activity | Failed Misuse | |
Threat Alert - Computer-And-Internet-Info | Sub Rule | Failed Unauthorized Activity | Failed Misuse | |
Threat Alert - Business-And-Economy | Sub Rule | Failed Unauthorized Activity | Failed Misuse | |
Threat Alert - Auctions | Sub Rule | Failed Unauthorized Activity | Failed Misuse | |
Threat Alert - Any | Sub Rule | Failed Unauthorized Activity | Failed Misuse | |
Threat Alert - Content-Delivery-Networks | Sub Rule | Failed Unauthorized Activity | Failed Misuse | |
Threat Alert - Home And Garden | Sub Rule | Failed Unauthorized Activity | Failed Misuse | |
Threat Alert - Legal | Sub Rule | Failed Unauthorized Activity | Failed Misuse | |
Threat Alert - Local Information | Sub Rule | Failed Unauthorized Activity | Failed Misuse | |
Threat Alert - Online Music | Sub Rule | Failed Streaming Media | Failed Misuse | |
Threat Alert - Social Networking | Sub Rule | Failed Social Media Activity | Failed Misuse | |
Threat Alert - Translation | Sub Rule | Failed Unauthorized Activity | Failed Misuse | |
Threat Alert - Web Advertisements | Sub Rule | Failed Unauthorized Activity | Failed Misuse | |
URL Block-Continue | Sub Rule | Traffic Allowed by Network Firewall | Network Allow | |
Threatening File Forwarded | Sub Rule | File Intercepted | Activity | |
URL Allowed : Continue | Sub Rule | Traffic Allowed by Network Firewall | Network Allow | |
Vulnerability Exploit Traffic Dropped - Reset Both | Sub Rule | Failed General Attack Activity | Failed Attack | |
Wildfire Upload - Skip | Sub Rule | Message Submission | Information | |
Wildfire Upload - Success | Sub Rule | Message Submission | Information | |
Brute Force Attack : FTP Login | Sub Rule | Vuln High Severity : Brute Force Attack | Vulnerability | |
Wildfire-Virus Detected - Reset Both | Sub Rule | Failed Virus Activity | Failed Malware | |
Wildfire - Potential Virus Content Allowed | Sub Rule | Detected Virus Activity | Malware | |
Wildfire-Virus Content Allowed | Sub Rule | Detected Virus Activity | Malware | |
Wildfire-Virus Traffic Denied | Sub Rule | Failed Virus Activity | Failed Malware | |
Wildfire-Virus Traffic Dropped - Session Dropped | Sub Rule | Failed Virus Activity | Failed Malware | |
Wildfire-Virus Detected - Packets Dropped | Sub Rule | Failed Virus Activity | Failed Malware | |
Wildfire-Virus Detected - Dropped - Reset Sent | Sub Rule | Failed Virus Activity | Failed Malware | |
Wildfire-Malicious URL Blocked | Sub Rule | Failed Malware Activity | Failed Malware | |
Virus Detected - Dropped - Reset Both | Sub Rule | Failed Virus Activity | Failed Malware | |
Spyware Detected - Dropped - Reset Both | Sub Rule | Failed Spyware Activity | Failed Malware | |
Vuln Exploit Traffic Dropped - Reset Server | Sub Rule | Failed General Attack Activity | Failed Attack | |
Vulnerability Exploit Detected : Low Severity | Sub Rule | Vuln Low Severity : General | Vulnerability | |
File Detected | Sub Rule | Suspicious File Download | Activity | |
Vulnerability Exploit Detected : High Severity | Sub Rule | Vuln High Severity : General | Vulnerability | |
Wildfire : Benign Determination | Sub Rule | Virus Scan Completed - No Viruses Found | Information | |
Wildfire : Grayware Determination | Sub Rule | Potentially Threatening File Observed | Activity | |
Wildfire : Malware Determination | Sub Rule | Detected Virus Activity | Malware | |
Potential Vulnerability Exploit Allowed : Low | Sub Rule | Vuln Low Severity : General | Vulnerability | |
Potential Vulnerability Exploit Allowed : Info | Sub Rule | Vuln Low Severity : Information Gathering | Vulnerability | |
Vulnerability Exploit Detected : Medium Severity | Sub Rule | Vuln Medium Severity : General | Vulnerability | |
Failed Attack : Packet Dropped | Sub Rule | Failed General Attack Activity | Failed Attack | |
Spyware Detected - Dropped - Reset Server | Sub Rule | Failed Spyware Activity | Failed Malware | |
Spyware Sinkhole Activity Messages | Sub Rule | Suspicious Network Activity | Suspicious |
LogRhythm Default v2.0
Regex ID | Rule Name | Rule Type | Common Events | Classifications |
|---|---|---|---|---|
1010875 | V 2.0 URL Threat Messages | Base Rule | General Threat Message | Activity |
V 2.0 Potentially Malicious URL Allowed | Sub Rule | Traffic Allowed by Proxy | Network Allow | |
V 2.0 User Continue URL Block | Sub Rule | Traffic Allowed by Proxy | Network Allow | |
V 2.0 User Override URL Block | Sub Rule | Traffic Allowed by Proxy | Network Allow | |
V 2.0 URL Request Blocked | Sub Rule | Traffic Denied by Proxy | Network Deny |