Skip to main content
Skip table of contents

V 2.0 URL Threat Messages 1

Vendor Documentation

Classification

Rule Name

Rule Type

Common Event

Classification

V 2.0 URL Threat MessagesBase Rule

General Threat Message

Activity

V 2.0 Potentially Malicious URL Allowed

Sub RuleTraffic Allowed by ProxyNetwork Allow
V 2.0 User Continue URL BlockSub RuleTraffic Allowed by ProxyNetwork Allow
V 2.0 User Override URL BlockSub RuleTraffic Allowed by ProxyNetwork Allow
V 2.0 Malicious URL BlockedSub RuleTraffic Denied by ProxyNetwork Deny

Mapping with LogRhythm Schema  

Device Key in Log MessageLogRhythm SchemaData TypeSchema Description
Type (type)<vmid>Text/StringSpecifies the type of log; value is THREAT.
Threat/Content Type (subtype)<vendorinfo>Text/StringSubtype of threat log. Values include the following:
data—Data pattern matching a Data Filtering profile.
file—File type matching a File Blocking profile.
flood—Flood detected via a Zone Protection profile.
packet—Packet-based attack protection triggered by a Zone Protection profile.
scan—Scan detected via a Zone Protection profile.
spyware —Spyware detected via an Anti-Spyware profile.
url—URL filtering log.
ml-virus—Virus detected by WildFire Inline ML via an Antivirus profile.
virus—Virus detected via an Antivirus profile.
vulnerability —Vulnerability exploit detected via a Vulnerability Protection profile.
wildfire —A WildFire verdict generated when the firewall submits a file to WildFire per a WildFire Analysis profile and a verdict (malware, phishing, grayware, or benign, depending on what you are logging) is logged in the WildFire Submissions log.
wildfire-virus—Virus detected via an Antivirus profile.
Source address (src)<sip>IP AddressOriginal session source IP address
Destination address (dst)<dip>IP AddressOriginal session destination IP address
NAT Source IP (natsrc)<snatip>IP AddressIf Source NAT performed, the post-NAT Source IP address
NAT Destination IP (natdst)<dnatip>IP AddressIf Destination NAT performed, the post-NAT Destination IP address
Rule Name (rule)<policy>Text/StringName of the rule that the session matched
Source User (srcuser)<domainorigin>
<login>
Text/StringUsername of the user who initiated the session
Destination User (dstuser)<domainimpacted>
<account>
Text/StringUsername of the user to which the session was destined
Inbound Interface (inbound_if)<sinterface>Text/StringInterface that the session was sourced from
Outbound Interface (outbound_if)<dinterface>Text/StringInterface that the session was destined to
Session ID (sessionid)<session>NumberAn internal numerical identifier applied to each session
Repeat Count (repeatcnt)<quantity>NumberNumber of sessions with same Source IP, Destination IP, Application, and Subtype seen within 5 seconds
Source Port (sport)<sport>NumberSource port utilized by the session
Destination Port (dport)<dport>NumberDestination port utilized by the session
NAT Source Port (natsport)<snatport>NumberPost-NAT source port
NAT Destination Port (natdport)<dnatport>NumberPost-NAT destination port
Flags (flags)<sessiontype>Text/String32-bit field that provides details on session
IP Protocol (proto)<protname>Text/StringIP protocol associated with the session
Action (action)<action>
<tag1>
Text/StringAction taken for the session; values are alert, allow, deny, drop, drop-all-packets, reset-client, reset-server, reset-both, block-url.
alert—threat or URL detected but not blocked
allow— flood detection alert
deny—flood detection mechanism activated and deny traffic based on configuration
drop— threat detected and associated session was dropped
reset-client —threat detected and a TCP RST is sent to the client
reset-server —threat detected and a TCP RST is sent to the server
reset-both —threat detected and a TCP RST is sent to both the client and the server
block-url —URL request was blocked because it matched a URL category that was set to be blocked
block-ip—threat detected and client IP is blocked
random-drop—flood detected and packet was randomly dropped
sinkhole—DNS sinkhole activated
syncookie-sent—syncookie alert
block-continue (URL subtype only)—a HTTP request is blocked and redirected to a Continue page with a button for confirmation to proceed
continue (URL subtype only)—response to a block-continue URL continue page indicating a block-continue request was allowed to proceed
block-override (URL subtype only)—a HTTP request is blocked and redirected to an Admin override page that requires a pass code from the firewall administrator to continue
override-lockout (URL subtype only)—too many failed admin override pass code attempts from the source IP. IP is now blocked from the block-override redirect page
override (URL subtype only)—response to a block-override page where a correct pass code is provided and the request is allowed
block (Wildfire only)—file was blocked by the firewall and uploaded to Wildfire
URL/Filename (misc)<url>
<domainimpacted>
Text/StringField with variable length. A Filename has a maximum of 63 characters. A URL has a maximum of 1023 characters
The actual URI when the subtype is url
File name or file type when the subtype is file
File name when the subtype is virus
File name when the subtype is wildfire-virus
File name when the subtype is wildfire
URL or File name when the subtype is vulnerability if applicable
URL when Threat Category is domain-edl
Category (category)<subject>Text/StringFor URL Subtype, it is the URL Category; For WildFire subtype, it is the verdict on the file and is either ‘malicious’, ‘phishing’, ‘grayware’, or ‘benign’; For other subtypes, the value is ‘any’.
Severity (severity)<severity>Text/StringSeverity associated with the threat; values are informational, low, medium, high, critical.
User Agent (user_agent)<useragent>Text/StringOnly for the URL Filtering subtype; all other types do not use this field.
The User Agent field specifies the web browser that the user used to access the URL, for example Internet Explorer. This information is sent in the HTTP request to the server.
Application Characteristic (characteristic_of_app)**<objectname>Text/StringComma-separated list of applicable characteristic of the application
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.