V 2.0 URL Threat Messages 1
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| V 2.0 URL Threat Messages | Base Rule | General Threat Message | Activity |
V 2.0 Potentially Malicious URL Allowed | Sub Rule | Traffic Allowed by Proxy | Network Allow |
| V 2.0 User Continue URL Block | Sub Rule | Traffic Allowed by Proxy | Network Allow |
| V 2.0 User Override URL Block | Sub Rule | Traffic Allowed by Proxy | Network Allow |
| V 2.0 Malicious URL Blocked | Sub Rule | Traffic Denied by Proxy | Network Deny |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Type (type) | <vmid> | Text/String | Specifies the type of log; the value is THREAT. |
| Threat/Content Type (subtype) | <vendorinfo> | Text/String | The subtype of threat log. Values include the following:
|
| Source address (src) | <sip> | IP Address | Original session source IP address |
| Destination address (dst) | <dip> | IP Address | Original session destination IP address |
| NAT Source IP (natsrc) | <snatip> | IP Address | If Source NAT is performed, the post-NAT Source IP address |
| NAT Destination IP (natdst) | <dnatip> | IP Address | If Destination NAT is performed, the post-NAT Destination IP address |
| Rule Name (rule) | <policy> | Text/String | Name of the rule that the session matched |
| Source User (srcuser) | <domainorigin> <login> | Text/String | The username of the user who initiated the session |
| Destination User (dstuser) | <domainimpacted> <account> | Text/String | The username of the user to which the session was destined |
| Inbound Interface (inbound_if) | <sinterface> | Text/String | Interface that the session was sourced from |
| Outbound Interface (outbound_if) | <dinterface> | Text/String | Interface that the session was destined to |
| Session ID (sessionid) | <session> | Number | An internal numerical identifier is applied to each session |
| Repeat Count (repeatcnt) | <quantity> | Number | Number of sessions with the same Source IP, Destination IP, Application, and Subtype seen within 5 seconds |
| Source Port (sport) | <sport> | Number | Source port utilized by the session |
| Destination Port (dport) | <dport> | Number | Destination port utilized by the session |
| NAT Source Port (natsport) | <snatport> | Number | Post-NAT source port |
| NAT Destination Port (natdport) | <dnatport> | Number | Post-NAT destination port |
| Flags (flags) | <sessiontype> | Text/String | A 32-bit field that provides details on the session |
| IP Protocol (proto) | <protname> | Text/String | IP protocol associated with the session |
| Action (action) | <action> <tag1> | Text/String | Action is taken for the session; values are alert, allow, deny, drop, drop-all-packets, reset-client, reset-server, reset-both, block-url. alert—threat or URL detected but not blocked allow— flood detection alert deny—flood detection mechanism activated and deny traffic based on configuration drop— threat detected and associated session was dropped reset-client —threat detected and a TCP RST is sent to the client reset-server —threat detected and a TCP RST is sent to the server reset-both —threat detected and a TCP RST is sent to both the client and the server block-url —URL request was blocked because it matched a URL category that was set to be blocked block-ip—threat detected and client IP is blocked random-drop—flood detected and packet was randomly dropped sinkhole—DNS sinkhole activated syncookie-sent—syncookie alert block-continue (URL subtype only)—an HTTP request is blocked and redirected to a Continue page with a button for confirmation to proceed continue (URL subtype only)—response to a block-continue URL continue page indicating a block-continue request was allowed to proceed block-override (URL subtype only)—an HTTP request is blocked and redirected to an Admin override page that requires a passcode from the firewall administrator to continue override-lockout (URL subtype only)—too many failed admin override passcode attempts from the source IP. IP is now blocked from the block-override redirect page override (URL subtype only)—response to a block-override page where a correct passcode is provided and the request is allowed block (Wildfire only)—The file was blocked by the firewall and uploaded to Wildfire |
| URL/Filename (misc) | <url> | Text/String | Field with variable length. A Filename has a maximum of 63 characters. A URL has a maximum of 1023 characters The actual URI when the subtype is URL File name or file type when the subtype is a file File name when the subtype is virus File name when the subtype is wildfire-virus File name when the subtype is wildfire URL or File name when the subtype is vulnerable if applicable URL when Threat Category is domain-edl |
| Category (category) | <subject> | Text/String | For URL Subtype, it is the URL Category; For the WildFire subtype, it is the verdict on the file and is either ‘malicious’, ‘phishing’, ‘grayware’, or ‘benign’; For other subtypes, the value is ‘any’. |
| Severity (severity) | <severity> | Text/String | Severity associated with the threat; values are informational, low, medium, high, critical. |
| User Agent (user_agent) | <useragent> | Text/String | Only for the URL Filtering subtype; all other types do not use this field. The User Agent field specifies the web browser that the user used to access the URL, for example, Internet Explorer. This information is sent in the HTTP request to the server. |
| Device Name (device_name) | <objectname> | Text/String | The hostname of the firewall on which the session was logged. |
| Application Characteristic (characteristic_of_app)** | <result> | Text/String | Comma-separated list of applicable characteristics of the application |