V 2.0 URL Threat Messages
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
---|---|---|---|
V 2.0 URL Threat Messages | Base Rule | General Threat Message | Activity |
V 2.0 Potentially Malicious URL Allowed | Sub Rule | Traffic Allowed by Proxy | Network Allow |
V 2.0 User Continue URL Block | Sub Rule | Traffic Allowed by Proxy | Network Allow |
V 2.0 User Override URL Block | Sub Rule | Traffic Allowed by Proxy | Network Allow |
V 2.0 Malicious URL Blocked | Sub Rule | Traffic Denied by Proxy | Network Deny |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
---|---|---|---|
Type (type) | <vmid> | Text/String | Specifies the type of log; the value is THREAT. |
Threat/Content Type (subtype) | <vendorinfo> | Text/String | The subtype of threat log. Values include the following: |
Source address (src) | <sip> | IP Address | Original session source IP address |
Destination address (dst) | <dip> | IP Address | Original session destination IP address |
NAT Source IP (natsrc) | <snatip> | IP Address | If Source NAT is performed, the post-NAT Source IP address |
NAT Destination IP (natdst) | <dnatip> | IP Address | If Destination NAT is performed, the post-NAT Destination IP address |
Rule Name (rule) | <policy> | Text/String | Name of the rule that the session matched |
Source User (srcuser) | <domainorigin> | Text/String | The username of the user who initiated the session |
Destination User (dstuser) | <domainimpacted> | Text/String | The username of the user to which the session was destined |
Inbound Interface (inbound_if) | <sinterface> | Text/String | Interface that the session was sourced from |
Outbound Interface (outbound_if) | <dinterface> | Text/String | Interface that the session was destined to |
Session ID (sessionid) | <session> | Number | An internal numerical identifier applied to each session |
Repeat Count (repeatcnt) | <quantity> | Number | Number of sessions with the same Source IP, Destination IP, Application, and Subtype seen within 5 seconds |
Source Port (sport) | <sport> | Number | Source port utilized by the session |
Destination Port (dport) | <dport> | Number | Destination port utilized by the session |
NAT Source Port (natsport) | <snatport> | Number | Post-NAT source port |
NAT Destination Port (natdport) | <dnatport> | Number | Post-NAT destination port |
Flags (flags) | <sessiontype> | Text/String | A 32-bit field that provides details on the session |
IP Protocol (proto) | <protname> | Text/String | IP protocol associated with the session |
Action (action) | <action> | Text/String | Action taken for the session; values are alert, allow, deny, drop, drop-all-packets, reset-client, reset-server, reset-both, block-url. |
URL/Filename (misc) | <url> | Text/String | Field with variable length. A Filename has a maximum of 63 characters. A URL has a maximum of 1023 characters. |
Category (category) | <subject> | Text/String | For URL Subtype, it is the URL Category; For the WildFire subtype, it is the verdict on the file and is either ‘malicious’, ‘phishing’, ‘grayware’, or ‘benign’; For other subtypes, the value is ‘any’. |
Severity (severity) | <severity> | Text/String | Severity associated with the threat; values are informational, low, medium, high, critical. |
User Agent (user_agent) | <useragent> | Text/String | Only for the URL Filtering subtype; all other types do not use this field. |
Device Name (device_name) | <objectname> | Text/String | The hostname of the firewall on which the session was logged. |
Application Characteristic (characteristic_of_app) | <group> | Text/String | Comma-separated list of applicable characteristics of the application |
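The following is an added example that walks the mapping table above in code; it is not LogRhythm's MPE rule or any vendor code. It assumes the THREAT record arrives as space-separated `key=value` pairs using the device keys shown in parentheses in the table (the real parsing rule is a regex over the vendor's own layout), the sample records are constructed, and the rule that assigns `alert`/`allow` to "Traffic Allowed by Proxy" and every other action to "Traffic Denied by Proxy" is an assumption the table does not state. The example renames each device key to its schema field, coerces the IP Address and Number types, rejects unknown `action` values and over-long URLs, and returns the sub rule, Common Event and Classification.

```python
"""Map a THREAT log written as key=value pairs onto the LogRhythm schema names
from the mapping table. Added illustration, not LogRhythm or vendor code."""
import ipaddress
import shlex

# Device key -> (LogRhythm schema field, data type), copied from the mapping table.
FIELD_MAP = {
    "type": ("vmid", "text"),             "subtype": ("vendorinfo", "text"),
    "src": ("sip", "ip"),                 "dst": ("dip", "ip"),
    "natsrc": ("snatip", "ip"),           "natdst": ("dnatip", "ip"),
    "rule": ("policy", "text"),           "srcuser": ("domainorigin", "text"),
    "dstuser": ("domainimpacted", "text"),
    "inbound_if": ("sinterface", "text"), "outbound_if": ("dinterface", "text"),
    "sessionid": ("session", "number"),   "repeatcnt": ("quantity", "number"),
    "sport": ("sport", "number"),         "dport": ("dport", "number"),
    "natsport": ("snatport", "number"),   "natdport": ("dnatport", "number"),
    "flags": ("sessiontype", "text"),     "proto": ("protname", "text"),
    "action": ("action", "text"),         "misc": ("url", "text"),
    "category": ("subject", "text"),      "severity": ("severity", "text"),
    "user_agent": ("useragent", "text"),  "device_name": ("objectname", "text"),
    "characteristic_of_app": ("group", "text"),
}

# Action values and the URL length limit stated in the table.
ACTIONS = {"alert", "allow", "deny", "drop", "drop-all-packets",
           "reset-client", "reset-server", "reset-both", "block-url"}
MAX_URL_LEN = 1023

# Assumption: the table does not say which action values select which sub rule.
# Here "alert"/"allow" are treated as traffic that got through; every other
# action is treated as a block.
ALLOWED_ACTIONS = {"alert", "allow"}
RULE_ALLOWED = ("V 2.0 Potentially Malicious URL Allowed",
                "Traffic Allowed by Proxy", "Network Allow")
RULE_BLOCKED = ("V 2.0 Malicious URL Blocked",
                "Traffic Denied by Proxy", "Network Deny")


def parse_kv(line):
    """Split 'key=value key2="value with spaces"' into a dict of raw strings."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def to_schema(raw):
    """Rename device keys to schema fields and coerce IP / Number types.
    Raises ValueError for a malformed or non-THREAT record."""
    event = {}
    for key, value in raw.items():
        if key not in FIELD_MAP:
            continue                      # keys absent from the table are dropped
        name, dtype = FIELD_MAP[key]
        if value == "":
            event[name] = None            # empty device field, e.g. no NAT applied
        elif dtype == "ip":
            event[name] = str(ipaddress.ip_address(value))   # rejects junk
        elif dtype == "number":
            event[name] = int(value)
        else:
            event[name] = value
    if event.get("vmid") != "THREAT":
        raise ValueError("not a THREAT log: %r" % event.get("vmid"))
    if event.get("action") not in ACTIONS:
        raise ValueError("unknown action value: %r" % event.get("action"))
    if len(event.get("url") or "") > MAX_URL_LEN:
        raise ValueError("URL exceeds %d characters" % MAX_URL_LEN)
    return event


def classify(event):
    """Return (sub rule, Common Event, Classification) for a mapped event."""
    return RULE_ALLOWED if event["action"] in ALLOWED_ACTIONS else RULE_BLOCKED


def process(line):
    event = to_schema(parse_kv(line))
    return event, classify(event)


# Constructed sample records (not real firewall output).
SAMPLE_BLOCKED = (
    'type=THREAT subtype=url src=10.1.2.3 dst=203.0.113.10 '
    'natsrc=198.51.100.7 natdst=203.0.113.10 rule=block-malware-urls '
    'srcuser=alice dstuser= inbound_if=ethernet1/2 outbound_if=ethernet1/1 '
    'sessionid=48213 repeatcnt=1 sport=51544 dport=443 natsport=21032 '
    'natdport=443 flags=0x40a000 proto=tcp action=block-url '
    'misc="example.invalid/landing/index.html" category=malware severity=medium '
    'user_agent="Mozilla/5.0 (constructed)" device_name=fw-edge-01 '
    'characteristic_of_app="has-known-vulnerability,tunnels-other-application"'
)
SAMPLE_ALLOWED = SAMPLE_BLOCKED.replace("action=block-url", "action=alert")

if __name__ == "__main__":
    for line in (SAMPLE_BLOCKED, SAMPLE_ALLOWED):
        event, (rule, common_event, classification) = process(line)
        print(rule, "|", common_event, "|", classification)
        print("  ", event["sip"], "->", event["dip"], event["url"])
```

Empty device fields (here `dstuser=`) become `None` rather than failing the IP or integer coercion, which matters for the NAT columns on sessions where no NAT was applied; anything the table does not list as an `action` value is rejected so that a new or mistyped action surfaces as a parse failure instead of being silently filed under one of the sub rules.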