
V 2.0 Wildfire-Virus Threat Messages 1

Log Fields and Parsing

This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.

| Log Field | LogRhythm Default | LogRhythm Default v2.0 |
|---|---|---|
| Type (type) | <vmid> | <vmid> |
| Threat/Content Type (subtype) | <vendorinfo>, <tag1> | <vendorinfo> |
| Source address (src) | <sip> | <sip> |
| Destination address (dst) | <dip> | <dip> |
| NAT Source IP (natsrc) | <snatip> | <snatip> |
| NAT Destination IP (natdst) | <dnatip> | <dnatip> |
| Rule Name (rule) | <policy> | <policy> |
| Source User (srcuser) | <domainorigin>, <login> | <domainorigin>, <login> |
| Destination User (dstuser) | <account> | N/A |
| N/A | <process> | N/A |
| N/A | <group> | N/A |
| Inbound Interface (inbound_if) | <sinterface> | <sinterface> |
| Outbound Interface (outbound_if) | <dinterface> | <dinterface> |
| Session ID (sessionid) | <session> | <session> |
| Repeat Count (repeatcnt) | <quantity> | <quantity> |
| Source Port (sport) | <sport> | <sport> |
| Destination Port (dport) | <dport> | <dport> |
| NAT Source Port (natsport) | <snatport> | <snatport> |
| NAT Destination Port (natdport) | <dnatport> | <dnatport> |
| IP Protocol (proto) | <protname> | <protname> |
| Action (action) | <action>, <tag4>, <command> | <action>, <tag1> |
| URL/Filename (misc) | N/A | <object> |
| Threat/Content Name (threatid) | <object>, <objecttype> | <threatname> |
| N/A | <objectname>, <url>, <domainimpacted>, <domainorigin> | N/A |
| N/A | <action> | N/A |
| Threat/Content Name (threatid) | <processid> | <threatid> |
| Category (category) | <tag2>, <process> | N/A |
| Severity (severity) | <severity> | <severity> |
| N/A | <hash> | N/A |
| Sender (sender) | <sender> | <sender> |
| Subject (subject) | <subject> | <subject> |
| Recipient (recipient) | <recipient> | <recipient> |
| Device Name (device_name) | N/A | <objectname> |
| Application Characteristic (characteristic_of_app) | N/A | <group> |

Log Processing Settings

This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.

LogRhythm Default

| Regex ID | Rule Name | Rule Type | Common Events | Classifications |
|---|---|---|---|---|
| 1000722 | THREAT Messages | Base Rule | General Attack Activity | Attack |
| | Potentially Threatening URL Allowed | Sub Rule | Web Activity Allowed | Activity |
| | URL Allowed | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| | URL Denied - Flood Detected | Sub Rule | General Attack Activity | Attack |
| | URL Threat Detected - Session Dropped | Sub Rule | General Attack Activity | Attack |
| | URL Threat Detected - Packets Dropped | Sub Rule | General Attack Activity | Attack |
| | URL Threat Detected - Dropped - Reset Sent | Sub Rule | General Attack Activity | Attack |
| | URL Blocked | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| | Potential Virus Content Allowed | Sub Rule | Detected Virus Activity | Malware |
| | Virus Content Allowed | Sub Rule | Detected Virus Activity | Malware |
| | Virus Traffic Denied | Sub Rule | Failed Virus Activity | Failed Malware |
| | Virus Traffic Dropped - Session Dropped | Sub Rule | Failed Virus Activity | Failed Malware |
| | Virus Detected - Packets Dropped | Sub Rule | Failed Virus Activity | Failed Malware |
| | Virus Detected - Dropped - Reset Sent | Sub Rule | Failed Virus Activity | Failed Malware |
| | Malicious URL Blocked | Sub Rule | Failed Malware Activity | Failed Malware |
| | Potential Spyware Content Allowed | Sub Rule | Detected Spyware Activity | Malware |
| | Spyware Content Allowed | Sub Rule | Detected Spyware Activity | Malware |
| | Spyware Traffic Denied | Sub Rule | Failed Spyware Activity | Failed Malware |
| | Spyware Traffic Dropped - Session Dropped | Sub Rule | Failed Spyware Activity | Failed Malware |
| | Spyware Detected - Packets Dropped | Sub Rule | Failed Spyware Activity | Failed Malware |
| | Spyware Detected - Dropped - Reset Sent | Sub Rule | Failed Spyware Activity | Failed Malware |
| | Spyware Blocked | Sub Rule | Failed Spyware Activity | Failed Malware |
| | Potential Vulnerability Exploit Allowed | Sub Rule | Vuln High Severity : General | Vulnerability |
| | Vulnerability Exploit Allowed | Sub Rule | Potential Vulnerability Exploit Allowed | Activity |
| | Vulnerability Exploit Denied | Sub Rule | Failed General Attack Activity | Failed Attack |
| | Vulnerability Exploit Traffic Drop - Session Drop | Sub Rule | Failed General Attack Activity | Failed Attack |
| | Vulnerability Exploit Traffic Drop - Packet Drop | Sub Rule | Failed General Attack Activity | Failed Attack |
| | Vulnerability Exploit Traffic Dropped - Reset Sent | Sub Rule | Failed General Attack Activity | Failed Attack |
| | Vulnerability Exploit Dropped | Sub Rule | Failed General Attack Activity | Failed Attack |
| | Potentially Threatening File Observed - Allowed | Sub Rule | Potentially Threatening File Observed | Activity |
| | Threatening File Allowed | Sub Rule | Unauthorized Program/Process | Misuse |
| | Threatening File Type Denied | Sub Rule | Failed Malware Activity | Failed Malware |
| | Threatening File Dropped - Session Dropped | Sub Rule | Failed Malware Activity | Failed Malware |
| | Threatening File Dropped - Packets Dropped | Sub Rule | Failed Malware Activity | Failed Malware |
| | Threatening File Dropped - Reset Sent | Sub Rule | Failed Malware Activity | Failed Malware |
| | Threatening File Blocked | Sub Rule | Failed Malware Activity | Failed Malware |
| | Scan Detected | Sub Rule | Port Scan | Reconnaissance |
| | DoS Detected | Sub Rule | Host Denial Of Service | Denial Of Service |
| | Data Pattern Filtered | Sub Rule | Data Pattern Filtered | Failed Activity |
| | URL Block-Continue | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| | Threatening File Forwarded | Sub Rule | File Intercepted | Activity |
| | URL Allowed : Continue | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| | Vulnerability Exploit Traffic Dropped - Reset Both | Sub Rule | Failed General Attack Activity | Failed Attack |
| | Wildfire Upload - Skip | Sub Rule | Message Submission | Information |
| | Wildfire Upload - Success | Sub Rule | Message Submission | Information |
| | Brute Force Attack : FTP Login | Sub Rule | Vuln High Severity : Brute Force Attack | Vulnerability |
| | Wildfire-Virus Detected - Reset Both | Sub Rule | Failed Virus Activity | Failed Malware |
| | Wildfire - Potential Virus Content Allowed | Sub Rule | Detected Virus Activity | Malware |
| | Wildfire-Virus Content Allowed | Sub Rule | Detected Virus Activity | Malware |
| | Wildfire-Virus Traffic Denied | Sub Rule | Failed Virus Activity | Failed Malware |
| | Wildfire-Virus Traffic Dropped - Session Dropped | Sub Rule | Failed Virus Activity | Failed Malware |
| | Wildfire-Virus Detected - Packets Dropped | Sub Rule | Failed Virus Activity | Failed Malware |
| | Wildfire-Virus Detected - Dropped - Reset Sent | Sub Rule | Failed Virus Activity | Failed Malware |
| | Wildfire-Malicious URL Blocked | Sub Rule | Failed Malware Activity | Failed Malware |
| | Virus Detected - Dropped - Reset Both | Sub Rule | Failed Virus Activity | Failed Malware |
| | Spyware Detected - Dropped - Reset Both | Sub Rule | Failed Spyware Activity | Failed Malware |
| | Vuln Exploit Traffic Dropped - Reset Server | Sub Rule | Failed General Attack Activity | Failed Attack |
| | Vulnerability Exploit Detected : Low Severity | Sub Rule | Vuln Low Severity : General | Vulnerability |
| | File Detected | Sub Rule | Suspicious File Download | Activity |
| | Vulnerability Exploit Detected : High Severity | Sub Rule | Vuln High Severity : General | Vulnerability |
| | Wildfire : Benign Determination | Sub Rule | Virus Scan Completed - No Viruses Found | Information |
| | Wildfire : Grayware Determination | Sub Rule | Potentially Threatening File Observed | Activity |
| | Wildfire : Malware Determination | Sub Rule | Detected Virus Activity | Malware |
| | Potential Vulnerability Exploit Allowed : Info | Sub Rule | Vuln Low Severity : Information Gathering | Vulnerability |
| | Vulnerability Exploit Detected : Medium Severity | Sub Rule | Vuln Medium Severity : General | Vulnerability |
| | Failed Attack : Packet Dropped | Sub Rule | Failed General Attack Activity | Failed Attack |
| | Spyware Detected - Dropped - Reset Server | Sub Rule | Failed Spyware Activity | Failed Malware |
| | Spyware Sinkhole Activity Messages | Sub Rule | Suspicious Network Activity | Suspicious |

LogRhythm Default v2.0

| Regex ID | Rule Name | Rule Type | Common Events | Classifications |
|---|---|---|---|---|
| 1010898 | V 2.0 Wildfire-Virus Threat Messages | Base Rule | General Threat Message | Activity |
| | V 2.0 Potentially Malicious File Allowed | Sub Rule | Detected Malware Activity | Malware |
| | V 2.0 Potentially Malicious File Allowed | Sub Rule | Detected Malware Activity | Malware |
| | V 2.0 Malicious File Blocked By Wildfire | Sub Rule | Failed Malware Activity | Failed Malware |
