
V 2.0 Wildfire-Virus Threat Messages 1

Log Fields and Parsing

This section lists the log fields available in this log message type, along with the LogRhythm metadata fields (shown in angle brackets) that the LogRhythm Default and LogRhythm Default v2.0 policies populate from each of them. A value of "N/A" (not applicable) means that no value is parsed for that log field under that policy.

Log Field | LogRhythm Default | LogRhythm Default v2.0
Type (type) | <vmid> | <vmid>
Threat/Content Type (subtype) | <vendorinfo>, <tag1>, <vendorinfo>
Source address (src) | <sip> | <sip>
Destination address (dst) | <dip> | <dip>
NAT Source IP (natsrc) | <snatip> | <snatip>
NAT Destination IP (natdst) | <dnatip> | <dnatip>
Rule Name (rule) | <policy> | <policy>
Source User (srcuser) | <domainorigin>, <login> | <domainorigin>, <login>
Destination User (dstuser) | <account> | N/A
N/A | <process> | N/A
N/A | <group> | N/A
Inbound Interface (inbound_if) | <sinterface> | <sinterface>
Outbound Interface (outbound_if) | <dinterface> | <dinterface>
Session ID (sessionid) | <session> | <session>
Repeat Count (repeatcnt) | <quantity> | <quantity>
Source Port (sport) | <sport> | <sport>
Destination Port (dport) | <dport> | <dport>
NAT Source Port (natsport) | <snatport> | <snatport>
NAT Destination Port (natdport) | <dnatport> | <dnatport>
IP Protocol (proto) | <protname> | <protname>
Action (action) | <action>, <tag4>, <command>, <action>, <tag1>
URL/Filename (misc) | N/A | <object>
Threat/Content Name (threatid) | <object>, <objecttype>, <threatname>, N/A, <objectname>, <url>, <domainimpacted>, <domainorigin>, N/A
N/A | <action> | N/A
Threat/Content Name (threatid) | <processid> | <threatid>
Category (category) | <tag2>, <process> | N/A
Severity (severity) | <severity> | <severity>
N/A | <hash> | N/A
Sender (sender) | <sender> | <sender>
Subject (subject) | <subject> | <subject>
Recipient (recipient) | <recipient> | <recipient>
Device Name (device_name) | N/A | <objectname>
Application Characteristic (characteristic_of_app) | N/A | <result>

For the Threat/Content Type, Action and first Threat/Content Name rows, the page as extracted does not preserve where the LogRhythm Default column ends and the LogRhythm Default v2.0 column begins; the values in those rows are listed in source order.

Log Processing Settings

This section details the log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, a base rule is broken down into sub-rules so that each event type within the log message type is parsed and classified appropriately.

LogRhythm Default

Regex ID | Rule Name | Rule Type | Common Events | Classifications
1000722 | THREAT Messages | Base Rule | General Attack Activity | Attack
| Potentially Threatening URL Allowed | Sub Rule | Web Activity Allowed | Activity
| URL Allowed | Sub Rule | Traffic Allowed by Network Firewall | Network Allow
| URL Denied - Flood Detected | Sub Rule | General Attack Activity | Attack
| URL Threat Detected - Session Dropped | Sub Rule | General Attack Activity | Attack
| URL Threat Detected - Packets Dropped | Sub Rule | General Attack Activity | Attack
| URL Threat Detected - Dropped - Reset Sent | Sub Rule | General Attack Activity | Attack
| URL Blocked | Sub Rule | Traffic Denied by Network Firewall | Network Deny
| Potential Virus Content Allowed | Sub Rule | Detected Virus Activity | Malware
| Virus Content Allowed | Sub Rule | Detected Virus Activity | Malware
| Virus Traffic Denied | Sub Rule | Failed Virus Activity | Failed Malware
| Virus Traffic Dropped - Session Dropped | Sub Rule | Failed Virus Activity | Failed Malware
| Virus Detected - Packets Dropped | Sub Rule | Failed Virus Activity | Failed Malware
| Virus Detected - Dropped - Reset Sent | Sub Rule | Failed Virus Activity | Failed Malware
| Malicious URL Blocked | Sub Rule | Failed Malware Activity | Failed Malware
| Potential Spyware Content Allowed | Sub Rule | Detected Spyware Activity | Malware
| Spyware Content Allowed | Sub Rule | Detected Spyware Activity | Malware
| Spyware Traffic Denied | Sub Rule | Failed Spyware Activity | Failed Malware
| Spyware Traffic Dropped - Session Dropped | Sub Rule | Failed Spyware Activity | Failed Malware
| Spyware Detected - Packets Dropped | Sub Rule | Failed Spyware Activity | Failed Malware
| Spyware Detected - Dropped - Reset Sent | Sub Rule | Failed Spyware Activity | Failed Malware
| Spyware Blocked | Sub Rule | Failed Spyware Activity | Failed Malware
| Potential Vulnerability Exploit Allowed | Sub Rule | Vuln High Severity : General | Vulnerability
| Vulnerability Exploit Allowed | Sub Rule | Potential Vulnerability Exploit Allowed | Activity
| Vulnerability Exploit Denied | Sub Rule | Failed General Attack Activity | Failed Attack
| Vulnerability Exploit Traffic Drop - Session Drop | Sub Rule | Failed General Attack Activity | Failed Attack
| Vulnerability Exploit Traffic Drop - Packet Drop | Sub Rule | Failed General Attack Activity | Failed Attack
| Vulnerability Exploit Traffic Dropped - Reset Sent | Sub Rule | Failed General Attack Activity | Failed Attack
| Vulnerability Exploit Dropped | Sub Rule | Failed General Attack Activity | Failed Attack
| Potentially Threatening File Observed - Allowed | Sub Rule | Potentially Threatening File Observed | Activity
| Threatening File Allowed | Sub Rule | Unauthorized Program/Process | Misuse
| Threatening File Type Denied | Sub Rule | Failed Malware Activity | Failed Malware
| Threatening File Dropped - Session Dropped | Sub Rule | Failed Malware Activity | Failed Malware
| Threatening File Dropped - Packets Dropped | Sub Rule | Failed Malware Activity | Failed Malware
| Threatening File Dropped - Reset Sent | Sub Rule | Failed Malware Activity | Failed Malware
| Threatening File Blocked | Sub Rule | Failed Malware Activity | Failed Malware
| Scan Detected | Sub Rule | Port Scan | Reconnaissance
| DoS Detected | Sub Rule | Host Denial Of Service | Denial Of Service
| Data Pattern Filtered | Sub Rule | Data Pattern Filtered | Failed Activity
| URL Block-Continue | Sub Rule | Traffic Allowed by Network Firewall | Network Allow
| Threatening File Forwarded | Sub Rule | File Intercepted | Activity
| URL Allowed : Continue | Sub Rule | Traffic Allowed by Network Firewall | Network Allow
| Vulnerability Exploit Traffic Dropped - Reset Both | Sub Rule | Failed General Attack Activity | Failed Attack
| Wildfire Upload - Skip | Sub Rule | Message Submission | Information
| Wildfire Upload - Success | Sub Rule | Message Submission | Information
| Brute Force Attack : FTP Login | Sub Rule | Vuln High Severity : Brute Force Attack | Vulnerability
| Wildfire-Virus Detected - Reset Both | Sub Rule | Failed Virus Activity | Failed Malware
| Wildfire - Potential Virus Content Allowed | Sub Rule | Detected Virus Activity | Malware
| Wildfire-Virus Content Allowed | Sub Rule | Detected Virus Activity | Malware
| Wildfire-Virus Traffic Denied | Sub Rule | Failed Virus Activity | Failed Malware
| Wildfire-Virus Traffic Dropped - Session Dropped | Sub Rule | Failed Virus Activity | Failed Malware
| Wildfire-Virus Detected - Packets Dropped | Sub Rule | Failed Virus Activity | Failed Malware
| Wildfire-Virus Detected - Dropped - Reset Sent | Sub Rule | Failed Virus Activity | Failed Malware
| Wildfire-Malicious URL Blocked | Sub Rule | Failed Malware Activity | Failed Malware
| Virus Detected - Dropped - Reset Both | Sub Rule | Failed Virus Activity | Failed Malware
| Spyware Detected - Dropped - Reset Both | Sub Rule | Failed Spyware Activity | Failed Malware
| Vuln Exploit Traffic Dropped - Reset Server | Sub Rule | Failed General Attack Activity | Failed Attack
| Vulnerability Exploit Detected : Low Severity | Sub Rule | Vuln Low Severity : General | Vulnerability
| File Detected | Sub Rule | Suspicious File Download | Activity
| Vulnerability Exploit Detected : High Severity | Sub Rule | Vuln High Severity : General | Vulnerability
| Wildfire : Benign Determination | Sub Rule | Virus Scan Completed - No Viruses Found | Information
| Wildfire : Grayware Determination | Sub Rule | Potentially Threatening File Observed | Activity
| Wildfire : Malware Determination | Sub Rule | Detected Virus Activity | Malware
| Potential Vulnerability Exploit Allowed : Info | Sub Rule | Vuln Low Severity : Information Gathering | Vulnerability
| Vulnerability Exploit Detected : Medium Severity | Sub Rule | Vuln Medium Severity : General | Vulnerability
| Failed Attack : Packet Dropped | Sub Rule | Failed General Attack Activity | Failed Attack
| Spyware Detected - Dropped - Reset Server | Sub Rule | Failed Spyware Activity | Failed Malware
| Spyware Sinkhole Activity Messages | Sub Rule | Suspicious Network Activity | Suspicious

LogRhythm Default v2.0

Regex ID | Rule Name | Rule Type | Common Events | Classifications
1010898 | V 2.0 Wildfire-Virus Threat Messages | Base Rule | General Threat Message | Activity
| V 2.0 Potentially Malicious File Allowed | Sub Rule | Detected Malware Activity | Malware
| V 2.0 Potentially Malicious File Allowed | Sub Rule | Detected Malware Activity | Malware
| V 2.0 Malicious File Blocked By Wildfire | Sub Rule | Failed Malware Activity | Failed Malware
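As an added example (not LogRhythm's or Palo Alto Networks' code), the following Python maps a PAN-OS threat log line onto the LogRhythm Default v2.0 metadata fields from the Log Fields and Parsing table above, and then applies the two v2.0 sub-rule outcomes from the table just above. It only uses rows whose v2.0 column is unambiguous; subtype and action map to <vendorinfo> and <action> under either reading of the rows whose column boundary the page does not preserve. Everything else is an assumption: the positional CSV layout in THREAT_FIELDS is taken from the PAN-OS threat log field reference and must be checked against the PAN-OS version in use; the split of wildfire-virus events between the Allowed and Blocked sub-rules is driven here by the PAN-OS action value, which the page does not spell out; characteristic_of_app lies beyond the positions parsed and is omitted; and the sample lines are constructed fixtures, not captured logs.

```python
"""Map a PAN-OS threat log onto LogRhythm Default v2.0 metadata fields and
apply the v2.0 Wildfire-Virus sub-rule outcomes listed on this page."""
import csv
import io
from typing import Dict, Optional

# Positional layout of the PAN-OS threat log CSV body (the text after the
# syslog header). ASSUMPTION: taken from the PAN-OS threat log field
# reference for 9.x/10.x; verify against the version you are running.
THREAT_FIELDS = [
    "future_use1", "receive_time", "serial", "type", "subtype", "future_use2",
    "generated_time", "src", "dst", "natsrc", "natdst", "rule", "srcuser",
    "dstuser", "app", "vsys", "from_zone", "to_zone", "inbound_if",
    "outbound_if", "logset", "future_use3", "sessionid", "repeatcnt", "sport",
    "dport", "natsport", "natdport", "flags", "proto", "action", "misc",
    "threatid", "category", "severity", "direction", "seqno", "actionflags",
    "srcloc", "dstloc", "future_use4", "contenttype", "pcap_id", "filedigest",
    "cloud", "url_idx", "user_agent", "filetype", "xff", "referer", "sender",
    "subject", "recipient", "reportid", "dg_hier_1", "dg_hier_2", "dg_hier_3",
    "dg_hier_4", "vsys_name", "device_name",
]

# PAN-OS field -> LogRhythm Default v2.0 metadata field, copied from the
# mapping table on this page. Rows whose v2.0 column is N/A are left out;
# srcuser needs a split and is handled in to_logrhythm_v2().
V2_FIELD_MAP = {
    "type": "vmid", "subtype": "vendorinfo", "src": "sip", "dst": "dip",
    "natsrc": "snatip", "natdst": "dnatip", "rule": "policy",
    "inbound_if": "sinterface", "outbound_if": "dinterface",
    "sessionid": "session", "repeatcnt": "quantity", "sport": "sport",
    "dport": "dport", "natsport": "snatport", "natdport": "dnatport",
    "proto": "protname", "action": "action", "misc": "object",
    "threatid": "threatid", "severity": "severity", "sender": "sender",
    "subject": "subject", "recipient": "recipient", "device_name": "objectname",
}

# Sub-rule outcomes from the LogRhythm Default v2.0 table on this page.
ALLOWED = {"sub_rule": "V 2.0 Potentially Malicious File Allowed",
           "common_event": "Detected Malware Activity", "classification": "Malware"}
BLOCKED = {"sub_rule": "V 2.0 Malicious File Blocked By Wildfire",
           "common_event": "Failed Malware Activity", "classification": "Failed Malware"}
# ASSUMPTION: which sub-rule fires is decided by the PAN-OS action value.
ALLOW_ACTIONS = {"allow", "alert", "continue"}


def parse_threat_line(line: str) -> Dict[str, str]:
    """Strip the syslog header and read the CSV body by position."""
    head, _, rest = line.partition(",")
    if not rest:
        raise ValueError("no CSV body found in log line")
    # The token just before the first comma is PAN-OS field 1 (FUTURE_USE).
    body = head.split()[-1] + "," + rest
    row = next(csv.reader(io.StringIO(body)))  # csv handles quoted fields
    return dict(zip(THREAT_FIELDS, row))


def to_logrhythm_v2(line: str) -> Dict[str, str]:
    """Return the v2.0 metadata a parsed line populates (empty fields dropped)."""
    raw = parse_threat_line(line)
    meta = {lr: raw[pan] for pan, lr in V2_FIELD_MAP.items() if raw.get(pan)}
    # srcuser is written as DOMAIN\user and feeds <domainorigin> and <login>.
    domain, sep, login = raw.get("srcuser", "").rpartition("\\")
    if login:
        meta["login"] = login
        if sep:
            meta["domainorigin"] = domain
    return meta


def classify_v2(meta: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Apply the two v2.0 sub-rules; None if the line is not a wildfire-virus event."""
    if meta.get("vendorinfo") != "wildfire-virus":
        return None
    if meta.get("action", "").lower() in ALLOW_ACTIONS:
        return ALLOWED
    return BLOCKED


def build_line(**fields: str) -> str:
    """Build a syslog-framed PAN-OS threat line. Constructed fixture, not a capture."""
    cols = [""] * len(THREAT_FIELDS)
    cols[0] = "1"
    for name, value in fields.items():
        cols[THREAT_FIELDS.index(name)] = value
    buf = io.StringIO()
    csv.writer(buf, lineterminator="").writerow(cols)
    return "<14>Jan 10 12:00:00 PA-VM " + buf.getvalue()


COMMON = dict(receive_time="2024/01/10 12:00:00", serial="001234567890",
              type="THREAT", subtype="wildfire-virus", src="10.1.2.3",
              dst="203.0.113.10", natsrc="198.51.100.7", natdst="203.0.113.10",
              rule="outbound-web", srcuser="corp\\jdoe", inbound_if="ethernet1/2",
              outbound_if="ethernet1/1", sessionid="48213", repeatcnt="1",
              sport="51524", dport="443", natsport="20001", natdport="443",
              proto="tcp", threatid="Virus/Win32.WGeneric.example(1000001)",
              category="any", severity="medium", device_name="PA-VM")
SAMPLE_ALLOWED = build_line(action="alert", misc="invoice.exe", **COMMON)
SAMPLE_BLOCKED = build_line(action="reset-both", misc="payload.exe", **COMMON)
SAMPLE_OTHER = build_line(**{**COMMON, "subtype": "vulnerability", "action": "reset-both"})

if __name__ == "__main__":
    for sample in (SAMPLE_ALLOWED, SAMPLE_BLOCKED, SAMPLE_OTHER):
        meta = to_logrhythm_v2(sample)
        print(meta.get("vendorinfo"), meta.get("action"), "->", classify_v2(meta))
```

The body is read with the csv module rather than a plain split because PAN-OS quotes fields that contain commas (URLs and threat names can), and a naive split would shift every later position, including threatid and device_name. Fields the table marks N/A for v2.0 (dstuser, category) are deliberately not carried into the metadata.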