Web Secure Event
Vendor Documentation
Classification
Rule Name | Rule Type | Classification | Common Event |
---|---|---|---|
Web Secure Event | Base Rule | Activity | General Web Access |
File Scan Result : Unknown | Sub Rule | Activity | Potentially Threatening File Observed |
File Scan Result : Clean | Sub Rule | Activity | General Threat Message |
File Scan Result : Malicious | Sub Rule | Malware | Detected Malware Activity |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
---|---|---|---|
N/A | N/A | N/A | Timestamp since UNIX epoch. |
N/A | <milliseconds> | Number | Elapsed time (latency) in milliseconds. |
N/A | <sip> | IP Address | Client IP address. You can choose to mask the IP address in the access logs using the advancedproxyconfig > authentication CLI command. |
N/A | N/A | N/A | Transaction result code. For more information, see W3C Compliant Access Log Files. |
N/A | <responsecode> | Number | HTTP response code. |
N/A | <size> | Number | Response size (headers + body). |
N/A | <command> <url> | Text/String | First line of the request. When the first line of the request is for a native FTP transaction, some special characters in the file name are URL encoded in the access logs. For example, the “@” symbol is written as “%40” in the access logs. The following characters are URL encoded: & # % + , : ; = @ ^ { } [ ] |
N/A | <login> | Text/String | Authenticated username. You can choose to mask the username in the access logs using the advancedproxyconfig > authentication CLI command. |
N/A | N/A | N/A | Code that describes which server was contacted to retrieve the requested content. The most common values include: |
N/A | N/A | N/A | Data source or server IP address. |
N/A | N/A | N/A | Response body MIME type. |
N/A | N/A | N/A | ACL decision tag. The end of the ACL decision tag includes a dynamically generated number that the Web Proxy uses internally. You can ignore this number. For more information, see ACL Decision Tags. |
N/A | <policy> | Text/String | Name of policy group responsible for the final decision on this transaction (Access Policy, Decryption Policy, or Data Security Policy). When the transaction matches a global policy, this value is “DefaultGroup.” Any space in the policy group name is replaced with an underscore ( _ ). |
N/A | N/A | N/A | Identity policy group name. Any space in the policy group name is replaced with an underscore ( _ ). |
N/A | N/A | N/A | Outbound Malware Scanning Policy group name. Any space in the policy group name is replaced with an underscore ( _ ). |
N/A | N/A | N/A | Cisco Data Security Policy group name. When the transaction matches the global Cisco Data Security Policy, this value is “DefaultGroup.” This policy group name only appears when Cisco Data Security Filters is enabled. “NONE” appears when no Data Security Policy was applied. Any space in the policy group name is replaced with an underscore ( _ ). |
N/A | N/A | N/A | External DLP Policy group name. When the transaction matches the global External DLP Policy, this value is “DefaultGroup.” “NONE” appears when no External DLP Policy was applied. Any space in the policy group name is replaced with an underscore ( _ ). |
N/A | N/A | N/A | Routing Policy group name, displayed as ProxyGroupName/ProxyServerName. When the transaction matches the global Routing Policy, this value is “DefaultRouting.” When no upstream proxy server is used, this value is “DIRECT.” Any space in the policy group name is replaced with an underscore ( _ ). |
N/A | N/A | N/A | The custom URL category assigned to the transaction, abbreviated. This field shows “nc” when no category is assigned. |
N/A | N/A | N/A | Web Reputation filters score. This field either shows the score as a number, “ns” for no score, or “dns” when there is a DNS lookup error. |
N/A | N/A | N/A | The malware scanning verdict Webroot passed to the DVS engine. Applies to responses detected by Webroot only. For more information, see Malware Scanning Verdict Values. |
N/A | N/A | N/A | Name of the spyware that is associated with the object. Applies to responses detected by Webroot only. |
N/A | N/A | N/A | The Webroot specific value associated with the Threat Risk Ratio (TRR) value that determines the probability that malware exists. Applies to responses detected by Webroot only. |
N/A | N/A | N/A | A value that Webroot uses as a threat identifier. Cisco Customer Support may use this value when troubleshooting an issue. Applies to responses detected by Webroot only. |
N/A | N/A | N/A | A value that Webroot uses as a trace identifier. Cisco Customer Support may use this value when troubleshooting an issue. Applies to responses detected by Webroot only. |
N/A | N/A | N/A | The malware scanning verdict McAfee passed to the DVS engine. Applies to responses detected by McAfee only. For more information, see Malware Scanning Verdict Values. |
N/A | N/A | N/A | The name of the file McAfee scanned. Applies to responses detected by McAfee only. |
N/A | N/A | N/A | A value that McAfee uses as a scan error. Cisco Customer Support may use this value when troubleshooting an issue. Applies to responses detected by McAfee only. |
N/A | N/A | N/A | A value that McAfee uses as a detection type. Cisco Customer Support may use this value when troubleshooting an issue. Applies to responses detected by McAfee only. |
N/A | N/A | N/A | A value that McAfee uses as a virus type. Cisco Customer Support may use this value when troubleshooting an issue. Applies to responses detected by McAfee only. |
N/A | N/A | N/A | The name of the virus that McAfee scanned. Applies to responses detected by McAfee only. |
N/A | N/A | N/A | The malware scanning verdict Sophos passed to the DVS engine. Applies to responses detected by Sophos only. For more information, see Malware Scanning Verdict Values. |
N/A | N/A | N/A | A value that Sophos uses as a scan return code. Cisco Customer Support may use this value when troubleshooting an issue. Applies to responses detected by Sophos only. |
N/A | N/A | N/A | The name of the file in which Sophos found the objectionable content. Applies to responses detected by Sophos only. |
N/A | N/A | N/A | A value that Sophos uses as the threat name. Cisco Customer Support may use this value when troubleshooting an issue. Applies to responses detected by Sophos only. |
N/A | N/A | N/A | The Cisco Data Security scan verdict based on the action in the Content column of the Cisco Data Security Policy. The following list describes the possible values for this field: |
N/A | N/A | N/A | The External DLP scan verdict based on the result given in the ICAP response. The following list describes the possible values for this field: |
N/A | <subject> | Text/String | The predefined URL category verdict determined during request-side scanning, abbreviated. This field lists a hyphen (-) when URL filtering is disabled. For a list of URL category abbreviations, see URL Category Descriptions. |
N/A | N/A | N/A | The URL category verdict determined by the Dynamic Content Analysis engine during response-side scanning, abbreviated. Applies to the Cisco Web Usage Controls URL filtering engine only. Only applies when the Dynamic Content Analysis engine is enabled and when no category is assigned at request time (a value of “nc” is listed in the request-side scanning verdict). For a list of URL category abbreviations, see URL Category Descriptions. |
N/A | <threatname> | Text/String | Unified response-side anti-malware scanning verdict that provides the malware category independent of which scanning engines are enabled. Applies to transactions blocked or monitored due to server response scanning. |
N/A | N/A | N/A | The threat type returned by the Web Reputation filters which resulted in the target website receiving a poor reputation. Typically, this field is populated for sites with a reputation score of -4 or below. |
N/A | N/A | N/A | The application name as returned by the AVC engine, if applicable. Only applies when the AVC engine is enabled. |
N/A | N/A | N/A | The application type as returned by the AVC engine, if applicable. Only applies when the AVC engine is enabled. |
N/A | N/A | N/A | The application behavior as returned by the AVC engine, if applicable. Only applies when the AVC engine is enabled. |
N/A | N/A | N/A | Safe browsing scanning verdict. This value indicates whether either the safe search or the site content ratings feature was applied to the transaction. For a list of the possible values, see Logging Adult Content Access. |
N/A | N/A | N/A | The average bandwidth consumed serving the request, in Kb/sec. |
N/A | N/A | N/A | A value that indicates whether the request was throttled due to bandwidth limit control settings, where “1” indicates the request was throttled, and “0” indicates it was not. |
N/A | N/A | N/A | The type of user making the request, either “[Local]” or “[Remote].” Only applies when AnyConnect Secure Mobility is enabled. When it is not enabled, the value is a hyphen (-). |
N/A | N/A | N/A | Unified request-side anti-malware scanning verdict independent of which scanning engines are enabled. Applies to transactions blocked or monitored due to client request scanning when an Outbound Malware Scanning Policy applies. |
N/A | N/A | N/A | The threat name assigned to the client request that was blocked or monitored due to an applicable Outbound Malware Scanning Policy. This threat name is independent of which anti-malware scanning engines are enabled. |
N/A | N/A | N/A | Verdict from Advanced Malware Protection file scanning: 0 = file is not malicious; 1 = file was not scanned because of its file type; 2 = file scan timed out; 3 = scan error; greater than 3 = file is malicious. |
N/A | N/A | N/A | Threat name, as determined by Advanced Malware Protection file scanning; "-" indicates no threat. |
N/A | N/A | N/A | Reputation score from Advanced Malware Protection file scanning. This score is used only if the cloud reputation service is unable to determine a clear verdict for the file. For details, see information about the Threat Score and the reputation threshold in File Reputation Filtering and File Analysis. |
N/A | N/A | N/A | Indicator of upload and analysis request: “0” indicates that Advanced Malware Protection did not request upload of the file for analysis. “1” indicates that Advanced Malware Protection did request upload of the file for analysis. |
N/A | <objectname> | Text/String | The name of the file being downloaded and analyzed. |
N/A | <hash> | Text/String | The SHA-256 identifier for this file. |
N/A | <result> <tag1> | Text/String | Verdict from the AMP reputation server for the file: 1 = Unknown; 2 = Clean; 3 = Malicious; 4 = Unscannable. |
N/A | N/A | N/A | Archive scan verdict. |
N/A | N/A | N/A | Archive scan verdict detail. If an inspectable archive file is blocked (ARCHIVESCAN_BLOCKEDFILETYPE) based on the Access Policy: Custom Objects Blocking settings, this verdict detail entry includes the type of the blocked file and the name of the blocked file. |
N/A | <useragent> | Text/String | Suspect user agent. |
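An added example, not from the LogRhythm or Cisco documentation: it maps the AMP reputation `<result>` code and the Advanced Malware Protection file-scanning verdict described above onto the sub-rules of the classification table, and decodes the threat name, SHA-256 hash and upload-request indicator alongside. The page does not give the position of each field in the raw access-log line, so records are passed in as dicts whose key names (`result`, `amp_verdict`, `threatname`, `hash`, `upload`) are assumptions, and the sample records are constructed.

```python
import re

# <result> codes from the AMP reputation server (see the <result> row).
AMP_REPUTATION = {1: "Unknown", 2: "Clean", 3: "Malicious", 4: "Unscannable"}
# AMP file-scanning verdict codes; any value greater than 3 means malicious.
FILE_SCAN_VERDICT = {0: "not malicious", 1: "not scanned (file type)",
                     2: "scan timed out", 3: "scan error"}
# Sub-rule -> (Rule Name, Classification, Common Event) from the first table.
SUB_RULES = {
    "Unknown": ("File Scan Result : Unknown", "Activity", "Potentially Threatening File Observed"),
    "Clean": ("File Scan Result : Clean", "Activity", "General Threat Message"),
    "Malicious": ("File Scan Result : Malicious", "Malware", "Detected Malware Activity"),
}
BASE_RULE = ("Web Secure Event", "Activity", "General Web Access")  # no sub-rule matched
SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")


def _to_int(value):
    """Parse a numeric log field; '-', blanks or garbage yield None instead of raising."""
    try:
        return int(str(value).strip())
    except (TypeError, ValueError):
        return None


def classify(record):
    """Map one record's AMP fields to the LogRhythm rule plus decoded scan details."""
    reputation = AMP_REPUTATION.get(_to_int(record.get("result")))  # None if absent/unknown
    rule, classification, common_event = SUB_RULES.get(reputation, BASE_RULE)
    verdict = _to_int(record.get("amp_verdict"))
    if verdict is None:
        file_scan = "missing"
    elif verdict > 3:
        file_scan = "malicious"
    else:
        file_scan = FILE_SCAN_VERDICT.get(verdict, "unrecognised code %d" % verdict)
    threat = record.get("threatname") or "-"
    return {
        "rule": rule, "classification": classification, "common_event": common_event,
        "reputation": reputation or "not present", "file_scan": file_scan,
        "threat_name": None if threat == "-" else threat,  # "-" means no threat
        "sha256_valid": bool(SHA256_RE.match(record.get("hash") or "")),
        "upload_requested": _to_int(record.get("upload")) == 1,  # "1" = upload requested
    }


SAMPLES = [  # constructed sample records; key names are hypothetical extracted-field names
    {"result": "3", "amp_verdict": "7", "threatname": "W32.Constructed", "hash": "a" * 64, "upload": "0"},
    {"result": "1", "amp_verdict": "1", "threatname": "-", "hash": "c" * 64, "upload": "1"},
    {"result": "4", "amp_verdict": "2", "threatname": "-", "hash": "-", "upload": "-"},
]
```

Records with an Unscannable or missing `<result>` fall through to the base rule, since the classification table defines no sub-rule for them.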