
Threat ID [7.2]

The ID number of a threat when available from an IDS/IPS signature, endpoint protection, or firewall log.

This field is not available in LogRhythm versions earlier than 7.2.1.

Data Type

String

Aliases

UseAlias

Client Console Full Name

Not applicable

Client Console Short Name

Not applicable

Web Console Tab/Name

Threat ID

Elasticsearch Field Name

threatId

Rule Builder Column Name

ThreatID

Regex Pattern

<threatid>

NetMon Name

Not applicable

Field Relationships

  • Threat Name
  • VMID
  • Vendor Message
  • Object
  • Object Name
  • Object Type
  • Process
  • Process ID

Common Applications

  • IDS/IPS
  • Vulnerability scanners
  • Proxy

Use Case

Correlating threats.

MPE/Data Masking Manipulations

Not applicable.

Usage Standards

  • Signatures
  • Numeric or string identifiers for threats under different names

Examples

  • Cisco IDS/IPS

<sd:evIdsAlert eventId="222222222" vendor="Cisco" severity="high" xmlns:sd="http://example.org/2003/08/sdee">bhiips xmlns:cid="http://www.cisco.com/cids/2006/08/cidee">sensorApp xmlns:cid="http://www.cisco.com/cids/2006/08/cidee">9055 offset="-300" timeZone="GMT-05:00">1232562570119108000</sd:time><sd:signature description="MSSQL Resolution Service Stack Overflow" id="4703" cid:version="S367" cid:type="other" cid:created="20000101" xmlns:cid="http://www.cisco.com/cids/2006/08/cidee">0 sample truncated. 

The signature id (4703) is the Threat ID of the detected threat.

  • eStreamer

LOGTYPE=INT_EVT_51_IPV4 R_ID=24105 R_REV=9 S_IP=1.1.1.1 S_PORT=58730 D_IP=1.1.1.1 D_PORT=8080 U_ID=0 U= R_NAME=MALWARE-OTHER HTTP POST request to a GIF file CLASSIFICATION_ID=22 CLASSIFICATION=Detection of a Non-Standard Protocol or Event PROT_NUM=6 PROT= ING_IF=s1p5 EG_IF=s1p1 BLOCKED=NotBlocked MANAGED_DEV_ID=9 EVT_ID=263305 EVT_T=01/15/2015 20:42:56 GEN_ID=1 PRI_ID=2 PRI=medium IMPACT_FLAGS=MonitoredHost, MappedHost, ServerPortOrIp IMPACT=Orange BBQ_LABEL=0 VLAN_ID=0 POL=Intrusion Policy - Corporate AP_PROT=HTTP ACS_CTL_R=File Inspection Rule ACS_CTL_POL=Access Control Policy - CORPORATE nnq_nnq_Z=Corporate EG_bbq_Z=OOB

R_ID=24105 is the Threat ID from this IDS signature log.

  • Symantec Endpoint

05 22 2014 11:08:02 1.1.1.1 <LPTR:CRIT> May 22 10:55:13 SymantecServer USABLDRRECFLOW01: USABLDRRECFLOW01,[SID: 25238] Fake App Attack: Misleading Application Website attack blocked. Traffic has been blocked for this application: \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\GOOGLE\CHROME\APPLICATION\CHROME.EXE,Local: 1.1.1.1,Local: 000000000000,Remote: ,Remote: 1.1.1.1,Remote: 000000000000,Inbound,TCP,Intrusion ID: 0,Begin: 2014-05-22 10:53:42,End: 2014-05-22 10:53:42,Occurrences: 1,Application: /DEVICE/HARDDISKVOLUME1/PROGRAM FILES/GOOGLE/CHROME/APPLICATION/CHROME.EXE,Location: Coprorate Network,User: Christina_McCloud,Domain: INDY,Local Port 4295,Remote Port 80,CIDS Signature ID: 25238,CIDS Signature string: Fake App Attack: Misleading Application Website,CIDS Signature SubID: 70185,Intrusion URL: pcfaster.info/usdown/?sence=asdifas892nsndsafusaljnsxckad,Intrusion Payload URL:

SID is the signature ID of the detected threat.
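As an added example, not LogRhythm's own MPE rules or code, the following Python pulls the Threat ID out of the three sample formats above with a named group standing in for the <threatid> regex tag, then keys correlation by vendor so that identical numeric IDs from different products are not merged. The pattern strings and the abbreviated sample lines are assumptions constructed for this illustration.

```python
import re

# Constructed, abbreviated copies of the page's sample lines (not real incidents).
SAMPLES = {
    "cisco_sdee": (
        '<sd:signature description="MSSQL Resolution Service Stack Overflow" '
        'id="4703" cid:version="S367" cid:type="other">'
    ),
    "estreamer": (
        "LOGTYPE=INT_EVT_51_IPV4 R_ID=24105 R_REV=9 S_IP=1.1.1.1 S_PORT=58730 "
        "R_NAME=MALWARE-OTHER HTTP POST request to a GIF file CLASSIFICATION_ID=22"
    ),
    "symantec_sep": (
        "SymantecServer USABLDRRECFLOW01: USABLDRRECFLOW01,[SID: 25238] Fake App "
        "Attack: Misleading Application Website attack blocked.,"
        "CIDS Signature ID: 25238,CIDS Signature SubID: 70185"
    ),
}

# One pattern per source. The named group "threatid" plays the role of the
# <threatid> tag; these patterns are assumptions, not shipped LogRhythm rules.
PATTERNS = {
    "cisco_sdee": re.compile(r'<sd:signature\b[^>]*\bid="(?P<threatid>[^"]+)"'),
    "estreamer": re.compile(r"\bR_ID=(?P<threatid>\d+)\b"),
    "symantec_sep": re.compile(r"\[SID: (?P<threatid>\d+)\]"),
}


def extract_threat_id(source, line):
    """Return the Threat ID string for a log line, or None if not present."""
    pattern = PATTERNS.get(source)
    if pattern is None:
        return None
    match = pattern.search(line)
    return match.group("threatid") if match else None


def correlate(events):
    """Group (source, line) events by vendor-qualified Threat ID.

    The vendor prefix matters: 24105 from eStreamer and 24105 from another
    product name different signatures, so they must not share a bucket.
    """
    buckets = {}
    for source, line in events:
        threat_id = extract_threat_id(source, line)
        if threat_id is None:
            continue  # no signature ID in this event; nothing to correlate on
        buckets.setdefault(f"{source}:{threat_id}", []).append(line)
    return buckets
```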
