Threat Name [7.2]

The name of a threat described in the log message (for example, a malware, exploit, or signature name). Do not overload this field with Policy.

This field is not available in LogRhythm versions earlier than 7.2.1.

Data Type

String

Aliases

UseAlias

Client Console Full Name

Not applicable

Client Console Short Name

Not applicable

Web Console Tab/Name

Threat Name

Elasticsearch Field Name

threatName

Rule Builder Column Name

ThreatName

Regex Pattern

<threatname>

NetMon Name

Not applicable

Field Relationships

  • Threat ID
  • VMID
  • Vendor Message
  • Object
  • Object Name
  • Object Type
  • Process
  • ProcessID
  • Policy
  • Reason

Common Applications

  • IDS/IPS
  • Vulnerability scanners
  • Proxy

Use Case

  • Threat Name frequency for reporting.
  • Identifying threats.

MPE/Data Masking Manipulations

Not applicable.

Usage Standards

  • Signature names
  • Malware names
  • Vulnerability names
  • Exploit names
  • Can be used independently of Threat ID (for example, AV detections, or identifying malicious processes or objects)

Examples

  • Cisco IDS/IPS

<sd:evIdsAlert eventId="2222222222222" vendor="Cisco" severity="high" xmlns:sd="http://example.org/2003/08/sdee">bhiips xmlns:cid="http://www.cisco.com/cids/2006/08/cidee">sensorApp xmlns:cid="http://www.cisco.com/cids/2006/08/cidee">9055 offset="-300" timeZone="GMT-05:00">1232562570119108000</sd:time><sd:signature description="MSSQL Resolution Service Stack Overflow" id="4703" cid:version="S367" cid:type="other" cid:created="20000101" xmlns:cid="http://www.cisco.com/cids/2006/08/cidee">0:...log sample truncated.

The signature description ("MSSQL Resolution Service Stack Overflow") is the Threat Name; it describes the threat indicated by signature ID 4703.

  • Qualys Vulnerability Scanner

HOSTIP=1.1.1.1 HOSTNAME= USABLDRRECFLOW01HOSTOS=Linux 2.6 PORT= PROTOCOL= QID=115731 DETECTIONTYPE=Potential STATUS=New FIRSTFOUND=2010-10-05 01:20:11Z LASTFOUND=2010-10-05 01:20:11Z VULNERABILITY=Apache 1.3 and 2.0 Web Server Multiple Vulnerabilities VULNERABILITYTYPE=Vulnerability or Potential Vulnerability CATEGORY=Local SEVERITYLEVEL=3 PATCHABLE=1 KBLASTUPDATE=2010-09-13 18:52:19Z CVE=CVE-2006-5752(http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5752),CVE-2007-3304(http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3304)

The VULNERABILITY value is the name of the vulnerability and populates Threat Name.

  • eStreamer

LOGTYPE=INT_EVT_51_IPV4 R_ID=24105 R_REV=9 S_IP=1.1.1.1 S_PORT=58730 D_IP=1.1.1.1 D_PORT=8080 U_ID=0 U= R_NAME=MALWARE-OTHER HTTP POST request to a GIF file CLASSIFICATION_ID=22 CLASSIFICATION=Detection of a Non-Standard Protocol or Event PROT_NUM=6 PROT= ING_IF=s1p5 EG_IF=s1p1 BLOCKED=NotBlocked MANAGED_DEV_ID=9 EVT_ID=263305 EVT_T=01/15/2015 20:42:56 GEN_ID=1 PRI_ID=2 PRI=medium IMPACT_FLAGS=MonitoredHost, MappedHost, ServerPortOrIp IMPACT=Orange MPLS_LABEL=0 VLAN_ID=0 POL=Intrusion Policy - Corporate AP_PROT=HTTP ACS_CTL_R=File Inspection Rule ACS_CTL_POL=Access Control Policy - CORPORATE ING_SEC_Z=Corporate BBQ_SEC_Z=OOB

R_NAME is the name of the signature (R_ID=24105) that detected the threat.

  • Symantec Endpoint

05 22 2014 11:08:02 1.1.1.1 <LPTR:CRIT> May 22 10:55:13 SymantecServer USABLDRRECFLOW01USABLDRRECFLOW01,[SID: 25238] Fake App Attack: Misleading Application Website attack blocked. Traffic has been blocked for this application: \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\GOOGLE\CHROME\APPLICATION\CHROME.EXE,Local: 1.1.1.1,Local: 000000000000,Remote: ,Remote: 1.1.1.1,Remote: 000000000000,Inbound,TCP,Intrusion ID: 0,Begin: 2014-05-22 10:53:42,End: 2014-05-22 10:53:42,Occurrences: 1,Application: /DEVICE/HARDDISKVOLUME1/PROGRAM FILES/GOOGLE/CHROME/APPLICATION/CHROME.EXE,Location: Coprorate Network,User: pete.store,Domain: safaware,Local Port 4295,Remote Port 80,CIDS Signature ID: 25238,CIDS Signature string: Fake App Attack: Misleading Application Website,CIDS Signature SubID: 70185,Intrusion URL: recordflow.biz,Intrusion Payload URL:

“Fake App Attack: Misleading Application Website attack” is the name of the possible threat detected by signature ID 25238.
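The extractions the four examples above describe, as an added example (not LogRhythm's own MPE rules): a small Python parser that pulls Threat Name and Threat ID out of trimmed excerpts of the samples on this page. It uses Python named groups where an MPE rule would use the `<threatname>` tag; the source-to-pattern mapping is an assumption for illustration.

```python
import re

# Trimmed excerpts of the vendor log samples shown on this page; the full
# lines carry many more fields.
SAMPLES = {
    "cisco": '<sd:signature description="MSSQL Resolution Service Stack Overflow" '
             'id="4703" cid:version="S367" cid:type="other">',
    "qualys": "HOSTIP=1.1.1.1 QID=115731 DETECTIONTYPE=Potential STATUS=New "
              "VULNERABILITY=Apache 1.3 and 2.0 Web Server Multiple Vulnerabilities "
              "VULNERABILITYTYPE=Vulnerability or Potential Vulnerability SEVERITYLEVEL=3",
    "estreamer": "LOGTYPE=INT_EVT_51_IPV4 R_ID=24105 R_REV=9 U_ID=0 U= "
                 "R_NAME=MALWARE-OTHER HTTP POST request to a GIF file "
                 "CLASSIFICATION_ID=22 CLASSIFICATION=Detection of a Non-Standard Protocol or Event",
    "symantec": "Intrusion ID: 0,Occurrences: 1,CIDS Signature ID: 25238,"
                "CIDS Signature string: Fake App Attack: Misleading Application Website,"
                "CIDS Signature SubID: 70185,Intrusion URL: recordflow.biz",
}

# Qualys and eStreamer values may contain spaces, so a value runs until the
# next UPPER_CASE key followed by '=' (or end of line), not until the next space.
KV_VALUE = r"(?P<threatname>.*?)(?=\s+[A-Z_][A-Z0-9_]*=|$)"

PATTERNS = {
    "cisco": re.compile(r'<sd:signature description="(?P<threatname>[^"]*)" id="(?P<threatid>\d+)"'),
    "qualys": re.compile(r"\bQID=(?P<threatid>\d+)\b.*?\bVULNERABILITY=" + KV_VALUE),
    "estreamer": re.compile(r"\bR_ID=(?P<threatid>\d+)\b.*?\bR_NAME=" + KV_VALUE),
    # Symantec is comma-delimited and the signature string itself contains a
    # colon, so capture up to the next comma rather than splitting on ':'.
    "symantec": re.compile(r"CIDS Signature ID: (?P<threatid>\d+),"
                           r"CIDS Signature string: (?P<threatname>[^,]+)"),
}

def extract_threat(source, line):
    """Return {'threatName', 'threatId'} for one log line, or None when the
    source's pattern does not match (leave the field unset rather than guess)."""
    m = PATTERNS[source].search(line)
    if not m:
        return None
    return {"threatName": m.group("threatname").strip(),
            "threatId": m.group("threatid")}

def naive_kv_value(line, key):
    """Whitespace-split lookup, kept only to show the pitfall: it cuts a
    multi-word threat name off at its first space ('Apache' for the Qualys line)."""
    for token in line.split():
        if token.startswith(key + "="):
            return token[len(key) + 1:]
    return None
```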