Understand the message formats used by CAS/MA for syslog/email alerts under Settings > Alert Location -> Type and whether these can be customized
Content Analysis (CAS) and Malware Analysis (MA)
The table below outlines the default message format used for each syslog/email alert type, states which ones can be customized, and lists the message templates (under Settings > Alerts > Messages) that each alert uses.
Refer to the product documentation for more details on the %VARIABLE placeholders.
| Alert Type | Default message format | Can be customized | Message templates used |
|---|---|---|---|
| Virus is found | "%TIMESTAMP\n Hardware serial number: %HWSERIALNUMBER\n %APPNAME %APPVERSION - http://www.symantec.com\n Antivirus Vendor: %AVVENDOR\n Scan Engine Version: %AVENGINEVERS\n Pattern File Version: %AVPATTERNVERS (Pattern date: %AVPATTERNDATE)\n\n Machine name: %MACHINENAME\n Machine IP address: %MACHINEIP\n Server: %SERVER\n Client: %CLIENT\n\n Virus/PUS: '%VIRUS' found!\n URL: %URL" | YES | Virus Upload, Virus Download |
| File was passed through without being scanned | "%REASON\n\n %ACTION\n\n %TIMESTAMP\n Hardware serial number: %HWSERIALNUMBER\n %APPNAME %APPVERSION - http://www.symantec.com\n Antivirus Vendor: %AVVENDOR\n Scan Engine Version: %AVENGINEVERS\n Pattern File Version: %AVPATTERNVERS (Pattern date: %AVPATTERNDATE)\n\n Machine name: %MACHINENAME\n Machine IP address: %MACHINEIP\n Server: %SERVER\n Client: %CLIENT\n\n URL: %URL" | YES | Can't scan uploads, Can't scan downloads |
| Intelligent Connection Traffic Monitoring (ICTM) | "%REASON\n\n %TIMESTAMP\n Hardware serial number: %HWSERIALNUMBER\n %APPNAME %APPVERSION - http://www.symantec.com\n Machine name: %MACHINENAME\n Machine IP address: %MACHINEIP\n\n 'Slow' ICAP connections:\n %URL" / "%REASON\n\n Dropped 'slow' ICAP connections:\n %ACTION\n\n %TIMESTAMP\n Hardware serial number: %HWSERIALNUMBER\n %APPNAME %APPVERSION - http://www.symantec.com\n Machine name: %MACHINENAME\n Machine IP address: %MACHINEIP\n\n 'Slow' ICAP connections:\n %URL" | YES | ICTM warning, ICTM critical |
| Sandboxing Threat Admin Alert (Asynchronous) | "%TIMESTAMP\n Hardware serial number: %HWSERIALNUMBER\n %APPNAME %APPVERSION - http://www.symantec.com\n Sandbox Vendor: %SANDBOX_VENDOR\n\n Machine name: %MACHINENAME\n Machine IP address: %MACHINEIP\n Server: %SERVER\n Client: %CLIENT\n\n Risk score: %THREAT_SCORE\n URL: %URL\n Results: %THREAT_HTML_URL\n CAS Threat Report: %CAS_REPORT_URL\n\n FireEye Results: %FIREEYE_THREAT_HTML_URL\n Solera PCAP: %SOLERA_PCAP_URL\n\n CounterTack Results: %COUNTERTACK_TEXT_DETAILS\n %COUNTERTACK_URL" | YES | Administrator Sandboxing Threat (Asynchronous) |
| Sandboxing Threat Alert | "%REASON\n\n %ACTION\n\n %TIMESTAMP\n Hardware serial number: %HWSERIALNUMBER\n %APPNAME %APPVERSION - http://www.symantec.com\n\n Machine name: %MACHINENAME\n Machine IP address: %MACHINEIP\n Server: %SERVER\n Client: %CLIENT\n\n URL: %URL\n\n Full report: %THREAT_HTML_URL\n %FIREEYE_THREAT_HTML_URL" | YES | Threat Blocked by Sandboxing Cache Download, Threat Blocked by Sandboxing Cache Upload |
| File Reputation Threat Alert | "%REASON\n\n %ACTION\n\n %TIMESTAMP\n Hardware serial number: %HWSERIALNUMBER\n %APPNAME %APPVERSION - http://www.symantec.com\n\n Machine name: %MACHINENAME\n Machine IP address: %MACHINEIP\n Server: %SERVER\n Client: %CLIENT\n\n URL: %URL" | YES | File Reputation Threat Download, File Reputation Threat Upload |
| Predictive Analysis Threat Alert | "%REASON\n\n%ACTION\n\n%TIMESTAMP\nHardware serial number: %HWSERIALNUMBER\n%APPNAME %APPVERSION - http://www.symantec.com\nPredictive Analysis Vendor: %AVVENDOR\nVersion: %AVENGINEVERS\n\nMachine name: %MACHINENAME\nMachine IP address: %MACHINEIP\nServer: %SERVER\nClient: %CLIENT\n\nURL: %URL\nThreat Score: %AV_SYMANTEC_AML_SCORE\nThreat Details:\n%AV_SYMANTEC_AML_DETAILS" | YES | Predictive Analysis Threat Download, Predictive Analysis Threat Upload |
| File was blocked by user blacklist | "%REASON\n\n%ACTION\n\n%TIMESTAMP\nHardware serial number: %HWSERIALNUMBER\n%APPNAME %APPVERSION - http://www.symantec.com\n\nMachine name: %MACHINENAME\nMachine IP address: %MACHINEIP\nServer: %SERVER\nClient: %CLIENT\nURL: %URL" | YES | Custom Blacklist Hash Upload, Custom Blacklist Hash Download |
| File was blocked (excluding the virus case) | "%REASON\n\n %ACTION\n\n %TIMESTAMP\n Hardware serial number: %HWSERIALNUMBER\n %APPNAME %APPVERSION - http://www.symantec.com\n Antivirus Vendor: %AVVENDOR\n Scan Engine Version: %AVENGINEVERS\n Pattern File Version: %AVPATTERNVERS (Pattern date: %AVPATTERNDATE)\n\n Machine name: %MACHINENAME\n Machine IP address: %MACHINEIP\n Server: %SERVER\n Client: %CLIENT\n\n URL: %URL" | YES | Can't scan uploads, Can't scan downloads |
| Antivirus update failed | %TIMESTAMP\n%AVVENDOR on %MACHINENAME(%MACHINEIP) failed to update\nReason: %REASON | NO | N/A |
| Antivirus update succeeded | %TIMESTAMP\n%AVVENDOR on %MACHINENAME(%MACHINEIP) successfully updated\n"AV version: %AVENGINEVERS\nAV pattern version: %AVPATTERNVERS\nAV pattern date: %AVPATTERNDATE\n | NO | N/A |
| License is expired or expiring soon | A. License is expired: %TIMESTAMP\nLicense for %AVVENDOR on %MACHINENAME(%MACHINEIP) expired <days_past_expire> days ago OR %TIMESTAMP\nLicense for %AVVENDOR on %MACHINENAME(%MACHINEIP) expired 1 days ago. B. Expiring soon: %TIMESTAMP\nLicense for %AVVENDOR on %MACHINENAME(%MACHINEIP) will expire in <days_remaining> days OR %TIMESTAMP\nLicense for %AVVENDOR on %MACHINENAME(%MACHINEIP) will expire in 1 day | NO | N/A |
| Reboot | %TIMESTAMP\n%MACHINENAME(%MACHINEIP) rebooted\nReason: %REASON | NO | N/A |
| Hardware sensor detected a problem | %TIMESTAMP\n%MACHINENAME(%MACHINEIP) hardware failure detected for sensor "<sensor>", State: <sensor_state> OR %TIMESTAMP\n%MACHINENAME(%MACHINEIP) hardware failure resolved for sensor "<sensor>" | NO | N/A |
Note that some of the alerts under Settings > Alerts > Messages have two templates, accessible by clicking the red bell icon and the user icon. For those alerts, the "red bell" template is used for syslog messages and the "user" template for email alerts. For alerts with only a "red bell" icon, that one template is used for both syslog and email alerts.
Note that for syslog messages, the newlines ("\n") in the template are replaced with commas; the newlines are preserved in email messages.
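Because the syslog rendering turns every "\n" into a comma, a SIEM parser that naively splits on commas will break values such as URLs that contain commas. The following parser for the "Virus is found" syslog alert is an added example, not code from the page or the product; it locates each value by the template's fixed labels instead, and the sample message and all of its values (serial number, hostnames, IPs, virus name, URL) are constructed.

```python
import re

# Labels of the "Virus is found" template, in template order. Values are
# located by label rather than by splitting on commas, because the syslog
# form replaces every "\n" with a comma and a URL or virus name may itself
# contain commas.
VIRUS_FOUND_LABELS = [
    "Hardware serial number", "Antivirus Vendor", "Scan Engine Version",
    "Pattern File Version", "Machine name", "Machine IP address",
    "Server", "Client", "Virus/PUS", "URL",
]

# Constructed sample of the syslog rendering; every value is made up.
SAMPLE_SYSLOG = (
    "2024-01-15 10:22:31, Hardware serial number: 0123456789ABCDEF,"
    " Content Analysis 3.1.2.1 - http://www.symantec.com,"
    " Antivirus Vendor: Symantec, Scan Engine Version: 1.2.3.4,"
    " Pattern File Version: 20240115.001 (Pattern date: 2024-01-15),,"
    " Machine name: cas-lab-01, Machine IP address: 10.0.0.5,"
    " Server: 10.0.0.9, Client: 10.0.0.42,,"
    " Virus/PUS: 'EICAR-Test-File' found!, URL: http://example.test/a,b.exe"
)


def parse_virus_found_syslog(msg: str) -> dict:
    """Turn one syslog 'Virus is found' alert into a dict of named fields."""
    positions = []
    for label in VIRUS_FOUND_LABELS:
        idx = msg.find(label + ":")
        if idx < 0:
            raise ValueError(f"missing label {label!r}; not a Virus-found alert")
        positions.append((idx, label))
    positions.sort()
    # Everything before the first label is the %TIMESTAMP value.
    fields = {"timestamp": msg[: positions[0][0]].strip(" ,")}
    bounds = positions + [(len(msg), None)]
    for (start, label), (end, _) in zip(positions, bounds[1:]):
        fields[label] = msg[start + len(label) + 1 : end].strip(" ,")
    # The "%APPNAME %APPVERSION - http://..." line carries no label, so it was
    # swept into the serial-number value; split it back out on its comma.
    serial, _, app = fields["Hardware serial number"].partition(",")
    fields["Hardware serial number"], fields["Application"] = serial.strip(), app.strip()
    # "X (Pattern date: Y)" -> two fields; "'name' found!" -> bare name.
    m = re.fullmatch(r"(\S+) \(Pattern date: (.+)\)", fields["Pattern File Version"])
    if m:
        fields["Pattern File Version"], fields["Pattern date"] = m.group(1), m.group(2)
    m = re.fullmatch(r"'(.*)' found!", fields["Virus/PUS"])
    if m:
        fields["Virus/PUS"] = m.group(1)
    return fields
```

If an alert template has been customized, the label list must be adjusted to match, since the parser relies on the labels appearing in the message.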