Values of fields in the body of CEF messages for classes of ScanLogic group events
July 4, 2024
ID 151789
In the body of CEF messages for classes of ScanLogic group events, you can use keys in accordance with their semantics (see the table below).
Permissible values of the fields for classes of ScanLogic group events
Event class | Key | Value |
|---|---|---|
All ScanLogic group classes | cs1 | Message ID. |
cs1Label | Its value is always | |
src | IP address of the server from which the message was received. | |
act | Action. | |
fsize | Message size. | |
suser | Mail sender. | |
duser | List of message recipients. | |
reason | Reason for the event. | |
cs2 | List of rules. | |
cs2Label | Its value is always | |
outcome | Scan status. | |
cs3 | List of recipients of the detected message (from the Skip action). | |
cs3Label | Its value is always | |
fname | File name. | |
LMS_EV_SCAN_LOGIC_AS_STATUS LMS_EV_SCAN_LOGIC_AP_STATUS | cs4 | Detection method. |
cs4Label | Its value is always | |
LMS_EV_SCAN_LOGIC_MA_STATUS | cs4 | SPF status. |
cs4Label | Its value is always | |
cs5 | DKIM status. | |
cs5Label | Its value is always | |
cs6 | DMARC status. | |
cs6Label | Its value is always | |
LMS_EV_SCAN_LOGIC_KT_STATUS | suser | Name of the user account that extracted the message from KATA Quarantine. |
cs4 | Reason for skipping the scan. | |
cs4Label | Its value is always | |
LMS_EV_SCAN_LOGIC_CF_STATUS | cs4 |
|
cs4Label | Its value is always | |
LMS_EV_SCAN_LOGIC_PART_RESULT | cn1 | Number of objects. |
cn1Label | Its value is always | |
cs2 | List of rules. | |
cs2Label | Its value is always | |
cs3 | Unscanned files. | |
cs3Label | Its value is always | |
cs4 | Names of threats. | |
cs4Label | Its value is always | |
cs5 | Name of the blocked file. | |
cs5Label | Its value is always | |
cs6 | Format of the blocked file. | |
cs6Label | Its value is always |
Each class of ScanLogic group events can contain only keys that are relevant to it (see the table below).
Relevant keys for classes of ScanLogic group events
Event class | Relevant keys |
|---|---|
LMS_EV_SCAN_LOGIC_ALL_NOT_PROCESSED | cs1, cs1Label, src, act, fsize, suser, duser |
LMS_EV_SCAN_LOGIC_AS_STATUS | cs1, cs1Label, src, act, fsize, suser, duser, cs2, cs2Label |
LMS_EV_SCAN_LOGIC_AV_STATUS | cs1, cs1Label, src, act, fsize, suser, duser, cs2, cs2Label, cs3, cs3Label, reason, outcome |
LMS_EV_SCAN_LOGIC_AP_STATUS | cs1, cs1Label, src, act, fsize, suser, duser, cs2, cs2Label, cs3, cs3Label, reason, cs4, cs4Label, outcome |
LMS_EV_SCAN_LOGIC_KT_STATUS | cs1, cs1Label, src, act, fsize, suser, duser, cs2, cs2Label, cs3, cs3Label, reason, suser, outcome |
LMS_EV_SCAN_LOGIC_MA_STATUS | cs1, cs1Label, src, act, fsize, suser, duser, cs2, cs2Label, cs3, cs3Label, reason, cs4, cs4Label, cs5, cs5Label, cs6, cs6Label, outcome |
LMS_EV_SCAN_LOGIC_CF_STATUS | cs1, cs1Label, src, act, fsize, suser, duser, cs2, cs2Label, cs3, cs3Label, reason, cs4, cs4Label, outcome |
LMS_EV_SCAN_LOGIC_PART_RESULT | cs1, cs1Label, cn1, cn1Label, fname, act, cn2, cn2Label, reason, cs2, cs2Label, cs3, cs3Label, cs4, cs4Label, cs5, cs5Label, cs6, cs6Label, outcome |
LMS_EV_SCAN_LOGIC_MESSAGE_BACKUP | cs1, cs1Label, src, act, fsize, suser, duser, reason, cs2, cs2Label |
