ScanLogic group event classes
In the body of CEF messages for classes of ScanLogic group events, you can use keys in accordance with their semantics (see the table below).
Permissible values of the fields for classes of ScanLogic group events
| Event class | Key | Value |
|---|---|---|
| All ScanLogic group classes | cs1 | Message ID. |
| | cs1Label | Its value is always |
| | src | IP address of the server from which the message was received. |
| | act | Final action that was performed on the message. |
| | fsize | Message size. |
| | suser | Mail sender. The address is taken from the SMTP session. |
| | duser | List of message recipients. The addresses are taken from the SMTP session. |
| | cs2 | List of rules. |
| | cs2Label | Its value is always |
| | outcome | Scan status. |
| | cs3 | List of recipients of notifications about triggered rules for which a notification is configured with the original message in an attachment. The addresses are taken from the SMTP session. |
| | cs3Label | Its value is always |
| | fname | File name. |
| LMS_EV_SCAN_LOGIC_ALL_NOT_PROCESSED | reason | Reason for the event. Possible values: |
| LMS_EV_SCAN_LOGIC_AV_STATUS | act | Final action that was performed on the message. Possible values: |
| | cs4 | Detection method. Possible values: |
| | outcome | Scan status. Possible values: |
| | reason | Reason for the event. Possible values: |
| LMS_EV_SCAN_LOGIC_AS_STATUS | act | Final action that was performed on the message. Possible values: |
| | cs4 | Detection method. Possible values are subject to change and do not depend on the product version. |
| | cs4Label | Its value is always |
| | outcome | Scan status. Possible values: |
| | reason | Reason for the event. Possible values: |
| LMS_EV_SCAN_LOGIC_AP_STATUS | act | Final action that was performed on the message. Possible values: |
| | cs4 | Detection method. Possible values: |
| | cs4Label | Its value is always |
| | outcome | Scan status. Possible values: |
| | reason | Reason for the event. Possible values: |
| LMS_EV_SCAN_LOGIC_MLF_STATUS | act | Final action that was performed on the message. Possible values: |
| | cs4 | Detection method. Possible values: |
| | cs4Label | Its value is always |
| | outcome | Scan status. Possible values: |
| | reason | Reason for the event. Possible values: |
| LMS_EV_SCAN_LOGIC_MA_STATUS | act | Final action that was performed on the message. Possible values: |
| | cs4 | SPF status. Possible values: |
| | cs4Label | Its value is always |
| | cs5 | DKIM status. |
| | cs5Label | Its value is always |
| | cs6 | DMARC status. |
| | cs6Label | Its value is always |
| | outcome | Scan status. Possible values: |
| | reason | Reason for the event. Possible values: |
| LMS_EV_SCAN_LOGIC_KT_STATUS | act | Final action that was performed on the message. Possible values: |
| | suser | Name of the user account that extracted the message from KATA Quarantine. |
| | cs4 | Reason for skipping the scan. Possible values: |
| | cs4Label | Its value is always |
| | outcome | Scan status. Possible values: |
| | reason | Reason for the event. Possible values: |
| LMS_EV_SCAN_LOGIC_CF_STATUS | act | Final action that was performed on the message. Possible values: |
| | cs4 | Possible values: |
| | cs4Label | The value is always |
| | outcome | Scan status. Possible values: |
| | reason | Reason for the event. Possible values: |
| LMS_EV_SCAN_LOGIC_PART_RESULT | cn1 | Number of objects. |
| | cn1Label | Its value is always |
| | cn2 | Size of the blocked file. |
| | cn2Label | The value is always |
| | cs3 | Unscanned files. |
| | cs3Label | Its value is always |
| | cs4 | List of names of detected threats. |
| | cs4Label | Its value is always |
| | cs5 | Name of the blocked file. |
| | cs5Label | The value is always |
| | cs6 | Format of the blocked file. |
| | cs6Label | The value is always |
| | outcome | Scan status. Possible values: |
| | reason | Reason for the event. Possible values: |
| LMS_EV_SCAN_LOGIC_MESSAGE_BACKUP | act | Final action that was performed on the message. Possible values: |
| | reason | Reason for the event. Possible values: |

Each class of ScanLogic group events can contain only keys that are relevant to it (see the table below).
Relevant keys for classes of ScanLogic group events
| Event class | Relevant keys |
|---|---|
| LMS_EV_SCAN_LOGIC_ALL_NOT_PROCESSED | cs1, cs1Label, src, act, fsize, suser, duser, reason |
| LMS_EV_SCAN_LOGIC_AS_STATUS | cs1, cs1Label, src, act, fsize, suser, duser, cs2, cs2Label, cs4, cs4Label, reason, outcome |
| LMS_EV_SCAN_LOGIC_AV_STATUS | cs1, cs1Label, src, act, fsize, suser, duser, cs2, cs2Label, cs3, cs3Label, cs4, reason, outcome |
| LMS_EV_SCAN_LOGIC_AP_STATUS, LMS_EV_SCAN_LOGIC_MLF_STATUS | cs1, cs1Label, src, act, fsize, suser, duser, cs2, cs2Label, cs3, cs3Label, reason, cs4, cs4Label, outcome |
| LMS_EV_SCAN_LOGIC_KT_STATUS | cs1, cs1Label, src, act, fsize, suser, duser, cs2, cs2Label, cs3, cs3Label, cs4, cs4Label, reason, suser, outcome |
| LMS_EV_SCAN_LOGIC_MA_STATUS | cs1, cs1Label, src, act, fsize, suser, duser, cs2, cs2Label, reason, cs3, cs3Label, cs4, cs4Label, cs5, cs5Label, cs6, cs6Label, outcome |
| LMS_EV_SCAN_LOGIC_CF_STATUS | cs1, cs1Label, src, act, fsize, suser, duser, cs2, cs2Label, cs3, cs3Label, reason, cs4, cs4Label, outcome |
| LMS_EV_SCAN_LOGIC_PART_RESULT | cs1, cs1Label, cn1, cn1Label, fname, act, reason, cs2, cs2Label, cs3, cs3Label, cs4, cs4Label, cs5, cs5Label, cs6, cs6Label, cn2, cn2Label, outcome |
| LMS_EV_SCAN_LOGIC_MESSAGE_BACKUP | cs1, cs1Label, src, act, fsize, suser, duser, reason, cs2, cs2Label |

If the avStatus=Infected or avStatus=Disinfected status is indicated in the MIME part field in an LMS_EV_SCAN_LOGIC_PART_RESULT event, the disinfectedObjects or deletedObjects list is indicated as the cn1 key value if one of these lists is available. If both lists are not empty, the cn1 and cn1Label keys will be added twice.
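
Because cn1 and cn1Label can appear twice in one LMS_EV_SCAN_LOGIC_PART_RESULT message, a collector that loads the CEF extension into a plain key/value map silently keeps only the last pair. The following is an added example, not code from the product or its documentation: it parses an extension while preserving repeated keys, pairs each value with its label by order of appearance, and flags keys that the table above does not list for this event class. The sample message, its values and the label strings (LABEL_ID, LABEL_A, LABEL_B) are constructed placeholders.

```python
import re
from itertools import zip_longest

# Keys the page lists as relevant for LMS_EV_SCAN_LOGIC_PART_RESULT.
PART_RESULT_KEYS = set(
    "cs1 cs1Label cn1 cn1Label fname act reason cs2 cs2Label cs3 cs3Label "
    "cs4 cs4Label cs5 cs5Label cs6 cs6Label cn2 cn2Label outcome".split())

# A key starts the extension or follows whitespace; "\=" inside a value is escaped.
_KEY = re.compile(r"(?:^|(?<=\s))(\w+)=")

# Constructed sample extension; every value and label here is a placeholder.
SAMPLE = (r"cs1=MSG-0001 cs1Label=LABEL_ID cn1=2 cn1Label=LABEL_A "
          r"cn1=1 cn1Label=LABEL_B fname=invoice\=march.zip act=SAMPLE_ACT")

def _unescape(value):
    # CEF extension escapes: "\=" -> "=", "\\" -> "\", "\n" -> newline.
    return re.sub(r"\\(.)", lambda m: "\n" if m.group(1) == "n" else m.group(1), value)

def parse_extension(ext):
    """Return (key, value) pairs in message order, keeping repeated keys."""
    marks = list(_KEY.finditer(ext))
    pairs = []
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(ext)
        pairs.append((m.group(1), _unescape(ext[m.end():end].strip())))
    return pairs

def normalise(pairs):
    """Pair the i-th csN/cnN value with the i-th label; report unlisted keys."""
    values, labels, unexpected = {}, {}, []
    for key, val in pairs:
        if key not in PART_RESULT_KEYS:
            unexpected.append(key)
        is_label = key.endswith("Label")
        bucket = labels if is_label else values
        bucket.setdefault(key[:-5] if is_label else key, []).append(val)
    event = {}
    for name, vals in values.items():
        if name in labels:   # custom field: list of (label, value) tuples
            event[name] = list(zip_longest(labels[name], vals))
        else:                # ordinary field: scalar unless repeated
            event[name] = vals[0] if len(vals) == 1 else vals
    return event, unexpected
```
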