ScanLogic group event classes

In the body of CEF messages for classes of ScanLogic group events, you can use keys in accordance with their semantics (see the table below).

Permissible values of the fields for classes of ScanLogic group events

Event class

Key

Value

All ScanLogic group classes

cs1

Message ID.

cs1Label

Its value is always MessageId.

src

IP address of the server from which the message was received.

act

Action.

fsize

Message size.

suser

Mail sender.

duser

List of message recipients.

reason

Reason for the event.

cs2

List of rules.

cs2Label

Its value is always Rules.

outcome

Scan status.

cs3

List of recipients of notifications about triggered rules for which a notification is configured with the original message in an attachment.

cs3Label

Its value is always UnsafeRecipients.

fname

File name.

LMS_EV_SCAN_LOGIC_AS_STATUS

LMS_EV_SCAN_LOGIC_AP_STATUS

LMS_EV_SCAN_LOGIC_MLF_STATUS

cs4

Detection method.

cs4Label

Its value is always Method.

LMS_EV_SCAN_LOGIC_MA_STATUS

cs4

SPF status.

cs4Label

Its value is always SpfVerdict.

cs5

DKIM status.

cs5Label

Its value is always DkimVerdict.

cs6

DMARC status.

cs6Label

Its value is always DmarcVerdict.

LMS_EV_SCAN_LOGIC_KT_STATUS

suser

Name of the user account that extracted the message from KATA Quarantine.

cs4

Reason for skipping the scan.

cs4Label

Its value is always SkipReason.

LMS_EV_SCAN_LOGIC_CF_STATUS

cs4

Possible values:

  • DetectedFileFormat
  • DetectedFileName
  • DetectedFileSize

cs4Label

The value is always DetectedEntity.

LMS_EV_SCAN_LOGIC_PART_RESULT

cn1

Number of objects.

cn1Label

Its value is always ObjectsNumber.

cn2

Size of the blocked file.

cn2Label

The value is always DetectedFileSize.

cs3

Unscanned files.

cs3Label

Its value is always AvExclude.

cs4

Names of threats.

cs4Label

Its value is always Threats.

cs5

Name of the blocked file.

cs5Label

The value is always DetectedFileName.

cs6

Format of the blocked file.

cs6Label

The value is always DetectedFileFormat.

Each class of ScanLogic group events can contain only keys that are relevant to it (see the table below).

Relevant keys for classes of ScanLogic group events

Event class

Relevant keys

LMS_EV_SCAN_LOGIC_ALL_NOT_PROCESSED

cs1, cs1Label, src, act, fsize, suser, duser, reason

LMS_EV_SCAN_LOGIC_AS_STATUS

cs1, cs1Label, src, act, fsize, suser, duser, cs2, cs2Label, cs4, cs4Label, reason, outcome

LMS_EV_SCAN_LOGIC_AV_STATUS

cs1, cs1Label, src, act, fsize, suser, duser, cs2, cs2Label, cs3, cs3Label, reason, outcome

LMS_EV_SCAN_LOGIC_AP_STATUS

LMS_EV_SCAN_LOGIC_MLF_STATUS

cs1, cs1Label, src, act, fsize, suser, duser, cs2, cs2Label, cs3, cs3Label, reason, cs4, cs4Label, outcome

LMS_EV_SCAN_LOGIC_KT_STATUS

cs1, cs1Label, src, act, fsize, suser, duser, cs2, cs2Label, cs3, cs3Label, cs4, cs4Label, reason, suser, outcome

LMS_EV_SCAN_LOGIC_MA_STATUS

cs1, cs1Label, src, act, fsize, suser, duser, cs2, cs2Label, cs3, cs3Label, reason, cs4, cs4Label, cs5, cs5Label, cs6, cs6Label, outcome

LMS_EV_SCAN_LOGIC_CF_STATUS

cs1, cs1Label, src, act, fsize, suser, duser, cs2, cs2Label, cs3, cs3Label, reason, cs4, cs4Label, outcome

LMS_EV_SCAN_LOGIC_PART_RESULT

cs1, cs1Label, cn1, cn1Label, fname, act, reason, cs2, cs2Label, cs3, cs3Label, cs4, cs4Label, cs5, cs5Label, cs6, cs6Label, outcome, cn2, cn2Label

LMS_EV_SCAN_LOGIC_MESSAGE_BACKUP

cs1, cs1Label, src, act, fsize, suser, duser, reason, cs2, cs2Label

If the avStatus=Infected or avStatus=Disinfected status is indicated in the mime part field in a LMS_EV_SCAN_LOGIC_PART_RESULT event, the disinfectedObjects or deletedObjects list is indicated as the cn1 key value if one of these lists is available. If both lists are not empty, the cn1 and cn1Label keys will be added twice.

Page top