Detected threats are grouped by threat category. OneView displays a detected threat by the category's full name, while syslog entries and API responses use the category's abbreviated name.
This article lists the threat categories for OneView and explains how to use the abbreviated names to search syslog entries and filter API output.
Threat Category Table
OneView | Syslog & API
--- | ---
Exploit | ae
Malware | malware
PUM | pum
PUP | pup
Ransomware | arw
Remote Intrusion | rid
Website | mwac
Filter threat categories with APIs
Filter the API POST body by threat category to get detection details for that category only. Use this format in the request body:
{
"category": "mwac"
}
Find a threat in a syslog
Threat information is stored in OneView for 90 days. A syslog can retain threat information past 90 days. To find detections that are older than 90 days and no longer shown in the console, search the syslog entries for the stored detections.
Filter syslog results using this format: Detection|Category
Here is a syslog example with an mwac threat.
2023-08-29T17:15:08Z klopp CEF:0|Malwarebytes|Malwarebytes Endpoint Protection|Endpoint Protection 1.2.0.1172|Detection|mwac blocked|1|deviceExternalId=e150291a2b2513b9fd67941ab1135afa41111111 dvchost=MININT-16Tjdoe deviceDnsDomain=jdoeTest.local dvcmac=00:0C:29:33:C6:6A dvc=192.168.2.100 rt=Apr 13 2018 21:05:56 Z fileType=OutboundConnection cat=Website act=blocked msg=Website blocked\\nProcess name: C:\\Users\\vmadmin\\Desktop\\test.exe filePath=drivinfosproduits.info(81.171.14.67:49846) cs1Label=Detection name cs1=Malicious Websites
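As an added example (not code from the article or from Malwarebytes), the script below ties the two procedures together: it builds the API filter body shown earlier and implements the Detection|Category syslog search over CEF lines. The category table is copied from the article; the first sample log line is the article's own example, and the second is a constructed line for contrast. The CEF header layout (seven pipe-delimited fields followed by a key=value extension) is standard CEF, and the function and variable names are this example's own.

```python
import json
import re

# Syslog/API abbreviation -> OneView category name (from the article's table).
CATEGORY_NAMES = {
    "ae": "Exploit",
    "malware": "Malware",
    "pum": "PUM",
    "pup": "PUP",
    "arw": "Ransomware",
    "rid": "Remote Intrusion",
    "mwac": "Website",
}

# First line: the article's own syslog example. Second line: constructed for this example.
SAMPLE_LINES = [
    r"2023-08-29T17:15:08Z klopp CEF:0|Malwarebytes|Malwarebytes Endpoint Protection|"
    r"Endpoint Protection 1.2.0.1172|Detection|mwac blocked|1|"
    r"deviceExternalId=e150291a2b2513b9fd67941ab1135afa41111111 dvchost=MININT-16Tjdoe "
    r"deviceDnsDomain=jdoeTest.local dvcmac=00:0C:29:33:C6:6A dvc=192.168.2.100 "
    r"rt=Apr 13 2018 21:05:56 Z fileType=OutboundConnection cat=Website act=blocked "
    r"msg=Website blocked\\nProcess name: C:\\Users\\vmadmin\\Desktop\\test.exe "
    r"filePath=drivinfosproduits.info(81.171.14.67:49846) cs1Label=Detection name cs1=Malicious Websites",
    # Constructed line (hypothetical host and detection name) with a different category.
    r"2023-08-29T17:16:10Z klopp CEF:0|Malwarebytes|Malwarebytes Endpoint Protection|"
    r"Endpoint Protection 1.2.0.1172|Detection|malware quarantined|1|"
    r"dvchost=WS-EXAMPLE cat=Malware act=quarantined msg=Malware detected "
    r"cs1Label=Detection name cs1=Example.Constructed",
]

# CEF extension: key=value pairs separated by whitespace; values may contain spaces,
# so a value runs until the next " key=" token or the end of the line.
_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def api_filter_body(category):
    """Build the JSON POST body that filters API detection results by category."""
    if category not in CATEGORY_NAMES:
        raise ValueError(f"unknown category abbreviation: {category!r}")
    return json.dumps({"category": category})


def parse_cef_header(line):
    """Split a syslog line's CEF portion into its seven header fields plus the extension."""
    idx = line.find("CEF:")
    if idx < 0:
        return None
    parts = line[idx:].split("|", 7)  # only the first 7 pipes delimit header fields
    if len(parts) < 8:
        return None
    keys = ("version", "vendor", "product", "device_version",
            "signature_id", "name", "severity", "extension")
    return dict(zip(keys, parts))


def parse_extension(ext):
    """Turn the CEF extension string into a dict of key -> value."""
    return {k: v for k, v in _EXT_RE.findall(ext)}


def detection_category(line):
    """Return (abbreviation, action) for a Detection entry, or None for other lines."""
    hdr = parse_cef_header(line)
    if hdr is None or hdr["signature_id"] != "Detection":
        return None
    # The name field is "<category abbreviation> <action>", e.g. "mwac blocked".
    abbrev, _, action = hdr["name"].partition(" ")
    return abbrev, action


def filter_by_category(lines, category):
    """The Detection|Category search: keep detection lines with the given abbreviation."""
    return [ln for ln in lines if (d := detection_category(ln)) and d[0] == category]


def summarize(lines):
    """Count detections per OneView category name, for a quick view of older syslog data."""
    counts = {}
    for ln in lines:
        d = detection_category(ln)
        if d:
            name = CATEGORY_NAMES.get(d[0], d[0])
            counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    print(api_filter_body("mwac"))
    for ln in filter_by_category(SAMPLE_LINES, "mwac"):
        ext = parse_extension(parse_cef_header(ln)["extension"])
        print(ext["dvchost"], ext["cat"], ext["act"], ext["cs1"])
    print(summarize(SAMPLE_LINES))
```

Searching on the abbreviation in the CEF name field rather than on the cat= extension key is deliberate: the name field is what the article's Detection|Category filter matches, and the cat= value is the full OneView name, so the table above is what links the two.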