Detected threats are grouped by threat category. The Nebula console displays a detection by the category's full name, while syslog entries and the API use the category's abbreviated name.
This article lists the threat categories for Nebula and explains how to use the abbreviated names to search syslog entries and filter API output.
| Nebula category | Syslog & API category |
|---|---|
| Exploit | ae |
| Malware | malware |
| PUM | pum |
| PUP | pup |
| Ransomware | arw |
| Remote Intrusion | rid |
| Website | mwac |
Filter threat categories with APIs
Filter the API POST body by threat category to return detection details for that category only. Use this format to filter the data:
{
"category": "mwac"
}
Find threats in a syslog
Nebula stores threat information for 90 days. A syslog server can retain threat information past 90 days, so to find detections older than 90 days that are no longer shown in the console, search the stored syslog entries.
Filter syslog results using this format: Detection|Category
Here is a syslog example with an mwac threat.
2023-08-25T17:15:08Z klopp CEF:0|Malwarebytes|Malwarebytes Endpoint Protection|Endpoint Protection 1.2.0.1172|Detection|Malware quarantined|5|deviceExternalId=cd8f73c95ef73eccf8e837c3253abb83e044c85a dvchost=klopp deviceDnsDomain= dvcmac=005056C00001 dvc=192.168.80.1 rt=Aug 25 2023 17:15:08 Z fileType=file cat=Malware act=quarantined msg=Malware quarantined\nFile: C:\\TEST\\05FF83B2F8DFBD79BA5C58197C316128\nMD5: 05FF83B2F8DFBD79BA5C58197C316128\nSHA256: 1BEBB13E8E206C7635710DF5732EDAEE2FF19E3A097547B2787F9716619DE586 filePath=C:\\TEST\\05FF83B2F8DFBD79BA5C58197C316128 cs1Label=Detection name
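The two workflows above (mapping Nebula category names to their syslog/API abbreviations, and searching retained syslog entries for detections of one category) can be combined in a small parser. The following is an added example, not code from the article or from Malwarebytes: it parses the CEF-formatted Detection records, decodes CEF escapes in extension values, and filters by category using either the Nebula name or the abbreviation. The sample log lines are constructed with placeholder hosts and paths, and the `older_than_days` option is an assumption about how a practitioner would select entries past the 90-day console window.

```python
import re
from datetime import datetime, timedelta, timezone

# Nebula category name -> abbreviation used in syslog and the API (from the table above).
CATEGORY_ABBREV = {"Exploit": "ae", "Malware": "malware", "PUM": "pum", "PUP": "pup",
                   "Ransomware": "arw", "Remote Intrusion": "rid", "Website": "mwac"}
HEADER = ["cef_version", "vendor", "product", "version", "event_class", "name", "severity"]

def normalize_category(value):
    """Accept either the Nebula name or the abbreviation and return the abbreviation."""
    return CATEGORY_ABBREV.get(value, value.lower())

def cef_unescape(value):
    """CEF extension values escape backslash, '=', '|' and newline; decode in one pass."""
    return re.sub(r"\\(.)", lambda m: "\n" if m.group(1) == "n" else m.group(1), value)

def parse_cef_line(line):
    """Parse '<timestamp> <host> CEF:0|...' into a dict; extension keys land under 'ext'."""
    ts, host, cef = line.strip().split(" ", 2)
    if not cef.startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts = re.split(r"(?<!\\)\|", cef[4:], maxsplit=7)   # split on unescaped pipes only
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    # Extension is key=value pairs; values may contain spaces, so stop at the next ' key='.
    ext = {k: cef_unescape(v) for k, v in re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", parts[7])}
    return {"timestamp": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "host": host, **dict(zip(HEADER, parts[:7])), "ext": ext}

def filter_detections(lines, category, older_than_days=None, now=None):
    """Return parsed Detection records whose 'cat' matches the requested category
    (name or abbreviation); optionally keep only records older than N days."""
    wanted = normalize_category(category)
    now = now or datetime.now(timezone.utc)
    hits = []
    for line in lines:
        rec = parse_cef_line(line)
        if rec["event_class"] != "Detection":
            continue
        if normalize_category(rec["ext"].get("cat", "")) != wanted:
            continue
        if older_than_days is not None and now - rec["timestamp"] < timedelta(days=older_than_days):
            continue
        hits.append(rec)
    return hits

# Constructed sample records (placeholder hosts and paths, not real telemetry).
PREFIX = "CEF:0|Malwarebytes|Malwarebytes Endpoint Protection|Endpoint Protection 1.2.0.1172|Detection|"
SAMPLE_LOG = [
    "2023-08-25T17:15:08Z host1 " + PREFIX + "Malware quarantined|5|dvchost=host1 deviceDnsDomain= "
    "fileType=file cat=Malware act=quarantined msg=Malware quarantined\\nFile: C:\\\\TEST\\\\sample.exe "
    "filePath=C:\\\\TEST\\\\sample.exe cs1Label=Detection name",
    "2023-09-01T09:00:00Z host2 " + PREFIX + "Website blocked|5|dvchost=host2 cat=mwac act=blocked "
    "msg=Website blocked cs1Label=Detection name",
]
```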