Appendix: Technical reference
Overview
This section provides a technical reference for some of the Spectra Analyze appliance configuration options.
SNMP trap thresholds
For more information, see SNMP.
The Spectra Analyze appliance can receive notifications, or traps, about important system events via the Simple Network Management Protocol (SNMP).
Traps for average system load, memory usage and disk usage are the mteTriggerFired notification of the Distributed Management Event MIB (DISMAN-EVENT-MIB::mteTriggerFired). Traps for Spectra Detect and classification queue sizes are generated from the tswQueueThreshold MIB object.
To enable SNMP traps and configure the address of the trap sink server, adjust the values in the Administration > Configuration & Update > Configuration > SNMP dialog on the Spectra Analyze appliance. The same dialog sets the thresholds for the supported events, which are described below.
Average system load
This trap is sent if the average system load exceeds the specified 1-minute, 5-minute or 15-minute threshold. Thresholds are entered as percentages, which the appliance converts into the load-average values reported by the uptime and top commands.
The following examples show traps triggered by a high 1-minute, 5-minute and 15-minute system load average respectively:
```text
2018-01-26 14:35:54 <UNKNOWN> [UDP: [192.168.123.247]:60418->[192.168.123.17]:162]:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (13) 0:00:00.13
SNMPv2-MIB::snmpTrapOID.0 = OID: DISMAN-EVENT-MIB::mteTriggerFired
DISMAN-EVENT-MIB::mteHotTrigger.0 = STRING: laTable
DISMAN-EVENT-MIB::mteHotTargetName.0 = STRING:
DISMAN-EVENT-MIB::mteHotContextName.0 = STRING:
DISMAN-EVENT-MIB::mteHotOID.0 = OID: UCD-SNMP-MIB::laErrorFlag.1
DISMAN-EVENT-MIB::mteHotValue.0 = INTEGER: 1
UCD-SNMP-MIB::laNames.1 = STRING: Load-1
UCD-SNMP-MIB::laErrMessage.1 = STRING: 1 min Load Average too high (= 2.56)

2018-01-26 14:35:54 <UNKNOWN> [UDP: [192.168.123.247]:60418->[192.168.123.17]:162]:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (13) 0:00:00.13
SNMPv2-MIB::snmpTrapOID.0 = OID: DISMAN-EVENT-MIB::mteTriggerFired
DISMAN-EVENT-MIB::mteHotTrigger.0 = STRING: laTable
DISMAN-EVENT-MIB::mteHotTargetName.0 = STRING:
DISMAN-EVENT-MIB::mteHotContextName.0 = STRING:
DISMAN-EVENT-MIB::mteHotOID.0 = OID: UCD-SNMP-MIB::laErrorFlag.2
DISMAN-EVENT-MIB::mteHotValue.0 = INTEGER: 1
UCD-SNMP-MIB::laNames.2 = STRING: Load-5
UCD-SNMP-MIB::laErrMessage.2 = STRING: 5 min Load Average too high (= 2.00)

2018-01-26 14:35:54 <UNKNOWN> [UDP: [192.168.123.247]:60418->[192.168.123.17]:162]:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (13) 0:00:00.13
SNMPv2-MIB::snmpTrapOID.0 = OID: DISMAN-EVENT-MIB::mteTriggerFired
DISMAN-EVENT-MIB::mteHotTrigger.0 = STRING: laTable
DISMAN-EVENT-MIB::mteHotTargetName.0 = STRING:
DISMAN-EVENT-MIB::mteHotContextName.0 = STRING:
DISMAN-EVENT-MIB::mteHotOID.0 = OID: UCD-SNMP-MIB::laErrorFlag.3
DISMAN-EVENT-MIB::mteHotValue.0 = INTEGER: 1
UCD-SNMP-MIB::laNames.3 = STRING: Load-15
UCD-SNMP-MIB::laErrMessage.3 = STRING: 15 min Load Average too high (= 2.05)
```
Used memory
This trap is sent if used memory on the local system exceeds the specified percentage. The default value is 80%. The following example shows an event triggered by memory usage that exceeded the configured trap threshold:
```text
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (8) 0:00:00.08
SNMPv2-MIB::snmpTrapOID.0 = OID: DISMAN-EVENT-MIB::mteTriggerFired
DISMAN-EVENT-MIB::mteHotTrigger.0 = STRING: memoryFree
DISMAN-EVENT-MIB::mteHotTargetName.0 = STRING:
DISMAN-EVENT-MIB::mteHotContextName.0 = STRING:
DISMAN-EVENT-MIB::mteHotOID.0 = OID: UCD-SNMP-MIB::memTotalFree.0
DISMAN-EVENT-MIB::mteHotValue.0 = INTEGER: 2124816
UCD-SNMP-MIB::memTotalReal.0 = INTEGER: 16467096 kB
```
Used disk space
This trap is sent if used disk space on any of the mounted disks exceeds the specified percentage. The default value is 90%. The following example shows an event triggered by the /boot partition having less than 10% free space:
```text
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (25) 0:00:00.25
SNMPv2-MIB::snmpTrapOID.0 = OID: DISMAN-EVENT-MIB::mteTriggerFired
DISMAN-EVENT-MIB::mteHotTrigger.0 = STRING: dskTable
DISMAN-EVENT-MIB::mteHotTargetName.0 = STRING:
DISMAN-EVENT-MIB::mteHotContextName.0 = STRING:
DISMAN-EVENT-MIB::mteHotOID.0 = OID: UCD-SNMP-MIB::dskErrorFlag.26
DISMAN-EVENT-MIB::mteHotValue.0 = INTEGER: 1
UCD-SNMP-MIB::dskPath.26 = STRING: /boot
UCD-SNMP-MIB::dskErrorMsg.26 = STRING: /boot: less than 10% free (= 8%)
```
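The three trap shapes above are easy to mishandle in a syslog pipeline: only the load and disk traps carry a text message, while the memory trap carries raw kB counters. The following parser is an added example, not code from this page or from the appliance: it splits snmptrapd-style text into traps, tolerates an "OID:" value wrapped onto the next line, and reduces each trap to a trigger, subject and message, computing used-memory percent from mteHotValue and memTotalReal. The sample input is constructed from the values shown above.

```python
import re

# Constructed sample in the snmptrapd text format shown in this appendix. The
# varbind values are the page's own; the timestamps and the wrapping of one
# "OID:" value onto the next line are constructed.
SAMPLE_TRAPS = """\
2018-01-26 14:35:54 <UNKNOWN> [UDP: [192.168.123.247]:60418->[192.168.123.17]:162]:
DISMAN-EVENT-MIB::mteHotTrigger.0 = STRING: laTable
DISMAN-EVENT-MIB::mteHotOID.0 = OID:
UCD-SNMP-MIB::laErrorFlag.1
UCD-SNMP-MIB::laNames.1 = STRING: Load-1
UCD-SNMP-MIB::laErrMessage.1 = STRING: 1 min Load Average too high (= 2.56)
2018-01-26 14:36:10 <UNKNOWN> [UDP: [192.168.123.247]:60418->[192.168.123.17]:162]:
DISMAN-EVENT-MIB::mteHotTrigger.0 = STRING: memoryFree
DISMAN-EVENT-MIB::mteHotValue.0 = INTEGER: 2124816
UCD-SNMP-MIB::memTotalReal.0 = INTEGER: 16467096 kB
2018-01-26 14:37:02 <UNKNOWN> [UDP: [192.168.123.247]:60418->[192.168.123.17]:162]:
DISMAN-EVENT-MIB::mteHotTrigger.0 = STRING: dskTable
UCD-SNMP-MIB::dskPath.26 = STRING: /boot
UCD-SNMP-MIB::dskErrorMsg.26 = STRING: /boot: less than 10% free (= 8%)
"""

HEADER = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ")  # snmptrapd timestamp line

def parse_traps(text):
    """One {object: value} dict per trap, type tag ("STRING:", "INTEGER:") dropped.
    A line without " = " is a wrapped continuation of the previous varbind."""
    traps, last = [], None
    for line in text.splitlines():
        if HEADER.match(line):
            traps.append({})
            last = None
        elif " = " in line:
            if not traps:                 # tolerate a capture with no header line
                traps.append({})
            last, _, rest = line.partition(" = ")
            traps[-1][last] = rest.partition(":")[2].strip()
        elif last:
            traps[-1][last] = (traps[-1][last] + " " + line.strip()).strip()
    return traps

def row_value(varbinds, column):
    """Value of the single UCD-SNMP-MIB table row in the trap, e.g. laNames.1."""
    prefix = f"UCD-SNMP-MIB::{column}."
    return next((v for k, v in varbinds.items() if k.startswith(prefix)), "")

def memory_used_percent(varbinds):
    # The memory trap carries no text, only free kB (mteHotValue) and total kB.
    free_kb = int(varbinds["DISMAN-EVENT-MIB::mteHotValue.0"])
    total_kb = int(varbinds["UCD-SNMP-MIB::memTotalReal.0"].split()[0])  # "... kB"
    return 100.0 * (total_kb - free_kb) / total_kb

def summarize(varbinds):
    """Reduce one trap to (trigger, subject, message) for an alert pipeline."""
    trigger = varbinds.get("DISMAN-EVENT-MIB::mteHotTrigger.0", "")
    if trigger == "laTable":
        return trigger, row_value(varbinds, "laNames"), row_value(varbinds, "laErrMessage")
    if trigger == "dskTable":
        return trigger, row_value(varbinds, "dskPath"), row_value(varbinds, "dskErrorMsg")
    if trigger == "memoryFree":
        return trigger, "memory", f"memory used {memory_used_percent(varbinds):.1f}%"
    return trigger or "unknown", "", "unrecognised DISMAN-EVENT-MIB trap"

def process(text):
    return [summarize(vb) for vb in parse_traps(text)]
```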
Spectra Detect queue size
This trap is sent if the number of messages in any of the queues used for Spectra Detect communication exceeds the specified value. The check runs once a minute, so a queue can briefly peak above the threshold without sending a trap if the peak lasts less than one minute.
Each logged event carries two values: the name of the queue that triggered the event and the size of that queue at the moment the event was triggered.
Classifications queue size
This trap is sent if the number of messages in any of the queues used for classifications exceeds the specified value. The check runs once a minute, so a queue can briefly peak above the threshold without sending a trap if the peak lasts less than one minute.
Each logged event carries two values: the name of the queue that triggered the event and the size of that queue at the moment the event was triggered.
Spectra Analyze MIB descriptions
| MIB Module | Value | OID | Description |
|---|---|---|---|
| RL-MIB | device | .1.3.6.1.4.1.48699.1.1 | |
| RL-MIB | a1000 | .1.3.6.1.4.1.48699.1.1.2 | |
| RL-TCBASE-MIB | tcbMib | .1.3.6.1.4.1.48699.1.1.2.1 | |
| RL-TCBASE-MIB | tcbMibObjects | .1.3.6.1.4.1.48699.1.1.2.1.1 | |
| RL-TCBASE-MIB | tcbScalars | .1.3.6.1.4.1.48699.1.1.2.1.1.1 | |
| RL-TCBASE-MIB | tcbQueuesApiLongState | .1.3.6.1.4.1.48699.1.1.2.1.1.1.1 | State for api_longrunning queue. |
| RL-TCBASE-MIB | tcbQueuesApiLongCons | .1.3.6.1.4.1.48699.1.1.2.1.1.1.2 | Number of consumers for api_longrunning queue. |
| RL-TCBASE-MIB | tcbQueuesApiLongMsg | .1.3.6.1.4.1.48699.1.1.2.1.1.1.3 | Number of messages for api_longrunning queue. |
| RL-TCBASE-MIB | tcbQueuesApiReqsState | .1.3.6.1.4.1.48699.1.1.2.1.1.1.4 | State for api_requests queue. |
| RL-TCBASE-MIB | tcbQueuesApiReqsCons | .1.3.6.1.4.1.48699.1.1.2.1.1.1.5 | Number of consumers for api_requests queue. |
| RL-TCBASE-MIB | tcbQueuesApiReqsMsg | .1.3.6.1.4.1.48699.1.1.2.1.1.1.6 | Number of messages for api_requests queue. |
| RL-TCBASE-MIB | tcbQueuesCeleryState | .1.3.6.1.4.1.48699.1.1.2.1.1.1.7 | State for celery queue. |
| RL-TCBASE-MIB | tcbQueuesCeleryCons | .1.3.6.1.4.1.48699.1.1.2.1.1.1.8 | Number of consumers for celery queue. |
| RL-TCBASE-MIB | tcbQueuesCeleryMsg | .1.3.6.1.4.1.48699.1.1.2.1.1.1.9 | Number of messages for celery queue. |
| RL-TCBASE-MIB | tcbQueuesDefaultState | .1.3.6.1.4.1.48699.1.1.2.1.1.1.10 | State for default queue. |
| RL-TCBASE-MIB | tcbQueuesDefaultCons | .1.3.6.1.4.1.48699.1.1.2.1.1.1.11 | Number of consumers for default queue. |
| RL-TCBASE-MIB | tcbQueuesDefaultMsg | .1.3.6.1.4.1.48699.1.1.2.1.1.1.12 | Number of messages for default queue. |
| RL-TCBASE-MIB | tcbQueuesTasksApiState | .1.3.6.1.4.1.48699.1.1.2.1.1.1.13 | State for tasks.api queue. |
| RL-TCBASE-MIB | tcbQueuesTasksApiCons | .1.3.6.1.4.1.48699.1.1.2.1.1.1.14 | Number of consumers for tasks.api queue. |
| RL-TCBASE-MIB | tcbQueuesTasksApiMsg | .1.3.6.1.4.1.48699.1.1.2.1.1.1.15 | Number of messages for tasks.api queue. |
| RL-TCBASE-MIB | tcbQueuesTasksApiLongState | .1.3.6.1.4.1.48699.1.1.2.1.1.1.16 | State for tasks.api.longrunning queue. |
| RL-TCBASE-MIB | tcbQueuesTasksApiLongCons | .1.3.6.1.4.1.48699.1.1.2.1.1.1.17 | Number of consumers for tasks.api.longrunning queue. |
| RL-TCBASE-MIB | tcbQueuesTasksApiLongMsg | .1.3.6.1.4.1.48699.1.1.2.1.1.1.18 | Number of messages for tasks.api.longrunning queue. |
| RL-TCBASE-MIB | tcbQueuesTasksApiReqState | .1.3.6.1.4.1.48699.1.1.2.1.1.1.19 | State for tasks.api.requests queue. |
| RL-TCBASE-MIB | tcbQueuesTasksApiReqCons | .1.3.6.1.4.1.48699.1.1.2.1.1.1.20 | Number of consumers for tasks.api.requests queue. |
| RL-TCBASE-MIB | tcbQueuesTasksApiReqMsg | .1.3.6.1.4.1.48699.1.1.2.1.1.1.21 | Number of messages for tasks.api.requests queue. |
| RL-TCBASE-MIB | tcbQueuesTasksClassState | .1.3.6.1.4.1.48699.1.1.2.1.1.1.22 | State for tasks.classification queue. |
| RL-TCBASE-MIB | tcbQueuesTasksClassCons | .1.3.6.1.4.1.48699.1.1.2.1.1.1.23 | Number of consumers for tasks.classification queue. |
| RL-TCBASE-MIB | tcbQueuesTasksClassMsg | .1.3.6.1.4.1.48699.1.1.2.1.1.1.24 | Number of messages for tasks.classification queue. |
| RL-TCBASE-MIB | tcbQueuesTasksDefaultState | .1.3.6.1.4.1.48699.1.1.2.1.1.1.25 | State for tasks.default queue. |
| RL-TCBASE-MIB | tcbQueuesTasksDefaultCons | .1.3.6.1.4.1.48699.1.1.2.1.1.1.26 | Number of consumers for tasks.default queue. |
| RL-TCBASE-MIB | tcbQueuesTasksDefaultMsg | .1.3.6.1.4.1.48699.1.1.2.1.1.1.27 | Number of messages for tasks.default queue. |
| RL-TCBASE-MIB | tcbQueuesTasksTransferState | .1.3.6.1.4.1.48699.1.1.2.1.1.1.28 | State for tasks.transfer queue. |
| RL-TCBASE-MIB | tcbQueuesTasksTransferCons | .1.3.6.1.4.1.48699.1.1.2.1.1.1.29 | Number of consumers for tasks.transfer queue. |
| RL-TCBASE-MIB | tcbQueuesTasksTransferMsg | .1.3.6.1.4.1.48699.1.1.2.1.1.1.30 | Number of messages for tasks.transfer queue. |
| RL-TCBASE-MIB | tcbQueuesTcbaseCollectorState | .1.3.6.1.4.1.48699.1.1.2.1.1.1.31 | State for tcbase.collector queue. |
| RL-TCBASE-MIB | tcbQueuesTcbaseCollectorCons | .1.3.6.1.4.1.48699.1.1.2.1.1.1.32 | Number of consumers for tcbase.collector queue. |
| RL-TCBASE-MIB | tcbQueuesTcbaseCollectorMsg | .1.3.6.1.4.1.48699.1.1.2.1.1.1.33 | Number of messages for tcbase.collector queue. |
| RL-TCBASE-MIB | tcbQueuesHagentErrorState | .1.3.6.1.4.1.48699.1.1.2.1.1.1.34 | State for tiscale.hagent_error queue. |
| RL-TCBASE-MIB | tcbQueuesHagentErrorCons | .1.3.6.1.4.1.48699.1.1.2.1.1.1.35 | Number of consumers for tiscale.hagent_error queue. |
| RL-TCBASE-MIB | tcbQueuesHagentErrorMsg | .1.3.6.1.4.1.48699.1.1.2.1.1.1.36 | Number of messages for tiscale.hagent_error queue. |
| RL-TCBASE-MIB | tcbQueuesHagentInputState | .1.3.6.1.4.1.48699.1.1.2.1.1.1.37 | State for tiscale.hagent_input queue. |
| RL-TCBASE-MIB | tcbQueuesHagentInputCons | .1.3.6.1.4.1.48699.1.1.2.1.1.1.38 | Number of consumers for tiscale.hagent_input queue. |
| RL-TCBASE-MIB | tcbQueuesHagentInputMsg | .1.3.6.1.4.1.48699.1.1.2.1.1.1.39 | Number of messages for tiscale.hagent_input queue. |
| RL-TCBASE-MIB | tcbQueuesHagentRetryState | .1.3.6.1.4.1.48699.1.1.2.1.1.1.40 | State for tiscale.hagent_retry queue. |
| RL-TCBASE-MIB | tcbQueuesHagentRetryCons | .1.3.6.1.4.1.48699.1.1.2.1.1.1.41 | Number of consumers for tiscale.hagent_retry queue. |
| RL-TCBASE-MIB | tcbQueuesHagentRetryMsg | .1.3.6.1.4.1.48699.1.1.2.1.1.1.42 | Number of messages for tiscale.hagent_retry queue. |
| RL-TCBASE-MIB | tcbQueueName | .1.3.6.1.4.1.48699.1.1.2.1.1.1.43 | Queue name. |
| RL-TCBASE-MIB | tcbQueueSize | .1.3.6.1.4.1.48699.1.1.2.1.1.1.44 | Queue size. |
| RL-TCBASE-MIB | tcbQueuesTasksIntegrationsState | .1.3.6.1.4.1.48699.1.1.2.1.1.1.45 | State for tasks.integrations queue. |
| RL-TCBASE-MIB | tcbQueuesTasksIntegrationsCons | .1.3.6.1.4.1.48699.1.1.2.1.1.1.46 | Number of consumers for tasks.integrations queue. |
| RL-TCBASE-MIB | tcbQueuesTasksIntegrationsMsg | .1.3.6.1.4.1.48699.1.1.2.1.1.1.47 | Number of messages for tasks.integrations queue. |
| RL-TCBASE-MIB | tcbTables | .1.3.6.1.4.1.48699.1.1.2.1.1.2 | |
| RL-TCBASE-MIB | tcbMibNotifications | .1.3.6.1.4.1.48699.1.1.2.1.2 | |
| RL-TCBASE-MIB | tcbQueueThreshold | .1.3.6.1.4.1.48699.1.1.2.1.2.1 | Queue size exceeded configured threshold. |
| RL-TCBASE-MIB | redundancyTrigger | .1.3.6.1.4.1.48699.1.1.2.1.2.2 | Failover on HA system. |
| RL-TCBASE-MIB | redundancyTriggerOk | .1.3.6.1.4.1.48699.1.1.2.1.2.3 | HA System resumed operation. |
| RL-TCBASE-MIB | tcbMibConformance | .1.3.6.1.4.1.48699.1.1.2.1.3 | |
System alerting
For more information, see System alerting.
If system alerting is enabled under Administration > Configuration & Update > Configuration > System alerting, the following system operations and services are monitored. Syslog notifications are sent when any of the services or operations meets the condition(s) defined in the table.
| SYSTEM OPERATION OR SERVICE | NOTIFICATION TRIGGER |
|---|---|
| RAM | Usage is over 90% for 10 minutes. |
| CPU | Usage is over 40% for 2 minutes. |
| CPU wait (waiting for IO) | Over 20% for 2 minutes. |
| Disk usage | Over 90% for 10 minutes. |
| UWSGI service | Down for 2 minutes. |
| NGINX service | Down for 2 minutes. |
| RABBIT-MQ service | Down for 2 minutes. |
| POSTGRES service | Down for 2 minutes. |
| MEMCACHED service | Down for 2 minutes. |
| CROND service | Down for 2 minutes. |
| SSHD service | Down for 2 minutes. |
| SUPERVISORD service | Down for 2 minutes. |
| SMTP | Enabled, but stopped for 4 minutes. |
| NTPD | Enabled, but stopped for 4 minutes. |
| Any of the SUPERVISORD services | Crashed. |
| SCALE socket | Not detected/does not exist for 4 minutes. |
| SCALE INPUT queue | Receiving over 500 messages for 10 minutes. |
| SCALE RETRY queue | Receiving over 100 messages for 10 minutes. |
| COLLECTOR queue | Receiving over 1000 messages for 10 minutes. |
| CLASSIFICATION queue | Receiving over 5000 messages for 10 minutes. |
Connector alerts
When Connectors are configured and running, CEF messages for supported events are sent to syslog if system alerting is properly configured on the appliance.
Most alerts are shared between connectors, but there are some connector-specific messages. For the full list of all supported CEF event fields, refer to the table below.
Threat detection CEF messages are sent only when the Enable automatic file sorting option is selected in the Connectors configuration dialog.
CEF event formatting schema
```text
CEF:0|{device.vendor}|{device.name}|{device.version}|{signature.id}|{name}|{severity}|csxLabel={label.value} csx={field.value}
```
CEF event fields
| Signature IDs | CEF event field | Description | Supported connectors |
|---|---|---|---|
| Threat detection | cs1Label | cs1 field label. Always equals classification. | Network File Share, AbuseBox, S3 |
| Threat detection | cs1 | File classification status (malicious, suspicious, goodware, unknown). | Network File Share, AbuseBox, S3 |
| Threat detection | cs2Label | cs2 field label. Always equals detectionName. | Network File Share, AbuseBox, S3 |
| Threat detection | cs2 | The detected threat name, formatted according to the Malware naming standard. | Network File Share, AbuseBox, S3 |
| Threat detection | cs3Label | cs3 field label. Always equals detectionReason. | Network File Share, AbuseBox, S3 |
| Threat detection | cs3 | The appliance that analyzed and classified the file. Possible values are A1000, TitaniumScale. | Network File Share, AbuseBox, S3 |
| connector_health | cs4Label | cs4 field label. Always equals app_health. | Network File Share, AbuseBox, S3 |
| connector_health | cs4 | Sent if there are any errors or performance issues with the connector or the appliance. Always equals FAILED. | Network File Share, AbuseBox, S3 |
| connector_mount_success, connector_mount_failure | cs5Label | cs5 field label. Always equals mount. | Network File Share |
| connector_mount_success, connector_mount_failure | cs5 | Sent on network resource mount events. Possible values are SUCCESS for connector_mount_success and FAILED for connector_mount_failure. | Network File Share |
| connector_read | cs6Label | cs6 field label. Always equals file_read. | Network File Share, AbuseBox, S3 |
| connector_read | cs6 | Sent when the connector fails to read the file from the connected storage/mail account. Always equals FAILED. | Network File Share, AbuseBox, S3 |
| connector_upload | cs7Label | cs7 field label. Always equals analysis. | Network File Share, AbuseBox, S3 |
| connector_upload | cs7 | Sent when files fail to upload to the appliance for analysis. Always equals FAILED. | Network File Share, AbuseBox, S3 |
| connector_move_files | cs8Label | cs8 field label. Always equals file_moving. | Network File Share, S3 |
| connector_move_files | cs8 | If advanced file sorting is enabled for the connector, this event is sent for each file move. Possible values are FAILED, SUCCESS. | Network File Share, S3 |
| connector_unmount_success, connector_unmount_failure | cs9Label | cs9 field label for connector unmount events. Always equals unmount. | Network File Share |
| connector_unmount_success, connector_unmount_failure | cs9 | Shows the network resource unmount status. Possible values are SUCCESS for connector_unmount_success and FAILED for connector_unmount_failure. | Network File Share |
| Threat detection, connector_move_files, connector_upload, connector_read | cs9Label | cs9 field label for events related to file operations. Always equals fileName. | Network File Share, S3 |
| Threat detection, connector_move_files, connector_upload, connector_read | cs9 | Shows the name of the file related to the specific event. | Network File Share, S3 |
| connector_unmount_success, connector_unmount_failure | cs10Label | cs10 field label. Always equals mountAddress. | Network File Share |
| All event types except Threat detection | cs10 | The address of the network resource. | Network File Share |
| connector_email_fetch_failure, connector_email_fetch_success | cs11Label | cs11 field label. Always equals email_fetch. | AbuseBox |
| connector_email_fetch_failure, connector_email_fetch_success | cs11 | Sent when the connector fails/succeeds in downloading an email message from the connected email account to the appliance. Always equals FAILED for connector_email_fetch_failure and SUCCESS for connector_email_fetch_success. | AbuseBox |
| connector_email_fetch_failure, connector_email_fetch_success | cs12Label | cs12 field label. Always equals exchangeServer. | AbuseBox |
| connector_email_fetch_failure, connector_email_fetch_success | cs12 | The address of the Exchange server (without the protocol scheme) from which the connector is attempting to retrieve email. | AbuseBox |
| connector_email_fetch_failure | cs13Label | cs13 field label. Always equals failure_reason. | AbuseBox |
| connector_email_fetch_failure | cs13 | The reason why email failed to download. Possible values are: connection error, non_existing_smtp_address, authentication_error, non_existing_inbox_folder, disk_threshold_reached. | AbuseBox |
| connector_move_files | cs14Label | cs14 field label. Always equals destination. | AbuseBox |
| connector_move_files | cs14 | If advanced file sorting is enabled for the connector, this is the destination where the file was moved during processing. | Network File Share, S3 |
| All CEF messages except those that already contain the mountAddress field | cs15Label | cs15 field label. Always equals sourceAddress. | Network File Share, S3 |
| All CEF messages except those that already contain the mountAddress field | cs15 | The address of the file source (for example, a network file share, or an S3 bucket). | Network File Share, S3 |
Examples
Success mounting a network drive (Network File Share)
```text
CEF:0|ReversingLabs|TitaniumCore|3.9.3.0|connector_mount_success|connector_mount_success|0|cs5Label=mount cs5=SUCCESS
```
Failure reading files from a network drive (Network File Share)
```text
CEF:0|ReversingLabs|TitaniumCore|3.9.3.0|connector_read|connector_read|10|cs6Label=file_read cs6=FAILED cs9Label=fileName cs9=/mnt/incoming/installer.msi
```
Threat detection for files uploaded from a network drive (Network File Share)
```text
CEF:0|ReversingLabs|TitaniumCore|3.9.3.0|detection|Threat detection|10|fileHash=93f5a83b850becd35f12fca8acs907ead cs2Label=classification cs2=malicious cs1Label=detectionName cs1=ByteCode-MSIL.Trojan.Genkryptik reason=cloud
```
Success fetching email (AbuseBox)
```text
CEF:0|ReversingLabs|A1000|5.11.0|connector_email_fetch_success|connector_email_fetch_success|0|cs12Label=exchangeServer cs12=devops-exchange.exch.rl.lan cs11Label=email_fetch cs11=SUCCESS
```
Failure fetching email (AbuseBox)
```text
CEF:0|ReversingLabs|A1000|5.11.0|connector_email_fetch_failure|connector_email_fetch_failure|10|cs13Label=failure_reason cs13=authentication_error cs12Label=exchangeServer cs12=devops-exchange.exch.rl.lan cs11Label=email_fetch cs11=FAILED
```
Connector/appliance in an unhealthy state (Network File Share, AbuseBox, S3)
```text
CEF:0|ReversingLabs|A1000|5.11.0|connector_health|connector_health|10|cs4Label=app_health cs4=FAILED
```
Failed file upload (Network File Share, AbuseBox, S3)
```text
CEF:0|ReversingLabs|A1000|5.11.0|connector_upload|connector_upload|10|cs9Label=fileName cs9=application_windows.exe cs7Label=analysis cs7=FAILED
```
Successful file move (Network File Share, S3)
```text
CEF:0|ReversingLabs|A1000|5.10.8-1|connector_move_files|connector_move_files|0|cs9Label=fileName cs9=BavPro_Setup_GL.zip cs8Label=file_moving cs8=SUCCESS cs14Label=destination cs14=/Malicious/BavPro_Setup_GL.zip
```
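The following parser is an added example for the CEF schema and the examples above; it is not code from this page or from the product. It splits the seven header fields on unescaped pipes, parses the key=value extension while allowing spaces inside values, resolves each csN to the name given in its csNLabel (so classification is found whether it sits in cs1 as the field table says or in cs2 as the Threat detection example shows), and then flags the events worth acting on. The sample batch is constructed from the example messages above.

```python
import re
from dataclasses import dataclass

# Constructed syslog batch: one CEF message per line, copied from the examples
# in this appendix (the appliance sends each message as a single line).
SAMPLE_CEF = """\
CEF:0|ReversingLabs|TitaniumCore|3.9.3.0|connector_mount_success|connector_mount_success|0|cs5Label=mount cs5=SUCCESS
CEF:0|ReversingLabs|TitaniumCore|3.9.3.0|connector_read|connector_read|10|cs6Label=file_read cs6=FAILED cs9Label=fileName cs9=/mnt/incoming/installer.msi
CEF:0|ReversingLabs|TitaniumCore|3.9.3.0|detection|Threat detection|10|fileHash=93f5a83b850becd35f12fca8acs907ead cs2Label=classification cs2=malicious cs1Label=detectionName cs1=ByteCode-MSIL.Trojan.Genkryptik reason=cloud
CEF:0|ReversingLabs|A1000|5.11.0|connector_email_fetch_failure|connector_email_fetch_failure|10|cs13Label=failure_reason cs13=authentication_error cs12Label=exchangeServer cs12=devops-exchange.exch.rl.lan cs11Label=email_fetch cs11=FAILED
CEF:0|ReversingLabs|A1000|5.11.0|connector_health|connector_health|10|cs4Label=app_health cs4=FAILED
"""

HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")
# Extension values may contain spaces, so a pair ends only where the next
# "key=" token begins. Pipes in the header and "=" in values arrive escaped.
EXT_PAIR = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")


@dataclass
class CefEvent:
    header: dict
    fields: dict  # extension with each csN renamed to the name in its csNLabel


def unescape(value):
    return re.sub(r"\\([\\|=])", r"\1", value)


def parse_cef(line):
    """Parse one CEF:0 line into its seven header fields and labelled extension."""
    parts = re.split(r"(?<!\\)\|", line.strip(), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError(f"not a CEF:0 message: {line[:40]!r}")
    header = dict(zip(HEADER_FIELDS, (unescape(p) for p in parts[:7])))
    header["version"] = header["version"][len("CEF:"):]
    header["severity"] = int(header["severity"])
    raw = {k: unescape(v) for k, v in EXT_PAIR.findall(parts[7])}
    labels = {k[:-len("Label")]: v for k, v in raw.items() if k.endswith("Label")}
    fields = {labels.get(k, k): v for k, v in raw.items() if not k.endswith("Label")}
    return CefEvent(header, fields)


def triage(text):
    """(severity, summary) for the events worth acting on: an unhealthy
    connector, a malicious/suspicious verdict, or any FAILED operation."""
    alerts = []
    for line in filter(None, text.splitlines()):
        ev = parse_cef(line)
        sig, sev, f = ev.header["signature_id"], ev.header["severity"], ev.fields
        if sig == "connector_health" and f.get("app_health") == "FAILED":
            alerts.append((sev, "connector/appliance unhealthy"))
        elif sig == "detection" and f.get("classification") in ("malicious", "suspicious"):
            alerts.append((sev, f"{f['classification']}: {f.get('detectionName', '?')} "
                                f"hash={f.get('fileHash', '?')}"))
        elif "FAILED" in f.values():
            detail = f.get("failure_reason") or f.get("fileName") or f.get("exchangeServer") or ""
            alerts.append((sev, f"{sig} failed {detail}".rstrip()))
    return alerts
```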