====== Threat Logs ======
Remember: Threat, URL and Data logs are all classified in the same 'pool'.
===== Threats =====
( subtype eq wildfire-virus ) and ( severity eq medium )
( subtype eq ml-virus ) and ( severity eq medium )
( subtype eq virus ) and ( severity eq medium )
( subtype eq spyware ) and ( action eq sinkhole )
( subtype eq spyware ) and ( name-of-threatid eq 344426259 ) and ( action eq sinkhole )
( subtype eq spyware ) and ( name-of-threatid eq 'generic:www.groupenci.com' ) and ( action eq sinkhole )
===== Possible False Positives =====
( subtype eq vulnerability ) and ( name-of-threatid eq 'HTTP Unauthorized Brute Force Attack' ) and ( severity eq high )
( subtype eq vulnerability ) and ( name-of-threatid eq 'HTTP: User Authentication Brute Force Attempt' ) and ( severity eq high )
( subtype eq vulnerability ) and ( name-of-threatid eq 'SMB: User Password Brute Force Attempt' ) and ( severity eq high )
( subtype eq spyware ) and ( name-of-threatid eq 'DNS Tunnel Data Infiltration Traffic' ) and ( severity eq informational )
===== Triggered by Zone Protection Profile =====
( subtype eq scan ) and ( name-of-threatid eq 'SCAN: Host Sweep' ) and ( severity eq medium )
( subtype eq scan ) and ( name-of-threatid eq 'SCAN: TCP Port Scan' ) and ( severity eq medium )
( subtype eq scan ) and ( name-of-threatid eq 'SCAN: UDP Port Scan' ) and ( severity eq medium )
( subtype eq packet ) and ( name-of-threatid eq 'TCP SYN with data' ) and ( severity eq informational )
( subtype eq packet ) and ( name-of-threatid eq 'TCP Fast Open' ) and ( severity eq informational )
( subtype eq packet ) and ( name-of-threatid eq 'IP Option Record Route' ) and ( severity eq informational )
===== Zone Protection Profile - Flood Protection - ALERT =====
( subtype eq flood ) and ( name-of-threatid eq 'UDP Flood' ) and ( action eq allow ) and ( severity eq critical )
( subtype eq flood ) and ( name-of-threatid eq 'TCP Flood' ) and ( action eq allow ) and ( severity eq critical )
( subtype eq flood ) and ( name-of-threatid eq 'ICMP Flood' ) and ( action eq allow ) and ( severity eq critical )
===== Zone Protection Profile - Flood Protection - DROP =====
( subtype eq flood ) and ( name-of-threatid eq 'UDP Flood' ) and ( action eq drop ) and ( severity eq critical )
( subtype eq flood ) and ( name-of-threatid eq 'TCP Flood' ) and ( action eq drop ) and ( severity eq critical )
( subtype eq flood ) and ( name-of-threatid eq 'ICMP Flood' ) and ( action eq drop ) and ( severity eq critical )
===== DoS Protection Profile/Policy =====
( subtype eq flood ) and ( name-of-threatid eq 'Session Limit Event' ) and ( action eq drop ) and ( severity eq critical )