EVID 1120 : Threat Hash Identified
Vendor Documentation
Classification
| Rule Name | Rule Type | Classification | Common Event |
|---|---|---|---|
| EVID 1120 : Threat Hash Identified | Base Rule | Operations : Information | General WinDefend Information |
Mapping with LogRhythm Schema
| Device Key in log message | LogRhythm Schema | Data Type | Schema Description |
| Provider | Identifies the provider that logged the event. The Name and Guid attributes are included if the provider used an instrumentation manifest to define its events; otherwise, the EventSourceName attribute is included if a legacy event provider (using the Event Logging API) logged the event. | ||
| EventID | <vmid> <tag1> | Number | The identifier that the provider used to identify the event. |
| Version | The version number of the event's definition. | ||
| Level | <severity> | String/Number | The severity level defined in the event. |
| Task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. | ||
| Opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. | ||
| Keywords | A bitmask of the keywords defined in the event. Keywords are used to classify types of events (for example, events associated with reading data). | ||
| TimeCreated | The time stamp that identifies when the event was logged. The time stamp includes either the SystemTime attribute or the RawTime attribute. | ||
| EventRecordID | The record number assigned to the event when it was logged. | ||
| Correlation | The activity identifiers that consumers can use to group related events together. | ||
| Execution | Contains information about the process and thread that logged the event. | ||
| Channel | The channel to which the event was logged. | ||
| Computer | <dname> | Text/String | The name of the computer on which the event occurred. |
| Security | |||
| <subject> | Text/String | A description of the event. | |
| Current Platform Version | |||
| Threat Resource Path | |||
| Hashes | <hash> | Text/String |