EVID 1120 : Threat Hash Identified

EVID 1120 : Threat Hash Identified

Base Rule

Operations : Information 

General WinDefend Information

Device Key in log message

LogRhythm Schema

Data Type

Schema Description

Provider

Identifies the provider that logged the event. The Name and Guid attributes are included if the provider used an instrumentation manifest to define its events; otherwise, the EventSourceName attribute is included if a legacy event provider (using the Event Logging API) logged the event.

EventID

<vmid>
<tag1>

Number

The identifier that the provider used to identify the event.

Version

The version number of the event's definition.

Level

<severity>

String/Number

The severity level defined in the event.

Task

The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged.

Opcode

The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged.

Keywords

A bitmask of the keywords defined in the event. Keywords are used to classify types of events (for example, events associated with reading data).

TimeCreated 

The time stamp that identifies when the event was logged. The time stamp includes either the SystemTime attribute or the RawTime attribute.

EventRecordID

The record number assigned to the event when it was logged.

Correlation 

The activity identifiers that consumers can use to group related events together.

Execution 

Contains information about the process and thread that logged the event.

Channel

The channel to which the event was logged.

Computer

<dname>

Text/String

The name of the computer on which the event occurred.

Security 

<subject>

Text/String

A description of the event.

Current Platform Version

Threat Resource Path

Hashes

<hash>

Text/String