EVID 3 : Network Connection Detected (Sysmon)
Event Details
| Event Type | Network Connection Detected |
|---|---|
| Event Description | 3 : Tracks network connection event logs and TCP/UDP connections on the machine. |
| Event ID | 3 |
Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
| Log Field | LogRhythm Default | LogRhythm Default v2.0 | |||
|---|---|---|---|---|---|
| Provider | N/A | N/A | |||
| EventID | <vmid> | <vmid> | |||
| Version | <version> | N/A | |||
| Level | <severity> | <severity> | |||
| Task | N/A | <vendorinfo> | |||
| Opcode | N/A | N/A | |||
| Keywords | N/A | <result> | |||
| TimeCreated | N/A | N/A | |||
| EventRecordID | N/A | N/A | |||
| Correlation | N/A | N/A | |||
| Execution | <processid> | N/A | |||
| Channel | N/A | N/A | |||
| Computer | <dname> | N/A | |||
| Security | <domain>, <login> | N/A | |||
| ProcessGuid | N/A | N/A | |||
| ProcessId | <processid> | <processid> | |||
| Image | <object> | <process> | |||
| User | <login>, <domain> | <login>, <domainorigin> | |||
| Protocol | <protname> | <protname> | |||
| SourceIsIpv6 | <tag1> | N/A | |||
| Initiated | N/A | N/A | |||
| SourceIp | <sip> | <sip> | |||
| SourceHostName | <sname> | <sname> | |||
| SourcePort | <sport> | <sport> | |||
| SourcePortName | N/A | N/A | |||
| DestinationIsIpv6 | N/A | N/A | |||
| DestinationIp | <dip> | <dip> | |||
| DestinationHostName | <dname> | <dname> | |||
| DestinationPort | <dport> | <dport> | |||
| DestinationPortName | N/A | N/A | |||
| RuleName | <vendorinfo>, <subject> | <policy> | |||
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
| Regex ID | Rule Name | Rule Type | Common Events | Classifications |
|---|---|---|---|---|
| *1006439 | EVID 3 : Network Connection Detected | Base Rule | Network Connection Established | Network Traffic |
| *1010226 | EVID 3 : Network Connection | Base Rule | General Traffic Log | Network Traffic |
| *1010226 | EVID 3 : Inbound Network Connection Detected | Sub Rule | Inbound Connection Observed | Network Traffic |
| *1010226 | EVID 3 : Outbound Network Connection Detected | Sub Rule | Outbound Connection Observed | Network Traffic |
* Both Regex IDs represent logs that parse EVID 3, but 1006439 represents line-separated logs while 1010226 represents normal logs.
LogRhythm Default v2.0
| Regex ID | Rule Name | Rule Type | Common Events | Classifications |
|---|---|---|---|---|
| 1011220 | V 2.0 : EVID 3 : Network Connection Detected | Base Rule | Network Traffic | Network Traffic |