7 : Logs when a module is loaded in a specific process.
Event ID: 7
Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
| Log Field | LogRhythm Default | LogRhythm Default v2.0 |
| --- | --- | --- |
| Provider | N/A | N/A |
| EventID | `<vmid>` | `<vmid>` |
| Version | N/A | N/A |
| Level | `<severity>` | `<severity>` |
| Task | `<vendorinfo>` | `<vendorinfo>` |
| Opcode | N/A | N/A |
| Keywords | N/A | `<result>` |
| TimeCreated | N/A | N/A |
| EventRecordID | N/A | N/A |
| Correlation | N/A | N/A |
| Execution | N/A | N/A |
| Channel | N/A | N/A |
| Computer | `<dname>` | `<dname>` |
| Security | N/A | N/A |
| ImageLoaded | `<object>` | `<object>` |
| Hashes | `<hash>` | `<hash>` |
| Signed | `<tag1>` | N/A |
| Signature | N/A | N/A |
| SignatureStatus | `<status>`, `<tag2>` | N/A |
| Userid | `<domain>`, `<login>` | N/A |
| RuleName | `<policy>` | `<policy>` |
| Image | `<parentprocesspath>`, `<process>`, `<subject>` | `<process>` |
| ProcessGuid | `<session>` | N/A |
| ProcessId | `<processid>` | `<processid>` |
| FileVersion | `<version>` | N/A |
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default

| Regex ID | Rule Name | Rule Type | Common Event | Classification |
| --- | --- | --- | --- | --- |
| 1009726 | EVID 7 : Image Loaded | Base Rule | Object Accessed | Access Success |
| | EVID 7 : Image Loaded : No Signature | Sub Rule | Object Accessed | Access Success |
| | EVID 7 : Image Loaded : Invalid Signature | Sub Rule | Object Accessed | Access Success |
| | EVID 7 : Image Loaded : Valid Signature | Sub Rule | Object Accessed | Access Success |
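As an added example (not LogRhythm's own parsing code), the Python below extracts the fields listed in the table above from a constructed Sysmon Event ID 7 record, maps them to the LogRhythm Default metadata field names, and picks one of the three signature sub-rules. The page does not state how the sub-rules actually match, so the Signed/SignatureStatus conditions in `sub_rule` are assumptions.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Constructed Sysmon Event ID 7 record in Windows event XML; all values are made up.
SAMPLE_EVENT_7 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>7</EventID><Level>4</Level><Task>7</Task><Computer>host01.example.local</Computer></System>
<EventData>
<Data Name="RuleName">dll_load_watch</Data>
<Data Name="ProcessGuid">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="ProcessId">4242</Data>
<Data Name="Image">C:\\Windows\\System32\\notepad.exe</Data>
<Data Name="ImageLoaded">C:\\Windows\\System32\\example.dll</Data>
<Data Name="FileVersion">10.0.0.1</Data>
<Data Name="Hashes">MD5=00000000000000000000000000000000</Data>
<Data Name="Signed">true</Data>
<Data Name="SignatureStatus">Valid</Data>
<Data Name="User">EXAMPLE\\alice</Data>
</EventData></Event>"""

# Sysmon EventData field -> LogRhythm Default metadata field, as the table above lists them
FIELD_MAP = {"ImageLoaded": "object", "Hashes": "hash", "Signed": "tag1",
             "SignatureStatus": "status", "RuleName": "policy", "Image": "process",
             "ProcessGuid": "session", "ProcessId": "processid", "FileVersion": "version"}

def parse_event7(xml_text):
    """Return the System and EventData values the Default policy parses, keyed by metadata field."""
    root = ET.fromstring(xml_text)
    sysnode = root.find(NS + "System")
    meta = {"vmid": sysnode.findtext(NS + "EventID"), "severity": sysnode.findtext(NS + "Level"),
            "vendorinfo": sysnode.findtext(NS + "Task"), "dname": sysnode.findtext(NS + "Computer")}
    data = {d.get("Name"): (d.text or "") for d in root.iter(NS + "Data")}
    for name, field in FIELD_MAP.items():
        if name in data:
            meta[field] = data[name]
    if "\\" in data.get("User", ""):  # DOMAIN\user -> <domain>, <login>
        meta["domain"], meta["login"] = data["User"].split("\\", 1)
    return meta

def sub_rule(meta):
    """Choose the Default sub-rule name; these match conditions are assumed, not taken from the page."""
    if meta.get("vmid") != "7":
        return None
    if meta.get("tag1", "").lower() != "true":
        return "EVID 7 : Image Loaded : No Signature"
    if meta.get("status", "").lower() == "valid":
        return "EVID 7 : Image Loaded : Valid Signature"
    return "EVID 7 : Image Loaded : Invalid Signature"
```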
LogRhythm Default v2.0

| Regex ID | Rule Name | Rule Type | Common Event | Classification |
| --- | --- | --- | --- | --- |
| 1011223 | V 2.0 : Object Loaded | Base Rule | Object Initialized | Access Success |
| | V 2.0 : EVID 6 : Driver Loaded | Sub Rule | Object Initialized | Access Success |
| | V 2.0 : EVID 7 : Image Loaded | Sub Rule | Object Initialized | Access Success |