V 2.0 : Process Creation/Termination Events
Vendor Documentation
Classification
| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| V 2.0 : Process Creation/Termination Events | Base Rule | Process/Service Startup Or Shutdown Activity | Startup and Shutdown |
| V 2.0 : EVID 4688 : New Process Created | Sub Rule | Process/Service Started | Startup and Shutdown |
| V 2.0 : EVID 4689 : Process Terminated | Sub Rule | Process/Service Stopped | Startup and Shutdown |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Provider | N/A | N/A | Identifies the provider that logged the event. The Name and GUID attributes are included if the provider used an instrumentation manifest to define its events. The EventSourceName attribute is included if a legacy event provider (using the Event Logging API) logged the event. |
| EventID | <vmid> | Number | The identifier that the provider used to identify the event. |
| Version | N/A | N/A | The version number of the event's definition. |
| Level | <severity> | String/Number/Text | The severity level defined in the event. |
| Task | <vendorinfo> | Text/String | The task defined in the event. Task and Opcode are typically used to identify the location in the application from where the event was logged. |
| Opcode | N/A | N/A | The opcode defined in the event. Task and Opcode are typically used to identify the location in the application from where the event was logged. |
| Keywords | <result> | Text/String | A bitmask of the keywords defined in the event. Keywords are used to classify types of events (for example, events associated with reading data). |
| TimeCreated | N/A | N/A | The time stamp that identifies when the event was logged. The time stamp will include either the SystemTime attribute or the RawTime attribute. |
| EventRecordID | N/A | N/A | The record number assigned to the event when it was logged. |
| Correlation | N/A | N/A | The activity identifiers that consumers can use to group related events together. |
| Execution | N/A | N/A | Contains information about the process and thread that logged the event. |
| Channel | N/A | N/A | The channel to which the event was logged. |
| Computer | <dname> | Text/String | The name of the computer on which the event occurred. |
| SubjectUserSid | N/A | N/A | The SID of account that requested the create process operation. |
| SubjectUserName | <login> | Text/String | The name of the account that requested the create process operation. |
| SubjectDomainName | <domainorigin> | Text/String | The subject’s domain or computer name. Formats vary, and include the following:
|
| SubjectLogonId | <session> | Text/String | A hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID. |
| NewProcessId | <processid> | Text/String | A hexadecimal Process ID of the new process. |
| NewProcessName | <object> <process> | Text/String | The full path and the name of the executable for the new process. |
| TokenElevationType | <objecttype> | Text/String | TokenElevationTypeDefault (1): Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account (for which UAC disabled by default), service account or local system account. TokenElevationTypeFull (2): Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. TokenElevationTypeLimited (3): Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. |
| ProcessId | <parentprocessid> | Text/String/Number | A hexadecimal Process ID of the process which ran the new process. |
| CommandLine | <command> | Text/String | Contains the name of executable and arguments which were passed to it. |
| TargetUserSid | N/A | N/A | The SID of target account. |
| TargetUserName | <account> | Text/String | The name of the target account. |
| TargetDomainName | <domainimpacted> | Text/String | The target's domain or computer name. Formats vary, and include the following:
|
| TargetLogonId | N/A | N/A | A hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID. |
| ParentProcessName | <parentprocesspath> <parentprocessname> | Text/String | The full path and the name of the executable for the process. |
| MandatoryLabel | N/A | N/A | The SID of integrity label which was assigned to the new process. |