Classification

Rule Name              Rule Type   Common Event                   Classification
EVID 1 : CVE Messages  Base Rule   Vuln High Severity : Windows   Vulnerability

Sample Logs

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Audit-CVE' Guid='{85a62a0d-7e17-485f-9d4f-749a287193a6}'/><EventID>1</EventID><Version>0</Version><Level>Warning</Level><Task>None</Task><Opcode>Info</Opcode><Keywords></Keywords><TimeCreated SystemTime='2020-01-17T19:38:33.935487300Z'/><EventRecordID>12777246</EventRecordID><Correlation/><Execution ProcessID='6948' ThreadID='6652'/><Channel>Application</Channel><Computer>_destinationHostname</Computer><Security UserID='_destinationUser'/></System><EventData><Data Name='CVEID'>[CVE-2020-0601] cert validation</Data><Data Name='AdditionalDetails'>CA: <Microsoft ECC Product Root Certificate Authority 2018> sha1: 06F1AA330B927B753A40E68CDF22E34BCBEF3352 para: 06052B81040022 otherPara …</Data></EventData></Event>

Mapping with LogRhythm Schema

Device Key in log message   Log Value                                  LogRhythm Schema   Data Type
EventID                     1                                          <vmid>             Number
Level                       Warning                                    <severity>         Text/String
Computer                    _destinationHostname                       <dname>            Text/String
UserID                      _destinationUser                           <account>          Text/String
ProcessID                   6948                                       <processid>        Number
sha1                        06F1AA330B927B753A40E68CDF22E34BCBEF3352   <object>           Text/Number
CVEID                       CVE-2020-0601                              <cve>              Text/Number
N/A                         CVE-2020-0601                              <tag1>             Text/Number
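As an added example that is not part of this page or of LogRhythm's own parsing rule, the Python below applies the mapping above to a record built from the sample log's field values. The embedded record, the function name, and the handling of the literal angle brackets around the CA name are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed record using the field values from the sample log on this page
# (AdditionalDetails is cut short after "para:", as it is on the page).
SAMPLE_EVENT = (
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System>"
    "<Provider Name='Microsoft-Windows-Audit-CVE' "
    "Guid='{85a62a0d-7e17-485f-9d4f-749a287193a6}'/><EventID>1</EventID>"
    "<Level>Warning</Level><Execution ProcessID='6948' ThreadID='6652'/>"
    "<Channel>Application</Channel><Computer>_destinationHostname</Computer>"
    "<Security UserID='_destinationUser'/></System><EventData>"
    "<Data Name='CVEID'>[CVE-2020-0601] cert validation</Data>"
    "<Data Name='AdditionalDetails'>CA: <Microsoft ECC Product Root Certificate "
    "Authority 2018> sha1: 06F1AA330B927B753A40E68CDF22E34BCBEF3352 "
    "para: 06052B81040022</Data></EventData></Event>"
)

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
PROVIDER = "Microsoft-Windows-Audit-CVE"
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
SHA1_RE = re.compile(r"sha1:\s*([0-9A-Fa-f]{40})")
# The CA name sits in literal angle brackets, which is not well-formed XML.
CA_RE = re.compile(r"CA: <([^<>]*)>")

def parse_audit_cve_event(xml_text: str) -> dict:
    """Map one Audit-CVE Event ID 1 record onto the LogRhythm fields above."""
    xml_text = CA_RE.sub(lambda m: "CA: &lt;" + m.group(1) + "&gt;", xml_text)
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    provider = system.find("e:Provider", NS).get("Name")
    event_id = int(system.findtext("e:EventID", namespaces=NS))
    if provider != PROVIDER or event_id != 1:
        raise ValueError(f"not an {PROVIDER} Event ID 1 record")
    data = {d.get("Name"): d.text or ""
            for d in root.findall("e:EventData/e:Data", NS)}
    cve = CVE_RE.search(data.get("CVEID", ""))
    sha1 = SHA1_RE.search(data.get("AdditionalDetails", ""))
    return {
        "vmid": event_id,
        "severity": system.findtext("e:Level", namespaces=NS),
        "dname": system.findtext("e:Computer", namespaces=NS),
        "account": system.find("e:Security", NS).get("UserID"),
        "processid": int(system.find("e:Execution", NS).get("ProcessID")),
        "object": sha1.group(1).upper() if sha1 else None,
        "cve": cve.group(0) if cve else None,
        "tag1": cve.group(0) if cve else None,  # tag1 also carries the CVE ID
    }
```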