Classification

| Rule Name | Rule Type | Common Event | Classification |
| --- | --- | --- | --- |
| EVID 1026 : .Net Process Terminated Unhandled Excp. | Base Rule | Unhandled Exception | Error |

Sample Logs

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='.NET Runtime'/><EventID Qualifiers='0'>1026</EventID><Level>Error</Level><Task>None</Task><Keywords>Classic</Keywords><TimeCreated SystemTime='2016-11-08T11:46:27.000000000Z'/><EventRecordID>713041</EventRecordID><Channel>Application</Channel><Computer>_destinationhostname</Computer><Security/></System><EventData><Data>Application: scsm.exe

Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.Runtime.InteropServices.COMException
Stack:
at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32, IntPtr)
at uk.h()
at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
at System.Threading.ThreadHelper.ThreadStart(System.Object)
</Data></EventData></Event>

Mapping with LogRhythm Schema  

| Device Key in Log Message | Log Value | LogRhythm Schema | Data Type |
| --- | --- | --- | --- |
| Provider Name | The process was terminated due to an unhandled exception | <venderinfo> | Text/String |
| EventID Qualifiers | 1026 | <vmid> | Number |
| Level | Error | <severity> | Text/String |
| N/A | scsm.exe | <process> | Text/String |
| Computer | _destinationhostname | <dname> | Text/String |
| N/A | v4.0.30319 | <version> | Number/Text/String |
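
The mapping above, applied to the sample event, as an added example (not LogRhythm's parsing rule or code). The function names `parse_evid_1026` and `_line` are hypothetical, the embedded event is a shortened, constructed copy of the sample log, and the dictionary keys reuse the schema tags as the table spells them.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: the page's sample log with the stack trace trimmed.
SAMPLE = (
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System>"
    "<Provider Name='.NET Runtime'/><EventID Qualifiers='0'>1026</EventID>"
    "<Level>Error</Level><Channel>Application</Channel>"
    "<Computer>_destinationhostname</Computer></System><EventData>"
    "<Data>Application: scsm.exe\n\nFramework Version: v4.0.30319\n"
    "Description: The process was terminated due to an unhandled exception.\n"
    "Exception Info: System.Runtime.InteropServices.COMException\nStack:\n"
    "   at uk.h()\n</Data></EventData></Event>"
)

def _line(label, text):
    """Return the value of a 'Label: value' line inside <Data>, or None."""
    m = re.search(rf"^{re.escape(label)}:(.*)$", text, re.MULTILINE)
    return m.group(1).strip() if m else None

def parse_evid_1026(xml_text):
    """Map one .NET Runtime 1026 event to the schema fields in the table above."""
    # Event XML never carries a DTD; refuse it rather than expand entities.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not expected in event XML")
    root = ET.fromstring(xml_text)
    provider = root.find("e:System/e:Provider", NS)
    event_id = root.findtext("e:System/e:EventID", default="", namespaces=NS).strip()
    # Event IDs are only unique per provider, so match on both.
    if provider is None or provider.get("Name") != ".NET Runtime" or event_id != "1026":
        return None
    data = root.findtext("e:EventData/e:Data", default="", namespaces=NS)
    desc = _line("Description", data)
    # Keys are the schema tags exactly as the mapping table spells them.
    return {
        "venderinfo": desc.rstrip(".") if desc else None,
        "vmid": int(event_id),
        "severity": root.findtext("e:System/e:Level", namespaces=NS),
        "process": _line("Application", data),
        "dname": root.findtext("e:System/e:Computer", namespaces=NS),
        "version": _line("Framework Version", data),
    }
```
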