Vendor Documentation


Classification

| Rule Name        | Rule Type | Common Event                  | Classification |
|------------------|-----------|-------------------------------|----------------|
| CB Server Events | Base Rule | General File Monitoring Event | Information    |


Sample Logs

12 31 2018 08:17:55 1.1.1.1 <USER:NOTE> LEEF:1.0|CB|CB|5.1|alert.watchlist.hit.ingress.process|alert_severity=67.5 alert_type=watchlist.hit.ingress.process assigned_to=loganathan.v cb_server=cb_AWS childproc_count=0 comms_ip=2.2.2.2 computer_name=desktop-48fidjl created_time=2018-11-16T02:09:37.623Z crossproc_count=3 feed_id=17 feed_name=srsthreat feed_rating=3.0 filemod_count=0 group=auto upgrade group hostname=desktop-48fidjl interface_ip=3.3.3.3 ioc_confidence=0.5 ioc_type=md5 ioc_value=3378de897abf7afcd415b9dfee6cfda4 ioc_value_facet=3378de897abf7afcd415b9dfee6cfda4 md5=3378DE897ABF7AFCD415B9DFEE6CFDA4 modload_count=13 netconn_count=1 os_type=windows process_guid=0000202f-0003-d17c-01d4-7d50f56e02c3 process_id=0000202f-0003-d17c-01d4-7d50f56e02c3 process_name=update.exe process_path=c:\\users\\cnh06861\\appdata\\roaming\\photoviewer\\update.exe process_unique_id=0000202f-0003-d17c-01d4-7d50f56e02c3-01671a47e103 regmod_count=0 report_score=100 segment_id=1 sensor_criticality=3.0 sensor_id=8239 status=In Progress timestamp=1546240675.338 type=alert.watchlist.hit.ingress.process unique_id=e68f47bb-668e-4e91-beda-f8bcd4edf87e username=domain\\usrname watchlist_id=3378de897abf7afcd415b9dfee6cfda4 watchlist_name=3378de897abf7afcd415b9dfee6cfda4

Mapping with LogRhythm Schema

| Device Key in log message | Log Value | LogRhythm Schema | Data Type |
|---------------------------|-----------|------------------|-----------|
| alert_severity | 67.5 | <severity> | Text/String/Number |
| comms_ip | 2.2.2.2 | <dinterface> | Text/String |
| computer_name | desktop-48fidjl | <domain> | Text/String |
| feed_name | srsthreat | <sender> | Text/String |
| group | auto upgrade group | <group> | Text/String |
| interface_ip | 3.3.3.3 | <sip> | IP Address |
| ioc_value | N/A | <dip> | IP Address |
| md5 | 3378de897abf7afcd415b9dfee6cfda4 | <hash> | Text/String |
| process_name | update.exe | <process> | Text/String |
| process_path | c:\\users\\cnh06861\\appdata\\roaming\\photoviewer\\update.exe | <parentprocesspath> | Text/String |
| status | In | <status> | Text/String |
| username | domain\\usrname | <login> | Text/String |
| watchlist_id | 3378de897abf7afcd415b9dfee6cfda4 | <object> | Text/String |
| watchlist_name | 3378de897abf7afcd415b9dfee6cfda4 | <objectname> | Text/String |
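The following is an added example, not LogRhythm's or Carbon Black's own parsing code. It parses the sample LEEF alert above into its pipe-delimited header and its `key=value` attributes, then applies the mapping table to produce LogRhythm schema fields. It assumes the attribute delimiter is a space, as in the sample (LEEF 1.0 defaults to a tab), and it only fills `<dip>` from `ioc_value` when that value parses as an IP address, which is an assumption drawn from the table's `N/A` for an md5 IoC. It also shows why a plain whitespace split yields the truncated `status` value `In` that the table lists: values such as `auto upgrade group` and `In Progress` contain spaces, so the split must only break before the next `key=` token.

```python
import ipaddress
import re
from typing import Dict, Tuple

# Constructed input: the page's sample alert, embedded so the example runs offline.
SAMPLE_LOG = (
    r"12 31 2018 08:17:55 1.1.1.1 <USER:NOTE> LEEF:1.0|CB|CB|5.1|alert.watchlist.hit.ingress.process|"
    r"alert_severity=67.5 alert_type=watchlist.hit.ingress.process assigned_to=loganathan.v cb_server=cb_AWS "
    r"childproc_count=0 comms_ip=2.2.2.2 computer_name=desktop-48fidjl created_time=2018-11-16T02:09:37.623Z "
    r"crossproc_count=3 feed_id=17 feed_name=srsthreat feed_rating=3.0 filemod_count=0 group=auto upgrade group "
    r"hostname=desktop-48fidjl interface_ip=3.3.3.3 ioc_confidence=0.5 ioc_type=md5 "
    r"ioc_value=3378de897abf7afcd415b9dfee6cfda4 ioc_value_facet=3378de897abf7afcd415b9dfee6cfda4 "
    r"md5=3378DE897ABF7AFCD415B9DFEE6CFDA4 modload_count=13 netconn_count=1 os_type=windows "
    r"process_guid=0000202f-0003-d17c-01d4-7d50f56e02c3 process_id=0000202f-0003-d17c-01d4-7d50f56e02c3 "
    r"process_name=update.exe process_path=c:\\users\\cnh06861\\appdata\\roaming\\photoviewer\\update.exe "
    r"process_unique_id=0000202f-0003-d17c-01d4-7d50f56e02c3-01671a47e103 regmod_count=0 report_score=100 "
    r"segment_id=1 sensor_criticality=3.0 sensor_id=8239 status=In Progress timestamp=1546240675.338 "
    r"type=alert.watchlist.hit.ingress.process unique_id=e68f47bb-668e-4e91-beda-f8bcd4edf87e "
    r"username=domain\\usrname watchlist_id=3378de897abf7afcd415b9dfee6cfda4 "
    r"watchlist_name=3378de897abf7afcd415b9dfee6cfda4"
)

# Device key -> LogRhythm schema field, taken from the mapping table on this page.
LOGRHYTHM_MAPPING = {
    "alert_severity": "severity",
    "comms_ip": "dinterface",
    "computer_name": "domain",
    "feed_name": "sender",
    "group": "group",
    "interface_ip": "sip",
    "ioc_value": "dip",  # assumption: only populated when the IoC is an IP address
    "md5": "hash",
    "process_name": "process",
    "process_path": "parentprocesspath",
    "status": "status",
    "username": "login",
    "watchlist_id": "object",
    "watchlist_name": "objectname",
}

LEEF_PREFIX = "LEEF:"
# Break only at whitespace that is immediately followed by a "key=" token,
# so values containing spaces ("auto upgrade group", "In Progress") stay whole.
ATTR_SPLIT = re.compile(r"\s+(?=\w+=)")


def parse_leef(line: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split a LEEF 1.0 event into its pipe-delimited header and its key=value attributes."""
    start = line.find(LEEF_PREFIX)
    if start < 0:
        raise ValueError("no LEEF header in line")
    fields = line[start:].split("|", 5)
    if len(fields) != 6:
        raise ValueError("malformed LEEF header: expected 5 header fields plus attributes")
    header = dict(zip(("leef_version", "vendor", "product", "version", "event_id"), fields[:5]))
    header["leef_version"] = header["leef_version"][len(LEEF_PREFIX):]
    attrs: Dict[str, str] = {}
    for token in ATTR_SPLIT.split(fields[5].strip()):
        key, sep, value = token.partition("=")
        if sep:
            attrs[key] = value
    return header, attrs


def naive_split(attr_string: str) -> Dict[str, str]:
    """Plain whitespace split: truncates space-containing values (status becomes 'In')."""
    out: Dict[str, str] = {}
    for token in attr_string.split():
        key, sep, value = token.partition("=")
        if sep:
            out[key] = value
    return out


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def map_to_logrhythm(attrs: Dict[str, str]) -> Dict[str, str]:
    """Apply the mapping table; <dip> is left unset (N/A) unless ioc_value is an address."""
    mapped: Dict[str, str] = {}
    for device_key, schema_field in LOGRHYTHM_MAPPING.items():
        if device_key not in attrs:
            continue
        value = attrs[device_key]
        if schema_field == "dip" and not _is_ip(value):
            continue
        mapped[schema_field] = value
    return mapped


if __name__ == "__main__":
    hdr, attributes = parse_leef(SAMPLE_LOG)
    print(hdr["event_id"], attributes["status"])
    for field, val in map_to_logrhythm(attributes).items():
        print(f"<{field}> = {val}")
```

The `<dip>` rule is the one place the example goes beyond the table: it treats the `N/A` entry as "unset unless the IoC value is an address", so an alert whose `ioc_type` carries an IP would populate `<dip>` while the md5-based sample leaves it empty.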