Vendor Documentation


Classification

Rule Name                                 | Rule Type | Common Event                                 | Classification
------------------------------------------|-----------|----------------------------------------------|---------------------
Child Process Ingress Event               | Base Rule | Process/Service Startup Or Shutdown Activity | Startup and Shutdown
Child Process Ingress Event : Created     | Sub Rule  | Process/Service Started                      | Startup and Shutdown
Child Process Ingress Event : Not Created | Sub Rule  | Unsuccessful Activity                        | Other Audit Failure


Sample Logs

02 07 2017 18:17:09 1.1.1.1 <USER:NOTE> LEEF:1.0|CB|CB|5.1|ingress.event.childproc|cb_server=cbserver child_process_guid=00000439-0000-04a0-01d2-81a0a621ad66 computer_name=dummy.hostname created=false event_type=childproc md5=70771166581D9B3ED6CA02536402C2EF pid=7300 process_guid=00000439-0000-1c84-01d2-7c38d3d865c8 sensor_id=1081 timestamp=1486513013 type=ingress.event.childproc

Mapping with LogRhythm Schema

Device Key in Log Message | Log Value                        | LogRhythm Schema     | Data Type
--------------------------|----------------------------------|----------------------|------------
vmid                      | ingress.event.childproc          | <vmid>               | Text/String
computer_name             | dummy.hostname                   | <dname>              | Text/String
created                   | false                            | <tag1>               | Text/String
md5                       | 70771166581D9B3ED6CA02536402C2EF | <objectname>, <hash> | Text/String
pid                       | 7300                             | <processid>          | Number
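As an added example (not part of the vendor documentation or of LogRhythm's own parsing engine), the following Python parses the sample LEEF line above, applies the mapping table to produce the LogRhythm schema fields, and selects the Created / Not Created sub rule from the `created` flag. The function names, `SCHEMA_MAP`, and the use of the LEEF event ID as the value for `<vmid>` are assumptions.

```python
import re

# Constructed copy of the sample log above (syslog prefix followed by the LEEF 1.0 body).
SAMPLE_LOG = (
    "02 07 2017 18:17:09 1.1.1.1 <USER:NOTE> LEEF:1.0|CB|CB|5.1|ingress.event.childproc|"
    "cb_server=cbserver child_process_guid=00000439-0000-04a0-01d2-81a0a621ad66 "
    "computer_name=dummy.hostname created=false event_type=childproc "
    "md5=70771166581D9B3ED6CA02536402C2EF pid=7300 "
    "process_guid=00000439-0000-1c84-01d2-7c38d3d865c8 sensor_id=1081 "
    "timestamp=1486513013 type=ingress.event.childproc"
)

# Device key -> LogRhythm schema field(s), exactly as the mapping table lists them.
SCHEMA_MAP = {
    "computer_name": ["dname"],
    "created": ["tag1"],
    "md5": ["objectname", "hash"],
    "pid": ["processid"],
}
NUMERIC_KEYS = {"pid"}  # the only key the table types as Number

# CB separates key=value pairs with spaces; the lookahead stops a value only at the
# next "key=" so values that themselves contain spaces survive intact.
_KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_leef(line: str) -> dict:
    """Split a CB LEEF 1.0 line into its header fields and an attribute map."""
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("not a LEEF line")
    _, vendor, product, prod_ver, event_id, attrs = line[start:].split("|", 5)
    return {"event_id": event_id, "vendor": vendor, "product": product,
            "product_version": prod_ver, "attrs": dict(_KV_RE.findall(attrs))}


def to_logrhythm(line: str) -> dict:
    """Apply the mapping table and choose the sub rule from the `created` flag."""
    parsed = parse_leef(line)
    out = {"vmid": parsed["event_id"]}  # the LEEF event ID, assumed to feed <vmid>
    for key, fields in SCHEMA_MAP.items():
        if key in parsed["attrs"]:
            value = parsed["attrs"][key]
            for field in fields:
                out[field] = int(value) if key in NUMERIC_KEYS else value
    created = parsed["attrs"].get("created", "").lower() == "true"
    out["rule"] = "Child Process Ingress Event : " + ("Created" if created else "Not Created")
    out["classification"] = "Startup and Shutdown" if created else "Other Audit Failure"
    return out
```

Keys the table does not map (process_guid, child_process_guid, sensor_id, timestamp) are retained in `attrs` so they can be mapped once the schema assignment for them is known.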