Vendor Documentation


Classification

Rule Name                             Rule Type    Common Event     Classification
Feed : Binary Storage Hit             Base Rule    Watchlist Hit    Activity
Feed Hit : Unsigned Binary Storage    Sub Rule     Watchlist Hit    Activity
Feed Hit : Signed Binary Storage      Sub Rule     Watchlist Hit    Activity


Sample Logs

05 16 2016 04:14:01 1.1.1.1 <USER:NOTE> LEEF:1.0|CB|CB|5.1|feed.storage.hit.binary|alliance_data_virustotal=["67ce63f83f05b6b3ba5ea8e0ad6e7fe0"] alliance_link_virustotal=dummy.url alliance_score_virustotal=9 alliance_updated_virustotal=2016-05-16T10:13:09.000Z cb_server=cbserver cb_version=511 comments=This installation was built with Inno Setup. company_name=uvnc bvba                                                    computer_name=USLT1963GFOSS copied_mod_len=3442064 digsig_issuer=Symantec Class 3 SHA256 Code Signing CA digsig_publisher=uvnc bvba digsig_result=Signed digsig_result_code=0 digsig_sign_time=2016-01-25T05:48:00.000Z digsig_subject=uvnc bvba endpoint=USLT1963GFOSS|1 feed_id=6 feed_name=virustotal file_desc=UltraVNC Setup                                              file_version=1.2.1.0              group=Default Group host_count=1 hostname=USLT1963GFOSS ioc_attr={} ioc_type=md5 ioc_value=67ce63f83f05b6b3ba5ea8e0ad6e7fe0 is_64bit=false is_executable_image=true last_seen=2016-05-16T00:10:24.770Z legal_copyright=UltraVnc Team                                                                                        md5=67CE63F83F05B6B3BA5EA8E0AD6E7FE0 observed_filename=dummy.pathx64_setup.exe orig_mod_len=3442064 os_type=Windows product_name=UltraVnc                                                    product_version=1.2.1.0                                            report_id=67ce63f83f05b6b3ba5ea8e0ad6e7fe0 report_score=9 sensor_id=1 server_added_timestamp=2016-05-11T17:02:14.056Z server_name=localhost.localdomain timestamp=1463396873.147 type=feed.storage.hit.binary watchlist_1=2016-05-11T17:10:03.213Z watchlist_92=2016-05-12T10:00:02.864Z

Mapping with LogRhythm Schema

Device Key in Log Message    Log Value                                   LogRhythm Schema    Data Type
alliance_link_               dummy.url                                   <url>               Text/String
CVE                          N/A                                         <cve>, <sender>     Text/String
digsig_publisher/issuer      Symantec Class 3 SHA256 Code Signing CA     <subject>           Text/String
digsig_result                Signed                                      <result>, <tag1>    Text/String
md5                          67CE63F83F05B6B3BA5EA8E0AD6E7FE0            <hash>              Text/String
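The following Python is an added example, not code from LogRhythm or Carbon Black. It parses an abridged copy of the sample log above (the LEEF 1.0 header plus the attributes the mapping table uses), splits the payload only at `key=` boundaries so that values containing spaces (the signer name, the comments field) or a pipe (`endpoint=HOST|1`) survive, strips the fixed-width padding seen on the PE version-info fields, and projects the result onto the schema names in the table. Two things in it are assumptions rather than page content: the choice between the Signed and Unsigned sub rules is keyed on `digsig_result == "Signed"`, and `hash_matches_ioc` is an extra consistency check (the feed IOC that fired should be the MD5 of the binary being reported) that the page does not describe.

```python
"""Parse the Carbon Black LEEF 1.0 'feed.storage.hit.binary' sample and map it
to the LogRhythm schema fields listed on this page (added example)."""
import re
from typing import Dict, Tuple

# Abridged copy of the page's sample log, syslog prefix included. Tabs between
# LEEF attributes were collapsed to spaces when the page was rendered, and the
# PE version-info fields (company_name etc.) carry fixed-width padding.
SAMPLE = (
    "05 16 2016 04:14:01 1.1.1.1 <USER:NOTE> LEEF:1.0|CB|CB|5.1|feed.storage.hit.binary|"
    'alliance_data_virustotal=["67ce63f83f05b6b3ba5ea8e0ad6e7fe0"] '
    "alliance_link_virustotal=dummy.url alliance_score_virustotal=9 cb_server=cbserver "
    "comments=This installation was built with Inno Setup. "
    "company_name=uvnc bvba                    computer_name=USLT1963GFOSS "
    "digsig_issuer=Symantec Class 3 SHA256 Code Signing CA digsig_publisher=uvnc bvba "
    "digsig_result=Signed digsig_result_code=0 endpoint=USLT1963GFOSS|1 feed_name=virustotal "
    "ioc_type=md5 ioc_value=67ce63f83f05b6b3ba5ea8e0ad6e7fe0 "
    "md5=67CE63F83F05B6B3BA5EA8E0AD6E7FE0 observed_filename=dummy.pathx64_setup.exe "
    "report_score=9 type=feed.storage.hit.binary"
)

# Split the attribute payload only at whitespace that is followed by `key=`,
# because values such as the signer name contain spaces of their own.
_KEY_BOUNDARY = re.compile(r"\s+(?=[A-Za-z0-9_]+=)")


def parse_leef(line: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (header, attributes) for one LEEF 1.0 record; the syslog prefix is dropped."""
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF header in line")
    # The header is five '|'-separated fields; maxsplit keeps pipes inside values (endpoint=HOST|1).
    parts = line[start:].split("|", 5)
    if len(parts) != 6:
        raise ValueError("malformed LEEF header")
    header = {
        "version": parts[0].split(":", 1)[1],
        "vendor": parts[1],
        "product": parts[2],
        "product_version": parts[3],
        "event_id": parts[4],
    }
    attrs: Dict[str, str] = {}
    for token in _KEY_BOUNDARY.split(parts[5].strip()):
        key, _, value = token.partition("=")
        attrs[key] = value.strip()  # drop the fixed-width padding
    return header, attrs


# Mapping table from this page. alliance_link_* is a per-feed key, so it is matched by prefix below.
SCHEMA_MAP = {
    "digsig_issuer": "subject",
    "digsig_result": "result",
    "md5": "hash",
    "cve": "cve",  # listed in the table; the sample event carries no CVE
}


def to_logrhythm(attrs: Dict[str, str]) -> Dict[str, str]:
    """Project CB attributes onto the LogRhythm schema names used in the mapping table."""
    out: Dict[str, str] = {}
    for key, value in attrs.items():
        if key.startswith("alliance_link_"):
            out["url"] = value
        elif key in SCHEMA_MAP:
            out[SCHEMA_MAP[key]] = value
    if "result" in out:
        out["tag1"] = out["result"]  # the table maps digsig_result to both <result> and <tag1>
    if "hash" in out:
        out["hash"] = out["hash"].lower()  # CB emits md5 upper-case and ioc_value lower-case
    return out


def hash_matches_ioc(attrs: Dict[str, str]) -> bool:
    """Added check: the feed IOC that fired should be the MD5 of the binary reported."""
    if attrs.get("ioc_type") != "md5":
        return False
    return attrs.get("ioc_value", "").lower() == attrs.get("md5", "").lower()


def sub_rule(attrs: Dict[str, str]) -> str:
    """Pick the page's sub rule name. Assumption: the split is on digsig_result == 'Signed';
    any other digsig_result value is treated as unsigned."""
    signed = attrs.get("digsig_result") == "Signed"
    return "Feed Hit : Signed Binary Storage" if signed else "Feed Hit : Unsigned Binary Storage"


if __name__ == "__main__":
    hdr, a = parse_leef(SAMPLE)
    print(hdr["event_id"], sub_rule(a), hash_matches_ioc(a))
    print(to_logrhythm(a))
```

Splitting on whitespace alone would break the signer name into five tokens and lose the comments field, which is the usual cause of mis-parsed `<subject>` values for this source; the `key=` lookahead keeps each value whole, and the explicit `strip()` removes the padding that would otherwise end up inside `<subject>` or `<result>` and defeat exact-match rules.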