Vendor Documentation


Classification

Rule Name             Rule Type    Common Event     Classification
Feed Hit : Host Hit   Base Rule    Watchlist Hit    Activity


Sample Logs

05 16 2016 11:46:10 1.1.1.1 <USER:NOTE> LEEF:1.0|CB|CB|5.1.1.160416.0935|feed.ingress.hit.host|cb_server=cbserver cb_version=5.1.1.160416.0935 computer_name=USLT1963DUMMY feed_id=2 feed_name=cbtamper group=LogRhythm HQ hostname=USLT1963DUMMY ioc_attr={"hit_field_tamper_type":"AlertCbServiceStopped"} ioc_type=class ioc_value=com.carbonblack.cbfs.ingress_search.detectors.SensorTamper$Terminate os_type=Windows report_id=terminate report_score=70 sensor_id=1 server_name=localhost.localdomain timestamp=1463424002.382 type=feed.ingress.hit.host

Mapping with LogRhythm Schema

Device Key in Log Message   Log Value        LogRhythm Schema   Data Type
feed_name                   cbtamper         <sender>           Text/String
group                       LogRhythm HQ     <group>            Text/String
hostname                    USLT1963DUMMY    <dname>            Text/String
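The table above says which device keys land in which schema fields but not how the LEEF record is taken apart. The following Python is an added example (not LogRhythm or Carbon Black code) that splits the syslog-wrapped LEEF 1.0 header, parses the key=value attributes, applies the page's mapping, and decodes the embedded ioc_attr JSON. The sample line is the page's own; SCHEMA_MAP, parse_leef and to_logrhythm are names chosen here. Note that the attribute values in this feed can contain spaces (group=LogRhythm HQ), so a naive split on whitespace would mis-parse the record.

```python
import json
import re

# The page's sample log, reproduced here as a single constructed string.
SAMPLE_LOG = (
    "05 16 2016 11:46:10 1.1.1.1 <USER:NOTE> LEEF:1.0|CB|CB|5.1.1.160416.0935|"
    "feed.ingress.hit.host|cb_server=cbserver cb_version=5.1.1.160416.0935 "
    "computer_name=USLT1963DUMMY feed_id=2 feed_name=cbtamper group=LogRhythm HQ "
    "hostname=USLT1963DUMMY ioc_attr={\"hit_field_tamper_type\":\"AlertCbServiceStopped\"} "
    "ioc_type=class ioc_value=com.carbonblack.cbfs.ingress_search.detectors.SensorTamper$Terminate "
    "os_type=Windows report_id=terminate report_score=70 sensor_id=1 "
    "server_name=localhost.localdomain timestamp=1463424002.382 type=feed.ingress.hit.host"
)

# Device key -> LogRhythm schema field, as given in the mapping table on this page.
SCHEMA_MAP = {
    "feed_name": "sender",
    "group": "group",
    "hostname": "dname",
}

# Attributes are space-separated key=value pairs, but a value may itself contain
# spaces, so each value is matched lazily up to the next " key=" or end of line.
_KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_leef(line):
    """Split a syslog-wrapped LEEF 1.0 record into header fields and attributes."""
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF header found")
    # LEEF:Version|Vendor|Product|Version|EventID|attributes (5 pipes before attrs)
    head = line[start:].split("|", 5)
    if len(head) != 6 or head[0] != "LEEF:1.0":
        raise ValueError("malformed LEEF 1.0 header")
    return {
        "syslog_prefix": line[:start].rstrip(),
        "vendor": head[1],
        "product": head[2],
        "version": head[3],
        "event_id": head[4],
        "attrs": dict(_KV_RE.findall(head[5])),
    }


def to_logrhythm(record):
    """Apply the page's device-key mapping and decode the ioc_attr JSON payload."""
    mapped = {}
    for key, field in SCHEMA_MAP.items():
        if key in record["attrs"]:
            mapped[field] = record["attrs"][key]
    ioc_attr = record["attrs"].get("ioc_attr")
    if ioc_attr:
        try:
            # ioc_attr carries the tamper type the watchlist hit was raised for.
            mapped["ioc_attr"] = json.loads(ioc_attr)
        except json.JSONDecodeError:
            mapped["ioc_attr"] = ioc_attr  # keep raw text if the payload is not JSON
    return mapped


if __name__ == "__main__":
    rec = parse_leef(SAMPLE_LOG)
    print(rec["event_id"])
    print(to_logrhythm(rec))
```

Running the block against the sample prints the event id (feed.ingress.hit.host) and a dict with sender=cbtamper, group=LogRhythm HQ, dname=USLT1963DUMMY plus the decoded ioc_attr; any other device key (report_score, sensor_id, ioc_value) stays available in record["attrs"] for rules that need it.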