Vendor Documentation


Classification

Rule Name                 | Rule Type | Common Event  | Classification
Feed: Process Storage Hit | Base Rule | Watchlist Hit | Activity


Sample Logs

08 25 2016 22:02:07 1.1.1.1 <USER:NOTE> LEEF:1.0|CB|CB|5.1.1.160623.1033|feed.storage.hit.process|alliance_data_bit9endpointvisibility=f435128d-f5c4-4fa1-9f1f-14d0051ff09c alliance_link_bit9endpointvisibility=dummy.url alliance_score_bit9endpointvisibility=1 alliance_updated_bit9endpointvisibility=2016-06-10T12:38:11.000Z cb_server=cbserver cb_version=5.1.1.160623.1033 childproc_count=0 comms_ip=2.2.2.2 computer_name=USLT2376ABURR crossproc_count=31 feed_id=4 feed_name=bit9endpointvisibility filemod_count=1 from_feed_search=false group=LogRhythm HQ host_type=workstation hostname=USLT2376ABURR interface_ip=3.3.3.3 ioc_attr={} ioc_query_index=events ioc_query_string=(netconn_count:[1 TO *] digsig_result:unsigned) ioc_type=query ioc_value={"index_type": "events", "search_query": "cb.urlver\=1&q\=(netconn_count%3A%5B1%20TO%20*%5D%20digsig_result%3Aunsigned)"} last_update=2016-08-26T03:37:30.218Z modload_count=0 netconn_count=12 os_type=windows parent_id=-87640355148020404 parent_pid=3040 parent_unique_id=0000017a-0000-0be0-01d1-fefd6f0b9ed5-00000001 path=dummy.path\\anubis.exe process_guid=0000017a-0000-0c1c-01d1-fefd6f289cb8 process_id=0000017a-0000-0c1c-01d1-fefd6f289cb8 process_md5=e3c6cd3c2ae7e2dab6321a9527f2d7eb process_name=anubis.exe process_pid=3100 regmod_count=0 report_id=f435128d-f5c4-4fa1-9f1f-14d0051ff09c report_score=1 segment_id=1 sensor_id=378 server_name=localhost.localdomain start=2016-08-25T18:21:01.556Z timestamp=1472187336.215 type=feed.storage.hit.process unique_id=0000017a-0000-0c1c-01d1-fefd6f289cb8-00000001 username=SYSTEM watchlist_52=2016-08-26T04:50:02.478724Z

Mapping with LogRhythm Schema

Device Key in Log Message | Log Value                        | LogRhythm Schema    | Data Type
cmdline                   | N/A                              | <command>           | Text/String
comms_ip                  | 2.2.2.2                          | <dinterface>        | Number
feed_name                 | bit9endpointvisibility           | <sender>            | Text/String
group                     | LogRhythm                        | <group>             | Text/String
hostname                  | uslt2376aburr                    | <dname>             | Text/String
interface_ip              | 3.3.3.3                          | <sip>               | IP Address
digsig_result             | unsigned)                        | <result>            | Text/String
parent_name               | N/A                              | <parentprocessname> | Text/String
parent_id                 | 3040                             | <parentprocessid>   | Number
path                      | program                          | <process>           | Text/String
process_md5               | e3c6cd3c2ae7e2dab6321a9527f2d7eb | <objectname>        | Text/String
process_md5               | e3c6cd3c2ae7e2dab6321a9527f2d7eb | <hash>              | Text/String
process_name              | anubis.exe                       | <object>            | Text/String
process_pid               | 3100                             | <processid>         | Number
username                  | N/A                              | <domain>            | Text/String
username                  | system                           | <login>             | Text/String
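To show how the sample log above reduces to the schema fields in this table, here is an added Python example written for this page; it is not LogRhythm's or Carbon Black's parsing code. It locates the LEEF header inside the syslog line, splits the attribute list on key boundaries rather than on spaces (the group, ioc_query_string and ioc_value values all contain spaces), unescapes the \= sequences so ioc_value becomes valid JSON, and then applies the mapping above. Two details are my assumptions rather than the table's: <parentprocessid> is taken from parent_pid (the key that carries 3040 in the sample), and <result> is read out of ioc_query_string with the trailing parenthesis dropped. The embedded log line is a trimmed copy of the page's sample, constructed for the example.

```python
"""Parse a Carbon Black LEEF feed.storage.hit.process event and project it
onto the LogRhythm schema fields from the mapping table (example code)."""
import json
import re

# Constructed sample: a trimmed copy of the page's sample log line.
SAMPLE_LOG = (
    r"08 25 2016 22:02:07 1.1.1.1 <USER:NOTE> LEEF:1.0|CB|CB|5.1.1.160623.1033|feed.storage.hit.process|"
    r"cb_server=cbserver comms_ip=2.2.2.2 computer_name=USLT2376ABURR feed_id=4 "
    r"feed_name=bit9endpointvisibility group=LogRhythm HQ host_type=workstation hostname=USLT2376ABURR "
    r"interface_ip=3.3.3.3 ioc_attr={} ioc_query_index=events "
    r"ioc_query_string=(netconn_count:[1 TO *] digsig_result:unsigned) ioc_type=query "
    r'ioc_value={"index_type": "events", "search_query": "cb.urlver\=1&q\=(netconn_count%3A%5B1%20TO%20*%5D%20digsig_result%3Aunsigned)"} '
    r"netconn_count=12 os_type=windows parent_id=-87640355148020404 parent_pid=3040 "
    r"path=dummy.path\\anubis.exe process_md5=e3c6cd3c2ae7e2dab6321a9527f2d7eb process_name=anubis.exe "
    r"process_pid=3100 sensor_id=378 start=2016-08-25T18:21:01.556Z type=feed.storage.hit.process username=SYSTEM"
)

# LEEF:version|vendor|product|product_version|event_id|attributes
LEEF_HEADER_RE = re.compile(
    r"LEEF:(?P<ver>[^|]*)\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|"
    r"(?P<pver>[^|]*)\|(?P<event>[^|]*)\|(?P<attrs>.*)$"
)
# Split only on whitespace that is immediately followed by "key=", so that
# values containing spaces (group=LogRhythm HQ, the IOC query, the JSON) stay whole.
KEY_BOUNDARY_RE = re.compile(r"\s+(?=[A-Za-z_][A-Za-z0-9_]*=)")
DIGSIG_RE = re.compile(r"digsig_result:([^\s)]+)")


def parse_leef(line):
    """Return header fields plus an 'attrs' dict of key/value pairs."""
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF header in line")
    m = LEEF_HEADER_RE.match(line[start:])
    if not m:
        raise ValueError("malformed LEEF header")
    attrs = {}
    for token in KEY_BOUNDARY_RE.split(m.group("attrs")):
        key, _, value = token.partition("=")
        attrs[key] = value.replace("\\=", "=")  # undo the exporter's escaping of '='
    return {
        "vendor": m.group("vendor"),
        "product": m.group("product"),
        "product_version": m.group("pver"),
        "event": m.group("event"),
        "attrs": attrs,
    }


def _int_or_none(value):
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def to_logrhythm(event):
    """Apply the mapping table; schema names are the <...> fields from the page."""
    a = event["attrs"]
    # "DOMAIN\user" splits into <domain> and <login>; a bare "SYSTEM" has no domain.
    domain, _, login = a.get("username", "").rpartition("\\")
    query = a.get("ioc_query_string", "")
    digsig = DIGSIG_RE.search(query)  # assumption: <result> comes from the IOC query
    return {
        "command": a.get("cmdline"),
        "dinterface": a.get("comms_ip"),
        "sender": a.get("feed_name"),
        "group": a.get("group"),
        "dname": a.get("hostname", "").lower() or None,
        "sip": a.get("interface_ip"),
        "result": digsig.group(1) if digsig else None,
        "parentprocessname": a.get("parent_name"),
        "parentprocessid": _int_or_none(a.get("parent_pid")),  # assumption: parent_pid, not parent_id
        "process": a.get("path"),
        "objectname": a.get("process_md5"),
        "hash": a.get("process_md5"),
        "object": a.get("process_name"),
        "processid": _int_or_none(a.get("process_pid")),
        "domain": domain or None,
        "login": login.lower() or None,
    }


if __name__ == "__main__":
    parsed = parse_leef(SAMPLE_LOG)
    print(json.dumps(to_logrhythm(parsed), indent=2))
    print(json.loads(parsed["attrs"]["ioc_value"])["search_query"])
```

The key-boundary split is the part worth copying into any custom parser for this feed: splitting on spaces would cut group, ioc_query_string and ioc_value into fragments and misfile them as unknown keys.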