Vendor Documentation


Classification

Rule Name                 | Rule Type | Common Event  | Classification
Feed Query : Process Hit  | Base Rule | Watchlist Hit | Activity


Sample Logs

02 07 2017 17:31:36 1.1.1.1 <USER:NOTE> LEEF:1.0|CB|CB|5.1|feed.query.hit.process|cb_server=cbserver childproc_count=1 cmdline="dummy.path\\VMwareSensor.exe" -s\="smi-vc-01.dummy.net" -m\="vm-816408" -u\="dummy\\svc-prtg" -p\="L7U8HWTj2!NiO@sg" -a\="ignore" -i\="300" -sessionstore\="C:\\ProgramData\\Paessler\\PRTG Network Monitor\\Sensordata (NonPersistent)\\VMware Sessionpool\\ " comms_ip=3.3.3.3 computer_name=NETMONITOR1 crossproc_count=2 emet_count=0 feed_id=11 feed_name=bit9endpointvisibility filemod_count=0 filtering_known_dlls=false group=Default Group host_type=server hostname=NETMONITOR1 interface_ip=2.2.2.2 ioc_query_index=events ioc_query_string=(netconn_count:[1 TO *] digsig_result:unsigned) ioc_type=query ioc_value={"index_type": "events", "search_query": "cb.urlver\=1&q\=(netconn_count%3A%5B1%20TO%20*%5D%20digsig_result%3Aunsigned)"} last_update=2017-02-07T23:10:02.619Z link_parent=dummy.url link_process=dummy.url link_process_md5=dummy.url link_sensor=dummy.url modload_count=64 netconn_count=1 os_type=windows parent_guid=000007c0-0000-0688-01d2-5ad167cc6fba parent_md5=000000000000000000000000000000 parent_name=prtg probe.exe parent_pid=1672 parent_segment_id=1 parent_unique_id=000007c0-0000-0688-01d2-5ad167cc6fba-00000001 path=c:\\program files (x86)\\prtg network monitor\\sensor system\\vmwaresensor.exe process_guid=000007c0-0000-0158-01d2-81974f771f37 process_id=000007c0-0000-0158-01d2-81974f771f37 process_md5=261E37B36B5A77B7B2A0892E6707C9A5 process_name=vmwaresensor.exe process_pid=344 processblock_count=0 regmod_count=1 report_id=f435128d-f5c4-4fa1-9f1f-14d0051ff09c report_score=1 segment_id=1 sensor_id=1984 start=2017-02-07T23:10:02.041Z timestamp=1486510220.44 type=feed.query.hit.process unique_id=000007c0-0000-0158-01d2-81974f771f37-00000001 username=SYSTEM

Mapping with LogRhythm Schema

Device Key in Log Message | Log Value                        | LogRhythm Schema    | Data Type
cmdline                   | dummy.path\\VMwareSensor.exe     | <command>           | Text/String
feed_name                 | bit9endpointvisibility           | <sender>            | Text/String
group                     | Default Group                    | <group>             | Text/String
hostname                  | netmonitor1                      | <dname>             | Text/String
interface_ip              | 2.2.2.2                          | <sip>               | IP Address
digsig_result             | unsigned                         | <result>            | Text/String
parent_name               | prtg probe.exe                   | <parentprocessname> | Text/String
parent_pid                | 1672                             | <parentprocessid>   | Number
path                      | vmwaresensor.exe                 | <process>           | Text/String
process_md5               | 261E37B36B5A77B7B2A0892E6707C9A5 | <objectname>        | Text/String
process_md5               | 261E37B36B5A77B7B2A0892E6707C9A5 | <hash>              | Text/String
process_name              | vmwaresensor.exe                 | <object>            | Text/String
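The Python parser below is added here as a worked example; it is not the vendor's code nor LogRhythm's own parsing engine. It splits this LEEF 1.0 record into its header and key=value attributes (treating the escaped \= inside the quoted cmdline and the unquoted spaces in values such as group=Default Group as data, not delimiters) and then projects the attributes onto the schema fields in the table above. The function and constant names, the key-detection heuristic, and the shortened SAMPLE line are constructed for this example.

```python
import re
# Device key -> LogRhythm schema field(s) from the table (process_md5 feeds two).
LOGRHYTHM_MAP = {
    "cmdline": ("command",), "feed_name": ("sender",), "group": ("group",),
    "hostname": ("dname",), "interface_ip": ("sip",), "digsig_result": ("result",),
    "parent_name": ("parentprocessname",), "parent_pid": ("parentprocessid",),
    "path": ("process",), "process_md5": ("objectname", "hash"), "process_name": ("object",),
}
# A key is a whitespace-delimited identifier followed by an unescaped '='; an escaped
# "\=" inside a value (e.g. -s\="host") and spaces in values are data, not delimiters.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z_][A-Za-z0-9_]*)=")
_UNESCAPE_RE = re.compile(r"\\([\\=|])")  # LEEF escapes for \, = and |

# Constructed sample: a shortened copy of the vendor's example line above.
SAMPLE = (
    r'02 07 2017 17:31:36 1.1.1.1 <USER:NOTE> LEEF:1.0|CB|CB|5.1|feed.query.hit.process|'
    r'cmdline="dummy.path\\VMwareSensor.exe" -s\="smi-vc-01.dummy.net" -u\="dummy\\svc-prtg" '
    r'feed_name=bit9endpointvisibility group=Default Group hostname=NETMONITOR1 '
    r'interface_ip=2.2.2.2 ioc_query_string=(netconn_count:[1 TO *] digsig_result:unsigned) '
    r'parent_name=prtg probe.exe parent_pid=1672 '
    r'path=c:\\program files (x86)\\prtg network monitor\\sensor system\\vmwaresensor.exe '
    r'process_md5=261E37B36B5A77B7B2A0892E6707C9A5 process_name=vmwaresensor.exe'
)

def parse_leef(line: str) -> dict:
    """Split a LEEF 1.0 line into its header fields and an 'attrs' dict."""
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF header in line")
    version, vendor, product, prod_ver, event_id, body = line[start:].split("|", 5)
    keys = list(_KEY_RE.finditer(body))
    attrs = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(body)
        attrs[m.group(1)] = _UNESCAPE_RE.sub(r"\1", body[m.end():end].strip())
    return {"version": version[5:], "vendor": vendor, "product": product,
            "product_version": prod_ver, "event_id": event_id, "attrs": attrs}

def to_logrhythm(attrs: dict) -> dict:
    """Project parsed attributes onto the LogRhythm schema fields in the table."""
    attrs = dict(attrs)
    # digsig_result is not a top-level key: the table takes it from the
    # field:value terms inside ioc_query_string.
    m = re.search(r"digsig_result:([^\s)]+)", attrs.get("ioc_query_string", ""))
    if m:
        attrs["digsig_result"] = m.group(1)
    if "path" in attrs:  # the table maps the file name, not the full path
        attrs["path"] = attrs["path"].replace("\\", "/").rsplit("/", 1)[-1]
    out = {f: attrs[k] for k, fs in LOGRHYTHM_MAP.items() if k in attrs for f in fs}
    if "parentprocessid" in out:  # declared as Number in the table
        out["parentprocessid"] = int(out["parentprocessid"])
    return out
```

Running `to_logrhythm(parse_leef(SAMPLE)["attrs"])` yields the schema fields listed in the table for this record.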