Vendor Documentation


Classification

Rule Name                           | Rule Type | Common Event                | Classification
Network Connection Ingress Event    | Base Rule | General Connection Messages | Network Traffic
Network Connection Event : Inbound  | Sub Rule  | General Network Traffic     | Network Traffic
Network Connection Event : Outbound | Sub Rule  | General Network Traffic     | Network Traffic


Sample Logs

02 07 2017 18:17:08 1.1.1.1 <USER:NOTE> LEEF:1.0|CB|CB|5.1|ingress.event.netconn|cb_server=cbserver computer_name=PIA-AD-02 direction=inbound domain= dst=20.20.20.20 dstPort=123 event_type=netconn ipv4=3.3.3.3 local_ip=4.4.4.4 local_port=123 md5=E3A2AD05E24105B35E986CF9CB38EC47 pid=420 port=123 process_guid=000000cc-0000-01a4-01d1-c68911ca217f process_path=c:\\windows\\system32\\svchost.exe proto=17 protocol=17 remote_ip=30.30.30.30 remote_port=63636 sensor_id=204 src=10.10.10.10 srcPort=63636 timestamp=1486513013 type=ingress.event.netconn

Mapping with LogRhythm Schema

Device Key in Log Message           | Log Value                        | LogRhythm Schema        | Data Type
vmid (the LEEF header EventID field) | ingress.event.netconn            | <vmid>                  | Text/String
direction                           | inbound                          | <tag1>                  | Text/String
domain                              | N/A (empty in the sample)        | <url>                   | Text/String
dst                                 | 20.20.20.20                      | <dip>                   | IP Address
dstPort                             | 123                              | <dport>                 | Number
md5                                 | E3A2AD05E24105B35E986CF9CB38EC47 | <objectname>, <hash>    | Text/String
pid                                 | 420                              | <processid>             | Number
process_path (file name only)       | svchost.exe                      | <process>               | Text/String
proto                               | 17                               | <protnum>               | Number/Text/String
src                                 | 10.10.10.10                      | <sip>                   | IP Address
srcPort                             | 63636                            | <sport>                 | Number

Note that the keys are written as they appear in the sample log (dstPort, srcPort, not dstport, srcport), that <vmid> is taken from the LEEF header rather than from a key=value attribute, and that <process> carries only the last path component of process_path. The duplicate attributes port, local_port, remote_port and protocol are not mapped by this rule.
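As an added worked example (not LogRhythm's or Carbon Black's own parsing code), the following Python parses the sample LEEF line from this page, applies the mapping table above to produce the LogRhythm schema fields, and selects the Base Rule or the Inbound/Outbound Sub Rule from the direction attribute. The function names, the outbound and direction-less variants in the test, and the handling of unmapped attributes are assumptions made for this example; the sample line itself is the one shown under Sample Logs.

```python
import re
from dataclasses import dataclass

# Sample line copied from this page's Sample Logs section (placeholder IPs as on
# the page). A raw string keeps the doubled backslashes in process_path exactly
# as Carbon Black emits them.
SAMPLE = (
    r"02 07 2017 18:17:08 1.1.1.1 <USER:NOTE> LEEF:1.0|CB|CB|5.1|ingress.event.netconn|"
    r"cb_server=cbserver computer_name=PIA-AD-02 direction=inbound domain= "
    r"dst=20.20.20.20 dstPort=123 event_type=netconn ipv4=3.3.3.3 local_ip=4.4.4.4 "
    r"local_port=123 md5=E3A2AD05E24105B35E986CF9CB38EC47 pid=420 port=123 "
    r"process_guid=000000cc-0000-01a4-01d1-c68911ca217f "
    r"process_path=c:\\windows\\system32\\svchost.exe proto=17 protocol=17 "
    r"remote_ip=30.30.30.30 remote_port=63636 sensor_id=204 src=10.10.10.10 "
    r"srcPort=63636 timestamp=1486513013 type=ingress.event.netconn"
)

# Rule table from this page: direction -> (Sub Rule name, Common Event).
BASE_RULE = ("Network Connection Ingress Event", "General Connection Messages")
SUB_RULES = {
    "inbound": ("Network Connection Event : Inbound", "General Network Traffic"),
    "outbound": ("Network Connection Event : Outbound", "General Network Traffic"),
}
CLASSIFICATION = "Network Traffic"


@dataclass
class LeefEvent:
    leef_version: str
    vendor: str
    product: str
    product_version: str
    event_id: str          # LEEF header EventID, mapped to <vmid>
    attrs: dict            # key=value attributes after the header


def parse_leef(line: str) -> LeefEvent:
    """Split a LEEF 1.0 line into header fields and key=value attributes.

    Everything before 'LEEF:' (syslog timestamp, relay IP, PRI tag) is ignored.
    The attribute delimiter in this feed is a space, so attributes are cut at
    'key=' boundaries rather than split on spaces; this also keeps an empty
    value such as 'domain=' and a value containing spaces intact.
    """
    idx = line.find("LEEF:")
    if idx < 0:
        raise ValueError("not a LEEF line")
    parts = line[idx:].rstrip("\r\n").split("|", 5)
    if len(parts) != 6:
        raise ValueError("malformed LEEF header")
    attrs = dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", parts[5]))
    return LeefEvent(parts[0].split(":", 1)[1], parts[1], parts[2], parts[3], parts[4], attrs)


def basename(path: str) -> str:
    """Last path component; tolerates the doubled backslashes CB writes."""
    return re.split(r"[\\/]+", path)[-1]


def to_logrhythm(ev: LeefEvent) -> dict:
    """Apply the page's mapping table; empty values become None (N/A)."""
    a = ev.attrs

    def num(key):
        return int(a[key]) if a.get(key, "").isdigit() else None

    md5 = a.get("md5") or None
    return {
        "vmid": ev.event_id,
        "tag1": a.get("direction") or None,
        "url": a.get("domain") or None,
        "dip": a.get("dst") or None,
        "dport": num("dstPort"),
        "objectname": md5,
        "hash": md5,
        "processid": num("pid"),
        "process": basename(a["process_path"]) if a.get("process_path") else None,
        "protnum": num("proto"),
        "sip": a.get("src") or None,
        "sport": num("srcPort"),
    }


def classify(ev: LeefEvent):
    """Return (Rule Name, Common Event, Classification), or None if this rule
    does not apply. A netconn event with no usable direction falls back to the
    Base Rule instead of being dropped."""
    if ev.event_id != "ingress.event.netconn":
        return None
    rule, common = SUB_RULES.get(ev.attrs.get("direction", "").lower(), BASE_RULE)
    return rule, common, CLASSIFICATION


if __name__ == "__main__":
    event = parse_leef(SAMPLE)
    print(classify(event))
    for k, v in to_logrhythm(event).items():
        print(f"<{k}> = {v}")
```

The unmapped duplicates (port, local_port, remote_port, protocol) stay in `attrs` for ad-hoc searching but are deliberately not promoted to schema fields, matching the table above.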