Vendor Documentation


Classification

| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| Process Ingress Event | Base Rule | Process/Service Startup Or Shutdown Activity | Startup and Shutdown |
| Process Ingress Event : Start | Sub Rule | Process/Service Started | Startup and Shutdown |
| Process Ingress Event : End | Sub Rule | Process/Service Stopped | Startup and Shutdown |


Sample Logs

11 12 2016 17:33:07 1.1.1.1 <USER:NOTE> LEEF:1.0|CB|CB|5.1|ingress.event.procend|cb_server=cbserver command_line= computer_name=DUMMY-DEV event_type=proc expect_followon_w_md5=false md5=149DCC8EBC5F720E64868F3FF5FFAE26 parent_create_time=1478290870 parent_path= parent_process_guid=000005cd-0000-10f0-01d2-36d8fb5eba2a path=c:\\program files\\git\\cmd\\git.exe pid=34672 process_guid=000005cd-0000-8770-01d2-3d4560c14974 sensor_id=1485 timestamp=1478997133 type=ingress.event.procend

Mapping with LogRhythm Schema

| Device Key in Log Message | Log Value | LogRhythm Schema | Data Type |
|---|---|---|---|
| vmid | ingress.event.procend | <vmid> | Text/String |
| command_line | N/A | <command> | Text/String |
| computer_name | DUMMY-DEV | <dname> | Text/String |
| md5 | 149DCC8EBC5F720E64868F3FF5FFAE26 | <objectname>, <hash> | Text/String |
| parent_path | N/A | <parentprocesspath>, <parentprocessname> | Text/String |
| path | git.exe | <process> | Text/String |
| pid | 34672 | <processid> | Number |
| username | N/A | <domain>, <account> | Text/String |
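As an added example (not LogRhythm's or Carbon Black's own parser), the following Python applies the mapping table above to the sample log: it splits the LEEF header from the key=value body, keeps empty values (reported as N/A above), reduces the full executable path to the <process> value git.exe, and selects the Start/End sub rule from the event id. The procstart event id and the field names used for the output dict are assumptions.

```python
import re

# Constructed copy of the sample log above (one line; attribute separators are spaces here).
SAMPLE_LOG = (
    r"11 12 2016 17:33:07 1.1.1.1 <USER:NOTE> LEEF:1.0|CB|CB|5.1|ingress.event.procend|"
    r"cb_server=cbserver command_line= computer_name=DUMMY-DEV event_type=proc "
    r"expect_followon_w_md5=false md5=149DCC8EBC5F720E64868F3FF5FFAE26 parent_create_time=1478290870 "
    r"parent_path= parent_process_guid=000005cd-0000-10f0-01d2-36d8fb5eba2a "
    r"path=c:\\program files\\git\\cmd\\git.exe pid=34672 "
    r"process_guid=000005cd-0000-8770-01d2-3d4560c14974 sensor_id=1485 timestamp=1478997133 "
    r"type=ingress.event.procend"
)

# Sub rule chosen by LEEF event id, per the Classification table (procstart id is assumed).
SUB_RULES = {"ingress.event.procstart": "Process Ingress Event : Start",
             "ingress.event.procend": "Process Ingress Event : End"}


def _basename(path):
    # Sensor paths arrive with doubled backslashes; keep only the final component.
    return re.split(r"[\\/]+", path)[-1] if path else None


def parse_leef(line):
    """Split a LEEF:1.0 line into its header fields and an attribute dict."""
    _, _, rest = line.partition("LEEF:1.0|")
    if not rest:
        raise ValueError("not a LEEF:1.0 line")
    vendor, product, version, event_id, body = rest.split("|", 4)
    # Split only at whitespace followed by 'key=', so a value containing spaces
    # ('c:\\program files\\...') survives and an empty value ('command_line=') is kept.
    attrs = dict(p.split("=", 1) for p in re.split(r"\s+(?=\w+=)", body))
    return {"vendor": vendor, "product": product, "version": version,
            "event_id": event_id, "attrs": attrs}


def to_logrhythm(line):
    """Apply the mapping table above to one Carbon Black LEEF event."""
    ev = parse_leef(line)
    a = ev["attrs"]
    return {
        "rule": SUB_RULES.get(ev["event_id"], "Process Ingress Event"),
        "vmid": ev["event_id"],
        "command": a.get("command_line") or None,      # empty value -> N/A
        "dname": a.get("computer_name") or None,
        "objectname": a.get("md5") or None, "hash": a.get("md5") or None,
        "parentprocesspath": a.get("parent_path") or None,
        "parentprocessname": _basename(a.get("parent_path")),
        "process": _basename(a.get("path")),           # full path -> git.exe
        "processid": int(a["pid"]) if a.get("pid", "").isdigit() else None,
        "domain": None, "account": a.get("username") or None,  # not in this event
    }
```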