Vendor Documentation


Rule Name                                     | Rule Type | Common Event  | Classification
Watchlist Hit Alert : Binary Ingress          | Base Rule | Watchlist Hit | Activity
Watchlist Hit Alert : Signed Binary Ingress   | Sub Rule  | Watchlist Hit | Activity
Watchlist Hit Alert : Unsigned Binary Ingress | Sub Rule  | Watchlist Hit | Activity


Sample Logs

05 18 2016 09:07:01 1.1.1.1 <USER:NOTE> LEEF:1.0|CB|CB|5.1|alert.watchlist.hit.ingress.binary|alert_severity=32.4 alert_type=watchlist.hit.ingress.binary assigned_to=dummy.usr cb_server=cbserver computer_name=USLT0736DUMMY created_time=2016-05-18T14:34:25.507Z digsig_result=Signed feed_id=6 feed_name=virustotal feed_rating=3.0 host_count=1 hostname=USLT0736DUMMY ioc_confidence=0.5 ioc_type=md5 ioc_value=ab1875d34e33ebf9fef6563ad337ba49 ioc_value_facet=ab1875d34e33ebf9fef6563ad337ba49 md5=AB1875D34E33EBF9FEF6563AD337BA49 observed_filename=c:\\program observed_filename_total_count=61 os_type=Windows process_guid=077c42de-c0e9-4ed2-ac18-9bceb667acd3 report_score=48 resolved_time=2016-05-18T16:00:37.593Z segment_id=1 sensor_criticality=3.0 status=Resolved timestamp=1463587252.597 type=alert.watchlist.hit.ingress.binary unique_id=077c42de-c0e9-4ed2-ac18-9bceb667acd3 watchlist_id=ab1875d34e33ebf9fef6563ad337ba49 watchlist_name=ab1875d34e33ebf9fef6563ad337ba49

Mapping with LogRhythm Schema

Device Key in log message     | Log Value                        | LogRhythm Schema | Data Type
alert_severity                | 32.4                             | <severity>       | Number
digsig_publisher/issuer       | N/A                              | <subject>        | Text/String
digsig_result                 | Signed                           | <result>         | Text/String
digsig_result                 | Signed                           | <tag1>           | Text/String
feed_name                     | virustotal                       | <sender>         | Text/String
hostname                      | USLT0736DUMMY                    | <dname>          | Text/String
md5                           | AB1875D34E33EBF9FEF6563AD337BA49 | <objectname>     | Text/String
md5                           | AB1875D34E33EBF9FEF6563AD337BA49 | <hash>           | Text/String
observed_filename             | program                          | <process>        | Text/String
observed_filename_total_count | 61                               | <quantity>       | Number
status                        | Resolved                         | <status>         | Text/String
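As an added example, not part of the vendor documentation, the following Python code splits the syslog-wrapped LEEF record shown above into its header fields and key=value attributes, then applies the mapping table to produce LogRhythm schema fields with the stated data types. The sample record is a constructed, cut-down copy of the page's log line; the header layout (LEEF:version|vendor|product|version|eventID|attributes) is read off that sample.

```python
import re

# Constructed sample record, cut down from the LEEF line documented on this
# page (the page's own dummy values; keys not in the mapping table dropped).
SAMPLE = (
    "05 18 2016 09:07:01 1.1.1.1 <USER:NOTE> LEEF:1.0|CB|CB|5.1|"
    "alert.watchlist.hit.ingress.binary|alert_severity=32.4 digsig_result=Signed "
    "feed_name=virustotal hostname=USLT0736DUMMY "
    "md5=AB1875D34E33EBF9FEF6563AD337BA49 observed_filename=c:\\\\program "
    "observed_filename_total_count=61 status=Resolved"
)

# Device key -> (LogRhythm schema fields, type), copied from the mapping table.
MAPPING = {
    "alert_severity": (("severity",), float),
    "digsig_result": (("result", "tag1"), str),
    "feed_name": (("sender",), str),
    "hostname": (("dname",), str),
    "md5": (("objectname", "hash"), str),
    "observed_filename": (("process",), str),
    "observed_filename_total_count": (("quantity",), int),
    "status": (("status",), str),
}

KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_leef(line: str) -> dict:
    """Split a syslog-wrapped LEEF record into header fields and attributes."""
    _, found, leef = line.partition("LEEF:")
    if not found:
        raise ValueError("no LEEF header found")
    version, vendor, product, prod_version, event_id, attrs = leef.split("|", 5)
    # This feed uses space-separated key=value pairs (not LEEF's default tab),
    # so a value containing a space, such as a full path, is cut at the space.
    return {
        "leef_version": version, "vendor": vendor, "product": product,
        "product_version": prod_version, "event_id": event_id,
        "attrs": dict(KV_RE.findall(attrs)),
    }


def map_to_logrhythm(record: dict) -> dict:
    """Apply the page's device-key -> schema-field mapping, coercing Number fields."""
    out = {}
    for key, (fields, cast) in MAPPING.items():
        if key in record["attrs"]:
            for field in fields:
                out[field] = cast(record["attrs"][key])
    return out
```

Keys with two rows in the table (digsig_result, md5) are written to both schema fields, and the unmapped alert_type attribute is left out of the result.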