Vendor Documentation


Classification

Rule Name                                      Rule Type   Common Event    Classification
Watchlist Hit Alert : Feed Search Binary       Base Rule   Watchlist Hit   Activity
Watchlist Feed Hit Alert : Unsigned Binary     Sub Rule    Watchlist Hit   Activity
Watchlist Feed Hit Alert : Signed Binary       Sub Rule    Watchlist Hit   Activity


Sample Logs

05 10 2019 03:50:44 1.1.1.1 <USER:NOTE> LEEF:1.0|CB|CB|5.1|alert.watchlist.hit.feedsearch.binary|alert_severity=33.75 alert_type=watchlist.hit.feedsearch.binary cb_server=dummy.server:8443 computer_name=tiw-00371 created_time=2019-05-10T07:50:44.744125Z digsig_result=Unsigned feed_id=14 feed_name=iconmatching feed_rating=3.0 host_count=1 hostname=tiw-00371 ioc_confidence=0.5 ioc_type=md5 ioc_value=4b07e4b313d2486643e3b80dd9c4a534 ioc_value_facet=4b07e4b313d2486643e3b80dd9c4a534 link_md5=dummy.url md5=4B07E4B313D2486643E3B80DD9C4A534 observed_filename=[d:\cbt's\cissp and csslp\cissp reviewers\cissp sybex 4ed (csb)\flashcards\pcflashcards\pcflashcards2.exe] observed_filename_total_count=1 os_type=Windows other_hostnames=[] report_score=50 sensor_criticality=3.0 status=Unresolved timestamp=1557474644.791 type=alert.watchlist.hit.feedsearch.binary unique_id=1c18c484-19e2-4da3-9b0c-24e8cfa4e597 watchlist_id=brandadobemedium watchlist_name=brandadobemedium

Mapping with LogRhythm Schema

Device Key in Log Message        Log Value                                  LogRhythm Schema        Data Type
N/A                              alert.watchlist.hit.feedsearch.binary      <vmid>                  Text/String
alert_severity                   33.75                                      <severity>              Number
digsig_publisher/issuer          N/A                                        <subject>               Text/String
digsig_result                    Unsigned                                   <result>, <tag1>        Text/String
feed_name                        iconmatching                               <sender>                Text/String
hostname                         tiw-00371                                  <dname>                 Text/String
md5                              4B07E4B313D2486643E3B80DD9C4A534           <objectname>, <hash>    Text/String
observed_filename                pcflashcards2.exe                          <process>               Text/String
observed_filename_total_count    1                                          <quantity>              Number
status                           Unresolved                                 <status>                Text/String
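The mapping table applied to the sample log, as an added Python example that is not part of the vendor documentation or of LogRhythm's own parser. It assumes that <vmid> is taken from the LEEF header EventID (the table lists no device key for it), that the "/issuer" alternative in the digsig_publisher row is the digsig_issuer attribute, and that observed_filename is reduced to its bare file name as the table's value shows.

```python
import re

# Constructed input: the sample LEEF alert from this page, syslog prefix included.
SAMPLE_LOG = (
    r"05 10 2019 03:50:44 1.1.1.1 <USER:NOTE> LEEF:1.0|CB|CB|5.1|alert.watchlist.hit.feedsearch.binary|"
    r"alert_severity=33.75 alert_type=watchlist.hit.feedsearch.binary cb_server=dummy.server:8443 "
    r"computer_name=tiw-00371 created_time=2019-05-10T07:50:44.744125Z digsig_result=Unsigned feed_id=14 "
    r"feed_name=iconmatching feed_rating=3.0 host_count=1 hostname=tiw-00371 ioc_confidence=0.5 ioc_type=md5 "
    r"ioc_value=4b07e4b313d2486643e3b80dd9c4a534 ioc_value_facet=4b07e4b313d2486643e3b80dd9c4a534 "
    r"link_md5=dummy.url md5=4B07E4B313D2486643E3B80DD9C4A534 observed_filename=[d:\cbt's\cissp and csslp"
    r"\cissp reviewers\cissp sybex 4ed (csb)\flashcards\pcflashcards\pcflashcards2.exe] "
    r"observed_filename_total_count=1 os_type=Windows other_hostnames=[] report_score=50 sensor_criticality=3.0 "
    r"status=Unresolved timestamp=1557474644.791 type=alert.watchlist.hit.feedsearch.binary "
    r"unique_id=1c18c484-19e2-4da3-9b0c-24e8cfa4e597 watchlist_id=brandadobemedium watchlist_name=brandadobemedium"
)

# The page's mapping table: CB attribute -> LogRhythm schema field(s); digsig_issuer is an assumption.
FIELD_MAP = {
    "alert_severity": ("severity",), "digsig_publisher": ("subject",), "digsig_issuer": ("subject",),
    "digsig_result": ("result", "tag1"), "feed_name": ("sender",), "hostname": ("dname",),
    "md5": ("objectname", "hash"), "observed_filename": ("process",),
    "observed_filename_total_count": ("quantity",), "status": ("status",),
}
NUMERIC = {"alert_severity", "observed_filename_total_count"}  # rows typed "Number" in the table

def parse_leef(line):
    """Return (header dict, attribute dict) for a syslog-wrapped LEEF 1.0 record."""
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF header in line")
    *head, body = line[start:].rstrip().split("|", 5)
    # Values such as observed_filename=[...] contain spaces, so a value runs until the next " key=".
    attrs = dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", body))
    return dict(zip(("version", "vendor", "product", "product_version", "event_id"), head)), attrs

def map_to_logrhythm(line):
    """Apply the page's field mapping; <vmid> is taken from the LEEF header EventID (assumption)."""
    header, attrs = parse_leef(line)
    out = {"vmid": header["event_id"]}
    for key, targets in FIELD_MAP.items():
        if key not in attrs:
            continue  # e.g. digsig_publisher is absent from this unsigned-binary alert
        value = attrs[key]
        if key == "observed_filename":  # table shows the bare file name: drop the [ ] wrapper and path
            value = re.split(r"[\\/]", value.strip("[]"))[-1]
        elif key in NUMERIC:
            value = float(value) if "." in value else int(value)
        for field in targets:
            out[field] = value
    return out
```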