Vendor Documentation


Classification

| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| Watchlist Hit Alert : Host Ingress | Base Rule | Watchlist Hit | Activity |


Sample Logs

05 18 2016 08:40:17 1.1.1.1 <USER:NOTE> LEEF:1.0|CB|CB|5.1|alert.watchlist.hit.ingress.host|alert_severity=47.25 alert_type=watchlist.hit.ingress.host assigned_to=user.name cb_server=cbserver computer_name=USLT1361DUMMY created_time=2016-05-17T23:01:19.773Z feed_id=2 feed_name=cbtamper feed_rating=3.0 group=LogRhythm HQ hostname=USLT1361DUMMY ioc_attr={"hit_field_tamper_type": "AlertCbServiceStopped"} ioc_confidence=0.5 ioc_type=class ioc_value=com.carbonblack.cbfs.ingress_search.detectors.SensorTamper$Terminate os_type=Windows process_guid=c6d0ecfd-e154-4f85-840a-d3cae5a5aa2e report_score=70 resolved_time=2016-05-18T15:33:53.714Z segment_id=1 sensor_criticality=3.0 sensor_id=26 status=Resolved timestamp=1463585648.718 type=alert.watchlist.hit.ingress.host unique_id=c6d0ecfd-e154-4f85-840a-d3cae5a5aa2e watchlist_id=terminate watchlist_name=terminate

Mapping with LogRhythm Schema

| Device Key in Log Message | Log Value | LogRhythm Schema | Data Type |
|---|---|---|---|
| alert_severity | 47.25 | <severity> | Number |
| feed_name | cbtamper | <sender> | Text/String |
| group | LogRhythm HQ | <group> | Text/String |
| hostname | USLT1361DUMMY | <dname> | Text/String |
| status | Resolved | <status> | Text/String |
| watchlist_name | terminate | <vmid> | Text/String |
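To show how the sample record above is split and how the mapping table is applied, here is a small Python parser; it is an added example, not LogRhythm's or Carbon Black's code. It assumes the attribute section is whitespace-separated key=value pairs, as in the sample (values such as `group=LogRhythm HQ` may themselves contain spaces), and the names `parse_leef`, `map_to_schema`, `SCHEMA_MAP` and `KEY_RE` are the example's own.

```python
import re

# Sample LEEF record copied from the page's "Sample Logs" section.
SAMPLE = (
    '05 18 2016 08:40:17 1.1.1.1 <USER:NOTE> LEEF:1.0|CB|CB|5.1|alert.watchlist.hit.ingress.host|'
    'alert_severity=47.25 alert_type=watchlist.hit.ingress.host assigned_to=user.name '
    'cb_server=cbserver computer_name=USLT1361DUMMY created_time=2016-05-17T23:01:19.773Z '
    'feed_id=2 feed_name=cbtamper feed_rating=3.0 group=LogRhythm HQ hostname=USLT1361DUMMY '
    'ioc_attr={"hit_field_tamper_type": "AlertCbServiceStopped"} ioc_confidence=0.5 ioc_type=class '
    'ioc_value=com.carbonblack.cbfs.ingress_search.detectors.SensorTamper$Terminate os_type=Windows '
    'process_guid=c6d0ecfd-e154-4f85-840a-d3cae5a5aa2e report_score=70 '
    'resolved_time=2016-05-18T15:33:53.714Z segment_id=1 sensor_criticality=3.0 sensor_id=26 '
    'status=Resolved timestamp=1463585648.718 type=alert.watchlist.hit.ingress.host '
    'unique_id=c6d0ecfd-e154-4f85-840a-d3cae5a5aa2e watchlist_id=terminate watchlist_name=terminate'
)

# The page's mapping table: LEEF key -> (LogRhythm schema field, type converter).
SCHEMA_MAP = {
    "alert_severity": ("severity", float),   # Number
    "feed_name": ("sender", str),
    "group": ("group", str),
    "hostname": ("dname", str),
    "status": ("status", str),
    "watchlist_name": ("vmid", str),
}

# A key= token counts only at the start or after whitespace, so the JSON in ioc_attr is not mis-split.
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z_][A-Za-z0-9_]*)=")


def parse_leef(line):
    """Return (header dict, attribute dict) for one LEEF record."""
    _, sep, rest = line.partition("LEEF:")
    parts = rest.split("|", 5)   # version|vendor|product|product_version|event_id|attrs
    if not sep or len(parts) != 6:
        raise ValueError("malformed LEEF record")
    header = dict(zip(("version", "vendor", "product", "product_version", "event_id"), parts))
    attrs = parts[5]
    # Values may contain spaces (group=LogRhythm HQ), so cut at key= positions, not on whitespace.
    hits = list(KEY_RE.finditer(attrs))
    fields = {}
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(attrs)
        fields[m.group(1)] = attrs[m.end():end].strip()
    return header, fields


def map_to_schema(fields):
    """Apply SCHEMA_MAP; keys the table does not map are dropped."""
    return {schema: conv(fields[key])
            for key, (schema, conv) in SCHEMA_MAP.items() if key in fields}
```

Running `map_to_schema(parse_leef(SAMPLE)[1])` yields the six schema fields from the table, with `severity` as the number 47.25 and `group` as the full string "LogRhythm HQ".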