Vendor Documentation


Classification

Rule Name                             | Rule Type | Common Event  | Classification
Watchlist Hit Alert : Process Ingress | Base Rule | Watchlist Hit | Activity


Sample Logs

05 18 2016 08:40:17 1.1.1.1 <USER:NOTE> LEEF:1.0|CB|CB|5.1|alert.watchlist.hit.ingress.process|alert_severity=47.25 alert_type=watchlist.hit.ingress.process assigned_to=usr.name cb_server=cbserver childproc_count=0 comms_ip=3.3.3.3 computer_name=USLT1361DUMMY created_time=2016-05-17T23:12:56.657Z crossproc_count=5 feed_id=2 feed_name=cbtamper feed_rating=3.0 filemod_count=29 group=LogRhythm HQ hostname=USLT1361DUMMY interface_ip=2.2.2.2 ioc_attr={"hit_field_tamper": true, "hit_field_path": "C:\\\\Windows\\\\CarbonBlack\\\\InstallLogs\\\\install-5.1.1.60415-2016-05-17_160707.log", "hit_field_action": "actionFileModCreate"} ioc_confidence=0.5 ioc_type=class ioc_value=com.carbonblack.cbfs.ingress_search.detectors.SensorTamper$FileMod md5=14C7013653D2BE7A6ECF19A73B491B81 modload_count=63 netconn_count=0 os_type=windows process_guid=49824784-448d-489e-b696-1fc36a3532a2 process_id=0000001a-0000-2f64-01d1-b0887be86764 process_name=carbonblackclientsetup.exe process_path=dummy.path\\carbonblackclientsetup.exe regmod_count=0 report_score=70 resolved_time=2016-05-18T15:34:04.193Z segment_id=1 sensor_criticality=3.0 sensor_id=26 status=Resolved timestamp=1463585648.718 type=alert.watchlist.hit.ingress.process unique_id=49824784-448d-489e-b696-1fc36a3532a2 username=DOMAIN\\dummy.user watchlist_id=filemod_tamper watchlist_name=filemod_tamper

Mapping with LogRhythm Schema

Device Key in Log Message | Log Value                                                          | LogRhythm Schema | Data Type
alert_severity            | 47.25                                                              | <severity>       | Text/String/Number
feed_name                 | cbtamper                                                           | <sender>         | Text/String
group                     | LogRhythm HQ                                                       | <group>          | Text/String
hostname                  | USLT1361DUMMY                                                      | <dname>          | Text/String
interface_ip              | 2.2.2.2                                                            | <sip>            | IP Address
ioc_type                  | class                                                              | <objecttype>     | Text/String
ioc_value                 | com.carbonblack.cbfs.ingress_search.detectors.SensorTamper$FileMod | <domainimpacted> | Text/String
ioc_value                 | N/A                                                                | <command>        | Text/String
search_query              | com.carbonblack.cbfs.ingress_search.detectors.SensorTamper$FileMod | <command>        | Text/String
ioc_value                 | N/A                                                                | <dip>            | IP Address
ioc_value                 | N/A                                                                | <object>         | Text/String
ioc_value                 | N/A                                                                | <hash>           | Text/String
ioc_value                 | N/A                                                                | <url>            | Text/String
md5                       | 14C7013653D2BE7A6ECF19A73B491B81                                   | <hash>           | Text/String
netconn_count             | 0                                                                  | <quantity>       | Number
process_name              | carbonblackclientsetup.exe                                         | <object>         | Text/String
process_path              | carbonblackclientsetup.exe                                         | <process>        | Text/String
status                    | Resolved                                                           | <status>         | Text/String
username                  | DOMAIN                                                             | <domain>         | Text/String
username                  | dummy.user                                                         | <login>          | Text/String
watchlist_name            | filemod_tamper                                                     | <vmid>           | Text/String

Notes on the mapping: N/A in the Log Value column means the sample log above does not populate that schema field. The username value DOMAIN\dummy.user is split on the backslash, the part before it going to <domain> and the part after it to <login>. <sip> is taken from the sensor's interface_ip key, not from the relay address (1.1.1.1) in front of the LEEF header and not from comms_ip.
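To check the mapping end to end, the following parser reads the sample log above and produces the LogRhythm fields the table lists. This is an added example, not LogRhythm's or Carbon Black's code: the function names are mine, the log line is the page's sample embedded as a constant, and the mapping is the table transcribed as data, with ioc_value routed only for the ioc_type=class case the page shows (the other ioc_value rows are left unpopulated, as in the sample). Two details are worth seeing in code: Carbon Black writes the LEEF attributes space-separated rather than tab-separated, and values such as group and the ioc_attr JSON themselves contain spaces, so the parser locates key= tokens and takes the text between them instead of splitting on whitespace; and the tamper path inside ioc_attr is only reachable after JSON-decoding that value.

```python
"""Parse a Carbon Black LEEF watchlist alert and apply the page's schema mapping.

Added example (not LogRhythm or Carbon Black code). SAMPLE is the log line from
this page, embedded as a constructed test input.
"""
import json
import re

# Raw string so the doubled backslashes appear exactly as the page prints them.
SAMPLE = r"""05 18 2016 08:40:17 1.1.1.1 <USER:NOTE> LEEF:1.0|CB|CB|5.1|alert.watchlist.hit.ingress.process|alert_severity=47.25 alert_type=watchlist.hit.ingress.process assigned_to=usr.name cb_server=cbserver childproc_count=0 comms_ip=3.3.3.3 computer_name=USLT1361DUMMY created_time=2016-05-17T23:12:56.657Z crossproc_count=5 feed_id=2 feed_name=cbtamper feed_rating=3.0 filemod_count=29 group=LogRhythm HQ hostname=USLT1361DUMMY interface_ip=2.2.2.2 ioc_attr={"hit_field_tamper": true, "hit_field_path": "C:\\\\Windows\\\\CarbonBlack\\\\InstallLogs\\\\install-5.1.1.60415-2016-05-17_160707.log", "hit_field_action": "actionFileModCreate"} ioc_confidence=0.5 ioc_type=class ioc_value=com.carbonblack.cbfs.ingress_search.detectors.SensorTamper$FileMod md5=14C7013653D2BE7A6ECF19A73B491B81 modload_count=63 netconn_count=0 os_type=windows process_guid=49824784-448d-489e-b696-1fc36a3532a2 process_id=0000001a-0000-2f64-01d1-b0887be86764 process_name=carbonblackclientsetup.exe process_path=dummy.path\\carbonblackclientsetup.exe regmod_count=0 report_score=70 resolved_time=2016-05-18T15:34:04.193Z segment_id=1 sensor_criticality=3.0 sensor_id=26 status=Resolved timestamp=1463585648.718 type=alert.watchlist.hit.ingress.process unique_id=49824784-448d-489e-b696-1fc36a3532a2 username=DOMAIN\\dummy.user watchlist_id=filemod_tamper watchlist_name=filemod_tamper"""

# LEEF header: LEEF:Version|Vendor|Product|ProductVersion|EventID|attributes.
# The syslog prefix before "LEEF:" is skipped by searching for the header.
LEEF_HEADER = re.compile(
    r"LEEF:(?P<version>[^|]+)\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|"
    r"(?P<prod_version>[^|]*)\|(?P<event_id>[^|]*)\|(?P<attrs>.*)$",
    re.S,
)
# An attribute key: start of text or whitespace, an identifier, then '='.
# A value is everything between one key and the next, so embedded spaces in
# group=LogRhythm HQ and in the ioc_attr JSON survive intact.
ATTR_KEY = re.compile(r"(?:^|\s)([A-Za-z_][\w.]*)=")

# The mapping table on this page, transcribed (one-to-one rows only).
DIRECT_MAP = {
    "alert_severity": "severity",
    "feed_name": "sender",
    "group": "group",
    "hostname": "dname",
    "interface_ip": "sip",        # sensor interface, not the relay or comms_ip
    "ioc_type": "objecttype",
    "search_query": "command",
    "md5": "hash",
    "process_name": "object",
    "process_path": "process",
    "status": "status",
    "watchlist_name": "vmid",
}


def parse_leef(line):
    """Return (header dict, attribute dict) for one LEEF record."""
    m = LEEF_HEADER.search(line)
    if not m:
        raise ValueError("not a LEEF record")
    header = {k: m.group(k) for k in ("version", "vendor", "product", "prod_version", "event_id")}
    text = m.group("attrs")
    keys = list(ATTR_KEY.finditer(text))
    attrs = {}
    for cur, nxt in zip(keys, keys[1:] + [None]):
        end = nxt.start() if nxt else len(text)
        attrs[cur.group(1)] = text[cur.end():end].strip()
    return header, attrs


def map_to_schema(attrs):
    """Apply the page's mapping to parsed attributes; returns schema field -> value."""
    fields = {DIRECT_MAP[k]: v for k, v in attrs.items() if k in DIRECT_MAP}
    if "netconn_count" in attrs:
        fields["quantity"] = int(attrs["netconn_count"])  # Data Type: Number
    # ioc_value routes by ioc_type; the page only shows the class case.
    if attrs.get("ioc_type") == "class" and "ioc_value" in attrs:
        fields["domainimpacted"] = attrs["ioc_value"]
    # DOMAIN\user splits into <domain> and <login>. The page prints the separator
    # doubled, so split on a run of backslashes rather than exactly one.
    parts = re.split(r"\\+", attrs.get("username", ""), maxsplit=1)
    if len(parts) == 2:
        fields["domain"], fields["login"] = parts
    return fields


def tamper_path(attrs):
    """JSON-decode ioc_attr and return the file path the SensorTamper detector flagged."""
    return json.loads(attrs["ioc_attr"]).get("hit_field_path")


if __name__ == "__main__":
    hdr, attrs = parse_leef(SAMPLE)
    print(hdr["event_id"])
    for field, value in sorted(map_to_schema(attrs).items()):
        print(f"<{field}> = {value}")
    print("tampered file:", tamper_path(attrs))
```

Running the block prints the schema fields for the sample; the sensor-tamper path is the one piece of context the table does not carry, and it identifies which file under the Carbon Black install directory the detector saw being written.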