Vendor Documentation


Classification

Rule Name | Rule Type | Common Event | Classification
Watchlist Hit Alert: Query Process | Base Rule | Watchlist Hit | Activity
Watchlist Hit Alert: Query Process: Unresolved | Sub Rule | Watchlist Hit | Activity
Watchlist Hit Alert: Query Process: Resolved | Sub Rule | Watchlist Hit | Activity


Sample Logs

02 07 2017 17:51:51 1.1.1.1 <USER:NOTE> LEEF:1.0|CB|CB|5.1|alert.watchlist.hit.query.process|alert_severity=50.625 alert_type=watchlist.hit.query.process cb_server=cbserver childproc_count=0 comms_ip=2.2.2.2 computer_name=SMI-DEVCI-1 created_time=2017-02-07T23:51:35.009415Z crossproc_count=2 feed_id=-1 feed_name=My Watchlists feed_rating=3.0 filemod_count=0 group=Default Servers hostname=SMI-DEVCI-1 interface_ip=3.3.3.3 ioc_confidence=0.5 ioc_type=query link_md5=https://pia-carbla-01.smchcn.net/#/binary/6EF437A9A14F3EDAAE753EE2A27E59ED link_process=https://pia-carbla-01.smchcn.net/#analyze/0000011d-0000-1630-01d2-819c91dd22ad/1 md5=6EF437A9A14F3EDAAE753EE2A27E59ED modload_count=43 netconn_count=35 os_type=windows process_guid=0000011d-0000-1630-01d2-819c91dd22ad process_id=0000011d-0000-1630-01d2-819c91dd22ad process_name=ssh.exe process_path=c:\\program files (x86)\\git\\bin\\ssh.exe regmod_count=0 report_score=75 segment_id=1 sensor_criticality=3.0 sensor_id=285 status=Unresolved timestamp=1486511510.209 type=alert.watchlist.hit.query.process unique_id=dc2342f8-bc21-4da7-adc7-6a150cab5c49 username=SYSTEM watchlist_id=20 watchlist_name=[Carbon Black] Unsigned NetConns

Mapping with LogRhythm Schema

Device Key in Log Message | Log Value | LogRhythm Schema | Data Type
N/A | alert.watchlist.hit.query.process | <vmid> | Text/String
hostname | smi-devci-1 | <dname> | Text/String
interface_ip | 3.3.3.3 | <sip> | IP Address
md5 | 6EF437A9A14F3EDAAE753EE2A27E59ED | <objectname>, <hash> | Text/String
process_name | ssh.exe | <process> | Text/String
status | unresolved | <status>, <tag1> | Text/String
username | system | <account> | Text/String
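The following is an added example, not code from LogRhythm or Carbon Black, that parses the sample log above and applies the mapping table to it. It splits the LEEF 1.0 header on the pipe delimiter, then extracts the space-delimited key=value attributes with a regex that lets a value run until the next key (needed because values such as feed_name, group and watchlist_name contain spaces). The field map and the lower-casing of dname, process, status, tag1 and account are taken from the table as shown; the function and constant names are the example's own.

```python
import re

# Constructed copy of the page's sample alert, syslog prefix included.
SAMPLE_LOG = (
    r"02 07 2017 17:51:51 1.1.1.1 <USER:NOTE> LEEF:1.0|CB|CB|5.1|alert.watchlist.hit.query.process|"
    r"alert_severity=50.625 alert_type=watchlist.hit.query.process cb_server=cbserver childproc_count=0 "
    r"comms_ip=2.2.2.2 computer_name=SMI-DEVCI-1 created_time=2017-02-07T23:51:35.009415Z crossproc_count=2 "
    r"feed_id=-1 feed_name=My Watchlists feed_rating=3.0 filemod_count=0 group=Default Servers "
    r"hostname=SMI-DEVCI-1 interface_ip=3.3.3.3 ioc_confidence=0.5 ioc_type=query "
    r"link_md5=https://pia-carbla-01.smchcn.net/#/binary/6EF437A9A14F3EDAAE753EE2A27E59ED "
    r"link_process=https://pia-carbla-01.smchcn.net/#analyze/0000011d-0000-1630-01d2-819c91dd22ad/1 "
    r"md5=6EF437A9A14F3EDAAE753EE2A27E59ED modload_count=43 netconn_count=35 os_type=windows "
    r"process_guid=0000011d-0000-1630-01d2-819c91dd22ad process_id=0000011d-0000-1630-01d2-819c91dd22ad "
    r"process_name=ssh.exe process_path=c:\\program files (x86)\\git\\bin\\ssh.exe regmod_count=0 "
    r"report_score=75 segment_id=1 sensor_criticality=3.0 sensor_id=285 status=Unresolved "
    r"timestamp=1486511510.209 type=alert.watchlist.hit.query.process "
    r"unique_id=dc2342f8-bc21-4da7-adc7-6a150cab5c49 username=SYSTEM watchlist_id=20 "
    r"watchlist_name=[Carbon Black] Unsigned NetConns"
)

# Mapping table from the page: LEEF attribute -> LogRhythm schema field(s).
# The event ID from the LEEF header (the table's "N/A" row) feeds <vmid>.
LEEF_FIELD_MAP = {
    "hostname": ("dname",),
    "interface_ip": ("sip",),
    "md5": ("objectname", "hash"),
    "process_name": ("process",),
    "status": ("status", "tag1"),
    "username": ("account",),
}

# Assumption drawn from the table's "Log Value" column: these fields are
# stored lower-cased (smi-devci-1, unresolved, system); the hash is kept as-is.
LOWERCASE_FIELDS = {"dname", "process", "status", "tag1", "account"}

# key=value pairs separated by spaces; a value extends until the next " key=".
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_leef(line):
    """Return (header dict, attribute dict) for one LEEF 1.0 line.

    Anything before 'LEEF:' (the syslog prefix) is ignored. Raises ValueError
    when the header is missing or has fewer than five pipe-delimited fields.
    """
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF header in line")
    parts = line[start:].split("|", 5)
    if len(parts) != 6:
        raise ValueError("malformed LEEF header")
    version, vendor, product, product_version, event_id, attrs = parts
    header = {
        "leef_version": version.split(":", 1)[1],
        "vendor": vendor,
        "product": product,
        "product_version": product_version,
        "event_id": event_id,
    }
    fields = {m.group(1): m.group(2) for m in KV_RE.finditer(attrs)}
    return header, fields


def map_to_logrhythm(header, fields):
    """Apply LEEF_FIELD_MAP, returning only the schema fields the table defines."""
    out = {"vmid": header["event_id"]}
    for key, targets in LEEF_FIELD_MAP.items():
        if key not in fields:
            continue  # absent in this alert; leave the schema field unset
        for target in targets:
            value = fields[key]
            out[target] = value.lower() if target in LOWERCASE_FIELDS else value
    return out


def leef_to_logrhythm(line):
    """Convenience wrapper: raw line -> LogRhythm schema dict."""
    header, fields = parse_leef(line)
    return map_to_logrhythm(header, fields)


if __name__ == "__main__":
    for field, value in sorted(leef_to_logrhythm(SAMPLE_LOG).items()):
        print(f"<{field}> = {value}")
```

Note that the regex treats whitespace followed by `word=` as a field boundary, so a value that itself contains such a token (a command line, for instance) would be truncated; the fields in the page's mapping table are not affected, but any extension to process_path or similar free-form attributes should use the tab-delimited LEEF form instead.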