Vendor Documentation


Classification

| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| Watchlist Hit : Binary | Base Rule | Watchlist Hit | Activity |
| Watchlist Hit : Unsigned Binary | Sub Rule | Watchlist Hit | Activity |
| Watchlist Hit : Signed Binary | Sub Rule | Watchlist Hit | Activity |


Sample Logs

02 07 2017 17:12:14 1.1.1.1 <USER:NOTE> LEEF:1.0|CB|CB|5.1|watchlist.hit.binary|cb_server=cbserver cb_version=525 comments=Microsoft.Data.DataFeedClient.dll company_name=(unknown) copied_mod_len=171232 digsig_issuer=Microsoft Code Signing PCA digsig_prog_name=Microsoft Corporation (R) digsig_publisher=Microsoft Corporation digsig_result=Signed digsig_result_code=0 digsig_sign_time=2016-06-24T07:33:00Z digsig_subject=Microsoft Corporation endpoint=["MCS-WIN8-DEV-02|2049"] file_desc=Microsoft.Data.DataFeedClient.dll file_version=13.1.0.0 group=["Default Group"] host_count=1 internal_name=Microsoft.Data.DataFeedClient.dll is_64bit=false is_executable_image=false last_seen=2017-02-07T23:07:29.396Z legal_copyright= link_md5=dummy.url md5=C5E41BCD5ADF678872966C611F14A18A observed_filename=["c:\\windows\\microsoft.net\\assembly\\gac_msil\\microsoft.data.datafeedclient\\v4.0_13.1.0.0__31bf3856ad364e35\\microsoft.data.datafeedclient.dll"] orig_mod_len=171232 original_filename=Microsoft.Data.DataFeedClient.dll os_type=Windows product_name=(unknown) product_version=13.1.0.0 server_added_timestamp=2017-02-07T23:07:29.396Z server_name=PIA-CarBla-01 signed=Signed timestamp=2017-02-07T23:07:29.396Z type=watchlist.hit.binary watchlist_id=2 watchlist_name=Default: Newly Loaded Modules

Mapping with LogRhythm Schema

| Device Key in Log Message | Log Value | LogRhythm Schema | Data Type |
|---|---|---|---|
| severity | NOTE | <severity> | Text/String |
| result | Signed | <result> | Text/String |
| result | Signed | <tag1> | Text/String |
| digsig_publisher/digsig_issuer | Microsoft Code Signing PCA | <subject> | Text/String |
| endpoint | mcs-win8-dev-02 | <dname> | Text/String |
| file_version | 13.1.0.0 | <version> | Number |
| group | Default Group | <group> | Text/String |
| md5 | C5E41BCD5ADF678872966C611F14A18A | <objectname> | Text/String |
| md5 | C5E41BCD5ADF678872966C611F14A18A | <hash> | Text/String |
| observed_filename | microsoft.data.datafeedclient.dll | <process> | Text/String |
| original_filename | Microsoft.Data.DataFeedClient.dll | <object> | Text/String |
| watchlist_name | Default: Newly Loaded Modules | <vmid> | Text/String |
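As an added worked example (not LogRhythm's or Carbon Black's own parser), the following Python applies the mapping above to the sample event: it splits the LEEF header on its first five `|` delimiters so the `|` inside `endpoint` survives, reads the extension as `key=value` pairs whose values may contain spaces or be empty, and derives the hostname and process basename the table shows. It assumes the page's `result` key corresponds to `digsig_result`, and that `file_version` is kept as its original string.

```python
import re

# Constructed sample: the CB watchlist.hit.binary LEEF event from this page, shortened to the keys
# the mapping uses (raw strings keep the doubled backslashes the log carries in observed_filename).
SAMPLE_LOG = (
    r'02 07 2017 17:12:14 1.1.1.1 <USER:NOTE> LEEF:1.0|CB|CB|5.1|watchlist.hit.binary|'
    r'cb_server=cbserver cb_version=525 comments=Microsoft.Data.DataFeedClient.dll '
    r'company_name=(unknown) digsig_issuer=Microsoft Code Signing PCA '
    r'digsig_publisher=Microsoft Corporation digsig_result=Signed '
    r'endpoint=["MCS-WIN8-DEV-02|2049"] file_version=13.1.0.0 group=["Default Group"] '
    r'legal_copyright= link_md5=dummy.url md5=C5E41BCD5ADF678872966C611F14A18A '
    r'observed_filename=["c:\\windows\\microsoft.net\\assembly\\gac_msil\\'
    r'microsoft.data.datafeedclient\\v4.0_13.1.0.0__31bf3856ad364e35\\'
    r'microsoft.data.datafeedclient.dll"] original_filename=Microsoft.Data.DataFeedClient.dll '
    r'signed=Signed watchlist_name=Default: Newly Loaded Modules'
)

# A key is a bare word followed by '='; a value runs until the next " key=" or end of line, so
# unquoted values with spaces (digsig_issuer) and empty values (legal_copyright) parse correctly.
KV_RE = re.compile(r'(\w+)=(.*?)(?=\s\w+=|$)')

def parse_extension(ext: str) -> dict:
    return dict(KV_RE.findall(ext))

def unlist(value: str) -> str:
    """CB wraps some values as a one-element JSON-style list: ["x"] -> x."""
    return re.sub(r'^\["|"\]$', '', value)

def parse_cb_leef(line: str) -> dict:
    """Map one CB LEEF watchlist hit onto the LogRhythm schema fields listed on this page."""
    prefix, leef = line.split('LEEF:', 1)
    sev = re.search(r'<\w+:(\w+)>', prefix)                # <USER:NOTE> -> NOTE
    # Five '|'-delimited header fields; maxsplit keeps the '|' inside the endpoint value intact.
    _ver, _vendor, _product, _pver, event_id, ext = leef.split('|', 5)
    f = parse_extension(ext)
    host = unlist(f.get('endpoint', '')).split('|')[0].lower()   # "MCS-WIN8-DEV-02|2049" -> mcs-win8-dev-02
    basename = re.split(r'\\+', unlist(f.get('observed_filename', '')))[-1].lower()
    result = f.get('digsig_result', '')                    # assumption: page's "result" = digsig_result
    return {
        'event_id': event_id, 'severity': sev.group(1) if sev else '',
        'result': result, 'tag1': result,
        'subject': f.get('digsig_issuer') or f.get('digsig_publisher', ''),
        'dname': host, 'version': f.get('file_version', ''), 'group': unlist(f.get('group', '')),
        'objectname': f.get('md5', ''), 'hash': f.get('md5', ''),
        'process': basename, 'object': f.get('original_filename', ''),
        'vmid': f.get('watchlist_name', ''),
    }
```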