Vendor Documentation


Rule Name                                 | Rule Type | Common Event  | Classification
------------------------------------------|-----------|---------------|---------------
Watchlist Hit : Binary Storage            | Base Rule | Watchlist Hit | Activity
Watchlist Hit : Unsigned Binary Storage   | Sub Rule  | Watchlist Hit | Activity
Watchlist Hit : Signed Binary Storage     | Sub Rule  | Watchlist Hit | Activity


Sample Logs

02 07 2017 17:30:21 1.1.1.1 <USER:NOTE> LEEF:1.0|CB|CB|5.1|watchlist.storage.hit.binary|cb_server=cbserver cb_version=525 copied_mod_len=8704 digsig_result=Unsigned digsig_result_code=2148204800 endpoint=PIA-EX2010-01|2018 file_desc= file_version=0.0.0.0 group=Default Servers host_count=1 internal_name=rwl_hdls.dll is_64bit=false is_executable_image=false last_seen=2017-02-07T23:26:29.825Z legal_copyright= link_md5=dummy.url md5=5F897E95044D43F58E30806857092186 observed_filename=c:\\windows\\temp\\rwl_hdls.dll orig_mod_len=8704 original_filename=rwl_hdls.dll os_type=Windows product_version=0.0.0.0 server_added_timestamp=2017-02-07T23:26:29.825Z server_name=localhost timestamp=1486510220.266 type=watchlist.storage.hit.binary watchlist_2=2017-02-07T23:30:03.972203Z watchlist_id=2 watchlist_name=Default: Newly Loaded Modules

Mapping with LogRhythm Schema

Device Key in Log Message | Log Value                        | LogRhythm Schema | Data Type
--------------------------|----------------------------------|------------------|------------
publisher/issuer          | N/A                              | <subject>        | Text/String
digsig_result             | Unsigned                         | <result>         | Text/String
digsig_result             | Unsigned                         | <tag1>           | Text/String
endpoint                  | pia-ex2010-01                    | <dname>          | Text/String
file_version              | 0.0.0.0                          | <version>        | Number
group                     | Default Servers                  | <group>          | Text/String
md5                       | 5F897E95044D43F58E30806857092186 | <objectname>     | Text/String
md5                       | 5F897E95044D43F58E30806857092186 | <hash>           | Text/String
observed_filename         | rwl_hdls.dll                     | <process>        | Text/String
original_filename         | rwl_hdls.dll                     | <object>         | Text/String
watchlist_name            | Default: Newly Loaded Modules    | <vmid>           | Text/String
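As an added example (not LogRhythm's or Carbon Black's code), the following Python parses the sample LEEF record above and applies the mapping table to it, including the two value normalisations the table implies (the endpoint lowercased without its "|2018" suffix, observed_filename reduced from the full path to the file name). The trimmed SAMPLE string and the rejection of event types other than watchlist.storage.hit.binary are assumptions made here.

```python
import re

# Constructed copy of the page's sample event (extension trimmed to the mapped keys); note the
# spaces inside values and the '|' inside the endpoint value, both of which must survive parsing.
SAMPLE = ("LEEF:1.0|CB|CB|5.1|watchlist.storage.hit.binary|cb_server=cbserver "
          "digsig_result=Unsigned endpoint=PIA-EX2010-01|2018 file_desc= file_version=0.0.0.0 "
          "group=Default Servers md5=5F897E95044D43F58E30806857092186 "
          r"observed_filename=c:\\windows\\temp\\rwl_hdls.dll original_filename=rwl_hdls.dll "
          "watchlist_name=Default: Newly Loaded Modules")

# Device key -> LogRhythm schema field(s), as the mapping table above lists them.
LOGRHYTHM_MAP = {
    "digsig_result": ("result", "tag1"), "endpoint": ("dname",), "file_version": ("version",),
    "group": ("group",), "md5": ("objectname", "hash"), "observed_filename": ("process",),
    "original_filename": ("object",), "watchlist_name": ("vmid",),
}

def parse_leef(line):
    """Return (header dict, extension dict) for one LEEF 1.0 record."""
    parts = line.split("|", 5)  # maxsplit=5 keeps a '|' inside an extension value intact
    if len(parts) != 6 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF 1.0 record")
    header = dict(zip(("format", "vendor", "product", "product_version", "event_id"), parts[:5]))
    # Split only where the next token looks like 'key=' so values keep their spaces; \s+ also
    # accepts LEEF's default tab delimiter, which the page's sample has replaced with spaces.
    ext = {}
    for token in re.split(r"\s+(?=[A-Za-z_][A-Za-z0-9_]*=)", parts[5].strip()):
        key, _, value = token.partition("=")
        ext[key] = value
    return header, ext

def normalize(key, value):
    # Value shaping the mapping table shows: host lowercased without '|2018', path cut to file name.
    if key == "endpoint":
        return value.split("|", 1)[0].lower()
    if key == "observed_filename":
        return re.split(r"[\\/]+", value)[-1]
    return value

def to_logrhythm(line):
    """Map one watchlist.storage.hit.binary record onto the LogRhythm schema fields."""
    header, ext = parse_leef(line)
    if header["event_id"] != "watchlist.storage.hit.binary":  # assumption: other events not handled
        raise ValueError(f"unhandled Carbon Black event: {header['event_id']}")
    out = {}
    for key, value in ext.items():
        for field in LOGRHYTHM_MAP.get(key, ()):
            out[field] = normalize(key, value)
    return out
```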