Vendor Documentation


Classification

Rule Name               | Rule Type | Common Event  | Classification
Watchlist Hit : Process | Base Rule | Watchlist Hit | Activity


Sample Logs

09 29 2019 23:30:06 1.1.1.1 <USER:NOTE> LEEF:1.0|CB|CB|6.3.1.190402.1530|watchlist.storage.hit.process|cb_server=cbserver cb_version=6.3.1.190402.1530 childproc_count=0 crossproc_count=0 filemod_count=14 host_type=workstation last_update=2019-09-29T20:19:33.035Z modload_count=0 netconn_count=0 os_type=windows parent_guid=00000a61-0000-0004-01d5-770316988840 parent_pid=4 parent_segment_id=1 parent_unique_id=00000a61-0000-0004-01d5-770316988840-000000000001 path=registry process_guid=00000a61-0000-0060-01d5-770316a0a968 process_id=00000a61-0000-0060-01d5-770316a0a968 process_name=registry process_pid=96 regmod_count=13 segment_id=1569789006704 server_name=dummy.server start=2019-09-29T20:18:42.553Z timestamp=1569789006.704 type=watchlist.storage.hit.process unique_id=00000a61-0000-0060-01d5-770316a0a968-016d7eb75370 username=SYSTEM watchlist_7=2019-09-29T20:30:03.595654Z watchlist_id=7 watchlist_name=Non-System Filemods to system32 watchlist_tag=7|Non-System Filemods to system32

Mapping with LogRhythm Schema

Device Key in Log Message | Log Value                                                                                                                    | LogRhythm Schema    | Data Type
alliance_score_virustotal | 1                                                                                                                            | <quantity>          | Number
cb_version                | 6.1.1.170602.1049                                                                                                            | <version>           | Number
cmdline                   | powershell.exe -NoLogo -NonInteractive -WindowStyle Hidden -ExecutionPolicy Unrestricted -File c:\\Windows\\Temp\\PPE-Hostfile.ps1 | <command>           | Text/String
comms_ip                  | 2.2.2.2                                                                                                                      | <sip>               | IP Address
hostname                  | us22lt00106                                                                                                                  | <dname>             | Text/String
interface_ip              | N/A                                                                                                                          | <sip>               | IP Address
parent_name               | taskeng.exe                                                                                                                  | <parentprocessname> | Text/String
parent_pid                | 1556                                                                                                                         | <parentprocessid>   | Number
path                      | powershell.exe                                                                                                               | <process>           | Text/String
process_md5               | 852D67A27E454BD389FA7F02A8CBE23F                                                                                             | <objectname>        | Text/String
process_md5               | 852D67A27E454BD389FA7F02A8CBE23F                                                                                             | <hash>              | Text/String
process_name              | powershell.exe                                                                                                               | <object>            | Text/String
username                  | SYSTEM                                                                                                                       | <domain>            | Text/String
username                  | N/A                                                                                                                          | <login>             | Text/String
watchlist_name            | Possible Powershell Exploit #2                                                                                               | <vmid>              | Text/String
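The following is an added example, not LogRhythm's or Carbon Black's own parser: it parses a syslog-wrapped LEEF:1.0 line like the sample above and applies the mapping table to produce LogRhythm schema fields. It assumes LEEF's usual tab attribute delimiter when tabs are present and otherwise splits on whitespace that precedes a `key=` token, which is what the space-delimited sample requires (values such as "watchlist_name=Non-System Filemods to system32" contain spaces). The second input line is constructed from the values in the mapping table so the mapping can be exercised; the treatment of `username` as "DOMAIN\user" (giving domain only when no backslash is present, which reproduces the page's SYSTEM / N/A rows) and the `N/A` handling are assumptions of this example.

```python
"""Parse Carbon Black LEEF:1.0 watchlist-hit events and map device keys onto
the LogRhythm schema fields listed in the mapping table on this page."""
import re
from typing import Dict, List, Optional, Tuple

# Device key -> [(LogRhythm schema field, data type), ...], taken from the table.
LEEF_TO_LOGRHYTHM: Dict[str, List[Tuple[str, str]]] = {
    "alliance_score_virustotal": [("quantity", "Number")],
    "cb_version": [("version", "Number")],
    "cmdline": [("command", "Text/String")],
    "comms_ip": [("sip", "IP Address")],
    "hostname": [("dname", "Text/String")],
    "interface_ip": [("sip", "IP Address")],
    "parent_name": [("parentprocessname", "Text/String")],
    "parent_pid": [("parentprocessid", "Number")],
    "path": [("process", "Text/String")],
    "process_md5": [("objectname", "Text/String"), ("hash", "Text/String")],
    "process_name": [("object", "Text/String")],
    "watchlist_name": [("vmid", "Text/String")],
}

# Sample log from this page (registry process hitting a filemod watchlist).
SAMPLE_LOG = (
    "09 29 2019 23:30:06 1.1.1.1 <USER:NOTE> LEEF:1.0|CB|CB|6.3.1.190402.1530|"
    "watchlist.storage.hit.process|cb_server=cbserver cb_version=6.3.1.190402.1530 "
    "childproc_count=0 filemod_count=14 host_type=workstation os_type=windows "
    "parent_pid=4 path=registry process_name=registry process_pid=96 username=SYSTEM "
    "watchlist_id=7 watchlist_name=Non-System Filemods to system32 "
    "watchlist_tag=7|Non-System Filemods to system32"
)

# Constructed line (not from the page's sample) built from the mapping table's values.
CONSTRUCTED_LOG = (
    "09 29 2019 23:31:10 1.1.1.1 <USER:NOTE> LEEF:1.0|CB|CB|6.1.1.170602.1049|"
    "watchlist.storage.hit.process|alliance_score_virustotal=1 cb_version=6.1.1.170602.1049 "
    "cmdline=powershell.exe -NoLogo -NonInteractive -WindowStyle Hidden "
    "-ExecutionPolicy Unrestricted -File c:\\\\Windows\\\\Temp\\\\PPE-Hostfile.ps1 "
    "comms_ip=2.2.2.2 hostname=us22lt00106 interface_ip=N/A parent_name=taskeng.exe "
    "parent_pid=1556 path=powershell.exe process_md5=852D67A27E454BD389FA7F02A8CBE23F "
    "process_name=powershell.exe username=SYSTEM watchlist_name=Possible Powershell Exploit #2"
)

# Whitespace immediately followed by a 'key=' token; only used when the
# attribute delimiter is a space (LEEF's default delimiter is a tab).
_KEY_BOUNDARY = re.compile(r"\s+(?=[A-Za-z_][A-Za-z0-9_.]*=)")


def parse_leef(line: str) -> dict:
    """Split a syslog-wrapped LEEF:1.0 line into header fields and attributes."""
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF header in line")
    # Header is LEEF:ver|Vendor|Product|Version|EventID|attrs; maxsplit keeps
    # pipes inside attribute values (e.g. watchlist_tag=7|...) intact.
    parts = line[start:].split("|", 5)
    if len(parts) != 6:
        raise ValueError("malformed LEEF header")
    leef_version, vendor, product, product_version, event_id, attrs = parts
    attrs = attrs.strip()
    tokens = attrs.split("\t") if "\t" in attrs else _KEY_BOUNDARY.split(attrs)
    attributes: Dict[str, str] = {}
    for token in tokens:
        key, sep, value = token.partition("=")
        if sep:
            attributes[key] = value
    return {
        "syslog_prefix": line[:start].strip(),
        "leef_version": leef_version[len("LEEF:"):],
        "vendor": vendor,
        "product": product,
        "product_version": product_version,
        "event_id": event_id,
        "attributes": attributes,
    }


def coerce(value: str, dtype: str) -> Optional[object]:
    """Apply the table's data type; 'N/A' becomes None (assumption of this example)."""
    if value == "N/A":
        return None
    if dtype == "Number":
        try:
            return int(value)
        except ValueError:
            return value  # cb_version is typed Number on the page but is not an integer
    return value


def to_logrhythm(attributes: Dict[str, str]) -> Dict[str, object]:
    """Map parsed attributes to schema fields; first non-empty value wins."""
    record: Dict[str, object] = {}

    def put(field: str, value: Optional[object]) -> None:
        if value is not None and field not in record:
            record[field] = value

    for key, raw in attributes.items():
        if key == "username":
            # Assumption: 'DOMAIN\user' -> <domain>, <login>; bare 'SYSTEM' -> <domain> only.
            domain, _, login = raw.partition("\\")
            put("domain", coerce(domain, "Text/String"))
            put("login", coerce(login or "N/A", "Text/String"))
            continue
        for field, dtype in LEEF_TO_LOGRHYTHM.get(key, []):
            put(field, coerce(raw, dtype))
    return record


def normalize(line: str) -> Dict[str, object]:
    """End-to-end: raw line -> event id plus LogRhythm schema fields."""
    parsed = parse_leef(line)
    return {"event_id": parsed["event_id"], "fields": to_logrhythm(parsed["attributes"])}


if __name__ == "__main__":
    for raw_line in (SAMPLE_LOG, CONSTRUCTED_LOG):
        print(normalize(raw_line))
```

Note the caveat the delimiter choice carries: with a space delimiter, a `cmdline` value that itself contains `word=value` would be split as a new attribute, so a collector that can emit tab-delimited LEEF should be configured to do so.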