Vendor Documentation


Classification

Rule Name                       | Rule Type | Common Event  | Classification
Watchlist Hit : Storage Process | Base Rule | Watchlist Hit | Activity


Sample Logs

09 29 2019 23:30:06 1.1.1.1 <USER:NOTE> LEEF:1.0|CB|CB|6.3.1.190402.1530|watchlist.storage.hit.process|cb_server=cbserver cb_version=6.3.1.190402.1530 childproc_count=0 crossproc_count=0 filemod_count=14 host_type=workstation last_update=2019-09-29T20:19:33.035Z modload_count=0 netconn_count=0 os_type=windows parent_guid=00000a61-0000-0004-01d5-770316988840 parent_pid=4 parent_segment_id=1 parent_unique_id=00000a61-0000-0004-01d5-770316988840-000000000001 path=registry process_guid=00000a61-0000-0060-01d5-770316a0a968 process_id=00000a61-0000-0060-01d5-770316a0a968 process_name=registry process_pid=96 regmod_count=13 segment_id=1569789006704 server_name=dummy.server start=2019-09-29T20:18:42.553Z timestamp=1569789006.704 type=watchlist.storage.hit.process unique_id=00000a61-0000-0060-01d5-770316a0a968-016d7eb75370 username=SYSTEM watchlist_7=2019-09-29T20:30:03.595654Z watchlist_id=7 watchlist_name=Non-System Filemods to system32 watchlist_tag=7|Non-System Filemods to system32

Mapping with LogRhythm Schema

Device Key in Log Message | Log Value                       | LogRhythm Schema    | Data Type
cb_version                | 6.3.1.190402.1530               | <version>           | Number
host_type                 | workstation                     | <useragent>         | Text/String
parent_name               | N/A                             | <parentprocessname> | Text/String
parent_id                 | 4                               | <parentprocessid>   | Number
path                      | N/A                             | <process>           | Text/String
process_md5               | N/A                             | <objectname>        | Text/String
process_md5               | N/A                             | <hash>              | Text/String
process_name              | registry                        | <object>            | Text/String
process_pid               | 96                              | <processid>         | Number
server_name               | dummy.server                    | <sname>             | Text/String
type                      | watchlist.storage.hit.process   | <objecttype>        | Text/String
watchlist_name            | Non-System Filemods to system32 | <vmid>              | Text/String
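The sample log and the mapping table above can be exercised with the following Python parser, added here as an example and not part of the vendor documentation. It splits the LEEF 1.0 header on its five pipes, then extracts the space-delimited key=value attributes in a way that keeps values containing spaces (watchlist_name) or a pipe (watchlist_tag) intact, and applies the table's mapping; mapping parent_pid alongside parent_id is an assumption, since the table lists parent_id while the sample event carries parent_pid.

```python
import re

# Constructed sample: the page's Carbon Black LEEF event with the syslog prefix
# removed and most counters omitted; watchlist values contain spaces and a pipe.
SAMPLE = (
    "LEEF:1.0|CB|CB|6.3.1.190402.1530|watchlist.storage.hit.process|"
    "cb_server=cbserver cb_version=6.3.1.190402.1530 host_type=workstation "
    "parent_pid=4 path=registry process_name=registry process_pid=96 "
    "server_name=dummy.server type=watchlist.storage.hit.process "
    "username=SYSTEM watchlist_id=7 watchlist_name=Non-System Filemods to system32 "
    "watchlist_tag=7|Non-System Filemods to system32"
)

# CB key -> LogRhythm schema fields, from the mapping table; process_md5 feeds two
# fields. parent_pid is an assumption (table lists parent_id, event carries parent_pid).
SCHEMA_MAP = {
    "cb_version": ["version"], "host_type": ["useragent"],
    "parent_name": ["parentprocessname"], "parent_id": ["parentprocessid"],
    "parent_pid": ["parentprocessid"], "path": ["process"],
    "process_md5": ["objectname", "hash"], "process_name": ["object"],
    "process_pid": ["processid"], "server_name": ["sname"],
    "type": ["objecttype"], "watchlist_name": ["vmid"],
}

# A key is a word followed by '=' at the start of the attribute string or after
# whitespace; its value runs up to the next key, so embedded spaces survive.
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z_][A-Za-z0-9_]*)=")

def parse_leef(line):
    """Split a LEEF 1.0 record into its header fields and attribute dict."""
    parts = line.split("|", 5)
    if len(parts) != 6 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF 1.0 record")
    attrs, keys = {}, list(KEY_RE.finditer(parts[5]))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(parts[5])
        attrs[m.group(1)] = parts[5][m.end():end]
    return {"vendor": parts[1], "product": parts[2], "version": parts[3],
            "event_id": parts[4], "attrs": attrs}

def to_logrhythm(event):
    """Apply the mapping; fields with no source key read N/A, as in the table."""
    fields = {f: "N/A" for names in SCHEMA_MAP.values() for f in names}
    for key, names in SCHEMA_MAP.items():
        if key in event["attrs"]:
            for f in names:
                fields[f] = event["attrs"][key]
    return fields
```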