This section describes the binary storage feed hit.
Binary Storage Feed Hit – Example
Aug 12 14:06:39 [26070] <warning> reason=feed.storage.hit type=module md5=B84E2D174DC84916A536572BB8F691A8 sha256=7AFB56DD48565C3C9804F683C80EF47E5333F847F2D3211EC11ED13AD36061E1 host='SERV12R2X64-01' sensor_id=1 feed_id=2 feed_name='srstrust' ioc_type='md5' ioc_value='b84e2d174dc84916a536572bb8f691a8' timestamp='1407866797.20' first_seen='2014-08-12T18:06:22.190Z' group=['Default Group'] desc='Windows Security Center ISV API' company_name='Microsoft Corporation' product_name='Microsoft® Windows® Operating System' product_version='6.1.7600.16385' file_version='6.1.7600.16385 (win7_rtm.090713-1255)' signed='Signed' alliance_updated_srstrust='2014-05-16T04:39:55.000Z' alliance_score_srstrust='-100' alliance_data_srstrust='['b84e2d174dc84916a536572bb8f691a8']' alliance_link_srstrust='https://services.carbonblack.com/Services/extinfo.aspx?ak=b8b4e631d4884ad1c56f50e4a5ee9279&sg=0313e1735f6cec221b1d686bd4de23ee&md5=b84e2d174dc84916a536572bb8f691a8'

Binary Storage Feed Hit – Default Template

reason=feed.storage.hit type=module md5={{doc['md5']}} sha256={{doc['sha256']}} host='{{doc['hostname']}}' sensor_id={{doc['sensor_id']}} feed_id={{doc['feed_id']}} feed_name='{{doc['feed_name']}}' ioc_type='{{doc['ioc_type']}}' ioc_value='{{doc['ioc_value']}}' {% for k in doc['ioc_attr'] %} {{k}}='{{doc['ioc_attr'][k]}}'{% endfor %} timestamp='{{doc['event_timestamp']}}' first_seen='{{doc["server_added_timestamp"]}}' group={{doc["group"]}} desc='{{doc["file_desc"]}}' company_name='{{doc["company_name"]}}' product_name='{{doc["product_name"]}}' product_version='{{doc["product_version"]}}' file_version='{{doc["file_version"]}}' signed='{{doc["digsig_result"]}}' {% for k in doc %}{% if k.startswith("alliance_") %} {{k}}='{{doc[k]}}'{% endif %}{% endfor %}

Binary Storage Feed Hit – Key-Value Pairs
| Syslog Label | Solr Doc Reference | Description |
|---|---|---|
| reason | no doc reference | Text that describes the entry. The |
| type | no doc reference | Text that identifies the type of data that is returned with the event. For binary events, the value is 'module'. |
| md5 | md5 | MD5 hash value of a process, a parent process, a child process, a loaded module, or a written file. |
| sha256 | sha256 | SHA-256 hash value of a process, a parent process, a child process, a loaded module, or a written file. |
| host | hostname | Hostname of the computer on which the feed hit was detected. |
| sensor_id | sensor_id | Sensor ID of the endpoint that observed the feed hit. |
| feed_id | feed_id | ID of the feed that was matched. |
| feed_name | feed_name | Name of the feed that was matched. |
| report_title | report_title | Name of the item in the feed that was matched. |
| ioc_type | ioc_type | Type of the IOC that caused the hit. |
| ioc_value | ioc_value | Value of the IOC that matched. |
| for/if loops | ioc_attr | Note: for/if loops are not required. They report attributes that do not have predefined sets. You can create customized templates that do not contain them if you do not need to report on |
| timestamp | event_timestamp | Epoch time of the feed hit event. |
| first_seen | server_added_timestamp | The time that this binary was first seen by the server. |
| group | group | First sensor group in which this binary was observed. |
| desc | file_desc | File description string from the class FileVersionInfo. |
| company_name | company_name | Company name string from the class FileVersionInfo. |
| product_name | product_name | Product name string from the class FileVersionInfo. |
| product_version | product_version | Product version string from the class FileVersionInfo. |
| file_version | file_version | File version string from the class FileVersionInfo. |
| signed | signed | Digital signature status of the binary. |
| for/if loops | alliance_* | Note: for/if loops are not required. They report attributes that do not have predefined sets. You can create customized templates that do not contain them if you do not need to report on |
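The following is an added example, not code from this page or from the Carbon Black product, showing how the feed.storage.hit line above can be split back into the key-value pairs listed in this table. The sample line is the page's example with ASCII quotes; the parser keeps values whole even when they contain spaces (file_version), nested quotes (alliance_data_*) or '=' inside a URL (alliance_link_*), and the summary runs the checks an analyst wants first: that the matched IOC is the binary's own MD5, what the signature status is, and what the matching feed scored it. The reading of a negative alliance score as a trust (known-good) feed is an assumption drawn from the -100 srstrust score in the example, not something the page states.

```python
import ast
import re
from datetime import datetime, timezone
from typing import Any, Dict

# Constructed sample: the example line from this page, with ASCII single quotes
# instead of the typographic quotes the rendered page shows.
SAMPLE_HIT = (
    "Aug 12 14:06:39 [26070] <warning> reason=feed.storage.hit type=module "
    "md5=B84E2D174DC84916A536572BB8F691A8 "
    "sha256=7AFB56DD48565C3C9804F683C80EF47E5333F847F2D3211EC11ED13AD36061E1 "
    "host='SERV12R2X64-01' sensor_id=1 feed_id=2 feed_name='srstrust' "
    "ioc_type='md5' ioc_value='b84e2d174dc84916a536572bb8f691a8' "
    "timestamp='1407866797.20' first_seen='2014-08-12T18:06:22.190Z' "
    "group=['Default Group'] desc='Windows Security Center ISV API' "
    "company_name='Microsoft Corporation' "
    "product_name='Microsoft\u00ae Windows\u00ae Operating System' "
    "product_version='6.1.7600.16385' "
    "file_version='6.1.7600.16385 (win7_rtm.090713-1255)' signed='Signed' "
    "alliance_updated_srstrust='2014-05-16T04:39:55.000Z' "
    "alliance_score_srstrust='-100' "
    "alliance_data_srstrust='['b84e2d174dc84916a536572bb8f691a8']' "
    "alliance_link_srstrust='https://services.carbonblack.com/Services/extinfo.aspx"
    "?ak=b8b4e631d4884ad1c56f50e4a5ee9279&sg=0313e1735f6cec221b1d686bd4de23ee"
    "&md5=b84e2d174dc84916a536572bb8f691a8'"
)

# Syslog prefix: "Mon DD HH:MM:SS [pid] <severity> body"
HEADER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\[(?P<pid>\d+)\]\s+<(?P<sev>\w+)>\s+(?P<body>.*)$"
)
# One key=value field. The value runs until the next " key=" or end of line, so
# values containing spaces, nested quotes or '=' inside a URL are kept whole.
FIELD_RE = re.compile(r"(?P<key>\w+)=(?P<val>.*?)(?=\s+\w+=|\s*$)")


def _unquote(val: str) -> str:
    val = val.strip()
    if len(val) >= 2 and val[0] == "'" and val[-1] == "'":
        return val[1:-1]
    return val


def parse_feed_hit(line: str) -> Dict[str, Any]:
    """Split a feed.storage.hit line into its syslog header and template fields."""
    line = line.replace("\u2018", "'").replace("\u2019", "'")  # tolerate curly quotes
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a syslog line: %r" % line[:40])
    fields: Dict[str, Any] = {k: _unquote(v) for k, v in FIELD_RE.findall(m.group("body"))}
    # group and alliance_data_* are rendered as Python-style lists by the template;
    # turn them into real lists, leaving the string alone if it does not parse.
    for key in [k for k in fields if k == "group" or k.startswith("alliance_data_")]:
        try:
            fields[key] = ast.literal_eval(fields[key])
        except (ValueError, SyntaxError):
            pass
    fields["_syslog"] = {"time": m.group("ts"), "pid": int(m.group("pid")), "severity": m.group("sev")}
    return fields


def summarize_hit(fields: Dict[str, Any]) -> Dict[str, Any]:
    """Pull out the fields an analyst triages on and run two consistency checks."""
    md5 = str(fields.get("md5", "")).lower()
    feed = fields.get("feed_name", "")
    score_raw = fields.get("alliance_score_%s" % feed)  # the alliance_* loop output for this feed
    score = int(score_raw) if score_raw is not None else None
    event_time = datetime.fromtimestamp(float(fields["timestamp"]), tz=timezone.utc)
    return {
        "md5": md5,
        "feed": feed,
        "score": score,
        "event_time_utc": event_time.isoformat(),
        # When ioc_type is md5 the matched IOC should be the binary's own hash.
        "ioc_matches_md5": fields.get("ioc_type") == "md5"
        and str(fields.get("ioc_value", "")).lower() == md5,
        "signed": fields.get("signed") == "Signed",
        # Assumption: a negative alliance score marks a trust (known-good) feed,
        # which is how the -100 srstrust score on this page reads.
        "trusted": score is not None and score < 0,
    }


if __name__ == "__main__":
    hit = parse_feed_hit(SAMPLE_HIT)
    for k, v in summarize_hit(hit).items():
        print("%-18s %s" % (k, v))
```

The lookahead in FIELD_RE is what makes the parser robust: it only ends a value where whitespace is followed by another `key=`, so a customised template that adds fields with free-text values still parses, while a value that merely contains `=` (the alliance link) does not get split. Note that the epoch `timestamp` (18:06:37 UTC) and the syslog prefix time (14:06:39, the forwarder's local clock) differ; the summary reports the epoch value in UTC so it lines up with `first_seen`.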