This section describes the syslog output for a binary (module) watchlist hit: an example message, the default syslog template that produces it, and the key-value pairs the template emits.

Binary Watchlist – Example

Mar 13 03:50:19 [1037] <warning> reason=watchlist.hit type=module md5=7931ADC31F0180855E05D6666630B3A3 host='WORKSTATION-2' sha256=F6F9A4834AFE57EBC0B77CF1E83F0C24B298C2FCBBF214CF6CC4DBD24E8BFB4B sensor_id=74 watchlist_id=8 watchlist_name='Newly Loaded Modules' timestamp='1426233008.59' first_seen='2014-11-13T07:47:17.862Z' group=['Default Group'] desc='AntiMalware Definition Update' company_name='Microsoft Corporation' product_name='Microsoft Malware Protection' product_version='1.193.2512.0' file_version='1.193.2512.0' signed='Signed'
Binary Watchlist – Default Template

reason=watchlist.hit type=module
md5={{doc["md5"]}}
sha256={{doc["sha256"]}}
host='{{doc.get('hostname')}}'
sensor_id={{doc.get('sensor_id')}}
watchlist_id={{doc['watchlist_id']}}
watchlist_name='{{doc['watchlist_name']}}'
timestamp='{{doc['event_timestamp']}}'
first_seen='{{doc["server_added_timestamp"]}}'
group={{doc["group"]}}
desc='{{doc["file_desc"]}}' company_name='{{doc["company_name"]}}'
product_name='{{doc["product_name"]}}'
product_version='{{doc["product_version"]}}'
file_version='{{doc["file_version"]}}'
signed='{{doc["signed"]}}'
{% for k in doc %}{% if k.startswith("alliance_") %}
{{k}}='{{doc[k]}}'{% endif %}{% endfor %}

The template is rendered as a single syslog line; the line breaks above are for readability only. Values are wrapped in single quotes but not escaped, so a value that itself contains a single quote (for example a FileVersionInfo string taken from the binary) is emitted verbatim.
Binary Watchlist – Key-Value Pairs

| Syslog Label | Solr Doc Reference | Description |
|---|---|---|
| reason | No doc reference | Text that describes the entry. The reason label is hard-coded in the syslog template and identifies the type of the event as "watchlist.hit", "feed.hit", or "binaryinfo". |
| type | No doc reference | Text that identifies the type of data returned with the event. For binary modules, the value is "module". |
| md5 | md5 | MD5 hash value of a process, a parent process, a child process, a loaded module, or a written file. |
| sha256 | sha256 | SHA-256 hash value of a process, a parent process, a child process, a loaded module, or a written file. |
| host | hostname | Hostname of the computer on which the binary was observed. |
| sensor_id | sensor_id | Sensor ID of the computer on which the binary was observed. |
| watchlist_id | watchlist_id | ID of the watchlist that matched the hit criteria (-1 is the internal syslog test). |
| watchlist_name | watchlist_name | Name of the watchlist that matched the hit criteria. |
| timestamp | event_timestamp | Epoch time of the watchlist hit event, in seconds with a fractional part (for example '1426233008.59'). |
| first_seen | server_added_timestamp | Time that this binary was first seen by the Carbon Black EDR server, as an ISO 8601 UTC timestamp (for example '2014-11-13T07:47:17.862Z'). |
| group | group | First sensor group in which this binary was observed. Rendered as a list, for example ['Default Group']. |
| desc | file_desc | File description string from the FileVersionInfo class of the binary. |
| company_name | company_name | Company name string from the FileVersionInfo class of the binary. |
| product_name | product_name | Product name string from the FileVersionInfo class of the binary. |
| product_version | product_version | Product version string from the FileVersionInfo class of the binary. |
| file_version | file_version | File version string from the FileVersionInfo class of the binary. |
| signed | signed | Digital signature status of the binary (for example 'Signed'). |
| for/if loops | alliance_*, ioc_attr | Attributes without a predefined set, emitted by the template's for/if loop. See below. |

The FileVersionInfo strings (desc, company_name, product_name, product_version, file_version) are read from the binary itself, so an adversary who controls the binary controls their content; treat them as untrusted input when parsing or displaying the message.

  • alliance_* identifies and prints all attributes whose names start with "alliance_" in every document that contains feed hits, including documents reported by watchlist hits. These attributes represent feed hits.

  • ioc_attr identifies and prints additional attributes of the IOC values that were matched.

Note:

for/if loops are not required. Their purpose is to report attributes that do not have predefined sets. You can create customized templates that do not contain them if you do not need to report on alliance_* or ioc_attr attributes.
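The following parser is an added example for this page, not Carbon Black's own code. It tokenizes the watchlist hit message in the format shown above into the documented key-value pairs, converts the epoch timestamp, collects the alliance_* feed attributes that the for/if loop appends, and detects messages that no longer tokenize cleanly because an unescaped quote inside a FileVersionInfo string broke the key=value layout. Both sample messages are constructed; the alliance_score_examplefeed attribute is a hypothetical feed attribute name, and the triage threshold of 50 is an assumption of the example rather than a product setting.

```python
"""Parse Carbon Black EDR binary watchlist hit syslog messages.

Added example for this page; it is not Carbon Black's own code.
"""
import ast
import re
from datetime import datetime, timezone

# Constructed sample in the documented format. Hashes, host, watchlist and
# version strings are the values from the example message above; the trailing
# alliance_score_examplefeed attribute is a hypothetical feed attribute of the
# kind the template's for/if loop appends.
SAMPLE_HIT = (
    "Mar 13 03:50:19 [1037] <warning> reason=watchlist.hit type=module "
    "md5=7931ADC31F0180855E05D6666630B3A3 host='WORKSTATION-2' "
    "sha256=F6F9A4834AFE57EBC0B77CF1E83F0C24B298C2FCBBF214CF6CC4DBD24E8BFB4B "
    "sensor_id=74 watchlist_id=8 watchlist_name='Newly Loaded Modules' "
    "timestamp='1426233008.59' first_seen='2014-11-13T07:47:17.862Z' "
    "group=['Default Group'] desc='AntiMalware Definition Update' "
    "company_name='Microsoft Corporation' product_name='Microsoft Malware Protection' "
    "product_version='1.193.2512.0' file_version='1.193.2512.0' signed='Signed' "
    "alliance_score_examplefeed='80'"
)

# Constructed sample whose FileVersionInfo description contains an apostrophe.
# The template does not escape quotes, and those strings come from the binary
# itself, so a naive key=value split of this message goes wrong after desc=.
SAMPLE_BROKEN = (
    "Mar 13 03:51:02 [1037] <warning> reason=watchlist.hit type=module "
    "md5=00000000000000000000000000000000 host='WORKSTATION-2' sensor_id=74 "
    "watchlist_id=8 watchlist_name='Newly Loaded Modules' timestamp='1426233062.00' "
    "group=['Default Group'] desc='Vendor's Helper' company_name='' signed='Unsigned'"
)

# Syslog prefix the server writes ahead of the rendered template.
_HEADER = re.compile(
    r"^(?P<syslog_time>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"\[(?P<pid>\d+)\] <(?P<severity>\w+)> (?P<body>.*)$"
)
# One key=value token: a single-quoted string, a Python-style list, or a bare word.
_KV = re.compile(r"(?P<key>\w+)=(?P<val>'[^']*'|\[[^\]]*\]|\S+)")


def parse_watchlist_hit(line):
    """Return a dict with the syslog header, the template fields, the alliance_*
    feed attributes and any text the tokenizer could not account for."""
    m = _HEADER.match(line.strip())
    if not m:
        raise ValueError("not a Carbon Black EDR syslog message")
    body = m.group("body")
    fields, duplicates = {}, []
    for kv in _KV.finditer(body):
        key, raw = kv.group("key"), kv.group("val")
        if raw.startswith("'"):
            value = raw[1:-1]
        elif raw.startswith("["):
            try:
                value = ast.literal_eval(raw)      # group=['Default Group'] -> list
            except (ValueError, SyntaxError):
                value = raw
        elif re.fullmatch(r"-?\d+", raw):
            value = int(raw)                       # sensor_id, watchlist_id (may be -1)
        else:
            value = raw
        if key in fields:
            duplicates.append(key)                 # a value that smuggled in a second key=
        fields[key] = value
    event = {
        "syslog_time": m.group("syslog_time"),
        "pid": int(m.group("pid")),
        "severity": m.group("severity"),
        "fields": fields,
        "alliance": {k: v for k, v in fields.items() if k.startswith("alliance_")},
        # Anything left over means a value broke tokenization (e.g. an embedded quote).
        "stray_tokens": _KV.sub(" ", body).split(),
        "duplicate_keys": duplicates,
    }
    if "timestamp" in fields:
        try:
            # The template renders event_timestamp as epoch seconds with a fraction.
            event["event_time"] = datetime.fromtimestamp(float(fields["timestamp"]), tz=timezone.utc)
        except (TypeError, ValueError):
            pass
    return event


def triage(event, score_threshold=50):
    """Reasons an analyst should look at this hit. Reading alliance_score_* as an
    integer and the threshold of 50 are assumptions of this example."""
    reasons = []
    if event["fields"].get("signed") != "Signed":
        reasons.append("unsigned-module")
    if event["stray_tokens"] or event["duplicate_keys"]:
        reasons.append("malformed-message")
    for key, value in event["alliance"].items():
        if key.startswith("alliance_score_"):
            try:
                score = int(value)
            except (TypeError, ValueError):
                continue
            if score >= score_threshold:
                reasons.append("feed:" + key[len("alliance_score_"):])
    return reasons


if __name__ == "__main__":
    for sample in (SAMPLE_HIT, SAMPLE_BROKEN):
        ev = parse_watchlist_hit(sample)
        print(ev["fields"]["md5"], ev.get("event_time"), triage(ev))
```

The parser keeps the tokens it could not place instead of silently dropping them, so a message whose desc string carried a quote is surfaced as malformed rather than ingested with a truncated description; the duplicate-key check covers the related case where an untrusted string is crafted to look like an extra key=value pair. If you rely on exact field values downstream, prefer a customized template that escapes or strips quotes from the FileVersionInfo fields over a more forgiving parser.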