This section describes the process ingress feed hit.

Process Ingress – Example 

Aug 12 14:24:19 [26070] <warning> reason=feed.ingress.hit type=event process_guid=00000001-0000-de04-01cf-b65a8ecb26cf host=’SERV12R2X64-01’ sensor_id=1 feed_id=10 feed_name=’tor’ ioc_type=’ipv4’ ioc_value=’38.229.70.52’ direction=’Outbound’ protocol=’TCP’ port=’22’ timestamp=’1407867859.64’
Process Ingress – Default Template 
reason=feed.ingress.hit type=event 
process_guid={{doc[’process_id’]}}
host=’{{doc[’hostname’]}}’
sensor_id={{doc[’sensor_id’]}}
feed_id={{doc[’feed_id’]}}
feed_name=’{{doc[’feed_name’]}}’
ioc_type=’{{doc[’ioc_type’]}}’
ioc_value=’{{doc[’ioc_value’]}}’
{% for k in doc[’ioc_attr’] %}
{{k}}=’{{doc[’ioc_attr’][k]}}’{% endfor %}
timestamp=’{{doc[’event_timestamp’]}}’
Process Ingress – Key-Value Pairs

Syslog Label

Solr Doc Reference

Description

reason

no doc reference

Text that describes the entry. The reason label is hard-coded in the syslog template and identifies the type of the event as "watchlist.hit," "feed.hit," or "binaryinfo."

type

no doc reference

Text that identifies the type of data that is returned with the event. For process events, the value is ‘event’.

process_guid

process_id

Process doc identifier.

host

hostname

Hostname of the computer on which the feed hit was detected.

sensor_id

sensor_id

Sensor ID of endpoint that observed the feed hit.

feed_id

feed_id

ID of the feed that matched the hit criteria.

feed_name

feed_name

Name of the feed that matched the hit criteria.

ioc_type

ioc_type

Type of the IOC that caused the hit.

ioc_value

ioc_value

Value of the IOC that matched the hit criteria.

for/if loops

_* ioc_attr

  • alliance_* identifies and prints all attributes whose names start with "alliance_" in all documents that contain feed hits, including documents reported by watchlist hits. These attributes represent feed hits.

  • ioc_attr identifies and prints additional attributes on IOC values that were matched.

Note:

for/if loops are not required. Their purpose is to report attributes that do not have predefined sets. You can create customized templates that do not contain them if you do not need to report on alliance_* or ioc_attr attributes.

timestamp

event_timestamp

Epoch time (seconds since 00:00:00 on 1 January 1970) of the feed hit event.