This section describes the syslog output for a process storage feed hit (reason=feed.storage.hit): an example line as written by Carbon Black EDR, the default template that produces it, and the key-value pairs the template emits.
Process Storage Feed Hit – Example
Aug 12 14:26:10 [26070] <warning> reason=feed.storage.hit type=event process_guid=00000001-0000-de04-01cf-b65a8ecb26cf segment_id=1488563344023 host='SERV12R2X64-01' sensor_id=1 feed_id=10 feed_name='tor' ioc_type='ipv4' ioc_value='38.229.70.52' direction='Outbound' protocol='TCP' port='22' timestamp='1407867970.49' start_time='2014-08-12T18:23:47.602Z' group='Default Group' process_md5='a3ccfd0aa0b17fd23aa9fd0d84b86c05' process_sha256='7AFB56DD48565C3C9804F683C80EF47E5333F847F2D3211EC11ED13AD36061E1' process_name='putty.exe' process_path='c:\users\ssmith\desktop\putty.exe' last_update='2014-08-12T18:23:55.415Z' alliance_link_tor='http://www.torproject.org' alliance_score_tor='0' alliance_updated_tor='2014-05-06T17:15:23.000Z' alliance_data_tor='TOR-Node-38.229.70.52'

Process Storage Feed Hit – Default Template

reason=feed.storage.hit type=event process_guid={{doc['process_id']}} segment_id={{doc['segment_id']}} host='{{doc['hostname']}}' comms_ip='{{doc['comms_ip']}}' interface_ip='{{doc['interface_ip']}}' sensor_id={{doc['sensor_id']}} feed_id={{doc['feed_id']}} feed_name='{{doc['feed_name']}}' ioc_type='{{doc['ioc_type']}}' ioc_value='{{doc['ioc_value']}}' {% for k in doc['ioc_attr'] %} {{k}}='{{doc['ioc_attr'][k]}}'{% endfor %} timestamp='{{doc['event_timestamp']}}' start_time='{{doc['start']}}' group='{{doc['group']}}' process_md5='{{doc['process_md5']}}' process_sha256='{{doc['process_sha256']}}' process_name='{{doc['process_name']}}' process_path='{{doc['path']}}' last_update='{{doc['last_update']}}' {% for k in doc %}{% if k.startswith("alliance_") %} {{k}}='{{doc[k]}}'{% endif %}{% endfor %}

Process Storage Feed Hit – Key-Value Pairs
Syslog Label | Solr Doc Reference | Description |
---|---|---|
reason | no doc reference | Text that describes the entry. The reason label is hard-coded in the syslog template and identifies the type of the event. For this template the value is "feed.storage.hit"; other templates use values such as "watchlist.hit," "feed.hit," or "binaryinfo." |
type | no doc reference | Text that identifies the type of data that is returned with the event. For process events, the value is 'event'. |
process_guid | process_id | Process doc identifier. |
segment_id | segment_id | Process doc segment identifier. |
host | hostname | Hostname of the computer on which the feed hit was detected. |
comms_ip | comms_ip | IP address from which Carbon Black EDR received the event. This can be a NAT or proxy address if one is configured for the computer on which the process executed; otherwise it is the same as interface_ip. |
interface_ip | interface_ip | IP address of the computer on which the process executed. |
sensor_id | sensor_id | Sensor ID of the endpoint that observed the feed hit. |
feed_id | feed_id | ID of the feed that was matched. |
feed_name | feed_name | Name of the feed that was matched. |
report_title | report_title | Name of the item in the feed that was matched. |
ioc_type | ioc_type | Type of the IOC that caused the hit. |
ioc_value | ioc_value | Value of the IOC that matched. |
for/if loops | alliance_*, ioc_attr | Note: for/if loops are not required. They report attributes that do not have predefined sets (in the example above, direction, protocol, and port come from ioc_attr, and the alliance_*_tor fields from the alliance_* loop). You can create customized templates that do not contain them if you do not need to report on |
timestamp | event_timestamp | Epoch time of the feed hit event (seconds since 1970-01-01 UTC; the example carries fractional seconds). |
start_time | start | Start time of this process, in the computer's local time. Note that the example above renders it as an ISO 8601 timestamp with a Z (UTC) suffix, so confirm which clock your sensors report before correlating it with other sources. |
group | group | Sensor group to which the sensor was assigned at the time of process execution. |
process_md5 | process_md5 | MD5 hash value of the executable backing this process. |
process_sha256 | process_sha256 | SHA-256 hash value of the executable backing this process. |
process_name | process_name | Filename of the executable backing this process. |
process_path | path | Full path to the executable backing this process. |
last_update | last_update | Last activity in this process, in the computer's local time (rendered in the example above in the same ISO 8601 Z form as start_time). |