This section describes the binary ingress feed hit.

Binary Ingress Feed Hit – Example

Aug 12 14:06:39 [26070] <warning> reason=feed.ingress.hit type=module md5=B84E2D174DC84916A536572BB8F691A8 sha256=A23B2D174DC84916A539872CD8F775A8B84F1E234DC84916A564738DC4EA6B76 host=’SERV12R2X64-01’ sensor_id=1 feed_id=2 feed_name=’srstrust’ ioc_type=’md5’ ioc_value=’b84e2d174dc84916a536572bb8f691a8’ timestamp=’1407866781.79’
Binary Ingress Feed Hit – Default Template 
reason=feed.ingress.hit type=module
md5={{doc[’md5’]}}
sha256={{doc[’sha256’]}}
host=’{{doc[’hostname’]}}’
sensor_id={{doc[’sensor_id’]}}
feed_id={{doc[’feed_id’]}}
feed_name=’{{doc[’feed_name’]}}’
ioc_type=’{{doc[’ioc_type’]}}’
ioc_value=’{{doc[’ioc_value’]}} ’
{% for k in doc[’ioc_attr’] %} {{k}}=’{{doc[’ioc_attr’][k]}}’{% endfor %}
timestamp=’{{doc[’event_timestamp’]}}’
Binary Ingress Feed Hit – Key-Value Pairs

Syslog Label

Solr Doc Reference

Description

reason

no doc reference

Text that describes the entry. The reason label is hard-coded in the syslog template and identifies the type of the event as "watchlist.hit," "feed.hit," or "binaryinfo."

type

no doc reference

Text that identifies the type of data that is returned with the event. For example:

  • event (process events)

  • module (binary modules)

  • host (host level information only)

md5

md5

MD5 hash value of a process, a parent process, a child process, a loaded module or a written file.

sha256

sha256

SHA-256 hash value of a process, a parent process, a child process, a loaded module or a written file.

host

hostname

Hostname of the computer on which the feed hit was detected.

sensor_id

sensor_id

Sensor ID of the endpoint that detected the feed hit.

feed_id

feed_id

ID of the feed that was matched.

feed_name

feed_name

Name of the feed that was matched.

ioc_type

ioc_type

Type of IOC that caused the hit.

ioc_value

ioc_value

Value of the IOC that matched the hit criteria.

for/if loops

_* ioc_attr

  • alliance_* identifies and prints all attributes whose names start with "alliance_" in all documents that contain feed hits, including documents reported by watchlist hits. These attributes represent feed hits.

  • ioc_attr identifies and prints additional attributes on IOC values that were matched.

Note:

for/if loops are not required. They report attributes that do not have predefined sets. You can create customized templates that do not contain them if you do not need to report on alliance_* or ioc_attr attributes.

timestamp

event_timestamp

Epoch time of the feed hit event.