
LIBRARY MONITORING

  1. Code: 41

  2. Brief Description: Library Monitoring

  3. Provided Information:

    1. Event ID

    2. Server Name – Name of the Application Instance

    3. Incident Level – Attack or Threat

    4. Incident Category

    5. Incident Type

    6. Incident Timestamp – When the incident occurred

    7. Username

    8. Start Time (Timestamp)

    9. Mod End

    10. Process Pid

    11. Checksum

    12. Action

    13. Mod Start

    14. Process Path

    15. Process Name

    16. Library Path

    17. Library Name

    18. Parameters

    19. Event Type

    20. Process Start Time (Timestamp)

    21. Parent Pid

    22. Number of Libraries

    23. Event Time

  4. Sample log message:

    1. CEF format

       

      Jul  7 03:45:58 10.16.6.4 CEF: 1|Virsec Security Platform|Virsec|1.3.0|41|Library Monitoring|10|EventId=VS-LIBM-070720-A00269|Server_Name=win_webgoat_10 Incident_Level=ATTACK Incident_Category=FILE_INTEGRITY Incident_Type=Library Monitoring Incident_Timestamp=07 Jul 2020 07:47:03 AM UTC Username=administrator Start Time=2020-07-07 07:46:03.441 Mod End=140731872210944 Process Pid=2824 Checksum=d4ff8cb9f33e855bf060e48b88f86507 Action=Monitor Mod Start=140731871723520 Process Path=c:/users/administrator/appdata/local/google/chrome/user data/swreporter/43.208.200/software_reporter_tool.exe Process Name=software_reporter_tool.exe Library Path=c:/users/administrator/appdata/local/google/chrome/user data/swreporter/43.208.200/edls_64.dll Library Name=edls_64.dll Parameters=c:/users/administrator/appdata/local/google/chrome/user data/swreporter/43.208.200/software_reporter_tool.exe --enable-crash-reporting --use-crash-handler-with-id=//./pipe/crashpad_4252_NMCPELYUKEXXKVIB --sandboxed-process-id=2 --init-done-notifier=620 --sandbox-mojo-pipe-token=5846702992297162484 --mojo-platform-channel-handle=532 --engine=2 Event Type=New Library for Process Process Start Time=2020-07-07 07:45:56.75 Parent Pid=4252 Number of Libraries=1 description=Library Monitoring category=File Integrity eventTime=2020-07-07 07:46:03.441

    2. CEF - Fixed Key Definition format

       

      Sep  7 09:53:53 10.16.5.83 CEF: 1|Virsec Security Platform|Virsec|1.4.0|41|Library Monitoring|10|EventId=VS-LIBM-090720-A56157|cs1Label=Server_Name cs1=rhel-123 cs2Label=Incident_Level cs2=ATTACK cs3Label=Incident_Category cs3=FILE_INTEGRITY cs4Label=Incident_Type cs4=Library Monitoring cs5Label=Incident_Timestamp cs5=07 Sep 2020 01:54:47 PM UTC cs6Label=Action cs6=Monitor cs7Label=Incident Type cs7=Library Injection cs8Label=Event Type cs8=New Library for Process cs9Label=Username cs9=root cs10Label=Checksum cs10=cc914df4ca46d0982af337ec35fa54ec cs11Label=Library Path cs11=/home/virsec/badboy-x86_64.so cs12Label=Start Time cs12=2020-09- 7T13:54:44.936-04:00 cs13Label=Process Profile Name cs13=Profile_123 cs14Label=Process Path cs14=/home/virsec/server1 cs15Label=Parent Process Creation Time cs15=2020-09- 7T13:37:38.503-04:00 cs16Label=Parent Pid cs16=30432 cs17Label=Number of Libraries cs17=1 cs18Label=Parameters cs18=/home/virsec/server1  cs19Label=Library Name cs19=badboy-x86_64.so cs20Label=Library Checksum cs20=1e9ebaf6f421022ef4dc26cf22e7f67e cs21Label=Process Pid cs21=30556 cs22Label=Process Name cs22=server1 cs23Label=processObjectId cs23=5f563a6397a70017b8e0926f cs24Label=Parent Process Name cs24=bash cs25Label=description cs25=Library Monitoring cs26Label=category cs26=File Integrity cs27Label=eventTime cs27=2020-09- 7T13:54:44.936-04:00
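Of the two formats above, the Fixed Key Definition variant is the one a SIEM can parse unambiguously: every key is a single token (`csN`, `csNLabel`, `EventId`), whereas the plain CEF variant has keys containing spaces (`Start Time`, `Process Pid`) that cannot be told apart from multi-word values without a key list. The parser below is an added example, not Virsec's code or a Virsec-supplied tool; `parse_virsec_cef` and `normalize_timestamp` are names chosen here, the sample is a trimmed copy of the message above, and it assumes the extension contains no CEF escape sequences (the page's samples contain none). It resolves each `csNLabel`/`csN` pair into a named field and zero-pads the space-padded day seen in the sample timestamps so they parse as ISO 8601.

```python
import re
from datetime import datetime

# Constructed sample: a trimmed copy of the page's Fixed Key Definition message.
SAMPLE = (
    "Sep  7 09:53:53 10.16.5.83 CEF: 1|Virsec Security Platform|Virsec|1.4.0|41|"
    "Library Monitoring|10|EventId=VS-LIBM-090720-A56157|cs1Label=Server_Name cs1=rhel-123 "
    "cs2Label=Incident_Level cs2=ATTACK cs3Label=Incident_Category cs3=FILE_INTEGRITY "
    "cs8Label=Event Type cs8=New Library for Process cs11Label=Library Path "
    "cs11=/home/virsec/badboy-x86_64.so cs12Label=Start Time cs12=2020-09- 7T13:54:44.936-04:00 "
    "cs20Label=Library Checksum cs20=1e9ebaf6f421022ef4dc26cf22e7f67e cs22Label=Process Name cs22=server1"
)

HEADER_FIELDS = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")
# A value runs until the next " key=" (keys carry no spaces in this format) or the end of the line.
EXT_TOKEN = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_virsec_cef(line: str) -> dict:
    """Parse one Virsec CEF line: header fields plus extension fields keyed by their csNLabel."""
    cef = line[line.index("CEF:") + len("CEF:"):].strip()
    parts = re.split(r"(?<!\\)\|", cef, maxsplit=8)  # split on unescaped pipes only
    event = dict(zip(HEADER_FIELDS, parts[:7]))
    event["severity"] = int(event["severity"])
    # Virsec emits EventId=... in its own pipe slot ahead of the extension; fold it back in.
    kv = dict(EXT_TOKEN.findall(" ".join(parts[7:])))
    fields = {}
    for key, value in kv.items():
        m = re.fullmatch(r"cs(\d+)Label", key)
        if m:  # csNLabel names the field, csN carries its value
            fields[value] = kv.get("cs" + m.group(1), "")
        elif not re.fullmatch(r"cs\d+", key):
            fields[key] = value  # non-cs keys (EventId) are kept verbatim
    event["fields"] = fields
    return event


def normalize_timestamp(value: str) -> datetime:
    """The sample day-of-month is space-padded ('2020-09- 7T...'); zero-pad it before ISO parsing."""
    return datetime.fromisoformat(re.sub(r"-\s(\d)T", r"-0\1T", value))


if __name__ == "__main__":
    ev = parse_virsec_cef(SAMPLE)
    print(ev["fields"]["Process Name"], "loaded", ev["fields"]["Library Path"],
          "checksum", ev["fields"]["Library Checksum"],
          "at", normalize_timestamp(ev["fields"]["Start Time"]).isoformat())
```

The resolved `Library Path`, `Library Checksum` and `Process Name` fields are the ones to pivot on when correlating a `New Library for Process` event against an allow-list of expected modules for that process.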
