Device Details

| Device Name | CB Response LEEF |
|---|---|
| Vendor | Carbon Black |
| Device Type | Endpoint Detection and Response |
| Supported Model Name/Number | N/A |
| Supported Software Version | All |
| Collection Method | Syslog |
| Configurable Log Output | N/A |
| Log Source Type | Syslog - CB Response LEEF |
| Log Processing Policy | LogRhythm Default |
| Exceptions | N/A |
| Additional Information | https://www.carbonblack.com/products/endpoint-detection-and-response/ |
Supported Log Messages
(List of LR Tags used to parse the log information for each message type)

| Type | Product Version | Supported Schema Fields |
|---|---|---|
| Alert Status Messages | N/A | <vendorinfo>, <status>, <sname>, <objectname>, <objecttype>, <hash> |
| Binary Info | N/A | <vmid>, <group>, <dname>, <objectname>, <hash> |
| Catch All : Level 1 | N/A | <vmid> |
| CB Server Events | N/A | <severity>, <dinterface>, <domain>, <sender>, <group>, <sip>, <dip>, <hash>, <process>, <parentprocesspath>, <status>, <login>, <object>, <objectname> |
| CB Server Events 2 | N/A | <severity>, <version>, <domain>, <sender>, <group>, <dname>, <sname> |
| CB-Enterprised Messages | N/A | <severity>, <process>, <processid>, <object>, <subject> |
| CB-Job-Runner Log Messages | N/A | <severity>, <process>, <processid>, <object>, <subject> |
| Child Process Ingress Event | N/A | <vmid>, <dname>, <tag1>, <objectname>, <hash>, <processid> |
| CROND Messages | N/A | <severity>, <process>, <processid>, <command>, <subject> |
| Cross Process Open Ingress Event | N/A | <vmid>, <dname>, <objectname>, <hash>, <process>, <processid> |
| Feed : Binary Storage Hit | N/A | <url>, <cve>, <sender>, <subject>, <result>, <tag1>, <hash> |
| Feed Hit : Binary Ingress | N/A | <sender>, <group>, <dname>, <objectname>, <hash> |
| Feed Hit : Host Hit | N/A | <sender>, <group>, <dname> |
| Feed Hit : Process Ingress | N/A | <sender>, <group>, <dname>, <objectname>, <hash> |
| Feed Query : Process Hit | N/A | <command>, <sender>, <group>, <dname>, <sip>, <result>, <parentprocessname>, <parentprocessid>, <process>, <objectname>, <hash>, <object> |
| Feed Synchronized | N/A | <object> |
| Feed: Process Storage Hit | N/A | <command>, <dinterface>, <sender>, <group>, <dname>, <sip>, <result>, <parentprocessname>, <parentprocessid>, <process>, <objectname>, <hash>, <object>, <processid>, <domain>, <login> |
| File Added To Binary Store | N/A | <parentprocesspath>, <process>, <objectname>, <hash>, <size> |
| File Modification Ingress Event | N/A | <vmid>, <command>, <action>, <dname>, <objecttype>, <objectname>, <hash>, <process> |
| Module Load Ingress Event | N/A | <vmid>, <dname>, <objectname>, <hash>, <process>, <object> |
| Network Connection Ingress Event | N/A | <vmid>, <tag1>, <url>, <dip>, <dport>, <objectname>, <hash>, <processid>, <process>, <protnum>, <sip>, <sport> |
| Process Ingress Event | N/A | <vmid>, <command>, <dname>, <objectname>, <hash>, <parentprocesspath>, <parentprocessname>, <process>, <processid>, <domain>, <account> |
| Registry Modification Ingress Event | N/A | <vmid>, <command>, <action>, <dname>, <objectname>, <hash>, <object>, <process>, <processid> |
| Remote Thread Ingress Event | N/A | <vmid>, <dname>, <objectname>, <hash>, <process>, <processid> |
| Watchlist Hit : Binary | N/A | <severity>, <result>, <tag1>, <subject>, <dname>, <version>, <group>, <objectname>, <hash>, <process>, <object>, <vmid> |
| Watchlist Hit : Binary Storage | N/A | <subject>, <result>, <tag1>, <dname>, <version>, <group>, <objectname>, <hash>, <process>, <object>, <vmid> |
| Watchlist Hit : Process | N/A | <quantity>, <version>, <command>, <sip>, <dname>, <parentprocessname>, <parentprocessid>, <process>, <objectname>, <hash>, <object>, <domain>, <login>, <vmid> |
| Watchlist Hit : Storage Process | N/A | <version>, <useragent>, <parentprocessname>, <parentprocessid>, <process>, <objectname>, <hash>, <object>, <processid>, <sname>, <objecttype>, <vmid> |
| Watchlist Hit Alert : Binary Ingress | N/A | <severity>, <subject>, <result>, <tag1>, <sender>, <dname>, <objectname>, <hash>, <process>, <quantity>, <status> |
| Watchlist Hit Alert : Feed Search Binary | N/A | <severity>, <subject>, <result>, <tag1>, <sender>, <dname>, <objectname>, <hash>, <process>, <quantity>, <status>, <vmid> |
| Watchlist Hit Alert : Host Ingress | N/A | <severity>, <sender>, <group>, <dname>, <status>, <vmid> |
| Watchlist Hit Alert : Process Ingress | N/A | <severity>, <sender>, <group>, <dname>, <sip>, <objecttype>, <domainimpacted>, <command>, <dip>, <object>, <hash>, <url>, <quantity>, <process>, <status>, <domain>, <login>, <vmid> |
| Watchlist Hit Alert: Query Process | N/A | <vmid>, <dname>, <sip>, <objectname>, <hash>, <process>, <status>, <tag1>, <account> |
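The table above lists which schema fields each message type populates but not how a LEEF line is taken apart to fill them. The following Python is an added example, not LogRhythm's parsing rules or Carbon Black's event-forwarder code: it splits a syslog-wrapped LEEF 1.0 or 2.0 header (`LEEF:<ver>|Vendor|Product|Version|EventID|[delimiter|]attrs`, the published LEEF layout), parses the key=value attributes, and maps them onto the fields shown for the Network Connection Ingress Event and Process Ingress Event rows. The sample lines are constructed, and the attribute key names (`sensor_id`, `process_path`, `remote_ip`, `username`, ...) and the key-to-field mapping are assumptions for illustration, not the exact keys CB Response emits.

```python
"""
Parse CB Response-style LEEF syslog lines and map them to LogRhythm schema fields.

Added example; not LogRhythm's or Carbon Black's code. The attribute key names in
the constructed samples and the SCHEMA_MAP below are assumptions for illustration.
"""
import re
from typing import Dict, List, Optional

# Constructed sample lines (not captured from a real CB Response server).
SAMPLE_LINES = [
    # LEEF 1.0: attributes are tab-separated.
    "<14>Jan 10 12:34:56 cbserver LEEF:1.0|CB|CB|6.1.0|ingress.event.netconn|"
    "sensor_id=42\tcomputer_name=WKSTN-01\tdirection=outbound"
    "\tprocess_path=c:\\windows\\system32\\svchost.exe"
    "\tmd5=0123456789abcdef0123456789abcdef"
    "\tprocess_guid=00000001-0000-0a1c-01d4-abcdef012345"
    "\tlocal_ip=10.0.0.5\tlocal_port=51234"
    "\tremote_ip=203.0.113.7\tremote_port=443\tprotocol=6\tdomain=example.net",
    # LEEF 2.0: the extra header field declares the attribute delimiter ('^' here).
    "<14>Jan 10 12:35:01 cbserver LEEF:2.0|CB|CB|6.1.0|ingress.event.procstart|^|"
    "sensor_id=42^computer_name=WKSTN-01^process_path=c:\\tools\\x.exe"
    "^md5=" + "f" * 32 + "^command_line=x.exe -k v=1"
    "^parent_path=c:\\windows\\explorer.exe^parent_name=explorer.exe"
    "^username=CORP\\alice",
]

_HEADER = re.compile(r"LEEF:(?P<ver>[12]\.0)\|")
_MD5 = re.compile(r"^[0-9a-fA-F]{32}$")

# Assumed attribute-key -> schema-field mappings for two message types from the table.
SCHEMA_MAP = {
    "ingress.event.netconn": {      # Network Connection Ingress Event
        "sensor_id": "vmid", "direction": "tag1", "domain": "url", "remote_ip": "dip",
        "remote_port": "dport", "process_path": "objectname", "md5": "hash",
        "process_guid": "processid", "protocol": "protnum", "local_ip": "sip",
        "local_port": "sport",
    },
    "ingress.event.procstart": {    # Process Ingress Event
        "sensor_id": "vmid", "command_line": "command", "computer_name": "dname",
        "process_path": "objectname", "md5": "hash", "parent_path": "parentprocesspath",
        "parent_name": "parentprocessname", "process_guid": "processid",
    },
}


def parse_leef(line: str) -> Optional[Dict[str, object]]:
    """Split a syslog-wrapped LEEF line into header fields and an attribute dict."""
    m = _HEADER.search(line)
    if not m:
        return None                                  # not LEEF; leave it to a catch-all rule
    is_v2 = m.group("ver") == "2.0"
    n_hdr = 5 if is_v2 else 4                        # vendor, product, version, event id[, delimiter]
    parts = line[m.end():].split("|", n_hdr)         # maxsplit keeps '|' inside attributes intact
    if len(parts) != n_hdr + 1:
        return None
    delim = "\t"
    if is_v2 and parts[4]:
        hexdelim = re.fullmatch(r"0?x([0-9A-Fa-f]{2,4})", parts[4])   # LEEF 2.0 allows e.g. x09
        delim = chr(int(hexdelim.group(1), 16)) if hexdelim else parts[4]
    attrs: Dict[str, str] = {}
    for kv in parts[-1].split(delim):
        key, sep, value = kv.partition("=")          # split on the first '=' only
        if sep:
            attrs[key.strip()] = value
    return {"vendor": parts[0], "product": parts[1], "version": parts[2],
            "event_id": parts[3], "attrs": attrs}


def to_schema(event: Dict[str, object]) -> Dict[str, str]:
    """Map parsed attributes to schema field names; derive <process> from the image
    path and <domain>/<account> from a DOMAIN\\user value; drop a malformed hash."""
    mapping = SCHEMA_MAP.get(str(event["event_id"]), {})
    attrs: Dict[str, str] = event["attrs"]            # type: ignore[assignment]
    out = {field: attrs[key] for key, field in mapping.items() if key in attrs}
    if "objectname" in out:
        out["process"] = re.split(r"[\\/]", out["objectname"])[-1]
    if "hash" in out and not _MD5.match(out["hash"]):
        del out["hash"]                               # never pass a non-MD5 value on as <hash>
    user = attrs.get("username", "")
    if "\\" in user:
        out["domain"], out["account"] = user.split("\\", 1)
    return out


def process_lines(lines: List[str]) -> List[Dict[str, str]]:
    """Parse every LEEF line in `lines`; non-LEEF lines are skipped."""
    results = []
    for line in lines:
        event = parse_leef(line)
        if event is not None:
            results.append(to_schema(event))
    return results


if __name__ == "__main__":
    for fields in process_lines(SAMPLE_LINES):
        print(fields)
```

Two points worth carrying into a real parsing rule: split the header with a bounded number of `|` separators so a `|` inside a command line does not shift the attribute block, and validate the `<hash>` value's shape before it reaches correlation logic, since a bad or empty value silently breaks hash-based matching.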
Revision History

| KB Version | Log Type | Change Type | Details |
|---|---|---|---|
| KB 7.1.588.0 | N/A | Documentation | Created documentation |