Syslog - CB Response LEEF
Device Details
Device Name | CB Response LEEF |
---|---|
Vendor | Carbon Black |
Device Type | Endpoint Detection and Response |
Supported Model Name/Number | N/A |
Supported Software Version | All |
Collection Method | Syslog |
Configurable Log Output | N/A |
Log Source Type | Syslog - CB Response LEEF |
Log Processing Policy | LogRhythm Default |
Exceptions | N/A |
Additional Information | https://www.carbonblack.com/products/endpoint-detection-and-response/ |
Supported Log Messages
(List of LR Tags used to parse the log information for each message type)
Type | Product Version | Supported Schema Fields |
---|---|---|
Alert Status Messages | N/A | <vendorinfo>, <status>, <sname>, <objectname>, <objecttype>, <hash> |
Binary Info | N/A | <vmid>, <group>, <dname>, <objectname>, <hash> |
Catch All : Level 1 | N/A | <vmid> |
CB Server Events | N/A | <severity>, <dinterface>, <domain>, <sender>, <group>, <sip>, <dip>, <hash>, <process>, <parentprocesspath>, <status>, <login>, <object>, <objectname> |
CB Server Events 2 | N/A | <severity>, <version>, <domain>, <sender>, <group>, <dname>, <sname> |
CB-Enterprised Messages | N/A | <severity>, <process>, <processid>, <object>, <subject> |
CB-Job-Runner Log Messages | N/A | <severity>, <process>, <processid>, <object>, <subject> |
Child Process Ingress Event | N/A | <vmid>, <dname>, <tag1>, <objectname>, <hash>, <processid> |
CROND Messages | N/A | <severity>, <process>, <processid>, <command>, <subject> |
Cross Process Open Ingress Event | N/A | <vmid>, <dname>, <objectname>, <hash>, <process>, <processid> |
Feed : Binary Storage Hit | N/A | <url>, <cve>, <sender>, <subject>, <result>, <tag1>, <hash> |
Feed Hit : Binary Ingress | N/A | <sender>, <group>, <dname>, <objectname>, <hash> |
Feed Hit : Host Hit | N/A | <sender>, <group>, <dname> |
Feed Hit : Process Ingress | N/A | <sender>, <group>, <dname>, <objectname>, <hash> |
Feed Query : Process Hit | N/A | <command>, <sender>, <group>, <dname>, <sip>, <result>, <parentprocessname>, <parentprocessid>, <process>, <objectname>, <hash>, <object> |
Feed Synchronized | N/A | <object> |
Feed: Process Storage Hit | N/A | <command>, <dinterface>, <sender>, <group>, <dname>, <sip>, <result>, <parentprocessname>, <parentprocessid>, <process>, <objectname>, <hash>, <object>, <processid>, <domain>, <login> |
File Added To Binary Store | N/A | <parentprocesspath>, <process>, <objectname>, <hash>, <size> |
File Modification Ingress Event | N/A | <vmid>, <command>, <action>, <dname>, <objecttype>, <objectname>, <hash>, <process> |
Module Load Ingress Event | N/A | <vmid>, <dname>, <objectname>, <hash>, <process>, <object> |
Network Connection Ingress Event | N/A | <vmid>, <tag1>, <url>, <dip>, <dport>, <objectname>, <hash>, <processid>, <process>, <protnum>, <sip>, <sport> |
Process Ingress Event | N/A | <vmid>, <command>, <dname>, <objectname>, <hash>, <parentprocesspath>, <parentprocessname>, <process>, <processid>, <domain>, <account> |
Registry Modification Ingress Event | N/A | <vmid>, <command>, <action>, <dname>, <objectname>, <hash>, <object>, <process>, <processid> |
Remote Thread Ingress Event | N/A | <vmid>, <dname>, <objectname>, <hash>, <process>, <processid> |
Watchlist Hit : Binary | N/A | <severity>, <result>, <tag1>, <subject>, <dname>, <version>, <group>, <objectname>, <hash>, <process>, <object>, <vmid> |
Watchlist Hit : Binary Storage | N/A | <subject>, <result>, <tag1>, <dname>, <version>, <group>, <objectname>, <hash>, <process>, <object>, <vmid> |
Watchlist Hit : Process | N/A | <quantity>, <version>, <command>, <sip>, <dname>, <parentprocessname>, <parentprocessid>, <process>, <objectname>, <hash>, <object>, <domain>, <login>, <vmid> |
Watchlist Hit : Storage Process | N/A | <version>, <useragent>, <parentprocessname>, <parentprocessid>, <process>, <objectname>, <hash>, <object>, <processid>, <sname>, <objecttype>, <vmid> |
Watchlist Hit Alert : Binary Ingress | N/A | <severity>, <subject>, <result>, <tag1>, <sender>, <dname>, <objectname>, <hash>, <process>, <quantity>, <status> |
Watchlist Hit Alert : Feed Search Binary | N/A | <severity>, <subject>, <result>, <tag1>, <sender>, <dname>, <objectname>, <hash>, <process>, <quantity>, <status>, <vmid> |
Watchlist Hit Alert : Host Ingress | N/A | <severity>, <sender>, <group>, <dname>, <status>, <vmid> |
Watchlist Hit Alert : Process Ingress | N/A | <severity>, <sender>, <group>, <dname>, <sip>, <objecttype>, <domainimpacted>, <command>, <dip>, <object>, <hash>, <url>, <quantity>, <object>, <process>, <status>, <domain>, <login>, <vmid> |
Watchlist Hit Alert: Query Process | N/A | <vmid>, <dname>, <sip>, <objectname>, <hash>, <process>, <status>, <tag1>, <account> |
Revision History
KB Version | Log Type | Change Type | Details |
---|---|---|---|
KB 7.1.588.0 | N/A | Documentation | Created documentation |