Syslog VMWare Carbon Black Policy Enforcement Events
Vendor Documentation
Classification
Rule Name | Rule Type | Classification | Common Event |
---|---|---|---|
Carbon Black Policy Enforcement Events | Base Rule | Operation : Information | General POLICY Information |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
---|---|---|---|
N/A | N/A | N/A | Device Product |
N/A | N/A | N/A | Device Vendor |
N/A | N/A | N/A | Device Version |
N/A | <vmid> | Number | Event ID |
N/A | <action> | Text/String | Name of Event |
N/A | N/A | N/A | Severity |
externalId | N/A | N/A | Unique auto-incremented ID of each generated App Control event. |
cat | <vendorinfo> | Text/String | App Control event type |
start | N/A | N/A | Timestamp when the event was created on the endpoint (in UTC). |
rt | N/A | N/A | Timestamp when the event was received by the App Control Server (in UTC). |
filePath | N/A | N/A | Full pathname of the file generating the event. |
fname | <object> | Text/String | N/A |
fileHash | <hash> | Text/String/Number | N/A |
fileId | N/A | N/A | N/A |
deviceProcessName | <process> | Text/String | N/A |
dst | <dip> | IP Address | IPv4 address of the machine generating the event (if available). |
dhost | <dname> | Text/String | Host name of the machine generating the event. |
duser | <account> | Text/String | User name of the user generating the event. |
dvchost | <domain> | Text/String | App Control Server host name. Note that this could be an IP address if that is what was entered during server installation. |
msg | <subject> | Text/String | Full text message of the App Control event. |
sproc | N/A | N/A | N/A |
prevalence | N/A | N/A | N/A |
global_state | N/A | N/A | N/A |
cs1Label | N/A | N/A | rootHash |
cs1 | N/A | N/A | Root hash of the file generating the event. |
cs2Label | N/A | N/A | installerFilename |
cs2 | N/A | N/A | Installer Filename of the file generating the event. |
cs3Label | N/A | N/A | Policy |
cs3 | <policy> | Text/String | App Control policy of the machine generating the event. |
cs5Label | N/A | N/A | ruleName |
cs5 | N/A | N/A | The name of the rule associated with the event (if any). |
cfp1Label | N/A | N/A | fileTrust |
cfp1 | N/A | N/A | File trust from Carbon Black File Reputation of the file associated with the event. Pending means that Carbon Black File Reputation lookup was not yet performed but will be. (Conditional) |
flexString1Label | N/A | N/A | fileThreat |
flexString1 | N/A | N/A | File threat from Carbon Black File Reputation of the file associated with the event. Pending means that Carbon Black File Reputation lookup was not yet performed but will be. (Conditional) |
cfp2Label | N/A | N/A | processTrust |
cfp2 | N/A | N/A | Parent process trust from Carbon Black File Reputation of the file associated with the event. Pending means that Carbon Black File Reputation lookup was not yet performed but will be. (Conditional) |
flexString2Label | N/A | N/A | processThreat |
flexString2 | N/A | N/A | Parent process threat from Carbon Black File Reputation of the file associated with the event. Pending implies that Carbon Black File Reputation lookup was not yet performed but will be. (Conditional) |
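The table above describes a field mapping but does not show how the CEF line is actually taken apart, in particular how the `cs3Label`/`cs3`, `cfp1Label`/`cfp1` and `flexString1Label`/`flexString1` pairs resolve to a named value, or how a `Pending` reputation value should be treated. The following Python is an added example, not LogRhythm's or VMware's parser: it splits the standard CEF header (`CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension`), walks the `key=value` extension while honouring CEF escaping, applies the mapping from the table, and resolves the custom-field label pairs. The syslog line, the `EXAMPLE-VERSION` string, hashes, host names and user names in `SAMPLE` are constructed for this example and are not real event data.

```python
import re
from typing import Dict, Tuple

# CEF extension key -> LogRhythm schema field, taken from the mapping table above.
# Keys the table marks N/A stay in the raw extension dict but are not mapped.
EXTENSION_TO_SCHEMA = {
    "cat": "vendorinfo", "fname": "object", "fileHash": "hash",
    "deviceProcessName": "process", "dst": "dip", "dhost": "dname",
    "duser": "account", "dvchost": "domain", "msg": "subject", "cs3": "policy",
}
HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")

_HEADER_SEP = re.compile(r"(?<!\\)\|")                    # a pipe that is not escaped as \|
_EXT_KEY = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_]+)=")   # key= at start or after whitespace
_CUSTOM_LABEL = re.compile(r"^(cs\d+|cfp\d+|flexString\d+)Label$")


def _unescape(value: str) -> str:
    r"""Undo CEF escaping: \| \= \\ become the literal character, \n and \r become newlines."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_cef(line: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split a syslog line carrying a CEF message into header fields and extension key/values."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF message in line")
    parts = _HEADER_SEP.split(line[start:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header needs 7 pipe-delimited fields followed by the extension")
    header = {name: _unescape(raw) for name, raw in zip(HEADER_FIELDS, parts[:7])}
    header["cef_version"] = header["cef_version"][len("CEF:"):]
    # Extension values may contain spaces, so locate every key= and take the text up to the next key.
    ext_raw = parts[7]
    keys = list(_EXT_KEY.finditer(ext_raw))
    extension: Dict[str, str] = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext_raw)
        extension[m.group(1)] = _unescape(ext_raw[m.end():end].strip())
    return header, extension


def to_logrhythm(header: Dict[str, str], extension: Dict[str, str]):
    """Apply the table's mapping and resolve custom-field label pairs (cs3Label/cs3 etc.)."""
    sig = header["signature_id"]
    fields = {"vmid": int(sig) if sig.isdigit() else sig,   # Event ID is a Number in the schema
              "action": header["name"]}                     # Signature name -> Name of Event
    for key, schema_field in EXTENSION_TO_SCHEMA.items():
        if key in extension:
            fields[schema_field] = extension[key]
    custom: Dict[str, str] = {}
    for key, label in extension.items():
        m = _CUSTOM_LABEL.match(key)
        if m and m.group(1) in extension:
            custom[label] = extension[m.group(1)]   # e.g. cs1Label=rootHash, cs1=<hash>
    return fields, custom


def pending_reputation(custom: Dict[str, str]):
    """Reputation labels whose Carbon Black File Reputation lookup has not completed ('Pending')."""
    return sorted(k for k in ("fileTrust", "fileThreat", "processTrust", "processThreat")
                  if custom.get(k, "").lower() == "pending")


def map_event(line: str):
    header, extension = parse_cef(line)
    return to_logrhythm(header, extension)


# Constructed sample line (not real event data); version, hashes, hosts and users are placeholders.
SAMPLE = (
    "<13>Jan  1 00:00:00 cbserver CEF:0|Carbon Black|App Control|EXAMPLE-VERSION|1003|"
    "Execution blocked|5|externalId=4711 cat=Policy Enforcement "
    "start=Jan 01 2024 00:00:00 UTC rt=Jan 01 2024 00:00:01 UTC "
    "filePath=C:\\\\Users\\\\alice\\\\Downloads\\\\tool.exe fname=tool.exe "
    "fileHash=" + "0" * 64 + " deviceProcessName=explorer.exe dst=10.0.0.25 "
    "dhost=WS-ALICE duser=CORP\\\\alice dvchost=cbserver.example.internal "
    "msg=File tool.exe blocked by policy\\=Default "
    "cs1Label=rootHash cs1=" + "1" * 64 + " cs3Label=Policy cs3=Default Policy "
    "cs5Label=ruleName cs5=Block unapproved executables "
    "cfp1Label=fileTrust cfp1=pending flexString1Label=fileThreat flexString1=pending"
)

if __name__ == "__main__":
    mapped, labelled = map_event(SAMPLE)
    for k, v in {**mapped, **labelled}.items():
        print(f"{k:12} = {v}")
    print("reputation still pending for:", pending_reputation(labelled))
```

The value-splitting rule (a value runs until the next unescaped `key=`) is what lets `msg` and `cs5` carry spaces, and it is also why an unescaped `=` inside a value would silently truncate it; `_unescape` restores the `\=` the sender must use. `pending_reputation` reflects the table's caveat that `Pending` in the trust and threat fields means no verdict yet, so a detection should not treat such an event as clean.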