Device Details

Device Name                | CB Response LEEF
Vendor                     | Carbon Black
Device Type                | Endpoint Detection and Response
Supported Model Name/Number| N/A
Supported Software Version | All
Collection Method          | Syslog
Configurable Log Output    | N/A
Log Source Type            | Syslog - CB Response LEEF
Log Processing Policy      | LogRhythm Default
Exceptions                 | N/A
Additional Information     | https://www.carbonblack.com/products/endpoint-detection-and-response/

Supported Log Messages

(List of the LogRhythm (LR) schema tags used to parse the log information for each message type)


Type | Product Version | Supported Schema Fields
---- | --------------- | -----------------------
Alert Status Messages | N/A | <vendorinfo>, <status>, <sname>, <objectname>, <objecttype>, <hash>
Binary Info | N/A | <vmid>, <group>, <dname>, <objectname>, <hash>
Catch All : Level 1 | N/A | <vmid>
CB Server Events | N/A | <severity>, <dinterface>, <domain>, <sender>, <group>, <sip>, <dip>, <hash>, <process>, <parentprocesspath>, <status>, <login>, <object>, <objectname>
CB Server Events 2 | N/A | <severity>, <version>, <domain>, <sender>, <group>, <dname>, <sname>
CB-Enterprised Messages | N/A | <severity>, <process>, <processid>, <object>, <subject>
CB-Job-Runner Log Messages | N/A | <severity>, <process>, <processid>, <object>, <subject>
Child Process Ingress Event | N/A | <vmid>, <dname>, <tag1>, <objectname>, <hash>, <processid>
CROND Messages | N/A | <severity>, <process>, <processid>, <command>, <subject>
Cross Process Open Ingress Event | N/A | <vmid>, <dname>, <objectname>, <hash>, <process>, <processid>
Feed : Binary Storage Hit | N/A | <url>, <cve>, <sender>, <subject>, <result>, <tag1>, <hash>
Feed Hit : Binary Ingress | N/A | <sender>, <group>, <dname>, <objectname>, <hash>
Feed Hit : Host Hit | N/A | <sender>, <group>, <dname>
Feed Hit : Process Ingress | N/A | <sender>, <group>, <dname>, <objectname>, <hash>
Feed Query : Process Hit | N/A | <command>, <sender>, <group>, <dname>, <sip>, <result>, <parentprocessname>, <parentprocessid>, <process>, <objectname>, <hash>, <object>
Feed Synchronized | N/A | <object>
Feed : Process Storage Hit | N/A | <command>, <dinterface>, <sender>, <group>, <dname>, <sip>, <result>, <parentprocessname>, <parentprocessid>, <process>, <objectname>, <hash>, <object>, <processid>, <domain>, <login>
File Added To Binary Store | N/A | <parentprocesspath>, <process>, <objectname>, <hash>, <size>
File Modification Ingress Event | N/A | <vmid>, <command>, <action>, <dname>, <objecttype>, <objectname>, <hash>, <process>
Module Load Ingress Event | N/A | <vmid>, <dname>, <objectname>, <hash>, <process>, <object>
Network Connection Ingress Event | N/A | <vmid>, <tag1>, <url>, <dip>, <dport>, <objectname>, <hash>, <processid>, <process>, <protnum>, <sip>, <sport>
Process Ingress Event | N/A | <vmid>, <command>, <dname>, <objectname>, <hash>, <parentprocesspath>, <parentprocessname>, <process>, <processid>, <domain>, <account>
Registry Modification Ingress Event | N/A | <vmid>, <command>, <action>, <dname>, <objectname>, <hash>, <object>, <process>, <processid>
Remote Thread Ingress Event | N/A | <vmid>, <dname>, <objectname>, <hash>, <process>, <processid>
Watchlist Hit : Binary | N/A | <severity>, <result>, <tag1>, <subject>, <dname>, <version>, <group>, <objectname>, <hash>, <process>, <object>, <vmid>
Watchlist Hit : Binary Storage | N/A | <subject>, <result>, <tag1>, <dname>, <version>, <group>, <objectname>, <hash>, <process>, <object>, <vmid>
Watchlist Hit : Process | N/A | <quantity>, <version>, <command>, <sip>, <dname>, <parentprocessname>, <parentprocessid>, <process>, <objectname>, <hash>, <object>, <domain>, <login>, <vmid>
Watchlist Hit : Storage Process | N/A | <version>, <useragent>, <parentprocessname>, <parentprocessid>, <process>, <objectname>, <hash>, <object>, <processid>, <sname>, <objecttype>, <vmid>
Watchlist Hit Alert : Binary Ingress | N/A | <severity>, <subject>, <result>, <tag1>, <sender>, <dname>, <objectname>, <hash>, <process>, <quantity>, <status>
Watchlist Hit Alert : Feed Search Binary | N/A | <severity>, <subject>, <result>, <tag1>, <sender>, <dname>, <objectname>, <hash>, <process>, <quantity>, <status>, <vmid>
Watchlist Hit Alert : Host Ingress | N/A | <severity>, <sender>, <group>, <dname>, <status>, <vmid>
Watchlist Hit Alert : Process Ingress | N/A | <severity>, <sender>, <group>, <dname>, <sip>, <objecttype>, <domainimpacted>, <command>, <dip>, <object>, <hash>, <url>, <quantity>, <object>, <process>, <status>, <domain>, <login>, <vmid>
Watchlist Hit Alert : Query Process | N/A | <vmid>, <dname>, <sip>, <objectname>, <hash>, <process>, <status>, <tag1>, <account>


Revision History

KB Version   | Log Type | Change Type   | Details
------------ | -------- | ------------- | ---------------------
KB 7.1.588.0 | N/A      | Documentation | Created documentation