Device Details

Device Name | CB Response LEEF
Vendor | Carbon Black
Device Type | Endpoint Detection and Response
Supported Model Name/Number | N/A
Supported Software Version | All
Collection Method | Syslog
Configurable Log Output | N/A
Log Source Type | Syslog - CB Response LEEF
Log Processing Policy | LogRhythm Default
Exceptions | N/A
Additional Information | https://www.carbonblack.com/products/endpoint-detection-and-response/

Supported Log Messages

(List of LR Tags used to parse the log information for each message type)

Type | Product Version | Supported Schema Fields
Alert Status Messages | N/A | <vendorinfo>, <status>, <sname>, <objectname>, <objecttype>, <hash>
Binary Info | N/A | <vmid>, <group>, <dname>, <objectname>, <hash>
Catch All : Level 1 | N/A | <vmid>
CB Server Events | N/A | <severity>, <dinterface>, <domain>, <sender>, <group>, <sip>, <dip>, <hash>, <process>, <parentprocesspath>, <status>, <login>, <object>, <objectname>
CB Server Events 2 | N/A | <severity>, <version>, <domain>, <sender>, <group>, <dname>, <sname>
CB-Enterprised Messages | N/A | <severity>, <process>, <processid>, <object>, <subject>
CB-Job-Runner Log Messages | N/A | <severity>, <process>, <processid>, <object>, <subject>
Child Process Ingress Event | N/A | <vmid>, <dname>, <tag1>, <objectname>, <hash>, <processid>
CROND Messages | N/A | <severity>, <process>, <processid>, <command>, <subject>
Cross Process Open Ingress Event | N/A | <vmid>, <dname>, <objectname>, <hash>, <process>, <processid>
Feed : Binary Storage Hit | N/A | <url>, <cve>, <sender>, <subject>, <result>, <tag1>, <hash>
Feed Hit : Binary Ingress | N/A | <sender>, <group>, <dname>, <objectname>, <hash>
Feed Hit : Host Hit | N/A | <sender>, <group>, <dname>
Feed Hit : Process Ingress | N/A | <sender>, <group>, <dname>, <objectname>, <hash>
Feed Query : Process Hit | N/A | <command>, <sender>, <group>, <dname>, <sip>, <result>, <parentprocessname>, <parentprocessid>, <process>, <objectname>, <hash>, <object>
Feed Synchronized | N/A | <object>
Feed: Process Storage Hit | N/A | <command>, <dinterface>, <sender>, <group>, <dname>, <sip>, <result>, <parentprocessname>, <parentprocessid>, <process>, <objectname>, <hash>, <object>, <processid>, <domain>, <login>
File Added To Binary Store | N/A | <parentprocesspath>, <process>, <objectname>, <hash>, <size>
File Modification Ingress Event | N/A | <vmid>, <command>, <action>, <dname>, <objecttype>, <objectname>, <hash>, <process>
Module Load Ingress Event | N/A | <vmid>, <dname>, <objectname>, <hash>, <process>, <object>
Network Connection Ingress Event | N/A | <vmid>, <tag1>, <url>, <dip>, <dport>, <objectname>, <hash>, <processid>, <process>, <protnum>, <sip>, <sport>
Process Ingress Event | N/A | <vmid>, <command>, <dname>, <objectname>, <hash>, <parentprocesspath>, <parentprocessname>, <process>, <processid>, <domain>, <account>
Registry Modification Ingress Event | N/A | <vmid>, <command>, <action>, <dname>, <objectname>, <hash>, <object>, <process>, <processid>
Remote Thread Ingress Event | N/A | <vmid>, <dname>, <objectname>, <hash>, <process>, <processid>
Watchlist Hit : Binary | N/A | <severity>, <result>, <tag1>, <subject>, <dname>, <version>, <group>, <objectname>, <hash>, <process>, <object>, <vmid>
Watchlist Hit : Binary Storage | N/A | <subject>, <result>, <tag1>, <dname>, <version>, <group>, <objectname>, <hash>, <process>, <object>, <vmid>
Watchlist Hit : Process | N/A | <quantity>, <version>, <command>, <sip>, <dname>, <parentprocessname>, <parentprocessid>, <process>, <objectname>, <hash>, <object>, <domain>, <login>, <vmid>
Watchlist Hit : Storage Process | N/A | <version>, <useragent>, <parentprocessname>, <parentprocessid>, <process>, <objectname>, <hash>, <object>, <processid>, <sname>, <objecttype>, <vmid>
Watchlist Hit Alert : Binary Ingress | N/A | <severity>, <subject>, <result>, <tag1>, <sender>, <dname>, <objectname>, <hash>, <process>, <quantity>, <status>
Watchlist Hit Alert : Feed Search Binary | N/A | <severity>, <subject>, <result>, <tag1>, <sender>, <dname>, <objectname>, <hash>, <process>, <quantity>, <status>, <vmid>
Watchlist Hit Alert : Host Ingress | N/A | <severity>, <sender>, <group>, <dname>, <status>, <vmid>
Watchlist Hit Alert : Process Ingress | N/A | <severity>, <sender>, <group>, <dname>, <sip>, <objecttype>, <domainimpacted>, <command>, <dip>, <object>, <hash>, <url>, <quantity>, <object>, <process>, <status>, <domain>, <login>, <vmid>
Watchlist Hit Alert: Query Process | N/A | <vmid>, <dname>, <sip>, <objectname>, <hash>, <process>, <status>, <tag1>, <account>

Revision History

KB Version | Log Type | Change Type | Details
KB 7.1.588.0 | N/A | Documentation | Created documentation