Vendor Documentation


Classification

Rule Name           Rule Type   Common Event                    Classification
CB Server Events 2  Base Rule   General File Monitoring Event   Information

Sample Logs

06 28 2018 16:57:56 1.1.1.1 <USER:NOTE> LEEF:1.0|CB|CB|6.2.1.180130.1054|Host7ess|cb_server=cb_AWS cb_version=6.2.1.180130.1054 computer_name=DESKTOP-HSOP5NQ feed_id=2 feed_name=cbtamper from_feed_search=false group=Default Group hostname=dummy.hostname ioc_attr={"hit_field_action":"actionFileModDelete","hit_field_path":"c:\\windows\\carbonblack\\upgrade\\Host5","hit_field_tamper":true} ioc_type=class ioc_value=Host4ess_Host3ctors.SensorTamper$FileMod os_type=Windows process_guid=00006229-0000-22b8-01d4-0f004ab24e59 process_id=00006229-0000-22b8-01d4-0f004ab24e59 report_id=filemod_tamper report_score=70 segment_id=1 sensor_id=25129 server_name=dummy.hostorigin timestamp=1530197877.89 type=Host7ess

Mapping with LogRhythm Schema

Device Key in Log Message   Log Value           LogRhythm Schema   Data Type
severity                    NOTE                <severity>         Text/String
cb_version                  6.2.1.180130.1054   <version>          Number
computer_name               desktop-hsop5nq     <domain>           Text/String
feed_name                   cbtamper            <sender>           Text/String
group                       Default Group       <group>            Text/String
hostname                    dummy.hostname      <dname>            Text/String
server_name                 dummy.hostorigin    <sname>            Text/String
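The parsing and field mapping described by the table above, as an added Python example that is not LogRhythm's or Carbon Black's own code: it splits the syslog prefix and LEEF 1.0 header, extracts the space-separated key=value attributes without breaking multi-word values such as "Default Group", applies the table's device-key-to-schema mapping, and reads the tampered path out of the ioc_attr JSON. The sample line is the one shown on this page; the regexes and function names are assumptions of this example.

```python
import json
import re

# Constructed sample: the LEEF line shown on this page, split across raw literals
SAMPLE_LOG = (
    r'06 28 2018 16:57:56 1.1.1.1 <USER:NOTE> LEEF:1.0|CB|CB|6.2.1.180130.1054|Host7ess|'
    r'cb_server=cb_AWS cb_version=6.2.1.180130.1054 computer_name=DESKTOP-HSOP5NQ feed_id=2 '
    r'feed_name=cbtamper from_feed_search=false group=Default Group hostname=dummy.hostname '
    r'ioc_attr={"hit_field_action":"actionFileModDelete","hit_field_path":'
    r'"c:\\windows\\carbonblack\\upgrade\\Host5","hit_field_tamper":true} '
    r'ioc_type=class ioc_value=Host4ess_Host3ctors.SensorTamper$FileMod os_type=Windows '
    r'process_guid=00006229-0000-22b8-01d4-0f004ab24e59 process_id=00006229-0000-22b8-01d4-0f004ab24e59 '
    r'report_id=filemod_tamper report_score=70 segment_id=1 sensor_id=25129 '
    r'server_name=dummy.hostorigin timestamp=1530197877.89 type=Host7ess'
)

# Device key -> LogRhythm schema field, exactly as the mapping table above lists them
SCHEMA_MAP = {
    "severity": "severity", "cb_version": "version", "computer_name": "domain",
    "feed_name": "sender", "group": "group", "hostname": "dname", "server_name": "sname",
}

# Syslog prefix, <facility:severity> tag, then the five pipe-delimited LEEF 1.0 header fields
HEADER_RE = re.compile(
    r'^(?P<ts>\d{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (?P<src>\S+) <(?P<facility>\w+):(?P<severity>\w+)> '
    r'LEEF:(?P<leef>[\d.]+)\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|(?P<pver>[^|]*)\|(?P<event>[^|]*)\|'
    r'(?P<attrs>.*)$'
)
# Attributes are space-separated key=value pairs, but a value may itself contain spaces
# ("Default Group"), so a value runs until the next " key=" token or end of line
KV_RE = re.compile(r'(\w+)=(.*?)(?= \w+=|$)')

def parse_leef_event(line):
    """Return the attribute dict for one CB server LEEF line; severity comes from the syslog tag."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a syslog-prefixed LEEF 1.0 line")
    attrs = dict(KV_RE.findall(m.group("attrs")))
    attrs["severity"] = m.group("severity")
    return attrs

def map_to_logrhythm(attrs):
    """Project device keys onto LogRhythm schema fields; keys the table does not map are dropped."""
    return {field: attrs[key] for key, field in SCHEMA_MAP.items() if key in attrs}

def tamper_path(attrs):
    """Path from the ioc_attr JSON when the hit is flagged as sensor tampering, else None."""
    ioc = json.loads(attrs.get("ioc_attr", "{}"))
    return ioc.get("hit_field_path") if ioc.get("hit_field_tamper") else None
```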