
endpoint.carbonblack

Introduction

The tags beginning with endpoint.carbonblack identify events generated by VMware Carbon Black.

Valid tags and data tables

The full tag must have 3 levels. The first two are fixed as endpoint.carbonblack. The third level identifies the type of events sent.

| Technology | Brand | Type |
|---|---|---|
| endpoint | carbonblack | protection |

These are the valid tags and corresponding data tables that will receive the parsers' data:

| Tag | Data table |
|---|---|
| endpoint.carbonblack.protection | endpoint.carbonblack.protection |

Log samples

The following are sample logs sent to each of the endpoint.carbonblack data tables. Under each sample log you can also see how its information is parsed into your data table.

Extra columns

Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.

endpoint.carbonblack.protection

2022-02-16 19:22:59.816 localhost=127.0.0.1 endpoint.carbonblack.protection: LEEF:1.0|Carbon_Black|Protection|8.1.6.436|Certificate_checked|cat=Discovery sev=4 devTime=Apr 05 2021 17:10:37.000 UTC msg=Agent detected that certificate 'adsfasdfasdfasdfasdfasdfasdfasdf' is valid. externalId=1318779 src=10.1.5.2 srcHostName=DEVOINC\\BCHost01 policy=Hyperion dstHostName=PRDHost01.devoinc.devo.net receivedTime=Apr 05 2021 17:11:27.183 UTC

And this is how the log would be parsed:

| Field | Value | Type | Field transformation | Source field name | Extra field |
|---|---|---|---|---|---|
| eventdate | 2022-02-16 19:22:59.816 | timestamp | | | |
| hostname | localhost | str | | | |
| leefVer | 1.0 | str | | | |
| vendor | Carbon_Black | str | | | |
| product | Protection | str | | | |
| version | 8.1.6.436 | str | | | |
| eventID | Certificate_checked | str | | | |
| cat | Discovery | str | | | |
| sev | 4 | int4 | | | |
| devTime | 2021-04-05 17:10:37.0 | timestamp | parsedate(devTime_tmp, dateformat("MMM DD YYYY HH:mm:ss.SSS [UTC]", "UTC", "en-US")) | devTime_tmp | |
| msg | Agent detected that certificate 'adsfasdfasdfasdfasdfasdfasdfasdf' is valid. | str | | | |
| externalId | 1318779 | str | | | |
| src | 10.1.5.2 | ip4 | | | |
| srcHostName | DEVOINC\\BCHost01 | str | | | |
| policy | Hyperion | str | | | |
| dstHostName | PRDHost01.devoinc.devo.net | str | | | |
| receivedTime | 2021-04-05 17:11:27.183 | timestamp | parsedate(receivedTime_tmp, dateformat("MMM DD YYYY HH:mm:ss.SSS [UTC]", "UTC", "en-US")) | receivedTime_tmp | |
| srcProcess | null | str | | | |
| usrName | null | str | | | |
| filePath | null | str | | | |
| fileName | null | str | | | |
| fileHash | null | str | | | |
| fileId | null | str | | | |
| rootHash | null | str | | | |
| installerFileName | null | str | | | |
| ruleName | null | str | | | |
| processKey | null | str | | | |
| fileTrust | null | str | | | |
| fileThreat | null | str | | | |
| processTrust | null | str | | | |
| processThreat | null | str | | | |
| prevalence | null | str | | | |
| hostchain | localhost=127.0.0.1 | str | | | ✓ |
| tag | endpoint.carbonblack.protection | str | | | ✓ |
| rawMessage | LEEF:1.0\|Carbon_Black\|Protection\|8.1.6.436\|Certificate_checked\|cat=Discovery sev=4 devTime=Apr 05 2021 17:10:37.000 UTC msg=Agent detected that certificate 'adsfasdfasdfasdfasdfasdfasdfasdf' is valid. externalId=1318779 src=10.1.5.2 srcHostName=DEVOINC\\BCHost01 policy=Hyperion dstHostName=PRDHost01.devoinc.devo.net receivedTime=Apr 05 2021 17:11:27.183 UTC | str | | | ✓ |
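To make the mapping above concrete, here is an added Python example (it is not Devo's parser and not Carbon Black code) that parses the LEEF 1.0 payload from the rawMessage row into the documented columns. It assumes the attribute section is space-separated and that values may themselves contain spaces (as msg and devTime do), so it splits only before tokens that look like a key followed by "=", and it treats the device timestamps as UTC, as the page's dateformat pattern does. The names ATTRIBUTE_FIELDS, parse_leef and parse_device_time are chosen here; the sample input is the page's own rawMessage value, embedded inline.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Constructed sample input: the LEEF payload shown in the rawMessage row of the
# table above. The doubled backslash in srcHostName is kept as the page shows it.
SAMPLE_RAW = (
    "LEEF:1.0|Carbon_Black|Protection|8.1.6.436|Certificate_checked|"
    "cat=Discovery sev=4 devTime=Apr 05 2021 17:10:37.000 UTC "
    "msg=Agent detected that certificate 'adsfasdfasdfasdfasdfasdfasdfasdf' is valid. "
    "externalId=1318779 src=10.1.5.2 srcHostName=DEVOINC\\\\BCHost01 policy=Hyperion "
    "dstHostName=PRDHost01.devoinc.devo.net receivedTime=Apr 05 2021 17:11:27.183 UTC"
)

# Attribute names the data table exposes as columns; absent ones parse to None
# (shown as null in the table above).
ATTRIBUTE_FIELDS = (
    "cat", "sev", "devTime", "msg", "externalId", "src", "srcHostName", "policy",
    "dstHostName", "receivedTime", "srcProcess", "usrName", "filePath", "fileName",
    "fileHash", "fileId", "rootHash", "installerFileName", "ruleName", "processKey",
    "fileTrust", "fileThreat", "processTrust", "processThreat", "prevalence",
)

# Device timestamps look like "Apr 05 2021 17:10:37.000 UTC", i.e. the page's
# "MMM DD YYYY HH:mm:ss.SSS [UTC]" pattern; the zone suffix is checked separately.
DEVICE_TIME_FORMAT = "%b %d %Y %H:%M:%S.%f"

# Values may contain spaces, so split only before a token that looks like a key=.
ATTR_SPLIT = re.compile(r"\s+(?=[A-Za-z]\w*=)")


def parse_device_time(value):
    """Convert a Carbon Black LEEF timestamp string to an aware UTC datetime."""
    stamp, _, zone = value.rpartition(" ")
    if zone != "UTC":
        raise ValueError(f"unexpected time zone in {value!r}")
    return datetime.strptime(stamp, DEVICE_TIME_FORMAT).replace(tzinfo=timezone.utc)


def parse_leef(raw):
    """Parse one Carbon Black Protection LEEF 1.0 line into the documented columns."""
    # Header: LEEF:<version>|<vendor>|<product>|<version>|<eventID>|<attributes>
    parts = raw.split("|", 5)
    if len(parts) != 6 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF header: " + raw[:40])
    event = {
        "leefVer": parts[0][len("LEEF:"):],
        "vendor": parts[1],
        "product": parts[2],
        "version": parts[3],
        "eventID": parts[4],
    }
    # Attributes: key=value pairs; the value runs until the next key= token.
    attrs = {}
    for token in ATTR_SPLIT.split(parts[5].strip()):
        key, _, value = token.partition("=")
        attrs[key] = value
    for name in ATTRIBUTE_FIELDS:
        event[name] = attrs.get(name)
    # Typed columns: sev is int4, src is ip4, the two times are timestamps.
    if event["sev"] is not None:
        event["sev"] = int(event["sev"])
    if event["src"] is not None:
        event["src"] = ipaddress.IPv4Address(event["src"])
    for name in ("devTime", "receivedTime"):
        if event[name] is not None:
            event[name] = parse_device_time(event[name])
    return event


if __name__ == "__main__":
    for field, value in parse_leef(SAMPLE_RAW).items():
        print(f"{field:20} {value}")
```

The eventdate, hostname and hostchain columns come from the relay prefix in front of the LEEF payload rather than from the payload itself, so they are outside what this parser handles; a line that does not carry a LEEF header is rejected rather than partially parsed.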