cef0.malwarebytes.malwarebytes-endpoint-protection

Introduction

The table cef0.malwarebytes.malwarebytes-endpoint-protection identify events in CEF format generated by Malwarebytes.

Tag structure

Events in CEF format don't have a specific tag structure, as explained in Technologies supported in CEF syslog format. They are always sent to a table with the structure cef0.deviceVendor.deviceProduct.

In this case, the valid data tables are:

Tag	Data table
cef0.malwarebytes.malwarebytes-endpoint-protection	cef0.malwarebytes.malwarebytes-endpoint-protection

How is the data sent to Devo?

Learn more about CEF syslog format and how Devo tags these events in Technologies supported in CEF syslog format.

Log samples

The following is a sample log sent to cef0.malwarebytes.malwarebytes-endpoint-protection. Find how the information will be parsed in your data table under the sample log.

Extra columns

Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.

2018-04-13T21:06:05Z MININT-16Tjdoe CEF:0|Malwarebytes|Malwarebytes Endpoint Protection|Endpoint Protection 1.2.0.719|Detection|Website blocked|1|deviceExternalId=e150291a2b2513b9fd67941ab1135afa41111111 dvchost=MININT-16Tjdoe deviceDnsDomain=jdoeTest.local dvcmac=00:0C:29:33:C6:6A dvc=192.168.2.100 rt=Apr 13 2018 21:05:56 Z fileType=OutboundConnection cat=Website act=blocked msg=Website blocked\\nProcess name: C:\\Users\\vmadmin\\Desktop\\test.exe filePath=drivinfosproduits.info(81.171.14.67:49846) cs1Label=Detection name cs1=Malicious Websites

Field	Value	Type	Source field name	Extra field
eventdate	`2018-04-13T21:06:05Z`	`timestamp`
hostname	`localhost`	`str`
priorityCode	`14`	`str`
cefTag	`CEF`	`str`
cefVersion	`0`	`str`
embDeviceVendor	`Malwarebytes`	`str`
embDeviceProduct	`Malwarebytes Endpoint Protection`	`str`
deviceVersion	`Endpoint Protection 1.2.0.719`	`str`
signatureID	`Detection`	`str`
name	`Website Blocked`	`str`
severity	`1`	`str`
_cefVer	`0.1`	`str`
act	`blocked`	`str`
cat	`Malware`	`str`
cs1Label	`Detection name`	`str`
cs1	`Malicious Websites`	`str`
deviceDnsDomain	`jdoeTest.local`	`str`
deviceExternalId	`e150291a2b2513b9fd67941ab1135afa41111111`	`str`
dvchost	`MININT-16Tjdoe`	`str`
dvc	`192.168.2.100`	`str`
dvcmac	`00:0C:29:33:C6:6A`	`str`
filePath	`drivinfosproduits.info(81.171.14.67:49846) C:\users\vmadmin\Desktop\test.exe`	`str`
fileType	`OutboundConnection`	`str`
msg	`Website blocked\nProcess name: C:\Users\vmadmin\Desktop\test.exe`	`str`
rt	`Apr 13 2018 21:05:56 Z`	`str`
hostchain	`localhost=127.0.0.1`	`str`		✓
tag	`CEF`	`str`	cefTag	✓
rawMessage	2018-04-13T21:06:05Z MININT-16Tjdoe CEF:0\|Malwarebytes\|Malwarebytes Endpoint Protection\|Endpoint Protection 1.2.0.719\|Detection\|Website blocked\|1\|deviceExternalId=e150291a2b2513b9fd67941ab1135afa41111111 dvchost=MININT-16Tjdoe deviceDnsDomain=jdoeTest.local dvcmac=00:0C:29:33:C6:6A dvc=192.168.2.100 rt=Apr 13 2018 21:05:56 Z fileType=OutboundConnection cat=Website act=blocked msg=Website blocked\\nProcess name: C:\\Users\\vmadmin\\Desktop\\test.exe filePath=drivinfosproduits.info(81.171.14.67:49846) cs1Label=Detection name cs1=Malicious Websites	`str`		✓