
cef1.carbonBlack.protection

Introduction

The table cef1.carbonBlack.protection identifies events in CEF format generated by Carbon Black.

Tag structure

Events in CEF format don't have a specific tag structure, as explained in Technologies supported in CEF syslog format. They are always sent to a table with the structure cefx.deviceVendor.deviceProduct.

In this case, the valid data tables are:

  • cef1.carbonBlack.protection

How is the data sent to Devo?

You can send your product logs to Devo using any of the available methods, for example using any Syslog drain or using the Devo In-house Relay. Learn more about how to configure Forcepoint web protection solutions to send logs here.

Learn more about CEF syslog format and how Devo tags these events in Technologies supported in CEF syslog format.

Log samples

The following are sample logs sent to cef1.carbonBlack.protection. Find how the information will be parsed in your data table under each sample log.

Extra columns

Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.

cef0.forcepoint.security

2021-06-16 13:17:28.136 localhost=127.0.0.1 14 CEF:1|Carbon Black|Protection|8.1.8.258|812|File approved (publisher)|Medium| eventId=83 externalId=8306996307 msg=File \'/path/to/file.dll\' [1234abcd5678efgh] was approved by Publisher \'Microsoft Corporation\'. start=1617648869000 art=1617648893778 cat=Policy Enforcement deviceSeverity=4 rt=1617648874000 sproc=00000000-0000-21c4-01d7-2a4d122ad34d dhost=some_host1234 dst=1.2.3.4 destinationZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 1.2.3.4-5.6.7.8 duser=some_user fname=mip_protection_sdk.dll filePath=/path/to/file.dll fileId=110869496 fileHash=1234abcd5678efgh cs1=f4a183dbc844e0dbd74745b59c86c4606871c579affae17830c4ee914205712c cs2=microsoftedge_x64_89.0.774.68.exe.{asdfasdf-asdfasdf-asdfasdf-asdfasdf} cs3=GDIT Lockdown Win10 cs5=Approve writes from trusted processes flexString1=0 - Clean flexString2=0 - Clean cfp1=8.0 cfp2=8.0 cs1Label=rootHash cs2Label=installerFilename cs3Label=Policy cs5Label=ruleName cfp1Label=fileTrust cfp2Label=processTrust flexString1Label=fileThreat flexString2Label=processThreat ahost=1.2.3.4 agt=1.2.3.4 agentZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 1.2.3.4-5.6.7.8 amac=12-34-56-78-AB-CD av=7.10.0.8114.0 atz=America/New_York at=syslog dvchost=some_host dvc=1.2.3.4 deviceZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 1.2.3.4-5.6.7.8 dtz=America/New_York deviceProcessName=c:myfile.exe _cefVer=1.0 ad.prevalence=9741 aid=asjhdfksajdhfka123455

And this is how these logs would be parsed:

| Field | Value | Type | Extra fields |
|---|---|---|---|
| hostchain | localhost=127.0.0.1 | str | |
| hostname | localhost | str | |
| priorityCode | 14 | str | |
| cefTag | CEF | str | |
| cefVersion | 1 | str | |
| embDeviceVendor | Carbon Black | str | |
| embDeviceProduct | Protection | str | |
| deviceVersion | 8.1.8.258 | str | |
| signatureID | 812 | str | |
| name | File approved (publisher) | str | |
| severity | Medium | str | |
| eventId | 83 | str | |
| externalId | 8306996307 | int8 | |
| msg | File '/path/to/file.dll' [1234abcd5678efgh] was approved by Publisher 'Microsoft Corporation'. | str | |
| start | 1617648869000 | timestamp | |
| art | 1617648893778 | str | |
| cat | Policy Enforcement | str | |
| deviceSeverity | 4 | str | |
| rt | 1617648874000 | timestamp | |
| sproc | 00000000-0000-21c4-01d7-2a4d122ad34d | str | |
| dhost | some_host1234 | str | |
| dst | 1.2.3.4 | ip4 | |
| destinationZoneURI | /All Zones/ArcSight System/Private Address Space Zones/RFC1918: 1.2.3.4-5.6.7.8 | str | |
| duser | some_user | str | |
| fname | mip_protection_sdk.dll | str | |
| filePath | /path/to/file.dll | str | |
| fileId | 110869496 | str | |
| fileHash | 1234abcd5678efgh | str | |
| cs1 | f4a183dbc844e0dbd74745b59c86c4606871c579affae17830c4ee914205712c | str | |
| cs2 | microsoftedge_x64_89.0.774.68.exe.{asdfasdf-asdfasdf-asdfasdf-asdfasdf} | str | |
| cs3 | GDIT Lockdown Win10 | str | |
| cs5 | Approve writes from trusted processes | str | |
| flexString1 | 0 - Clean | str | |
| flexString2 | 0 - Clean | str | |
| cfp1 | 8.0 | float | |
| cfp2 | 8.0 | float | |
| cs1Label | rootHash | str | |
| cs2Label | installerFilename | str | |
| cs3Label | Policy | str | |
| cs5Label | ruleName | str | |
| cfp1Label | fileTrust | str | |
| cfp2Label | processTrust | str | |
| flexString1Label | fileThreat | str | |
| flexString2Label | processThreat | str | |
| ahost | 1.2.3.4 | str | |
| agt | 1.2.3.4 | str | |
| agentZoneURI | /All Zones/ArcSight System/Private Address Space Zones/RFC1918: 1.2.3.4-5.6.7.8 | str | |
| amac | 12-34-56-78-AB-CD | str | |
| av | 7.10.0.8114.0 | str | |
| atz | America/New_York | str | |
| at | syslog | str | |
| dvchost | some_host | str | |
| dvc | 1.2.3.4 | ip4 | |
| deviceZoneURI | /All Zones/ArcSight System/Private Address Space Zones/RFC1918: 1.2.3.4-5.6.7.8 | str | |
| dtz | America/New_York | str | |
| deviceProcessName | c:myfile.exe | str | |
| _cefVer | 1.0 | str | |
| ad_prevalence | 9741 | str | |
| aid | asjhdfksajdhfka123455 | str | |
| extension | eventId=83 externalId=8306996307 msg=File '/path/to/file.dll' [1234abcd5678efgh] was approved by Publisher 'Microsoft Corporation'. start=1617648869000 art=1617648893778 cat=Policy Enforcement deviceSeverity=4 rt=1617648874000 sproc=00000000-0000-21c4-01d7-2a4d122ad34d dhost=some_host1234 dst=1.2.3.4 destinationZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 1.2.3.4-5.6.7.8 duser=some_user fname=mip_protection_sdk.dll filePath=/path/to/file.dll fileId=110869496 fileHash=1234abcd5678efgh cs1=f4a183dbc844e0dbd74745b59c86c4606871c579affae17830c4ee914205712c cs2=microsoftedge_x64_89.0.774.68.exe.{asdfasdf-asdfasdf-asdfasdf-asdfasdf} cs3=GDIT Lockdown Win10 cs5=Approve writes from trusted processes flexString1=0 - Clean flexString2=0 - Clean cfp1=8.0 cfp2=8.0 cs1Label=rootHash cs2Label=installerFilename cs3Label=Policy cs5Label=ruleName cfp1Label=fileTrust cfp2Label=processTrust flexString1Label=fileThreat flexString2Label=processThreat ahost=1.2.3.4 agt=1.2.3.4 agentZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 1.2.3.4-5.6.7.8 amac=12-34-56-78-AB-CD av=7.10.0.8114.0 atz=America/New_York at=syslog dvchost=some_host dvc=1.2.3.4 deviceZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 1.2.3.4-5.6.7.8 dtz=America/New_York deviceProcessName=c:myfile.exe _cefVer=1.0 ad.prevalence=9741 aid=asjhdfksajdhfka123455 | str | |
| rawMessage | CEF:1\|Carbon Black\|Protection\|8.1.8.258\|812\|File approved (publisher)\|Medium\| eventId=83 externalId=8306996307 msg=File '/path/to/file.dll' [1234abcd5678efgh] was approved by Publisher 'Microsoft Corporation'. start=1617648869000 art=1617648893778 cat=Policy Enforcement deviceSeverity=4 rt=1617648874000 sproc=00000000-0000-21c4-01d7-2a4d122ad34d dhost=some_host1234 dst=1.2.3.4 destinationZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 1.2.3.4-5.6.7.8 duser=some_user fname=mip_protection_sdk.dll filePath=/path/to/file.dll fileId=110869496 fileHash=1234abcd5678efgh cs1=f4a183dbc844e0dbd74745b59c86c4606871c579affae17830c4ee914205712c cs2=microsoftedge_x64_89.0.774.68.exe.{asdfasdf-asdfasdf-asdfasdf-asdfasdf} cs3=GDIT Lockdown Win10 cs5=Approve writes from trusted processes flexString1=0 - Clean flexString2=0 - Clean cfp1=8.0 cfp2=8.0 cs1Label=rootHash cs2Label=installerFilename cs3Label=Policy cs5Label=ruleName cfp1Label=fileTrust cfp2Label=processTrust flexString1Label=fileThreat flexString2Label=processThreat ahost=1.2.3.4 agt=1.2.3.4 agentZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 1.2.3.4-5.6.7.8 amac=12-34-56-78-AB-CD av=7.10.0.8114.0 atz=America/New_York at=syslog dvchost=some_host dvc=1.2.3.4 deviceZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 1.2.3.4-5.6.7.8 dtz=America/New_York deviceProcessName=c:myfile.exe _cefVer=1.0 ad.prevalence=9741 aid=asjhdfksajdhfka123455 | str | |
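The following is an added illustration, not Devo's parser, of how a CEF payload like the one above is split into the columns in this table: the seven pipe-delimited header fields (with `\|` escapes respected), the space-separated `key=value` extension (values such as `msg` and `cat` contain spaces, so a pair ends only where the next key starts), backslash escapes removed as in the `msg` column, `ad.prevalence` stored as `ad_prevalence`, and the typed columns (`externalId`, `cfp1`, `start`, `dst`) converted. It goes one step beyond the table by resolving the ArcSight `csNLabel` pairs (for example `cs1Label=rootHash` exposes `cs1` as `rootHash`). The `SAMPLE` line is a shortened, constructed form of the page's log; the `TYPED` map is an assumption limited to the types the table lists.

```python
import re
import ipaddress
from datetime import datetime, timezone

# Constructed sample: the page's Carbon Black Protection event, shortened to a few extension keys.
SAMPLE = ("CEF:1|Carbon Black|Protection|8.1.8.258|812|File approved (publisher)|Medium| "
          "eventId=83 externalId=8306996307 msg=File \\'/path/to/file.dll\\' [1234abcd5678efgh] "
          "was approved by Publisher \\'Microsoft Corporation\\'. start=1617648869000 "
          "cat=Policy Enforcement dst=1.2.3.4 cfp1=8.0 cs1=f4a183dbc844e0db cs1Label=rootHash "
          "ad.prevalence=9741")

HEADER = ["embDeviceVendor", "embDeviceProduct", "deviceVersion", "signatureID", "name", "severity"]
# Assumed type map covering the non-str columns in the table; everything else stays a string.
TYPED = {"externalId": int, "cfp1": float, "cfp2": float,
         "start": lambda v: datetime.fromtimestamp(int(v) / 1000, tz=timezone.utc),
         "rt": lambda v: datetime.fromtimestamp(int(v) / 1000, tz=timezone.utc),
         "dst": ipaddress.ip_address, "dvc": ipaddress.ip_address}
UNESCAPE = re.compile(r"\\(.)")   # \| \= \' \\ -> the literal character
# A pair runs up to the whitespace that precedes the next key=, so values may contain spaces.
EXT_PAIR = re.compile(r"([A-Za-z0-9_.]+)=(.*?)(?=\s+[A-Za-z0-9_.]+=|$)", re.S)


def parse_cef(line: str) -> dict:
    """Parse the CEF payload (the rawMessage column, without the syslog envelope)."""
    # Header: CEF:Version plus six fields; an escaped \| inside a field does not split.
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    tag, version = parts[0].split(":", 1)
    out = {"cefTag": tag, "cefVersion": version, "rawMessage": line}
    out.update(zip(HEADER, (UNESCAPE.sub(r"\1", p) for p in parts[1:7])))
    ext = parts[7].strip()
    out["extension"] = UNESCAPE.sub(r"\1", ext)
    for key, value in EXT_PAIR.findall(ext):
        key = key.replace(".", "_")   # ad.prevalence is stored as ad_prevalence
        value = UNESCAPE.sub(r"\1", value)
        out[key] = TYPED.get(key, str)(value)
    # Resolve custom-field labels: cs1Label=rootHash makes cs1 reachable as rootHash.
    for key in [k for k in out if k.endswith("Label")]:
        out[out[key]] = out.get(key[:-5])
    return out


if __name__ == "__main__":
    for field, value in parse_cef(SAMPLE).items():
        print(f"{field}: {value!r}")
```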