Introduction
The table cef1.carbonBlack.protection identifies events in CEF format generated by Carbon Black.
Events in CEF format don't have a product-specific tag structure, as explained in Technologies supported in CEF syslog format. They are always sent to a table named cefx.deviceVendor.deviceProduct, where x is the CEF version declared in the event header and deviceVendor and deviceProduct are the vendor and product fields of that header (here CEF:1, Carbon Black and Protection, hence cef1.carbonBlack.protection).
In this case, the data table is cef1.carbonBlack.protection.
How is the data sent to Devo?
You can send your product logs to Devo using any of the available methods, for example using any Syslog drain or using the Devo In-house Relay. Learn more about how to configure Carbon Black Protection to forward its events in CEF format in the vendor's documentation.
Learn more about CEF syslog format and how Devo tags these events in Technologies supported in CEF syslog format.
Log samples
The following are sample logs sent to cef1.carbonBlack.protection. Find how the information will be parsed in your data table under each sample log.
cef1.carbonBlack.protection
2021-06-16 13:17:28.136 localhost=127.0.0.1 14 CEF:1|Carbon Black|Protection|8.1.8.258|812|File approved (publisher)|Medium| eventId=83 externalId=8306996307 msg=File \'/path/to/file.dll\' [1234abcd5678efgh] was approved by Publisher \'Microsoft Corporation\'. start=1617648869000 art=1617648893778 cat=Policy Enforcement deviceSeverity=4 rt=1617648874000 sproc=00000000-0000-21c4-01d7-2a4d122ad34d dhost=some_host1234 dst=1.2.3.4 destinationZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 1.2.3.4-5.6.7.8 duser=some_user fname=mip_protection_sdk.dll filePath=/path/to/file.dll fileId=110869496 fileHash=1234abcd5678efgh cs1=f4a183dbc844e0dbd74745b59c86c4606871c579affae17830c4ee914205712c cs2=microsoftedge_x64_89.0.774.68.exe.{asdfasdf-asdfasdf-asdfasdf-asdfasdf} cs3=GDIT Lockdown Win10 cs5=Approve writes from trusted processes flexString1=0 - Clean flexString2=0 - Clean cfp1=8.0 cfp2=8.0 cs1Label=rootHash cs2Label=installerFilename cs3Label=Policy cs5Label=ruleName cfp1Label=fileTrust cfp2Label=processTrust flexString1Label=fileThreat flexString2Label=processThreat ahost=1.2.3.4 agt=1.2.3.4 agentZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 1.2.3.4-5.6.7.8 amac=12-34-56-78-AB-CD av=7.10.0.8114.0 atz=America/New_York at=syslog dvchost=some_host dvc=1.2.3.4 deviceZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 1.2.3.4-5.6.7.8 dtz=America/New_York deviceProcessName=c:myfile.exe _cefVer=1.0 ad.prevalence=9741 aid=asjhdfksajdhfka123455
And this is how these logs would be parsed. Note that the custom CEF fields (cs1, cs2, cs3, cs5, cfp1, cfp2, flexString1, flexString2) keep their generic names in the table and their meaning comes from the matching *Label field (cs1Label=rootHash means cs1 holds the root hash), so queries should read the labels rather than assume a fixed meaning for these columns. start and rt are epoch milliseconds stored as timestamp, and extension keys containing a dot, such as ad.prevalence, are stored with the dot replaced by an underscore (ad_prevalence).
| Field | Value | Type | Extra fields |
|---|---|---|---|
| hostchain | localhost=127.0.0.1 | str | |
| hostname | localhost | str | |
| priorityCode | 14 | str | |
| cefTag | CEF | str | |
| cefVersion | 1 | str | |
| embDeviceVendor | Carbon Black | str | |
| embDeviceProduct | Protection | str | |
| deviceVersion | 8.1.8.258 | str | |
| signatureID | 812 | str | |
| name | File approved (publisher) | str | |
| severity | Medium | str | |
| eventId | 83 | str | |
| externalId | 8306996307 | int8 | |
| msg | File '/path/to/file.dll' [1234abcd5678efgh] was approved by Publisher 'Microsoft Corporation'. | str | |
| start | 1617648869000 | timestamp | |
| art | 1617648893778 | str | |
| cat | Policy Enforcement | str | |
| deviceSeverity | 4 | str | |
| rt | 1617648874000 | timestamp | |
| sproc | 00000000-0000-21c4-01d7-2a4d122ad34d | str | |
| dhost | some_host1234 | str | |
| dst | 1.2.3.4 | ip4 | |
| destinationZoneURI | /All Zones/ArcSight System/Private Address Space Zones/RFC1918: 1.2.3.4-5.6.7.8 | str | |
| duser | some_user | str | |
| fname | mip_protection_sdk.dll | str | |
| filePath | /path/to/file.dll | str | |
| fileId | 110869496 | str | |
| fileHash | 1234abcd5678efgh | str | |
| cs1 | f4a183dbc844e0dbd74745b59c86c4606871c579affae17830c4ee914205712c | str | |
| cs2 | microsoftedge_x64_89.0.774.68.exe.{asdfasdf-asdfasdf-asdfasdf-asdfasdf} | str | |
| cs3 | GDIT Lockdown Win10 | str | |
| cs5 | Approve writes from trusted processes | str | |
| flexString1 | 0 - Clean | str | |
| flexString2 | 0 - Clean | str | |
| cfp1 | 8.0 | float | |
| cfp2 | 8.0 | float | |
| cs1Label | rootHash | str | |
| cs2Label | installerFilename | str | |
| cs3Label | Policy | str | |
| cs5Label | ruleName | str | |
| cfp1Label | fileTrust | str | |
| cfp2Label | processTrust | str | |
| flexString1Label | fileThreat | str | |
| flexString2Label | processThreat | str | |
| ahost | 1.2.3.4 | str | |
| agt | 1.2.3.4 | str | |
| agentZoneURI | /All Zones/ArcSight System/Private Address Space Zones/RFC1918: 1.2.3.4-5.6.7.8 | str | |
| amac | 12-34-56-78-AB-CD | str | |
| av | 7.10.0.8114.0 | str | |
| atz | America/New_York | str | |
| at | syslog | str | |
| dvchost | some_host | str | |
| dvc | 1.2.3.4 | ip4 | |
| deviceZoneURI | /All Zones/ArcSight System/Private Address Space Zones/RFC1918: 1.2.3.4-5.6.7.8 | str | |
| dtz | America/New_York | str | |
| deviceProcessName | c:myfile.exe | str | |
| _cefVer | 1.0 | str | |
| ad_prevalence | 9741 | str | |
| aid | asjhdfksajdhfka123455 | str | |
| extension | eventId=83 externalId=8306996307 msg=File '/path/to/file.dll' [1234abcd5678efgh] was approved by Publisher 'Microsoft Corporation'. start=1617648869000 art=1617648893778 cat=Policy Enforcement deviceSeverity=4 rt=1617648874000 sproc=00000000-0000-21c4-01d7-2a4d122ad34d dhost=some_host1234 dst=1.2.3.4 destinationZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 1.2.3.4-5.6.7.8 duser=some_user fname=mip_protection_sdk.dll filePath=/path/to/file.dll fileId=110869496 fileHash=1234abcd5678efgh cs1=f4a183dbc844e0dbd74745b59c86c4606871c579affae17830c4ee914205712c cs2=microsoftedge_x64_89.0.774.68.exe.{asdfasdf-asdfasdf-asdfasdf-asdfasdf} cs3=GDIT Lockdown Win10 cs5=Approve writes from trusted processes flexString1=0 - Clean flexString2=0 - Clean cfp1=8.0 cfp2=8.0 cs1Label=rootHash cs2Label=installerFilename cs3Label=Policy cs5Label=ruleName cfp1Label=fileTrust cfp2Label=processTrust flexString1Label=fileThreat flexString2Label=processThreat ahost=1.2.3.4 agt=1.2.3.4 agentZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 1.2.3.4-5.6.7.8 amac=12-34-56-78-AB-CD av=7.10.0.8114.0 atz=America/New_York at=syslog dvchost=some_host dvc=1.2.3.4 deviceZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 1.2.3.4-5.6.7.8 dtz=America/New_York deviceProcessName=c:myfile.exe _cefVer=1.0 ad.prevalence=9741 aid=asjhdfksajdhfka123455 | str | |
| rawMessage | CEF:1\|Carbon Black\|Protection\|8.1.8.258\|812\|File approved (publisher)\|Medium\| eventId=83 externalId=8306996307 msg=File '/path/to/file.dll' [1234abcd5678efgh] was approved by Publisher 'Microsoft Corporation'. start=1617648869000 art=1617648893778 cat=Policy Enforcement deviceSeverity=4 rt=1617648874000 sproc=00000000-0000-21c4-01d7-2a4d122ad34d dhost=some_host1234 dst=1.2.3.4 destinationZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 1.2.3.4-5.6.7.8 duser=some_user fname=mip_protection_sdk.dll filePath=/path/to/file.dll fileId=110869496 fileHash=1234abcd5678efgh cs1=f4a183dbc844e0dbd74745b59c86c4606871c579affae17830c4ee914205712c cs2=microsoftedge_x64_89.0.774.68.exe.{asdfasdf-asdfasdf-asdfasdf-asdfasdf} cs3=GDIT Lockdown Win10 cs5=Approve writes from trusted processes flexString1=0 - Clean flexString2=0 - Clean cfp1=8.0 cfp2=8.0 cs1Label=rootHash cs2Label=installerFilename cs3Label=Policy cs5Label=ruleName cfp1Label=fileTrust cfp2Label=processTrust flexString1Label=fileThreat flexString2Label=processThreat ahost=1.2.3.4 agt=1.2.3.4 agentZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 1.2.3.4-5.6.7.8 amac=12-34-56-78-AB-CD av=7.10.0.8114.0 atz=America/New_York at=syslog dvchost=some_host dvc=1.2.3.4 deviceZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 1.2.3.4-5.6.7.8 dtz=America/New_York deviceProcessName=c:myfile.exe _cefVer=1.0 ad.prevalence=9741 aid=asjhdfksajdhfka123455 | str | ✓ |
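The parse shown above, as an added example that is not Devo's or Carbon Black's code: it splits the pipe-delimited header (honouring `\|` escapes), extracts extension key=value pairs whose values contain spaces (msg, cat, destinationZoneURI), unescapes `\=` and the `\'` seen in the sample, resolves the csN/cfpN/flexStringN fields through their *Label counterparts, and derives the destination table from the header. The column names follow the table on this page; the lowerCamelCase tag rule (Carbon Black becomes carbonBlack), the dot-to-underscore renaming of keys such as ad.prevalence and the epoch-millisecond reading of rt and start are assumptions drawn from the sample, not documented Devo behaviour. The input is the page's sample event, trimmed.

```python
"""Parse a Carbon Black Protection CEF event into the columns shown for
cef1.carbonBlack.protection (added example; tag rule, key renaming and
timestamp handling are assumptions drawn from the page's sample)."""
import re
from datetime import datetime, timezone

# Constructed input: the page's sample event, trimmed, keeping the escaped
# quotes in msg and the space-containing values that trip naive splitters.
SAMPLE = (
    "2021-06-16 13:17:28.136 localhost=127.0.0.1 14 CEF:1|Carbon Black|Protection|"
    "8.1.8.258|812|File approved (publisher)|Medium| eventId=83 externalId=8306996307 "
    "msg=File \\'/path/to/file.dll\\' [1234abcd5678efgh] was approved by Publisher "
    "\\'Microsoft Corporation\\'. start=1617648869000 cat=Policy Enforcement "
    "rt=1617648874000 dhost=some_host1234 dst=1.2.3.4 "
    "destinationZoneURI=/All Zones/ArcSight System/Private Address Space Zones/"
    "RFC1918: 1.2.3.4-5.6.7.8 duser=some_user fname=mip_protection_sdk.dll "
    "cs1=f4a183dbc844e0dbd74745b59c86c4606871c579affae17830c4ee914205712c "
    "cs3=GDIT Lockdown Win10 cs5=Approve writes from trusted processes "
    "flexString1=0 - Clean cfp1=8.0 cs1Label=rootHash cs3Label=Policy "
    "cs5Label=ruleName cfp1Label=fileTrust flexString1Label=fileThreat "
    "_cefVer=1.0 ad.prevalence=9741"
)

HEADER_FIELDS = ("cefVersion", "embDeviceVendor", "embDeviceProduct",
                 "deviceVersion", "signatureID", "name", "severity")
# An extension key starts the text or follows whitespace and is directly
# followed by '='; a literal '=' inside a value must be escaped as '\='.
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def split_header(cef):
    """Split the 7 pipe-delimited header fields; '\\|' is a literal pipe.
    Returns (fields, extension_text)."""
    fields, buf, i = [], [], 0
    while i < len(cef) and len(fields) < 7:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef):   # escaped char: keep it literally
            buf.append(cef[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if len(fields) < 7:
        raise ValueError("malformed CEF header: fewer than 7 fields")
    return fields, cef[i:]


def unescape(value):
    """Extension escapes: \\= \\\\ \\n \\r; any other escaped char just loses the backslash."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_extension(ext):
    """key=value pairs whose values run up to the next ' key=' (so spaces are allowed)."""
    keys = list(KEY_RE.finditer(ext))
    out = {}
    for m, nxt in zip(keys, keys[1:] + [None]):
        end = nxt.start() if nxt else len(ext)
        out[m.group(1)] = unescape(ext[m.end():end])
    return out


def resolve_labels(fields):
    """csN/cfpN/flexStringN... carry their meaning in a matching *Label field."""
    return {fields[k]: fields[k[:-5]] for k in fields
            if k.endswith("Label") and k[:-5] in fields}


def devo_tag(version, vendor, product):
    """cefX.vendor.product in lowerCamelCase (assumed rule matching the page's examples)."""
    def camel(s):
        words = re.sub(r"[^A-Za-z0-9 ]", " ", s).split()
        return words[0].lower() + "".join(w.capitalize() for w in words[1:])
    return "cef%s.%s.%s" % (version, camel(vendor), camel(product))


def epoch_ms(value):
    """CEF rt/start are epoch milliseconds (assumption: UTC)."""
    return datetime.fromtimestamp(int(value) / 1000, tz=timezone.utc)


def parse_event(line):
    """Return the Devo-style column dict for one syslog line carrying a CEF record."""
    pos = line.find("CEF:")
    if pos < 0:
        raise ValueError("no CEF record in line")
    raw = line[pos:]
    header, ext = split_header(raw)
    event = dict(zip(HEADER_FIELDS, header))
    event["cefVersion"] = event["cefVersion"].split(":", 1)[1]   # "CEF:1" -> "1"
    event["extension"] = ext.strip()
    event["rawMessage"] = raw
    event["tag"] = devo_tag(event["cefVersion"], event["embDeviceVendor"], event["embDeviceProduct"])
    # Assumed: dots in extension keys become underscores (ad.prevalence -> ad_prevalence).
    event.update({k.replace(".", "_"): v for k, v in parse_extension(event["extension"]).items()})
    event["labeled"] = resolve_labels(event)
    for k in ("start", "rt"):
        if k in event:
            event[k] = epoch_ms(event[k])
    return event
```

Running `parse_event(SAMPLE)` yields the tag cef1.carbonBlack.protection, an rt of 2021-04-05T18:54:34+00:00, and a labeled view in which rootHash, Policy, ruleName, fileTrust and fileThreat name the values that the table only exposes as cs1, cs3, cs5, cfp1 and flexString1. The value-extent rule (a value ends where the next ` key=` begins) is what keeps `destinationZoneURI`'s `RFC1918: 1.2.3.4-5.6.7.8` intact; a split on spaces would not.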