endpoint.carbonblack
Introduction
The tags beginning with endpoint.carbonblack
identify events generated by VMware Carbon Black.
Valid tags and data tables
The full tag must have 3 levels. The first two are fixed as endpoint.carbonblack. The third level identifies the type of events sent.
These are the valid tags and the corresponding data tables that will receive the parsers' data:
Product / Service | Tags | Data tables |
---|---|---|
Carbon Black Protection | endpoint.carbonblack.protection | endpoint.carbonblack.protection |
For more information, see About Devo tags.
Table structure
These are the fields displayed in this table:
endpoint.carbonblack.protection
Field | Type | Field transformation | Source field name | Extra fields |
---|---|---|---|---|
eventdate | | | | |
hostname | | | | |
leefVer | | | | |
vendor | | | | |
product | | | | |
version | | | | |
eventID | | | | |
cat | | | | |
sev | | | | |
devTime | | parsedate(devTime_tmp, dateformat("MMM DD YYYY HH:mm:ss.SSS [UTC]", "UTC", "en-US")) | devTime_tmp | |
msg | | | | |
externalId | | | | |
src | | | | |
srcHostName | | | | |
policy | | | | |
dstHostName | | | | |
receivedTime | | parsedate(receivedTime_tmp, dateformat("MMM DD YYYY HH:mm:ss.SSS [UTC]", "UTC", "en-US")) | receivedTime_tmp | |
srcProcess | | | | |
usrName | | | | |
filePath | | | | |
fileName | | | | |
fileHash | | | | |
fileId | | | | |
rootHash | | | | |
installerFileName | | | | |
ruleName | | | | |
processKey | | | | |
fileTrust | | | | |
fileThreat | | | | |
processTrust | | | | |
processThreat | | | | |
prevalence | | | | |
hostchain | | | | ✓ |
tag | | | | ✓ |
rawMessage | | | | ✓ |