
endpoint.carbonblack

Introduction

The tags beginning with endpoint.carbonblack identify events generated by VMware Carbon Black.

Valid tags and data tables

The full tag must have 3 levels. The first two are fixed as endpoint.carbonblack. The third level identifies the type of events sent.

These are the valid tags and corresponding data tables that will receive the parsers' data:

| Product / Service | Tags | Data tables |
| --- | --- | --- |
| Carbon Black Protection | endpoint.carbonblack.protection | endpoint.carbonblack.protection |

For more information, read About Devo tags.

Table structure

These are the fields displayed in this table:

endpoint.carbonblack.protection

| Field | Type | Field transformation | Source field name | Extra fields |
| --- | --- | --- | --- | --- |
| eventdate | timestamp | | | |
| hostname | str | | | |
| leefVer | str | | | |
| vendor | str | | | |
| product | str | | | |
| version | str | | | |
| eventID | str | | | |
| cat | str | | | |
| sev | int4 | | | |
| devTime | timestamp | parsedate(devTime_tmp, dateformat("MMM DD YYYY HH:mm:ss.SSS [UTC]", "UTC", "en-US")) | devTime_tmp | |
| msg | str | | | |
| externalId | str | | | |
| src | ip4 | | | |
| srcHostName | str | | | |
| policy | str | | | |
| dstHostName | str | | | |
| receivedTime | timestamp | parsedate(receivedTime_tmp, dateformat("MMM DD YYYY HH:mm:ss.SSS [UTC]", "UTC", "en-US")) | receivedTime_tmp | |
| srcProcess | str | | | |
| usrName | str | | | |
| filePath | str | | | |
| fileName | str | | | |
| fileHash | str | | | |
| fileId | str | | | |
| rootHash | str | | | |
| installerFileName | str | | | |
| ruleName | str | | | |
| processKey | str | | | |
| fileTrust | str | | | |
| fileThreat | str | | | |
| processTrust | str | | | |
| processThreat | str | | | |
| prevalence | str | | | |
| hostchain | str | | | ✓ |
| tag | str | | | ✓ |
| rawMessage | str | | | ✓ |
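The following is an added example, not code from the Devo documentation or from VMware. It shows how a Carbon Black Protection event in LEEF format maps onto the columns of the endpoint.carbonblack.protection table above (LEEF header fields into leefVer/vendor/product/version/eventID, attributes into the str/int4/ip4 columns, and the devTime/receivedTime text converted exactly as the documented parsedate expression does), and it checks the three-level tag rule from the "Valid tags and data tables" section. The sample event is constructed; the LEEF layout (pipe-separated header, tab-separated key=value attributes), the hostname/hostchain arguments and every helper name are assumptions of this example.

```python
"""Added example, not part of the Devo documentation or VMware's code.

Maps one Carbon Black Protection LEEF event to the columns of the
endpoint.carbonblack.protection table and validates the Devo tag.
The LEEF layout and all helper names here are assumptions.
"""
from datetime import datetime, timezone

EVENT_TYPES = {"protection"}            # known third tag levels (data tables)
STR_FIELDS = (                          # attributes copied verbatim (type str)
    "cat", "msg", "externalId", "srcHostName", "policy", "dstHostName",
    "srcProcess", "usrName", "filePath", "fileName", "fileHash", "fileId",
    "rootHash", "installerFileName", "ruleName", "processKey", "fileTrust",
    "fileThreat", "processTrust", "processThreat", "prevalence",
)
# strptime form of the documented dateformat "MMM DD YYYY HH:mm:ss.SSS [UTC]"
CB_TIME_FORMAT = "%b %d %Y %H:%M:%S.%f UTC"


def validate_tag(tag: str) -> bool:
    """Tag must have exactly three levels; the first two are fixed."""
    parts = tag.split(".")
    return (len(parts) == 3 and parts[0] == "endpoint"
            and parts[1] == "carbonblack" and parts[2] in EVENT_TYPES)


def parse_cb_time(raw: str) -> datetime:
    """Same conversion as parsedate(x_tmp, dateformat(..., "UTC", "en-US"))."""
    return datetime.strptime(raw, CB_TIME_FORMAT).replace(tzinfo=timezone.utc)


def parse_leef_event(line: str, hostname: str, hostchain: str = "") -> dict:
    """Map one LEEF line to the table columns; hostname comes from syslog (assumed)."""
    if not line.startswith("LEEF:"):
        raise ValueError("not a LEEF event")
    # Header: LEEF:<ver>|<vendor>|<product>|<version>|<eventID>|<attributes>
    leef_ver, vendor, product, version, event_id, body = line.split("|", 5)
    attrs = {}
    for pair in body.split("\t"):        # attributes are tab-separated key=value
        key, sep, value = pair.partition("=")
        if sep:
            attrs[key] = value
    record = {
        "hostname": hostname,
        "leefVer": leef_ver[len("LEEF:"):],
        "vendor": vendor, "product": product, "version": version,
        "eventID": event_id,
        "sev": int(attrs["sev"]) if attrs.get("sev", "").isdigit() else None,  # int4
        "src": attrs.get("src"),                                               # ip4
    }
    for name in STR_FIELDS:
        record[name] = attrs.get(name)
    # Time columns: raw text is kept in the *_tmp source field, converted value in the column.
    for column in ("devTime", "receivedTime"):
        raw = attrs.get(column)
        record[column + "_tmp"] = raw
        record[column] = parse_cb_time(raw) if raw else None
    # Extra fields are added by the ingestion side, not sent by the product.
    record["hostchain"] = hostchain
    record["tag"] = "endpoint.carbonblack.protection"
    record["rawMessage"] = line
    if not validate_tag(record["tag"]):
        raise ValueError("invalid tag: " + record["tag"])
    return record


# Constructed sample event; every value is illustrative only.
SAMPLE_EVENT = (
    "LEEF:1.0|Carbon Black|Protection|8.1.4|1000|"
    "cat=Policy Enforcement\tsev=6\tdevTime=Mar 04 2024 13:45:10.123 UTC"
    "\treceivedTime=Mar 04 2024 13:45:11.500 UTC\tsrc=10.0.0.25"
    "\tsrcHostName=WS-0042\tusrName=CORP\\jdoe\tfileName=setup.exe"
    "\tfilePath=C:\\Users\\jdoe\\Downloads\tfileTrust=10\tfileThreat=100"
    "\tmsg=File blocked by policy"
)

if __name__ == "__main__":
    rec = parse_leef_event(SAMPLE_EVENT, hostname="cbserver01")
    for key in ("tag", "eventID", "sev", "devTime", "src", "fileName"):
        print(f"{key}: {rec[key]}")
```

Note that `split("|", 5)` stops after the five header separators, so a `|` inside an attribute value does not break the header parse, and attributes missing from an event simply yield empty columns rather than an error, which matches how a table with optional fields behaves.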