edr.carbonblack
Introduction
The tags beginning with edr.carbonblack identify events generated by VMware Carbon Black.
Tag structure
The full tag must have 3 levels. The first two are fixed as edr.carbonblack. The third level identifies the type of events sent.
Technology | Brand | Type |
---|---|---|
edr | carbonblack | alert, binary, feed, ingress, watchlist |
Therefore, the valid tags and tables include:
- edr.carbonblack.alert
- edr.carbonblack.binary
- edr.carbonblack.feed
- edr.carbonblack.ingress
- edr.carbonblack.watchlist
How is the data sent to Devo?
You can forward the logs generated by VMware Carbon Black using any syslog drain (for example, syslog-ng) or through the Devo In-House Relay.
Log samples
The following are sample logs sent to each of the edr.carbonblack tags. Under each sample log you will also find how the information is parsed into your data table.
Extra columns
Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.
edr.carbonblack.alert
2016-10-07 13:30:20.930 localhost=192.168.1.1 edr.carbonblack.alert: {"alert_severity":3.375,"alert_type":"watchlist.hit.ingress.process","cb_server":"cbserver","childproc_count":0,"comms_ip":"192.168.191.1","computer_name":"laptop-dkojg99e","created_time":"2019-07-31T17:20:49.407402Z","crossproc_count":3,"feed_id":14,"feed_name":"attackframework","feed_rating":3.0,"filemod_count":2,"group":"default group","hostname":"laptop-dkojg99e","interface_ip":"192.168.0.2","ioc_confidence":0.5,"ioc_query_index":"events","ioc_query_string":"(modload:crypt32.dll -process_name:mscorsvw.exe -process_name:logonui.exe -process_name:taskhost.exe -process_name:mobsync.exe -process_name:googleupdate.exe -process_name:upd.exe -process_name:audiodg.exe -process_name:wmiprvse.exe -process_name:chrome.exe -process_name:svchost.exe -process_name:backgroundtaskhost.exe -process_name:searchprotocolhost.exe)","ioc_type":"query","ioc_value":"{index_type: events}","link_md5":"https://192.168.191.131/#/binary/CC07C007FA4B9D3B4C69D98DD7CE1C58","link_process":"https://192.168.191.131/#analyze/00000002-0000-3d90-01d5-47c771de9d1c/1","link_sensor":"https://192.168.191.131/#/host/2","md5":"CC07C007FA4B9D3B4C69D98DD7CE1C58","modload_count":66,"netconn_count":0,"os_type":"windows","process_guid":"00000002-0000-3d90-01d5-47c771de9d1c","process_id":"00000002-0000-3d90-01d5-47c771de9d1c","process_name":"taskhostw.exe","process_path":"c:","process_unique_id":"00000002-0000-3d90-01d5-47c771de9d1c-016c490c76fc","regmod_count":1,"report_link":"https://attack.mitre.org/wiki/Technique/T1002","report_score":5,"report_title":"Data Compressed #4","segment_id":"1","sensor_criticality":3.0,"sensor_id":2,"sha256":"d5907d58a3e8a9f5610941d1e281f8dac6437de648ffca08974490fdf7f74acd","status":"Unresolved","timestamp":1564593649.330,"type":"alert.watchlist.hit.ingress.process","unique_id":"bc0309eb-302a-4567-bf36-9080811da106","username":"SYSTEM","watchlist_id":"565652","watchlist_name":"565652"}
And this is how the logs would be parsed:
Field | Value | Type | Source field name | Extra fields |
---|---|---|---|---|
eventdate | | | | |
alert_severity | | | | |
alert_type | | | | |
cb_server | | | | |
childproc_count | | | | |
comms_ip | | | | |
computer_name | | | | |
created_time | | | | |
crossproc_count | | | | |
feed_id | | | | |
feed_name | | | | |
feed_rating | | | | |
filemod_count | | | | |
group2 | | | group | |
hostname | | | | |
interface_ip | | | | |
ioc_confidence | | | | |
ioc_query_index | | | | |
ioc_query_string | | | | |
ioc_type | | | | |
ioc_value | | | | |
link_md5 | | | | |
link_process | | | | |
link_sensor | | | | |
md5 | | | | |
modload_count | | | | |
netconn_count | | | | |
os_type | | | | |
process_guid | | | | |
process_id | | | | |
process_name | | | | |
process_path | | | | |
process_unique_id | | | | |
regmod_count | | | | |
report_link | | | | |
report_score | | | | |
report_title | | | | |
segment_id | | | | |
sensor_criticality | | | | |
sensor_id | | | | |
sha256 | | | | |
status | | | | |
timestamp | | | | |
type | | | | |
unique_id | | | | |
username | | | | |
watchlist_id | | | | |
watchlist_name | | | | |
report_ignored | | | | |
version | | | _version_ | |
description | | | | |
link | | | | |
total_hosts | | | | |
message | | | | |
hostchain | | | | ✓ |
tag | | | | ✓ |
raw | | | | ✓ |
rawMessage | {"alert_severity":3.375,"alert_type":"watchlist.hit.ingress.process","cb_server":"cbserver","childproc_count":0,"comms_ip":"192.168.191.1","computer_name":"laptop-dkojg99e","created_time":"2019-07-31T17:20:49.407402Z","crossproc_count":3,"feed_id":14,"feed_name":"attackframework","feed_rating":3.0,"filemod_count":2,"group":"default group","hostname":"laptop-dkojg99e","interface_ip":"192.168.0.2","ioc_confidence":0.5,"ioc_query_index":"events","ioc_query_string":"(modload:crypt32.dll -process_name:mscorsvw.exe -process_name:logonui.exe -process_name:taskhost.exe -process_name:mobsync.exe -process_name:googleupdate.exe -process_name:upd.exe -process_name:audiodg.exe -process_name:wmiprvse.exe -process_name:chrome.exe -process_name:svchost.exe -process_name:backgroundtaskhost.exe -process_name:searchprotocolhost.exe)","ioc_type":"query","ioc_value":"{index_type: events}","link_md5":"https://192.168.191.131/#/binary/CC07C007FA4B9D3B4C69D98DD7CE1C58","link_process":"https://192.168.191.131/#analyze/00000002-0000-3d90-01d5-47c771de9d1c/1","link_sensor":"https://192.168.191.131/#/host/2","md5":"CC07C007FA4B9D3B4C69D98DD7CE1C58","modload_count":66,"netconn_count":0,"os_type":"windows","process_guid":"00000002-0000-3d90-01d5-47c771de9d1c","process_id":"00000002-0000-3d90-01d5-47c771de9d1c","process_name":"taskhostw.exe","process_path":"c:","process_unique_id":"00000002-0000-3d90-01d5-47c771de9d1c-016c490c76fc","regmod_count":1,"report_link":"https://attack.mitre.org/wiki/Technique/T1002","report_score":5,"report_title":"Data Compressed #4","segment_id":"1","sensor_criticality":3.0,"sensor_id":2,"sha256":"d5907d58a3e8a9f5610941d1e281f8dac6437de648ffca08974490fdf7f74acd","status":"Unresolved","timestamp":1564593649.330,"type":"alert.watchlist.hit.ingress.process","unique_id":"bc0309eb-302a-4567-bf36-9080811da106","username":"SYSTEM","watchlist_id":"565652","watchlist_name":"565652"} | str | | ✓ |
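As an added example (not Devo's or Carbon Black's own code), the Python below parses forwarded lines in the layout shown above into the column set of these tables: it checks the three-level tag, flattens nested objects into prefixed columns (scores_alliance_score_virustotal, docs_*) and applies the two renames the tables document (group to group2, _version_ to version). Assumptions: the sample lines are constructed, a list of objects is flattened element by element under the same prefix, and nested fields the page keeps as a single column (watchlists, ioc_attrs) are not special-cased.

```python
import json
import re
from typing import Any, Dict

# Third tag level values listed on the page.
VALID_TYPES = {"alert", "binary", "feed", "ingress", "watchlist"}

# Top-level renames shown in the "Source field name" column above.
RENAMES = {"group": "group2", "_version_": "version"}

# Forwarded line layout: "<date time> localhost=<ip> edr.carbonblack.<type>: {json}"
LINE_RE = re.compile(
    r"^(?P<eventdate>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"localhost=(?P<relay>\S+) (?P<tag>[a-z.]+): (?P<body>\{.*\})$"
)

# Constructed sample lines modelled on the alert and binary events above
# (placeholder values, not the page's own log lines).
SAMPLE_ALERT = (
    "2016-10-07 13:30:20.930 localhost=192.168.1.1 edr.carbonblack.alert: "
    '{"alert_severity":3.375,"alert_type":"watchlist.hit.ingress.process",'
    '"group":"default group","hostname":"laptop-example","process_name":"taskhostw.exe",'
    '"report_title":"Data Compressed #4","status":"Unresolved","_version_":1}'
)
SAMPLE_BINARY = (
    "2016-10-07 13:30:20.930 localhost=192.168.1.1 edr.carbonblack.binary: "
    '{"cb_server":"cbserver","md5":"00000000000000000000000000000000",'
    '"scores":{"alliance_score_virustotal":72557},"watchlists":{}}'
)


def flatten(obj: Any, prefix: str, out: Dict[str, Any]) -> None:
    """Turn nested objects into '<parent>_<child>' columns (docs_*, scores_*).
    Assumption: a list of objects is flattened element by element under the
    same prefix; an empty object or a list of scalars is stored as one value."""
    if isinstance(obj, dict) and obj:
        for key, value in obj.items():
            flatten(value, f"{prefix}{key}_", out)
    elif isinstance(obj, list) and obj and all(isinstance(i, dict) for i in obj):
        for item in obj:
            flatten(item, prefix, out)
    else:
        out[prefix[:-1]] = obj


def parse_line(line: str) -> Dict[str, Any]:
    """Validate the tag and return the parsed columns for one forwarded line."""
    match = LINE_RE.match(line)
    if not match:
        raise ValueError("line does not match the forwarded syslog layout")
    tag = match.group("tag")
    levels = tag.split(".")
    if levels[:2] != ["edr", "carbonblack"] or len(levels) != 3 or levels[2] not in VALID_TYPES:
        raise ValueError(f"invalid tag: {tag}")
    columns: Dict[str, Any] = {"eventdate": match.group("eventdate"), "tag": tag}
    flatten(json.loads(match.group("body")), "", columns)
    for source, target in RENAMES.items():  # e.g. group -> group2
        if source in columns:
            columns[target] = columns.pop(source)
    columns["rawMessage"] = match.group("body")
    return columns


if __name__ == "__main__":
    for sample in (SAMPLE_ALERT, SAMPLE_BINARY):
        for name, value in parse_line(sample).items():
            print(f"{name} | {value}")
```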
edr.carbonblack.binary
2016-10-07 13:30:20.930 localhost=192.168.1.1 edr.carbonblack.binary: {"cb_server": "d6715ecd51", "compressed_size": 80587, "file_path": "02526d248a4d54e1c0d1bef878d442a2d62a8678ec6b37b1acd12c1002526d248a4d54e", "link_md5": "016010f7f7088970cd193454ac856e919061497f16ef59d5ae870d4e016010f7f70", "md5": "6baf467309308b1b9055180d034d3d2c16", "node_id": 83544, "size": 83544, "timestamp": 1564593805.021, "type": "907e77352001196818ffed3d", "event_timestamp": 1397248033.914, "scores": {"alliance_score_virustotal": 72557}, "hostname": "2280f79", "sensor_id": 64283, "watchlists": {"watchlist_7": "2014-02-13T00:30:11.247Z", "watchlist_9": "2014-02-13T00:21:13.009Z"}}
And this is how the logs would be parsed:
Field | Value | Type | Extra fields |
---|---|---|---|
eventdate | | | |
cb_server | | | |
md5 | | | |
node_id | | | |
file_path | | | |
size | | | |
compressed_size | | | |
link_md5 | | | |
event_timestamp | | | |
type | | | |
timestamp | | | |
scores_alliance_score_virustotal | | | |
hostname | | | |
sensor_id | | | |
watchlists | | | |
message | | | |
hostchain | | | ✓ |
tag | | | ✓ |
raw | | | ✓ |
rawMessage | | | |
edr.carbonblack.feed
2016-10-07 13:30:20.930 localhost=192.168.1.1 edr.carbonblack.feed: {"cb_server": "d6715ecd51", "cb_version": "990aae47e31162f848b", "comms_ip": "193.172.50.23", "computer_name": "6b2c4", "docs": [{"alliance_data_attackframework": "43120bf4", "alliance_link_attackframework": "dc19d45d3ec8f8349c5e7f0b6944478b4d7616973b59845", "alliance_score_attackframework": 88119, "alliance_updated_attackframework": "2019-03-15T15:39:53.000Z", "childproc_count": 52372, "cmdline": "ceb113d63f6883166e7f49df0281dc06c2756", "crossproc_count": 52372, "filemod_count": 52372, "host_type": "68a88a672e39e", "last_update": "2014-09-09T18:57:34.267Z", "link_parent": "8d5efd38c7390dc1b29e471be", "link_process": "8d5efd38c7390dc1b29e471be", "link_process_md5": "8d5efd38c7390dc1b29e471be", "modload_count": 21733, "netconn_count": 456, "os_type": "d44c1bfbf", "parent_guid": "c47dd17", "parent_name": "200464adb48058", "parent_pid": 53058, "parent_segment_id": "109", "parent_unique_id": "41284856f03115f04332d9ceb2dc6ffb7682f4995ddabac", "path": "f1866e88e700ddc1c5dfe19a9f80acb4659c", "process_guid": "8ed5", "process_md5": "084ca50629ba181d65fefd3dc627853b0e", "process_name": "b04a297ff40d3", "process_pid": 42343, "process_sha256": "9828845f21c2f09fa277c922c5af57769998ede25aa84892c538a6889828845f21", "regmod_count": 52372, "segment_id": "7846d465ea2a809", "start": "2014-09-09T18:57:34.251Z", "unique_id": "bc637d02641e4eb84ca6b12bc5cc64213a0af2d89a7b5fb", "username": "28fa8e5e7d5517a98b64c9b", "watchlist_659": "5136e26ad738763349d6ab1eb64b8", "parent_md5": "96503c92676ce1a5ef0c3b309c788631", "group": ["0a4b759852e84d6"], "file_version": "223.76.178.28", "product_name": "bff1c3861b87aa39dd0c7e", "is_executable_image": false, "digsig_result": "ee035799e1", "observed_filename": ["49f8f5af4977906fb206f7b32a12daf4dcb370a7f37b581b1ae53f6"], "orig_mod_len": 55888, "company_name": "92a2ffbe3f5bcb1deda7550ad1a5d3", "server_added_timestamp": "2014-09-09T21:00:29.875Z", "internal_name": "5083240", "copied_mod_len": 55888, "product_version": "c4c1d3803d7748b36", "digsig_sign_time": "2010-11-21T00:37:00.000Z", "alliance_score_srstrust": 123, "digsig_result_code": "feb5f41d7a58", "file_desc": "c1092282838ca155bb13d4ee", "endpoint": ["2337d717d1db6e09188"], "legal_copyright": "5115cd1b091e623833d9ebf8a7d971b1db05184a6a75c6218a9052865", "original_filename": "dd3c809c", "is_64bit": false, "md5": "fa30e769889b2b3a80de3b85dffd5386c2", "digsig_publisher": "17bdf0131f101db5683ad81", "hostname": "1e9df001ce69d14ae", "host_count": 24376, "signed": "ee035799e1", "timestamp": "2014-09-09T21:00:29.875Z", "last_seen": "2014-09-09T21:00:29.875Z"}], "feed_id": 79636, "feed_name": "fa7f62422c", "from_feed_search": false, "group": "a9dc77b1f077cf7", "hostname": "1b1290cbe898", "interface_ip": "235.139.28.149", "ioc_attr": {}, "ioc_query_index": "4c2bda17", "ioc_query_string": "34253c5", "ioc_type": "4304f", "ioc_value": "1ba6a105f8e78e1e8389d0ace2c531961e8609d23c78c7329fceff2e1ba6a105f8e78e1e8389d", "link_process": "8d5efd38c7390dc1b29e471be", "link_sensor": "8d5efd38c7390dc1b29e471be", "process_guid": "8ed5", "process_id": "c5dd35dd035adaddef416aa890687b52868e0b", "report_id": "e65d7fee42e817ceee24f3", "report_link": "c267278cd3fa99", "report_score": 88119, "report_title": "0c0fa930c18ec6d85", "segment_id": 24376, "sensor_id": 24376, "server_name": "88d8519671e", "timestamp": 1564594850.07, "type": "f6a703c4ed886f9585cf215e59", "event_timestamp": 1410296635.26, "md5": "d8bc26387899436e4e47d3b904290d48f5", "ioc_attrs": {"highlights": ["e8c9793e1fcc4c8e87be573c767ed9a61f", "fe45f3507e2b419d4f03657a4c96fda982e73dac8d6f16f34bd0575bf"]}}
And this is how the logs would be parsed:
Field | Value | Type | Source field name | Extra fields |
---|---|---|---|---|
eventdate | | | | |
cb_server | | | | |
cb_version | | | | |
comms_ip | | | | |
computer_name | | | | |
docs_alliance_data_attackframework | | | | |
docs_alliance_link_attackframework | | | | |
docs_alliance_score_attackframework | | | | |
docs_alliance_updated_attackframework | | | | |
docs_childproc_count | | | | |
docs_cmdline | | | | |
docs_crossproc_count | | | | |
docs_filemod_count | | | | |
docs_host_type | | | | |
docs_last_update | | | | |
docs_link_parent | | | | |
docs_link_process | | | | |
docs_link_process_md5 | | | | |
docs_modload_count | | | | |
docs_netconn_count | | | | |
docs_os_type | | | | |
docs_parent_guid | | | | |
docs_parent_name | | | | |
docs_parent_pid | | | | |
docs_parent_segment_id | | | | |
docs_parent_unique_id | | | | |
docs_path | | | | |
docs_process_guid | | | | |
docs_process_md5 | | | | |
docs_process_name | | | | |
docs_process_pid | | | | |
docs_process_sha256 | | | | |
docs_regmod_count | | | | |
docs_segment_id | | | | |
docs_start | | | | |
docs_unique_id | | | | |
docs_username | | | | |
docs_watchlist_659 | | | | |
docs_parent_md5 | | | | |
docs_group | | | | |
docs_file_version | | | | |
docs_product_name | | | | |
docs_is_executable_image | | | | |
docs_digsig_result | | | | |
docs_observed_filename | | | | |
docs_orig_mod_len | | | | |
docs_company_name | | | | |
docs_server_added_timestamp | | | | |
docs_internal_name | | | | |
docs_copied_mod_len | | | | |
docs_product_version | | | | |
docs_digsig_sign_time | | | | |
docs_alliance_score_srstrust | | | | |
docs_digsig_result_code | | | | |
docs_file_desc | | | | |
docs_endpoint | | | | |
docs_legal_copyright | | | | |
docs_original_filename | | | | |
docs_is_64bit | | | | |
docs_md5 | | | | |
docs_digsig_publisher | | | | |
docs_hostname | | | | |
docs_host_count | | | | |
docs_signed | | | | |
docs_timestamp | | | | |
docs_last_seen | | | | |
feed_id | | | | |
feed_name | | | | |
from_feed_search | | | | |
group2 | | | group | |
hostname | | | | |
interface_ip | | | | |
ioc_attr | | | | |
ioc_query_index | | | | |
ioc_query_string | | | | |
ioc_type | | | | |
ioc_value | | | | |
link_process | | | | |
link_sensor | | | | |
process_guid | | | | |
process_id | | | | |
report_id | | | | |
report_link | | | | |
report_score | | | | |
report_title | | | | |
segment_id | | | | |
sensor_id | | | | |
server_name | | | | |
timestamp | | | | |
type | | | | |
event_timestamp | | | | |
md5 | | | | |
ioc_attrs | | | | |
message | | | | |
hostchain | | | | ✓ |
tag | | | | ✓ |
raw | | | | ✓ |
edr.carbonblack.ingress
2016-10-07 13:30:20.930 localhost=192.168.1.1 edr.carbonblack.ingress: {"action":"delete","actiontype":4,"cb_server":"cbserver","computer_name":"LAPTOP-DKOJG99E","event_type":"filemod","filetype":0,"filetype_name":"Unknown","link_process":"https://192.168.191.131/analyze/00000002-0000-3d50-01d5-47a7e06b40d2/0","link_sensor":"https://192.168.191.131/host/2","md5":"3B346AB31AC51B6A1643CBD5E697C747","path":"c","pid":15696,"process_guid":"00000002-0000-3d50-01d5-47a7e06b40d2","process_path":"c","sensor_id":2,"sha256":"33DAB30AAD320BE105F10DF7DD9FF62E6AD72671B64EA0C9FD8B4FA9091C348C","tamper":false,"tamper_sent":false,"timestamp":1564596522,"type":"ingress.event.filemod","parent_pid":15696}
2016-10-07 13:30:20.930 localhost=192.168.1.1 edr.carbonblack.ingress: {"action": "writeval","actiontype": 2,"cb_server": "cbserver","computer_name": "JASON-WIN81-VM","event_type": "regmod","link_process": "https://cbtests/#analyze/00000001-0000-0484-01d1-1e951b7c000b/1","link_sensor": "https://cbtests/#/host/1","md5": "0E7196981EDE614F1F54FFF2C3843ADF","path": "stillalive","pid": 1156,"process_guid": "00000001-0000-0484-01d1-1e951b7c000b","sensor_id": 1,"timestamp": 1447696798,"type": "ingress.event.regmod"}
2016-10-07 13:30:20.930 localhost=192.168.1.1 edr.carbonblack.ingress: {"action": "create","actiontype": 1,"cb_server": "cbserver","computer_name": "JASON-WIN81-VM","event_type": "filemod","filetype": 0,"filetype_name": "Unknown","link_process": "https://cbtests/#analyze/00000001-0000-0c70-01d1-1e951aae7e2f/1","link_sensor": "https://cbtests/#/host/1","md5": "7A2870C2A8283B3630BF7670D0362B94","path": "b5e2.tmp","pid": 3184,"process_guid": "00000001-0000-0c70-01d1-1e951aae7e2f","sensor_id": 1,"timestamp": 1447696804,"type": "ingress.event.filemod"}
And this is how the logs would be parsed:
Field | Value | Type | Extra fields |
---|---|---|---|
eventdate | | | |
action | | | |
actiontype | | | |
cb_server | | | |
computer_name | | | |
event_type | | | |
filetype | | | |
filetype_name | | | |
link_process | | | |
link_sensor | | | |
md5 | | | |
path | | | |
pid | | | |
process_guid | | | |
process_path | | | |
sensor_id | | | |
sha256 | | | |
tamper | | | |
tamper_sent | | | |
timestamp | | | |
type | | | |
direction | | | |
domain | | | |
ipv4 | | | |
port | | | |
local_ip | | | |
local_port | | | |
protocol | | | |
remote_ip | | | |
remote_port | | | |
child_process_guid | | | |
created | | | |
link_child | | | |
command_line | | | |
expect_followon_w_md5 | | | |
link_parent | | | |
parent_create_time | | | |
parent_md5 | | | |
parent_path | | | |
parent_process_guid | | | |
username | | | |
cross_process_type | | | |
is_target | | | |
link_target | | | |
requested_access | | | |
target_create_time | | | |
target_md5 | | | |
target_path | | | |
target_pid | | | |
target_process_guid | | | |
blocked | | | |
emet_timestamp | | | |
log_id | | | |
log_message | | | |
mitigation | | | |
blocked_event | | | |
blocked_reason | | | |
blocked_result | | | |
uid | | | |
tamper_type | | | |
parent_pid | | | |
message | | | |
hostchain | | | ✓ |
tag | | | ✓ |
raw | | | ✓ |
rawMessage | | | ✓ |
edr.carbonblack.watchlist
2016-10-07 13:30:20.930 localhost=192.168.1.1 edr.carbonblack.watchlist: {"cb_server": "d6715ecd51", "cb_version": "ad13bd5aecbc41d30", "docs": [{"cb_version": 90705, "comments": "e3440dff8ae8cf7", "company_name": "17bdf0131f101db5683ad81", "copied_mod_len": 26102, "digsig_result": "7275bbbc", "digsig_result_code": "6f7", "endpoint": ["e8e7a411ef180"], "event_partition_id": [1661220057], "facet_id": 42276, "file_desc": "4b6d8ee0bfeb379b", "file_version": "2a6a7fda09bbd6c2435f4bbf36825a6fbeb92cbc7c", "group": ["0a4b759852e84d6"], "host_count": 24376, "internal_name": "039ad0332017", "is_64bit": true, "is_executable_image": false, "last_seen": "2019-07-31T17:26:52.465Z", "legal_copyright": "4b53f173362315a9eaf0bdec373b84eb9b291421e0c92", "link_md5": "3f33acd74af24c70faf030bf40e667ba151042be5996274fa13b2f643f33acd74", "md5": "e78a432e60b5687b0b789c5016385aa6e1", "observed_filename": ["24e900b963ce7d5090b903b2102573fcd72f3"], "orig_mod_len": 26102, "original_filename": "303bce761820dd", "os_type": "44a48cd13", "private_build": "d89ae68062", "product_name": "5391496cdf88f98c830e4f601b7abb6ef4a0", "product_version": "5c20837a532a0793", "server_added_timestamp": "2014-08-09T11:19:04.009Z", "sha256": "887d7d0eedb051e315ed767437a87fa364cb89bb7af4efcffd7b13d0887d7d0eed", "signed": "7275bbbc", "timestamp": "2014-08-09T11:19:04.009Z", "process_md5": "c42c57209b7b57ad4f5b2d0ea81c2f7e74", "sensor_id": 24376, "modload_count": 34640, "parent_unique_id": "08438fcb29eebd4a0268a5d690211d9575b958437af0bfb", "cmdline": "2f579333d6af950e8c40645ef103feec407bc3", "filemod_count": 52372, "id": "829ce298d1afe50f74f3bb65e6abff07a3ce49", "parent_name": "200464adb48058", "parent_md5": "a0e099270ceb2b47271a3a7020c2d40492", "hostname": "2c2a5498095", "last_update": "2014-08-08T15:15:47.544Z", "start": "2014-08-08T15:15:42.193Z", "regmod_count": 71334, "process_pid": 12971, "username": "ea22c7e9e6458ab1e6", "process_name": "f9f145c3bc4", "path": "2f579333d6af950e8c40645ef103feec407bc3", "netconn_count": 24376, "parent_pid": 74806, "segment_id": 24376, "host_type": "68a88a672e39e", "childproc_count": 52372, "unique_id": "0005b8ade9ec26f64aa2743c0d6efcb60b4704543947b37", "digsig_sign_time": "2010-11-21T00:37:00Z", "digsig_publisher": "17bdf0131f101db5683ad81"}], "highlights_by_doc": {}, "server_name": "3975ee7013cf489787bbe56", "timestamp": 1564594807.517112, "type": "919b082ad54e66c904d1f2", "watchlist_id": 28972, "watchlist_name": "fc69fcc2394", "event_timestamp": 1407583203.5}
And this is how the logs would be parsed:
Field | Value | Type | Extra fields |
---|---|---|---|
eventdate | | | |
cb_server | | | |
cb_version | | | |
docs_cb_version | | | |
docs_comments | | | |
docs_company_name | | | |
docs_copied_mod_len | | | |
docs_digsig_result | | | |
docs_digsig_result_code | | | |
docs_endpoint | | | |
docs_event_partition_id | | | |
docs_facet_id | | | |
docs_file_desc | | | |
docs_file_version | | | |
docs_group | | | |
docs_host_count | | | |
docs_internal_name | | | |
docs_is_64bit | | | |
docs_is_executable_image | | | |
docs_last_seen | | | |
docs_legal_copyright | | | |
docs_link_md5 | | | |
docs_md5 | | | |
docs_observed_filename | | | |
docs_orig_mod_len | | | |
docs_original_filename | | | |
docs_os_type | | | |
docs_private_build | | | |
docs_product_name | | | |
docs_product_version | | | |
docs_server_added_timestamp | | | |
docs_sha256 | | | |
docs_signed | | | |
docs_timestamp | | | |
docs_process_md5 | | | |
docs_sensor_id | | | |
docs_modload_count | | | |
docs_parent_unique_id | | | |
docs_cmdline | | | |
docs_filemod_count | | | |
docs_id | | | |
docs_parent_name | | | |
docs_parent_md5 | | | |
docs_hostname | | | |
docs_last_update | | | |
docs_start | | | |
docs_regmod_count | | | |
docs_process_pid | | | |
docs_username | | | |
docs_process_name | | | |
docs_path | | | |
docs_netconn_count | | | |
docs_parent_pid | | | |
docs_segment_id | | | |
docs_host_type | | | |
docs_childproc_count | | | |
docs_unique_id | | | |
docs_digsig_sign_time | | | |
docs_digsig_publisher | | | |
highlights_by_doc | | | |
server_name | | | |
timestamp | | | |
type | | | |
watchlist_id | | | |
watchlist_name | | | |
event_timestamp | | | |
message | | | |
hostchain | | | |
tag | | | |
raw | | | |
rawMessage | | | |