Use these tables to map data between App Control and LEEF.
The tables below provide the following LEEF-App Control mapping information:
- Mapping of App Control Event Data to LEEF Header Fields shows the mapping of App Control event data to LEEF Header fields
- Mapping of App Control Event Fields to LEEF Attributes shows the mapping of App Control events to LEEF Attributes
Mapping of App Control Event Data to LEEF Header Fields:

LEEF Prefix Field | App Control Value | Description |
---|---|---|
Hostname | Hostname | Hostname of the App Control Server providing the Syslog output |
LEEF Version | 1.0 | LEEF format version. By default this is 1.0. |
Vendor | Carbon Black | The company name of the Syslog output provider. |
Product* | Protection | The name of the product generating Syslog output. |
Version | 8.5.0.xxx | The version of the product generating Syslog output, including the build number (represented here by "xxx"). The current App Control version is 8.5.0. |
EventID | Event subtype name | Unique name identifying the event subtype as classified by Carbon Black App Control. |
Attributes | (varies) | See Mapping of App Control Event Fields to LEEF Attributes. |
Mapping of App Control Event Fields to LEEF Attributes:

LEEF Attribute (name in RAW view) | LEEF Property (visible name in Console) | Regular Expression (to extract) | App Control Event Field | Description |
---|---|---|---|---|
cat | Category | | Event Type | App Control event category name |
sev | Severity | | Severity | Severity of the App Control event. Mapped from the App Control range 7-0 (0 is most important) into the LEEF range 1-10 (10 is most important) |
devTime | Device Time | | Event Timestamp | Timestamp (UTC) when the App Control event was generated; converted to local time when displayed as "Log Source Time" in the QRadar events view |
receivedTime ¹ | Received Time | receivedTime=([^\t]+)[\t]* | Received Time | Timestamp (UTC) when the event was received by the App Control Server |
msg ¹ | Message | msg=([^\t]+)[\t]* | Event Description | Full message describing the event |
externalID ¹ | External ID | externalId=([^\t]+)[\t]* | Event Id | Unique identifier of the event instance |
src ² | Source Address | | Ip Address | IP (IPv4) address of the computer generating the event |
srcHostName ¹ ² | Source Hostname | srcHostName=([^\t]+)[\t]* | Hostname | Hostname of the computer generating the event |
srcProcess ¹ ² | Source Process | srcProcess=([^\t]+)[\t]* | Process | Name of the process generating the event |
usrName ² | Username | | Username | Username of the user generating the event |
filePath ¹ ² | File Path | filePath=([^\t]+)[\t]* | File Path | Full path of the file generating the event |
fileName ¹ ² | Filename | fileName=([^\t]+)[\t]* | File Name | Filename of the file generating the event |
fileHash ¹ ² | File Hash | fileHash=([^\t]+)[\t]* | File Hash | SHA256 hash of the file generating the event |
fileId ¹ ² | File ID | fileId=([^\t]+)[\t]* | Antibody Id | Unique identifier of the file generating the event |
rootHash ¹ ² | Root Hash | rootHash=([^\t]+)[\t]* | Root Hash | Root hash of the file generating the event |
installerFileName ¹ ² | Installer Filename | installerFileName=([^\t]+)[\t]* | Installer Filename | Installer filename of the file generating the event |
banName ¹ ² | Ban Name | banName=([^\t]+)[\t]* | Ban Name | For block events, name of the ban that blocked the file. Change Notes: This was "ruleName" prior to 7.0.1 Patch 3. |
ruleName ¹ ² | Rule Name | ruleName=([^\t]+)[\t]* | Rule Name | Name of the rule associated with the event (if any) |
updaterName ¹ ² | Updater Name | updaterName=([^\t]+)[\t]* | Updater Name | Name of the Updater associated with the event (if any) |
indicatorName | indicatorName | indicatorName=([^\t]+)[\t]* | Indicator Name | Name of the threat indicator associated with the event (if any) |
policy ¹ ² | Policy | policy=([^\t]+)[\t]* | Policy | App Control Policy of the computer generating the event |
dstHostName ¹ | Destination Hostname | dstHostName=([^\t]+)[\t]* | Hostname | App Control Server computer receiving the event |
processKey | Process Key | processKey=([^\t]+)[\t]* | Process Key | Unique proprietary key identifying the instance of the process on a specific computer |
fileTrust | File Trust | fileTrust=([^\t]+)[\t]* | File Trust | File trust from Carbon Black File Reputation for the file associated with the event (conditional). Pending means the file lookup has not yet been performed but will be. Values: -2 = pending, -1 = unknown, 0-10 = trust value |
fileThreat | File Threat | fileThreat=([^\t]+)[\t]* | File Threat | File threat from Carbon Black File Reputation for the file associated with the event (conditional). Pending means the file lookup has not yet been performed but will be. Values: -2 = pending, -1 = unknown, 0 = no threat, 1 = potential risk, 2 = malicious |
processTrust | Process Trust | processTrust=([^\t]+)[\t]* | Process Trust | Parent process trust from Carbon Black File Reputation for the file associated with the event (conditional). Pending means the file lookup has not yet been performed but will be. Values: -2 = pending, -1 = unknown, 0-10 = trust value |
processThreat | Process Threat | processThreat=([^\t]+)[\t]* | Process Threat | Parent process threat from Carbon Black File Reputation for the file associated with the event (conditional). Pending means the file lookup has not yet been performed but will be. Values: -2 = pending, -1 = unknown, 0 = no threat, 1 = potential risk, 2 = malicious |
unifiedSource | Unified Source | unifiedSource=([^\t]+)[\t]* | Unified Server Source | Hostname of the Unified Server (if implemented) that is the source of the event |

¹ These are custom LEEF attributes for App Control event fields with no predefined attribute name in LEEF. You must use the regular expression next to each of these items to extract it as a custom attribute. See Manual Setup of App Control Custom Properties for instructions.

² These LEEF extensions are context-dependent and not available on all events.
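As an added illustration (not part of the Carbon Black documentation or product), this Python snippet parses a constructed LEEF 1.0 line laid out as the header table describes and applies the attribute table's regular expressions to recover the custom (footnote 1) attributes. The event subtype name, hash and every attribute value in the sample are placeholders, not real App Control output.

```python
import re

# Regular expressions from the mapping table for the custom (footnote 1)
# attributes; LEEF 1.0 attributes are tab-delimited, hence [^\t]+.
CUSTOM_ATTRIBUTE_PATTERNS = {
    name: rf"{name}=([^\t]+)[\t]*"
    for name in (
        "receivedTime", "msg", "externalId", "srcHostName", "srcProcess",
        "filePath", "fileName", "fileHash", "fileId", "rootHash",
        "installerFileName", "banName", "ruleName", "updaterName",
        "policy", "dstHostName",
    )
}

HEADER_FIELDS = ("leef_version", "vendor", "product", "version", "event_id")


def parse_leef(line: str) -> dict:
    """Split one LEEF event into header fields, all attributes, and the
    subset of custom attributes recovered with the table's regexes."""
    if not line.startswith("LEEF:"):
        raise ValueError("not a LEEF event")
    # Header layout: LEEF:Version|Vendor|Product|Version|EventID|payload.
    # maxsplit=5 keeps any '|' inside attribute values intact.
    parts = line[len("LEEF:"):].split("|", 5)
    if len(parts) != 6:
        raise ValueError("malformed LEEF header")
    header = dict(zip(HEADER_FIELDS, parts[:5]))
    payload = parts[5]
    attributes = {}
    for pair in payload.split("\t"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            attributes[key] = value
    custom = {}
    for name, pattern in CUSTOM_ATTRIBUTE_PATTERNS.items():
        match = re.search(pattern, payload)
        if match:
            custom[name] = match.group(1)
    return {"header": header, "attributes": attributes, "custom": custom}


# Constructed sample event (not a real App Control log line): the event
# subtype name, hash and every attribute value are placeholders.
SAMPLE_EVENT = (
    "LEEF:1.0|Carbon Black|Protection|8.5.0.xxx|ExampleSubtype|"
    "cat=Example Category\tsev=9\tdevTime=2024-01-01 12:00:00\t"
    "src=10.0.0.5\tusrName=EXAMPLE\\user\tsrcHostName=host-01\t"
    "filePath=C:\\Temp\\\tfileName=sample.exe\tfileHash=<sha256-placeholder>\t"
    "policy=Example Policy\tmsg=Sample message for the mapping example"
)
```

Attributes that LEEF already defines (cat, sev, devTime, src, usrName) come back in `attributes` only, which mirrors why the table gives them no extraction regex.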