The CEF specification is influenced by network device vendors and, to a lesser extent, host-based antivirus products. Products like Carbon Black EDR, with rich endpoint visibility, did not exist when the specification was developed and, as a result, the built-in key names supported by the extension dictionary do not map well to the data in Carbon Black EDR.

In the default template, the catch-all msg parameter is used for the fields that do not map well to the specified list of default keys. This limits required configuration and avoids the limitations of custom extensions.

To use custom extension keys, configure your SIEM device to support the custom keys and modify the Carbon Black EDR default CEF template. Details are available in the CEF specification and in See Syslog Templates. Contact your support representative with any questions.