The Common Event Format (CEF) is an ArcSight standard that aligns the output format of various technology vendors into a common form.

Carbon Black EDR watchlist syslog output supports fully-templated formats, enabling easy modification of the template to match the CEF-defined format.

Applying the Default CEF Templates

CEF syslog templates are located at /usr/share/cb/syslog_templates.

To use the CEF syslog templates, add the following lines to /etc/cb/cb.conf:

    WatchlistSyslogTemplateProcess=/usr/share/cb/syslog_templates/process_cef.txt
    WatchlistSyslogTemplateBinary=/usr/share/cb/syslog_templates/binary_cef.txt

The watchlist searcher process automatically picks up the new template when the next watchlist hit occurs.
  • The following is an example process watchlist hit in CEF format:

    CEF:0|Carbon Black|Carbon Black|4.1.0.131118.1540|reason=process_watchlist_-1|
    SyslogTest|10|dproc=wmiprvse.exe fname=c:\\windows\\system32\\wbem\\wmiprvse.exe
    start=2014-01-14T20:36:19.526Z dhost=J-8205A0C27A0C4 msg=group:Default Group
    process_md5:0ffae66e6d5b1c87cbd22d1f3b6079fd last_update:2014-01-14T20:36:19.526Z
    guid:-5850106436655859636 segment_id:1488563344023
  • The following is an example binary watchlist hit in CEF format:

    CEF:0|Carbon Black|Carbon Black|4.1.0.131118.1540|reason=binary_watchlist_-1|
    SyslogTest|10|start=2014-01-13T14:49:55.189Z msg=md5:6D778E0F95447E6546553EEEA709D03C
    desc:Windows Command Processor company_name:Microsoft Corporation
    product_name:Microsoft® Windows® Operating System
    product_version:5.1.2600.5512 file_version:5.1.2600.5512 (xpsp.080413-2111)
    signed:Signed

Extension Dictionary

The CEF specification is influenced by network device vendors and, to a lesser extent, host-based antivirus products. Products like Carbon Black EDR, with rich endpoint visibility, did not exist when the specification was developed and, as a result, the built-in key names supported by the extension dictionary do not map well to the data in Carbon Black EDR.

In the default template, the catch-all msg extension key carries the fields that have no good match among the default keys, packed as space-separated key:value pairs (as in the examples above). This keeps the required SIEM-side configuration small and avoids the restrictions that apply to custom extension keys.
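To show how a SIEM-side consumer takes these lines apart, here is a small parser, added as an illustration and not part of Carbon Black EDR or the ArcSight specification: it splits the escaped pipe-delimited header, the space-separated key=value extension, and the key:value pairs the default template packs into msg. The sample input is the process watchlist hit shown above, re-joined onto one line; the helper names are this example's own.

```python
import re
# Constructed sample input: the process watchlist hit shown on this page, re-joined onto one line.
SAMPLE_PROCESS_HIT = (
    "CEF:0|Carbon Black|Carbon Black|4.1.0.131118.1540|reason=process_watchlist_-1|"
    "SyslogTest|10|dproc=wmiprvse.exe fname=c:\\\\windows\\\\system32\\\\wbem\\\\wmiprvse.exe "
    "start=2014-01-14T20:36:19.526Z dhost=J-8205A0C27A0C4 msg=group:Default Group "
    "process_md5:0ffae66e6d5b1c87cbd22d1f3b6079fd last_update:2014-01-14T20:36:19.526Z "
    "guid:-5850106436655859636 segment_id:1488563344023"
)
HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

def _split_header(line):
    # Walk the seven '|'-delimited header fields by hand: a literal '|' or '\' inside a
    # field arrives escaped as '\|' or '\\', so a plain str.split('|') can mis-count.
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    fields, buf, i = [], [], 4  # start after the literal 'CEF:' prefix
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line) and line[i + 1] in "|\\":
            buf.append(line[i + 1]); i += 2
        elif ch == "|":
            fields.append("".join(buf)); buf = []; i += 1
        else:
            buf.append(ch); i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF header: expected 7 '|'-delimited fields")
    return fields, line[i:]  # whatever follows the 7th '|' is the extension

def _split_pairs(text, sep):
    # Split "k<sep>v k2<sep>v2 ..." into a dict. A new key starts only after whitespace,
    # so values keep their spaces ("Default Group") and any <sep> inside them (':' in timestamps).
    pat = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)" + re.escape(sep))
    hits = list(pat.finditer(text))
    ends = [m.start() for m in hits[1:]] + [len(text)]
    return {m.group(1): text[m.end():end] for m, end in zip(hits, ends)}

def _unescape_ext(value):
    # Undo CEF extension escaping: "\\" -> "\", "\=" -> "=", "\n"/"\r" -> newline/CR.
    return re.sub(r"\\([\\=nr])", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def parse_cef(line):
    # Header fields, the extension dict, and the "key:value" sub-fields that the Carbon
    # Black template packs into msg because CEF has no native key for them.
    fields, ext = _split_header(line.strip())
    event = dict(zip(HEADER_FIELDS, fields))
    event["extension"] = {k: _unescape_ext(v) for k, v in _split_pairs(ext, "=").items()}
    event["cb_fields"] = _split_pairs(event["extension"].get("msg", ""), ":")
    return event
```

Feeding the parsed cb_fields (for example process_md5 or dhost) into the SIEM's own correlation fields is what the custom-extension approach in the next paragraph replaces.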

To use custom extension keys, configure your SIEM device to support the custom keys and modify the Carbon Black EDR default CEF template. Details are available in the CEF specification and in Syslog Templates. Contact your support representative with any questions.