VMware Carbon Black App Control sample event messages
Use these sample event messages to verify a successful integration with IBM QRadar.
Important: Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.
Carbon Black App Control sample message when you use the Syslog protocol
Sample 1: The following sample event message shows that a user logged out of a console.
LEEF:1.0|Carbon_Black|Protection|8.0.0.2141|Console_user_logout|cat=Session Management sev=4 devTime=Mar 09 2017 18:32:11.110 UTC msg=User 'admin' logged out. externalId=22272 src=192.168.0.23 usrName=admin dstHostName=tesla receivedTime=Mar 09 2017 18:32:11.110 UTC
| QRadar field name | Highlighted field name |
|---|---|
| Event ID | Console_user_logout (Extracted from the LEEF header Event ID field in QRadar) |
| Event Category | cat |
| Severity | sev |
| Source IP | src |
| Username | usrName |
| Device Time | devTime |
Sample 2: The following sample event message shows that a server configuration was modified. This sample event is from Carbon Black App Control 8.5x.
Sep 3 15:42:17 carbonblack.appcontrol.test 1 2020-09-03T15:42:17.378058-04:00 AJW2019-1 Carbon Black App Control 7972 15 - LEEF:1.0|VMware_Carbon_Black|App_Control|8.5.0.37|Server_config_modified|cat=Server Management sev=5 devTime=Sep 03 2020 19:42:11.033 UTC msg=Configuration property 'syslogFormat' was changed from 'cef' to 'leef' by 'admin'. externalId=52 src=10.1.17.139 usrName=admin dstHostName=tst2019-1.test.domain.test receivedTime=Sep03 2020 19:42:11.033 UTC
| QRadar field name | Highlighted field name |
|---|---|
| Event ID | Server_config_modified (Extracted from the LEEF header Event ID field in QRadar) |
| Event Category | cat |
| Severity | sev |
| Source IP | src |
| Username | usrName |
| Device Time | devTime |
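The following Python script is an added example, not code from the IBM QRadar documentation or from VMware Carbon Black. It parses both sample messages above, skips the RFC 5424 syslog prefix that precedes the `LEEF:` header in sample 2, splits the five pipe-delimited header fields from the attribute block, and projects the attributes onto the QRadar field names listed in the two tables. The constants `SAMPLE_1` and `SAMPLE_2` are the page's samples embedded inline; the function names, `QRADAR_FIELD_MAP`, and the `missing_qradar_fields` check are assumptions of this example and are not part of the QRadar DSM.

```python
import re
from typing import Any, Dict, List

# Constructed from the two sample events on this page: sample 1 is a bare LEEF
# record, sample 2 carries an RFC 5424 syslog prefix before the "LEEF:" header.
SAMPLE_1 = (
    "LEEF:1.0|Carbon_Black|Protection|8.0.0.2141|Console_user_logout|"
    "cat=Session Management sev=4 devTime=Mar 09 2017 18:32:11.110 UTC "
    "msg=User 'admin' logged out. externalId=22272 src=192.168.0.23 "
    "usrName=admin dstHostName=tesla receivedTime=Mar 09 2017 18:32:11.110 UTC"
)
SAMPLE_2 = (
    "Sep 3 15:42:17 carbonblack.appcontrol.test 1 2020-09-03T15:42:17.378058-04:00 "
    "AJW2019-1 Carbon Black App Control 7972 15 - "
    "LEEF:1.0|VMware_Carbon_Black|App_Control|8.5.0.37|Server_config_modified|"
    "cat=Server Management sev=5 devTime=Sep 03 2020 19:42:11.033 UTC "
    "msg=Configuration property 'syslogFormat' was changed from 'cef' to 'leef' "
    "by 'admin'. externalId=52 src=10.1.17.139 usrName=admin "
    "dstHostName=tst2019-1.test.domain.test receivedTime=Sep03 2020 19:42:11.033 UTC"
)

# LEEF attribute key -> QRadar field name, as given in the tables above
# (this mapping table is an assumption of the example, not a QRadar artefact).
QRADAR_FIELD_MAP = {
    "cat": "Event Category",
    "sev": "Severity",
    "src": "Source IP",
    "usrName": "Username",
    "devTime": "Device Time",
}

# LEEF 1.0 separates attributes with a tab by default; these samples use a
# space, and values such as "Session Management" contain spaces themselves.
# A new attribute therefore starts at whitespace followed by "<key>=".
_ATTR_BOUNDARY = re.compile(r"\s+(?=[A-Za-z][A-Za-z0-9]*=)")


def parse_leef(line: str) -> Dict[str, Any]:
    """Parse one LEEF 1.0 event, skipping any syslog header before 'LEEF:'."""
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF header found")
    # Five pipe-delimited header fields precede the attribute block.
    parts = line[start:].split("|", 5)
    if len(parts) != 6:
        raise ValueError("malformed LEEF header: expected 5 '|' separators")
    version, vendor, product, product_version, event_id, attr_block = parts
    attributes: Dict[str, str] = {}
    for token in _ATTR_BOUNDARY.split(attr_block.strip()):
        key, _, value = token.partition("=")
        attributes[key] = value
    return {
        "leef_version": version.split(":", 1)[1],
        "vendor": vendor,
        "product": product,
        "product_version": product_version,
        "event_id": event_id,
        "attributes": attributes,
    }


def to_qradar_fields(event: Dict[str, Any]) -> Dict[str, str]:
    """Project a parsed event onto the QRadar field names from the tables."""
    attrs = event["attributes"]
    fields = {"Event ID": event["event_id"]}
    for key, qradar_name in QRADAR_FIELD_MAP.items():
        if key in attrs:
            fields[qradar_name] = attrs[key]
    return fields


def missing_qradar_fields(event: Dict[str, Any]) -> List[str]:
    """QRadar field names the event cannot populate; empty means a complete map."""
    attrs = event["attributes"]
    return [name for key, name in QRADAR_FIELD_MAP.items() if key not in attrs]


if __name__ == "__main__":
    for sample in (SAMPLE_1, SAMPLE_2):
        ev = parse_leef(sample)
        print(to_qradar_fields(ev), "missing:", missing_qradar_fields(ev))
```

Running the script prints the mapped fields for each sample together with an empty `missing` list, which is the quick check to perform before comparing against what QRadar shows in the Log Activity tab. Because the attribute boundary is inferred from the `key=` pattern rather than a fixed delimiter, a `msg` value that itself contains text of the form `word=` would be split one attribute too early; a production parser should honour the delimiter declared in the LEEF header (a tab by default) and treat this space-delimited form as the special case it is.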