VMware Carbon Black App Control sample event messages

Use these sample event messages to verify a successful integration with IBM QRadar.

Important: Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.

Carbon Black App Control sample message when you use the Syslog protocol

Sample 1: The following sample event message shows that a user logged out of a console.

LEEF:1.0|Carbon_Black|Protection|8.0.0.2141|Console_user_logout|cat=Session Management  sev=4  devTime=Mar 09 2017 18:32:11.110 UTC   msg=User 'admin' logged out.   externalId=22272   src=192.168.0.23   usrName=admin  dstHostName=tesla  receivedTime=Mar 09 2017 18:32:11.110 UTC
Table 1. Highlighted fields

QRadar field name   Highlighted field name
-----------------   ----------------------
Event ID            Console_user_logout (extracted from the LEEF header Event ID field in QRadar)
Event Category      cat
Severity            sev
Source IP           src
Username            usrName
Device Time         devTime

Sample 2: The following sample event message shows that a server configuration was modified. This sample event is from Carbon Black App Control 8.5.x.

Sep  3 15:42:17 carbonblack.appcontrol.test 1 2020-09-03T15:42:17.378058-04:00 AJW2019-1 Carbon Black App Control 7972 15 - LEEF:1.0|VMware_Carbon_Black|App_Control|8.5.0.37|Server_config_modified|cat=Server Management  sev=5  devTime=Sep 03 2020 19:42:11.033 UTC   msg=Configuration property 'syslogFormat' was changed from 'cef' to 'leef' by 'admin'. externalId=52  src=10.1.17.139    usrName=admin  dstHostName=tst2019-1.test.domain.test receivedTime=Sep 03 2020 19:42:11.033 UTC
Table 2. Highlighted fields

QRadar field name   Highlighted field name
-----------------   ----------------------
Event ID            Server_config_modified (extracted from the LEEF header Event ID field in QRadar)
Event Category      cat
Severity            sev
Source IP           src
Username            usrName
Device Time         devTime
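The following parser is an added example for checking the two samples above before sending them to QRadar; it is not part of the IBM or VMware documentation. It skips the RFC 5424 syslog prefix seen in Sample 2, splits the LEEF 1.0 header on the pipe character, reads the attributes (tab-delimited in native output, or space-flattened as in this page's copies), and projects the result onto the QRadar field names from Tables 1 and 2. The field mapping, the constant names and the helper functions are assumptions for this example only.

```python
import re
from datetime import datetime, timezone

# LEEF 1.0 delimits attributes with a tab; copies pasted from documentation
# arrive with tabs flattened to spaces, so a key=value regex is the fallback.
_KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")
# QRadar field -> LEEF attribute, as listed in the tables on this page.
QRADAR_MAP = {"Event Category": "cat", "Severity": "sev", "Source IP": "src",
              "Username": "usrName", "Device Time": "devTime"}
# The two sample messages from this page (tabs already flattened to spaces).
SAMPLE_1 = ("LEEF:1.0|Carbon_Black|Protection|8.0.0.2141|Console_user_logout|"
            "cat=Session Management  sev=4  devTime=Mar 09 2017 18:32:11.110 UTC   "
            "msg=User 'admin' logged out.   externalId=22272   src=192.168.0.23   "
            "usrName=admin  dstHostName=tesla  receivedTime=Mar 09 2017 18:32:11.110 UTC")
SAMPLE_2 = ("Sep  3 15:42:17 carbonblack.appcontrol.test 1 2020-09-03T15:42:17.378058-04:00 "
            "AJW2019-1 Carbon Black App Control 7972 15 - LEEF:1.0|VMware_Carbon_Black|"
            "App_Control|8.5.0.37|Server_config_modified|cat=Server Management  sev=5  "
            "devTime=Sep 03 2020 19:42:11.033 UTC   msg=Configuration property "
            "'syslogFormat' was changed from 'cef' to 'leef' by 'admin'. externalId=52  "
            "src=10.1.17.139    usrName=admin  dstHostName=tst2019-1.test.domain.test "
            "receivedTime=Sep 03 2020 19:42:11.033 UTC")

def parse_leef(line: str) -> dict:
    """Parse one LEEF 1.0 line; any syslog prefix before 'LEEF:' is skipped."""
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF header in line")
    head = line[start:].strip().split("|", 5)
    if len(head) != 6:
        raise ValueError("malformed LEEF header")
    version, vendor, product, prod_ver, event_id, attrs = head
    if "\t" in attrs:  # native tab-delimited output: split on tabs only
        fields = dict(p.split("=", 1) for p in attrs.split("\t") if "=" in p)
    else:              # flattened copy: a value runs until the next ' key='
        fields = {m.group(1): m.group(2).strip() for m in _KV_RE.finditer(attrs)}
    return {"leef_version": version.split(":", 1)[1], "vendor": vendor,
            "product": product, "product_version": prod_ver,
            "event_id": event_id, "attrs": fields}

def to_qradar_fields(event: dict) -> dict:
    """Project a parsed event onto the QRadar field names from the tables."""
    out = {"Event ID": event["event_id"]}
    for qname, key in QRADAR_MAP.items():
        out[qname] = event["attrs"].get(key)
    if out["Device Time"]:  # devTime is 'Mon DD YYYY HH:MM:SS.mmm UTC'
        out["Device Time"] = datetime.strptime(
            out["Device Time"], "%b %d %Y %H:%M:%S.%f UTC").replace(tzinfo=timezone.utc)
    return out
```

If a parsed sample does not yield the Event ID, cat, sev, src, usrName and devTime values shown in the tables, the message was altered by the copy (usually stray line breaks), which is the situation the note at the top of this page warns about.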