Carbon Black sample event messages
Use these sample event messages to verify a successful integration with IBM QRadar.
Important: Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.
Carbon Black sample message when you use the Syslog protocol
Sample 1: The following sample event message shows a watchlist query that matched a process.
LEEF:1.0|CB|CB|5.1|alert.watchlist.hit.query.process|alert_severity=50.625 alert_type=watchlist.hit.query.process alliance_score_srstrust=-100 cb_server=None childproc_count=1 comms_ip=192.168.230.5 computer_name=W7-LOW created_time=2015-10-29T04:33:06.713157Z crossproc_count=0 feed_id=-1 feed_name=My Watchlists feed_rating=3.0 filemod_count=0 group=Default Group hostname=W7-LOW interface_ip=192.168.230.5 ioc_attr={"highlights": ["PREPREPREacrord32.exePOSTPOSTPOST"]} ioc_confidence=0.5 ioc_type=query md5=AD7B9C14083B52BC532FBA5948342B98 modload_count=14 netconn_count=0 os_type=windows process_guid=00000016-0000-0804-01d1-17153be2e8cd process_name=cmd.exe process_path=c:\windows\system32\cmd.exe regmod_count=0 report_score=75 segment_id=1 sensor_criticality=3.0 sensor_id=22 status=Unresolved timestamp=1446093201.95 type=alert.watchlist.hit.query.process unique_id=3ee47556-3e8e-4232-b975-30ba7fbf0037 username=BIT9SEAD\user10 watchlist_id=11 watchlist_name=Unusual Parents
| QRadar field name | Highlighted field names or values in the event payload |
|---|---|
| Event ID | alert.watchlist.hit.query.process |
| Event Category | For this DSM, the value in QRadar is always CarbonBlack |
| Source IP | interface_ip |
| Username | username |
| Device time | created_time |
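The following script is an added example, not IBM's or Carbon Black's code, that parses Sample 1 above and applies the field mapping from the table. It assumes the attribute block is space-separated as in the sample (LEEF 1.0 defaults to a tab delimiter, so the parser accepts either), and it treats the Event Category as the fixed value CarbonBlack that the page states for this DSM. The awkward part of this record, which a naive split on spaces gets wrong, is that values such as `feed_name=My Watchlists` and the JSON in `ioc_attr` contain spaces; the parser slices each value from its `=` to the start of the next `key=` token instead.

```python
import json
import re
from datetime import datetime, timezone

# Constructed input: the page's Sample 1 LEEF line, embedded so the script runs
# offline. Raw strings keep the Windows backslashes literal.
SAMPLE_1 = (
    "LEEF:1.0|CB|CB|5.1|alert.watchlist.hit.query.process|"
    "alert_severity=50.625 alert_type=watchlist.hit.query.process "
    "alliance_score_srstrust=-100 cb_server=None childproc_count=1 "
    "comms_ip=192.168.230.5 computer_name=W7-LOW "
    "created_time=2015-10-29T04:33:06.713157Z crossproc_count=0 feed_id=-1 "
    "feed_name=My Watchlists feed_rating=3.0 filemod_count=0 group=Default Group "
    "hostname=W7-LOW interface_ip=192.168.230.5 "
    'ioc_attr={"highlights": ["PREPREPREacrord32.exePOSTPOSTPOST"]} '
    "ioc_confidence=0.5 ioc_type=query md5=AD7B9C14083B52BC532FBA5948342B98 "
    "modload_count=14 netconn_count=0 os_type=windows "
    "process_guid=00000016-0000-0804-01d1-17153be2e8cd process_name=cmd.exe "
    r"process_path=c:\windows\system32\cmd.exe regmod_count=0 report_score=75 "
    "segment_id=1 sensor_criticality=3.0 sensor_id=22 status=Unresolved "
    "timestamp=1446093201.95 type=alert.watchlist.hit.query.process "
    "unique_id=3ee47556-3e8e-4232-b975-30ba7fbf0037 "
    r"username=BIT9SEAD\user10 watchlist_id=11 watchlist_name=Unusual Parents"
)

# An attribute key is a run of identifier characters followed by '=', either at
# the start of the attribute block or after a separator (assumption: LEEF 1.0
# defaults to a tab, this sample uses spaces, so any whitespace is accepted).
_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=")


def parse_leef(line: str):
    """Split a LEEF 1.0 record into its header fields and an attribute dict."""
    # The page warns that pasted samples pick up CR/LF characters; drop them.
    line = line.replace("\r", "").replace("\n", "")
    parts = line.split("|", 5)
    if len(parts) != 6 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF 1.0 record")
    header = {
        "leef_version": parts[0].split(":", 1)[1],
        "vendor": parts[1],
        "product": parts[2],
        "product_version": parts[3],
        "event_id": parts[4],
    }
    body = parts[5]
    # Values may contain spaces ("My Watchlists") or JSON, so do not split on
    # whitespace; each value runs from its '=' up to the next key match. A value
    # that itself contained " word=" would be misread; that ambiguity is inherent
    # to the space-delimited form of the format.
    keys = list(_KEY.finditer(body))
    attrs = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(body)
        attrs[m.group(1)] = body[m.end():end]
    return header, attrs


def to_qradar_fields(header, attrs):
    """Apply the field mapping from the table on this page."""
    return {
        "Event ID": header["event_id"],
        "Event Category": "CarbonBlack",  # constant for this DSM, per the page
        "Source IP": attrs.get("interface_ip"),
        "Username": attrs.get("username"),
        "Device time": attrs.get("created_time"),
    }


def device_time_utc(attrs):
    """Parse created_time (ISO 8601 with microseconds and a Z suffix) as UTC."""
    return datetime.strptime(
        attrs["created_time"], "%Y-%m-%dT%H:%M:%S.%fZ"
    ).replace(tzinfo=timezone.utc)


def watchlist_highlights(attrs):
    """Decode the JSON carried inside ioc_attr and return its highlight list."""
    return json.loads(attrs["ioc_attr"])["highlights"]


if __name__ == "__main__":
    hdr, attrs = parse_leef(SAMPLE_1)
    for name, value in to_qradar_fields(hdr, attrs).items():
        print(f"{name:15} {value}")
    print("device time (UTC):", device_time_utc(attrs).isoformat())
    print("highlights:", watchlist_highlights(attrs))
```

Run it with the sample as-is or with trailing CR/LF appended; both produce the same 38 attributes, and the Source IP, Username and Device time lines match the payload values the table points at. Checking the decoded `ioc_attr` JSON is a quick way to confirm that the copied line was not broken across tokens when it was pasted.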