EDR: What Data is Sent Over CB Event Forwarder?

Environment

  • EDR: All Versions
  • CB Event Forwarder: All Supported Versions

Question

What data is sent over CB Event Forwarder to the SIEM?

Answer

Each CB Event Forwarder setting below is listed with its default value, its optional values, a description, and the associated cb.conf setting on the EDR server (if any).

audit_log
  • Default Value: False
  • Optional Values: True
  • Description: audit.log.useractivity, audit.log.liveresponse, audit.log.isolation, audit.log.banning
  • Associated cb.conf Setting: EnableExtendedApiAuditLogging=true, EnableAuditLogsToEvents=true

api_token
  • Default Value: None
  • Optional Values: None
  • Description: Additional info from the REST API
  • Associated cb.conf Setting: None

remove_from_output
  • Default Value: highlights_by_doc
  • Optional Values: None
  • Description: Prevents this field from causing issues with QRadar and Splunk
  • Associated cb.conf Setting: None

events_watchlist
  • Default Value: All
  • Optional Values: watchlist.hit.process, watchlist.hit.binary, watchlist.storage.hit.process, watchlist.storage.hit.binary
  • Description: Watchlist Hits
  • Associated cb.conf Setting: None

events_feed
  • Default Value: All
  • Optional Values: feed.ingress.hit.process, feed.ingress.hit.binary, feed.ingress.hit.host, feed.storage.hit.process, feed.storage.hit.binary, feed.query.hit.process, feed.query.hit.binary
  • Description: Feed Hits
  • Associated cb.conf Setting: None

events_alert
  • Default Value: All
  • Optional Values: alert.watchlist.hit.ingress.process, alert.watchlist.hit.ingress.binary, alert.watchlist.hit.ingress.host, alert.watchlist.hit.query.process, alert.watchlist.hit.query.binary
  • Description: Alert Events
  • Associated cb.conf Setting: None

events_binary_observed
  • Default Value: All
  • Optional Values: binaryinfo.observed, binaryinfo.host.observed, binaryinfo.group.observed
  • Description: Binary Observed Events
  • Associated cb.conf Setting: None

events_binary_upload
  • Default Value: All
  • Optional Values: binarystore.file.added
  • Description: Binary Upload Events
  • Associated cb.conf Setting: None

use_raw_sensor_exchange / events_raw_sensor
  • Default Value: False / 0 (Disabled)
  • Optional Values: ingress.event.process, ingress.event.procstart, ingress.event.netconn, ingress.event.procend, ingress.event.childproc, ingress.event.moduleload, ingress.event.module, ingress.event.filemod, ingress.event.regmod, ingress.event.tamper, ingress.event.crossprocopen, ingress.event.remotethread, ingress.event.processblock, ingress.event.emetmitigation
  • Description: Raw Sensor (endpoint) Events
  • Associated cb.conf Setting: EnableRawSensorDataBroadcast=true

Additional Notes

  • Enabling the "events_raw_sensor" setting can generate a very high event load and consume a Splunk license.
  • If the "events_raw_sensor" feature causes performance issues on a Cloud instance, it will be disabled and the contact on record will be notified.
  • For a description of the events being sent, look here.
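As an added example (not from this article or the CB Event Forwarder project), the check below cross-references a forwarder input.ini against the server's cb.conf using the associations in the table above, and flags an events_raw_sensor selection of ALL because of the load noted above. The two file contents are constructed samples, and the parser assumes both files use plain key=value lines.

```python
from typing import Dict, List

# Forwarder settings that depend on a cb.conf setting, per the table above.
REQUIRED_CB_CONF = {
    "audit_log": ["EnableExtendedApiAuditLogging=true", "EnableAuditLogsToEvents=true"],
    "events_raw_sensor": ["EnableRawSensorDataBroadcast=true"],
}
DISABLED = {"", "false", "0", "none"}  # values that leave a setting switched off

def parse_kv(text: str) -> Dict[str, str]:
    """Parse key=value lines; comments, blanks and [section] headers are skipped."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#[":
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def check_forwarder(input_ini: str, cb_conf: str) -> List[str]:
    """Return findings: enabled settings whose cb.conf prerequisite is missing,
    plus a warning when events_raw_sensor forwards every raw event type."""
    fwd, srv = parse_kv(input_ini), parse_kv(cb_conf)
    findings: List[str] = []
    for setting, reqs in REQUIRED_CB_CONF.items():
        value = fwd.get(setting, "")
        if value.lower() in DISABLED:
            continue
        for req in reqs:
            key, _, expected = req.partition("=")
            if srv.get(key, "").lower() != expected:
                findings.append(f"{setting}={value} needs {req} in cb.conf")
    if fwd.get("events_raw_sensor", "").lower() == "all":
        findings.append("events_raw_sensor=ALL forwards every ingress.event.* "
                        "type; expect very high load and SIEM license use")
    return findings

# Constructed sample files (not from a real deployment).
SAMPLE_INPUT_INI = """[bridge]
audit_log=true
use_raw_sensor_exchange=true
events_raw_sensor=ingress.event.netconn,ingress.event.procstart
"""
SAMPLE_CB_CONF = """# only one of the two audit_log prerequisites is present
EnableAuditLogsToEvents=true
EnableRawSensorDataBroadcast=true
"""
```

Running check_forwarder(SAMPLE_INPUT_INI, SAMPLE_CB_CONF) reports only the missing EnableExtendedApiAuditLogging=true entry, since the raw sensor selection is a bounded subset.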

Article Information
Creation Date: 09-09-2020