carbonblack / cb-event-forwarder

Subscribe to raw VMware Carbon Black EDR event feed and forward to another system, such as Splunk.

ingress.event.remotethread events are on the wrong queue #190

Open jeromekleinen opened 4 years ago

jeromekleinen commented 4 years ago

Hello,

Not really a bug with the cb-event-forwarder per se but something we noticed and we hope you could relay to the right team at CB.

We are interested in offloading the ingress.event.remotethread logs. There is a separate queue that should contain these logs. However, after some trial and error we noticed that these logs are actually stored on the ingress.event.crossprocopen queue, which is much more noisy due to the many open_process events (at least in our environment).

If this is by design then this is definitely not properly reflected in the documentation, e.g. at https://developer.carbonblack.com/reference/enterprise-response/event-forwarder/event-schema/#raw-endpoint-events

We are running cb response version 7.1.0.

Thanks!
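A way to confirm the behaviour reported above in your own environment is to tally, for every message you consume, the routing key it arrived on against the event type inside the JSON body, and flag any event type that shows up on a key other than the documented one. The script below is an added example, not code from the issue or from cb-event-forwarder. It assumes that the forwarder's JSON output carries the event type in a `type` field and that your consumer can see the routing key alongside each body; the expected mapping, the sample messages, and the `process_guid` values are constructed for the example.

```python
"""Audit which routing key each Carbon Black EDR event type actually arrives on.

Added example (not part of the issue or of cb-event-forwarder). Assumes:
- each forwarded event is JSON with a "type" field naming the event type;
- the consumer records the routing key of the queue each body came from.
"""
import json
from collections import defaultdict

# Expected routing key per event type (assumption for the example: each event
# type is documented as living on the key of the same name).
EXPECTED = {
    "ingress.event.remotethread": "ingress.event.remotethread",
    "ingress.event.crossprocopen": "ingress.event.crossprocopen",
    "ingress.event.procstart": "ingress.event.procstart",
}

# Constructed sample messages: (routing_key, raw JSON body) as a consumer would
# see them. They mimic the report: remotethread events arriving on crossprocopen.
SAMPLE_MESSAGES = [
    ("ingress.event.crossprocopen",
     json.dumps({"type": "ingress.event.crossprocopen", "process_guid": "00000001-0000-0001"})),
    ("ingress.event.crossprocopen",
     json.dumps({"type": "ingress.event.crossprocopen", "process_guid": "00000001-0000-0002"})),
    ("ingress.event.crossprocopen",
     json.dumps({"type": "ingress.event.remotethread", "process_guid": "00000001-0000-0003"})),
    ("ingress.event.crossprocopen",
     json.dumps({"type": "ingress.event.remotethread", "process_guid": "00000001-0000-0004"})),
    ("ingress.event.procstart",
     json.dumps({"type": "ingress.event.procstart", "process_guid": "00000001-0000-0005"})),
    ("ingress.event.procstart", "not json at all"),  # malformed body, counted separately
]


def audit_routing(messages, expected=EXPECTED):
    """Count (routing_key, event_type) pairs and list mismatches.

    Returns (counts, mismatches) where counts maps (routing_key, event_type)
    to the number seen, and mismatches is a list of
    (event_type, expected_key, actual_key, count) for every event type that
    appeared on a key other than the one it is documented on.
    """
    counts = defaultdict(int)
    for routing_key, body in messages:
        try:
            event = json.loads(body)
        except json.JSONDecodeError:
            counts[(routing_key, "<unparseable>")] += 1
            continue
        event_type = event.get("type", "<missing type>")
        counts[(routing_key, event_type)] += 1

    mismatches = []
    for (routing_key, event_type), n in sorted(counts.items()):
        want = expected.get(event_type)
        if want is not None and want != routing_key:
            mismatches.append((event_type, want, routing_key, n))
    return dict(counts), mismatches


def format_report(counts, mismatches):
    """Render the audit as plain text for a ticket or a log line."""
    lines = ["routing_key -> event_type : count"]
    for (routing_key, event_type), n in sorted(counts.items()):
        lines.append(f"{routing_key} -> {event_type} : {n}")
    if mismatches:
        lines.append("MISMATCHES (event_type expected_on actually_on count):")
        for event_type, want, got, n in mismatches:
            lines.append(f"  {event_type} {want} {got} {n}")
    else:
        lines.append("no routing mismatches")
    return "\n".join(lines)


if __name__ == "__main__":
    c, m = audit_routing(SAMPLE_MESSAGES)
    print(format_report(c, m))
```

In a live deployment you would replace `SAMPLE_MESSAGES` with the `(routing_key, body)` pairs your consumer collects over a sampling window; a non-empty mismatch list is the evidence to attach to a ticket like this one, and it also tells you which queue you actually need to bind to until the routing is corrected.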

jeromekleinen commented 4 years ago

Any feedback on this whatsoever?