
CEF Normalizer

The CEF Compiled Normalizer normalizes event logs in the Common Event Format (CEF) received from various log sources.

For Logpoint version 6.7.0 or later

Release Details

Version: 5.0.1
Release date: 2020-05-14
Document date: 2020-05-14
SHA 256: 83a842f106a2432f8b37bbc482ca10a6870980ef159040666dbccea280b62368
Download

Package Details

The application consists of the following component:

  1. Compiled Normalizer
    • CEFCompiledNormalizer

Enhancement

A minor update has been done in the application’s normalizer for better signature handling.

Installation

Follow these steps to install the CEF Compiled Normalizer v5.0.1 application:

  1. Download the CEF Compiled Normalizer package from the Download section above.
  2. Add the required device in LogPoint.
  3. Create a normalization policy, and add the required CEFCompiledNormalizer package.
  4. Create a collection policy with the Syslog collector and an appropriate processing policy.
  5. Assign the log collection policy to the device.

Supported Devices

The devices supported by LogPoint in this configuration are:

  • Trend Micro Deep Security CEF
  • Rhebo CEF
  • Malwarebytes CEF
  • Trend Micro Deep Discovery CEF
  • FireEye CEF
  • ForeScout CEF
  • PaloAlto CEF
  • SentinelOne CEF
  • RedSocks CEF
  • Any device with CEF format

Configuration of Sources

Expected Log Format

CEF:Version|Device Vendor|Device Product|Device Version|Device Event Class ID|Name|Severity|[Extension]

Note that the Extension field in the log format above is optional.

Log Sample

Jan 20 2020 15:19:10 Win7 CEF:0|Malwarebytes|Malwarebytes Breach Remediation|2.7.1.1627 [eng:v1.1.11.1 rul:v1111.11.11.11 act:v111.11.11.11 sws:v2016.11.11.11]|1001|Malware Detected|10|cs3=1a111111-1111-111a-b61e-62f34b947584 cs3Label=SessionId cs5="C:\\mbbr\\mbbr.exe" scan -threat -remove -noreboot -noarchive -ignorepu -ark -pfi:1 -stdout:summary -stdlog:C:\\mbbr\\logs\\scanResults-WIN7-20161220-031802.xml  cs5Label=CmdLine dvchost=Win8 deviceMacAddress=00:00:XX:XX:XX:XX suser=SYSTEM outcome=failed rt=Dec 20 2016 15:19:10 cs1Label=MalwareName cs2Label=MalwareHash cs4Label=MalwareClass cs1=Trojan-xxxx cs2=702644a56a30c76fcc1f4e2b30d105fb cs4=1 filePath=C:\\temp\\aaaAAAAaAAaa.exe act=none cat=virus
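The header and extension rules above, as an added example that is not part of the original article or of Logpoint's normalizer: a small Python parser that splits the seven pipe-delimited header fields (honouring `\|` and `\\` escapes), walks the optional extension as `key=value` pairs whose values may themselves contain spaces, and resolves `csNLabel` names so that `cs1=Trojan-xxxx` is reported as `MalwareName`. The sample line is constructed after the page's Malwarebytes log; its values are illustrative.

```python
import re

HEADER_FIELDS = ["cef_version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity"]

# Constructed sample in the shape of the page's Malwarebytes log (values are illustrative).
SAMPLE = ("Jan 20 2020 15:19:10 Win7 CEF:0|Malwarebytes|Malwarebytes Breach Remediation|"
          "2.7.1.1627|1001|Malware Detected|10|cs3=1a111111-1111-111a-b61e-62f34b947584 "
          "cs3Label=SessionId cs5=\"C:\\\\mbbr\\\\mbbr.exe\" scan -threat -remove  cs5Label=CmdLine "
          "rt=Dec 20 2016 15:19:10 suser=SYSTEM outcome=failed cs1Label=MalwareName "
          "cs1=Trojan-xxxx act=none cat=virus")


def _unescape(value: str) -> str:
    # Extension escapes: '\=' -> '=', '\\' -> '\', and '\n' / '\r' -> line breaks.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_cef(line: str) -> dict:
    """Parse one CEF line (with or without a syslog prefix) into a flat dict."""
    s = line[line.index("CEF:") + 4:]          # str.index raises ValueError if no CEF header
    fields, buf, i = [], [], 0
    # Header: seven '|'-separated fields; '\|' and '\\' are escapes inside a field.
    while i < len(s) and len(fields) < 7:
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            buf.append(s[i + 1]); i += 2; continue
        if c == "|":
            fields.append("".join(buf)); buf = []
        else:
            buf.append(c)
        i += 1
    if len(fields) == 6 and buf:               # tolerate a missing trailing '|' when no extension
        fields.append("".join(buf))
    if len(fields) < 7:
        raise ValueError("truncated CEF header")
    event = dict(zip(HEADER_FIELDS, fields))
    # Extension (optional): 'key=value' pairs. A value may itself contain spaces and ends
    # only where the next ' key=' token begins, so split on that boundary, not on every space.
    ext = s[i:].strip()
    if ext:
        for pair in re.split(r"\s+(?=[A-Za-z0-9_.]+=)", ext):
            key, _, value = pair.partition("=")
            event[key] = _unescape(value)
    return event


def resolve_labels(event: dict) -> dict:
    # Rename custom fields (cs1, cn1, ...) to the names their csNLabel/cnNLabel fields carry.
    return {event.get(k + "Label", k): v for k, v in event.items() if not k.endswith("Label")}
```

Splitting the extension on every space would break the `cs5` command line and the `rt` timestamp into fragments; splitting only where the next `key=` token begins keeps them intact.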

For Logpoint version 6.0.0 to 6.6.6

Release Details

Version: 3.4.0
Release date: 2020-05-14
Document date: 2020-05-14
SHA 256: 5aad561c036caf8af558190d48f01b73b387d8ae33076a799d095ba4b7946397
Download

Package Details

The application consists of the following component:

  1. Compiled Normalizer
    • CEFCompiledNormalizer

Enhancement

A minor update has been done in the application’s normalizer for better signature handling. 

Installation

Follow these steps to install the CEF Compiled Normalizer v3.4.0 application:

  1. Download the CEF Compiled Normalizer package from the Download section above.
  2. Add the required device in LogPoint.
  3. Create a normalization policy, and add the required CEFCompiledNormalizer package.
  4. Create a collection policy with the Syslog collector and an appropriate processing policy.
  5. Assign the log collection policy to the device.

Support

If you have any queries or require assistance, please feel free to contact our support team: 

Email: servicedesk@logpoint.com
Phone: +45 7060 6100

