
LEEFNormalizer

Manjul Bhattarai
May 08, 2024 05:37

General Description

The LEEFNormalizer application normalizes LEEF-formatted event logs from various log sources. It supports LEEF v1.0 and LEEF v2.0 logs.

Release Details

Name:           LEEFNormalizer
Version:        5.0.0
Supported On:   LogPoint v6.7.4 and later
Release Date:   2021-07-01
Document Date:  2021-07-01
Download:       LEEF_5.0.0.pak
SHA256:         413f1c001efefb3fa84200250598caffb0e5300e946aa17d1b3aafe78ad45fc4

Package Details

The application consists of the following component:

  1. Compiled Normalizer
    • LEEFCompiledNormalizer

Installation 

Follow these steps to install the LEEFNormalizer v5.0.0 application:

  1. Download the LEEFNormalizer package from the Download section above.
  2. Add the required device in LogPoint.
  3. Create a normalization policy, and add the required LEEFCompiledNormalizer package.
  4. Create a collection policy with the Syslog collector and the appropriate processing policy. 
  5. Assign the log collection policy to the device.

Supported Devices

The application supports all log sources that emit logs in LEEF format.

Configuration of source

Basic LEEF Syntax

Syslog_Header LEEF_Header|Event_Attributes

LEEF Header

The LEEF header is pipe-delimited. It consists of the following fields:

  • LEEF version
  • Vendor
  • Product name
  • Product version
  • Event ID
  • Delimiter character (optional); a LEEF v2.0 log specifies the attribute delimiter (caret (^), caret hex value (5x), or bar (¦)) in the LEEF header.

Expected Log Sample

LEEF:Version|Vendor|Product|Version|EventID|

  • LEEF:1.0|Microsoft|MSExchange|2013 SP1|15346|
  • LEEF:2.0|Lancope|StealthWatch|6.5|41|^|

Event Attributes

The event attributes are key-value pairs separated by a tab or, for LEEF v2.0, by the delimiter specified in the LEEF header.

Jun 14:27:23 myserver LEEF:Version|Vendor|Product|Version|EventID|Delimiter|src=1.1.1.1 → dst=1.1.1.2

Log Formats

Expected Log Format: LEEF v1.0

Log Sample:

LEEF:1.0|KasperskyLab|SecurityCenter|1.1.1.1|KLSRV_HOST_STATUS_CRITICAL|cat=KLSC   EVC_EV_DESC=Computer "ABC" changed its status to "Critical": anti-virus is not running.    devTime=2021-07-21 08:40:12 devTimeFormat=yyyy-MM-dd HH:mm:ss   EVC_EV_DISP_HOST_NAME=AB-CD-01  src=1.1.1.2    identSrc=1.1.1.3   identNetBios= ABC   EVC_EV_KL_PRODUCT_DISPVER=1.1.1.4  EVC_EV_KL_PRODUCT_NAME=1012 EVC_EV_KL_PRODUCT_VER=1.1.1.5

Expected Log Format: LEEF v2.0

Log Sample:

LEEF:2.0|CarbonBlack|CbDefense|0.1|FILELESS|identHostName=ClientA  deviceName=Clients sev=4   deviceHostName=None cat=THREAT  externalIpAddress=***************   deviceId=xxxxxxx    ruleName=Global Alert   Notification    identSrc=1.1.1.1   src=1.1.1.2    eventId=None    uemId=  incidentId=ABCDEFG resource=OfficeClient   targetPriorityCode=0    url=https://defense.net/ab/investigate/events?query=alert_id:ABCDEFG%20AND%20device_id:xxxxxxxx&searchWindow=ALL&orgId=xxxx internalIpAddress=1.1.1.4  dst=1.1.1.5    summary=The application powershell.exe  is  executing   a   fileless    script  or  command.    groupName=Standard  deviceType=WINDOWS  devTime=Sep-16-2020 01:10:02    GMT signature=Active_Threat devTimeFormat=MMM   dd  yyyy    HH:mm:ss    z   deviceVersion=Windows   10  x64 type=THREAT email=abc@data.com    targetPriorityType=MEDIUM   applicationName=powershell.exe  indicatorName=FILELESS  sha256Hash=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
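The following is an added Python example illustrating the LEEF syntax described in the "Basic LEEF Syntax" and "Event Attributes" sections and exercised by the v1.0 and v2.0 log samples above. It is not code from the article or from the LEEFNormalizer package. It strips the syslog header, splits the pipe-delimited LEEF header with a bounded split so pipes inside attribute values cannot shift the header fields, resolves the optional v2.0 delimiter (literal character or hex form), and splits attributes on the first "=" only so values such as URLs with query strings stay intact. The sample lines are constructed for this example, and the accepted hex spelling of the delimiter (x or 0x followed by one to four hex digits, e.g. x5E for the caret) is an assumption about the encoding, not something the article states.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines following the syntax described in the article
# (syslog header, pipe-delimited LEEF header, then attributes). They are
# not captures from real devices.
SAMPLE_V1 = ("Jun 14 14:27:23 myserver LEEF:1.0|Microsoft|MSExchange|2013 SP1|15346|"
             "src=1.1.1.1\tdst=1.1.1.2\tmsg=logon ok")
SAMPLE_V2_CARET = "LEEF:2.0|Lancope|StealthWatch|6.5|41|^|src=1.1.1.1^dst=1.1.1.2^cat=THREAT"
SAMPLE_V2_HEX = ("LEEF:2.0|CarbonBlack|CbDefense|0.1|FILELESS|x5E|"
                 "src=1.1.1.1^url=https://example.invalid/a?q=1&id=2")
SAMPLE_V2_TAB = "LEEF:2.0|Vendor|Product|1.0|7|src=1.1.1.1\tdst=1.1.1.2"

# Assumption: the hex form of the delimiter is written as x or 0x followed by
# one to four hex digits (e.g. x5E for the caret).
HEX_DELIM = re.compile(r"^(?:0x|x)([0-9A-Fa-f]{1,4})$")
SUPPORTED_VERSIONS = ("1.0", "2.0")


def resolve_delimiter(spec: str) -> Optional[str]:
    """Map the header delimiter field to the actual separator character."""
    if len(spec) == 1:
        return spec
    m = HEX_DELIM.match(spec)
    if m:
        return chr(int(m.group(1), 16))
    return None


def parse_attributes(text: str, delimiter: str) -> Dict[str, object]:
    """Split key=value pairs on the delimiter. Only the first '=' separates
    key from value, so values such as URLs with query strings survive intact.
    Tokens without '=' are kept under '_unparsed' rather than silently dropped."""
    attrs: Dict[str, object] = {}
    unparsed: List[str] = []
    for token in text.split(delimiter):
        token = token.strip()
        if not token:
            continue
        key, sep, value = token.partition("=")
        if not sep or not key.strip():
            unparsed.append(token)
            continue
        attrs[key.strip()] = value.strip()
    if unparsed:
        attrs["_unparsed"] = unparsed
    return attrs


def parse_leef(line: str) -> Dict[str, object]:
    """Parse one syslog line carrying a LEEF v1.0 or v2.0 event."""
    idx = line.find("LEEF:")
    if idx < 0:
        raise ValueError("no LEEF header in line")
    syslog_header = line[:idx].strip()
    body = line[idx:]
    # Header fields are pipe-delimited: version, vendor, product, product
    # version, event ID. Limit the split so pipes inside attribute values
    # cannot shift the header fields.
    parts = body.split("|", 5)
    if len(parts) < 6:
        raise ValueError("incomplete LEEF header")
    version = parts[0][len("LEEF:"):]
    if version not in SUPPORTED_VERSIONS:
        raise ValueError(f"unsupported LEEF version {version!r}")
    vendor, product, product_version, event_id = parts[1:5]
    rest = parts[5]
    delimiter = "\t"  # v1.0, and v2.0 without a delimiter field, use a tab
    if version == "2.0":
        # The optional delimiter field sits between the event ID and the attributes.
        candidate, sep, after = rest.partition("|")
        resolved = resolve_delimiter(candidate) if sep else None
        if resolved is not None:
            delimiter, rest = resolved, after
    return {
        "syslog_header": syslog_header,
        "version": version,
        "vendor": vendor,
        "product": product,
        "product_version": product_version,
        "event_id": event_id,
        "delimiter": delimiter,
        "attributes": parse_attributes(rest, delimiter),
    }


if __name__ == "__main__":
    for sample in (SAMPLE_V1, SAMPLE_V2_CARET, SAMPLE_V2_HEX, SAMPLE_V2_TAB):
        print(parse_leef(sample))
```

Note that the published samples contain values with embedded spaces (for example the summary field of the v2.0 sample), which is why attributes must be split on the tab or the declared delimiter and never on whitespace; a collector that rewrites tabs to spaces will cause those fields to be merged or lost during normalization.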

Support

If you have any queries or require assistance, please feel free to contact our support team:

Email: servicedesk@logpoint.com

Phone: +45 7060 6100
