Help parse CEF2 Logs - SentinelOne

Hello guys,
I have a Graylog environment receiving logs from my SentinelOne XDR console, but I am not able to parse the logs. The logs received are CEF2.
Here is a sample of the logs received:

20:34:57,360 sentinel - CEF:2|SentinelOne|Mgmt|ip=20.20.21.22|eventID=5126|eventDesc=SentinelOne: Device Control connected USB Microsoft Microsoft® LifeCam HD-3000 on PC-01 (kdbuu)|eventSeverity=1|rt=2022-07-11 20:33:24.267876|endpointDeviceControlRuleId=1397004722801134701 |endpointDeviceControlInterface=USB |endpointDeviceControlClass=01h|endpointDeviceControlVendor=45E|endpointDeviceControlProduct=779|endpointDeviceControlSerial=|endpointDeviceControlDeviceName=Microsoft Microsoft® LifeCam HD-3000|endpointDeviceControlBluetoothVersion=N/A|endpointDeviceControlBluetoothMinorClass=N/A|deviceRuleBluetoothLmpVersion=N/A|endpointDeviceControlBluetoothProfileUuids=N/A|endpointDeviceControlEventType=connected|bluetoothAddress=|gattServices=|manufacturerName=|deviceInformationServiceInfoKey=|deviceInformationServiceInfoValue=|cat=EndpointDeviceControlEvent|sourceAgentLastActivityTimestamp=2022-07-11 20:33:20.038312|sourceAgentRegisterTimestamp=2022-06-22 14:38:27.797086|sourceNetworkState=connected|sourceOsRevision=22000|sourceOsType=windows|sourceAgentUuid=9c63d05b65ce44298738e8a9dbabb3b3|sourceFqdn=PC01.LOCAL|sourceThreatCount=0|sourceMgmtPrecievedAddress=20.20.21.22|sourceDnsDomain=LOCAL|sourceHostName=PC-1|sourceUserName=kdbuuu|sourceUserId=S-1-5-21-2801299722-746852668-3695822339-4257|sourceAgentId=1448544056058951621|sourceGroupId=1301316714008478194|sourceGroupName=Default Group|sourceIpAddresses=[‘192.168.0.124’, ‘fe80::70b3:8760:77a8:e992’]|sourceMacAddresses=[‘34:64:a9:00:2f:ce’]|activityID=1462493442640841981|activityType=5126|siteId=1713983312369|siteName=AV01 - BRAZIL|accountId=672373269|accountName=SITE LOCAL|notificationScope=SITE

Can anybody help me?

Thanks

Hello && Welcome

Have you tried one of these INPUTs?

[screenshot: list of available Graylog input types]

Hi!
I already tried to configure an INPUT of the CEF UDP type, but the logs do not appear!!
When I configure the input with SYSLOG UDP they appear but without the parser.
Do you have any idea why CEF UDP doesn’t work?

There are others you can try from the screenshot above; perhaps Raw/Plaintext might work.

Not sure how you configured that input, BUT you should have seen something on CEF UDP since the logs that are shipped are in CEF. Curious: when you had the CEF UDP input configured and did not see logs appear, by chance did you try a tcpdump on Graylog? This should have shown more info on what was happening.

Not sure, we would need to see more info on what you're seeing. Right now I'm taking a guess.

Hello, with CEF UDP I see the logs coming through in tcpdump, but I don't see them in Graylog.

Check list:

Check if ports are correct on the INPUT (input port config matches the sender's port).
If a firewall is enabled, ensure the CEF UDP port is opened.
Check date/time.
Check that the configuration of the CEF UDP input is correct.
Use a different CEF input.

I’m just guessing at this point. Don’t have any clue how you configured your setup.

EDIT:

Question, how did you configure SentinelOne to send logs to Graylog?

Hello,
Firewall rules are OK! The logs are arriving on UDP port 5555 and I see the requests in tcpdump!
I configured the input as Raw/Plaintext UDP on port 5555 and the logs are being seen in Graylog, but they are not parsed.

Tks

I configured SentinelOne to send the logs on port 5555 UDP (it only sends to UDP). I tested it sending in CEF and CEF2; neither of them is parsed.

I found out why the parser doesn’t work!
The log is coming with these fields at the beginning

20:34:57,360 sentinel -

This is making the parser unable to work!
Is it possible to remove this part as soon as it enters my graylog?


Tks

Hello,

Oh :eyes: is that the date/time stamp?

You could try an extractor on the input, but I'm not sure that would help. I can modify and create them, but as far as removing parts of the logs being sent and modifying them before the INPUT, I have not done that. I have had to adjust how logs were sent to correspond to the input used.

Maybe if @tmacgbay is around he may have an idea using a pipeline.

What doesn't seem right is why the CEF input isn't working, since that is the type of log message being sent. I looked in GitHub and saw other issues with the CEF input, but those were for older versions of GL.

Maybe post here to see if this is a bug or not.

Hi!

I am using a Syslog TCP input with this pipeline rule:

rule "Sentinelone Process CEF"
when
    // only touch messages that actually carry a CEF header somewhere in the line
    contains(to_string($message.message), "CEF:0", true)
then
    // keep everything from "CEF:" to the end of the line, dropping the syslog prefix
    let result = regex(("(CEF:.*)$"), to_string($message.message));
    set_field("pure_cef", result["0"]);
    // parse the cleaned line and copy its fields onto the message
    set_fields(parse_cef(to_string($message.pure_cef), false));
    set_field("message", $message.pure_cef);
    remove_field("pure_cef");
end

Hello my friend!!
Your pipeline rule worked!!! Thank you very much…
Have you ever made a pipeline rule to use with CEF2 instead of CEF?
Tks
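For reference, the same "strip the prefix, then parse from CEF:" idea as a stand-alone script, covering the CEF:2 layout asked about above. This is an added example, not code from the thread or from SentinelOne/Graylog; the sample line is a constructed, trimmed copy of the one posted earlier, with straight quotes in the list value, and the pipe-delimited key=value layout (rather than standard space-separated CEF extensions) is assumed from that sample.

```python
import ast
import re

# Constructed sample, trimmed from the SentinelOne line posted in this thread;
# the leading "HH:MM:SS,mmm host - " prefix is what stops the CEF input parsing.
SAMPLE = (
    "20:34:57,360 sentinel - CEF:2|SentinelOne|Mgmt|ip=20.20.21.22|eventID=5126"
    "|eventDesc=SentinelOne: Device Control connected USB Microsoft LifeCam HD-3000 on PC-01 (kdbuu)"
    "|eventSeverity=1|rt=2022-07-11 20:33:24.267876"
    "|endpointDeviceControlRuleId=1397004722801134701 |endpointDeviceControlSerial="
    "|cat=EndpointDeviceControlEvent|sourceHostName=PC-1"
    "|sourceIpAddresses=['192.168.0.124', 'fe80::70b3:8760:77a8:e992']|notificationScope=SITE"
)

# Same idea as the pipeline rule's "(CEF:.*)$": keep from the CEF header to end of line.
CEF_START = re.compile(r"(CEF:\d+\|.*)$")


def strip_syslog_prefix(line: str) -> str:
    """Drop the timestamp/hostname prefix so the line starts at 'CEF:'."""
    match = CEF_START.search(line)
    if match is None:
        raise ValueError("line does not contain a CEF header")
    return match.group(1)


def parse_sentinelone_cef(line: str) -> dict:
    """Parse the pipe-delimited CEF:2 layout from the thread into a dict."""
    version_field, vendor, product, *pairs = strip_syslog_prefix(line).split("|")
    raw = []
    for pair in pairs:
        key, sep, value = pair.partition("=")
        if sep:
            raw.append([key.strip(), value])
        elif raw:
            raw[-1][1] += "|" + pair  # a '|' inside a value: re-attach to previous field
    event = {"cef_version": version_field.split(":", 1)[1], "vendor": vendor, "product": product}
    for key, value in raw:
        value = value.strip()  # sample has trailing spaces, e.g. after the RuleId
        if value.startswith("[") and value.endswith("]"):
            try:  # list-style values such as sourceIpAddresses; literal_eval only accepts literals
                value = ast.literal_eval(value)
            except (ValueError, SyntaxError):
                pass
        event[key] = value if value != "" else None  # empty fields become None
    return event
```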
