The Type of Data that a Linux Sensor Can Capture
Article ID: 285010
Updated On:
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Carbon Black Cloud Enterprise EDR
Issue/Introduction
What kind of data/events can a Linux sensor capture?
Environment
- Carbon Black Cloud Linux Sensor: All Versions
Resolution
There are two types of data we receive from the sensor: metaData and event type data.
- MetaData (searchable in the console via fields like: process_name, process_hash, device_name, etc.), is consistent for the life of the process or device.
- Event type data (searchable in the console via fields like: childproc, blocked/terminate, netconn, modload, etc.) are unique for every event.
Table below shows all event types and which are supported by the Linux sensor.
|
Event Type
|
Linux
|
| blocked/terminated | Yes |
| childproc | Yes |
| crossproc | No |
| emet | No |
| filemod | Yes |
| fork | Yes |
| modload | No |
| netconn IPV4/IPV6 | Yes (both) |
| posix_exec | Yes |
| regmod (create key, delete key, create value, delete value) | No |
| tamper | No |
| fileless scriptload | No |
Feedback
Yes
No
Powered by
