[filteradd] Carbon Black Protection CEF format (#590)

docs/gettingstarted/index.md

@@ -37,6 +37,7 @@ using the SC4S defaults. SC4S can be easily customized to use different indexes
 
 * email
 * epav
+* epintel
 * netauth
 * netdlp
 * netdns
@@ -46,6 +47,7 @@ using the SC4S defaults. SC4S can be easily customized to use different indexes
 * netwaf
 * netproxy
 * netipam
+* oswin
 * oswinsec
 * osnix
 * em_metrics (Optional opt-in for SC4S operational metrics; ensure this is created as a metrics index)

docs/sources/VMWare/index.md

@@ -1,5 +1,61 @@
 # Vendor - Dell - VMware
 
+## Product - Carbon Black Protection
+
+| Ref            | Link                                                                                                    |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on CEF | none                                                  |
+| Splunk Add-on Source Specific | https://bitbucket.org/SPLServices/ta-cef-imperva-incapsula/downloads/                                                               |
+
+
+### Sourcetypes
+
+| sourcetype     | notes                                                                                                   |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| cef        | Common sourcetype                                                                                                 |
+
+### Source
+
+| source     | notes                                                                                                   |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| carbonblack:protection:cef       | Note this method of onboarding is not recommended for a more complete experience utilize the json format supported by he product with hec or s3                                                                            |
+
+### Index Configuration
+
+| key            | source     | index          | notes          |
+|----------------|----------------|----------------|----------------|
+| Carbon Black_Protection      | carbonblack:protection:cef      | epintel          | none          |
+
+### Filter type
+
+MSG Parse: This filter parses message content
+
+### Options
+
+Note listed for reference processing utilizes the Microsoft ArcSight log path as this format is a subtype of CEF
+
+| Variable       | default        | description    |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_CEF_TCP_PORT      | empty string      | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers |
+| SC4S_LISTEN_CEF_UDP_PORT      | empty string      | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers |
+| SC4S_ARCHIVE_CEF | no | Enable archive to disk for this specific source |
+| SC4S_DEST_CEF_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
+
+* NOTE:  Set only _one_ set of CEF variables for the entire SC4S deployment, regardless of how
+many ports are in use by this CEF source (or any others).  See the "Common Event Format" source
+documentation for more information.
+
+### Verification
+
+An active site will generate frequent events use the following search to check for new events
+
+Verify timestamp, and host values match as expected
+
+```
+index=<asconfigured> (sourcetype=cef source="carbonblack:protection:cef")
+```
+
+
 ## Product - vSphere - ESX NSX (Controller, Manager, Edge)
 
 

package/etc/context_templates/splunk_metadata.csv.example

@@ -2,8 +2,8 @@ bluecoat_proxy,index,netproxy
 brocade_syslog,index,netops
 ArcSight_ArcSight,index,main
 ArcSight_ArcSight,source,ArcSight:ArcSight
-Carbon Black_Protection,sourcetype,carbonblack:protection:cef
-Carbon Black_Protection,index,cb:cef
+Carbon Black_Protection,source,carbonblack:protection:cef
+Carbon Black_Protection,index,epintel
 Cyber-Ark_Vault,index,netauth
 Cyber-Ark_Vault,sourcetype,cyberark:epv:cef
 CyberArk_PTA,index,main