CB Event Forwarder 3.2.3 Released

Posted on August 3, 2016

---

This release is a minor bugfix release that fixed the following issues:

• Source and destination IP addresses are sometimes flipped in the LEEF output
• Unique ID for Alerts was incorrectly used to calculate the Process link (link_process)

In addition, two changes were made in this release:

• A link_sensor is now generated for all raw endpoint events
• The list of Watchlist, Feed, and Binarystore events is expanded to any EDR event type that starts with watchlist.*, feed.* and binarystore.* respectively.

Additional Documentation

A new Event Forwarder output reference was added to address the issues brought forward in issue 50 (wrong segment ID in deep links). Since the event forwarder receives the events before they’re stored on disk, the segment ID information is not available. Only events that contain a segment_id field (for example, watchlist/feed/alert hits) have the full process GUID and segment link available. For other events (notably raw sensor events) the deep process link will be made to the first segment of the process.

All users, especially users forwarding events to IBM QRadar, are encouraged to upgrade to 3.2.3.