NIOS-X Logging

  • LEEF (Log Event Extended Format) — LEEF is a proprietary event format designed specifically for IBM QRadar integration. It allows hardware and software product manufacturers to read and map device events.
  • CEF (Common Event Format) — CEF is an open log management standard that simplifies log management. It allows third parties to create their own device schemas that are compatible with a standard that is used industry-wide for normalizing security events.

When using “Syslog” as a destination in Data Connector, you can choose CEF or LEEF, both of which are fully compliant with RFC 5424. The headers (PRI, VERSION, TIMESTAMP, HOSTNAME, APP-NAME, PROCID, MSGID, and STRUCTURED-DATA) are added, and the date/time format is also updated.
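As an added example (not Infoblox code or output), the Python below parses an RFC 5424 line whose MSG part carries a CEF payload, splitting out the envelope headers listed above and the CEF header and extension fields. The sample line, the vendor and product strings, the hostnames and all function names are constructed for illustration, and it assumes the CEF text sits in the MSG part; LEEF payloads are not handled.

```python
import re

# RFC 5424 envelope: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
SD = r'(?:\[(?:[^\]"]|"(?:[^"\\]|\\.)*")*\])+'  # SD-ELEMENTs; quoted values may hold escaped ] and quotes
ENVELOPE = re.compile(
    r"<(\d{1,3})>(\d{1,2}) (\S+) (\S+) (\S+) (\S+) (\S+) (-|" + SD + r")(?: (.*))?$", re.S)
FIELDS = ("version", "timestamp", "hostname", "app_name", "procid", "msgid", "structured_data")
CEF_HEADER = ("cef_version", "vendor", "product", "device_version", "signature_id", "name", "severity")
EXT_KEY = re.compile(r"(?:^|(?<= ))(\w+)=")  # key= at start or after a space; an escaped "=" never matches

def split_unescaped(text, sep, maxsplit):
    """Split on sep at most maxsplit times, stepping over backslash-escaped characters."""
    parts, cur, i = [], "", 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            cur, i = cur + text[i:i + 2], i + 2
        elif text[i] == sep and len(parts) < maxsplit:
            parts, cur, i = parts + [cur], "", i + 1
        else:
            cur, i = cur + text[i], i + 1
    return parts + [cur]

def unescape(value):  # CEF escapes: \| in header fields, \= in extension values, \\ in both
    return re.sub(r"\\([|=\\])", r"\1", value)

def parse_cef(msg):
    parts = split_unescaped(msg[4:], "|", 7)
    if not msg.startswith("CEF:") or len(parts) < 8:
        raise ValueError("not a CEF payload")
    event = dict(zip(CEF_HEADER, map(unescape, parts[:7])))
    keys = list(EXT_KEY.finditer(parts[7]))
    ends = [k.start() for k in keys[1:]] + [len(parts[7])]
    event["extension"] = {k.group(1): unescape(parts[7][k.end():end].rstrip())
                          for k, end in zip(keys, ends)}
    return event

def parse_syslog(line):
    m = ENVELOPE.match(line.strip())
    if not m:
        raise ValueError("not an RFC 5424 message")
    record = dict(zip(FIELDS, m.groups()[1:8]))
    pri = int(m.group(1))  # PRI = facility * 8 + severity
    record.update(facility=pri >> 3, severity=pri & 7, cef=parse_cef(m.group(9) or ""))
    return record

# Constructed sample line with placeholder values (not real Infoblox output)
SAMPLE = (r"<134>1 2024-01-01T00:00:00Z collector.example.test example-app 1234 - - "
          r"CEF:0|ExampleVendor|ExampleProduct|1.0|100|DNS \| query|3|"
          r"src=192.0.2.10 msg=a\=b c dhost=host.example.test")
```

Splitting on every `|` or `=` without honouring the backslash escapes is the usual way such parsers shift fields, so the sample deliberately includes both.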

Endpoint Logs

When a user tries to disable Endpoint, the attempt is logged in CSP under Monitor > Logs > Security logs (search for b1e.utility).

Logs

When Creating New User

  • Action: Create
  • App Identifier: identity
  • Resource type: users
  • Event Summary: User is created
  • User: the user who created the new account (not the new username)

Creating Lookalike Domain

  • Action: Update
  • App Identifier: tdlad
  • Resource type: lookalike_target
  • Event Summary: Lookalike Watch Domains have been updated.
infoblox_uddi/logging.txt · Last modified: by bstafford