
Collect logs for Carbon Black

This page provides instructions for adding a Hosted Collector and HTTP Sources, then configuring collection agents to collect findings for the Carbon Black App.

Collection overview

Carbon Black Response (EDR) events can be sent to Sumo Logic through its event forwarder, cb-event-forwarder. The forwarder can be installed on any 64-bit Linux machine running CentOS 6.x, either on the Carbon Black server itself or on a separate machine. Data can be sent in JSON or LEEF format; both are supported by Sumo Logic.

Carbon Black Defense or Carbon Black Endpoint Standard events can be collected by a Carbon Black Defense source.

For more in-depth information, see the Carbon Black documentation for Defense (Endpoint Standard) and Response (EDR).

Step 1: Adding a Hosted Collector, an HTTP Source, and a Carbon Black Defense Source

This section shows how to add a hosted Sumo Logic collector, an HTTP Logs and Metrics Source, and a Carbon Black Defense Source to collect events for Carbon Black.

Prerequisite

Before creating the HTTP Source and the Carbon Black Defense Source, identify the Sumo Logic Hosted Collector you want to use, or create a new Hosted Collector as described in the following task.

To add a hosted collector, an HTTP Source, and a Carbon Black Defense Source, do the following:

  1. To create a new Sumo Logic Hosted Collector, perform the steps in Configure a Hosted Collector.

  2. Add an HTTP Logs and Metrics Source for Carbon Black Response (EDR). Copy the HTTP Source Address that is shown when the source is saved; it is needed when you configure the event forwarder for Carbon Black Response and the syslog connector for Carbon Black Defense. The address is a unique URL that grants write access to the source, so handle it as a credential: do not paste it into tickets or commit it to shared configuration repositories.

     (Screenshot: Edit Source dialog for the Carbon Black Response HTTP Source)

     (Screenshot: HTTP Source Address dialog)

  3. Add a Carbon Black Defense Source for Carbon Black Defense (Endpoint Standard).

     (Screenshot: Add Carbon Black Defense Source dialog)

Step 2: Getting credentials and other required information from Carbon Black

Gather the following information:

  • The Carbon Black Response (EDR) event forwarder requires a RabbitMQ username and password. Copy the RabbitMQUser and RabbitMQPassword values from /etc/cb.conf on the CB Response (EDR) server. They are required in the next step.

Step 3: Configuring the event forwarder for Carbon Black Response (EDR)

This section provides instructions for configuring the collection of Carbon Black Response (EDR) events. 

To configure the collection of Carbon Black Response (EDR) events, do the following:

  1. If it isn't already present, install the CbOpenSource repository.

cd /etc/yum.repos.d
curl -O https://opensource.carbonblack.com/release/x86_64/CbOpenSource.repo

  2. Install the RPM with YUM.

yum install cb-event-forwarder

  3. Configure cb-event-forwarder.

  • If installing on a machine other than the Carbon Black Response (EDR) server, copy the RabbitMQ username and password into the rabbit_mq_username and rabbit_mq_password variables in the /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf file. Also set cb_server_hostname to the hostname or IP address at which the Cb Response (EDR) server can be reached.
  • If the cb-event-forwarder is forwarding events from a Carbon Black Response (EDR) cluster, set cb_server_hostname to the hostname or IP address of the Cb Response (EDR) master node. See the Carbon Black EDR documentation for details.
  • Additionally, set the following variables in cb-event-forwarder.conf:

- output_type as http

- output_format as json or leef, as required

- httpout as the HTTP Source Address from Step 1

  Because the file now holds the RabbitMQ password and the HTTP Source Address, keep it readable by root only (for example, mode 0600).

  • Ensure that the configuration is correct by running the cb-event-forwarder (as root) in check mode:

/usr/share/cb/integrations/event-forwarder/cb-event-forwarder -check

If everything is OK, you will see a message starting with "Initialized output". If there are errors, they appear on your screen.

  4. Start and stop the service.

Once the service is installed, it is managed by the Upstart init system in CentOS 6.x. You can control the service with the initctl command:

  • To start the service:
initctl start cb-event-forwarder
  • To stop the service:
initctl stop cb-event-forwarder

Step 4: Configuring the syslog connector for Carbon Black Defense (Endpoint Standard)

This section provides instructions for configuring the syslog connector for Carbon Black Defense (Endpoint Standard).

To install and configure the cb-defense-syslog-tls connector, do the following on the target Linux system:

  1. Log in as the root user.

  2. If it is not already present, install the CbOpenSource repository.

cd /etc/yum.repos.d
curl -O https://opensource.carbonblack.com/release/x86_64/CbOpenSource.repo

  3. Install the RPM with YUM.

sudo yum install python-cb-defense-syslog

  4. Configure cb-defense-syslog-tls in the following way:

a. Copy the example config file.

cd /etc/cb/integrations/cb-defense-syslog
sudo cp cb-defense-syslog.conf.example cb-defense-syslog.conf

b. Edit the variables in /etc/cb/integrations/cb-defense-syslog/cb-defense-syslog.conf. Replace the placeholders in angle brackets with your Sumo Logic HTTP Source Address and the Cb Defense connector ID, SIEM API key and server URL.

output_format=json
output_type=http
http_out=<Sumo Logic HTTP Source Address>
http_headers={}
https_ssl_verify=True
connector_id=<Cb Defense Connector ID>
api_key=<Cb Defense SIEM API Key>
server_url=<Cb Defense Server URL>
ca_cert=/etc/cb/integrations/cb-defense/ca.pem

Keep https_ssl_verify set to True so that the connector validates the Sumo Logic endpoint's certificate before posting alerts over HTTPS. The file also contains the SIEM API key and the HTTP Source Address, so restrict it to root (mode 0600).

c. Optional. Multiple Cb Defense servers can be added to the same config file. For details, see the Carbon Black Defense (Endpoint Standard) documentation.

  5. While still logged in as root, test the new connector in the following way:

a. Run the following command.

/usr/share/cb/integrations/cb-defense-syslog/cb-defense-syslog --config-file /etc/cb/integrations/cb-defense-syslog/cb-defense-syslog.conf --log-file /var/log/cb/integrations/cb-defense-syslog/cb-defense-syslog.log

b. Now run this command.

cat /var/log/cb/integrations/cb-defense-syslog/cb-defense-syslog.log

A successful run will resemble the following example.

2017-06-27 09:24:10,747 - __main__ - INFO - Found 1 Cb Defense Servers in config file
2017-06-27 09:24:10,748 - __main__ - INFO - Handling notifications for https://api-eap01.conferdeploy.net
2017-06-27 09:24:10,748 - __main__ - INFO - Attempting to connect to url: https://api-eap01.conferdeploy.net
2017-06-27 09:24:10,748 - __main__ - INFO - connectorID = XXXX
2017-06-27 09:24:10,845 - __main__ - INFO - <Response [200]>
2017-06-27 09:24:10,845 - __main__ - INFO - sessionId = XXXX
2017-06-27 09:24:10,888 - __main__ - INFO - <Response [200]>
2017-06-27 09:24:10,889 - __main__ - INFO - successfully connected, no alerts at this time
2017-06-27 09:24:10,889 - __main__ - INFO - There are no messages to forward to host
  6. Start the connector by enabling it with a cron job, as follows.

a. In a text editor (such as vi), open the /etc/cron.d/cb-defense-syslog file.

b. Uncomment the Cb Defense Connector entry by removing the leading # from the last line of the file.

By default, the connector will run once per hour.
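The following script is an added example, not part of Carbon Black's or Sumo Logic's tooling. It runs the pre-flight checks a practitioner would want before starting either the cb-event-forwarder (Carbon Black Response) or the cb-defense-syslog connector (Carbon Black Defense) against a Sumo Logic HTTP Source: output type and format, an https:// Source Address, certificate verification left on, the RabbitMQ or SIEM API credentials present, and file permissions that keep those secrets away from non-root users. It assumes both config files are INI-style key=value text, with or without a section header, using the key names shown on this page; the embedded sample configs are constructed placeholders, not real credentials or Source Addresses.

```python
"""Pre-flight checks for cb-event-forwarder.conf (Step 3) and
cb-defense-syslog.conf (Step 4) before pointing them at a Sumo Logic HTTP Source.

Added example, not Carbon Black's or Sumo Logic's code. Assumes INI-style
key=value files using the key names from this page; samples are constructed."""
import configparser
import os
from urllib.parse import urlparse

TRUE_VALUES = ("true", "yes", "on", "1")


def _load(text):
    """Parse INI-style text into a flat dict; tolerate a missing section header."""
    cp = configparser.ConfigParser(interpolation=None)  # passwords may contain '%'
    try:
        cp.read_string(text)
    except configparser.MissingSectionHeaderError:
        cp.read_string("[bridge]\n" + text)
    return {k: v.strip() for s in cp.sections() for k, v in cp[s].items()}


def check_connector_text(text, mode=0o600):
    """Return a list of problems found in the config text.
    `mode` is the file's permission bits (st_mode & 0o777)."""
    cfg = _load(text)
    problems = []

    if cfg.get("output_type", "").lower() != "http":
        problems.append("output_type must be http to post to a Sumo Logic HTTP Source")
    if cfg.get("output_format", "").lower() not in ("json", "leef"):
        problems.append("output_format must be json or leef")

    # The forwarder names the key httpout, the Defense connector http_out.
    url = urlparse(cfg.get("httpout") or cfg.get("http_out") or "")
    if url.scheme != "https" or not url.netloc:
        problems.append("httpout/http_out must be the https:// HTTP Source Address from Sumo Logic")

    # Defense connector: a blank or False value disables TLS certificate checks.
    if "https_ssl_verify" in cfg and cfg["https_ssl_verify"].lower() not in TRUE_VALUES:
        problems.append("https_ssl_verify is not True; the Sumo Logic endpoint certificate would not be checked")

    # EDR forwarder on a separate host needs explicit RabbitMQ credentials
    # (assumption: localhost means it runs on the EDR server and reads /etc/cb.conf).
    host = cfg.get("cb_server_hostname", "localhost") or "localhost"
    if host not in ("localhost", "127.0.0.1"):
        for key in ("rabbit_mq_username", "rabbit_mq_password"):
            if not cfg.get(key):
                problems.append(f"{key} is empty; copy it from /etc/cb.conf on the EDR server")

    # Defense connector needs its SIEM API credentials.
    if "server_url" in cfg:
        for key in ("connector_id", "api_key"):
            if not cfg.get(key):
                problems.append(f"{key} is empty; take it from the Cb Defense SIEM connector settings")

    # Both files hold secrets (password, API key, Source Address): root-only.
    if mode & 0o077:
        problems.append(f"file mode {mode:o} lets group/other read secrets; use chmod 600")
    return problems


def check_connector_file(path):
    """Run the checks against a real file, using its actual permission bits."""
    with open(path) as fh:
        text = fh.read()
    return check_connector_text(text, os.stat(path).st_mode & 0o777)


# Constructed sample: forwarder on a separate host, correctly configured.
FORWARDER_OK = """\
[bridge]
output_type=http
output_format=json
httpout=https://collectors.sumologic.com/receiver/v1/http/PLACEHOLDER_TOKEN
cb_server_hostname=cb-edr-master.example.internal
rabbit_mq_username=cb
rabbit_mq_password=placeholder-password
"""

# Constructed sample: common mistakes (no section header, file output,
# plain http, remote EDR server without RabbitMQ credentials).
FORWARDER_BAD = """\
output_type=file
output_format=json
httpout=http://collectors.sumologic.com/receiver/v1/http/PLACEHOLDER_TOKEN
cb_server_hostname=cb-edr-master.example.internal
"""

# Constructed sample: Defense connector with https_ssl_verify left blank.
DEFENSE_UNVERIFIED = """\
[general]
output_format=json
output_type=http
http_out=https://collectors.sumologic.com/receiver/v1/http/PLACEHOLDER_TOKEN
http_headers={}
https_ssl_verify=
connector_id=PLACEHOLDER_CONNECTOR_ID
api_key=PLACEHOLDER_API_KEY
server_url=https://api-eap01.conferdeploy.net
ca_cert=/etc/cb/integrations/cb-defense/ca.pem
"""

if __name__ == "__main__":
    for name, text, mode in (("ok", FORWARDER_OK, 0o600), ("bad", FORWARDER_BAD, 0o644),
                             ("defense", DEFENSE_UNVERIFIED, 0o600)):
        print(name, check_connector_text(text, mode))
```

On a real host, call check_connector_file("/etc/cb/integrations/event-forwarder/cb-event-forwarder.conf") before running the forwarder's -check mode; the forwarder's own check validates that it can reach RabbitMQ and initialize the output, while this script catches the plaintext-URL and permission mistakes that the forwarder would happily run with.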

Step 5: Verifying Sumo is receiving findings

In Sumo, open a Live Tail tab and run a search to verify Sumo is receiving findings. Search by the source category you assigned to the HTTP Source that receives the log data, for example:

_sourceCategory="cb_response_events"

For more information about using Live Tail, see Live Tail.

Sample Log Messages

This section provides examples of JSON and LEEF log messages.

CB Defense (Endpoint Standard) - JSON

{
  "eventTime":1549271951761,
  "eventDescription":"[Global Alert Notification] [Carbon Black has detected a threat against your company.] [https://defense.conferdeploy.net#device/1220670/incident/IJ8PELL5] [The application powershell.exe attempted to bypass policy settings.] [Incident id: IJ8PELL5] [Threat score: 2] [Group: Tenable_Policy] [Email: SYNCURITYLABS\\administrator] [Name: SYNCURITYLABS\\24s-winedr-test] [Type and OS: WINDOWS Windows 10 x64] [Severity: Monitored]\n",
  "url":"https://defense.conferdeploy.net/investigate?s[searchWindow]=ALL&s[c][DEVICE_ID][0]=1220670&s[c][INCIDENT_ID][0]=IJ8PELL5",
  "deviceInfo":{
  "deviceName":"SYNCURITYLABS\\24s-winedr-test",
  "targetPriorityCode":0,
  "internalIpAddress":"172.16.24.101",
  "deviceHostName":null,
  "groupName":"Tenable_Policy",
  "externalIpAddress":"107.151.2.133",
  "deviceType":"WINDOWS",
  "deviceId":1220670,
  "targetPriorityType":"MEDIUM",
  "email":"SYNCURITYLABS\\administrator",
  "deviceVersion":"Windows 10 x64"
  },
  "ruleName":"Global Alert Notification",
  "type":"THREAT",
  "threatInfo":{
  "threatCause":{
     "causeEventId":"069733a2285e11e9874c63a0c6772cb2",
     "actorType":null,
     "originSourceType":"UNKNOWN",
     "actor":"d3f8fade829d2b7bd596c4504a6dae5c034e789b6a3defbe013bda7d14466677",
     "actorProcessPPid":"1312-1549271896054-18070",
     "reason":"R_POLICY_BYPASS",
     "reputation":"TRUSTED_WHITE_LIST",
     "threatCategory":"NON_MALWARE",
     "actorName":""
  },
  "summary":"The application powershell.exe attempted to bypass policy settings.",
  "score":2,
  "time":1549272007050,
  "indicators":[
     {
        "applicationName":"powershell.exe",
        "indicatorName":"MODIFY_MEMORY_PROTECTION",
        "sha256Hash":"d3f8fade829d2b7bd596c4504a6dae5c034e789b6a3defbe013bda7d14466677"
     },
     {
        "applicationName":"powershell.exe",
        "indicatorName":"ENUMERATE_PROCESSES",
        "sha256Hash":"d3f8fade829d2b7bd596c4504a6dae5c034e789b6a3defbe013bda7d14466677"
     },
     {
        "applicationName":"powershell.exe",
        "indicatorName":"BYPASS_POLICY",
        "sha256Hash":"d3f8fade829d2b7bd596c4504a6dae5c034e789b6a3defbe013bda7d14466677"
     },
     {
        "applicationName":"powershell.exe",
        "indicatorName":"MODIFY_PROCESS",
        "sha256Hash":"d3f8fade829d2b7bd596c4504a6dae5c034e789b6a3defbe013bda7d14466677"
     }
  ],
  "incidentId":"IJ8PELL5"
  }
}

CB Response (EDR) - JSON 

{
  "cb_server":"cbserver",
  "cb_version":"6.2.4.181112.1308",
  "computer_name":"suse-agent1",
  "feed_id":34,
  "feed_name":"carbonstream",
  "from_feed_search":false,
  "group":"mnt 3rd wave",
  "hostname":"suse-agent1",
  "ioc_attr":{
  "direction":"Outbound",
  "dns_name":"qrgrakybjmcko.sumonetworks.com",
  "local_ip":"192.168.1.14",
  "local_port":7316,
  "port":7316,
  "protocol":"UDP",
  "remote_ip":"198.108.66.208",
  "remote_port":1381
  },
  "ioc_type":"ipv4",
  "ioc_value":"165.160.13.20",
  "os_type":"OSX",
  "process_guid":"000009a9-0000-4b8d-01d4-a897a4ce3f0a",
  "process_id":"0000408a-0000-3324-01d4-a7d3e8679254",
  "report_id":"2aaba46c8302f9805284c3b2bd6ce932",
  "report_score":100,
  "segment_id":"1547092507241",
  "sensor_id":850,
  "server_name":"localhost",
  "timestamp":"1548931379",
  "type":"feed.ingress.hit.process"
}

CB Response (EDR) - LEEF

1234 <12>0 2019-01-31T16:12:54.111+0530 previous-gymnast cb-notifications 94538 - - reason=feed.storage.hit type=event process_guid=0000148e-0000-0c70-01d4-a8dc9f4b27b2 segment_id=1547094054393 host='rhel-agent1' comms_ip='142.255.119.77' interface_ip='172.20.4.130' sensor_id=4994 feed_id=13 feed_name='bit9endpointvisibility' ioc_type='query' ioc_value='{""index_type"": ""events"", ""search_query"": ""cb.urlver=1&q=(regmod%3Adomains%5Caccount%5Cusers%5Cnames%5C*)""}' timestamp='1548931374' start_time='2019-01-31T16:12:54.111+0530' group='aes 2nd wave' process_md5='0f9760b796dede249193b1f7844104b1' process_name='lsass.exe' process_path='c:\windows\system32\lsass.exe' last_update='2019-01-31T16:12:54.111+0530' alliance_updated_bit9endpointvisibility='2018-10-31T17:11:39.000Z' alliance_data_bit9endpointvisibility='74ccc9e8-ffc6-4e0b-ba88-0e947cf7b146' alliance_link_bit9endpointvisibility='' alliance_score_bit9endpointvisibility='20'

Query example

This section provides a sample query from the Top Processes panel of the EDR - Processes dashboard. Each parse regex accepts either the JSON form "key":"value" or the LEEF form key='value', so the same query works whichever output_format the event forwarder is configured with; the nodrop option keeps messages that lack an optional field, and the where clause only filters on a field when it is present.

Parameters
  • Host_Name: *
  • IOC_Type: *
  • Feed_Name: *
  • Watchlist_Name: *
  • Group: *
  • Status: *
  • Process_Name: *
Query String

_sourceCategory="Labs/cb-response-json"
| parse regex "(?:process_name)(?:\"\:\"|=')(?<process_name>.*?)(?:\"|')" multi
| parse regex "ioc_type(?:\"\:\"|=')(?<ioc_type>.*?)(?:\"|')" nodrop
| parse regex "feed_name(?:\"\:\"|=')(?<feed_name>.*?)(?:\"|')" nodrop
| parse regex "group(?:\"\:\"|=')(?<group>.*?)(?:\"|')" nodrop
| parse regex "(?:hostname|host)(?:\"\:\"|=')(?<hostname>.*?)(?:\"|')" nodrop
| parse regex "watchlist_name(?:\"\:\"|=')(?<watchlist_name>.*?)(?:\"|')" nodrop
| parse regex "status(?:\"\:\"|=')(?<status>.*?)(?:\"|')" nodrop
| where (isBlank(hostname) or hostname matches {{Host_Name}})
    and (isBlank(ioc_type) or ioc_type matches {{IOC_Type}})
    and (isBlank(feed_name) or feed_name matches {{Feed_Name}})
    and (isBlank(watchlist_name) or watchlist_name matches {{Watchlist_Name}})
    and (isBlank(group) or group matches {{Group}})
    and (isBlank(status) or status matches {{Status}})
    and process_name matches {{Process_Name}}
| count by process_name
| sort by _count
| limit 10
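To see what the query above actually does to the JSON and LEEF messages shown in the Sample Log Messages section, the following Python script reproduces its logic offline. It is an added example, not Sumo Logic's or Carbon Black's code: the regular expressions are the query's own, rewritten from Sumo's (?<name>...) groups to Python's (?P<name>...), the where clause and the count/sort/limit stages are emulated in plain Python, and the sample messages are constructed to resemble the page's JSON and LEEF samples rather than captured from a real server. The dashboard parameters are passed as a dict with the same names as the {{...}} placeholders.

```python
"""Run the Top Processes query logic offline over constructed sample events.

Added example, not Sumo Logic's or Carbon Black's code. Regexes are the query's,
converted to Python named groups; sample messages are constructed."""
import fnmatch
import json
import re
from collections import Counter


def _field(key_alt, group):
    # Same shape as the query: key, then either ":" (JSON) or =' (LEEF), then
    # the value up to the closing " or '. Forwarded JSON has no space after ':'.
    return re.compile("(?:%s)(?:\":\"|=')(?P<%s>.*?)(?:\"|')" % (key_alt, group))


PATTERNS = {
    "process_name": _field("process_name", "process_name"),
    "ioc_type": _field("ioc_type", "ioc_type"),
    "feed_name": _field("feed_name", "feed_name"),
    "group": _field("group", "group"),
    "hostname": _field("hostname|host", "hostname"),
    "watchlist_name": _field("watchlist_name", "watchlist_name"),
    "status": _field("status", "status"),
}

# (parsed field, dashboard parameter) pairs from the query's where clause.
FILTERS = [("hostname", "Host_Name"), ("ioc_type", "IOC_Type"), ("feed_name", "Feed_Name"),
           ("watchlist_name", "Watchlist_Name"), ("group", "Group"), ("status", "Status")]
DEFAULT_PARAMS = {param: "*" for _, param in FILTERS + [("process_name", "Process_Name")]}


def parse_event(line):
    """Extract the query's fields from one raw message.

    Fields parsed with 'nodrop' come back as '' when absent (isBlank).
    process_name is parsed with 'multi', so it is a list of every occurrence;
    an empty list means the query would drop the message."""
    ev = {}
    for name, pat in PATTERNS.items():
        if name == "process_name":
            ev[name] = [m.group(name) for m in pat.finditer(line)]
        else:
            m = pat.search(line)
            ev[name] = m.group(name) if m else ""
    return ev


def _matches(value, glob):
    """Sumo's 'matches' with a * wildcard, case-sensitive like the query."""
    return fnmatch.fnmatchcase(value, glob)


def top_processes(lines, params=None):
    """where ... | count by process_name | sort by _count | limit 10."""
    params = {**DEFAULT_PARAMS, **(params or {})}
    counts = Counter()
    for line in lines:
        ev = parse_event(line)
        if not all(ev[f] == "" or _matches(ev[f], params[p]) for f, p in FILTERS):
            continue
        for proc in ev["process_name"]:
            if _matches(proc, params["Process_Name"]):
                counts[proc] += 1
    return counts.most_common(10)


def _json_event(fields):
    # cb-event-forwarder emits compact JSON ("k":"v", no spaces), which the
    # query's ":" pattern relies on; json.dumps' default separators add a space.
    return json.dumps(fields, separators=(",", ":"))


# Constructed sample messages: two JSON process events and two LEEF feed hits.
SAMPLE_EVENTS = [
    _json_event({"hostname": "suse-agent1", "group": "mnt 3rd wave", "feed_name": "carbonstream",
                 "ioc_type": "ipv4", "process_name": "curl", "type": "feed.ingress.hit.process"}),
    _json_event({"hostname": "win-agent2", "group": "aes 2nd wave", "feed_name": "carbonstream",
                 "ioc_type": "md5", "process_name": "powershell.exe", "type": "feed.ingress.hit.process"}),
    "reason=feed.storage.hit type=event host='rhel-agent1' sensor_id=4994 "
    "feed_name='bit9endpointvisibility' ioc_type='query' group='aes 2nd wave' "
    "process_name='lsass.exe' process_path='c:\\windows\\system32\\lsass.exe'",
    "reason=feed.storage.hit type=event host='rhel-agent1' sensor_id=4994 "
    "feed_name='bit9endpointvisibility' ioc_type='query' group='aes 2nd wave' "
    "process_name='powershell.exe'",
]

if __name__ == "__main__":
    print(top_processes(SAMPLE_EVENTS))
    print(top_processes(SAMPLE_EVENTS, {"Host_Name": "rhel-*"}))
```

Running it with the default parameters counts powershell.exe twice (once from a JSON event, once from a LEEF event) and curl and lsass.exe once each; narrowing Host_Name to rhel-* keeps only the LEEF messages. The same exercise is a cheap way to test a modified panel query against a saved message before deploying it to the dashboard.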