Skip to main content
Sumo Logic

Collect logs for Carbon Black

This page provides instructions for adding a hosted collector and HTTP sources, then configuring collection agents to collect findings for Carbon Black App.

This page provides instructions for adding a hosted collector, HTTP, and S3 sources, then configuring collection agents to collect findings for the Carbon Black App.

Collection overview

Carbon Black EDR events can be sent to Sumo Logic via its event forwarder mechanism. The cb-event-forwarder can be installed on any 64-bit Linux machine running CentOS 6.x. It can be installed on the same machine as the Carbon Black server, or any other machine. Data can be sent in either JSON or LEEF format, both of which are supported by Sumo Logic.

Carbon Black Cloud Endpoint Standard events can be collected events can be collected via Carbon Black Event Forwarder S3 mechanism and a Sumo Logic S3 source. For more in-depth information, see the Carbon Black documentation for Endpoint Standard and EDR.

Step 1: Adding a Hosted Collector,

To add a hosted collector, perform the steps as defined on the page Configure a Hosted Collector.

Step 2: Configure Collection for Carbon Black EDR

Step 2a: Adding an HTTP Source for Carbon Black EDR

To add an HTTP source for Carbon Black EDR do the following

  1. Add HTTP Logs and Metrics Source for Carbon Black EDR.
     

CB_Response-EditSource-dialog.png

CB_HTTP-Source-Address-dialog.png

Step 2b: Getting credentials from Carbon Black EDR

Carbon Black EDR event forwarder requires a RabbitMQ Username and Password. Copy RabbitMQUser and RabbitMQPassword from /etc/cb.conf from the Carbon Black EDR server. These will be required in the next step.

Step 2c: Configuring the event forwarder for Carbon Black EDR

This section provides instructions for configuring the collection of Carbon Black EDR events. 

To configure the collection of Carbon Black EDR events

  1. If it isn't already present, install the CbOpenSource repository .

cd /etc/yum.repos.d
curl -O https://opensource.carbonblack.com/release/x86_64/CbOpenSource.repo
  1. Install the RPM with YUM.
yum install cb-event-forwarder
  1. Configure cb-event-forwarder

  • If installing on a machine other than the Carbon Black EDR server, copy the RabbitMQ username and password into the rabbit_mq_username and rabbit_mq_password variables in /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf file. Also fill out the cb_server_hostname with the hostname or IP address where the Carbon Black EDR server can be reached.
  • If the cb-event-forwarder is forwarding events from a Carbon Black EDR cluster, the cb_server_hostname should be set to the hostname or IP address of the Carbon Black EDR master node. More details here.
  • Additionally set the following variables in the cb-event-forwarder.conf:

- output_type as http

- output_format as json or leef as required

- httpout as the HTTP Source Address from the previous step

  • Ensure that the configuration is correct, by running (as root) the cb-event-forwarder in check mode:
/usr/share/cb/integrations/event-forwarder/cb-event-forwarder -check

If everything is OK, you will see a message starting with "Initialized output”. If there are errors, they will appear on your screen.

  1. Start and stop the service.

Once the service is installed, it is managed by the Upstart init system in CentOS 6.x. You can control the service with the initctl command:

  • To start the service: 
initctl start cb-event-forwarder
  • To stop the service: 
initctl stop cb-event-forwarder

Step 3: Configure Collection for Carbon Black Cloud Endpoint Standard

Step 3a: Adding an S3 Source for Carbon Black Cloud Endpoint Standard

To add an S3 source for Carbon Black Cloud Endpoint Standard, do the following

  1. Create a new bucket in S3 for Carbon Black Cloud Endpoint Standard events collection.
  2. Add an S3 for Carbon Black Cloud Endpoint Standard as per below example, populate the bucket name and path as created in the previous step.

Step 3b: Configuring Carbon Black Cloud Endpoint Standard to send alerts and events to S3

Carbon Black Cloud Endpoint Standard events will be pushed to S3 via Carbon Black Event Forwarder S3 and will be collected via Sumo logic S3 source. 

To configure the Event Forwarder, follow the steps as mentioned here. Please carefully evaluate this information to assure that your configuration reflects the data set you would like to send to Sumo Logic.

Utilize the S3 bucket created in the previous steps while configuring the Event Forwarder.

Step 4: Verifying Sumo is receiving findings

In Sumo, open a Live Tail tab and run a search to verify Sumo is receiving findings. Search by the source category you assigned to the HTTP Source that receives the log data, for example:

_sourceCategory="cb_edr_events" or _sourceCategory="cb_endpoint_standard_events"

For more information about using Live Tail, see Live Tail.

Sample Log Messages

This section provides examples of JSON and LEEF log messages.

Carbon Black Cloud Endpoint Standard - JSON

{
  "type": "WATCHLIST",
  "id": "efaa284a-a995-4de9-b524-a548d3fb06da",
  "legacy_alert_id": "7DESJ9GN-00340e2b-000005a4-00000000-1d70b72a8bf72ad-6C3681D234D45B831699EB80627C96F6",
  "org_key": "7DESJ9GN",
  "create_time": "2021-03-03T09:31:45Z",
  "last_update_time": "2021-03-03T09:31:45Z",
  "first_event_time": "2021-03-03T09:27:30Z",
  "last_event_time": "2021-03-03T09:27:30Z",
  "threat_id": "CF6977EA8CB7343813145381835E9D25",
  "severity": 8,
  "category": "WARNING",
  "device_id": 3411499,
  "device_os": "WINDOWS",
  "device_name": "QA\\VM-2k12-DG01",
  "device_username": "user.abc@zxc.com",
  "policy_id": 6525,
  "policy_name": "Default",
  "target_value": "LOW",
  "workflow": {
"state": "OPEN",
"remediation": "",
"last_update_time": "2021-03-03T09:30:39Z",
"comment": "",
"changed_by": "Carbon Black"
  },
  "device_internal_ip": "10.4.2.153",
  "device_external_ip": "65.127.112.131",
  "alert_url": "https://defense.conferdeploy.net/cb/investigate/processes?orgId=1105&query=alert_id%3Aefaa284a-a995-4de9-b524-a548d3fb06da+AND+device_id%3A3411499&searchWindow=ALL",
  "reason_code": "Process procman.exe was detected by the report \"Processes NOT Listed and Not Signed\" in watchlist \"TEST Use Cases for Adaptive Response Actions\"",
  "process_name": "procman.exe",
  "threat_indicators": [
{
   "process_name": "procman.exe",
   "sha256": "c926606c9372da3b8033307011dbee69879ed374024d8dacea405d05c724f244",
   "ttps": [
     "3c1ae54d-96c8-42a7-ada0-d2db38c9a081"
   ]
}
  ],
  "threat_cause_actor_sha256": "c926606c9372da3b8033307011dbee69879ed374024d8dacea405d05c724f244",
  "threat_cause_actor_name": "procman.exe",
  "threat_cause_reputation": "NOT_LISTED",
  "threat_cause_threat_category": "RESPONSE_WATCHLIST",
  "threat_cause_vector": "UNKNOWN",
  "run_state": "RAN",
  "ioc_id": "3c1ae54d-96c8-42a7-ada0-d2db38c9a081",
  "ioc_hit": "(process_reputation:NOT_LISTED AND NOT process_publisher_state:FILE_SIGNATURE_STATE_SIGNED)",
  "watchlists": [
{
   "id": "BeCXz92RjiQxN1PnYlM6w",
   "name": "TEST Use Cases for Adaptive Response Actions"
}
  ],
  "process_guid": "7DESJ9GN-00340e2b-000005a4-00000000-1d70b72a8bf72ad",
  "process_path": "c:\\program files\\abc\\administration api\\admin api\\dependencies\\procman-beta\\procman.exe",
  "report_name": "Processes NOT Listed and Not Signed",
  "report_id": "7M4vlko3THG1v6a0kGOtpw",
  "status": "UNRESOLVED"

Carbon Black EDR - JSON 

{
  "cb_server":"cbserver",
  "cb_version":"6.2.4.181112.1308",
  "computer_name":"suse-agent1",
  "feed_id":34,
  "feed_name":"carbonstream",
  "from_feed_search":false,
  "group":"mnt 3rd wave",
  "hostname":"suse-agent1",
  "ioc_attr":{
  "direction":"Outbound",
  "dns_name":"qrgrakybjmcko.sumonetworks.com",
  "local_ip":"192.168.1.14",
  "local_port":7316,
  "port":7316,
  "protocol":"UDP",
  "remote_ip":"198.108.66.208",
  "remote_port":1381
  },
  "ioc_type":"ipv4",
  "ioc_value":"165.160.13.20",
  "os_type":"OSX",
  "process_guid":"000009a9-0000-4b8d-01d4-a897a4ce3f0a",
  "process_id":"0000408a-0000-3324-01d4-a7d3e8679254",
  "report_id":"2aaba46c8302f9805284c3b2bd6ce932",
  "report_score":100,
  "segment_id":"1547092507241",
  "sensor_id":850,
  "server_name":"localhost",
  "timestamp":"1548931379",
  "type":"feed.ingress.hit.process"
}

Carbon Black EDR LEEF


1234 <12>0 2019-01-31T16:12:54.111+0530 previous-gymnast cb-notifications 94538 - - 
reason=feed.storage.hit type=event process_guid=0000148e-0000-0c70-01d4-a8dc9f4b27b2 
segment_id=1547094054393 host='rhel-agent1' comms_ip='142.255.119.77' interface_ip='172.20.4.130'  
sensor_id=4994 feed_id=13 feed_name='bit9endpointvisibility' ioc_type='query' ioc_value='
{""index_type"": ""events"", ""search_query"": ""cb.urlver=1&q=(regmod%3Adomains%5Caccount%5Cusers%5Cnames%5C*)""}' 
timestamp='1548931374' start_time='2019-01-31T16:12:54.111+0530' group='aes 2nd wave' process_md5=
'0f9760b796dede249193b1f7844104b1' process_name='lsass.exe' process_path='c:\windows\system32\lsass.exe' 
last_update='2019-01-31T16:12:54.111+0530'  alliance_updated_bit9endpointvisibility='2018-10-31T17:11:39.000Z' 
alliance_data_bit9endpointvisibility='74ccc9e8-ffc6-4e0b-ba88-0e947cf7b146' alliance_link_bit9endpointvisibility='
' alliance_score_bit9endpointvisibility='20'

Query example

This section provides a sample query from the Top Processes panel of the EDR - Processes dashboard.

Parameters
  • Host_Name: *
  • IOC_Type: *
  • Feed_Name: *
  • Watchlist_Name: *
  • Group: *
  • Status: *
  • Process_Name: *
Query String
_sourceCategory="Labs/cb-edr-json" | parse regex "(?:process_name)(?:\"\:\"|=')
(?<process_name>.*?)(?:\"|')" multi | parse regex "ioc_type(?:\"\:\"|=')(?<ioc_type>.*?)(?:\"|')
" nodrop | parse regex "feed_name(?:\"\:\"|=')(?<feed_name>.*?)(?:\"|')" nodrop | parse regex 
"group(?:\"\:\"|=')(?<group>.*?)(?:\"|')" nodrop | parse regex "(?:hostname|host)(?:\"\:\"|=')
(?<hostname>.*?)(?:\"|')" nodrop | parse regex "watchlist_name(?:\"\:\"|=')(?<watchlist_name>.*?)
(?:\"|')" nodrop | parse regex "status(?:\"\:\"|=')(?<status>.*?)(?:\"|')" nodrop | where 
(isBlank(hostname) or hostname matches {{Host_Name}}) and (isBlank(ioc_type) or ioc_type matches 
{{IOC_Type}}) and (isBlank(feed_name) or feed_name matches {{Feed_Name}}) and (isBlank(watchlist_name)
 or watchlist_name matches {{Watchlist_Name}}) and (isBlank(group) or group matches {{Group}}) and 
 (isBlank(status) or status matches {{Status}}) and process_name matches {{Process_Name}} | 
 count by process_name | sort by _count | limit 10