Collect logs for Carbon Black

This page provides instructions for adding a hosted collector and HTTP sources, then configuring collection agents to collect findings for Carbon Black App.

Collection overview

Carbon Black Response events can be sent to Sumo Logic via its event forwarder mechanism. The cb-event-forwarder can be installed on any 64-bit Linux machine running CentOS 6.x, either on the same machine as the Carbon Black server or on any other machine. Data can be sent in either JSON or LEEF format, both of which are supported by Sumo Logic.

Carbon Black Defense events can be sent to Sumo via its connector. This connector is distributed as a binary RPM package for Red Hat Enterprise Linux or CentOS, version 6.x and above, running on a 64-bit Intel platform. Sumo Logic supports JSON format for Carbon Black Defense.

For more in-depth information, see the Carbon Black documentation for Defense and Response.

Step 1: Adding a Hosted Collector and HTTP Sources

This section demonstrates how to add a hosted Sumo Logic collector and HTTP Logs and Metrics sources to collect events for Carbon Black.

Prerequisite

Before creating the HTTP source, identify the Sumo Logic Hosted Collector you want to use, or create a new Hosted Collector as described in the following task.

To add a hosted collector and HTTP source, do the following:

  1. To create a new Sumo Logic Hosted Collector, perform the steps in Configure a Hosted Collector.

  2. Add two HTTP Logs and Metrics Sources, one each for Defense and Response, with different source categories.

[Screenshots: the Edit Source dialogs for the CB Response and CB Defense sources, and the HTTP Source Address dialog]

Step 2: Getting credentials and other required information from Carbon Black

Gather the following information:

  • The Carbon Black Response event forwarder requires a RabbitMQ username and password. Copy RabbitMQUser and RabbitMQPassword from /etc/cb.conf on the CB Response server. These will be required in the next step.
  • The Carbon Black Defense syslog connector requires the Carbon Black Defense connector ID, SIEM API key and API URL. The Carbon Black Defense API is accessible through a special hostname assigned to your organization. To find your organization’s API hostname, please refer to this KB article. Authentication is handled by an API key and Connector ID, which is generated from the Connectors page of the CB Defense console. More details here.

To create a SIEM key and notification rule, do the following:
  1. Log into your Carbon Black Defense Dashboard and select the Settings/Connector menu option.

  2. Create a new connector of “SIEM” type and give it a unique name.

  3. Select the Settings/Notifications menu option.

  4. Create a new Notification Rule and add your new SIEM connector to the list of notifiers. The Notification Rule defines what alerts are sent to the SIEM.

Step 3: Configuring the event forwarder for Carbon Black Response

This section provides instructions for configuring the collection of Carbon Black Response events. 

To configure collection of Carbon Black Response events, do the following:
  1. If it isn't already present, install the CbOpenSource repository.
cd /etc/yum.repos.d
curl -O https://opensource.carbonblack.com/release/x86_64/CbOpenSource.repo
  2. Install the RPM with YUM.
yum install cb-event-forwarder
  3. Configure cb-event-forwarder.

  • If installing on a machine other than the Carbon Black Response server, copy the RabbitMQ username and password into the rabbit_mq_username and rabbit_mq_password variables in the /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf file. Also fill out cb_server_hostname with the hostname or IP address where the Cb Response server can be reached.
  • If the cb-event-forwarder is forwarding events from a Carbon Black Response cluster, the cb_server_hostname should be set to the hostname or IP address of the Cb Response master node. More details here.
  • Additionally set the following variables in the cb-event-forwarder.conf:

- output_type as http

- output_format as json or leef as required

- httpout as the HTTP Source Address from the previous step

  • Ensure that the configuration is correct by running (as root) the cb-event-forwarder in check mode:
/usr/share/cb/integrations/event-forwarder/cb-event-forwarder -check

If everything is OK, you will see a message starting with "Initialized output". If there are errors, they will appear on your screen.

  4. Start and stop the service.

Once the service is installed, it is managed by the Upstart init system in CentOS 6.x. You can control the service with the initctl command:

  • To start the service: 
initctl start cb-event-forwarder
  • To stop the service: 
initctl stop cb-event-forwarder

Step 4: Configuring the syslog connector for Carbon Black Defense

This section provides instructions for configuring the syslog connector for Carbon Black Defense.

To install and configure the cb-defense-syslog-tls, do the following on the target Linux system:
  1. Log in as root user.
  2. If it is not already present, install the CbOpenSource repository.
cd /etc/yum.repos.d
curl -O https://opensource.carbonblack.com/release/x86_64/CbOpenSource.repo
  3. Install the RPM with YUM.
sudo yum install python-cb-defense-syslog
  4. Configure cb-defense-syslog-tls in the following way:

a. Copy the example config file.

cd /etc/cb/integrations/cb-defense-syslog
sudo cp cb-defense-syslog.conf.example cb-defense-syslog.conf

b. Set the following variables in the config file /etc/cb/integrations/cb-defense-syslog/cb-defense-syslog.conf.

output_format=json
output_type=http
http_out=<Sumo Logic HTTP Source Address from the previous step>
http_headers={}
https_ssl_verify=
connector_id=<Cb Defense Connector ID>
api_key=<Cb Defense SIEM API Key>
server_url=<Cb Defense Server URL>
ca_cert=/etc/cb/integrations/cb-defense/ca.pem

c. Optional. Multiple CB servers can be added. For details, go here.

  5. While still logged in as root, test the new connector in the following way:

a. Run the following command.

/usr/share/cb/integrations/cb-defense-syslog/cb-defense-syslog --config-file /etc/cb/integrations/cb-defense-syslog/cb-defense-syslog.conf --log-file /var/log/cb/integrations/cb-defense-syslog/cb-defense-syslog.log

b. Now run this command.

cat /var/log/cb/integrations/cb-defense-syslog/cb-defense-syslog.log

A successful run will resemble the following example.

2017-06-27 09:24:10,747 - __main__ - INFO - Found 1 Cb Defense Servers in config file
2017-06-27 09:24:10,748 - __main__ - INFO - Handling notifications for https://api-eap01.conferdeploy.net
2017-06-27 09:24:10,748 - __main__ - INFO - Attempting to connect to url: https://api-eap01.conferdeploy.net
2017-06-27 09:24:10,748 - __main__ - INFO - connectorID = XXXX
2017-06-27 09:24:10,845 - __main__ - INFO - <Response [200]>
2017-06-27 09:24:10,845 - __main__ - INFO - sessionId = XXXX
2017-06-27 09:24:10,888 - __main__ - INFO - <Response [200]>
2017-06-27 09:24:10,889 - __main__ - INFO - successfully connected, no alerts at this time
2017-06-27 09:24:10,889 - __main__ - INFO - There are no messages to forward to host
  6. Start the connector by enabling it with a cron job, as follows.

a. In a text editor (such as vi), open the /etc/cron.d/cb-defense-syslog file.

b. Uncomment the Cb Defense connector entry by removing the leading # from the last line of the file.

By default, the connector will run once per hour.

Step 5: Verifying Sumo is receiving findings

In Sumo, open a Live Tail tab and run a search to verify Sumo is receiving findings. Search by the source category you assigned to the HTTP Source that receives the log data, for example:

_sourceCategory="cb_response_events"

For more information about using Live Tail, see Live Tail.

Sample Log Messages

This section provides examples of JSON and LEEF log messages.

CB Defense - JSON

{
  "eventTime":1549271951761,
  "eventDescription":"[Global Alert Notification] [Carbon Black has detected a threat against your company.] [https://defense.conferdeploy.net#device/1220670/incident/IJ8PELL5] [The application powershell.exe attempted to bypass policy settings.] [Incident id: IJ8PELL5] [Threat score: 2] [Group: Tenable_Policy] [Email: SYNCURITYLABS\\administrator] [Name: SYNCURITYLABS\\24s-winedr-test] [Type and OS: WINDOWS Windows 10 x64] [Severity: Monitored]\n",
  "url":"https://defense.conferdeploy.net/investigate?s[searchWindow]=ALL&s[c][DEVICE_ID][0]=1220670&s[c][INCIDENT_ID][0]=IJ8PELL5",
  "deviceInfo":{
    "deviceName":"SYNCURITYLABS\\24s-winedr-test",
    "targetPriorityCode":0,
    "internalIpAddress":"172.16.24.101",
    "deviceHostName":null,
    "groupName":"Tenable_Policy",
    "externalIpAddress":"107.151.2.133",
    "deviceType":"WINDOWS",
    "deviceId":1220670,
    "targetPriorityType":"MEDIUM",
    "email":"SYNCURITYLABS\\administrator",
    "deviceVersion":"Windows 10 x64"
  },
  "source":"cbdefense1",
  "ruleName":"Global Alert Notification",
  "type":"THREAT",
  "threatInfo":{
    "threatCause":{
      "causeEventId":"069733a2285e11e9874c63a0c6772cb2",
      "actorType":null,
      "originSourceType":"UNKNOWN",
      "actor":"d3f8fade829d2b7bd596c4504a6dae5c034e789b6a3defbe013bda7d14466677",
      "actorProcessPPid":"1312-1549271896054-18070",
      "reason":"R_POLICY_BYPASS",
      "reputation":"TRUSTED_WHITE_LIST",
      "threatCategory":"NON_MALWARE",
      "actorName":""
    },
    "summary":"The application powershell.exe attempted to bypass policy settings.",
    "score":2,
    "time":1549272007050,
    "indicators":[
      {
        "applicationName":"powershell.exe",
        "indicatorName":"MODIFY_MEMORY_PROTECTION",
        "sha256Hash":"d3f8fade829d2b7bd596c4504a6dae5c034e789b6a3defbe013bda7d14466677"
      },
      {
        "applicationName":"powershell.exe",
        "indicatorName":"ENUMERATE_PROCESSES",
        "sha256Hash":"d3f8fade829d2b7bd596c4504a6dae5c034e789b6a3defbe013bda7d14466677"
      },
      {
        "applicationName":"powershell.exe",
        "indicatorName":"BYPASS_POLICY",
        "sha256Hash":"d3f8fade829d2b7bd596c4504a6dae5c034e789b6a3defbe013bda7d14466677"
      },
      {
        "applicationName":"powershell.exe",
        "indicatorName":"MODIFY_PROCESS",
        "sha256Hash":"d3f8fade829d2b7bd596c4504a6dae5c034e789b6a3defbe013bda7d14466677"
      }
    ],
    "incidentId":"IJ8PELL5"
  }
}

CB Response - JSON

{
  "cb_server":"cbserver",
  "cb_version":"6.2.4.181112.1308",
  "computer_name":"suse-agent1",
  "feed_id":34,
  "feed_name":"carbonstream",
  "from_feed_search":false,
  "group":"mnt 3rd wave",
  "hostname":"suse-agent1",
  "ioc_attr":{
    "direction":"Outbound",
    "dns_name":"qrgrakybjmcko.sumonetworks.com",
    "local_ip":"192.168.1.14",
    "local_port":7316,
    "port":7316,
    "protocol":"UDP",
    "remote_ip":"198.108.66.208",
    "remote_port":1381
  },
  "ioc_type":"ipv4",
  "ioc_value":"165.160.13.20",
  "os_type":"OSX",
  "process_guid":"000009a9-0000-4b8d-01d4-a897a4ce3f0a",
  "process_id":"0000408a-0000-3324-01d4-a7d3e8679254",
  "report_id":"2aaba46c8302f9805284c3b2bd6ce932",
  "report_score":100,
  "segment_id":"1547092507241",
  "sensor_id":850,
  "server_name":"localhost",
  "timestamp":"1548931379",
  "type":"feed.ingress.hit.process"
}

CB Response - LEEF

1234 <12>0 2019-01-31T16:12:54.111+0530 previous-gymnast cb-notifications 94538 - - reason=feed.storage.hit type=event process_guid=0000148e-0000-0c70-01d4-a8dc9f4b27b2 segment_id=1547094054393 host='rhel-agent1' comms_ip='142.255.119.77' interface_ip='172.20.4.130' sensor_id=4994 feed_id=13 feed_name='bit9endpointvisibility' ioc_type='query' ioc_value='{""index_type"": ""events"", ""search_query"": ""cb.urlver=1&q=(regmod%3Adomains%5Caccount%5Cusers%5Cnames%5C*)""}' timestamp='1548931374' start_time='2019-01-31T16:12:54.111+0530' group='aes 2nd wave' process_md5='0f9760b796dede249193b1f7844104b1' process_name='lsass.exe' process_path='c:\windows\system32\lsass.exe' last_update='2019-01-31T16:12:54.111+0530' alliance_updated_bit9endpointvisibility='2018-10-31T17:11:39.000Z' alliance_data_bit9endpointvisibility='74ccc9e8-ffc6-4e0b-ba88-0e947cf7b146' alliance_link_bit9endpointvisibility='' alliance_score_bit9endpointvisibility='20'

Query example

This section provides a sample query from the Top Processes panel of the Response - Processes dashboard.

Parameters
  • Host_Name: *
  • IOC_Type: *
  • Feed_Name: *
  • Watchlist_Name: *
  • Group: *
  • Status: *
  • Process_Name: *
Query String
_sourceCategory="Labs/cb-response-json"
| parse regex "(?:process_name)(?:\"\:\"|=')(?<process_name>.*?)(?:\"|')" multi
| parse regex "ioc_type(?:\"\:\"|=')(?<ioc_type>.*?)(?:\"|')" nodrop
| parse regex "feed_name(?:\"\:\"|=')(?<feed_name>.*?)(?:\"|')" nodrop
| parse regex "group(?:\"\:\"|=')(?<group>.*?)(?:\"|')" nodrop
| parse regex "(?:hostname|host)(?:\"\:\"|=')(?<hostname>.*?)(?:\"|')" nodrop
| parse regex "watchlist_name(?:\"\:\"|=')(?<watchlist_name>.*?)(?:\"|')" nodrop
| parse regex "status(?:\"\:\"|=')(?<status>.*?)(?:\"|')" nodrop
| where (isBlank(hostname) or hostname matches {{Host_Name}}) and (isBlank(ioc_type) or ioc_type matches {{IOC_Type}}) and (isBlank(feed_name) or feed_name matches {{Feed_Name}}) and (isBlank(watchlist_name) or watchlist_name matches {{Watchlist_Name}}) and (isBlank(group) or group matches {{Group}}) and (isBlank(status) or status matches {{Status}}) and process_name matches {{Process_Name}}
| count by process_name
| sort by _count
| limit 10
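As an added example (not code from the Sumo Logic page or from Carbon Black), the following Python emulates what the Top Processes query above does to each message: the same key regexes applied to both the JSON and LEEF encodings, the drop-versus-nodrop behaviour of the parse stages, the isBlank wildcard filters, and the count. The messages, hostnames and process names are constructed.

```python
import json
import re
from collections import Counter

# Constructed messages modelled on this page's CB Response JSON and LEEF samples (hypothetical
# hosts and values). The forwarder writes compact JSON ("key":"value", no spaces), which the
# dashboard regex depends on, hence the separators. The third message has no process_name.
COMPACT = {"separators": (",", ":")}
MESSAGES = [
    json.dumps({"hostname": "suse-agent1", "ioc_type": "ipv4", "feed_name": "carbonstream",
                "group": "mnt 3rd wave", "process_name": "curl", "status": "Unresolved"}, **COMPACT),
    json.dumps({"hostname": "suse-agent2", "ioc_type": "ipv4", "feed_name": "carbonstream",
                "group": "mnt 3rd wave", "process_name": "curl"}, **COMPACT),
    json.dumps({"hostname": "suse-agent1", "ioc_type": "ipv4", "type": "feed.ingress.hit.process"}, **COMPACT),
    "1234 <12>0 2019-01-31T16:12:54.111+0530 previous-gymnast cb-notifications 94538 - - "
    "reason=feed.storage.hit type=event host='rhel-agent1' feed_name='bit9endpointvisibility' "
    "ioc_type='query' group='aes 2nd wave' process_name='lsass.exe' process_path='c:\\windows\\system32\\lsass.exe'",
]
# The query's regexes: Sumo's (?<name>...) becomes Python's (?P<v>...); one alternation
# matches both encodings, JSON "key":"value" and LEEF key='value'.
SUFFIX = r"(?:\":\"|=')(?P<v>.*?)(?:\"|')"
KEYS = {"process_name": "process_name", "ioc_type": "ioc_type", "feed_name": "feed_name", "group": "group",
        "hostname": "(?:hostname|host)", "watchlist_name": "watchlist_name", "status": "status"}
# Dashboard parameter -> parsed field it filters in the where clause.
PARAMS = {"Host_Name": "hostname", "IOC_Type": "ioc_type", "Feed_Name": "feed_name",
          "Watchlist_Name": "watchlist_name", "Group": "group", "Status": "status"}

def sumo_parse(message):
    """process_name is parsed without nodrop, so a message lacking it is dropped (None);
    the other parses use nodrop, so a missing field is left blank."""
    fields = {}
    for name, key in KEYS.items():
        m = re.search(key + SUFFIX, message)
        if m is None and name == "process_name":
            return None
        fields[name] = m.group("v") if m else ""
    return fields

def glob_matches(value, pattern):
    """Sumo's `matches` operator with * as the wildcard."""
    return re.fullmatch(re.escape(pattern).replace(r"\*", ".*"), value) is not None

def top_processes(messages, params, limit=10):
    """where ... | count by process_name | sort by _count | limit N; isBlank() passes a message on."""
    counts = Counter()
    for f in filter(None, map(sumo_parse, messages)):
        if (all(f[v] == "" or glob_matches(f[v], params.get(p, "*")) for p, v in PARAMS.items())
                and glob_matches(f["process_name"], params.get("Process_Name", "*"))):
            counts[f["process_name"]] += 1
    return counts.most_common(limit)
```

Note that the page's own CB Response JSON sample (a feed.ingress.hit.process event) carries no process_name, so the first parse, which has no nodrop, removes such events from this panel; the third constructed message shows that.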