
Collect logs for Carbon Black

This page provides instructions for adding a hosted collector and HTTP sources, then configuring collection agents to collect findings for the Carbon Black App.

Collection overview

Carbon Black Response (EDR) events can be sent to Sumo Logic through Carbon Black's event forwarder, cb-event-forwarder. The forwarder runs on a 64-bit CentOS 6.x host, either the Carbon Black Response server itself or a separate machine that can reach the server's RabbitMQ message bus. It can emit events in either JSON or LEEF format; both are supported by Sumo Logic.

Carbon Black Defense or Carbon Black Endpoint Standard events can be collected by a Carbon Black Defense source.

For more in-depth information, see the Carbon Black documentation for Defense (Endpoint Standard) and Response (EDR).

Step 1: Adding a Hosted Collector, an HTTP Source for Carbon Black Response, and a Carbon Black Defense Source

This section demonstrates how to add a hosted Sumo Logic collector, an HTTP Logs and Metrics source for Carbon Black Response, and a Carbon Black Defense Source, to collect events for Carbon Black.

Prerequisites

Before creating the HTTP source for Carbon Black Response, and the Carbon Black Defense source, identify the Sumo Logic Hosted Collector you want to use or create a new Hosted Collector as described in the following task.

To add a hosted collector, an HTTP source for Carbon Black Response, and a Carbon Black Defense Source, do the following:

  1. To create a new Sumo Logic Hosted Collector, perform the steps in Configure a Hosted Collector.

  2. Add an HTTP Logs and Metrics Source for Carbon Black Response. Note the HTTP Source Address (URL) that Sumo Logic displays when the source is saved; the event forwarder needs it in Step 3. Treat that URL as a credential: possessing it is all that is required to post data to the source, so keep it out of tickets, chat and version control.

  3. Add a Carbon Black Defense Source for Carbon Black Defense.

Step 2: Getting credentials from Carbon Black Response

Gather the following information:

  • The Carbon Black Response (EDR) event forwarder authenticates to the server's RabbitMQ bus with a username and password. Copy the values of RabbitMQUser and RabbitMQPassword from /etc/cb.conf on the CB Response (EDR) server; they are required in the next step. These are credentials for the server's message bus, so handle them like any other secret.

Step 3: Configuring the event forwarder for Carbon Black Response (EDR)

This section provides instructions for configuring the collection of Carbon Black Response (EDR) events.

To configure the collection of Carbon Black Response (EDR) events:

  1. If it isn't already present, install the CbOpenSource repository:

cd /etc/yum.repos.d
curl -O https://opensource.carbonblack.com/release/x86_64/CbOpenSource.repo

  2. Install the RPM with YUM:

yum install cb-event-forwarder

  3. Configure cb-event-forwarder:

  • If installing on a machine other than the Carbon Black Response (EDR) server, copy the RabbitMQ username and password into the rabbit_mq_username and rabbit_mq_password variables in /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf. Also set cb_server_hostname to the hostname or IP address at which the Cb Response (EDR) server can be reached. Because the file now holds the RabbitMQ password, make sure it is readable only by root (or by the account the forwarder runs as).
  • If the cb-event-forwarder is forwarding events from a Carbon Black Response (EDR) cluster, set cb_server_hostname to the hostname or IP address of the Cb Response (EDR) master node. More details here.
  • Additionally, set the following variables in cb-event-forwarder.conf:

    - output_type=http

    - output_format=json or output_format=leef, as required

    - httpout=<the HTTP Source Address from the previous step>

  • Check that the configuration is correct by running (as root) the cb-event-forwarder in check mode:
/usr/share/cb/integrations/event-forwarder/cb-event-forwarder -check

If everything is OK, you will see a message starting with "Initialized output". If there are errors, they will appear on your screen.

  4. Start and stop the service.

Once the service is installed, it is managed by the Upstart init system in CentOS 6.x. You can control the service with the initctl command:

  • To start the service: 
initctl start cb-event-forwarder
  • To stop the service: 
initctl stop cb-event-forwarder
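Before running the forwarder's own -check, it is worth catching the mistakes that check does not flag for you: a collector URL pasted as plain http://, output_type left at its default, RabbitMQ credentials left empty on a host other than the CB server, or a configuration file that any local user can read now that it contains the RabbitMQ password. The script below is an added example, not code from Sumo Logic or Carbon Black. It knows only the key names the steps above mention (rabbit_mq_username, rabbit_mq_password, cb_server_hostname, output_type, output_format, httpout); the configuration text, hostname, password and collector URL in it are constructed for the example.

```python
import os
import re
import stat
import tempfile
from typing import Dict, List

# One key=value per line; '#'/';' comments and any [section] header are skipped.
KEY_RE = re.compile(r"^\s*([A-Za-z_][\w.]*)\s*=\s*(.*?)\s*$")


def parse_conf(text: str) -> Dict[str, str]:
    """Parse cb-event-forwarder.conf style text; a repeated key keeps its last value."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;[":
            continue
        m = KEY_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def audit_settings(cfg: Dict[str, str], on_cb_server: bool) -> List[str]:
    """Return findings for the settings Step 3 asks for; [] means nothing to fix."""
    findings: List[str] = []
    if cfg.get("output_type") != "http":
        findings.append("output_type must be http to post to a Sumo Logic HTTP Source")
    if cfg.get("output_format") not in ("json", "leef"):
        findings.append("output_format must be json or leef")
    url = cfg.get("httpout", "")
    if not url:
        findings.append("httpout is empty; paste the HTTP Source Address from Step 1")
    elif not url.startswith("https://"):
        findings.append("httpout is not https://; events would leave the host in cleartext")
    # Off the CB server the forwarder must be told where the server is and how
    # to authenticate to its RabbitMQ bus; the shipped defaults only work locally.
    if not on_cb_server:
        if cfg.get("cb_server_hostname", "") in ("", "localhost", "127.0.0.1"):
            findings.append("cb_server_hostname still points at localhost")
        if not cfg.get("rabbit_mq_username") or not cfg.get("rabbit_mq_password"):
            findings.append("rabbit_mq_username/rabbit_mq_password missing; copy them from /etc/cb.conf")
    return findings


def audit_file(path: str, on_cb_server: bool = False) -> List[str]:
    """Audit a file on disk. The file carries the RabbitMQ password, so
    group/other read access is reported as a finding of its own."""
    with open(path, encoding="utf-8") as fh:
        findings = audit_settings(parse_conf(fh.read()), on_cb_server)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"{path} is readable by group/other (mode {mode:o}); chmod 600 it")
    return findings


# Constructed sample: hostname, password and collector URL are placeholders.
GOOD_CONF = """\
[bridge]
# RabbitMQ credentials copied from /etc/cb.conf on the CB Response (EDR) server
rabbit_mq_username=cb
rabbit_mq_password=example-password-from-cb.conf
cb_server_hostname=cbserver.example.internal
output_type=http
output_format=json
httpout=https://collectors.example.sumologic.com/receiver/v1/http/EXAMPLE_TOKEN
"""

# Two of the mistakes the audit exists for: cleartext URL, output_type left at file.
BAD_CONF = GOOD_CONF.replace("https://", "http://").replace("output_type=http", "output_type=file")


def demo() -> List[str]:
    """Write BAD_CONF with 0644 permissions and audit it (three findings)."""
    fd, path = tempfile.mkstemp(suffix=".conf")
    with os.fdopen(fd, "w") as fh:
        fh.write(BAD_CONF)
    os.chmod(path, 0o644)
    try:
        return audit_file(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for finding in demo():
        print("FINDING:", finding)
```

Run it against the real file with audit_file("/etc/cb/integrations/event-forwarder/cb-event-forwarder.conf", on_cb_server=...) before the -check step; an empty list means the settings this page asks for are present and the file is not exposing the RabbitMQ password to other local users.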

Step 4: Verifying Sumo is receiving findings

In Sumo, open a Live Tail tab and run a search to verify Sumo is receiving findings. Search by the source category you assigned to the HTTP Source that receives the log data, for example:

_sourceCategory="cb_response_events"

For more information about using Live Tail, see Live Tail.

Sample Log Messages

This section provides examples of JSON and LEEF log messages.

CB Defense (Endpoint Standard) - JSON

{
  "eventTime":1549271951761,
  "eventDescription":"[Global Alert Notification] [Carbon Black has detected a threat against your company.] [https://defense.conferdeploy.net#device/1220670/incident/IJ8PELL5] [The application powershell.exe attempted to bypass policy settings.] [Incident id: IJ8PELL5] [Threat score: 2] [Group: Tenable_Policy] [Email: SYNCURITYLABS\\administrator] [Name: SYNCURITYLABS\\24s-winedr-test] [Type and OS: WINDOWS Windows 10 x64] [Severity: Monitored]\n",
  "url":"https://defense.conferdeploy.net/investigate?s[searchWindow]=ALL&s[c][DEVICE_ID][0]=1220670&s[c][INCIDENT_ID][0]=IJ8PELL5",
  "deviceInfo":{
    "deviceName":"SYNCURITYLABS\\24s-winedr-test",
    "targetPriorityCode":0,
    "internalIpAddress":"172.16.24.101",
    "deviceHostName":null,
    "groupName":"Tenable_Policy",
    "externalIpAddress":"107.151.2.133",
    "deviceType":"WINDOWS",
    "deviceId":1220670,
    "targetPriorityType":"MEDIUM",
    "email":"SYNCURITYLABS\\administrator",
    "deviceVersion":"Windows 10 x64"
  },
  "ruleName":"Global Alert Notification",
  "type":"THREAT",
  "threatInfo":{
    "threatCause":{
      "causeEventId":"069733a2285e11e9874c63a0c6772cb2",
      "actorType":null,
      "originSourceType":"UNKNOWN",
      "actor":"d3f8fade829d2b7bd596c4504a6dae5c034e789b6a3defbe013bda7d14466677",
      "actorProcessPPid":"1312-1549271896054-18070",
      "reason":"R_POLICY_BYPASS",
      "reputation":"TRUSTED_WHITE_LIST",
      "threatCategory":"NON_MALWARE",
      "actorName":""
    },
    "summary":"The application powershell.exe attempted to bypass policy settings.",
    "score":2,
    "time":1549272007050,
    "indicators":[
      {
        "applicationName":"powershell.exe",
        "indicatorName":"MODIFY_MEMORY_PROTECTION",
        "sha256Hash":"d3f8fade829d2b7bd596c4504a6dae5c034e789b6a3defbe013bda7d14466677"
      },
      {
        "applicationName":"powershell.exe",
        "indicatorName":"ENUMERATE_PROCESSES",
        "sha256Hash":"d3f8fade829d2b7bd596c4504a6dae5c034e789b6a3defbe013bda7d14466677"
      },
      {
        "applicationName":"powershell.exe",
        "indicatorName":"BYPASS_POLICY",
        "sha256Hash":"d3f8fade829d2b7bd596c4504a6dae5c034e789b6a3defbe013bda7d14466677"
      },
      {
        "applicationName":"powershell.exe",
        "indicatorName":"MODIFY_PROCESS",
        "sha256Hash":"d3f8fade829d2b7bd596c4504a6dae5c034e789b6a3defbe013bda7d14466677"
      }
    ],
    "incidentId":"IJ8PELL5"
  }
}

CB Response (EDR) - JSON

{
  "cb_server":"cbserver",
  "cb_version":"6.2.4.181112.1308",
  "computer_name":"suse-agent1",
  "feed_id":34,
  "feed_name":"carbonstream",
  "from_feed_search":false,
  "group":"mnt 3rd wave",
  "hostname":"suse-agent1",
  "ioc_attr":{
    "direction":"Outbound",
    "dns_name":"qrgrakybjmcko.sumonetworks.com",
    "local_ip":"192.168.1.14",
    "local_port":7316,
    "port":7316,
    "protocol":"UDP",
    "remote_ip":"198.108.66.208",
    "remote_port":1381
  },
  "ioc_type":"ipv4",
  "ioc_value":"165.160.13.20",
  "os_type":"OSX",
  "process_guid":"000009a9-0000-4b8d-01d4-a897a4ce3f0a",
  "process_id":"0000408a-0000-3324-01d4-a7d3e8679254",
  "report_id":"2aaba46c8302f9805284c3b2bd6ce932",
  "report_score":100,
  "segment_id":"1547092507241",
  "sensor_id":850,
  "server_name":"localhost",
  "timestamp":"1548931379",
  "type":"feed.ingress.hit.process"
}

CB Response (EDR) - LEEF

1234 <12>0 2019-01-31T16:12:54.111+0530 previous-gymnast cb-notifications 94538 - - 
reason=feed.storage.hit type=event process_guid=0000148e-0000-0c70-01d4-a8dc9f4b27b2 
segment_id=1547094054393 host='rhel-agent1' comms_ip='142.255.119.77' interface_ip='172.20.4.130'  
sensor_id=4994 feed_id=13 feed_name='bit9endpointvisibility' ioc_type='query' ioc_value='
{""index_type"": ""events"", ""search_query"": ""cb.urlver=1&q=(regmod%3Adomains%5Caccount%5Cusers%5Cnames%5C*)""}' 
timestamp='1548931374' start_time='2019-01-31T16:12:54.111+0530' group='aes 2nd wave' process_md5=
'0f9760b796dede249193b1f7844104b1' process_name='lsass.exe' process_path='c:\windows\system32\lsass.exe' 
last_update='2019-01-31T16:12:54.111+0530'  alliance_updated_bit9endpointvisibility='2018-10-31T17:11:39.000Z' 
alliance_data_bit9endpointvisibility='74ccc9e8-ffc6-4e0b-ba88-0e947cf7b146' alliance_link_bit9endpointvisibility='
' alliance_score_bit9endpointvisibility='20'

Query example

This section provides a sample query from the Top Processes panel of the EDR - Processes dashboard.

Parameters
  • Host_Name: *
  • IOC_Type: *
  • Feed_Name: *
  • Watchlist_Name: *
  • Group: *
  • Status: *
  • Process_Name: *
Query String

_sourceCategory="Labs/cb-response-json"
| parse regex "(?:process_name)(?:\"\:\"|=')(?<process_name>.*?)(?:\"|')" multi
| parse regex "ioc_type(?:\"\:\"|=')(?<ioc_type>.*?)(?:\"|')" nodrop
| parse regex "feed_name(?:\"\:\"|=')(?<feed_name>.*?)(?:\"|')" nodrop
| parse regex "group(?:\"\:\"|=')(?<group>.*?)(?:\"|')" nodrop
| parse regex "(?:hostname|host)(?:\"\:\"|=')(?<hostname>.*?)(?:\"|')" nodrop
| parse regex "watchlist_name(?:\"\:\"|=')(?<watchlist_name>.*?)(?:\"|')" nodrop
| parse regex "status(?:\"\:\"|=')(?<status>.*?)(?:\"|')" nodrop
| where (isBlank(hostname) or hostname matches {{Host_Name}}) and (isBlank(ioc_type) or ioc_type matches {{IOC_Type}}) and (isBlank(feed_name) or feed_name matches {{Feed_Name}}) and (isBlank(watchlist_name) or watchlist_name matches {{Watchlist_Name}}) and (isBlank(group) or group matches {{Group}}) and (isBlank(status) or status matches {{Status}}) and process_name matches {{Process_Name}}
| count by process_name
| sort by _count
| limit 10
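To see what the parse regex / where / count pipeline above does to forwarder output, here is the same logic as a small Python script. It is an added example, not code from Sumo Logic or Carbon Black: the regex is the query's own, translated to Python's (?P<name>) syntax, and the sample events are constructed in the shape of the JSON and LEEF samples above (the hosts, feeds, watchlist and process names are made up). The point it demonstrates is that one pattern per field, key followed by either ":" or =', reads both output_format=json and output_format=leef without branching, and how the isBlank() guards in the where clause behave.

```python
import fnmatch
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Field -> key pattern, as in the dashboard query; hostname accepts the JSON
# key "hostname" and the LEEF key host, like the query's (?:hostname|host).
FIELDS = {
    "process_name": r"process_name",
    "ioc_type": r"ioc_type",
    "feed_name": r"feed_name",
    "group": r"group",
    "hostname": r"(?:hostname|host)",
    "watchlist_name": r"watchlist_name",
    "status": r"status",
}

# key, then ":" (JSON) or =' (LEEF), then a lazy value ending at the next " or '.
# This is the query's (?:\"\:\"|=')(?<x>.*?)(?:\"|') in Python syntax.
PATTERNS = {
    name: re.compile(key + r"""(?:":"|=')(?P<value>.*?)(?:"|')""")
    for name, key in FIELDS.items()
}


def extract(line: str) -> Dict[str, Optional[str]]:
    """One value per field; None where the line lacks it (the query's nodrop)."""
    fields: Dict[str, Optional[str]] = {}
    for name, pat in PATTERNS.items():
        m = pat.search(line)
        fields[name] = m.group("value") if m else None
    return fields


def passes(fields: Dict[str, Optional[str]], filters: Dict[str, str]) -> bool:
    """The query's where clause. Every field except process_name is guarded by
    isBlank(): an event that lacks the field is kept, not filtered out.
    Sumo Logic's `matches` wildcard is approximated with fnmatch here."""
    for name, pattern in filters.items():
        value = fields.get(name)
        if name == "process_name":
            if value is None or not fnmatch.fnmatchcase(value, pattern):
                return False
        elif value is not None and not fnmatch.fnmatchcase(value, pattern):
            return False
    return True


def top_processes(lines: List[str], filters: Optional[Dict[str, str]] = None,
                  limit: int = 10) -> List[Tuple[str, int]]:
    """parse ... | where ... | count by process_name | sort by _count | limit N."""
    counts: Counter = Counter()
    for line in lines:
        fields = extract(line)
        if fields["process_name"] is None:  # the 'multi' parse drops these lines
            continue
        if not passes(fields, filters or {}):
            continue
        counts[fields["process_name"]] += 1
    return counts.most_common(limit)


# Constructed sample events: compact one-line JSON as output_format=json emits
# it, and key='value' pairs as output_format=leef does. All values are made up.
SAMPLE_LINES = [
    '{"type":"feed.storage.hit.process","hostname":"win-agent1","group":"lab",'
    '"feed_name":"carbonstream","ioc_type":"md5","process_name":"powershell.exe"}',
    '{"type":"feed.storage.hit.process","hostname":"win-agent2","group":"lab",'
    '"feed_name":"carbonstream","ioc_type":"ipv4","process_name":"powershell.exe"}',
    "reason=feed.storage.hit type=event host='rhel-agent1' feed_name='bit9endpointvisibility' "
    "ioc_type='query' group='aes 2nd wave' process_name='lsass.exe'",
    "reason=watchlist.hit type=event host='rhel-agent2' watchlist_name='Newly Loaded Modules' "
    "status='Unresolved' group='aes 2nd wave' process_name='lsass.exe'",
]

if __name__ == "__main__":
    for name, n in top_processes(SAMPLE_LINES, {"hostname": "*"}):
        print(f"{n:>4}  {name}")
```

Two things this makes visible that the query text does not. First, because every filter except Process_Name is wrapped in isBlank(...) or ..., setting the Status parameter only constrains events that carry a status field; feed hits without one still count toward the panel. Second, the lazy (.*?) stops at the first " or ', so a value that itself contains a quote character is truncated (the ioc_value in the LEEF sample above, with its embedded quoted JSON, is such a value). For a source that is JSON only, Sumo Logic's json operator parses the structure instead of pattern-matching it and avoids the truncation.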