
Carbon Black Cloud

The Carbon Black Cloud App analyzes alert and event data from the Endpoint Standard and Enterprise EDR products. App dashboards provide visibility into threats, TTPs, devices, and more.

The Carbon Black Cloud App analyzes alert and event data from the Endpoint Standard and Enterprise EDR products and provides comprehensive visibility into the security posture of your endpoints, helping you determine the impact of a breach in your environment. The app surfaces key endpoint security data with preconfigured dashboards for alerts, threat intelligence, feeds, sensors, users, hosts, processes, IOCs, devices, and network status.

Log types

The Carbon Black Cloud App uses the following Carbon Black Cloud log types, which the Carbon Black Cloud Forwarder delivers to an AWS S3 bucket:

  • Alert Data
  • Event Data

Sample Log Message

For sample log messages, see the Data Samples section in the VMware Carbon Black Cloud help.

Query samples 

Carbon Black Cloud - Endpoint Standard queries

Alerts
_sourceCategory = Labs/CarbonBlackCloudAlerts 
| json field=_raw "id", "alert_url", "severity", "category", "device_name", "device_username", "target_value", "device_group", "threat_id", "device_os", "type", "status", "sensor_action", "process_name", "reason", "create_time" as alert_id, alert_url, severity, category, device_name, user, target_priority, device_group, incident_id, device_os, type, status, sensor_action, process_name, reason, create_time nodrop //s3
| where type ="CB_ANALYTICS"
| json "threat_indicators[*].ttps" as threatInfo_indicators nodrop
| extract field=threatInfo_indicators "\"(?<indicators>.*?)\"(,|\])" multi nodrop
| json field=_raw "threat_cause_actor_name", "threat_cause_threat_category", "threat_cause_reputation" as threat_actor, threat_category, threat_reputation nodrop

Events
_sourceCategory = Labs/CarbonBlackCloudEvents
| json field=_raw "event_origin", "event_id", "event_description", "alert_id", "process_cmdline" as event_origin, event_id, event_description, alert_id, process_cmdline
| where event_origin="NGAV"

Carbon Black Cloud - Enterprise EDR queries

Alerts
_sourceCategory = Labs/CarbonBlackCloudAlerts 
| json field=_raw "id", "alert_url", "severity", "category", "device_name", "device_username", "target_value", "threat_id", "device_os", "type", "status", "process_name", "reason", "create_time" as alert_id, alert_url, severity, category, device_name, user, target_priority, incident_id, device_os, type, status, process_name, reason, create_time nodrop //s3
| where type ="WATCHLIST"
| json "threat_indicators[*].ttps" as threatInfo_indicators nodrop
| extract field=threatInfo_indicators "\"(?<indicators>.*?)\"(,|\])" multi nodrop
| json field=_raw "threat_cause_actor_name", "threat_cause_threat_category", "threat_cause_reputation", "ioc_hit" as threat_actor, threat_category, threat_reputation, ioc_hit nodrop

Events
_sourceCategory = Labs/CarbonBlackCloudEvents
| json field=_raw "event_origin", "process_guid", "process_cmdline", "parent_cmdline", "process_username" as event_origin, process_guid, process_cmdline, parent_cmdline, process_username nodrop
| where event_origin="EDR"
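The four queries above all do the same three things: parse named JSON fields out of each forwarded record (with `nodrop`, so a record missing a field is kept with that field empty), keep only the alert `type` or `event_origin` of interest, and flatten `threat_indicators[*].ttps` into one indicator per match. The Python below is added here as an example; it is not part of the Sumo Logic app or of the Carbon Black Cloud Forwarder. It does the same work offline over a handful of constructed alert and event records so the field renames and the TTP extraction can be checked before dashboards are built on them. It assumes the forwarder's S3 objects hold one JSON object per line, and it goes slightly beyond the page by joining NGAV events back to their alert through `alert_id`, which the Endpoint Standard event query parses but does not use. All field values in the samples are invented.

```python
import json
import re

# Field -> alias renames, mirroring the `json field=_raw ... as ...` clauses of the
# Endpoint Standard and Enterprise EDR alert queries (union of both field lists).
ALERT_ALIASES = {
    "id": "alert_id", "alert_url": "alert_url", "severity": "severity",
    "category": "category", "device_name": "device_name",
    "device_username": "user", "target_value": "target_priority",
    "device_group": "device_group", "threat_id": "incident_id",
    "device_os": "device_os", "type": "type", "status": "status",
    "sensor_action": "sensor_action", "process_name": "process_name",
    "reason": "reason", "create_time": "create_time",
    "threat_cause_actor_name": "threat_actor",
    "threat_cause_threat_category": "threat_category",
    "threat_cause_reputation": "threat_reputation", "ioc_hit": "ioc_hit",
}
EVENT_FIELDS = ["event_origin", "event_id", "event_description", "alert_id",
                "process_guid", "process_cmdline", "parent_cmdline",
                "process_username"]

# Same pattern the queries' `extract` stage runs over the serialized
# threat_indicators[*].ttps array: one match per quoted TTP string.
TTP_RE = re.compile(r'"(.*?)"(?:,|\])')

# Constructed sample records (not real Carbon Black data); one JSON object per
# line is assumed for the forwarder's S3 output. Alert a3 and event e3 exist only
# to show that the type / event_origin filters drop them.
SAMPLE_ALERTS = r"""
{"id":"a1","type":"CB_ANALYTICS","alert_url":"https://example.invalid/alerts/a1","severity":7,"category":"THREAT","device_name":"WS-01","device_username":"CORP\\jdoe","target_value":"HIGH","device_group":"Workstations","threat_id":"t1","device_os":"WINDOWS","status":"UNRESOLVED","sensor_action":"TERMINATE","process_name":"powershell.exe","reason":"The application powershell.exe invoked another application (certutil.exe).","create_time":"2024-01-02T03:04:05Z","threat_indicators":[{"process_name":"powershell.exe","ttps":["UNKNOWN_APP","RUN_UNKNOWN_APP"]},{"process_name":"certutil.exe","ttps":["POLICY_TERMINATE"]}],"threat_cause_actor_name":"powershell.exe","threat_cause_threat_category":"NON_MALWARE","threat_cause_reputation":"NOT_LISTED"}
{"id":"a2","type":"WATCHLIST","alert_url":"https://example.invalid/alerts/a2","severity":5,"category":"THREAT","device_name":"SRV-02","device_username":"CORP\\svc_backup","target_value":"MEDIUM","threat_id":"t2","device_os":"WINDOWS","status":"UNRESOLVED","process_name":"certutil.exe","reason":"Process certutil.exe was detected by the report \"Suspicious certutil use\".","create_time":"2024-01-02T03:06:00Z","threat_indicators":[{"process_name":"certutil.exe","ttps":["SUSPICIOUS_DECODE"]}],"threat_cause_actor_name":"certutil.exe","threat_cause_threat_category":"UNKNOWN","threat_cause_reputation":"NOT_LISTED","ioc_hit":"(process_name:certutil.exe AND process_cmdline:decode)"}
{"id":"a3","type":"DEVICE_CONTROL","severity":2,"device_name":"WS-01","status":"DISMISSED","create_time":"2024-01-02T03:07:00Z"}
""".strip()

SAMPLE_EVENTS = r"""
{"event_origin":"NGAV","event_id":"e1","event_description":"The application powershell.exe invoked another application (certutil.exe).","alert_id":"a1","process_cmdline":"powershell.exe -enc SQBFAFgA","process_guid":"ABCD1234-0000-1111-2222-333344445555"}
{"event_origin":"EDR","event_id":"e2","process_guid":"ABCD1234-0000-1111-2222-666677778888","process_cmdline":"certutil.exe -decode payload.b64 payload.exe","parent_cmdline":"powershell.exe -enc SQBFAFgA","process_username":"CORP\\svc_backup"}
{"event_origin":"OTHER","event_id":"e3"}
""".strip()


def _records(text):
    """Yield one parsed JSON object per non-empty line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def extract_ttps(alert):
    """Flatten threat_indicators[*].ttps the way the queries' extract stage does:
    serialize the nested array, then pull out every quoted string."""
    ttps = [ind.get("ttps", []) for ind in alert.get("threat_indicators", [])]
    return TTP_RE.findall(json.dumps(ttps, separators=(",", ":")))


def parse_alerts(text, alert_type):
    """Equivalent of the alert queries: rename fields (`nodrop` => a missing
    field becomes None instead of dropping the record), keep only `alert_type`,
    and attach the flattened TTP list as `indicators`."""
    rows = []
    for rec in _records(text):
        if rec.get("type") != alert_type:       # | where type = "..."
            continue
        row = {alias: rec.get(field) for field, alias in ALERT_ALIASES.items()}
        row["indicators"] = extract_ttps(rec)
        rows.append(row)
    return rows


def parse_events(text, origin):
    """Equivalent of the event queries: pick the named fields, keep `origin`."""
    return [{f: rec.get(f) for f in EVENT_FIELDS}
            for rec in _records(text) if rec.get("event_origin") == origin]


def events_for_alerts(alerts, events):
    """Join events to their alert via alert_id. Not in the page's queries; added to
    show how the parsed alert and event streams relate for NGAV data."""
    by_alert = {}
    for ev in events:
        if ev.get("alert_id"):
            by_alert.setdefault(ev["alert_id"], []).append(ev)
    return {a["alert_id"]: by_alert.get(a["alert_id"], []) for a in alerts}


if __name__ == "__main__":
    ngav_alerts = parse_alerts(SAMPLE_ALERTS, "CB_ANALYTICS")
    edr_alerts = parse_alerts(SAMPLE_ALERTS, "WATCHLIST")
    for a in ngav_alerts + edr_alerts:
        print(a["type"], a["alert_id"], a["severity"], a["device_name"],
              a["user"], a["indicators"], a["ioc_hit"])
    joined = events_for_alerts(ngav_alerts, parse_events(SAMPLE_EVENTS, "NGAV"))
    for alert_id, evs in joined.items():
        print(alert_id, [e["process_cmdline"] for e in evs])
```

Two details worth noting when adapting this: the `where` filter is applied after the `nodrop` parse, so an alert without a `type` field never reaches the dashboards, and the TTP regex matches one quoted string at a time, which is why a nested `threat_indicators` array with several indicators still yields a flat list of TTPs.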