Carbon Black
Carbon Black for Logpoint SIEM allows you to monitor and identify threats in your organization using the Carbon Black data. Logpoint aggregates and normalizes event data from Carbon Black in the LEEF, JSON, or Syslog format.
Package Details
Carbon Black components:
-
Normalization Package
- LP_Bit9 Security System
-
Compiled Normalizers
- CarbonBlackCompiledNormalizer
- CarbonblackJSONCompiledNormalizer
Enhancement
| Description | Issue ID | Reference ID |
|---|---|---|
| Added Syslog Collector based CarbonBlack log source template, simplifying the log source configuration process. To learn more, go to Creating Log Source via a Template. |
KB-23291 |
- |
Installation
To install Carbon Black:
- Download the .pak file from the Download link above.
- Go to Settings >> System Settings from the navigation bar and click Applications.
- Click Import.
- Browse to the downloaded .pak file.
- Click Upload.
Past Releases
Carbon Black v5.1.0
Supported On: Logpoint v6.7.0 and later
Download: CarbonBlack_5.1.0.pak
SHA256: 331c09687c99bc96b3b92a1ddb9363aa22258560dad412e81bee80ab7900e6aa
Enhancements
| Description | Issue ID | Reference ID | ||||||
|---|---|---|---|---|---|---|---|---|
|
Added a compiled normalizer CarbonblackJSONCompiledNormalizer to normalize the JSON events. |
KB-10527, KB-10582, KB-10576 |
45411 |
||||||
|
In the compiled normalizer CarbonBlackCompiledNormalizer, the field username has been parsed as the user and domain fields. |
||||||||
|
The taxonomy of the following fields has been changed to maintain consistency:
|
Bug Fix
|
Description
|
Issue ID
|
Reference ID
|
|---|---|---|
|
An issue in the compiled normalizer CarbonBlackCompiledNormalizer where some Carbon Black logs were not properly normalized. |
KB-10551 | 45411 |
Supported Version
Supported Logpoint versions work with the Bit9 Security System.
Log Formats
Expected Log Format
Bit9 Parity Syslog
Log Sample
<14>1 2012-06-19T09:11:15Z abc.local.com Parity --- Bit9 ParityServer? event: text="File 'c:\windows\system32\….' [6c2011890c8af41f] was executed for the first time." event_type="Discovery" event_subtype="First execution on network" hostname="WIN2003\xxxxxxxx" username="WINXXXXX\local" date="6/19/2012 9:10:23 AM"
Expected Log Format
Carbon Black Security LEEF
Log Sample
<6> 2018-09-26T09:22:44Z vivacious-units.my.carbonblack.io /usr/share/cb/integrations/event-forwarder/cb-event-forwarder[16561]: LEEF:1.0|CB|CB|6.2.3.180809.1703|feed.storage.hit.process|alliance_data_alienvault=[spamming] alliance_link_alienvault=https://abc.com/ alliance_score_alienvault=30 alliance_updated_alienvault=2018-09-xxxxxx:xx:xx.xxxx cb_server=vivacious-units.my.carbonblack.io cb_version=6.2.3.180809.1703 childproc_count=2 cmdline="C:\\Program Files\\Internet Explorer\\iexplore.exe" SCODEF:3876 CREDAT:144385 /prefetch:2 comms_ip=xxx.xxx.xx.xxx computer_name=xxxxxxxxxxxx crossproc_count=7 dst=-xxxxxxxx dstPort=xxx feed_id=9 feed_name=alienvault filemod_count=3541 from_feed_search=false group=workstations host_type=workstation hostname=xxxxxxxxinterface_ip=xx.xx.xx.xx ioc_attr={"direction":"Outbound","dns_name":"abc.com","local_ip":"xxxxxxxxx","local_port":"xxxxx","port":"xxxxx","protocol":"TCP","remote_ip":"-xxxxxxx","remote_port":"xxx"} ioc_type=ipv4 ioc_value=185.44.142.4 last_update=2018-09-26T08:01:42.287Z link_parent=https://vivacious-units.my.carbonblack.io/#analyze/0000066a-0000-0f24-01d4-556e8f4795d4/1 link_parent_md5=https://vivacious-units.my.carbonblack.io/#/binary/3278E533281FFF3A33353D9EF191C207 link_process=https://vivacious-units.my.carbonblack.io/#analyze/0000066a-0000-1f60-01d4-556e8f9392f4/1537953053960 link_process_md5=https://vivacious-units.my.carbonblack.io/#/binary/3278E533281FFF3A33353D9EF191C207 link_sensor=https://vivacious-units.my.carbonblack.io/#/host/1642 modload_count=163 netconn_count=160 os_type=windows parent_guid=0000066a-0000-0f24-01d4-556e8f4795d4 parent_md5=3278E533281FFF3A33353D9EF191C207 parent_name=iexplore.exe parent_pid=3876 parent_segment_id=1 parent_unique_id=0000066a-0000-0f24-01d4-556e8f4795d4-000000000001 path=c:\\program files\\internet explorer\\iexplore.exe process_guid=0000066a-0000-1f60-01d4-556e8f9392f4 process_id=0000066a-0000-1f60-01d4-556e8f9392f4 process_md5=3278E533281FFF3A33353D9EF191C207 process_name=iexplore.exe process_pid=8032 proto=TCP regmod_count=26 report_id=spamming report_score=30 segment_id=1537953053960 sensor_id=1642 server_name=localhost src=xxxxxxxxxxxx srcPort=59011 start=2018-09-26T07:57:24.416Z timestamp=1537953764.269 type=feed.storage.hit.process unique_id=0000066a-0000-1f60-01d4-556e8f9392f4-016615253d08 username=logpoint''
Expected Log Sample
Carbon Black JSON
Log Sample
{"eventTime":1585814733000,"eventDescription":"[Global Alert Notification] [Carbon Black has detected a threat against your company.] [https://abc.com] [The application powershell.exe attempted to bypass policy settings.] [Incident id: xxxxx5] [Threat score: 2] [Group: Tenable_Policy]
[Email: ABC\\administrator] [Name: ABC] [Type and OS: WINDOWS Windows 10 x64] [Severity: Monitored]\n","url":"https://abc.com[searchWindow]=ALL&s[c][DEVICE_ID][0]=xxxxxxxxxx&s[c][INCIDENT_ID][0]=xxxxxxxxx", "deviceInfo":{"deviceName":"ABC\\xxx-win-test","targetPriorityCode":0,"internalIpAddress":"1.1.1.1","deviceHostName":"deviceHostName", "groupName":"Tenable_Policy","externalIpAddress":"1.1.1.1", "deviceType":"WINDOWS","deviceId":xxxxxxxxxx,"targetPriorityType": "MEDIUM","email":"ABC\\administrator","deviceVersion":"Windows 10 x64"},"source":"xxxxxxxxxxx","ruleName":"Global Alert Notification","type":"THREAT", "threatInfo":{"threatCause":{"causeEventId":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "actorType":"actorType", "originSourceType":"UNKNOWN","actor":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "actorProcessPPid":"xxxx-xxxxxxxxxxxxxx-xxxxx","reason":"R_POLICY_BYPASS","reputation":"TRUSTED_WHITE_LIST","threatCategory":"NON_MALWARE", "actorName":"actorName"},"summary":"The application xxxxxxxxxxxxxx attempted to bypass policy settings.","score":2,"time":xxxxxxxxxxxxxxxxxxx,"indicators":[{"applicationName":"xxxxxxxxx","indicatorName":"MODIFY_MEMORY_PROTECTION", sha256Hash":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"},{"applicationName":"xxxxxxxxxxx","indicatorName":"ENUMERATE_PROCESSES", "sha256Hash":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"},{"applicationName":"xxxxxxxxxxx","indicatorName":"BYPASS_POLICY"," sha256Hash":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"},{"applicationName":"xxxxxxxxxx","indicatorName":"MODIFY_PROCESS", "sha256Hash":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"}]," incidentId":"xxxxxxxxx"}
Carbon Black v5.0.1
Enhancement
A minor update in the Carbon Black's normalizer for better signature handling.
Support
If you have any questions or require assistance, create a support ticket.
Comments
Article is closed for comments.