Carbon Black
Carbon Black for Logpoint SIEM lets you monitor and identify threats in your organization using Carbon Black data. Logpoint aggregates and normalizes event data from Carbon Black in LEEF, JSON, or Syslog format.
Package Details
Carbon Black components:
- Normalization Package
  - LP_Bit9 Security System
- Compiled Normalizers
  - CarbonBlackCompiledNormalizer
  - CarbonblackJSONCompiledNormalizer
Enhancement
Description | Issue ID | Reference ID |
---|---|---|
Added a Syslog Collector based CarbonBlack log source template, simplifying the log source configuration process. To learn more, go to Creating Log Source via a Template. | KB-23291 | - |
Installation
To install Carbon Black:
- Download the .pak file from the Download link above.
- Go to Settings >> System Settings from the navigation bar and click Applications.
- Click Import.
- Browse to the downloaded .pak file.
- Click Upload.
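Before uploading, check that the downloaded file matches the SHA256 published for the release (the digest for CarbonBlack_5.1.0.pak is listed under Past Releases); a mismatch means the download is corrupt or was altered in transit and must not be imported. The following is an added example written for this page, not part of the Logpoint or Carbon Black package; it assumes the .pak is in the current directory and takes the file name and digest from this page:

```python
"""Check a downloaded Logpoint .pak against its published SHA256 before importing it.
Added example, not part of the Logpoint or Carbon Black package. The file name and digest
are the ones this page lists for Carbon Black v5.1.0; everything else is an assumption."""
import hashlib
import hmac
import re
import sys

PAK_NAME = "CarbonBlack_5.1.0.pak"
PUBLISHED_SHA256 = "331c09687c99bc96b3b92a1ddb9363aa22258560dad412e81bee80ab7900e6aa"


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so a large .pak never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_pak(path, expected_sha256):
    """True only if the file's SHA-256 equals the published digest (case-insensitive).
    A malformed expected value is an error rather than a silent mismatch, so a digest
    pasted with a missing character cannot be mistaken for a tampered download."""
    expected = expected_sha256.strip().lower()
    if not re.fullmatch(r"[0-9a-f]{64}", expected):
        raise ValueError("expected digest must be 64 hex characters")
    return hmac.compare_digest(sha256_of_file(path), expected)


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else PAK_NAME
    if verify_pak(path, PUBLISHED_SHA256):
        print(f"{path}: SHA256 matches the published digest; safe to import")
    else:
        sys.exit(f"{path}: SHA256 MISMATCH; do not import this file")
```

Run it as `python verify_pak.py CarbonBlack_5.1.0.pak` (the script name is an assumption) from the download directory; a non-zero exit means the file should be discarded and downloaded again from the link above.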
Past Releases
Carbon Black v5.1.0
Supported On: Logpoint v6.7.0 and later
Download: CarbonBlack_5.1.0.pak
SHA256: 331c09687c99bc96b3b92a1ddb9363aa22258560dad412e81bee80ab7900e6aa
Enhancements
Description | Issue ID | Reference ID |
---|---|---|
Added a compiled normalizer CarbonblackJSONCompiledNormalizer to normalize the JSON events. | KB-10527, KB-10582, KB-10576 | 45411 |
In the compiled normalizer CarbonBlackCompiledNormalizer, the username field is now parsed into the user and domain fields. | | |
The taxonomy of the following fields has been changed to maintain consistency: | | |
Bug Fix
Description | Issue ID | Reference ID |
---|---|---|
An issue in the compiled normalizer CarbonBlackCompiledNormalizer where some Carbon Black logs were not properly normalized. | KB-10551 | 45411 |
Supported Version
The Bit9 Security System normalization package is supported on the Logpoint versions listed for each release above.
Log Formats
Expected Log Format
Bit9 Parity Syslog
Log Sample
<14>1 2012-06-19T09:11:15Z abc.local.com Parity --- Bit9 ParityServer? event: text="File 'c:\windows\system32\….' [6c2011890c8af41f] was executed for the first time." event_type="Discovery" event_subtype="First execution on network" hostname="WIN2003\xxxxxxxx" username="WINXXXXX\local" date="6/19/2012 9:10:23 AM"
Expected Log Format
Carbon Black Security LEEF
Log Sample
<6> 2018-09-26T09:22:44Z vivacious-units.my.carbonblack.io /usr/share/cb/integrations/event-forwarder/cb-event-forwarder[16561]: LEEF:1.0|CB|CB|6.2.3.180809.1703|feed.storage.hit.process|alliance_data_alienvault=[spamming] alliance_link_alienvault=https://abc.com/ alliance_score_alienvault=30 alliance_updated_alienvault=2018-09-xxxxxx:xx:xx.xxxx cb_server=vivacious-units.my.carbonblack.io cb_version=6.2.3.180809.1703 childproc_count=2 cmdline="C:\\Program Files\\Internet Explorer\\iexplore.exe" SCODEF:3876 CREDAT:144385 /prefetch:2 comms_ip=xxx.xxx.xx.xxx computer_name=xxxxxxxxxxxx crossproc_count=7 dst=-xxxxxxxx dstPort=xxx feed_id=9 feed_name=alienvault filemod_count=3541 from_feed_search=false group=workstations host_type=workstation hostname=xxxxxxxx interface_ip=xx.xx.xx.xx ioc_attr={"direction":"Outbound","dns_name":"abc.com","local_ip":"xxxxxxxxx","local_port":"xxxxx","port":"xxxxx","protocol":"TCP","remote_ip":"-xxxxxxx","remote_port":"xxx"} ioc_type=ipv4 ioc_value=185.44.142.4 last_update=2018-09-26T08:01:42.287Z link_parent=https://vivacious-units.my.carbonblack.io/#analyze/0000066a-0000-0f24-01d4-556e8f4795d4/1 link_parent_md5=https://vivacious-units.my.carbonblack.io/#/binary/3278E533281FFF3A33353D9EF191C207 link_process=https://vivacious-units.my.carbonblack.io/#analyze/0000066a-0000-1f60-01d4-556e8f9392f4/1537953053960 link_process_md5=https://vivacious-units.my.carbonblack.io/#/binary/3278E533281FFF3A33353D9EF191C207 link_sensor=https://vivacious-units.my.carbonblack.io/#/host/1642 modload_count=163 netconn_count=160 os_type=windows parent_guid=0000066a-0000-0f24-01d4-556e8f4795d4 parent_md5=3278E533281FFF3A33353D9EF191C207 parent_name=iexplore.exe parent_pid=3876 parent_segment_id=1 parent_unique_id=0000066a-0000-0f24-01d4-556e8f4795d4-000000000001 path=c:\\program files\\internet explorer\\iexplore.exe process_guid=0000066a-0000-1f60-01d4-556e8f9392f4 process_id=0000066a-0000-1f60-01d4-556e8f9392f4 process_md5=3278E533281FFF3A33353D9EF191C207 process_name=iexplore.exe process_pid=8032 proto=TCP regmod_count=26 report_id=spamming report_score=30 segment_id=1537953053960 sensor_id=1642 server_name=localhost src=xxxxxxxxxxxx srcPort=59011 start=2018-09-26T07:57:24.416Z timestamp=1537953764.269 type=feed.storage.hit.process unique_id=0000066a-0000-1f60-01d4-556e8f9392f4-016615253d08 username=logpoint
Expected Log Format
Carbon Black JSON
Log Sample
{"eventTime":1585814733000,"eventDescription":"[Global Alert Notification] [Carbon Black has detected a threat against your company.] [https://abc.com] [The application powershell.exe attempted to bypass policy settings.] [Incident id: xxxxx5] [Threat score: 2] [Group: Tenable_Policy] [Email: ABC\\administrator] [Name: ABC] [Type and OS: WINDOWS Windows 10 x64] [Severity: Monitored]\n","url":"https://abc.com[searchWindow]=ALL&s[c][DEVICE_ID][0]=xxxxxxxxxx&s[c][INCIDENT_ID][0]=xxxxxxxxx", "deviceInfo":{"deviceName":"ABC\\xxx-win-test","targetPriorityCode":0,"internalIpAddress":"1.1.1.1","deviceHostName":"deviceHostName", "groupName":"Tenable_Policy","externalIpAddress":"1.1.1.1", "deviceType":"WINDOWS","deviceId":xxxxxxxxxx,"targetPriorityType": "MEDIUM","email":"ABC\\administrator","deviceVersion":"Windows 10 x64"},"source":"xxxxxxxxxxx","ruleName":"Global Alert Notification","type":"THREAT", "threatInfo":{"threatCause":{"causeEventId":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "actorType":"actorType", "originSourceType":"UNKNOWN","actor":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "actorProcessPPid":"xxxx-xxxxxxxxxxxxxx-xxxxx","reason":"R_POLICY_BYPASS","reputation":"TRUSTED_WHITE_LIST","threatCategory":"NON_MALWARE", "actorName":"actorName"},"summary":"The application xxxxxxxxxxxxxx attempted to bypass policy settings.","score":2,"time":xxxxxxxxxxxxxxxxxxx,"indicators":[{"applicationName":"xxxxxxxxx","indicatorName":"MODIFY_MEMORY_PROTECTION","sha256Hash":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"},{"applicationName":"xxxxxxxxxxx","indicatorName":"ENUMERATE_PROCESSES", "sha256Hash":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"},{"applicationName":"xxxxxxxxxxx","indicatorName":"BYPASS_POLICY","sha256Hash":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"},{"applicationName":"xxxxxxxxxx","indicatorName":"MODIFY_PROCESS", "sha256Hash":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"}],"incidentId":"xxxxxxxxx"}
Carbon Black v5.0.1
Enhancement
A minor update to the Carbon Black normalizer for better signature handling.
Support
If you have any questions or require assistance, create a support ticket.