Fortinet black logo

External Systems Configuration Guide

Carbon Black Security Platform

Carbon Black Security Platform

What is Discovered and Monitored

Protocol Information Discovered Metrics Collected Used For
Syslog Logs Security Monitoring

Event Types

In ADMIN > Device Support > Event Types, search for "Carbon Black" to see the event types associated with this device.

Rules

  • Carbon Black Agent Uninstalled or File Tracking Disabled
  • Carbon Black Fatal Errors
  • Blocked File Execution
  • Unapproved File Execution

Reports

  • Carbon Black Account Group Changes
  • Carbon Black Fatal and Warnings Issues
  • Carbon Black Functionality Stopped
  • Carbon Black Security Configuration Downgrades

Carbon Black Configuration

Syslog

The following guide should be used to install the python Carbon Black Cloud Syslog Connector on your FortiSIEM collector.

Note: You may need your Carbon Black account to view the Unix instructions.

https://developer.carbonblack.com/reference/carbon-black-cloud/integrations/syslog-connector/

An install guide with a sample configuration file is available here:

https://pypi.org/project/cbc-syslog/1.3.1/

FortiSIEM processes events from this device via syslog. Configure the device to send syslog to FortiSIEM on port 514. CEF formatted logs are also supported.

Sample Syslog

Standard Syslog:

<14>1 2015-04-06T16:24:02Z server1.foo.com - - - - Carbon Black event:  text="Server discovered new file 'c:\usersacct\appdata\local\temp\3cziegdd.dll' [361aa7fbd5d00aa9952e94adc01d6f8d4cb08766eb03ff522ba5c7a2f9e99f9f]." type="Discovery" subtype="New file on network" hostname="SVR123" username="SVR123\acct" date="4/6/2015 4:22:52 PM" ip_address="10.168.1.1" process="c:\abc\infrastructure\bin\scannerreset.exe" file_path="c:\users\acct\appdata\local\temp\3cziegdd.dll" file_name="3cziegdd.dll" file_hash="361aa7fbd5d00aa9952e94adc01d6f8d4cb08766eb03ff522ba5c7a2f9e99f9f" installer_name="csc.exe" policy="High Enforce" process_key="00000000-0000-1258-01d0-7085edb50080" server_version="7.2.0.1395" file_trust="-2" file_threat="-2" process_trust="-1" process_threat="-1				

CEF Formatted Syslog:

<14>May 06 13:28:09 host1 CEF:0|Carbon Black|Protection|8.0.0.2562|809|Report write (custom rule)|4|externalId=649219 cat=Policy Enforcement start=May 06 13:27:41 UTC rt=May 06 13:28:02 UTC filePath=c:\\windows\\system32\\perfdisk.dll fname=perfdisk.dll fileHash=60b8a55c0f3228b18d918a3fd6684c401442f6447f2cec5dad9860a8c1d6462c fileId=39126 deviceProcessName="C:\\ProgramData\\Microsoft\\Windows Defender\\platform\\4.14.17639.18041-0\\MsMDEV.exe" dst=172.30.31.13 dhost=EXAMPLE\\DC01 duser=NT AUTHORITY\\SYSTEM dvchost=cbprotection msg='c:\\windows\\system32\\perfdisk.dll' was created by 'NT AUTHORITY\\SYSTEM'. sproc=00000000-0000-15b8-01d3-dd191e70c6d3 cs1Label=rootHash cs1=e1c32fca51d86aad28c2dd13ec427eccd03f9d6900f8f1fe90b99f85550a8a98 cs2Label=installerFilename cs2=msi669d.tmp cs3Label=Policy cs3=Domain Controllers cs5Label=ruleName cs5=[File Integrity Monitoring] Changes to system files cfp1Label=fileTrust cfp1=10 flexString1Label=fileThreat flexString1=0 - Clean cfp2Label=processTrust cfp2=10 flexString2Label=processThreat flexString2=0 - Clean

Carbon Black Security Platform

What is Discovered and Monitored

Protocol Information Discovered Metrics Collected Used For
Syslog Logs Security Monitoring

Event Types

In ADMIN > Device Support > Event Types, search for "Carbon Black" to see the event types associated with this device.

Rules

  • Carbon Black Agent Uninstalled or File Tracking Disabled
  • Carbon Black Fatal Errors
  • Blocked File Execution
  • Unapproved File Execution

Reports

  • Carbon Black Account Group Changes
  • Carbon Black Fatal and Warnings Issues
  • Carbon Black Functionality Stopped
  • Carbon Black Security Configuration Downgrades

Carbon Black Configuration

Syslog

The following guide should be used to install the python Carbon Black Cloud Syslog Connector on your FortiSIEM collector.

Note: You may need your Carbon Black account to view the Unix instructions.

https://developer.carbonblack.com/reference/carbon-black-cloud/integrations/syslog-connector/

An install guide with a sample configuration file is available here:

https://pypi.org/project/cbc-syslog/1.3.1/

FortiSIEM processes events from this device via syslog. Configure the device to send syslog to FortiSIEM on port 514. CEF formatted logs are also supported.

Sample Syslog

Standard Syslog:

<14>1 2015-04-06T16:24:02Z server1.foo.com - - - - Carbon Black event:  text="Server discovered new file 'c:\usersacct\appdata\local\temp\3cziegdd.dll' [361aa7fbd5d00aa9952e94adc01d6f8d4cb08766eb03ff522ba5c7a2f9e99f9f]." type="Discovery" subtype="New file on network" hostname="SVR123" username="SVR123\acct" date="4/6/2015 4:22:52 PM" ip_address="10.168.1.1" process="c:\abc\infrastructure\bin\scannerreset.exe" file_path="c:\users\acct\appdata\local\temp\3cziegdd.dll" file_name="3cziegdd.dll" file_hash="361aa7fbd5d00aa9952e94adc01d6f8d4cb08766eb03ff522ba5c7a2f9e99f9f" installer_name="csc.exe" policy="High Enforce" process_key="00000000-0000-1258-01d0-7085edb50080" server_version="7.2.0.1395" file_trust="-2" file_threat="-2" process_trust="-1" process_threat="-1				

CEF Formatted Syslog:

<14>May 06 13:28:09 host1 CEF:0|Carbon Black|Protection|8.0.0.2562|809|Report write (custom rule)|4|externalId=649219 cat=Policy Enforcement start=May 06 13:27:41 UTC rt=May 06 13:28:02 UTC filePath=c:\\windows\\system32\\perfdisk.dll fname=perfdisk.dll fileHash=60b8a55c0f3228b18d918a3fd6684c401442f6447f2cec5dad9860a8c1d6462c fileId=39126 deviceProcessName="C:\\ProgramData\\Microsoft\\Windows Defender\\platform\\4.14.17639.18041-0\\MsMDEV.exe" dst=172.30.31.13 dhost=EXAMPLE\\DC01 duser=NT AUTHORITY\\SYSTEM dvchost=cbprotection msg='c:\\windows\\system32\\perfdisk.dll' was created by 'NT AUTHORITY\\SYSTEM'. sproc=00000000-0000-15b8-01d3-dd191e70c6d3 cs1Label=rootHash cs1=e1c32fca51d86aad28c2dd13ec427eccd03f9d6900f8f1fe90b99f85550a8a98 cs2Label=installerFilename cs2=msi669d.tmp cs3Label=Policy cs3=Domain Controllers cs5Label=ruleName cs5=[File Integrity Monitoring] Changes to system files cfp1Label=fileTrust cfp1=10 flexString1Label=fileThreat flexString1=0 - Clean cfp2Label=processTrust cfp2=10 flexString2Label=processThreat flexString2=0 - Clean