Carbon Black Security Platform
What is Discovered and Monitored
Protocol | Information Discovered | Metrics Collected | Used For |
---|---|---|---|
Syslog | Logs | Security Monitoring |
Event Types
In ADMIN > Device Support > Event Types, search for "Carbon Black" to see the event types associated with this device.
Rules
- Carbon Black Agent Uninstalled or File Tracking Disabled
- Carbon Black Fatal Errors
- Blocked File Execution
- Unapproved File Execution
Reports
- Carbon Black Account Group Changes
- Carbon Black Fatal and Warnings Issues
- Carbon Black Functionality Stopped
- Carbon Black Security Configuration Downgrades
Carbon Black Configuration
Syslog
The following guide should be used to install the python Carbon Black Cloud Syslog Connector on your FortiSIEM collector.
Note: You may need your Carbon Black account to view the Unix instructions.
https://developer.carbonblack.com/reference/carbon-black-cloud/integrations/syslog-connector/
An install guide with a sample configuration file is available here:
https://pypi.org/project/cbc-syslog/1.3.1/
FortiSIEM processes events from this device via syslog. Configure the device to send syslog to FortiSIEM on port 514. CEF formatted logs are also supported.
Sample Syslog
Standard Syslog:
<14>1 2015-04-06T16:24:02Z server1.foo.com - - - - Carbon Black event: text="Server discovered new file 'c:\usersacct\appdata\local\temp\3cziegdd.dll' [361aa7fbd5d00aa9952e94adc01d6f8d4cb08766eb03ff522ba5c7a2f9e99f9f]." type="Discovery" subtype="New file on network" hostname="SVR123" username="SVR123\acct" date="4/6/2015 4:22:52 PM" ip_address="10.168.1.1" process="c:\abc\infrastructure\bin\scannerreset.exe" file_path="c:\users\acct\appdata\local\temp\3cziegdd.dll" file_name="3cziegdd.dll" file_hash="361aa7fbd5d00aa9952e94adc01d6f8d4cb08766eb03ff522ba5c7a2f9e99f9f" installer_name="csc.exe" policy="High Enforce" process_key="00000000-0000-1258-01d0-7085edb50080" server_version="7.2.0.1395" file_trust="-2" file_threat="-2" process_trust="-1" process_threat="-1
CEF Formatted Syslog:
<14>May 06 13:28:09 host1 CEF:0|Carbon Black|Protection|8.0.0.2562|809|Report write (custom rule)|4|externalId=649219 cat=Policy Enforcement start=May 06 13:27:41 UTC rt=May 06 13:28:02 UTC filePath=c:\\windows\\system32\\perfdisk.dll fname=perfdisk.dll fileHash=60b8a55c0f3228b18d918a3fd6684c401442f6447f2cec5dad9860a8c1d6462c fileId=39126 deviceProcessName="C:\\ProgramData\\Microsoft\\Windows Defender\\platform\\4.14.17639.18041-0\\MsMDEV.exe" dst=172.30.31.13 dhost=EXAMPLE\\DC01 duser=NT AUTHORITY\\SYSTEM dvchost=cbprotection msg='c:\\windows\\system32\\perfdisk.dll' was created by 'NT AUTHORITY\\SYSTEM'. sproc=00000000-0000-15b8-01d3-dd191e70c6d3 cs1Label=rootHash cs1=e1c32fca51d86aad28c2dd13ec427eccd03f9d6900f8f1fe90b99f85550a8a98 cs2Label=installerFilename cs2=msi669d.tmp cs3Label=Policy cs3=Domain Controllers cs5Label=ruleName cs5=[File Integrity Monitoring] Changes to system files cfp1Label=fileTrust cfp1=10 flexString1Label=fileThreat flexString1=0 - Clean cfp2Label=processTrust cfp2=10 flexString2Label=processThreat flexString2=0 - Clean