Carbon Black Cloud
Carbon Black Cloud is a cloud-based, next-generation antivirus, endpoint detection and response provider. The event source retrieves alerts and observations that indicate interesting or suspicious activity in your environment.
The cloud-based event source polls both the alerts and observations API endpoints in Carbon Black:
- Alerts indicate suspicious behavior and known threats in your environment.
- Observations display interesting or suspicious activity in your environment that does not always reach the importance of generating an alert.
To set up Carbon Black Cloud:
- Read the requirements and complete any prerequisite steps.
- Configure Carbon Black Cloud to send data to InsightIDR.
- Configure InsightIDR to collect data from the event source.
- Test the configuration.
You can also:
Visit the third-party vendor's documentation
For the most accurate information about preparing your event source product for integration with InsightIDR, we recommend that you visit the third-party vendor's product documentation.
Configure Carbon Black Cloud to send data to InsightIDR
To ensure InsightIDR can receive data from Carbon Black Cloud, you must configure your event source.
- Create a custom access level with the required permissions. Follow the Carbon Black instructions at: https://developer.carbonblack.com/reference/carbon-black-cloud/authentication/#carbon-black-cloud-manages-identities-and-roles.
- The permissions needed for alerts can be found at: https://developer.carbonblack.com/reference/carbon-black-cloud/platform/latest/alerts-api/#authentication.
- The permissions needed for observations can be found at: https://developer.carbonblack.com/reference/carbon-black-cloud/platform/latest/observations-api/#authentication.
- Obtain a Carbon Black Cloud API Secret Key and API ID with the assigned custom access level created in the previous step. Follow the instructions at: https://developer.carbonblack.com/reference/carbon-black-cloud/authentication/#carbon-black-cloud-manages-identities-and-roles.
- Identify your Carbon Black URL using the documentation at: https://developer.carbonblack.com/reference/carbon-black-cloud/authentication/#hostname.
- Obtain your Carbon Black Org Key using the documentation at: https://developer.carbonblack.com/reference/carbon-black-cloud/authentication/#org-key.
Configure InsightIDR to collect data from the event source
After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.
Task 1: Select Carbon Black Cloud
- Go to Data Collection and click Setup Event Source > Add Event Source.
- Do one of the following:
- Search for Carbon Black Cloud in the event sources search bar.
- In the Product Type filter, select Cloud Services.
- Select Carbon Black Cloud.
Task 2: Set up your collection method
To collect data from Carbon Black Cloud, you must set up a cloud connection. Cloud connections are quick to configure and allow your event logs to be directly ingested into InsightIDR.
From May 2024, only cloud connections are supported
You can integrate Carbon Black Cloud with InsightIDR using a cloud connection only. If you had configured this event source previously using a collector, you cannot reuse the existing on-premise credentials to create a cloud connection. You must create new credentials. Event sources created using the collector method will no longer collect data following the deprecation of the Carbon Black Cloud Notification API on October 31, 2024.
To set up a cloud connection:
- In the Add Event Source panel, select Run On Cloud.
- Name the event source. This will become the name of the log that contains the event data in Log Search.
- Optionally, select the option to send unparsed data.
- Select your Account Attribution preference:
- Use short name attribution: The system first attempts to attribute data by email address, for example,
jsmith@myorg.example.com
. If the first attempt is unsuccessful, attribution is attempted by short name, for example,jsmith
. If the short name is unsuccessful, attribution is attempted by a user’s first and last name, for example,John Smith
. - Use fully qualified domain name attribution: The system first attempts to attribute data by email address, for example,
jsmith@myorg.example.com
. If the first attempt is unsuccessful, attribution is attempted by a user’s first and last name, for example,John Smith
. This option is best if your environment has collisions with short names.
- Use short name attribution: The system first attempts to attribute data by email address, for example,
- Optionally, in a multi-domain environment, use the dropdown menu to select your main Active Directory domain. See Deploy in Multi-domain Environments and Advanced Event Source Settings.
- Click Add a New Connection.
- In the Create a Cloud Connection screen, enter a name for the new connection.
- In the APP ID field, enter the APP ID that you obtained in the previous section, Configure Carbon Black Cloud to send data to InsightIDR.
- In the Org Key field, enter the Org Key that you obtained in the previous section, Configure Carbon Black Cloud to send data to InsightIDR.
- In the URL field, select the value of the URL that you obtained in the previous section, Configure Carbon Black Cloud to send data to InsightIDR.
- In the API Secret Key field, add a new credential:
- Name your credential.
- Describe your credential.
- Enter the API Secret Key that you obtained in the previous section, Configure Carbon Black Cloud to send data to InsightIDR.
- Click Save Connection.
- Click Save.
Test the configuration
To test that event data is flowing into InsightIDR:
- From the Data Collection Management page, open the Event Sources tab.
- Find the event source you created and click View raw log. If the Raw Logs modal displays raw log entries, logs are successfully flowing to InsightIDR.
- Wait approximately 7 minutes, then open Log Search.
Next, verify that log entries are appearing in Log Search:
- In the Log Search filter panel, search for the event source you named in step 4 of Configure InsightIDR to collect data from the event source. Carbon Black Cloud logs should flow into these log sets:
- Virus Infection
- Third Party Alert
- Intrusion Detection System
- Firewall
- Select the log sets and the logs within them.
- Set the time range to Last 10 minutes and click Run.
The Results table displays all log entries that flowed into InsightIDR in the last 10 mins. The keys and values that are displayed are helpful to know when you want to build a query and search your logs.
Sample logs
In Log Search, the log that is generated uses the name of your event source by default. The log appears under the log set(s):
- Virus Infection
- Third Party Alert
- Intrusion Detection System
- Firewall
Here is a typical log entry that is created by the event source:
Alert event
1{2"alert_notes_present": False,3"alert_url": "https://defense.conferdeploy.net/alerts?s[c][query_string]=id:52fa009d-e2d1-4118-8a8d-04f521ae66aa&orgKey=ABCD1234",4"backend_timestamp": "2023-04-14T21:30:40.570Z",5"backend_update_timestamp": "2023-04-14T21:30:40.570Z",6"childproc_cmdline": "",7"childproc_guid": "",8"childproc_username": "",9"detection_timestamp": "2023-04-14T21:27:14.719Z",10"determination": "None",11"device_external_ip": "1.2.3.4",12"device_id": 18118174,13"device_location": "UNKNOWN",14"device_name": "pscr-test-01-1677785028.620244-9",15"device_os": "WINDOWS",16"device_os_version": "Windows 10 x64 SP: 1",17"device_policy": "123abcde-c21b-4d64-9e3e-53595ef9c7af",18"device_policy_id": 1234567,19"device_target_value": "LOW",20"device_uem_id": "",21"device_username": "user@example.com",22"first_event_timestamp": "2023-04-14T21:21:42.193Z",23"id": "12ab345cd6-e2d1-4118-8a8d-04f521ae66aa",24"ioc_hit": "((process_name:InfDefaultInstall.exe)) -enriched:true",25"ioc_id": "b4ee93fc-ec58-436a-a940-b4d33a613513-0",26"is_updated": False,27"last_event_timestamp": "2023-04-14T21:21:42.193Z",28"mdr_alert": False,29"ml_classification_final_verdict": "NOT_ANOMALOUS",30"ml_classification_global_prevalence": "LOW",31"ml_classification_org_prevalence": "LOW",32"org_key": "ABCD1234",33"policy_applied": "NOT_APPLIED",34"primary_event_id": "-7RlZFHcSGWKSrF55B_4Ig-0",35"process_cmdline": "InfDefaultInstall.exe C:\\\\Users\\\\username\\\\userdir\\\\Infdefaultinstall.inf",36"process_effective_reputation": "LOCAL_WHITE",37"process_guid": "ABCD1234-0114761e-00002ae4-00000000-19db1ded53e8000",38"process_issuer": "Demo Code Signing CA - G2",39"process_md5": "12c34567894a49f13193513b0138f72a9",40"process_name": "infdefaultinstall.exe",41"process_pid": 10980,42"process_publisher": "Demo Test Authority",43"process_reputation": "NOT_LISTED",44"process_sha256": "1a2345cd88666a458f804e5d0fe925a9f55cf016733458c58c1980addc44cd774",45"process_username": "DEMO\\\\DEMOUSER",46"reason": "Process infdefaultinstall.exe was detected by the report Defense Evasion - Signed Binary Proxy Execution - InfDefaultInstall in 6 watchlists",47"reason_code": "05696200-88e6-3691-a1e3-8d9a64dbc24e:7828aec8-8502-3a43-ae68-41b5050dab5b",48"report_description": "\\n\\nThreat:\\nThis behavior may be abused by adversaries to execute malicious files that could bypass application whitelisting and signature validation on systems.\\n\\nFalse Positives:\\nSome environments may legitimate use this, but should be rare.\\n\\nScore:\\n85",49"report_id": "oJFtoawGS92fVMXlELC1Ow-b4ee93fc-ec58-436a-a940-b4d33a613513",50"report_link": "https://attack.mitre.org/wiki/Technique/T1218",51"report_name": "Defense Evasion - Signed Binary Proxy Execution - InfDefaultInstall",52"report_tags": [53"tag1"54],55"run_state": "RAN",56"sensor_action": "ALLOW",57"severity": 8,58"tags": [59"tag1",60"tag2"61],62"threat_id": "0569620088E6669121E38D9A64DBC24E",63"threat_notes_present": false,64"type": "WATCHLIST",65"user_update_timestamp": "None",66"watchlists": [67{68"id": "hfnsh73543jdt",69"name": "Carbon Black Advanced Threats"70}71],72"workflow": {73"change_timestamp": "2023-04-14T21:30:40.570Z",74"changed_by": "ALERT_CREATION",75"changed_by_type": "SYSTEM",76"closure_reason": "NO_REASON",77"status": "OPEN"78}79}
Observation event
1{2"backend_timestamp": "2024-04-25T13:13:14.268Z",3"device_group_id": 0,4"device_id": 1234567,5"device_name": "device\\\\name",6"device_policy_id": 1234,7"device_timestamp": "2024-04-25T13:12:16.965Z",8"enriched": True,9"enriched_event_type": [10"CREATE_PROCESS"11],12"event_description": "Threat:\\nThis behavior may be abused by adversaries to execute malicious files that could bypass application whitelisting",13"event_id": "123abc456hij987",14"event_type": "childproc",15"ingress_time": 1714050766940,16"legacy": True,17"observation_description": "Threat:\\nThis behavior may be abused by adversaries to execute malicious files that could bypass application whitelisting",18"observation_id": "123abc456hij987",19"observation_type": "CONTEXTUAL_ACTIVITY",20"org_id": "ABCD123",21"parent_guid": "7DESJ9GN-00663165-00000e3c-00000000-1da90da1398f66e",22"parent_pid": 1234,23"process_guid": "7DESJ9GN-00663165-0000490c-00000000-1da971229580df5",24"process_hash": [25"460091df9292bf9307cb92d1aef8d0e5",26"e59c1ee25d223308115101b022e15bb887a3deba629be743ab03e08439c2b6f6"27],28"process_name": "c:\\\\program files\\\\directory\\\\example.exe",29"process_pid": [301870031],32"process_username": [33"USER\\\\NAME"34]35}