Carbon Black Cloud

The Carbon Black Cloud event source gathers alerts forwarded by the Carbon Black EDR Event Forwarder. Carbon Black Cloud is a cloud-based next-generation antivirus and endpoint detection and response (EDR) platform. InsightIDR currently supports these Carbon Black Cloud products:

  • Carbon Black Cloud Endpoint Standard
  • Carbon Black Cloud Enterprise EDR

If you have a license for Carbon Black Cloud, you can configure the Notifications API to send notifications to InsightIDR for further analysis. For more information on how to configure notifications, see https://community.carbonblack.com/t5/Knowledge-Base/Carbon-Black-Cloud-How-to-Add-New-Notifications/ta-p/38863.

To set up Carbon Black Cloud, you’ll need to:

  1. Review the Before You Begin requirements.
  2. Set up the Carbon Black Cloud event source in InsightIDR.
  3. Verify the configuration works.

Before You Begin

For Carbon Black Cloud to successfully send data to InsightIDR:

  1. Obtain a Carbon Black Cloud API Secret Key and API ID: Create a Carbon Black Cloud API Key of type “SIEM” by setting the Access-Level Type to SIEM, and record both the API Secret Key and the API ID. You will need both values when you set up the Carbon Black Cloud event source in InsightIDR. For instructions, see: https://developer.carbonblack.com/reference/carbon-black-cloud/authentication/.
  2. Configure threat notifications and the alert threshold in the Carbon Black Cloud console: Before you can send data to InsightIDR, you must configure some additional settings in the Carbon Black Cloud console. From the console, go to Settings > Notifications, configure threat notifications for your SIEM API Key, and set the alert threshold. Only notifications that reach the threshold are sent to InsightIDR.
  3. Determine the Carbon Black API URL: Follow the instructions outlined in the “Constructing your Request” section to determine the Carbon Black API URL: https://developer.carbonblack.com/reference/carbon-black-cloud/authentication/#creating-an-api-key.
    • For Cloud APIs, use the API URL for the hostname: https://api-prod05.conferdeploy.net.
    • For all other APIs (Platform, ThreatHunter, LiveOps), use the dashboard URL for the hostname. Please note that Carbon Black Cloud products fall under Platform and should use this URL: https://defense-prod05.conferdeploy.net/.
    • If using a host other than prod05, follow the Carbon Black documentation to determine the correct URL to use.

Set Up Carbon Black Cloud in InsightIDR

Once you have completed the requirements outlined in “Before You Begin”, you can start sending data that InsightIDR will use to generate Virus Infection alerts.

  1. From the left menu, go to Data Collection.
  2. When the “Data Collection” page appears, click the Setup Event Source dropdown and choose Add Event Source.
  3. From the “Virus Scan” section, click the Carbon Black Cloud icon. The “Add Event Source” panel appears.
  4. Choose your collector and event source. You can also name your event source if you want.
  5. If you are sending additional events beyond alerts, select the unparsed logs checkbox. We recommend that you use TCP as your protocol.
  6. Enter the API URL for Carbon Black Cloud. You must include the protocol in the API URL, otherwise the data source will fail requests. For example, use https://api-prod05.conferdeploy.net instead of api-prod05.conferdeploy.net.
  7. Select Create New in the Credential field and name the credential the way you want it to appear in InsightIDR.
  8. In the SIEM API Key field, enter the API Secret Key and the API ID in the format [API Secret Key]/[API ID]. For more information about the API ID, see https://developer.carbonblack.com/reference/carbon-black-cloud/authentication/.
  9. In the SIEM Connector ID field, enter the label given to the SIEM API key when it was created in Carbon Black Cloud.
  10. Click Save.

Verify the Configuration

To verify that your configuration is correct, go to Log Search to view your raw log data.

View Your Log Data

  1. From the left menu, click Log Search to view your raw logs to ensure events are making it to the Collector. Carbon Black Cloud logs flow into Virus Scan log sets.
  2. Perform a Log Search to ensure Carbon Black events are coming through.

Sample Input Log

The following is an example of what you can expect your input logs to look like:

{"threatInfo":{"incidentId":"ABCD1234","score":3,"summary":"A known virus (Trojan: Androm) was detected.","time":1570697388228,"indicators":[{"applicationName":"sbsimulation.exe","sha256Hash":"df6s5d4f65er468e46w51e35f1w6ef465e6w54e654w6e54f68ds684efe","indicatorName":"DETECTED_MALWARE_APP"}],"threatCause":{"reputation":"KNOWN_MALWARE","actor":"wefw65e4f5w6e132f1we321f3w2e13fw5ef46w5e46f5w4e65f46w5e46f5weffwe","actorName":"Trojan: Androm","reason":"T_DETECT_MALWARE","actorType":null,"threatCategory":"KNOWN_MALWARE","actorProcessPPid":"1234-32132165465465465-0","causeEventId":"asdas98d4a6s513d2a1wd84wd89q","originSourceType":"UNKNOWN"}},"url":"https://defense.conferdeploy.net/threat-hunter/investigate/events?query=alert_id:ABCD1234%20AND%20&searchWindow=ALL","eventTime":1570697359884,"eventDescription":"[Global Alert Notification] [Carbon Black has detected a threat against your company.] [https://defense.conferdeploy.net#incident/ABCD1234] [A known virus (Trojan: Androm) was detected.] [Incident id: ABCD1234] [Threat score: 3] [Group: R7 Policy] [Email: titus.labienus@rapid7.com] [Name: Win10-CarbonBlack] [Type and OS: WINDOWS Windows 10 x64] [Severity: Threat]\n","deviceInfo":{"deviceId":2569258,"groupName":"R7 Policy","deviceName":"Win10-CarbonBlack","email":"titus.labienus@rapid7.com","deviceType":"WINDOWS","deviceHostName":null,"deviceVersion":"Windows 10 x64","targetPriorityType":"MEDIUM","targetPriorityCode":0,"uemId":"","internalIpAddress":"172.12.34.56","externalIpAddress":"52.12.34.56"},"ruleName":"Global Alert Notification","type":"THREAT"}
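The following is an added example, not code from Rapid7 or Carbon Black. It shows the two values the setup steps above validate (the API URL must carry its scheme, and the SIEM credential is entered as [API Secret Key]/[API ID]) and flattens a notification of the shape shown in the sample input log into the fields a SIEM alert rule would key on, with a local threshold check that mirrors the console's alert threshold. The `X-Auth-Token` header layout, the threshold semantics and the abridged sample notification are assumptions made for the example; the sample is constructed from the page's own log line.

```python
"""Offline helpers for Carbon Black Cloud notification data.

Added example (not Rapid7's or Carbon Black's code). Assumptions: the
X-Auth-Token header name and its "secret/id" layout are illustrative;
the sample notification below is constructed from the page's example.
"""
import json
from datetime import datetime, timezone
from urllib.parse import urlparse


def check_api_url(url: str) -> str:
    """Step 6: the API URL must include its scheme, or requests fail."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"API URL must start with https://, got {url!r}")
    return f"https://{parsed.netloc}"


def build_auth_header(siem_api_key: str) -> dict:
    """Step 8: the credential is entered as "[API Secret Key]/[API ID]".

    Assumption: header name and value layout follow the secret/id form;
    only the shape of the value is checked here.
    """
    secret, sep, api_id = siem_api_key.partition("/")
    if not sep or not secret or not api_id or "/" in api_id:
        raise ValueError("SIEM API Key must look like [API Secret Key]/[API ID]")
    return {"X-Auth-Token": f"{secret}/{api_id}"}


def _iso(ms: int) -> str:
    """Epoch milliseconds (eventTime, threatInfo.time) to ISO-8601 UTC."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def normalize_notification(raw: str) -> dict:
    """Flatten one notification JSON into SIEM-friendly fields.

    Notifications that are not of type THREAT carry no threatInfo, so every
    nested lookup has a default instead of raising KeyError.
    """
    n = json.loads(raw)
    threat = n.get("threatInfo") or {}
    cause = threat.get("threatCause") or {}
    device = n.get("deviceInfo") or {}
    return {
        "type": n.get("type"),
        "rule": n.get("ruleName"),
        "event_time": _iso(n["eventTime"]) if "eventTime" in n else None,
        "incident_id": threat.get("incidentId"),
        "score": threat.get("score", 0),
        "summary": threat.get("summary"),
        "actor_name": cause.get("actorName"),
        "threat_category": cause.get("threatCategory"),
        "reason": cause.get("reason"),
        "indicators": [
            {"name": i.get("indicatorName"), "app": i.get("applicationName"),
             "sha256": i.get("sha256Hash")}
            for i in threat.get("indicators") or []
        ],
        "device": device.get("deviceName"),
        "device_id": device.get("deviceId"),
        "os": device.get("deviceVersion"),
        "internal_ip": device.get("internalIpAddress"),
        "external_ip": device.get("externalIpAddress"),
        "url": n.get("url"),
    }


def meets_threshold(event: dict, min_score: int) -> bool:
    """Local mirror of the console's alert threshold (assumed semantics):
    alert only on THREAT notifications whose score reaches min_score."""
    return event["type"] == "THREAT" and event["score"] >= min_score


# Constructed sample, abridged from the page's "Sample Input Log".
SAMPLE_NOTIFICATION = json.dumps({
    "threatInfo": {
        "incidentId": "ABCD1234", "score": 3,
        "summary": "A known virus (Trojan: Androm) was detected.",
        "time": 1570697388228,
        "indicators": [{"applicationName": "sbsimulation.exe",
                        "sha256Hash": "df6s5d4f65er468e46w51e35f1w6ef465e6w54e654w6e54f68ds684efe",
                        "indicatorName": "DETECTED_MALWARE_APP"}],
        "threatCause": {"reputation": "KNOWN_MALWARE", "actorName": "Trojan: Androm",
                        "reason": "T_DETECT_MALWARE", "threatCategory": "KNOWN_MALWARE"},
    },
    "url": "https://defense.conferdeploy.net#incident/ABCD1234",
    "eventTime": 1570697359884,
    "deviceInfo": {"deviceId": 2569258, "deviceName": "Win10-CarbonBlack",
                   "deviceType": "WINDOWS", "deviceVersion": "Windows 10 x64",
                   "internalIpAddress": "172.12.34.56", "externalIpAddress": "52.12.34.56"},
    "ruleName": "Global Alert Notification",
    "type": "THREAT",
})

if __name__ == "__main__":
    print(check_api_url("https://api-prod05.conferdeploy.net/"))
    print(build_auth_header("SECRETKEY123/ABCD12345"))
    event = normalize_notification(SAMPLE_NOTIFICATION)
    print(json.dumps(event, indent=2))
    print("alert:", meets_threshold(event, min_score=3))
```

Run the script as-is to see the flattened record; feed real notification JSON to `normalize_notification` to check which fields your Log Search queries can rely on, and remember that notifications of other types arrive with no `threatInfo` at all.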

Troubleshooting

If the event source displays any errors, review the collector.log to see if it has any additional context for the error. This log file can be found on the InsightIDR Collector. It is a diagnostic log that will be located in the same folder where the collector software is installed.