Getting Started with InsightIDR

Automation

How To

Concepts and Usage

Detection Library

InsightIDR REST APIs

Event Source Configuration

Administration

Release Notes

Support

Carbon Black Cloud

Carbon Black Cloud is a cloud-based, next-generation antivirus, endpoint detection and response provider. The event source retrieves alerts and observations that indicate interesting or suspicious activity in your environment.

The cloud-based event source polls both the alerts and observations API endpoints in Carbon Black:

Alerts indicate suspicious behavior and known threats in your environment.
Observations display interesting or suspicious activity in your environment that does not always reach the importance of generating an alert.

To set up Carbon Black Cloud:

Read the requirements and complete any prerequisite steps.
Configure Carbon Black Cloud to send data to InsightIDR.
Configure InsightIDR to collect data from the event source.
Test the configuration.

You can also:

Review sample logs.

Visit the third-party vendor's documentation

For the most accurate information about preparing your event source product for integration with InsightIDR, we recommend that you visit the third-party vendor's product documentation.

Configure Carbon Black Cloud to send data to InsightIDR

To ensure InsightIDR can receive data from Carbon Black Cloud, you must configure your event source.

Create a custom access level with the required permissions. Follow the Carbon Black instructions at: https://developer.carbonblack.com/reference/carbon-black-cloud/authentication/#carbon-black-cloud-manages-identities-and-roles.
- The permissions needed for alerts can be found at: https://developer.carbonblack.com/reference/carbon-black-cloud/platform/latest/observations-api/#authentication.
- The permissions needed for observations can be found at: https://developer.carbonblack.com/reference/carbon-black-cloud/platform/latest/observations-api/#authentication.
Obtain a Carbon Black Cloud API Secret Key and API ID with the assigned custom access level created in the previous step. Follow the instructions at: https://developer.carbonblack.com/reference/carbon-black-cloud/authentication/#carbon-black-cloud-manages-identities-and-roles.
Identify your Carbon Black URL using the documentation at: https://developer.carbonblack.com/reference/carbon-black-cloud/authentication/#hostname.
Obtain your Carbon Black Org Key using the documentation at: https://developer.carbonblack.com/reference/carbon-black-cloud/authentication/#org-key.

Configure InsightIDR to collect data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.

Task 1: Select Carbon Black Cloud

Go to Data Collection and click Setup Event Source > Add Event Source.
Do one of the following:

Search for Carbon Black Cloud in the event sources search bar.
In the Product Type filter, select Cloud Services.

Select Carbon Black Cloud.

Task 2: Set up your collection method

To collect data from Carbon Black Cloud, you must set up a cloud connection. Cloud connections are quick to configure and allow your event logs to be directly ingested into InsightIDR.

From May 2024, only cloud connections are supported

You can integrate Carbon Black Cloud with InsightIDR using a cloud connection only. If you had configured this event source previously using a collector, you cannot reuse the existing on-premise credentials to create a cloud connection. You must create new credentials.

To set up a cloud connection:

In the Add Event Source panel, select Run On Cloud.
Name the event source. This will become the name of the log that contains the event data in Log Search.
Optionally, select the option to send unparsed data.
Select your LDAP Account Attribution preference:

Use short name attribution: Applies the short name of the user without the domain suffix in the username field. For example, if the username was jsmith@myorg.example.com, the short name would be jsmith.
Use fully qualified domain name attribution: If you have a multi-domain environment, this option works best to attribute users and assets.

Optionally, in a multi-domain environment, use the dropdown menu to select your main Active Directory domain. See Deploy in Multi-domain Environments and Advanced Event Source Settings.
Click Add a New Connection.
In the Create a Cloud Connection screen, enter a name for the new connection.
In the APP ID field, enter the APP ID that you obtained in the previous section, Configure Carbon Black Cloud to send data to InsightIDR.
In the Org Key field, enter the Org Key that you obtained in the previous section, Configure Carbon Black Cloud to send data to InsightIDR.
In the URL field, select the value of the URL that you obtained in the previous section, Configure Carbon Black Cloud to send data to InsightIDR.
In the API Secret Key field, add a new credential:

Name your credential.
Describe your credential.
Enter the API Secret Key that you obtained in the previous section, Configure Carbon Black Cloud to send data to InsightIDR.

Click Save Connection.
Click Save.

Test the configuration

To test that event data is flowing into InsightIDR:

From the Data Collection Management page, open the Event Sources tab.
Find the event source you created and click View raw log. If the Raw Logs modal displays raw log entries, logs are successfully flowing to InsightIDR.
Wait approximately 7 minutes, then open Log Search.

Next, verify that log entries are appearing in Log Search:

In the Log Search filter panel, search for the event source you named in step 4 of Configure InsightIDR to collect data from the event source. Carbon Black Cloud logs should flow into these log sets:

Virus Infection
Third Party Alert
Intrusion Detection System
Firewall

Select the log sets and the logs within them.
Set the time range to Last 10 minutes and click Run.

The Results table displays all log entries that flowed into InsightIDR in the last 10 mins. The keys and values that are displayed are helpful to know when you want to build a query and search your logs.

Sample logs

In Log Search, the log that is generated uses the name of your event source by default. The log appears under the log set(s):

Virus Infection
Third Party Alert
Intrusion Detection System
Firewall

Here is a typical log entry that is created by the event source:

Alert event


 
1
{
2
  "alert_notes_present": False,
3
  "alert_url": "https://defense.conferdeploy.net/alerts?s[c][query_string]=id:52fa009d-e2d1-4118-8a8d-04f521ae66aa&orgKey=ABCD1234",
4
  "backend_timestamp": "2023-04-14T21:30:40.570Z",
5
  "backend_update_timestamp": "2023-04-14T21:30:40.570Z",
6
  "childproc_cmdline": "",
7
  "childproc_guid": "",
8
  "childproc_username": "",
9
  "detection_timestamp": "2023-04-14T21:27:14.719Z",
10
  "determination": "None",
11
  "device_external_ip": "1.2.3.4",
12
  "device_id": 18118174,
13
  "device_location": "UNKNOWN",
14
  "device_name": "pscr-test-01-1677785028.620244-9",
15
  "device_os": "WINDOWS",
16
  "device_os_version": "Windows 10 x64 SP: 1",
17
  "device_policy": "123abcde-c21b-4d64-9e3e-53595ef9c7af",
18
  "device_policy_id": 1234567,
19
  "device_target_value": "LOW",
20
  "device_uem_id": "",
21
  "device_username": "user@example.com",
22
  "first_event_timestamp": "2023-04-14T21:21:42.193Z",
23
  "id": "12ab345cd6-e2d1-4118-8a8d-04f521ae66aa",
24
  "ioc_hit": "((process_name:InfDefaultInstall.exe)) -enriched:true",
25
  "ioc_id": "b4ee93fc-ec58-436a-a940-b4d33a613513-0",
26
  "is_updated": False,
27
  "last_event_timestamp": "2023-04-14T21:21:42.193Z",
28
  "mdr_alert": False,
29
  "ml_classification_final_verdict": "NOT_ANOMALOUS",
30
  "ml_classification_global_prevalence": "LOW",
31
  "ml_classification_org_prevalence": "LOW",
32
  "org_key": "ABCD1234",
33
  "policy_applied": "NOT_APPLIED",
34
  "primary_event_id": "-7RlZFHcSGWKSrF55B_4Ig-0",
35
  "process_cmdline": "InfDefaultInstall.exe C:\\\\Users\\\\username\\\\userdir\\\\Infdefaultinstall.inf",
36
  "process_effective_reputation": "LOCAL_WHITE",
37
  "process_guid": "ABCD1234-0114761e-00002ae4-00000000-19db1ded53e8000",
38
  "process_issuer": "Demo Code Signing CA - G2",
39
  "process_md5": "12c34567894a49f13193513b0138f72a9",
40
  "process_name": "infdefaultinstall.exe",
41
  "process_pid": 10980,
42
  "process_publisher": "Demo Test Authority",
43
  "process_reputation": "NOT_LISTED",
44
  "process_sha256": "1a2345cd88666a458f804e5d0fe925a9f55cf016733458c58c1980addc44cd774",
45
  "process_username": "DEMO\\\\DEMOUSER",
46
  "reason": "Process infdefaultinstall.exe was detected by the report Defense Evasion - Signed Binary Proxy Execution - InfDefaultInstall in 6 watchlists",
47
  "reason_code": "05696200-88e6-3691-a1e3-8d9a64dbc24e:7828aec8-8502-3a43-ae68-41b5050dab5b",
48
  "report_description": "\\n\\nThreat:\\nThis behavior may be abused by adversaries to execute malicious files that could bypass application whitelisting and signature validation on systems.\\n\\nFalse Positives:\\nSome environments may legitimate use this, but should be rare.\\n\\nScore:\\n85",
49
  "report_id": "oJFtoawGS92fVMXlELC1Ow-b4ee93fc-ec58-436a-a940-b4d33a613513",
50
  "report_link": "https://attack.mitre.org/wiki/Technique/T1218",
51
  "report_name": "Defense Evasion - Signed Binary Proxy Execution - InfDefaultInstall",
52
  "report_tags": [
53
    "tag1"
54
  ],
55
  "run_state": "RAN",
56
  "sensor_action": "ALLOW",
57
  "severity": 8,
58
  "tags": [
59
    "tag1",
60
    "tag2"
61
  ],
62
  "threat_id": "0569620088E6669121E38D9A64DBC24E",
63
  "threat_notes_present": false,
64
  "type": "WATCHLIST",
65
  "user_update_timestamp": "None",
66
  "watchlists": [
67
    {
68
      "id": "hfnsh73543jdt",
69
      "name": "Carbon Black Advanced Threats"
70
    }
71
  ],
72
  "workflow": {
73
    "change_timestamp": "2023-04-14T21:30:40.570Z",
74
    "changed_by": "ALERT_CREATION",
75
    "changed_by_type": "SYSTEM",
76
    "closure_reason": "NO_REASON",
77
    "status": "OPEN"
78
  }
79
}

Observation event


 
1
{
2
  "backend_timestamp": "2024-04-25T13:13:14.268Z",
3
  "device_group_id": 0,
4
  "device_id": 1234567,
5
  "device_name": "device\\\\name",
6
  "device_policy_id": 1234,
7
  "device_timestamp": "2024-04-25T13:12:16.965Z",
8
  "enriched": True,
9
  "enriched_event_type": [
10
    "CREATE_PROCESS"
11
  ],
12
  "event_description": "Threat:\\nThis behavior may be abused by adversaries to execute malicious files that could bypass application whitelisting",
13
  "event_id": "123abc456hij987",
14
  "event_type": "childproc",
15
  "ingress_time": 1714050766940,
16
  "legacy": True,
17
  "observation_description": "Threat:\\nThis behavior may be abused by adversaries to execute malicious files that could bypass application whitelisting",
18
  "observation_id": "123abc456hij987",
19
  "observation_type": "CONTEXTUAL_ACTIVITY",
20
  "org_id": "ABCD123",
21
  "parent_guid": "7DESJ9GN-00663165-00000e3c-00000000-1da90da1398f66e",
22
  "parent_pid": 1234,
23
  "process_guid": "7DESJ9GN-00663165-0000490c-00000000-1da971229580df5",
24
  "process_hash": [
25
    "460091df9292bf9307cb92d1aef8d0e5",
26
    "e59c1ee25d223308115101b022e15bb887a3deba629be743ab03e08439c2b6f6"
27
  ],
28
  "process_name": "c:\\\\program files\\\\directory\\\\example.exe",
29
  "process_pid": [
30
    18700
31
  ],
32
  "process_username": [
33
    "USER\\\\NAME"
34
  ]
35
}

Did this page help you?

Event Source Configuration

Box.com

Event Source Configuration

Centrify SSO