Carbon Black Cloud

The Carbon Black Cloud event source gathers alerts forwarded by the Carbon Black EDR Event Forwarder. Carbon Black Cloud is a cloud-based, next-generation antivirus and endpoint detection and response (EDR) provider. InsightIDR currently supports these Carbon Black products:

  • Carbon Black Cloud Endpoint Standard
  • Carbon Black Cloud Enterprise EDR

If you have a license for Carbon Black Cloud, you can configure the Notifications API to send notifications to InsightIDR for further analysis. For more information about how to configure notifications, read the Carbon Black documentation at: https://community.carbonblack.com/t5/Knowledge-Base/Carbon-Black-Cloud-How-to-Add-New-Notifications/ta-p/38863.

To set up Carbon Black Cloud as an event source, you’ll need to:

  1. Review the Before You Begin section and complete all prerequisite tasks.
  2. Set up the Carbon Black event source in InsightIDR.
  3. Verify the configuration works.

Before You Begin

For Carbon Black Cloud to successfully send data to InsightIDR:

  1. Obtain a Carbon Black Cloud API Secret Key and API ID: Create a Carbon Black Cloud API Key of type "SIEM" by setting the Access-Level Type to SIEM. The API Secret Key and API ID together make up the API Key; you will need both when you set up the Carbon Black Cloud event source in InsightIDR. For instructions, see: https://developer.carbonblack.com/reference/carbon-black-cloud/authentication/.
  2. Configure threat notifications and alert threshold in the Carbon Black Endpoint Standard Console: Before you can send data to InsightIDR, you must configure some additional settings in the Carbon Black Cloud console. From the Carbon Black Cloud console, go to Settings > Notifications, configure threat notifications for your API Key, and set the alert threshold.
  3. Determine the Carbon Black API URL: Follow the instructions in the Constructing your Request section to determine the Carbon Black API URL: https://developer.carbonblack.com/reference/carbon-black-cloud/authentication/#creating-an-api-key.
    • For Cloud APIs, use the API URL for the hostname: https://api-prod05.conferdeploy.net.
    • For all other APIs (Platform, ThreatHunter, LiveOps), use the dashboard URL for the hostname. Please note that Carbon Black Cloud products fall under Platform and should use this URL: https://defense-prod05.conferdeploy.net/.
    • If using a host other than prod05, follow the Carbon Black documentation to determine the correct URL to use.

Configure InsightIDR to collect data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.

To configure the new event source in InsightIDR:

  1. From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for Carbon Black Cloud in the event sources search bar.
    • In the Product Type filter, select Virus Scan.
  3. Select the Carbon Black Cloud event source tile.
  4. Choose your collector and event source. You can also name your event source if you want.
  5. Select a timezone.
  6. Optionally, if you intend to send additional events beyond alerts, select Send Unparsed Data. We recommend that you use TCP as your protocol.
  7. Enter the API URL for Carbon Black Cloud. You must include the protocol in the API URL; otherwise, requests from the event source will fail. For example, enter https://api-prod05.conferdeploy.net instead of api-prod05.conferdeploy.net.
  8. In the Credential field, select Create New and name the credential.
  9. Enter the Carbon Black API ID, which is part of the API Key that you generated in Carbon Black Cloud.
  10. Enter the API Secret Key, which is part of the API Key that you generated in Carbon Black Cloud.
  11. Click Save.

Verify the Configuration

To verify that your configuration is correct, go to Log Search to view your raw log data.

View Your Log Data

  1. From the left menu, click Log Search to view your raw logs and confirm that events are reaching the Collector. Carbon Black Cloud logs flow into Virus Scan log sets.
  2. Perform a Log Search to ensure Carbon Black events are coming through.

Sample Input Log

The following is an example of what you can expect your input logs to look like:

{"threatInfo":{"incidentId":"ABCD1234","score":3,"summary":"A known virus (Trojan: Androm) was detected.","time":1570697388228,"indicators":[{"applicationName":"sbsimulation.exe","sha256Hash":"df6s5d4f65er468e46w51e35f1w6ef465e6w54e654w6e54f68ds684efe","indicatorName":"DETECTED_MALWARE_APP"}],"threatCause":{"reputation":"KNOWN_MALWARE","actor":"wefw65e4f5w6e132f1we321f3w2e13fw5ef46w5e46f5w4e65f46w5e46f5weffwe","actorName":"Trojan: Androm","reason":"T_DETECT_MALWARE","actorType":null,"threatCategory":"KNOWN_MALWARE","actorProcessPPid":"1234-32132165465465465-0","causeEventId":"asdas98d4a6s513d2a1wd84wd89q","originSourceType":"UNKNOWN"}},"url":"https://defense.conferdeploy.net/threat-hunter/investigate/events?query=alert_id:ABCD1234%20AND%20&searchWindow=ALL","eventTime":1570697359884,"eventDescription":"[Global Alert Notification] [Carbon Black has detected a threat against your company.] [https://defense.conferdeploy.net#incident/ABCD1234] [A known virus (Trojan: Androm) was detected.] [Incident id: ABCD1234] [Threat score: 3] [Group: R7 Policy] [Email: titus.labienus@rapid7.com] [Name: Win10-CarbonBlack] [Type and OS: WINDOWS Windows 10 x64] [Severity: Threat]\n","deviceInfo":{"deviceId":2569258,"groupName":"R7 Policy","deviceName":"Win10-CarbonBlack","email":"titus.labienus@rapid7.com","deviceType":"WINDOWS","deviceHostName":null,"deviceVersion":"Windows 10 x64","targetPriorityType":"MEDIUM","targetPriorityCode":0,"uemId":"","internalIpAddress":"172.12.34.56","externalIpAddress":"52.12.34.56"},"ruleName":"Global Alert Notification","type":"THREAT"}
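As an added example that is not part of this page or of Carbon Black's own tooling, the Python below checks an API URL the way step 7 of the setup requires (scheme present) and parses the notification format shown above into the fields an analyst would pivot on (incident, score, severity tag, host, addresses, indicator hashes). The embedded sample is abridged from the page's own sample log, so its sha256Hash is the page's redacted placeholder and is flagged as such.

```python
import json
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Abridged copy of the sample notification shown on this page (placeholder values).
SAMPLE = r'{"threatInfo":{"incidentId":"ABCD1234","score":3,"summary":"A known virus (Trojan: Androm) was detected.","time":1570697388228,"indicators":[{"applicationName":"sbsimulation.exe","sha256Hash":"df6s5d4f65er468e46w51e35f1w6ef465e6w54e654w6e54f68ds684efe","indicatorName":"DETECTED_MALWARE_APP"}],"threatCause":{"reputation":"KNOWN_MALWARE","actorName":"Trojan: Androm","reason":"T_DETECT_MALWARE","threatCategory":"KNOWN_MALWARE"}},"eventTime":1570697359884,"eventDescription":"[Global Alert Notification] [Carbon Black has detected a threat against your company.] [https://defense.conferdeploy.net#incident/ABCD1234] [A known virus (Trojan: Androm) was detected.] [Incident id: ABCD1234] [Threat score: 3] [Group: R7 Policy] [Email: titus.labienus@rapid7.com] [Name: Win10-CarbonBlack] [Type and OS: WINDOWS Windows 10 x64] [Severity: Threat]\n","deviceInfo":{"deviceId":2569258,"deviceName":"Win10-CarbonBlack","deviceType":"WINDOWS","internalIpAddress":"172.12.34.56","externalIpAddress":"52.12.34.56"},"ruleName":"Global Alert Notification","type":"THREAT"}'

SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
# Only "[Key: value]" tags whose key is plain words; the free-text summary
# "[A known virus (Trojan: Androm) ...]" contains "(" and so is not matched.
TAG_RE = re.compile(r"\[([A-Za-z][A-Za-z ]*): ([^\]]*)\]")


def api_url_has_scheme(url):
    """Step 7 on this page: the API URL must include the https:// protocol."""
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.netloc)


def to_utc(epoch_ms):
    """Carbon Black timestamps are epoch milliseconds; render as UTC ISO-8601."""
    return datetime.fromtimestamp(epoch_ms / 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_notification(raw):
    """Reduce one THREAT notification to the fields used for triage."""
    n = json.loads(raw)
    threat, device = n["threatInfo"], n["deviceInfo"]
    tags = dict(TAG_RE.findall(n.get("eventDescription", "")))
    indicators = [
        {"app": i.get("applicationName"), "name": i.get("indicatorName"),
         "sha256": i.get("sha256Hash"),
         # A real SHA-256 is 64 hex chars; anything else (like the page's sample) is flagged.
         "sha256_valid": bool(SHA256_RE.match(i.get("sha256Hash") or ""))}
        for i in threat.get("indicators", [])
    ]
    return {
        "incident_id": threat["incidentId"],
        "score": threat["score"],
        "severity": tags.get("Severity"),
        "reason": threat["threatCause"]["reason"],
        "event_time": to_utc(n["eventTime"]),
        "host": device["deviceName"],
        "internal_ip": device["internalIpAddress"],
        "external_ip": device["externalIpAddress"],
        "indicators": indicators,
    }
```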

Troubleshooting

If the event source displays any errors, review the collector.log file to see if it contains any additional information about the error. This is a diagnostic log that is located in the same folder where the Insight Collector software is installed.