Carbon Black Defense

Carbon Black Defense (CB Defense) is a cloud-based, next-generation antivirus and endpoint detection and response provider. If you have a license for Carbon Black Defense, you can configure the Notifications API to send threatInfo notifications to InsightIDR for further analysis.

To set up Carbon Black Defense, you’ll need to:

  1. Review the requirements.
  2. Set up the Carbon Black Defense event source in InsightIDR.
  3. Verify the configuration works.

Before You Begin

For CB Defense to successfully send data to InsightIDR:

  1. Obtain a Carbon Black Defense API Secret Key and API ID: Create a Carbon Black Defense API Key of type “SIEM” by setting the Access-Level Type to SIEM, and record its API Secret Key and API ID. You will need both values when you set up a CB Defense event source in InsightIDR. For instructions, see: https://developer.carbonblack.com/reference/carbon-black-cloud/authentication/.
  2. Configure threat notifications and alert threshold in the Carbon Black Defense Console: Before you can send data to InsightIDR, you must configure some additional settings in the Carbon Black Defense console. From the Carbon Black Defense console, go to Settings > Notifications, configure threat notifications for your API Key, and set the alert threshold.
  3. Determine the Carbon Black API URL: Follow the instructions outlined in the “Constructing your Request” section to determine the Carbon Black API URL: https://developer.carbonblack.com/reference/carbon-black-cloud/authentication/#creating-an-api-key.
    • For Defense APIs, use the API URL for the hostname: https://api-prod05.conferdeploy.net.
    • For all other APIs (Platform, ThreatHunter, LiveOps), use the dashboard URL for the hostname. Please note that Carbon Black Cloud products fall under Platform and should use this URL: https://defense-prod05.conferdeploy.net/.
    • If using a host other than prod05, follow the Carbon Black documentation to determine the correct URL to use.

Set Up Carbon Black Defense in InsightIDR

Once you have completed the requirements outlined in “Before You Begin”, you can start sending data that InsightIDR will use to generate Virus Infection alerts.

  1. From the left menu, go to Data Collection.
  2. When the “Data Collection” page appears, click the Setup Event Source dropdown and choose Add Event Source.
  3. From the “Virus Scan” section, click the Carbon Black Defense icon. The “Add Event Source” panel appears.
  4. Choose your collector and event source. You can also name your event source if you want.
  5. If you are sending additional events beyond alerts, select the unfiltered logs checkbox. We recommend that you use TCP as your protocol.
  6. Enter the API URL for Carbon Black Defense. You must include the protocol in the API URL, otherwise the data source will fail requests. For example, use https://api-prod05.conferdeploy.net instead of api-prod05.conferdeploy.net.
  7. Select Create New in the Credential field and name the credential the way you want it to appear in InsightIDR.
  8. In the SIEM API Key field, enter the API Secret Key and the API ID in the format [API Secret Key]/[API ID]. For more information about the API ID, see https://developer.carbonblack.com/reference/carbon-black-cloud/authentication/.
  9. In the SIEM Connector ID field, enter the label given to the SIEM API key when it was created in Carbon Black Defense.
  10. Click Save.

Verify the Configuration

To verify that your configuration is correct, go to Log Search to view your raw log data.

View Your Log Data

  1. From the left menu, click Log Search to view your raw logs and confirm that events are reaching the Collector. Carbon Black Defense logs flow into Virus Scan log sets.
  2. Next, perform a Log Search to make sure Carbon Black events are coming through.

Sample Input Log

The following is an example of what you can expect your input logs to look like:

{"threatInfo":{"incidentId":"ABCD1234","score":3,"summary":"A known virus (Trojan: Androm) was detected.","time":1570697388228,"indicators":[{"applicationName":"sbsimulation.exe","sha256Hash":"df6s5d4f65er468e46w51e35f1w6ef465e6w54e654w6e54f68ds684efe","indicatorName":"DETECTED_MALWARE_APP"}],"threatCause":{"reputation":"KNOWN_MALWARE","actor":"wefw65e4f5w6e132f1we321f3w2e13fw5ef46w5e46f5w4e65f46w5e46f5weffwe","actorName":"Trojan: Androm","reason":"T_DETECT_MALWARE","actorType":null,"threatCategory":"KNOWN_MALWARE","actorProcessPPid":"1234-32132165465465465-0","causeEventId":"asdas98d4a6s513d2a1wd84wd89q","originSourceType":"UNKNOWN"}},"url":"https://defense.conferdeploy.net/threat-hunter/investigate/events?query=alert_id:ABCD1234%20AND%20&searchWindow=ALL","eventTime":1570697359884,"eventDescription":"[Global Alert Notification] [Carbon Black has detected a threat against your company.] [https://defense.conferdeploy.net#incident/ABCD1234] [A known virus (Trojan: Androm) was detected.] [Incident id: ABCD1234] [Threat score: 3] [Group: R7 Policy] [Email: titus.labienus@rapid7.com] [Name: Win10-CarbonBlack] [Type and OS: WINDOWS Windows 10 x64] [Severity: Threat]\n","deviceInfo":{"deviceId":2569258,"groupName":"R7 Policy","deviceName":"Win10-CarbonBlack","email":"titus.labienus@rapid7.com","deviceType":"WINDOWS","deviceHostName":null,"deviceVersion":"Windows 10 x64","targetPriorityType":"MEDIUM","targetPriorityCode":0,"uemId":"","internalIpAddress":"172.12.34.56","externalIpAddress":"52.12.34.56"},"ruleName":"Global Alert Notification","type":"THREAT"}
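As an added example (not part of the Rapid7 documentation or of the Carbon Black product), the following Python applies the two setup checks from the steps above (the API URL must carry its https:// scheme, and the credential is entered as [API Secret Key]/[API ID]) and flattens a threatInfo notification like the one shown into the fields an analyst triages on. The sample line is constructed from the notification above, and all function names are the example's own.

```python
import json
import re
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample, abbreviated from the threatInfo notification above (same field names).
SAMPLE_LINE = (
    '{"threatInfo":{"incidentId":"ABCD1234","score":3,"time":1570697388228,'
    '"summary":"A known virus (Trojan: Androm) was detected.",'
    '"indicators":[{"applicationName":"sbsimulation.exe","indicatorName":"DETECTED_MALWARE_APP",'
    '"sha256Hash":"df6s5d4f65er468e46w51e35f1w6ef465e6w54e654w6e54f68ds684efe"}]},'
    '"deviceInfo":{"deviceId":2569258,"deviceName":"Win10-CarbonBlack",'
    '"internalIpAddress":"172.12.34.56","externalIpAddress":"52.12.34.56"},'
    '"ruleName":"Global Alert Notification","type":"THREAT"}'
)
SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")

def validate_api_url(url):
    """Reject a hostname-only value (the failure mode in step 6) and non-HTTPS schemes."""
    parts = urlparse(url.strip())
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("API URL must include the scheme, e.g. https://api-prod05.conferdeploy.net")
    return f"https://{parts.netloc}"

def split_siem_credential(value):
    """Split the '[API Secret Key]/[API ID]' field (step 8) into its two parts."""
    secret, sep, api_id = value.strip().partition("/")
    if not (sep and secret and api_id):
        raise ValueError("credential must be in the form <API Secret Key>/<API ID>")
    return secret, api_id

def parse_threat_notification(line):
    """Flatten one THREAT notification; other notification types are skipped (None)."""
    event = json.loads(line)
    if event.get("type") != "THREAT":
        return None
    info, device = event["threatInfo"], event.get("deviceInfo", {})
    ms = int(info["time"])  # epoch milliseconds
    return {
        "incident_id": info["incidentId"],
        "score": int(info["score"]),
        "summary": info.get("summary", ""),
        "detected_at": datetime.fromtimestamp(ms // 1000, tz=timezone.utc).replace(microsecond=(ms % 1000) * 1000),
        "device": device.get("deviceName"),
        "internal_ip": device.get("internalIpAddress"),
        "indicators": [{"app": i.get("applicationName"), "name": i.get("indicatorName"),
                        "sha256": i.get("sha256Hash"),
                        "sha256_valid": bool(SHA256_RE.match(i.get("sha256Hash") or ""))}
                       for i in info.get("indicators", [])],
    }
```

Note that the sha256Hash in the sample is a placeholder rather than a real digest, so sha256_valid is False for it; a check like this catches hashes that would never match a threat-intel lookup.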

Troubleshooting

If the event source displays any errors, review the collector.log to see if it has any additional context for the error. This log file can be found on the InsightIDR Collector. It is a diagnostic log that will be located in the same folder where the collector software is installed.