Carbon Black EDR

The Carbon Black EDR event source gathers alerts forwarded by the Carbon Black EDR Event Forwarder. Follow the instructions to download and install it here: https://github.com/carbonblack/cb-event-forwarder#cb-response-event-forwarder

Carbon Black product name update

As of January 2020, Carbon Black Response is now called Carbon Black EDR.

Configure InsightIDR to collect data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.

To configure the new event source in InsightIDR:

  1. From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for Carbon Black EDR in the event sources search bar.
    • In the Product Type filter, select Third Party Alerts.
  3. Select the Carbon Black EDR event source tile.
  4. Choose your collector and event source. You can also name your event source if you want.
  5. If you are sending additional events beyond alerts, select the Send Unparsed Logs option.
  6. Configure your default domain settings and any Advanced Event Source Settings.
  7. Specify an unused port on the Collector that can receive forwarded Carbon Black events. It is recommended that you use TCP as your protocol.
  8. Click Save.

Configure Carbon Black EDR

To successfully receive events from your Carbon Black EDR server, follow the installation and configuration instructions on the Event Forwarder page.

You must install and configure the Carbon Black EDR Event Forwarder found here: https://github.com/carbonblack/cb-event-forwarder#cb-response-event-forwarder

Then, on the same system where you installed the Event Forwarder, open the /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf file for editing and complete the following steps:

  1. Locate these lines:
    • output_type=<tcp or udp>
    • output_format=json
    • tcpout=<collector IP>:<event source port> or udpout=<collector IP>:<event source port>
  2. Set output_type to tcp or udp (tcp is recommended), and set the matching tcpout or udpout line to the Collector IP address and the event source port you specified in InsightIDR.
  3. Locate the following lines and modify them to the following values:
    • events_raw_sensor=0
    • events_watchlist=0
    • events_feed=0
    • events_alert=ALL
    • events_binary_observed=0
    • events_binary_upload=0
    • events_storage_partition=0
  4. Save the file and close it.
  5. Restart the Carbon Black EDR Event Forwarder so that changes to /etc/cb/cb.conf are pushed, by running service cb-enterprise restart.

If you are configuring the cb-event-forwarder on a Carbon Black EDR cluster, the DatastoreBroadcastEventTypes and/or EnableSolrBinaryInfoNotifications settings must be distributed to the /etc/cb/cb.conf configuration file on all minion nodes, and the cluster must be stopped and started with the command /usr/share/cb/cbcluster stop && /usr/share/cb/cbcluster start.
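A quick way to confirm the edited file matches the steps above before restarting is to parse it and compare each setting against the expected values. The following is an added example, not Rapid7's or Carbon Black's own tooling; it assumes cb-event-forwarder.conf is a key=value file with '#' comments and optional [section] headers, and the embedded SAMPLE_CONF is a constructed file with a made-up Collector address.

```python
# Added example (not Rapid7's or Carbon Black's code): check that a
# cb-event-forwarder.conf carries the InsightIDR settings described above.
# SAMPLE_CONF is a constructed file mirroring the lines the guide edits.
SAMPLE_CONF = """\
[bridge]
output_type=tcp
output_format=json
tcpout=10.0.0.5:5514
events_raw_sensor=0
events_watchlist=0
events_feed=0
events_alert=ALL
events_binary_observed=0
events_binary_upload=0
events_storage_partition=0
"""
# Event types the guide sets to 0 so that only alerts are forwarded.
ZERO_KEYS = ("events_raw_sensor", "events_watchlist", "events_feed",
             "events_binary_observed", "events_binary_upload", "events_storage_partition")

def parse_conf(text):
    """Return {key: value}; blank lines, '#' comments and [sections] are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#[":
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings

def check_conf(text):
    """Return a list of problems; an empty list means the file matches the guide."""
    s, problems = parse_conf(text), []
    out = s.get("output_type")
    if out not in ("tcp", "udp"):
        problems.append("output_type must be tcp or udp (tcp is recommended)")
    if s.get("output_format") != "json":
        problems.append("output_format must be json")
    dest_key = f"{out}out" if out in ("tcp", "udp") else "tcpout"
    host, _, port = s.get(dest_key, "").rpartition(":")
    if not (host and port.isdigit() and 0 < int(port) < 65536):
        problems.append(f"{dest_key} must be <collector IP>:<event source port>")
    if s.get("events_alert") != "ALL":
        problems.append("events_alert must be ALL or no alerts reach InsightIDR")
    for key in ZERO_KEYS:
        if s.get(key) != "0":
            problems.append(f"{key} should be 0 unless you intend to send unparsed events")
    return problems
```

Run check_conf on the contents of the real file; an empty list means every line the guide asks for is in place, and each entry otherwise names the line to fix.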

Send Additional Events

If you want to send additional Carbon Black EDR event types to InsightIDR, you can modify the events_* lines above so that those events are received as unparsed data in Log Search.

If you want to send additional events, check the “Send Unparsed Logs” option when configuring this event source in InsightIDR.

Note that these additional events may impact the Carbon Black EDR server and your InsightIDR Collector by increasing event volume, which counts against your data limit in Log Search.

Verify Your Configuration

After saving and closing the configuration file, run the following command in a terminal window to verify the changes:

  /usr/share/cb/integrations/event-forwarder/cb-event-forwarder -check

If the changes were successful, you will see a message that begins with “initialized output.”

If there were any errors, you will see them printed in the output.

For additional details about the health of the connection between the Event Forwarder and the event source, see the logs in the /var/log/cb/integrations/cb-event-forwarder directory.

Verify the Integration

To verify InsightIDR integration, perform a test action that triggers a Carbon Black EDR alert on a system running a Carbon Black Sensor. The same alert should fire as a Third Party Alert within InsightIDR.