Log Types: CarbonBlack

Overview

Carbon Black is an endpoint detection and response sensor that intercepts a number of Windows system calls (process, file, registry, network and module-load activity) and uses signatures and behavioural analysis to forward data on potential attack indicators.

The Carbon Black event forwarder (cb-event-forwarder) sends JSON events to the Snare Server, wrapped in a syslog header that is a non-compliant variant of RFC 5424.

The syslog collection subsystem can process these messages as RFC 5424 if it is configured to tolerate the missing VERSION field that RFC 5424 places immediately after the PRI value: the forwarder emits '<158> 2016-08-12T...' where a compliant message would read '<158>1 2016-08-12T...'.

The JSON content produced by the Carbon Black forwarder is not formally structured across event types (the set of keys varies from one event type to the next), so it is not suitable for direct JSON extraction into a predetermined structure. The schema is documented at:

  • https://developer.carbonblack.com/reference/enterprise-response/event-forwarder/event-schema/

As such, most of the content of a Carbon Black event is placed in a generic 'strings' container. The following exceptions are reasonably consistent across event types and are extracted as discrete fields:

  • Date

  • Time

  • System

  • Event ID/Type

The JSON message is flattened into dot-separated-key=value pairs, with four spaces used as the delimiter between pairs. Nested objects contribute their key path and list elements contribute their index, so the first entry of a 'docs' array appears as docs.0.process_name, docs.0.process_md5 and so on.

Sample Events

<158> 2016-08-12T07:08:09+10:30 ws1100 cb-event-forwarder[7862]: {"alert_severity":3.375,"alert_type":"watchlist.hit.ingress.process","cb_server":"cbserver","childproc_count":2,"comms_ip":"10.1.15.7","computer_name":"win2012r2vendor","created_time":"2018-11-05T04:00:18.878195Z","crossproc_count":3,"feed_id":22,"feed_name":"attackframework","feed_rating":3.0,"filemod_count":0,"group":"default group","hostname":"win2012r2vendor","interface_ip":"10.1.15.7","ioc_confidence":0.5,"ioc_query_index":"events","ioc_query_string":"(modload:crypt32.dll -process_name:mscorsvw.exe -process_name:logonui.exe -process_name:taskhost.exe -process_name:mobsync.exe -process_name:googleupdate.exe -process_name:upd.exe -process_name:audiodg.exe -process_name:wmiprvse.exe -process_name:chrome.exe -process_name:svchost.exe -process_name:backgroundtaskhost.exe -process_name:searchprotocolhost.exe)","ioc_type":"query","ioc_value":"{\"index_type\": \"events\", \"search_query\": \"cb.urlver=1\u0026q=(modload%3Acrypt32.dll%20-process_name%3Amscorsvw.exe%20-process_name%3Alogonui.exe%20-process_name%3Ataskhost.exe%20-process_name%3Amobsync.exe%20-process_name%3Agoogleupdate.exe%20-process_name%3Aupd.exe%20-process_name%3Aaudiodg.exe%20-process_name%3Awmiprvse.exe%20-process_name%3Achrome.exe%20-process_name%3Asvchost.exe%20-process_name%3Abackgroundtaskhost.exe%20-process_name%3Asearchprotocolhost.exe)\"}","md5":"B2FA87E8F814BF08E1599B6B2FDC9720","modload_count":46,"netconn_count":2,"os_type":"windows","process_guid":"00000001-0000-0f34-01d4-74bb4b95c9f1","process_id":"00000001-0000-0f34-01d4-74bb4b95c9f1","process_name":"configure-smremoting.exe","process_path":"c:\\windows\\system32\\configure-smremoting.exe","process_unique_id":"00000001-0000-0f34-01d4-74bb4b95c9f1-0166e20743b2","regmod_count":0,"report_score":5,"segment_id":"1","sensor_criticality":3.0,"sensor_id":1,"status":"Unresolved","timestamp":1541390418.89,"type":"alert.watchlist.hit.ingress.process","unique_id":"c2d001a8-b9d3-4bf7-a4e3-be8de308f2cb","username":"WIN2012R2VENDOR\\Administrator","watchlist_id":"565652","watchlist_name":"565652"}

Identification

Syslog messages from this source carry the string 'cb-event-forwarder' as the APP-NAME (tag) that follows the hostname in the header, as in the sample above.

Fields

Field      Description

DATE       Event date, in the format YYYY-MM-DD

TIME       Event time, in the format HH:MM:SS

SYSTEM     The source system

TABLE      CarbonBlack

TYPE       Alert type, e.g. alert.watchlist.hit.ingress.process

STRINGS    The remaining JSON content, flattened into key=value pairs separated by four spaces

A message of the kind shown in the 'Sample Events' section above is converted as follows and placed in the STRINGS field. This particular example comes from a feed.storage.hit.process event rather than the alert shown above, so its set of keys differs:

cb_server=cbserver    cb_version=6.2.3.180809.1703    comms_ip=10.1.15.7    computer_name=win2012r2vendor    docs.0.alliance_data_attackframework=565652    docs.0.alliance_link_attackframework=https://attack.mitre.org/wiki/Technique/T1002    docs.0.alliance_score_attackframework=5    docs.0.alliance_updated_attackframework=2018-10-16T20:15:04.000Z    docs.0.childproc_count=2    docs.0.cmdline="Configure-SMRemoting.exe" -GET    docs.0.crossproc_count=3    docs.0.filemod_count=0    docs.0.host_type=server    docs.0.last_update=2018-11-05T03:46:47.76Z    docs.0.modload_count=46    docs.0.netconn_count=2    docs.0.os_type=windows    docs.0.parent_guid=00000001-0000-0bd8-01d4-69b9983550a6    docs.0.parent_name=servermanager.exe    docs.0.parent_pid=3032    docs.0.parent_segment_id=1    docs.0.parent_unique_id=00000001-0000-0bd8-01d4-69b9983550a6-000000000001    docs.0.path=c:\windows\system32\configure-smremoting.exe    docs.0.process_guid=00000001-0000-0d30-01d4-74ba2d77bd05    docs.0.process_md5=B2FA87E8F814BF08E1599B6B2FDC9720    docs.0.process_name=configure-smremoting.exe    docs.0.process_pid=3376    docs.0.regmod_count=0    docs.0.segment_id=1541390418888    docs.0.start=2018-11-05T03:46:47.614Z    docs.0.unique_id=00000001-0000-0d30-01d4-74ba2d77bd05-0166e20743c8    docs.0.username=WIN2012R2VENDOR\Administrator    docs.0.watchlist_249=2018-11-05T04:00:06.000449Z    feed_id=22    feed_name=attackframework    from_feed_search=false    group=default group    hostname=win2012r2vendor    interface_ip=10.1.15.7    ioc_query_index=events    ioc_query_string=(modload:crypt32.dll -process_name:mscorsvw.exe -process_name:logonui.exe -process_name:taskhost.exe -process_name:mobsync.exe -process_name:googleupdate.exe -process_name:upd.exe -process_name:audiodg.exe -process_name:wmiprvse.exe -process_name:chrome.exe -process_name:svchost.exe -process_name:backgroundtaskhost.exe -process_name:searchprotocolhost.exe)    ioc_type=query    ioc_value={"index_type": "events", "search_query": "cb.urlver=1&q=(modload%3Acrypt32.dll%20-process_name%3Amscorsvw.exe%20-process_name%3Alogonui.exe%20-process_name%3Ataskhost.exe%20-process_name%3Amobsync.exe%20-process_name%3Agoogleupdate.exe%20-process_name%3Aupd.exe%20-process_name%3Aaudiodg.exe%20-process_name%3Awmiprvse.exe%20-process_name%3Achrome.exe%20-process_name%3Asvchost.exe%20-process_name%3Abackgroundtaskhost.exe%20-process_name%3Asearchprotocolhost.exe)"}    process_guid=00000001-0000-0d30-01d4-74ba2d77bd05    process_id=00000001-0000-0d30-01d4-74ba2d77bd05    report_id=565652    report_score=5    segment_id=1    sensor_id=1    server_name=localhost    timestamp=1.541390418888e+09    type=feed.storage.hit.process
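The following Python script is an added worked example, not Snare's or Carbon Black's own code. It ties together the points made on this page: it accepts the forwarder's RFC 5424 header with the VERSION field missing (a compliant '<158>1 ...' header is accepted too), applies the identification rule ('cb-event-forwarder' as the tag), extracts DATE, TIME, SYSTEM, TABLE and TYPE, and flattens the rest of the JSON into dot-separated key=value pairs separated by four spaces, with list elements indexed as in docs.0.*. Assumptions not stated on the page: DATE and TIME are taken from the syslog header timestamp rather than the JSON 'timestamp' key; SYSTEM is the syslog HOSTNAME; the header layout after the tag is '[PROCID]:' followed by a space; keys are emitted in sorted order (which is the order the page's example shows). The sample line is constructed, abridged from the one on this page, with a short 'docs' list added so the list-index rule is exercised. Floats are rendered with Python's shortest representation, so a value the forwarder prints as 1.541390418888e+09 appears here as 1541390418.888.

```python
"""Parse cb-event-forwarder syslog lines into DATE/TIME/SYSTEM/TABLE/TYPE/STRINGS.

Added example for this page; not Snare's or Carbon Black's own code.
"""
import json
import re
from datetime import datetime

# RFC 5424 header as cb-event-forwarder emits it: "<PRI>" is followed directly by
# a space and the timestamp, i.e. the VERSION digit is missing. VERSION is made
# optional so a compliant "<158>1 2016-..." line also parses. Assumed layout
# (not stated on the page): APP-NAME, optional "[PROCID]", ":" and a space.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+)? "   # PRI, optional VERSION, space
    r"(?P<ts>\S+) "                            # RFC 3339 timestamp
    r"(?P<host>\S+) "                          # HOSTNAME
    r"(?P<app>[^\s\[:]+)"                      # APP-NAME (the syslog tag)
    r"(?:\[(?P<pid>\d+)\])?:\s*"               # optional [PROCID], then ':'
    r"(?P<msg>\{.*\})\s*$",                    # JSON object, rest of the line
    re.DOTALL,
)
DELIM = "    "  # four spaces between key=value pairs, as on this page

# Constructed sample, abridged from the page's sample event (same envelope,
# far fewer keys, plus a one-element 'docs' list).
SAMPLE = (
    '<158> 2016-08-12T07:08:09+10:30 ws1100 cb-event-forwarder[7862]: '
    '{"cb_server":"cbserver","computer_name":"win2012r2vendor","feed_id":22,'
    '"from_feed_search":false,"ioc_value":"{\\"index_type\\": \\"events\\"}",'
    '"docs":[{"cmdline":"\\"Configure-SMRemoting.exe\\" -GET","parent_pid":3032,'
    '"process_md5":"B2FA87E8F814BF08E1599B6B2FDC9720"}],"report_score":5,'
    '"timestamp":1541390418.89,"type":"feed.storage.hit.process",'
    '"username":"WIN2012R2VENDOR\\\\Administrator"}'
)


def parse_header(line):
    """Split one forwarder line into header fields plus the raw JSON, or None."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    pri = int(d["pri"])
    d["facility"], d["severity"] = pri // 8, pri % 8  # RFC 5424: PRI = facility*8 + severity
    return d


def is_carbon_black(header):
    """Identification rule from this page: the tag is 'cb-event-forwarder'."""
    return header is not None and header["app"] == "cb-event-forwarder"


def scalar(v):
    """Render a JSON scalar as it appears in the flattened STRINGS field."""
    if isinstance(v, bool):
        return "true" if v else "false"
    if v is None:
        return "null"
    return str(v)  # assumption: shortest float form, unlike the forwarder's 1.5e+09 style


def flatten(obj, prefix=""):
    """Flatten nested JSON into dot-separated keys; list elements get their index."""
    out = {}
    if isinstance(obj, dict):
        for k, v in obj.items():
            out.update(flatten(v, f"{prefix}{k}."))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            out.update(flatten(v, f"{prefix}{i}."))
    else:
        out[prefix[:-1]] = scalar(obj)
    return out


def to_snare_fields(line):
    """Build the DATE/TIME/SYSTEM/TABLE/TYPE/STRINGS record, or None if not Carbon Black."""
    h = parse_header(line)
    if not is_carbon_black(h):
        return None
    event = json.loads(h["msg"])
    ts = datetime.fromisoformat(h["ts"])  # assumption: header timestamp, not JSON 'timestamp'
    flat = flatten(event)
    return {
        "DATE": ts.strftime("%Y-%m-%d"),
        "TIME": ts.strftime("%H:%M:%S"),
        "SYSTEM": h["host"],  # assumption: syslog HOSTNAME, i.e. the forwarder host
        "TABLE": "CarbonBlack",
        "TYPE": event.get("type", ""),
        "STRINGS": DELIM.join(f"{k}={v}" for k, v in sorted(flat.items())),
    }


if __name__ == "__main__":
    for k, v in to_snare_fields(SAMPLE).items():
        print(f"{k}: {v}")
```

A line whose tag is anything other than cb-event-forwarder, or whose body is not a JSON object, yields None rather than a half-populated record, so a collector can route it to the generic syslog path instead.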