Carbon Black Response

Tested Versions: Centos 6.10

Chronicle supports ingesting Carbon Black Response logs in order to visualize what is happening on the hosts themselves. Chronicle requires only a very simple syslog configuration along with a Chronicle Forwarder.

Chronicle Data Types

  • EDR

Requirements

  • Chronicle Forwarder

Carbon Black Forwarder Setup

Reference: https://github.com/carbonblack/cb-event-forwarder

  1. On the Cb Response Server, install the CbOpenSource repository if it isn't already present:

    cd /etc/yum.repos.d
    curl -O https://opensource.carbonblack.com/release/x86_64/CbOpenSource.repo
    
  2. Install the RPM via YUM:

    yum install cb-event-forwarder
    
  3. Edit /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf: set output_type to 'syslog', and set syslogout to the Chronicle Forwarder destination in the format tcp:forwarder:port. CYDERES will provide the forwarder host and port.

  4. Start the Carbon Black Event Forwarder:

    initctl start cb-event-forwarder
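The following shell script is an added example, not part of this page or of the cb-event-forwarder project. It applies the two step 3 settings to a cb-event-forwarder.conf idempotently (replacing an existing key rather than appending a duplicate), refuses a destination that is not in tcp:host:port form, and verifies the result. The forwarder host and port are constructed placeholders; use the values CYDERES provides, and point it at a copy of the config first.

```shell
#!/bin/sh
# Added example (not from the page or the cb-event-forwarder project): apply the
# step 3 settings to a cb-event-forwarder.conf idempotently and verify them.
# The forwarder host and port below are constructed placeholders.
set -eu

# Set key=value in an ini-style file: replace an existing line or append one.
set_conf_key() {
    file=$1; key=$2; value=$3; tmp="$file.tmp.$$"
    if grep -q "^[[:space:]]*${key}[[:space:]]*=" "$file"; then
        sed "s|^[[:space:]]*${key}[[:space:]]*=.*|${key}=${value}|" "$file" > "$tmp"
        mv "$tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# Print the effective value of a key (last occurrence wins).
get_conf_key() {
    sed -n "s|^[[:space:]]*$2[[:space:]]*=[[:space:]]*||p" "$1" | tail -n 1
}

# Succeed only if the value has the tcp:host:port shape the page calls for.
valid_syslogout() {
    printf '%s' "$1" | grep -Eq '^tcp:[A-Za-z0-9._-]+:[0-9]{1,5}$'
}

# Apply both settings; reject a malformed destination before touching the file.
configure_chronicle_output() {
    file=$1; dest=$2
    valid_syslogout "$dest" || { echo "bad syslogout: $dest" >&2; return 1; }
    set_conf_key "$file" output_type syslog
    set_conf_key "$file" syslogout "$dest"
    [ "$(get_conf_key "$file" output_type)" = syslog ] &&
    [ "$(get_conf_key "$file" syslogout)" = "$dest" ]
}

# Demo on a constructed copy of the config, never the live file.
DEMO_CONF=$(mktemp)
cat > "$DEMO_CONF" <<'EOF'
[bridge]
output_type=file
outfile=/var/cb/data/event_bridge_output.json
EOF
configure_chronicle_output "$DEMO_CONF" "tcp:chronicle-fwd.example:10514"
grep -E '^(output_type|syslogout)=' "$DEMO_CONF"
```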

MITRE ATT&CK Coverage

View in the ATT&CK Navigator

CBR Coverage