Carbon Black Response

Tested Versions: CentOS 6.10

Chronicle supports ingesting Carbon Black Response logs for security visibility into host activity.

Chronicle Data Types

  • CB_EDR


  • Chronicle Forwarder

Carbon Black Forwarder Setup


  1. On the Carbon Black Response Server, install the CbOpenSource repository if it is not already installed:

    cd /etc/yum.repos.d
    curl -O

  2. Install the RPM via YUM:

    yum install cb-event-forwarder

  3. Edit /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf: set output_type to 'syslog' and add a syslogout destination that points at the Chronicle Forwarder, in the format tcp:forwarder:port. The forwarder host and port will be provided by Cyderes.

  4. Start the Carbon Black Event Forwarder with initctl start cb-event-forwarder.
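Before starting the service in step 4, it is worth confirming that the two settings from step 3 are actually in place, since a forwarder left on its default output silently ships nothing to Chronicle. The script below is an added example written for this page, not code from Carbon Black, Chronicle or Cyderes. It assumes the configuration file uses key=value lines with the key names output_type and syslogout as named in step 3; the sample configuration files and the forwarder hostname it writes are constructed for the demonstration, so substitute the host and port Cyderes provides.

```shell
#!/bin/sh
# Added example (not part of the Carbon Black or Cyderes documentation):
# verify that a cb-event-forwarder.conf routes events to a tcp syslog
# destination before the service is started. Key names output_type and
# syslogout are taken from step 3; the sample files below are constructed.

# Print the value of key $2 from config file $1 (last uncommented assignment wins).
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Return 0 when the file sets output_type=syslog and a syslogout of the form
# tcp:<host>:<port>; otherwise report each problem on stderr and return 1.
check_forwarder_conf() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }
    output_type=$(conf_get "$conf" output_type)
    syslogout=$(conf_get "$conf" syslogout)
    rc=0
    if [ "$output_type" != "syslog" ]; then
        echo "output_type is '${output_type:-unset}', expected 'syslog'" >&2
        rc=1
    fi
    case "$syslogout" in
        tcp:*:*)
            port=${syslogout##*:}
            host=${syslogout#tcp:}
            host=${host%:*}
            if [ -z "$host" ] || ! echo "$port" | grep -Eq '^[0-9]+$' || [ "$port" -gt 65535 ]; then
                echo "syslogout '$syslogout' is not of the form tcp:host:port" >&2
                rc=1
            fi
            ;;
        *)
            echo "syslogout is '${syslogout:-unset}', expected tcp:host:port" >&2
            rc=1
            ;;
    esac
    return "$rc"
}

# Constructed sample: the configuration step 3 asks for (hostname is made up).
GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
# constructed sample cb-event-forwarder.conf
output_type=syslog
syslogout=tcp:chronicle-forwarder.example.internal:10514
EOF

# Constructed sample: default file output left in place, no destination set.
BAD_CONF=$(mktemp)
cat > "$BAD_CONF" <<'EOF'
# constructed sample cb-event-forwarder.conf that was never edited
output_type=file
EOF

if check_forwarder_conf "$GOOD_CONF"; then echo "$GOOD_CONF: ok"; fi
if check_forwarder_conf "$BAD_CONF"; then echo "$BAD_CONF: ok"; fi
```

Run it against the real file with check_forwarder_conf /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf; a non-zero exit means the forwarder would start but not deliver to the Chronicle Forwarder.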

