Carbon Black Response

Tested Versions: Centos 6.10

Chronicle supports ingesting Carbon Black Response logs to provide security visibility into host activity.

Chronicle Data Types

  • CB_EDR

Requirements

  • Chronicle Forwarder

Carbon Black Forwarder Setup

Reference: https://github.com/carbonblack/cb-event-forwarder

  1. On the Carbon Black Response Server, install the CbOpenSource repository if not already installed:

    cd /etc/yum.repos.d
    curl -O https://opensource.carbonblack.com/release/x86_64/CbOpenSource.repo
    
  2. Install the RPM via YUM:

    yum install cb-event-forwarder
    
  3. Edit /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf: set output_type to 'syslog' and set syslogout to the Chronicle Forwarder destination in the form tcp:forwarder:port. Cyderes will provide the forwarder host and port.

  4. Start the Carbon Black Event Forwarder:

    initctl start cb-event-forwarder
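A worked example of the configuration edit in step 3, added here and not part of this page or of the cb-event-forwarder project: a POSIX shell script that sets the two keys in a cb-event-forwarder.conf style file and then checks the result before the service is started. It assumes the upstream INI layout with a [bridge] section; the sample configuration, the host forwarder.example.internal and the port 10514 are constructed placeholders, since the real forwarder values come from Cyderes.

```shell
#!/bin/sh
# Added example (not part of the original page or of the cb-event-forwarder project).
# Sets output_type=syslog and syslogout=tcp:HOST:PORT in a cb-event-forwarder.conf
# style INI file and verifies the edit. Host, port and the sample file are constructed.

# write_sample_conf FILE
# Writes a constructed sample config modelled on the upstream layout ([bridge] section,
# file output as default, syslog destination only present as a commented hint).
write_sample_conf() {
    cat > "$1" <<'EOF'
[bridge]
# Output type for events, e.g. file or syslog
output_type=file
outfile=/var/cb/data/event_bridge_output.json
# syslogout=tcp+tls:syslog.example.com:514
EOF
}

# set_syslog_output CONF HOST PORT
# Removes any active output_type/syslogout definitions (commented ones stay as
# documentation) and places the new keys directly under the [bridge] header.
# Running it twice yields the same file, so it is safe to re-run.
set_syslog_output() {
    conf="$1"; host="$2"; port="$3"
    tmp="${conf}.tmp.$$"
    awk -v host="$host" -v port="$port" '
        /^[[:space:]]*output_type[[:space:]]*=/ { next }
        /^[[:space:]]*syslogout[[:space:]]*=/   { next }
        { print }
        /^\[bridge\]/ {
            print "output_type=syslog"
            print "syslogout=tcp:" host ":" port
            done = 1
        }
        END {
            # no [bridge] header found: append the keys at the end instead
            if (!done) {
                print "output_type=syslog"
                print "syslogout=tcp:" host ":" port
            }
        }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# check_syslog_output CONF HOST PORT
# Returns 0 when CONF contains exactly one active output_type=syslog line and
# exactly one active syslogout=tcp:HOST:PORT line, 1 otherwise.
check_syslog_output() {
    conf="$1"; host="$2"; port="$3"
    n=$(grep -c -E '^[[:space:]]*output_type[[:space:]]*=[[:space:]]*syslog[[:space:]]*$' "$conf")
    [ "$n" -eq 1 ] || return 1
    n=$(grep -c -E "^[[:space:]]*syslogout[[:space:]]*=[[:space:]]*tcp:${host}:${port}[[:space:]]*$" "$conf")
    [ "$n" -eq 1 ] || return 1
    return 0
}

# Demonstration on a temporary copy (constructed host/port; do not use in production).
demo=$(mktemp)
write_sample_conf "$demo"
set_syslog_output "$demo" forwarder.example.internal 10514
if check_syslog_output "$demo" forwarder.example.internal 10514; then
    echo "config OK:"
    cat "$demo"
else
    echo "config check failed" >&2
fi
rm -f "$demo"
```

Run it against a copy of the real file first; once the check passes, apply the same two lines to /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf and start the service as in step 4. Keeping the check separate from the edit means a typo in the host or port is caught before the forwarder starts sending events nowhere.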

MITRE ATT&CK Coverage

View in the ATT&CK Navigator

CBR Coverage