Carbon Black App Control
About
VMware Carbon Black is a cybersecurity company based in Waltham, Massachusetts. The company develops cloud-native endpoint security software that is designed to detect malicious behavior and to help prevent malicious files from attacking an organization.
Product Details
Vendor URL: VMware Security Solutions
Product Type: Endpoint Detection and Response
Product Tier: Tier I
Integration Method: Syslog
Integration URL: How To Setup Logging Events to a Syslog Server
Log Guide: Carbon Black Log Guide
Requirements
Syslog Format: Enhanced (RFC5424)
Parser Details
Log Format: CEF Syslog
Expected Normalization Rate: 75%
Data Label: CB_APP_CONTROL
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| severity | security_result.severity |
observer | observer.hostname |
observer | observer.ip |
dhost, dvchost | principal.hostname |
msg | metadata.description |
dhost, dvchost | target.hostname |
duser | principal.user.userid |
Defined | metadata.event_type |
registry | target.registry.registry_key |
service | target.application |
Defined | extensions.auth.type |
domain | principal.administrative_domain |
cs1Label | additional.fields.addtional_cs1.key |
cs1 | additional.fields.addtional_cs1.value.string_value |
cs2Label | additional.fields.addtional_cs2.key |
cs2 | additional.fields.addtional_cs2.value.string_value |
cs3Label | additional.fields.addtional_cs3.key |
cs3 | additional.fields.addtional_cs3.value.string_value |
cs4Label | additional.fields.addtional_cs4.key |
cs4 | additional.fields.addtional_cs4.value.string_value |
cs5Label | additional.fields.addtional_cs5.key |
cs5 | additional.fields.addtional_cs5.value.string_value |
cfp1Label | additional.fields.addtional_cfp1.key |
cfp1 | additional.fields.addtional_cfp1.value.string_value |
cfp2Label | additional.fields.addtional_cfp2.key |
cfp2 | additional.fields.addtional_cfp2.value.string_value |
cfp3Label | additional.fields.addtional_cfp3.key |
cfp3 | additional.fields.addtional_cfp3.value.string_value |
Defined | additional.fields.addtional_prevalence.key |
prevalence | additional.fields.addtional_prevalence.value.string_value |
flexString1Label | additional.fields.addtional_flexString1.key |
flexString1 | additional.fields.addtional_flexString1.value.string_value |
flexString2Label | additional.fields.addtional_flexString2.key |
flexString2 | additional.fields.addtional_flexString2.value.string_value |
filepath | target.process.file.full_path |
fhash | target.process.file.sha256 |
sproc | target.process.pid |
filepath | target.file.full_path |
fhash | target.file.sha256 |
Defined | target.resource.type |
dvchost | intermediary |
Product Event Types
| Event | UDM Event Classification |
|---|---|
ComputerManagement - 1017 | STATUS_UPDATE |
ComputerManagement - 1018 | STATUS_UPDATE |
ComputerManagement - 1019 | STATUS_UPDATE |
ComputerManagement - 400 | STATUS_UPDATE |
ComputerManagement - 401 | STATUS_UPDATE |
ComputerManagement - 402 | STATUS_UPDATE |
ComputerManagement - 403 | USER_CHANGE_PASSWORD |
ComputerManagement - 404 | STATUS_UPDATE |
ComputerManagement - 405 | STATUS_UPDATE |
ComputerManagement - 406 | STATUS_UPDATE |
ComputerManagement - 407 | STATUS_UPDATE |
ComputerManagement - 408 | STATUS_UPDATE |
ComputerManagement - 409 | STATUS_UPDATE |
ComputerManagement - 410 | STATUS_UPDATE |
ComputerManagement - 411 | STATUS_UPDATE |
ComputerManagement - 412 | STATUS_UPDATE |
ComputerManagement - 413 | STATUS_UPDATE |
ComputerManagement - 414 | SYSTEM_AUDIT_LOG_WIPE |
ComputerManagement - 415 | STATUS_UPDATE |
ComputerManagement - 416 | STATUS_UPDATE |
ComputerManagement - 417 | STATUS_UPDATE |
ComputerManagement - 418 | STATUS_UPDATE |
ComputerManagement - 419 | STATUS_UPDATE |
ComputerManagement - 420 | STATUS_UPDATE |
ComputerManagement - 421 | STATUS_UPDATE |
ComputerManagement - 422 | STATUS_UPDATE |
ComputerManagement - 423 | STATUS_UPDATE |
ComputerManagement - 424 | STATUS_UPDATE |
ComputerManagement - 425 | STATUS_UPDATE |
ComputerManagement - 426 | STATUS_UPDATE |
ComputerManagement - 427 | STATUS_UPDATE |
ComputerManagement - 428 | STATUS_UPDATE |
ComputerManagement - 429 | STATUS_UPDATE |
ComputerManagement - 430 | STATUS_UPDATE |
ComputerManagement - 431 | GENERIC_EVENT |
ComputerManagement - 432 | GENERIC_EVENT |
ComputerManagement - 433 | STATUS_UPDATE |
ComputerManagement - 434 | STATUS_UPDATE |
ComputerManagement - 435 | STATUS_UPDATE |
ComputerManagement - 436 | STATUS_UPDATE |
ComputerManagement - 437 | STATUS_UPDATE |
ComputerManagement - 438 | STATUS_UPDATE |
ComputerManagement - 439 | STATUS_UPDATE |
ComputerManagement - 440 | STATUS_UPDATE |
ComputerManagement - 441 | STATUS_UPDATE |
ComputerManagement - 442 | SETTING_CREATION |
ComputerManagement - 443 | STATUS_UPDATE |
ComputerManagement - 444 | SETTING_DELETION |
ComputerManagement - 445 | STATUS_UPDATE |
ComputerManagement - 446 | STATUS_UPDATE |
ComputerManagement - 447 | STATUS_UPDATE |
ComputerManagement - 448 | STATUS_UPDATE |
ComputerManagement - 449 | FILE_DELETION |
ComputerManagement - 450 | STATUS_UPDATE |
ComputerManagement - 451 | STATUS_UPDATE |
ComputerManagement - 452 | SETTING_UNCATEGORIZED |
ComputerManagement - 453 | STATUS_UPDATE |
ComputerManagement - 454 | FILE_DELETION |
ComputerManagement - 455 | STATUS_UPDATE |
ComputerManagement - 456 | STATUS_UPDATE |
ComputerManagement - 457 | STATUS_UPDATE |
ComputerManagement - 458 | STATUS_UPDATE |
ComputerManagement - 459 | STATUS_UPDATE |
Discovery - 1000 | STATUS_UPDATE |
Discovery - 1001 | FILE_CREATION |
Discovery - 1003 | FILE_UNCATEGORIZED |
Discovery - 1004 | FILE_CREATION |
Discovery - 1005 | FILE_UNCATEGORIZED |
Discovery - 1007 | PROCESS_LAUNCH |
Discovery - 1008 | STATUS_UPDATE |
Discovery - 1009 | STATUS_UPDATE |
Discovery - 1010 | STATUS_UPDATE |
Discovery - 1011 | STATUS_UPDATE |
Discovery - 1012 | STATUS_UPDATE |
Discovery - 1013 | STATUS_UPDATE |
Discovery - 1014 | STATUS_UPDATE |
Discovery - 1015 | SERVICE_CREATION |
Discovery - 1016 | SERVICE_DELETION |
Discovery - 1020 | FILE_CREATION |
Discovery - 1021 | FILE_CREATION |
Discovery - 1099 | STATUS_UPDATE |
Discovery - 1200 | FILE_UNCATEGORIZED |
Discovery - 1201 | STATUS_UPDATE |
GeneralManagement - 1101 | SETTING_CREATION |
GeneralManagement - 1102 | SETTING_DELETION |
GeneralManagement - 1103 | STATUS_UPDATE |
GeneralManagement - 1104 | STATUS_UPDATE |
GeneralManagement - 1105 | SETTING_UNCATEGORIZED |
GeneralManagement - 1106 | FILE_CREATION |
GeneralManagement - 1107 | FILE_MODIFICATION |
GeneralManagement - 1108 | FILE_DELETION |
GeneralManagement - 1109 | FILE_CREATION |
GeneralManagement - 1110 | SETTING_CREATION |
GeneralManagement - 1111 | STATUS_UPDATE |
GeneralManagement - 1112 | SETTING_DELETION |
GeneralManagement - 1113 | STATUS_UPDATE |
GeneralManagement - 1114 | SETTING_CREATION |
GeneralManagement - 1115 | STATUS_UPDATE |
GeneralManagement - 1116 | SETTING_DELETION |
GeneralManagement - 1117 | STATUS_UPDATE |
GeneralManagement - 632 | SETTING_CREATION |
GeneralManagement - 633 | SETTING_DELETION |
GeneralManagement - 634 | STATUS_UPDATE |
PolicyEnforcement - 801 | PROCESS_TERMINATION |
PolicyEnforcement - 802 | PROCESS_TERMINATION |
PolicyEnforcement - 803 | PROCESS_TERMINATION |
PolicyEnforcement - 804 | PROCESS_TERMINATION |
PolicyEnforcement - 805 | PROCESS_TERMINATION |
PolicyEnforcement - 806 | PROCESS_TERMINATION |
PolicyEnforcement - 807 | PROCESS_LAUNCH |
PolicyEnforcement - 808 | PROCESS_TERMINATION |
PolicyEnforcement - 809 | FILE_MODIFICATION |
PolicyEnforcement - 810 | STATUS_UPDATE |
PolicyEnforcement - 811 | STATUS_UPDATE |
PolicyEnforcement - 812 | STATUS_UPDATE |
PolicyEnforcement - 813 | STATUS_UPDATE |
PolicyEnforcement - 814 | PROCESS_LAUNCH |
PolicyEnforcement - 816 | STATUS_UPDATE |
PolicyEnforcement - 817 | FILE_MODIFICATION |
PolicyEnforcement - 818 | PROCESS_LAUNCH |
PolicyEnforcement - 819 | PROCESS_TERMINATION |
PolicyEnforcement - 820 | PROCESS_TERMINATION |
PolicyEnforcement - 821 | STATUS_UPDATE |
PolicyEnforcement - 822 | PROCESS_LAUNCH |
PolicyEnforcement - 823 | FILE_MODIFICATION |
PolicyEnforcement - 824 | FILE_READ |
PolicyEnforcement - 825 | FILE_UNCATEGORIZED |
PolicyEnforcement - 826 | REGISTRY_MODIFICATION |
PolicyEnforcement - 827 | PROCESS_TERMINATION |
PolicyEnforcement - 828 | REGISTRY_MODIFICATION |
PolicyEnforcement - 829 | STATUS_UPDATE |
PolicyEnforcement - 831 | PROCESS_UNCATEGORIZED |
PolicyEnforcement - 832 | STATUS_UPDATE |
PolicyEnforcement - 833 | STATUS_UPDATE |
PolicyEnforcement - 834 | STATUS_UPDATE |
PolicyEnforcement - 835 | STATUS_UPDATE |
PolicyEnforcement - 836 | STATUS_UPDATE |
PolicyEnforcement - 837 | PROCESS_TERMINATION |
PolicyEnforcement - 838 | PROCESS_LAUNCH |
PolicyEnforcement - 839 | PROCESS_TERMINATION |
PolicyEnforcement - 840 | STATUS_UPDATE |
PolicyEnforcement - 841 | PROCESS_LAUNCH |
PolicyEnforcement - 842 | STATUS_UPDATE |
PolicyEnforcement - 843 | PROCESS_LAUNCH |
PolicyEnforcement - 844 | PROCESS_LAUNCH |
PolicyEnforcement - 845 | STATUS_UPDATE |
PolicyEnforcement - 846 | STATUS_UPDATE |
PolicyEnforcement - 847 | PROCESS_UNCATEGORIZED |
PolicyEnforcement - 848 | PROCESS_LAUNCH |
PolicyEnforcement - 849 | STATUS_UPDATE |
PolicyEnforcement - 850 | STATUS_UPDATE |
PolicyManagement - 1006 | STATUS_UPDATE |
PolicyManagement - 129 | STATUS_UPDATE |
PolicyManagement - 130 | STATUS_UPDATE |
PolicyManagement - 131 | SETTING_DELETION |
PolicyManagement - 132 | SETTING_CREATION |
PolicyManagement - 133 | STATUS_UPDATE |
PolicyManagement - 134 | SETTING_DELETION |
PolicyManagement - 144 | STATUS_UPDATE |
PolicyManagement - 153 | SETTING_CREATION |
PolicyManagement - 154 | SETTING_DELETION |
PolicyManagement - 155 | STATUS_UPDATE |
PolicyManagement - 200 | STATUS_UPDATE |
PolicyManagement - 600 | SETTING_CREATION |
PolicyManagement - 601 | SETTING_DELETION |
PolicyManagement - 602 | STATUS_UPDATE |
PolicyManagement - 603 | STATUS_UPDATE |
PolicyManagement - 604 | STATUS_UPDATE |
PolicyManagement - 605 | STATUS_UPDATE |
PolicyManagement - 606 | STATUS_UPDATE |
PolicyManagement - 607 | STATUS_UPDATE |
PolicyManagement - 608 | STATUS_UPDATE |
PolicyManagement - 609 | STATUS_UPDATE |
PolicyManagement - 611 | STATUS_UPDATE |
PolicyManagement - 613 | SETTING_CREATION |
PolicyManagement - 614 | STATUS_UPDATE |
PolicyManagement - 615 | SETTING_DELETION |
PolicyManagement - 616 | SETTING_CREATION |
PolicyManagement - 617 | SETTING_DELETION |
PolicyManagement - 618 | SETTING_CREATION |
PolicyManagement - 619 | SETTING_DELETION |
PolicyManagement - 620 | SERVICE_START |
PolicyManagement - 621 | SERVICE_STOP |
PolicyManagement - 623 | STATUS_UPDATE |
PolicyManagement - 625 | STATUS_UPDATE |
PolicyManagement - 626 | STATUS_UPDATE |
PolicyManagement - 627 | SETTING_CREATION |
PolicyManagement - 628 | STATUS_UPDATE |
PolicyManagement - 629 | SETTING_DELETION |
PolicyManagement - 630 | STATUS_UPDATE |
PolicyManagement - 635 | SETTING_CREATION |
PolicyManagement - 636 | STATUS_UPDATE |
PolicyManagement - 637 | SETTING_DELETION |
PolicyManagement - 638 | SETTING_CREATION |
PolicyManagement - 639 | STATUS_UPDATE |
PolicyManagement - 640 | SETTING_DELETION |
PolicyManagement - 641 | SETTING_CREATION |
PolicyManagement - 642 | SETTING_DELETION |
PolicyManagement - 643 | STATUS_UPDATE |
PolicyManagement - 644 | STATUS_UPDATE |
PolicyManagement - 645 | STATUS_UPDATE |
PolicyManagement - 646 | STATUS_UPDATE |
PolicyManagement - 647 | SETTING_CREATION |
PolicyManagement - 648 | SETTING_DELETION |
PolicyManagement - 649 | STATUS_UPDATE |
PolicyManagement - 650 | SETTING_CREATION |
PolicyManagement - 651 | STATUS_UPDATE |
PolicyManagement - 652 | STATUS_UPDATE |
PolicyManagement - 653 | STATUS_UPDATE |
PolicyManagement - 654 | STATUS_UPDATE |
PolicyManagement - 655 | STATUS_UPDATE |
PolicyManagement - 656 | STATUS_UPDATE |
PolicyManagement - 657 | SETTING_CREATION |
PolicyManagement - 659 | SETTING_DELETION |
PolicyManagement - 660 | STATUS_UPDATE |
PolicyManagement - 661 | STATUS_UPDATE |
PolicyManagement - 662 | STATUS_UPDATE |
PolicyManagement - 663 | STATUS_UPDATE |
PolicyManagement - 664 | STATUS_UPDATE |
PolicyManagement - 665 | STATUS_UPDATE |
ServerManagement - 100 | SERVICE_STOP |
ServerManagement - 101 | SERVICE_START |
ServerManagement - 102 | STATUS_UPDATE |
ServerManagement - 103 | SERVICE_START |
ServerManagement - 104 | STATUS_UPDATE |
ServerManagement - 105 | STATUS_UPDATE |
ServerManagement - 106 | STATUS_UPDATE |
ServerManagement - 107 | SYSTEM_AUDIT_LOG_WIPE |
ServerManagement - 108 | STATUS_UPDATE |
ServerManagement - 109 | STATUS_UPDATE |
ServerManagement - 110 | SERVICE_STOP |
ServerManagement - 111 | STATUS_UPDATE |
ServerManagement - 112 | STATUS_UPDATE |
ServerManagement - 113 | STATUS_UPDATE |
ServerManagement - 114 | STATUS_UPDATE |
ServerManagement - 115 | STATUS_UPDATE |
ServerManagement - 116 | STATUS_UPDATE |
ServerManagement - 117 | STATUS_UPDATE |
ServerManagement - 118 | STATUS_UPDATE |
ServerManagement - 119 | STATUS_UPDATE |
ServerManagement - 120 | STATUS_UPDATE |
ServerManagement - 121 | STATUS_UPDATE |
ServerManagement - 122 | STATUS_UPDATE |
ServerManagement - 123 | STATUS_UPDATE |
ServerManagement - 124 | STATUS_UPDATE |
ServerManagement - 125 | STATUS_UPDATE |
ServerManagement - 126 | STATUS_UPDATE |
ServerManagement - 127 | STATUS_UPDATE |
ServerManagement - 128 | STATUS_UPDATE |
ServerManagement - 135 | STATUS_UPDATE |
ServerManagement - 136 | STATUS_UPDATE |
ServerManagement - 137 | STATUS_UPDATE |
ServerManagement - 138 | STATUS_UPDATE |
ServerManagement - 139 | STATUS_UPDATE |
ServerManagement - 140 | STATUS_UPDATE |
ServerManagement - 141 | STATUS_UPDATE |
ServerManagement - 142 | STATUS_UPDATE |
ServerManagement - 145 | SETTING_CREATION |
ServerManagement - 146 | SETTING_DELETION |
ServerManagement - 147 | STATUS_UPDATE |
ServerManagement - 148 | SETTING_DELETION |
ServerManagement - 149 | STATUS_UPDATE |
ServerManagement - 150 | STATUS_UPDATE |
ServerManagement - 151 | SERVICE_START |
ServerManagement - 152 | SERVICE_STOP |
ServerManagement - 156 | STATUS_UPDATE |
ServerManagement - 157 | STATUS_UPDATE |
ServerManagement - 158 | STATUS_UPDATE |
ServerManagement - 160 | STATUS_UPDATE |
ServerManagement - 161 | STATUS_UPDATE |
ServerManagement - 162 | STATUS_UPDATE |
ServerManagement - 163 | SETTING_CREATION |
ServerManagement - 164 | SETTING_DELETION |
ServerManagement - 165 | STATUS_UPDATE |
ServerManagement - 166 | STATUS_UPDATE |
ServerManagement - 167 | STATUS_UPDATE |
ServerManagement - 168 | STATUS_UPDATE |
ServerManagement - 169 | SETTING_DELETION |
ServerManagement - 170 | STATUS_UPDATE |
ServerManagement - 171 | STATUS_UPDATE |
ServerManagement - 172 | SETTING_CREATION |
ServerManagement - 173 | STATUS_UPDATE |
ServerManagement - 174 | SETTING_DELETION |
ServerManagement - 175 | STATUS_UPDATE |
ServerManagement - 176 | STATUS_UPDATE |
ServerManagement - 177 | STATUS_UPDATE |
ServerManagement - 178 | STATUS_UPDATE |
ServerManagement - 179 | STATUS_UPDATE |
ServerManagement - 181 | STATUS_UPDATE |
ServerManagement - 182 | SETTING_CREATION |
ServerManagement - 183 | STATUS_UPDATE |
ServerManagement - 184 | SETTING_DELETION |
ServerManagement - 185 | STATUS_UPDATE |
ServerManagement - 186 | STATUS_UPDATE |
ServerManagement - 187 | SETTING_DELETION |
ServerManagement - 188 | SETTING_CREATION |
ServerManagement - 189 | SETTING_DELETION |
ServerManagement - 190 | STATUS_UPDATE |
ServerManagement - 191 | STATUS_UPDATE |
ServerManagement - 192 | STATUS_UPDATE |
ServerManagement - 193 | STATUS_UPDATE |
ServerManagement - 195 | STATUS_UPDATE |
ServerManagement - 196 | STATUS_UPDATE |
ServerManagement - 197 | SETTING_CREATION |
ServerManagement - 198 | STATUS_UPDATE |
ServerManagement - 280 | SETTING_CREATION |
ServerManagement - 281 | SETTING_DELETION |
ServerManagement - 282 | STATUS_UPDATE |
ServerManagement - 283 | STATUS_UPDATE |
SessionManagement - 300 | STATUS_UPDATE |
SessionManagement - 301 | USER_LOGOUT |
SessionManagement - 302 | USER_CREATION |
SessionManagement - 303 | USER_UNCATEGORIZED |
SessionManagement - 304 | STATUS_UPDATE |
SessionManagement - 305 | USER_UNCATEGORIZED |
SessionManagement - 306 | SETTING_CREATION |
SessionManagement - 307 | SETTING_DELETION |
SessionManagement - 308 | SETTING_CREATION |
SessionManagement - 309 | USER_UNCATEGORIZED |
Log Sample
<14>Jun 08 17:10:31 device.domain.com CEF:0|Carbon Black|Protection|8.1.6.436|836|File approved (system update)|4|externalId=2309049 cat=Policy Enforcement start=Jun 08 17:09:30 UTC rt=Jun 08 17:10:31 UTC filePath=c:\windows\softwaredistribution\download\path fname=path fileHash=hash fileId=90980 deviceProcessName=c:\windows\system32\svchost.exe dst=xxx.xxx.xxx.xxx dhost=HOMEOFFICE\devicename duser=NT AUTHORITY\SYSTEM dvchost=dvchost.domain.com msg=File 'c:\windows\softwaredistribution\download\path' [hash] was approved due to a system update. sproc=proc prevalence=1 cs3Label=Policy cs3=test - POS - App cfp1Label=fileTrust cfp1=-2 flexString1Label=fileThreat flexString1=Pending cfp2Label=processTrust cfp2=-2 flexString2Label=processThreat flexString2=Pending
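The following is an added example, not the product's syslog code or the SIEM's own parser. It walks the log sample above through the two stages the Parser Details section implies: splitting the syslog-wrapped CEF record into its seven header fields and its extension key=value pairs (where values such as `msg=`, `cs3=` and `duser=` legitimately contain spaces), then projecting those keys onto the UDM field names from the mapping table, including the label+value custom fields and the Product Event Types lookup. Assumptions: `observer.hostname` is taken from the syslog header host, the table's `filepath`/`fhash` correspond to the sample's `filePath`/`fileHash` keys, the CEF 0-10 severity is bucketed into UDM severities by a mapping of my own, and the event-type dictionary is only a short excerpt of the table above. The second sample line is constructed to exercise the `\|` and `\=` escapes the CEF format allows.

```python
"""Parse a Carbon Black App Control CEF syslog line and project it onto UDM
field names (added example; not the product's or the SIEM's own parser)."""
import re
from typing import Dict, Tuple

# Constructed copy of the page's log sample. Raw string: the vendor emits
# unescaped backslashes in Windows paths and account names.
SAMPLE = (r"<14>Jun 08 17:10:31 device.domain.com CEF:0|Carbon Black|Protection|8.1.6.436|836|"
          r"File approved (system update)|4|externalId=2309049 cat=Policy Enforcement "
          r"start=Jun 08 17:09:30 UTC rt=Jun 08 17:10:31 UTC "
          r"filePath=c:\windows\softwaredistribution\download\path fname=path fileHash=hash "
          r"fileId=90980 deviceProcessName=c:\windows\system32\svchost.exe dst=xxx.xxx.xxx.xxx "
          r"dhost=HOMEOFFICE\devicename duser=NT AUTHORITY\SYSTEM dvchost=dvchost.domain.com "
          r"msg=File 'c:\windows\softwaredistribution\download\path' [hash] was approved due to a system update. "
          r"sproc=proc prevalence=1 cs3Label=Policy cs3=test - POS - App cfp1Label=fileTrust cfp1=-2 "
          r"flexString1Label=fileThreat flexString1=Pending cfp2Label=processTrust cfp2=-2 "
          r"flexString2Label=processThreat flexString2=Pending")

# Constructed line exercising the CEF escapes for a literal pipe (\|) and equals (\=).
ESCAPED = r"<14>Jun 08 17:10:31 host.example CEF:0|V|P|1|1|Name with \| pipe|3|msg=a\=b x=y"

# Excerpt of the Product Event Types table (category written without the space,
# as the table lists it). Unknown pairs fall back to GENERIC_EVENT.
EVENT_TYPES = {
    "PolicyEnforcement - 807": "PROCESS_LAUNCH",
    "PolicyEnforcement - 826": "REGISTRY_MODIFICATION",
    "PolicyEnforcement - 836": "STATUS_UPDATE",
    "SessionManagement - 301": "USER_LOGOUT",
}

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<cef>CEF:.*)$")
HEADER_NAMES = ["version", "vendor", "product", "device_version", "signature_id", "name", "severity"]


def parse_cef(line: str) -> Tuple[Dict[str, object], Dict[str, str]]:
    """Return (header, extension) for a syslog-wrapped CEF record."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog-wrapped CEF line")
    # Header fields are pipe-separated; a literal pipe is escaped as \|, so
    # split only on unescaped pipes and stop after the 7th.
    parts = re.split(r"(?<!\\)\|", m.group("cef"), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("malformed CEF header")
    header: Dict[str, object] = {k: v.replace(r"\|", "|") for k, v in zip(HEADER_NAMES, parts[:7])}
    header["version"] = str(header["version"])[len("CEF:"):]
    header["syslog_host"] = m.group("host")
    pri = int(m.group("pri"))                      # <14> = facility 1 (user), severity 6 (info)
    header["syslog_facility"], header["syslog_severity"] = pri >> 3, pri & 7
    # Extension values may contain spaces, so the only safe delimiter is
    # whitespace immediately followed by the next "key=" token.
    ext: Dict[str, str] = {}
    for pair in re.split(r"\s+(?=[A-Za-z0-9_.]+=)", parts[7].strip()):
        key, _, value = pair.partition("=")
        ext[key] = value.replace(r"\=", "=")       # undo the CEF equals escape
    return header, ext


def cef_severity_to_udm(sev: object) -> str:
    """Assumed bucketing of the CEF 0-10 scale; the page only states that the
    field lands in security_result.severity."""
    try:
        n = int(str(sev))
    except ValueError:
        return "UNKNOWN_SEVERITY"
    return "LOW" if n <= 3 else "MEDIUM" if n <= 6 else "HIGH" if n <= 8 else "CRITICAL"


def to_udm(line: str) -> Dict[str, object]:
    """Apply the mapping table to one record; keys are UDM field paths."""
    header, ext = parse_cef(line)
    cat = ext.get("cat", "")
    sig = header["signature_id"]
    udm: Dict[str, object] = {
        "metadata.vendor_name": header["vendor"],
        "metadata.product_name": header["product"],
        "metadata.product_version": header["device_version"],
        "metadata.product_event_type": f"{cat} - {sig} - {header['name']}",
        "metadata.event_type": EVENT_TYPES.get(f"{cat.replace(' ', '')} - {sig}", "GENERIC_EVENT"),
        "metadata.description": ext.get("msg"),
        "observer.hostname": header["syslog_host"],           # assumed: the syslog sender
        "principal.hostname": ext.get("dhost") or ext.get("dvchost"),
        "principal.user.userid": ext.get("duser"),
        "target.file.full_path": ext.get("filePath"),         # table's "filepath"
        "target.file.sha256": ext.get("fileHash"),            # table's "fhash"
        "target.process.pid": ext.get("sproc"),
        "intermediary[0].hostname": ext.get("dvchost"),
        "security_result[0].severity": cef_severity_to_udm(header["severity"]),
        "additional.external_id": ext.get("externalId"),
    }
    # cs/cfp/flexString fields travel as label+value pairs and are keyed by
    # their label, matching "additional.Policy" in the Sample Parsing section.
    for base in ("cs1", "cs2", "cs3", "cs4", "cs5", "cfp1", "cfp2", "cfp3", "flexString1", "flexString2"):
        if base in ext and base + "Label" in ext:
            udm["additional." + ext[base + "Label"]] = ext[base]
    if "prevalence" in ext:
        udm["additional.prevalence"] = ext["prevalence"]
    return {k: v for k, v in udm.items() if v is not None}


if __name__ == "__main__":
    for k, v in to_udm(SAMPLE).items():
        print(f"{k} {v!r}")
```

Running the block prints the sample in the same `field "value"` layout as the Sample Parsing section; `metadata.event_type` resolves to `STATUS_UPDATE` because the table maps `PolicyEnforcement - 836` to that classification, and `cs3Label=Policy cs3=test - POS - App` lands in `additional.Policy` with its embedded spaces and dashes intact.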
Sample Parsing
metadata.event_timestamp "2021-07-19T17:13:11Z"
metadata.event_type "PROCESS_LAUNCH"
metadata.vendor_name "Carbon Black"
metadata.product_name "App Control"
metadata.product_version "8.6.0.155"
metadata.product_event_type "Policy Enforcement - 807 - Report execution (Custom Rule)"
metadata.description "File 'c:\\windows\\syswow64\\wbem\\wmiprvse.exe' [ ] was executed."
metadata.ingested_timestamp "2021-07-19T17:13:41.281430Z"
additional.Policy "Policy Name"
additional.rule_name "Report Running Processes"
additional.external_id "2407621"
principal.hostname "hostname"
principal.user.userid "NT AUTHORITY\\LOCAL SERVICE"
principal.ip[0] "10.10.10.10"
principal.administrative_domain "subdomain.domain.com"
target.process.pid "00000000-0000-46b0-01d7-7cc159f94013"
target.process.file.full_path "c:\\windows\\syswow64\\wbem\\wmiprvse.exe"
intermediary[0].hostname "intermediary device"
observer.hostname "observer device"
security_result[0].severity "LOW"
Parser Alerting
This product currently does not have any parser-based alerting.