Carbon Black App Control¶

About¶
VMware Carbon Black is a cybersecurity company based in Waltham, Massachusetts. The company develops cloud-native endpoint security software that is designed to detect malicious behavior and to help prevent malicious files from attacking an organization.
Product Details¶
Vendor URL: VMware Security Solutions
Product Type: Endpoint Detection and Response
Product Tier: Tier I
Integration Method: Syslog
Integration URL: How To Setup Logging Events to a Syslog Server
Log Guide: Carbon Black Log Guide
Requirements¶
Syslog Format: Enhanced (RFC5424)
Parser Details¶
Log Format: CEF Syslog
Expected Normalization Rate: 75%
Data Label: CB_APP_CONTROL
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| severity | security_result.severity |
| observer | observer.hostname |
| observer | observer.ip |
| dhost, dvchost | principal.hostname |
| msg | metadata.description |
| dhost, dvchost | target.hostname |
| duser | principal.user.userid |
| Defined | metadata.event_type |
| registry | target.registry.registry_key |
| service | target.application |
| Defined | extensions.auth.type |
| domain | principal.administrative_domain |
| cs1Label | additional.fields.addtional_cs1.key |
| cs1 | additional.fields.addtional_cs1.value.string_value |
| cs2Label | additional.fields.addtional_cs2.key |
| cs2 | additional.fields.addtional_cs2.value.string_value |
| cs3Label | additional.fields.addtional_cs3.key |
| cs3 | additional.fields.addtional_cs3.value.string_value |
| cs4Label | additional.fields.addtional_cs4.key |
| cs4 | additional.fields.addtional_cs4.value.string_value |
| cs5Label | additional.fields.addtional_cs5.key |
| cs5 | additional.fields.addtional_cs5.value.string_value |
| cfp1Label | additional.fields.addtional_cfp1.key |
| cfp1 | additional.fields.addtional_cfp1.value.string_value |
| cfp2Label | additional.fields.addtional_cfp2.key |
| cfp2 | additional.fields.addtional_cfp2.value.string_value |
| cfp3Label | additional.fields.addtional_cfp3.key |
| cfp3 | additional.fields.addtional_cfp3.value.string_value |
| Defined | additional.fields.addtional_prevalence.key |
| prevalence | additional.fields.addtional_prevalence.value.string_value |
| flexString1Label | additional.fields.addtional_flexString1.key |
| flexString1 | additional.fields.addtional_flexString1.value.string_value |
| flexString2Label | additional.fields.addtional_flexString2.key |
| flexString2 | additional.fields.addtional_flexString2.value.string_value |
| filepath | target.process.file.full_path |
| fhash | target.process.file.sha256 |
| sproc | target.process.pid |
| filepath | target.file.full_path |
| fhash | target.file.sha256 |
| Defined | target.resource.type |
| dvchost | intermediary.hostname |
Product Event Types¶
| Event | UDM Event Classification |
|---|---|
| ComputerManagement - 1017 | STATUS_UPDATE |
| ComputerManagement - 1018 | STATUS_UPDATE |
| ComputerManagement - 1019 | STATUS_UPDATE |
| ComputerManagement - 400 | STATUS_UPDATE |
| ComputerManagement - 401 | STATUS_UPDATE |
| ComputerManagement - 402 | STATUS_UPDATE |
| ComputerManagement - 403 | USER_CHANGE_PASSWORD |
| ComputerManagement - 404 | STATUS_UPDATE |
| ComputerManagement - 405 | STATUS_UPDATE |
| ComputerManagement - 406 | STATUS_UPDATE |
| ComputerManagement - 407 | STATUS_UPDATE |
| ComputerManagement - 408 | STATUS_UPDATE |
| ComputerManagement - 409 | STATUS_UPDATE |
| ComputerManagement - 410 | STATUS_UPDATE |
| ComputerManagement - 411 | STATUS_UPDATE |
| ComputerManagement - 412 | STATUS_UPDATE |
| ComputerManagement - 413 | STATUS_UPDATE |
| ComputerManagement - 414 | SYSTEM_AUDIT_LOG_WIPE |
| ComputerManagement - 415 | STATUS_UPDATE |
| ComputerManagement - 416 | STATUS_UPDATE |
| ComputerManagement - 417 | STATUS_UPDATE |
| ComputerManagement - 418 | STATUS_UPDATE |
| ComputerManagement - 419 | STATUS_UPDATE |
| ComputerManagement - 420 | STATUS_UPDATE |
| ComputerManagement - 421 | STATUS_UPDATE |
| ComputerManagement - 422 | STATUS_UPDATE |
| ComputerManagement - 423 | STATUS_UPDATE |
| ComputerManagement - 424 | STATUS_UPDATE |
| ComputerManagement - 425 | STATUS_UPDATE |
| ComputerManagement - 426 | STATUS_UPDATE |
| ComputerManagement - 427 | STATUS_UPDATE |
| ComputerManagement - 428 | STATUS_UPDATE |
| ComputerManagement - 429 | STATUS_UPDATE |
| ComputerManagement - 430 | STATUS_UPDATE |
| ComputerManagement - 431 | GENERIC_EVENT |
| ComputerManagement - 432 | GENERIC_EVENT |
| ComputerManagement - 433 | STATUS_UPDATE |
| ComputerManagement - 434 | STATUS_UPDATE |
| ComputerManagement - 435 | STATUS_UPDATE |
| ComputerManagement - 436 | STATUS_UPDATE |
| ComputerManagement - 437 | STATUS_UPDATE |
| ComputerManagement - 438 | STATUS_UPDATE |
| ComputerManagement - 439 | STATUS_UPDATE |
| ComputerManagement - 440 | STATUS_UPDATE |
| ComputerManagement - 441 | STATUS_UPDATE |
| ComputerManagement - 442 | SETTING_CREATION |
| ComputerManagement - 443 | STATUS_UPDATE |
| ComputerManagement - 444 | SETTING_DELETION |
| ComputerManagement - 445 | STATUS_UPDATE |
| ComputerManagement - 446 | STATUS_UPDATE |
| ComputerManagement - 447 | STATUS_UPDATE |
| ComputerManagement - 448 | STATUS_UPDATE |
| ComputerManagement - 449 | FILE_DELETION |
| ComputerManagement - 450 | STATUS_UPDATE |
| ComputerManagement - 451 | STATUS_UPDATE |
| ComputerManagement - 452 | SETTING_UNCATEGORIZED |
| ComputerManagement - 453 | STATUS_UPDATE |
| ComputerManagement - 454 | FILE_DELETION |
| ComputerManagement - 455 | STATUS_UPDATE |
| ComputerManagement - 456 | STATUS_UPDATE |
| ComputerManagement - 457 | STATUS_UPDATE |
| ComputerManagement - 458 | STATUS_UPDATE |
| ComputerManagement - 459 | STATUS_UPDATE |
| Discovery - 1000 | STATUS_UPDATE |
| Discovery - 1001 | FILE_CREATION |
| Discovery - 1003 | FILE_UNCATEGORIZED |
| Discovery - 1004 | FILE_CREATION |
| Discovery - 1005 | FILE_UNCATEGORIZED |
| Discovery - 1007 | PROCESS_LAUNCH |
| Discovery - 1008 | STATUS_UPDATE |
| Discovery - 1009 | STATUS_UPDATE |
| Discovery - 1010 | STATUS_UPDATE |
| Discovery - 1011 | STATUS_UPDATE |
| Discovery - 1012 | STATUS_UPDATE |
| Discovery - 1013 | STATUS_UPDATE |
| Discovery - 1014 | STATUS_UPDATE |
| Discovery - 1015 | SERVICE_CREATION |
| Discovery - 1016 | SERVICE_DELETION |
| Discovery - 1020 | FILE_CREATION |
| Discovery - 1021 | FILE_CREATION |
| Discovery - 1099 | STATUS_UPDATE |
| Discovery - 1200 | FILE_UNCATEGORIZED |
| Discovery - 1201 | STATUS_UPDATE |
| GeneralManagement - 1101 | SETTING_CREATION |
| GeneralManagement - 1102 | SETTING_DELETION |
| GeneralManagement - 1103 | STATUS_UPDATE |
| GeneralManagement - 1104 | STATUS_UPDATE |
| GeneralManagement - 1105 | SETTING_UNCATEGORIZED |
| GeneralManagement - 1106 | FILE_CREATION |
| GeneralManagement - 1107 | FILE_MODIFICATION |
| GeneralManagement - 1108 | FILE_DELETION |
| GeneralManagement - 1109 | FILE_CREATION |
| GeneralManagement - 1110 | SETTING_CREATION |
| GeneralManagement - 1111 | STATUS_UPDATE |
| GeneralManagement - 1112 | SETTING_DELETION |
| GeneralManagement - 1113 | STATUS_UPDATE |
| GeneralManagement - 1114 | SETTING_CREATION |
| GeneralManagement - 1115 | STATUS_UPDATE |
| GeneralManagement - 1116 | SETTING_DELETION |
| GeneralManagement - 1117 | STATUS_UPDATE |
| GeneralManagement - 632 | SETTING_CREATION |
| GeneralManagement - 633 | SETTING_DELETION |
| GeneralManagement - 634 | STATUS_UPDATE |
| PolicyEnforcement - 801 | PROCESS_TERMINATION |
| PolicyEnforcement - 802 | PROCESS_TERMINATION |
| PolicyEnforcement - 803 | PROCESS_TERMINATION |
| PolicyEnforcement - 804 | PROCESS_TERMINATION |
| PolicyEnforcement - 805 | PROCESS_TERMINATION |
| PolicyEnforcement - 806 | PROCESS_TERMINATION |
| PolicyEnforcement - 807 | PROCESS_LAUNCH |
| PolicyEnforcement - 808 | PROCESS_TERMINATION |
| PolicyEnforcement - 809 | FILE_MODIFICATION |
| PolicyEnforcement - 810 | STATUS_UPDATE |
| PolicyEnforcement - 811 | STATUS_UPDATE |
| PolicyEnforcement - 812 | STATUS_UPDATE |
| PolicyEnforcement - 813 | STATUS_UPDATE |
| PolicyEnforcement - 814 | PROCESS_LAUNCH |
| PolicyEnforcement - 816 | STATUS_UPDATE |
| PolicyEnforcement - 817 | FILE_MODIFICATION |
| PolicyEnforcement - 818 | PROCESS_LAUNCH |
| PolicyEnforcement - 819 | PROCESS_TERMINATION |
| PolicyEnforcement - 820 | PROCESS_TERMINATION |
| PolicyEnforcement - 821 | STATUS_UPDATE |
| PolicyEnforcement - 822 | PROCESS_LAUNCH |
| PolicyEnforcement - 823 | FILE_MODIFICATION |
| PolicyEnforcement - 824 | FILE_READ |
| PolicyEnforcement - 825 | FILE_UNCATEGORIZED |
| PolicyEnforcement - 826 | REGISTRY_MODIFICATION |
| PolicyEnforcement - 827 | PROCESS_TERMINATION |
| PolicyEnforcement - 828 | REGISTRY_MODIFICATION |
| PolicyEnforcement - 829 | STATUS_UPDATE |
| PolicyEnforcement - 831 | PROCESS_UNCATEGORIZED |
| PolicyEnforcement - 832 | STATUS_UPDATE |
| PolicyEnforcement - 833 | STATUS_UPDATE |
| PolicyEnforcement - 834 | STATUS_UPDATE |
| PolicyEnforcement - 835 | STATUS_UPDATE |
| PolicyEnforcement - 836 | STATUS_UPDATE |
| PolicyEnforcement - 837 | PROCESS_TERMINATION |
| PolicyEnforcement - 838 | PROCESS_LAUNCH |
| PolicyEnforcement - 839 | PROCESS_TERMINATION |
| PolicyEnforcement - 840 | STATUS_UPDATE |
| PolicyEnforcement - 841 | PROCESS_LAUNCH |
| PolicyEnforcement - 842 | STATUS_UPDATE |
| PolicyEnforcement - 843 | PROCESS_LAUNCH |
| PolicyEnforcement - 844 | PROCESS_LAUNCH |
| PolicyEnforcement - 845 | STATUS_UPDATE |
| PolicyEnforcement - 846 | STATUS_UPDATE |
| PolicyEnforcement - 847 | PROCESS_UNCATEGORIZED |
| PolicyEnforcement - 848 | PROCESS_LAUNCH |
| PolicyEnforcement - 849 | STATUS_UPDATE |
| PolicyEnforcement - 850 | STATUS_UPDATE |
| PolicyManagement - 1006 | STATUS_UPDATE |
| PolicyManagement - 129 | STATUS_UPDATE |
| PolicyManagement - 130 | STATUS_UPDATE |
| PolicyManagement - 131 | SETTING_DELETION |
| PolicyManagement - 132 | SETTING_CREATION |
| PolicyManagement - 133 | STATUS_UPDATE |
| PolicyManagement - 134 | SETTING_DELETION |
| PolicyManagement - 144 | STATUS_UPDATE |
| PolicyManagement - 153 | SETTING_CREATION |
| PolicyManagement - 154 | SETTING_DELETION |
| PolicyManagement - 155 | STATUS_UPDATE |
| PolicyManagement - 200 | STATUS_UPDATE |
| PolicyManagement - 600 | SETTING_CREATION |
| PolicyManagement - 601 | SETTING_DELETION |
| PolicyManagement - 602 | STATUS_UPDATE |
| PolicyManagement - 603 | STATUS_UPDATE |
| PolicyManagement - 604 | STATUS_UPDATE |
| PolicyManagement - 605 | STATUS_UPDATE |
| PolicyManagement - 606 | STATUS_UPDATE |
| PolicyManagement - 607 | STATUS_UPDATE |
| PolicyManagement - 608 | STATUS_UPDATE |
| PolicyManagement - 609 | STATUS_UPDATE |
| PolicyManagement - 611 | STATUS_UPDATE |
| PolicyManagement - 613 | SETTING_CREATION |
| PolicyManagement - 614 | STATUS_UPDATE |
| PolicyManagement - 615 | SETTING_DELETION |
| PolicyManagement - 616 | SETTING_CREATION |
| PolicyManagement - 617 | SETTING_DELETION |
| PolicyManagement - 618 | SETTING_CREATION |
| PolicyManagement - 619 | SETTING_DELETION |
| PolicyManagement - 620 | SERVICE_START |
| PolicyManagement - 621 | SERVICE_STOP |
| PolicyManagement - 623 | STATUS_UPDATE |
| PolicyManagement - 625 | STATUS_UPDATE |
| PolicyManagement - 626 | STATUS_UPDATE |
| PolicyManagement - 627 | SETTING_CREATION |
| PolicyManagement - 628 | STATUS_UPDATE |
| PolicyManagement - 629 | SETTING_DELETION |
| PolicyManagement - 630 | STATUS_UPDATE |
| PolicyManagement - 635 | SETTING_CREATION |
| PolicyManagement - 636 | STATUS_UPDATE |
| PolicyManagement - 637 | SETTING_DELETION |
| PolicyManagement - 638 | SETTING_CREATION |
| PolicyManagement - 639 | STATUS_UPDATE |
| PolicyManagement - 640 | SETTING_DELETION |
| PolicyManagement - 641 | SETTING_CREATION |
| PolicyManagement - 642 | SETTING_DELETION |
| PolicyManagement - 643 | STATUS_UPDATE |
| PolicyManagement - 644 | STATUS_UPDATE |
| PolicyManagement - 645 | STATUS_UPDATE |
| PolicyManagement - 646 | STATUS_UPDATE |
| PolicyManagement - 647 | SETTING_CREATION |
| PolicyManagement - 648 | SETTING_DELETION |
| PolicyManagement - 649 | STATUS_UPDATE |
| PolicyManagement - 650 | SETTING_CREATION |
| PolicyManagement - 651 | STATUS_UPDATE |
| PolicyManagement - 652 | STATUS_UPDATE |
| PolicyManagement - 653 | STATUS_UPDATE |
| PolicyManagement - 654 | STATUS_UPDATE |
| PolicyManagement - 655 | STATUS_UPDATE |
| PolicyManagement - 656 | STATUS_UPDATE |
| PolicyManagement - 657 | SETTING_CREATION |
| PolicyManagement - 659 | SETTING_DELETION |
| PolicyManagement - 660 | STATUS_UPDATE |
| PolicyManagement - 661 | STATUS_UPDATE |
| PolicyManagement - 662 | STATUS_UPDATE |
| PolicyManagement - 663 | STATUS_UPDATE |
| PolicyManagement - 664 | STATUS_UPDATE |
| PolicyManagement - 665 | STATUS_UPDATE |
| ServerManagement - 100 | SERVICE_STOP |
| ServerManagement - 101 | SERVICE_START |
| ServerManagement - 102 | STATUS_UPDATE |
| ServerManagement - 103 | SERVICE_START |
| ServerManagement - 104 | STATUS_UPDATE |
| ServerManagement - 105 | STATUS_UPDATE |
| ServerManagement - 106 | STATUS_UPDATE |
| ServerManagement - 107 | SYSTEM_AUDIT_LOG_WIPE |
| ServerManagement - 108 | STATUS_UPDATE |
| ServerManagement - 109 | STATUS_UPDATE |
| ServerManagement - 110 | SERVICE_STOP |
| ServerManagement - 111 | STATUS_UPDATE |
| ServerManagement - 112 | STATUS_UPDATE |
| ServerManagement - 113 | STATUS_UPDATE |
| ServerManagement - 114 | STATUS_UPDATE |
| ServerManagement - 115 | STATUS_UPDATE |
| ServerManagement - 116 | STATUS_UPDATE |
| ServerManagement - 117 | STATUS_UPDATE |
| ServerManagement - 118 | STATUS_UPDATE |
| ServerManagement - 119 | STATUS_UPDATE |
| ServerManagement - 120 | STATUS_UPDATE |
| ServerManagement - 121 | STATUS_UPDATE |
| ServerManagement - 122 | STATUS_UPDATE |
| ServerManagement - 123 | STATUS_UPDATE |
| ServerManagement - 124 | STATUS_UPDATE |
| ServerManagement - 125 | STATUS_UPDATE |
| ServerManagement - 126 | STATUS_UPDATE |
| ServerManagement - 127 | STATUS_UPDATE |
| ServerManagement - 128 | STATUS_UPDATE |
| ServerManagement - 135 | STATUS_UPDATE |
| ServerManagement - 136 | STATUS_UPDATE |
| ServerManagement - 137 | STATUS_UPDATE |
| ServerManagement - 138 | STATUS_UPDATE |
| ServerManagement - 139 | STATUS_UPDATE |
| ServerManagement - 140 | STATUS_UPDATE |
| ServerManagement - 141 | STATUS_UPDATE |
| ServerManagement - 142 | STATUS_UPDATE |
| ServerManagement - 145 | SETTING_CREATION |
| ServerManagement - 146 | SETTING_DELETION |
| ServerManagement - 147 | STATUS_UPDATE |
| ServerManagement - 148 | SETTING_DELETION |
| ServerManagement - 149 | STATUS_UPDATE |
| ServerManagement - 150 | STATUS_UPDATE |
| ServerManagement - 151 | SERVICE_START |
| ServerManagement - 152 | SERVICE_STOP |
| ServerManagement - 156 | STATUS_UPDATE |
| ServerManagement - 157 | STATUS_UPDATE |
| ServerManagement - 158 | STATUS_UPDATE |
| ServerManagement - 160 | STATUS_UPDATE |
| ServerManagement - 161 | STATUS_UPDATE |
| ServerManagement - 162 | STATUS_UPDATE |
| ServerManagement - 163 | SETTING_CREATION |
| ServerManagement - 164 | SETTING_DELETION |
| ServerManagement - 165 | STATUS_UPDATE |
| ServerManagement - 166 | STATUS_UPDATE |
| ServerManagement - 167 | STATUS_UPDATE |
| ServerManagement - 168 | STATUS_UPDATE |
| ServerManagement - 169 | SETTING_DELETION |
| ServerManagement - 170 | STATUS_UPDATE |
| ServerManagement - 171 | STATUS_UPDATE |
| ServerManagement - 172 | SETTING_CREATION |
| ServerManagement - 173 | STATUS_UPDATE |
| ServerManagement - 174 | SETTING_DELETION |
| ServerManagement - 175 | STATUS_UPDATE |
| ServerManagement - 176 | STATUS_UPDATE |
| ServerManagement - 177 | STATUS_UPDATE |
| ServerManagement - 178 | STATUS_UPDATE |
| ServerManagement - 179 | STATUS_UPDATE |
| ServerManagement - 181 | STATUS_UPDATE |
| ServerManagement - 182 | SETTING_CREATION |
| ServerManagement - 183 | STATUS_UPDATE |
| ServerManagement - 184 | SETTING_DELETION |
| ServerManagement - 185 | STATUS_UPDATE |
| ServerManagement - 186 | STATUS_UPDATE |
| ServerManagement - 187 | SETTING_DELETION |
| ServerManagement - 188 | SETTING_CREATION |
| ServerManagement - 189 | SETTING_DELETION |
| ServerManagement - 190 | STATUS_UPDATE |
| ServerManagement - 191 | STATUS_UPDATE |
| ServerManagement - 192 | STATUS_UPDATE |
| ServerManagement - 193 | STATUS_UPDATE |
| ServerManagement - 195 | STATUS_UPDATE |
| ServerManagement - 196 | STATUS_UPDATE |
| ServerManagement - 197 | SETTING_CREATION |
| ServerManagement - 198 | STATUS_UPDATE |
| ServerManagement - 280 | SETTING_CREATION |
| ServerManagement - 281 | SETTING_DELETION |
| ServerManagement - 282 | STATUS_UPDATE |
| ServerManagement - 283 | STATUS_UPDATE |
| SessionManagement - 300 | STATUS_UPDATE |
| SessionManagement - 301 | USER_LOGOUT |
| SessionManagement - 302 | USER_CREATION |
| SessionManagement - 303 | USER_UNCATEGORIZED |
| SessionManagement - 304 | STATUS_UPDATE |
| SessionManagement - 305 | USER_UNCATEGORIZED |
| SessionManagement - 306 | SETTING_CREATION |
| SessionManagement - 307 | SETTING_DELETION |
| SessionManagement - 308 | SETTING_CREATION |
| SessionManagement - 309 | USER_UNCATEGORIZED |
Log Sample¶
<14>Jun 08 17:10:31 device.domain.com CEF:0|Carbon Black|Protection|8.1.6.436|836|File approved (system update)|4|externalId=2309049 cat=Policy Enforcement start=Jun 08 17:09:30 UTC rt=Jun 08 17:10:31 UTC filePath=c:\windows\softwaredistribution\download\path fname=path fileHash=hash fileId=90980 deviceProcessName=c:\windows\system32\svchost.exe dst=xxx.xxx.xxx.xxx dhost=HOMEOFFICE\devicename duser=NT AUTHORITY\SYSTEM dvchost=dvchost.domain.com msg=File 'c:\windows\softwaredistribution\download\path' [hash] was approved due to a system update. sproc=proc prevalence=1 cs3Label=Policy cs3=test - POS - App cfp1Label=fileTrust cfp1=-2 flexString1Label=fileThreat flexString1=Pending cfp2Label=processTrust cfp2=-2 flexString2Label=processThreat flexString2=Pending
Sample Parsing¶
metadata.event_timestamp "2021-07-19T17:13:11Z"
metadata.event_type "PROCESS_LAUNCH"
metadata.vendor_name "Carbon Black"
metadata.product_name "App Control"
metadata.product_version "8.6.0.155"
metadata.product_event_type "Policy Enforcement - 807 - Report execution (Custom Rule)"
metadata.description "File 'c:\\windows\\syswow64\\wbem\\wmiprvse.exe' [ ] was executed."
metadata.ingested_timestamp "2021-07-19T17:13:41.281430Z"
additional.Policy "Policy Name"
additional.rule_name "Report Running Processes"
additional.external_id "2407621"
principal.hostname "hostname"
principal.user.userid "NT AUTHORITY\\LOCAL SERVICE"
principal.ip[0] "10.10.10.10"
principal.administrative_domain "subdomain.domain.com"
target.process.pid "00000000-0000-46b0-01d7-7cc159f94013"
target.process.file.full_path "c:\\windows\\syswow64\\wbem\\wmiprvse.exe"
intermediary[0].hostname "intermediary device"
observer.hostname "observer device"
security_result[0].severity "LOW"
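The Log Sample and the field tables above, worked through as an added example (this is not the Chronicle parser, whose configuration the page does not show). It splits the CEF header on unescaped pipes, walks the extension with a whitelist of the keys this product emits so a free-text `msg` value cannot be truncated by a stray `word=` inside it, looks up `cat` plus signature ID in a subset of the Product Event Types table, and only writes `fileHash` into a hash field when the value is a hex digest of MD5, SHA-1 or SHA-256 length (the sample's `fileHash=hash` is a placeholder and is dropped). The CEF-to-UDM severity thresholds, the treatment of signature IDs missing from the table as unnormalized, and the hostnames and 64-hex digest in the constructed second line are assumptions, not taken from the page.

```python
"""Normalize Carbon Black App Control CEF syslog into flat UDM-style fields (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# Subset of the Product Event Types table: (category without spaces, signature ID) -> UDM type.
EVENT_TYPES = {("PolicyEnforcement", "801"): "PROCESS_TERMINATION",
               ("PolicyEnforcement", "807"): "PROCESS_LAUNCH",
               ("PolicyEnforcement", "836"): "STATUS_UPDATE",
               ("SessionManagement", "301"): "USER_LOGOUT",
               ("ComputerManagement", "414"): "SYSTEM_AUDIT_LOG_WIPE"}
# Extension keys seen in the Log Sample; only these act as key boundaries, so a stray "word="
# inside the free-text msg value cannot truncate it.
KNOWN_KEYS = {"externalId", "cat", "start", "rt", "filePath", "fname", "fileHash", "fileId",
              "deviceProcessName", "dst", "dhost", "duser", "dvchost", "msg", "sproc", "prevalence"}
KNOWN_KEYS |= {f"{p}{i}{s}" for p, n in (("cs", 5), ("cfp", 3), ("flexString", 2))
               for i in range(1, n + 1) for s in ("", "Label")}
# CEF key -> UDM field from the mapping table above (dhost also feeds target.hostname).
DIRECT = {"msg": "metadata.description", "dhost": "principal.hostname", "duser": "principal.user.userid",
          "dvchost": "intermediary.hostname", "filePath": "target.file.full_path",
          "sproc": "target.process.pid", "externalId": "additional.external_id",
          "prevalence": "additional.prevalence"}
_CEF_PIPE = re.compile(r"(?<!\\)\|")                # header separator, but not an escaped "\|"
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")  # candidate extension keys
_HASH_FIELD = {32: "md5", 40: "sha1", 64: "sha256"}

def parse_cef(line: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split one syslog line into the seven CEF header fields and the extension map."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF record")
    parts = _CEF_PIPE.split(line[start:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    names = ("cef", "vendor", "product", "version", "signature_id", "name", "severity")
    header = {n: p.replace("\\|", "|").replace("\\\\", "\\") for n, p in zip(names, parts)}
    text, ext = parts[7], {}
    keys = [m for m in _EXT_KEY.finditer(text) if m.group(1) in KNOWN_KEYS]
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(text)
        # Only "\=" is unescaped: this product writes Windows paths with single backslashes,
        # so full CEF unescaping would mangle the "\n" in "...\notepad.exe".
        ext[m.group(1)] = text[m.end():end].replace("\\=", "=")
    return header, ext

def hash_field(value: str) -> Optional[str]:
    """UDM hash field chosen by digest length; None for placeholders such as 'hash'."""
    v = value.strip().lower()
    return _HASH_FIELD.get(len(v)) if v and all(c in "0123456789abcdef" for c in v) else None

def udm_severity(cef_severity: str) -> str:
    """CEF 0-10 severity to UDM buckets (assumed thresholds; the page does not state them)."""
    if not cef_severity.isdigit():
        return "UNKNOWN_SEVERITY"
    n = int(cef_severity)
    return "LOW" if n <= 3 else "MEDIUM" if n <= 6 else "HIGH" if n <= 8 else "CRITICAL"

def normalize(line: str) -> Dict[str, str]:
    """Build the flat field map shown under Sample Parsing for one log line."""
    header, ext = parse_cef(line)
    sig, cat = header["signature_id"], ext.get("cat", "")
    udm = {"metadata.vendor_name": header["vendor"], "metadata.product_name": header["product"],
           "metadata.product_version": header["version"],
           "metadata.product_event_type": f"{cat} - {sig} - {header['name']}",
           "security_result.severity": udm_severity(header["severity"])}
    if (event_type := EVENT_TYPES.get((cat.replace(" ", ""), sig))):
        udm["metadata.event_type"] = event_type  # IDs absent from the table stay unnormalized
    udm.update({field: ext[key] for key, field in DIRECT.items() if key in ext})
    if "dhost" in ext:
        udm["target.hostname"] = ext["dhost"]
    if (digest := hash_field(ext.get("fileHash", ""))):
        udm[f"target.file.{digest}"] = ext["fileHash"].lower()
    for key, label in ext.items():  # cs3Label=Policy cs3=... -> additional.Policy
        if key.endswith("Label") and key[:-5] in ext:
            udm[f"additional.{label}"] = ext[key[:-5]]
    return udm

def normalization_rate(lines: List[str]) -> float:
    """Share of lines that got a metadata.event_type (cf. Expected Normalization Rate above)."""
    mapped = 0
    for line in lines:
        try:
            mapped += "metadata.event_type" in normalize(line)
        except ValueError:
            pass  # malformed records count against the rate
    return mapped / len(lines) if lines else 0.0

HEX64 = "0123456789abcdef" * 4  # placeholder digest for the constructed line, not a real hash
# The page's Log Sample, then a constructed 807 line (hostnames are placeholders).
SAMPLE = (r"<14>Jun 08 17:10:31 device.domain.com CEF:0|Carbon Black|Protection|8.1.6.436|836|File approved "
          r"(system update)|4|externalId=2309049 cat=Policy Enforcement start=Jun 08 17:09:30 UTC "
          r"rt=Jun 08 17:10:31 UTC filePath=c:\windows\softwaredistribution\download\path fname=path "
          r"fileHash=hash fileId=90980 deviceProcessName=c:\windows\system32\svchost.exe dst=xxx.xxx.xxx.xxx "
          r"dhost=HOMEOFFICE\devicename duser=NT AUTHORITY\SYSTEM dvchost=dvchost.domain.com msg=File "
          r"'c:\windows\softwaredistribution\download\path' [hash] was approved due to a system update. "
          r"sproc=proc prevalence=1 cs3Label=Policy cs3=test - POS - App cfp1Label=fileTrust cfp1=-2 "
          r"flexString1Label=fileThreat flexString1=Pending cfp2Label=processTrust cfp2=-2 "
          r"flexString2Label=processThreat flexString2=Pending")
CONSTRUCTED_807 = (rf"<14>Jul 19 17:13:11 srv.example.test CEF:0|Carbon Black|App Control|8.6.0.155|807|Report "
                   rf"execution (Custom Rule)|2|cat=Policy Enforcement filePath=c:\windows\syswow64\wbem\wmiprvse.exe "
                   rf"fileHash={HEX64} dhost=WORKSTATION01 duser=NT AUTHORITY\LOCAL SERVICE msg=File was executed.")
```

`normalize(SAMPLE)` returns the same shape as the Sample Parsing listing, with `metadata.event_type` set to `STATUS_UPDATE` for 836 and `additional.Policy` filled from the `cs3Label`/`cs3` pair. Note that the CEF `cat` value carries a space ("Policy Enforcement") while the event table keys do not, so the lookup strips it; `normalization_rate` over a batch is what the 75% figure above measures, with any line whose category and ID are not in the table counting against it.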
Parser Alerting¶
This product currently does not have any Parser-based Alerting.