
Carbon Black App Control

cb_app_control

About

VMware Carbon Black is a cybersecurity company based in Waltham, Massachusetts. The company develops cloud-native endpoint security software that is designed to detect malicious behavior and to help prevent malicious files from attacking an organization.

Product Details

Vendor URL: VMware Security Solutions

Product Type: Endpoint Detection and Response

Product Tier: Tier I

Integration Method: Syslog

Integration URL: How To Setup Logging Events to a Syslog Server

Log Guide: Carbon Black Log Guide

Requirements

Syslog Format: Enhanced (RFC5424). Note that the Log Sample further down carries a BSD-style (RFC 3164) header, <PRI>Mmm dd hh:mm:ss host, rather than an RFC 5424 header (which starts with a version digit and an ISO 8601 timestamp); the field mappings below refer to the CEF payload that follows the syslog header, plus the header's host value (observer).

Parser Details

Log Format: CEF Syslog

Expected Normalization Rate: 75%

Data Label: CB_APP_CONTROL

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field | UDM Field
severity | security_result.severity
observer | observer.hostname
observer | observer.ip
dhost, dvchost | principal.hostname
msg | metadata.description
dhost, dvchost | target.hostname
duser | principal.user.userid
Defined | metadata.event_type
registry | target.registry.registry_key
service | target.application
Defined | extensions.auth.type
domain | principal.administrative_domain
cs1Label | additional.fields.addtional_cs1.key
cs1 | additional.fields.addtional_cs1.value.string_value
cs2Label | additional.fields.addtional_cs2.key
cs2 | additional.fields.addtional_cs2.value.string_value
cs3Label | additional.fields.addtional_cs3.key
cs3 | additional.fields.addtional_cs3.value.string_value
cs4Label | additional.fields.addtional_cs4.key
cs4 | additional.fields.addtional_cs4.value.string_value
cs5Label | additional.fields.addtional_cs5.key
cs5 | additional.fields.addtional_cs5.value.string_value
cfp1Label | additional.fields.addtional_cfp1.key
cfp1 | additional.fields.addtional_cfp1.value.string_value
cfp2Label | additional.fields.addtional_cfp2.key
cfp2 | additional.fields.addtional_cfp2.value.string_value
cfp3Label | additional.fields.addtional_cfp3.key
cfp3 | additional.fields.addtional_cfp3.value.string_value
Defined | additional.fields.addtional_prevalence.key
prevalence | additional.fields.addtional_prevalence.value.string_value
flexString1Label | additional.fields.addtional_flexString1.key
flexString1 | additional.fields.addtional_flexString1.value.string_value
flexString2Label | additional.fields.addtional_flexString2.key
flexString2 | additional.fields.addtional_flexString2.value.string_value
filepath | target.process.file.full_path
fhash | target.process.file.sha256
sproc | target.process.pid
filepath | target.file.full_path
fhash | target.file.sha256
Defined | target.resource.type
dvchost | intermediary.hostname

"Defined" means the parser sets the field to a constant or derived value rather than copying a log field. The csN, cfpN and flexStringN pairs are emitted as key/value additional fields, with the *Label value used as the key (for example cs3Label=Policy becomes additional.Policy in the Sample Parsing section).

Product Event Types

Event (category - event ID)    UDM Event Classification
ComputerManagement - 1017 STATUS_UPDATE
ComputerManagement - 1018 STATUS_UPDATE
ComputerManagement - 1019 STATUS_UPDATE
ComputerManagement - 400 STATUS_UPDATE
ComputerManagement - 401 STATUS_UPDATE
ComputerManagement - 402 STATUS_UPDATE
ComputerManagement - 403 USER_CHANGE_PASSWORD
ComputerManagement - 404 STATUS_UPDATE
ComputerManagement - 405 STATUS_UPDATE
ComputerManagement - 406 STATUS_UPDATE
ComputerManagement - 407 STATUS_UPDATE
ComputerManagement - 408 STATUS_UPDATE
ComputerManagement - 409 STATUS_UPDATE
ComputerManagement - 410 STATUS_UPDATE
ComputerManagement - 411 STATUS_UPDATE
ComputerManagement - 412 STATUS_UPDATE
ComputerManagement - 413 STATUS_UPDATE
ComputerManagement - 414 SYSTEM_AUDIT_LOG_WIPE
ComputerManagement - 415 STATUS_UPDATE
ComputerManagement - 416 STATUS_UPDATE
ComputerManagement - 417 STATUS_UPDATE
ComputerManagement - 418 STATUS_UPDATE
ComputerManagement - 419 STATUS_UPDATE
ComputerManagement - 420 STATUS_UPDATE
ComputerManagement - 421 STATUS_UPDATE
ComputerManagement - 422 STATUS_UPDATE
ComputerManagement - 423 STATUS_UPDATE
ComputerManagement - 424 STATUS_UPDATE
ComputerManagement - 425 STATUS_UPDATE
ComputerManagement - 426 STATUS_UPDATE
ComputerManagement - 427 STATUS_UPDATE
ComputerManagement - 428 STATUS_UPDATE
ComputerManagement - 429 STATUS_UPDATE
ComputerManagement - 430 STATUS_UPDATE
ComputerManagement - 431 GENERIC_EVENT
ComputerManagement - 432 GENERIC_EVENT
ComputerManagement - 433 STATUS_UPDATE
ComputerManagement - 434 STATUS_UPDATE
ComputerManagement - 435 STATUS_UPDATE
ComputerManagement - 436 STATUS_UPDATE
ComputerManagement - 437 STATUS_UPDATE
ComputerManagement - 438 STATUS_UPDATE
ComputerManagement - 439 STATUS_UPDATE
ComputerManagement - 440 STATUS_UPDATE
ComputerManagement - 441 STATUS_UPDATE
ComputerManagement - 442 SETTING_CREATION
ComputerManagement - 443 STATUS_UPDATE
ComputerManagement - 444 SETTING_DELETION
ComputerManagement - 445 STATUS_UPDATE
ComputerManagement - 446 STATUS_UPDATE
ComputerManagement - 447 STATUS_UPDATE
ComputerManagement - 448 STATUS_UPDATE
ComputerManagement - 449 FILE_DELETION
ComputerManagement - 450 STATUS_UPDATE
ComputerManagement - 451 STATUS_UPDATE
ComputerManagement - 452 SETTING_UNCATEGORIZED
ComputerManagement - 453 STATUS_UPDATE
ComputerManagement - 454 FILE_DELETION
ComputerManagement - 455 STATUS_UPDATE
ComputerManagement - 456 STATUS_UPDATE
ComputerManagement - 457 STATUS_UPDATE
ComputerManagement - 458 STATUS_UPDATE
ComputerManagement - 459 STATUS_UPDATE
Discovery - 1000 STATUS_UPDATE
Discovery - 1001 FILE_CREATION
Discovery - 1003 FILE_UNCATEGORIZED
Discovery - 1004 FILE_CREATION
Discovery - 1005 FILE_UNCATEGORIZED
Discovery - 1007 PROCESS_LAUNCH
Discovery - 1008 STATUS_UPDATE
Discovery - 1009 STATUS_UPDATE
Discovery - 1010 STATUS_UPDATE
Discovery - 1011 STATUS_UPDATE
Discovery - 1012 STATUS_UPDATE
Discovery - 1013 STATUS_UPDATE
Discovery - 1014 STATUS_UPDATE
Discovery - 1015 SERVICE_CREATION
Discovery - 1016 SERVICE_DELETION
Discovery - 1020 FILE_CREATION
Discovery - 1021 FILE_CREATION
Discovery - 1099 STATUS_UPDATE
Discovery - 1200 FILE_UNCATEGORIZED
Discovery - 1201 STATUS_UPDATE
GeneralManagement - 1101 SETTING_CREATION
GeneralManagement - 1102 SETTING_DELETION
GeneralManagement - 1103 STATUS_UPDATE
GeneralManagement - 1104 STATUS_UPDATE
GeneralManagement - 1105 SETTING_UNCATEGORIZED
GeneralManagement - 1106 FILE_CREATION
GeneralManagement - 1107 FILE_MODIFICATION
GeneralManagement - 1108 FILE_DELETION
GeneralManagement - 1109 FILE_CREATION
GeneralManagement - 1110 SETTING_CREATION
GeneralManagement - 1111 STATUS_UPDATE
GeneralManagement - 1112 SETTING_DELETION
GeneralManagement - 1113 STATUS_UPDATE
GeneralManagement - 1114 SETTING_CREATION
GeneralManagement - 1115 STATUS_UPDATE
GeneralManagement - 1116 SETTING_DELETION
GeneralManagement - 1117 STATUS_UPDATE
GeneralManagement - 632 SETTING_CREATION
GeneralManagement - 633 SETTING_DELETION
GeneralManagement - 634 STATUS_UPDATE
PolicyEnforcement - 801 PROCESS_TERMINATION
PolicyEnforcement - 802 PROCESS_TERMINATION
PolicyEnforcement - 803 PROCESS_TERMINATION
PolicyEnforcement - 804 PROCESS_TERMINATION
PolicyEnforcement - 805 PROCESS_TERMINATION
PolicyEnforcement - 806 PROCESS_TERMINATION
PolicyEnforcement - 807 PROCESS_LAUNCH
PolicyEnforcement - 808 PROCESS_TERMINATION
PolicyEnforcement - 809 FILE_MODIFICATION
PolicyEnforcement - 810 STATUS_UPDATE
PolicyEnforcement - 811 STATUS_UPDATE
PolicyEnforcement - 812 STATUS_UPDATE
PolicyEnforcement - 813 STATUS_UPDATE
PolicyEnforcement - 814 PROCESS_LAUNCH
PolicyEnforcement - 816 STATUS_UPDATE
PolicyEnforcement - 817 FILE_MODIFICATION
PolicyEnforcement - 818 PROCESS_LAUNCH
PolicyEnforcement - 819 PROCESS_TERMINATION
PolicyEnforcement - 820 PROCESS_TERMINATION
PolicyEnforcement - 821 STATUS_UPDATE
PolicyEnforcement - 822 PROCESS_LAUNCH
PolicyEnforcement - 823 FILE_MODIFICATION
PolicyEnforcement - 824 FILE_READ
PolicyEnforcement - 825 FILE_UNCATEGORIZED
PolicyEnforcement - 826 REGISTRY_MODIFICATION
PolicyEnforcement - 827 PROCESS_TERMINATION
PolicyEnforcement - 828 REGISTRY_MODIFICATION
PolicyEnforcement - 829 STATUS_UPDATE
PolicyEnforcement - 831 PROCESS_UNCATEGORIZED
PolicyEnforcement - 832 STATUS_UPDATE
PolicyEnforcement - 833 STATUS_UPDATE
PolicyEnforcement - 834 STATUS_UPDATE
PolicyEnforcement - 835 STATUS_UPDATE
PolicyEnforcement - 836 STATUS_UPDATE
PolicyEnforcement - 837 PROCESS_TERMINATION
PolicyEnforcement - 838 PROCESS_LAUNCH
PolicyEnforcement - 839 PROCESS_TERMINATION
PolicyEnforcement - 840 STATUS_UPDATE
PolicyEnforcement - 841 PROCESS_LAUNCH
PolicyEnforcement - 842 STATUS_UPDATE
PolicyEnforcement - 843 PROCESS_LAUNCH
PolicyEnforcement - 844 PROCESS_LAUNCH
PolicyEnforcement - 845 STATUS_UPDATE
PolicyEnforcement - 846 STATUS_UPDATE
PolicyEnforcement - 847 PROCESS_UNCATEGORIZED
PolicyEnforcement - 848 PROCESS_LAUNCH
PolicyEnforcement - 849 STATUS_UPDATE
PolicyEnforcement - 850 STATUS_UPDATE
PolicyManagement - 1006 STATUS_UPDATE
PolicyManagement - 129 STATUS_UPDATE
PolicyManagement - 130 STATUS_UPDATE
PolicyManagement - 131 SETTING_DELETION
PolicyManagement - 132 SETTING_CREATION
PolicyManagement - 133 STATUS_UPDATE
PolicyManagement - 134 SETTING_DELETION
PolicyManagement - 144 STATUS_UPDATE
PolicyManagement - 153 SETTING_CREATION
PolicyManagement - 154 SETTING_DELETION
PolicyManagement - 155 STATUS_UPDATE
PolicyManagement - 200 STATUS_UPDATE
PolicyManagement - 600 SETTING_CREATION
PolicyManagement - 601 SETTING_DELETION
PolicyManagement - 602 STATUS_UPDATE
PolicyManagement - 603 STATUS_UPDATE
PolicyManagement - 604 STATUS_UPDATE
PolicyManagement - 605 STATUS_UPDATE
PolicyManagement - 606 STATUS_UPDATE
PolicyManagement - 607 STATUS_UPDATE
PolicyManagement - 608 STATUS_UPDATE
PolicyManagement - 609 STATUS_UPDATE
PolicyManagement - 611 STATUS_UPDATE
PolicyManagement - 613 SETTING_CREATION
PolicyManagement - 614 STATUS_UPDATE
PolicyManagement - 615 SETTING_DELETION
PolicyManagement - 616 SETTING_CREATION
PolicyManagement - 617 SETTING_DELETION
PolicyManagement - 618 SETTING_CREATION
PolicyManagement - 619 SETTING_DELETION
PolicyManagement - 620 SERVICE_START
PolicyManagement - 621 SERVICE_STOP
PolicyManagement - 623 STATUS_UPDATE
PolicyManagement - 625 STATUS_UPDATE
PolicyManagement - 626 STATUS_UPDATE
PolicyManagement - 627 SETTING_CREATION
PolicyManagement - 628 STATUS_UPDATE
PolicyManagement - 629 SETTING_DELETION
PolicyManagement - 630 STATUS_UPDATE
PolicyManagement - 635 SETTING_CREATION
PolicyManagement - 636 STATUS_UPDATE
PolicyManagement - 637 SETTING_DELETION
PolicyManagement - 638 SETTING_CREATION
PolicyManagement - 639 STATUS_UPDATE
PolicyManagement - 640 SETTING_DELETION
PolicyManagement - 641 SETTING_CREATION
PolicyManagement - 642 SETTING_DELETION
PolicyManagement - 643 STATUS_UPDATE
PolicyManagement - 644 STATUS_UPDATE
PolicyManagement - 645 STATUS_UPDATE
PolicyManagement - 646 STATUS_UPDATE
PolicyManagement - 647 SETTING_CREATION
PolicyManagement - 648 SETTING_DELETION
PolicyManagement - 649 STATUS_UPDATE
PolicyManagement - 650 SETTING_CREATION
PolicyManagement - 651 STATUS_UPDATE
PolicyManagement - 652 STATUS_UPDATE
PolicyManagement - 653 STATUS_UPDATE
PolicyManagement - 654 STATUS_UPDATE
PolicyManagement - 655 STATUS_UPDATE
PolicyManagement - 656 STATUS_UPDATE
PolicyManagement - 657 SETTING_CREATION
PolicyManagement - 659 SETTING_DELETION
PolicyManagement - 660 STATUS_UPDATE
PolicyManagement - 661 STATUS_UPDATE
PolicyManagement - 662 STATUS_UPDATE
PolicyManagement - 663 STATUS_UPDATE
PolicyManagement - 664 STATUS_UPDATE
PolicyManagement - 665 STATUS_UPDATE
ServerManagement - 100 SERVICE_STOP
ServerManagement - 101 SERVICE_START
ServerManagement - 102 STATUS_UPDATE
ServerManagement - 103 SERVICE_START
ServerManagement - 104 STATUS_UPDATE
ServerManagement - 105 STATUS_UPDATE
ServerManagement - 106 STATUS_UPDATE
ServerManagement - 107 SYSTEM_AUDIT_LOG_WIPE
ServerManagement - 108 STATUS_UPDATE
ServerManagement - 109 STATUS_UPDATE
ServerManagement - 110 SERVICE_STOP
ServerManagement - 111 STATUS_UPDATE
ServerManagement - 112 STATUS_UPDATE
ServerManagement - 113 STATUS_UPDATE
ServerManagement - 114 STATUS_UPDATE
ServerManagement - 115 STATUS_UPDATE
ServerManagement - 116 STATUS_UPDATE
ServerManagement - 117 STATUS_UPDATE
ServerManagement - 118 STATUS_UPDATE
ServerManagement - 119 STATUS_UPDATE
ServerManagement - 120 STATUS_UPDATE
ServerManagement - 121 STATUS_UPDATE
ServerManagement - 122 STATUS_UPDATE
ServerManagement - 123 STATUS_UPDATE
ServerManagement - 124 STATUS_UPDATE
ServerManagement - 125 STATUS_UPDATE
ServerManagement - 126 STATUS_UPDATE
ServerManagement - 127 STATUS_UPDATE
ServerManagement - 128 STATUS_UPDATE
ServerManagement - 135 STATUS_UPDATE
ServerManagement - 136 STATUS_UPDATE
ServerManagement - 137 STATUS_UPDATE
ServerManagement - 138 STATUS_UPDATE
ServerManagement - 139 STATUS_UPDATE
ServerManagement - 140 STATUS_UPDATE
ServerManagement - 141 STATUS_UPDATE
ServerManagement - 142 STATUS_UPDATE
ServerManagement - 145 SETTING_CREATION
ServerManagement - 146 SETTING_DELETION
ServerManagement - 147 STATUS_UPDATE
ServerManagement - 148 SETTING_DELETION
ServerManagement - 149 STATUS_UPDATE
ServerManagement - 150 STATUS_UPDATE
ServerManagement - 151 SERVICE_START
ServerManagement - 152 SERVICE_STOP
ServerManagement - 156 STATUS_UPDATE
ServerManagement - 157 STATUS_UPDATE
ServerManagement - 158 STATUS_UPDATE
ServerManagement - 160 STATUS_UPDATE
ServerManagement - 161 STATUS_UPDATE
ServerManagement - 162 STATUS_UPDATE
ServerManagement - 163 SETTING_CREATION
ServerManagement - 164 SETTING_DELETION
ServerManagement - 165 STATUS_UPDATE
ServerManagement - 166 STATUS_UPDATE
ServerManagement - 167 STATUS_UPDATE
ServerManagement - 168 STATUS_UPDATE
ServerManagement - 169 SETTING_DELETION
ServerManagement - 170 STATUS_UPDATE
ServerManagement - 171 STATUS_UPDATE
ServerManagement - 172 SETTING_CREATION
ServerManagement - 173 STATUS_UPDATE
ServerManagement - 174 SETTING_DELETION
ServerManagement - 175 STATUS_UPDATE
ServerManagement - 176 STATUS_UPDATE
ServerManagement - 177 STATUS_UPDATE
ServerManagement - 178 STATUS_UPDATE
ServerManagement - 179 STATUS_UPDATE
ServerManagement - 181 STATUS_UPDATE
ServerManagement - 182 SETTING_CREATION
ServerManagement - 183 STATUS_UPDATE
ServerManagement - 184 SETTING_DELETION
ServerManagement - 185 STATUS_UPDATE
ServerManagement - 186 STATUS_UPDATE
ServerManagement - 187 SETTING_DELETION
ServerManagement - 188 SETTING_CREATION
ServerManagement - 189 SETTING_DELETION
ServerManagement - 190 STATUS_UPDATE
ServerManagement - 191 STATUS_UPDATE
ServerManagement - 192 STATUS_UPDATE
ServerManagement - 193 STATUS_UPDATE
ServerManagement - 195 STATUS_UPDATE
ServerManagement - 196 STATUS_UPDATE
ServerManagement - 197 SETTING_CREATION
ServerManagement - 198 STATUS_UPDATE
ServerManagement - 280 SETTING_CREATION
ServerManagement - 281 SETTING_DELETION
ServerManagement - 282 STATUS_UPDATE
ServerManagement - 283 STATUS_UPDATE
SessionManagement - 300 STATUS_UPDATE
SessionManagement - 301 USER_LOGOUT
SessionManagement - 302 USER_CREATION
SessionManagement - 303 USER_UNCATEGORIZED
SessionManagement - 304 STATUS_UPDATE
SessionManagement - 305 USER_UNCATEGORIZED
SessionManagement - 306 SETTING_CREATION
SessionManagement - 307 SETTING_DELETION
SessionManagement - 308 SETTING_CREATION
SessionManagement - 309 USER_UNCATEGORIZED

Log Sample

<14>Jun 08 17:10:31 device.domain.com CEF:0|Carbon Black|Protection|8.1.6.436|836|File approved (system update)|4|externalId=2309049 cat=Policy Enforcement start=Jun 08 17:09:30 UTC rt=Jun 08 17:10:31 UTC filePath=c:\windows\softwaredistribution\download\path fname=path fileHash=hash fileId=90980 deviceProcessName=c:\windows\system32\svchost.exe dst=xxx.xxx.xxx.xxx dhost=HOMEOFFICE\devicename duser=NT AUTHORITY\SYSTEM dvchost=dvchost.domain.com msg=File 'c:\windows\softwaredistribution\download\path' [hash] was approved due to a system update. sproc=proc prevalence=1 cs3Label=Policy cs3=test - POS - App cfp1Label=fileTrust cfp1=-2 flexString1Label=fileThreat flexString1=Pending cfp2Label=processTrust cfp2=-2 flexString2Label=processThreat flexString2=Pending
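The following is an added example and is not code from this page, from VMware Carbon Black, or from the product's parser. It parses a CB App Control CEF-over-syslog line such as the Log Sample above, maps the fields onto the UDM paths listed in the Parser Details table, and classifies the event with a subset of the Product Event Types table. Field names follow the sample line; the CEF severity bands, the year supplied for the year-less CEF timestamps, the stripping of the NetBIOS prefix from dhost, the GENERIC_EVENT fallback, the hypothetical 801 line and the triage set are this example's own assumptions.

```python
"""Added example (not the page's or the vendor's parser): CB App Control CEF line -> UDM dict."""
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed inputs: the first is the page's own Log Sample; the second is a hypothetical
# 801 event in the same layout (its name is made up; the hash is SHA-256 of the empty string).
SAMPLE_LINES = [
    r"<14>Jun 08 17:10:31 device.domain.com CEF:0|Carbon Black|Protection|8.1.6.436|836|File approved (system update)|4|externalId=2309049 cat=Policy Enforcement start=Jun 08 17:09:30 UTC rt=Jun 08 17:10:31 UTC filePath=c:\windows\softwaredistribution\download\path fname=path fileHash=hash fileId=90980 deviceProcessName=c:\windows\system32\svchost.exe dst=xxx.xxx.xxx.xxx dhost=HOMEOFFICE\devicename duser=NT AUTHORITY\SYSTEM dvchost=dvchost.domain.com msg=File 'c:\windows\softwaredistribution\download\path' [hash] was approved due to a system update. sproc=proc prevalence=1 cs3Label=Policy cs3=test - POS - App cfp1Label=fileTrust cfp1=-2 flexString1Label=fileThreat flexString1=Pending cfp2Label=processTrust cfp2=-2 flexString2Label=processThreat flexString2=Pending",
    r"<14>Jun 09 08:02:10 10.0.0.5 CEF:0|Carbon Black|Protection|8.1.6.436|801|Constructed execution block|7|externalId=2309050 cat=Policy Enforcement rt=Jun 09 08:02:10 UTC filePath=c:\users\alice\downloads\tool.exe fileHash=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 dhost=HOMEOFFICE\ws01 duser=HOMEOFFICE\alice dvchost=dvchost.domain.com domain=corp.example.com msg=File 'c:\users\alice\downloads\tool.exe' was blocked. sproc=1234 prevalence=1 cs3Label=Policy cs3=Lockdown",
]

# Subset of the page's Product Event Types table; unknown ids fall back to GENERIC_EVENT (assumption).
EVENT_TYPES = {
    "PolicyEnforcement - 801": "PROCESS_TERMINATION",
    "PolicyEnforcement - 807": "PROCESS_LAUNCH",
    "PolicyEnforcement - 826": "REGISTRY_MODIFICATION",
    "PolicyEnforcement - 836": "STATUS_UPDATE",
    "ComputerManagement - 414": "SYSTEM_AUDIT_LOG_WIPE",
    "ServerManagement - 107": "SYSTEM_AUDIT_LOG_WIPE",
    "SessionManagement - 301": "USER_LOGOUT",
}

# RFC 3164-style header followed by a CEF payload, as in the page's sample.
SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<cef>CEF:.*)$")
EXT_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z][A-Za-z0-9_]*)=")  # ' key=' tokens in the extension
SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def udm_severity(cef_severity: str) -> str:
    """CEF spec bands (assumption: the page does not say how its parser bands severity)."""
    try:
        n = int(cef_severity)
    except ValueError:
        return "UNKNOWN_SEVERITY"
    return "LOW" if n <= 3 else "MEDIUM" if n <= 6 else "HIGH" if n <= 8 else "CRITICAL"


def parse_extension(ext: str) -> Dict[str, str]:
    """Values may contain spaces, so each value runs from its '=' to the next ' key=' token."""
    keys = list(EXT_KEY_RE.finditer(ext))
    out: Dict[str, str] = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        out[m.group(1)] = ext[m.end():end].strip().replace(r"\=", "=")
    return out


def cef_time(value: str, year: int) -> str:
    """'Jun 08 17:10:31 UTC' carries no year; the caller supplies one (assumption)."""
    return datetime.strptime(value, "%b %d %H:%M:%S UTC").replace(year=year).strftime("%Y-%m-%dT%H:%M:%SZ")


def to_udm(line: str, year: Optional[int] = None) -> Dict[str, object]:
    """Map one line onto the UDM paths of the Parser Details table (flat dict keyed by path)."""
    year = year or datetime.now(timezone.utc).year
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog line with a CEF payload")
    parts = re.split(r"(?<!\\)\|", m.group("cef"), maxsplit=7)  # split on unescaped pipes
    if len(parts) != 8 or parts[0] != "CEF:0":
        raise ValueError("malformed CEF header")
    _, vendor, product, version, sig_id, name, severity, ext_str = parts
    ext = parse_extension(ext_str)
    cat = ext.get("cat", "")
    udm: Dict[str, object] = {
        "metadata.vendor_name": vendor,
        "metadata.product_name": product,
        "metadata.product_version": version,
        "metadata.product_event_type": f"{cat} - {sig_id} - {name}",
        "metadata.event_type": EVENT_TYPES.get(f"{cat.replace(' ', '')} - {sig_id}", "GENERIC_EVENT"),
        "metadata.description": ext.get("msg", ""),
        "security_result[0].severity": udm_severity(severity),
    }
    if "rt" in ext:
        udm["metadata.event_timestamp"] = cef_time(ext["rt"], year)
    host = m.group("host")  # syslog header host: observer.ip if it is an address, else observer.hostname
    udm["observer.ip" if IPV4_RE.match(host) else "observer.hostname"] = host
    # dhost may carry a NetBIOS prefix (HOMEOFFICE\name); keep only the name (assumption)
    dhost = ext.get("dhost") or ext.get("dvchost", "")
    udm["principal.hostname"] = udm["target.hostname"] = dhost.rsplit("\\", 1)[-1]
    for src, dst in (("duser", "principal.user.userid"), ("dvchost", "intermediary[0].hostname"),
                     ("domain", "principal.administrative_domain"), ("externalId", "additional.external_id"),
                     ("sproc", "target.process.pid"), ("prevalence", "additional.prevalence")):
        if src in ext:
            udm[dst] = ext[src]
    if "filePath" in ext:
        udm["target.file.full_path"] = udm["target.process.file.full_path"] = ext["filePath"]
    if SHA256_RE.match(ext.get("fileHash", "")):  # the page's sample carries the placeholder "hash"
        udm["target.file.sha256"] = udm["target.process.file.sha256"] = ext["fileHash"].lower()
    for key, label in ext.items():  # csN/cfpN/flexStringN: the *Label value becomes the key
        if key.endswith("Label") and key[:-5] in ext:
            udm[f"additional.{label}"] = ext[key[:-5]]
    return udm


# Triage set (assumption): enforcement actions and audit-log tampering deserve a look.
NOTEWORTHY = {"PROCESS_TERMINATION", "SYSTEM_AUDIT_LOG_WIPE", "REGISTRY_MODIFICATION"}


def noteworthy(lines: List[str], year: Optional[int] = None) -> List[str]:
    """product_event_type of every line whose UDM event_type is in NOTEWORTHY."""
    events = (to_udm(line, year) for line in lines)
    return [e["metadata.product_event_type"] for e in events if e["metadata.event_type"] in NOTEWORTHY]
```

Two behaviours are worth noting. Extension values are delimited by the next ` key=` token, not by spaces, which is what keeps `duser=NT AUTHORITY\SYSTEM` and `cs3=test - POS - App` intact; a value that itself contains ` word=` would still be cut short, so a production parser should lowercase and validate keys against a known set. The hash is copied into `sha256` only when it is a 64-hex digest, so the placeholder `fileHash=hash` in the page's sample is dropped rather than polluting the indexed hash field.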

Sample Parsing

Note: the parsed output below comes from a Policy Enforcement 807 event (App Control 8.6.0.155), not from the 836 line shown in the Log Sample above, so the values do not correspond one-to-one.

metadata.event_timestamp "2021-07-19T17:13:11Z"
metadata.event_type "PROCESS_LAUNCH"
metadata.vendor_name "Carbon Black"
metadata.product_name "App Control"
metadata.product_version "8.6.0.155"
metadata.product_event_type "Policy Enforcement - 807 - Report execution (Custom Rule)"
metadata.description "File 'c:\\windows\\syswow64\\wbem\\wmiprvse.exe' [ ] was executed."
metadata.ingested_timestamp "2021-07-19T17:13:41.281430Z"
additional.Policy "Policy Name"
additional.rule_name "Report Running Processes"
additional.external_id "2407621"
principal.hostname "hostname"
principal.user.userid "NT AUTHORITY\\LOCAL SERVICE"
principal.ip[0] "10.10.10.10"
principal.administrative_domain "subdomain.domain.com"
target.process.pid "00000000-0000-46b0-01d7-7cc159f94013"
target.process.file.full_path "c:\\windows\\syswow64\\wbem\\wmiprvse.exe"
intermediary[0].hostname "intermediary device"
observer.hostname "observer device"
security_result[0].severity "LOW"

Parser Alerting

This product currently does not have any Parser-based Alerting

Rules

Coming Soon