
Carbon Black EDR

cb_edr

About

VMware Carbon Black is a cybersecurity company based in Waltham, Massachusetts. The company develops cloud-native endpoint security software that is designed to detect malicious behavior and to help prevent malicious files from attacking an organization.

Product Details

Vendor URL: VMware Security Solutions

Product Type: Endpoint Detection and Response

Product Tier: Tier I

Integration Method: Syslog and API

Integration URL: Carbon Black Defense - Cyderes Documentation

Integration URL: Carbon Black Response - Cyderes Documentation

Log Guide: Carbon Black Log Guide

Parser Details

Log Format: CEF Syslog and JSON

Expected Normalization Rate: 95%

Data Label: CB_EDR

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field UDM Field
action additional.action
action metadata.product_event_type
alert_severity security_result.detection_fields.value.alert_severity
blocked_threat_category additional.blocked_threat_category
blocked_threat_category security_result.detection_fields.value.blocked_threat_category
cb_server intermediary.hostname
child_command_line target.process.command_line
child_pid target.process.pid
child_process_guid target.process.product_specific_process_id
child_username target.user.userid
childproc_guid target.process.product_specific_process_id
childproc_hash.0 target.process.file.md5
childproc_hash.1 target.process.file.sha256
childproc_pid target.process.pid
childproc_reputation additional.childproc_reputation
childproc_username target.user.userid
column1 csv_header
column2 csv_vendor
column3 csv_product
column4 csv_version
column5 log_version
column6 csv_event_type
column7 log_level
column8 csv_message_details
command_line target.process.command_line
comms_ip intermediary.port
computer_name principal.hostname
created_by_event_id additional.created_by_event_id
crossproc_api additional.crossproc_api
crossproc_guid additional.crossproc_guid
crossproc_hash.0 additional.crossproc_md5
crossproc_hash.1 additional.crossproc_sha256
crossproc_name target.process.file.full_path
crossproc_publisher.0.name additional.crossproc_publisher_name
crossproc_publisher.0.state additional.crossproc_publisher_state
crossproc_reputation additional.crossproc_reputation
crossproc_target additional.crossproc_target
device_group principal.group.group_display_name
device_internal_ip additional.device_internal_ip
device_location additional.device_location
deviceInfo.deviceId about.asset_id
deviceInfo.deviceName principal.hostname
deviceInfo.deviceVersion principal.platform_version
deviceInfo.email principal.user.email_addresses
deviceInfo.email principal.user.userid
deviceInfo.externalIpAddress principal.nat_ip
deviceInfo.internalIpAddress principal.ip, about.ip
direction network.direction
docs.0.cmdline target.process.command_line
docs.0.interface_ip principal.ip
docs.0.link_process target.url
docs.0.parent_guid target.process.parent_process.product_specific_process_id
docs.0.parent_name additional.parent_process_name
docs.0.parent_pid target.process.parent_process.pid
docs.0.path target.process.file.full_path
docs.0.process_guid target.process.product_specific_process_id
docs.0.process_name additional.process_name
docs.0.process_pid target.process.pid
docs.0.process_sha256 additional.process_sha256
docs.0.start additional.start
docs.0.username target.user.userid
domain principal.administrative_domain
domain target.hostname
event_description metadata.description
event_id additional.event_id
event_origin additional.event_origin
eventDescription security_result.severity_details
feed_id principal.resource.id
feed_name principal.resource.name
feed_name security_result.description
file_md5 principal.process.file.md5
file_md5 target.file.md5
file_sha256 principal.process.file.sha256
file_sha256 target.file.sha256
fileless_scriptload_cmdline additional.fileless_scriptload_cmdline
fileless_scriptload_cmdline_length additional.fileless_scriptload_cmdline_length
fileless_scriptload_hash additional.fileless_scriptload_hash
filemod_hash.0 target.process.file.md5
filemod_hash.1 target.process.file.sha256
filemod_name target.file.full_path
first_event_time additional.first_event_time
group target.group.group_display_name
indicator.applicationName security_result.about.application
indicator.indicatorName security_result.threat_name
indicator.sha256Hash security_result.about.file.sha256
interface_ip principal.ip
ioc_attr.direction network.direction
ioc_attr.dns_name additional.dns_name
ioc_attr.ja3 additional.ja3
ioc_attr.ja3s additional.ja3s
ioc_attr.local_ip about.ip
ioc_attr.local_port about.port
ioc_attr.protocol network.ip_protocol
ioc_attr.remote_ip about.ip
ioc_attr.remote_port about.port
ioc_attrs.highlights.0 about.resource.name
ioc_confidence additional.ioc_confidence
ioc_hit additional.ioc_hit
ioc_id additional.ioc_id
ioc_query_index additional.ioc_query_index
ioc_query_string about.resource.name
ioc_type about.resource.type
ioc_value about.resource.name
ioc_value target.ip
last_event_time additional.last_event_time
last_update_time additional.last_update_time
link_process principal.url
local_ip principal.ip
local_port principal.port
md5 principal.process.file.md5
md5 target.file.md5
modload_count security_result.detection_fields.value.modload_count
modload_effective_reputation security_result.detection_fields.value.modload_effective_reputation
modload_md5 security_result.detection_fields.value.modload_md5
modload_name security_result.detection_fields.value.modload_name
modload_publisher.0.name security_result.detection_fields.value.modload_publisher_name
modload_publisher.0.state security_result.detection_fields.value.modload_publisher_state
modload_sha256 security_result.detection_fields.value.modload_sha256
netconn_domain target.hostname
netconn_protocol network.ip_protocol
netconn_proxy_domain intermediary.hostname
netconn_proxy_ip intermediary.ip
netconn_proxy_port intermediary.port
normalized_device_os principal.platform
not_blocked_threat_category additional.not_blocked_threat_category
not_blocked_threat_category security_result.detection_fields.value.not_blocked_threat_category
os_type principal.platform
parent_cmdline principal.process.parent_process.command_line
parent_guid principal.process.parent_process.product_specific_process_id
parent_hash.0 principal.process.parent_process.file.md5
parent_hash.1 principal.process.parent_process.file.sha256
parent_md5 principal.process.file.md5
parent_md5 target.file.md5
parent_path principal.process.file.full_path
parent_path target.process.file.full_path
parent_pid principal.process.pid
parent_pid target.process.pid
parent_process_guid principal.process.product_specific_process_id
parent_process_guid target.process.product_specific_process_id
path target.file.full_path
path target.registry.registry_key
pid principal.process.pid
pid target.process.pid
policy_applied additional.policy_applied
policy_id additional.policy_id
policy_name additional.policy_name
process_cmdline principal.process.command_line
process_guid principal.process.product_specific_process_id
process_guid target.process.product_specific_process_id
process_hash.0 principal.process.file.md5
process_hash.1 principal.process.file.sha256
process_path principal.process.file.full_path
process_path target.process.file.full_path
process_pid principal.process.pid
process_publisher.0.name additional.process_publisher_name
process_publisher.0.state additional.process_publisher_state
process_reputation additional.process_reputation
process_username principal.user.userid
protocol network.ip_protocol
proxy_domain observer.hostname
proxy_ip observer.ip
proxy_port observer.port
reason metadata.description
reason_code additional.reason_code
regmod_count additional.regmod_count
regmod_key target.registry.registry_key
regmod_name target.registry.registry_key
regmod_value target.registry.registry_value_name
remote_ip target.ip
remote_port target.port
report_id additional.report_id
report_id security_result.rule_id
report_id target.resource.id
report_name additional.report_name
report_score security_result.about.investigation.severity_score
report_score security_result.summary
requested_access target.process.access_mask
run_state security_result.detection_fields.value.run_state
scriptload_count additional.scriptload_count
scriptload_effective_reputation additional.scriptload_effective_reputation
scriptload_publisher.0.state additional.scriptload_publisher_state
scriptload_reputation additional.scriptload_reputation
sensor_action security_result.action
sensor_action security_result.detection_fields.value.sensor_action
sensor_id principal.asset_id
server_name intermediary.hostname
severity security_result.severity
sha256 principal.process.file.sha256
sha256 target.file.sha256
size target.file.size
status additional.status
target_cmdline target.process.command_line
target_md5 target.process.file.md5
target_path target.process.file.full_path
target_pid target.process.pid
target_process_guid target.process.product_specific_process_id
target_sha256 target.process.file.sha256
target_value security_result.detection_fields.value.device_priority
target_value security_result.severity
threat_cause_actor_name security_result.detection_fields.value.threat_cause_actor_name
threat_cause_actor_name security_result.threat_name
threat_cause_actor_process_pid additional.threat_cause_actor_pid
threat_cause_actor_sha256 security_result.detection_fields.value.threat_cause_actor_sha256
threat_cause_cause_event_id additional.threat_cause_cause_event_id
threat_cause_reputation additional.threat_cause_reputation
threat_cause_threat_category security_result.detection_fields.value.threat_cause_threat_category
threat_cause_vector additional.threat_cause_vector
threat_id security_result.threat_id
threatHunterInfo.incidentId security_result.threat_id
threatHunterInfo.md5 target.process.file.md5
threatHunterInfo.processGuid target.process.product_specific_process_id
threatHunterInfo.processPath target.process.file.full_path
threatHunterInfo.reportName metadata.description
threatHunterInfo.score security_result.about.investigation.severity_score
threatHunterInfo.sha256 target.process.file.sha256
threatHunterInfo.summary security_result.summary
threatHunterInfo.threatCause.threatCategory security_result.category_details
threatInfo.incidentId security_result.threat_id
threatInfo.score security_result.about.investigation.severity_score
threatInfo.summary metadata.description
threatInfo.summary security_result.summary
threatInfo.threatCause.actorProcessPPid target.process.pid
threatInfo.threatCause.detectionGuid target.process.product_specific_process_id
timestamp metadata.event_timestamp
type metadata.product_event_type
url metadata.url_back_to_product
username principal.user.userid
utf8_on_disk_filename target.file.full_path
value_name target.registry.registry_value_name
watchlist_id additional.watchlist_id
watchlist_name additional.watchlist_name
watchlist_name target.resource.name
workflow_changed_by additional.workflow_changed_by
workflow_comment additional.workflow_comment
workflow_remediation additional.workflow_remediation
workflow_state additional.workflow_state

Product Event Types

| type, action, report_id, feed_name, eventDescription | threatHunterInfo.score, threatInfo.score | report_score | UDM Event Classification | alerting enabled? |
|---|---|---|---|---|
| abusech | | >= 50 | | TRUE |
| alert.watchlist.hit.ingress.process | | | STATUS_UNCATEGORIZED | |
| alienvault | | >= 50 | | TRUE |
| all events | >= 5 | | | TRUE |
| all other events | | | GENERIC_EVENT | |
| binary_info | | | FILE_UNCATEGORIZED | |
| CB_ANALYTICS | | | PROCESS_UNCATEGORIZED | |
| create | | | FILE_CREATION | |
| delete | | | FILE_DELETION | |
| endpoint.event.apicall | | | PROCESS_UNCATEGORIZED | |
| endpoint.event.fileless_scriptload | | | STATUS_UNCATEGORIZED | |
| endpoint.event.filemod | | | FILE_MODIFICATION | |
| endpoint.event.moduleload | | | PROCESS_UNCATEGORIZED | |
| endpoint.event.netconn | | | NETWORK_CONNECTION | |
| endpoint.event.netconn_proxy | | | NETWORK_CONNECTION | |
| endpoint.event.procend | | | PROCESS_TERMINATION | |
| endpoint.event.procstart | | | PROCESS_LAUNCH | |
| endpoint.event.regmod | | | REGISTRY_CREATION, REGISTRY_DELETION, REGISTRY_MODIFICATION | |
| endpoint.event.scriptload | | | STATUS_UNCATEGORIZED | |
| endpoint.event.volume | | | SETTING_MODIFICATION | |
| feed.ingress.hit.process | | | STATUS_UNCATEGORIZED | |
| feed.query.hit.process | | | PROCESS_UNCATEGORIZED | |
| feed.storage.hit.process | | | PROCESS_UNCATEGORIZED | |
| ingress.event.childproc | | | PROCESS_LAUNCH | |
| ingress.event.crossprocopen | | | PROCESS_OPEN | |
| ingress.event.moduleload | | | PROCESS_UNCATEGORIZED | |
| ingress.event.netconn | | | NETWORK_CONNECTION | |
| ingress.event.procend | | | PROCESS_TERMINATION | |
| ingress.event.procstart | | | PROCESS_LAUNCH | |
| ingress.event.regmod | | | REGISTRY_CREATION, REGISTRY_DELETION, REGISTRY_MODIFICATION | |
| ingress.event.remotethread | | | PROCESS_UNCATEGORIZED | |
| lastwrite | | | FILE_MODIFICATION | |
| malicioushost | | >= 50 | | TRUE |
| THREAT | | | PROCESS_UNCATEGORIZED | |
| Threat | | | | TRUE |
| WATCHLIST | | | PROCESS_UNCATEGORIZED | |
| watchlist.hit.process | | | PROCESS_UNCATEGORIZED | |
| write | | | FILE_MODIFICATION | |

Log Sample

{"threatInfo":{"indicators":[{"applicationName":"rtagent.exe","indicatorName":"RUN_CMD_SHELL","sha256Hash":"aeaacee8306d6ce88e238f5b6c623fa6e63a4f2c5429096841e9d17c4c4ad4db"},{"applicationName":"rtservice.exe","indicatorName":"ACTIVE_SERVER","sha256Hash":"afa8e97b33807248b7d7fa9a16ad44ab01d22a676f61abf2a211807239784dd3"},{"applicationName":"rtservice.exe","indicatorName":"UNKNOWN_APP","sha256Hash":"afa8e97b33807248b7d7fa9a16ad44ab01d22a676f61abf2a211807239784dd3"},{"indicatorName":"NETWORK_ACCESS","sha256Hash":"afa8e97b33807248b7d7fa9a16ad44ab01d22a676f61abf2a211807239784dd3","applicationName":"rtservice.exe"},{"applicationName":"rtagent.exe","indicatorName":"UNKNOWN_APP","sha256Hash":"aeaacee8306d6ce88e238f5b6c623fa6e63a4f2c5429096841e9d17c4c4ad4db"},{"applicationName":"rtagent.exe","indicatorName":"MITRE_T1059_CMD_LINE_OR_SCRIPT_INTER","sha256Hash":"aeaacee8306d6ce88e238f5b6c623fa6e63a4f2c5429096841e9d17c4c4ad4db"}],"threatCause":{"reputation":"NOT_LISTED","parentGuid":null,"threatCategory":"NEW_MALWARE","originSourceType":"UNKNOWN","actorName":"rtservice.exe","processGuid":"NWLSW-010459","reason":"R_NET_SERVER","actorType":null,"detectionGuid":"5676939-ades","causeEventId":"4165c544997311ec838177311e89ab46","actor":"afa8e97b33807248b7d7fa9a16ad44ab01d22a676f61abf2a211807239784dd3","actorProcessPPid":"2847869691"},"incidentId":"0xsad012-hqy72","score":3,"summary":"The application rtservice.exe acted as a network server.","time":1646148391607},"eventDescription":"[CYDERES-CHRONICLE] [Carbon Black has detected a threat against your company.] [website2.domain.com] [The application rtservice.exe acted as a network server.] [Incident id: 0xsad012-hqy72] [Threat score: 3] [Group: Standard] [Email: johndoe] [Name: Hostname1] [Type and OS: WINDOWS Server 2012 R2 x64] [Severity: Monitored]\n","url":"website.domain.com","eventTime":1646148074285,"deviceInfo":{"targetPriorityCode":0,"uemId":"","externalIpAddress":"10.0.0.15","deviceId":222258,"deviceName":"Hostname1","email":"johndoe","deviceHostName":null,"targetPriorityType":"MEDIUM","internalIpAddress":"10.0.0.14","groupName":"Standard","deviceType":"WINDOWS","deviceVersion":"Server 2012 R2 x64"},"ruleName":"CYDERES-CHRONICLE","type":"THREAT"}

Sample Parsing

metadata.event_timestamp = "2022-03-01T15:21:14.285Z"
metadata.event_type = "PROCESS_UNCATEGORIZED"
metadata.vendor_name = "Carbon Black"
metadata.product_name = "EDR"
metadata.product_event_type = "THREAT"
metadata.description = "The application rtservice.exe acted as a network server."
metadata.url_back_to_product = "website.domain.com"
metadata.ingested_timestamp = "2022-03-01T15:39:39.875741Z"
principal.hostname = "Hostname1"
principal.user.userid = "johndoe"
principal.platform = "WINDOWS"
principal.ip = "10.0.0.14"
principal.platform_version = "Server 2012 R2 x64"
principal.nat_ip = "10.0.0.15"
principal.asset.ip = "10.0.0.14"
target.process.pid = "2847869691"
target.process.product_specific_process_id = "CB:5676939-ades"
about.asset_id = "CB:222258"
about.ip = "10.0.0.14"
security_result.about.file.sha256 = "aeaacee8306d6ce88e238f5b6c623fa6e63a4f2c5429096841e9d17c4c4ad4db"
security_result.about.application = "rtagent.exe"
security_result.threat_name = "RUN_CMD_SHELL"
security_result.about.file.sha256 = "afa8e97b33807248b7d7fa9a16ad44ab01d22a676f61abf2a211807239784dd3"
security_result.about.application = "rtservice.exe"
security_result.threat_name = "ACTIVE_SERVER"
security_result.about.file.sha256 = "afa8e97b33807248b7d7fa9a16ad44ab01d22a676f61abf2a211807239784dd3"
security_result.about.application = "rtservice.exe"
security_result.threat_name = "UNKNOWN_APP"
security_result.about.file.sha256 = "afa8e97b33807248b7d7fa9a16ad44ab01d22a676f61abf2a211807239784dd3"
security_result.about.application = "rtservice.exe"
security_result.threat_name = "NETWORK_ACCESS"
security_result.about.file.sha256 = "aeaacee8306d6ce88e238f5b6c623fa6e63a4f2c5429096841e9d17c4c4ad4db"
security_result.about.application = "rtagent.exe"
security_result.threat_name = "UNKNOWN_APP"
security_result.about.file.sha256 = "aeaacee8306d6ce88e238f5b6c623fa6e63a4f2c5429096841e9d17c4c4ad4db"
security_result.about.application = "rtagent.exe"
security_result.threat_name = "MITRE_T1059_CMD_LINE_OR_SCRIPT_INTER"
security_result.about.investigation.severity_score = 3
security_result.category_details = "NEW_MALWARE"
security_result.summary = "The application rtservice.exe acted as a network server."
security_result.severity_details = "Monitored"
security_result.threat_id = "0xsad012-hqy72"

Parser Alerting

Alerting criteria are listed in the Product Event Types table above.
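As a worked illustration of the Sample Parsing output and of the alerting criteria in the Product Event Types table (added here; not the Cyderes parser and not Carbon Black code), the following Python maps a trimmed copy of the page's log sample to the UDM fields shown above and applies the table's alerting thresholds. EVENT_TYPE_MAP, ALERT_FEEDS and the case-insensitive match on type are assumptions drawn from the table.

```python
# Illustrative re-implementation of this page's Sample Parsing and alerting rules; not the
# Cyderes parser. EVENT_TYPE_MAP is a subset of the Product Event Types table (assumption).
import json
import re
from datetime import datetime, timezone

# Constructed: trimmed copy of the page's log sample (two of six indicators, unused keys dropped).
SAMPLE = """{"threatInfo":{"indicators":[{"applicationName":"rtagent.exe","indicatorName":
"RUN_CMD_SHELL","sha256Hash":"aeaacee8306d6ce88e238f5b6c623fa6e63a4f2c5429096841e9d17c4c4ad4db"},
{"applicationName":"rtservice.exe","indicatorName":"ACTIVE_SERVER","sha256Hash":
"afa8e97b33807248b7d7fa9a16ad44ab01d22a676f61abf2a211807239784dd3"}],"threatCause":
{"threatCategory":"NEW_MALWARE","detectionGuid":"5676939-ades","actorProcessPPid":"2847869691"},
"incidentId":"0xsad012-hqy72","score":3,"summary":"The application rtservice.exe acted as a network server."},
"eventDescription":"[CYDERES-CHRONICLE] [Name: Hostname1] [Severity: Monitored]\\n","eventTime":1646148074285,
"deviceInfo":{"externalIpAddress":"10.0.0.15","deviceId":222258,"deviceName":"Hostname1","email":"johndoe",
"internalIpAddress":"10.0.0.14","deviceType":"WINDOWS"},"type":"THREAT"}"""

EVENT_TYPE_MAP = {"THREAT": "PROCESS_UNCATEGORIZED", "CB_ANALYTICS": "PROCESS_UNCATEGORIZED",
                  "endpoint.event.netconn": "NETWORK_CONNECTION", "endpoint.event.procstart": "PROCESS_LAUNCH"}
ALERT_FEEDS = {"abusech", "alienvault", "malicioushost"}  # these feeds alert at report_score >= 50

def classify(ev: dict) -> str:
    # UDM event type keyed on type (or action); everything unlisted is GENERIC_EVENT
    return EVENT_TYPE_MAP.get(ev.get("type") or ev.get("action", ""), "GENERIC_EVENT")

def alerting_enabled(ev: dict) -> bool:
    # Table rules: type Threat (matched case-insensitively, an assumption), score >= 5, listed feed >= 50
    score = (ev.get("threatInfo") or ev.get("threatHunterInfo") or {}).get("score", 0)
    return (str(ev.get("type", "")).lower() == "threat" or score >= 5
            or (ev.get("feed_name") in ALERT_FEEDS and ev.get("report_score", 0) >= 50))

def to_udm(raw: str) -> dict:
    """Map one JSON alert to the UDM fields shown under Sample Parsing."""
    ev = json.loads(raw)
    ti, cause, dev = ev["threatInfo"], ev["threatInfo"]["threatCause"], ev["deviceInfo"]
    ts = datetime.fromtimestamp(ev["eventTime"] / 1000, tz=timezone.utc)  # epoch millis -> UTC
    sev = re.search(r"\[Severity: ([^\]]+)\]", ev.get("eventDescription", ""))  # only in the text blob
    return {
        "metadata.event_timestamp": ts.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z",
        "metadata.event_type": classify(ev),
        "metadata.product_event_type": ev["type"],
        "principal.hostname": dev["deviceName"],
        "principal.user.userid": dev["email"],
        "principal.ip": dev["internalIpAddress"],
        "about.asset_id": f"CB:{dev['deviceId']}",  # the parser prefixes ids with the vendor tag
        "target.process.pid": cause["actorProcessPPid"],
        "target.process.product_specific_process_id": f"CB:{cause['detectionGuid']}",
        "security_result": [(i.get("applicationName"), i["indicatorName"], i["sha256Hash"])
                            for i in ti["indicators"]],  # one security_result per indicator
        "security_result.about.investigation.severity_score": ti["score"],
        "security_result.category_details": cause["threatCategory"],
        "security_result.severity_details": sev.group(1) if sev else None,
        "security_result.threat_id": ti["incidentId"],
        "alerting_enabled": alerting_enabled(ev),
    }
```

Running `to_udm(SAMPLE)` reproduces the timestamp, the `CB:`-prefixed ids and the Monitored severity from the Sample Parsing section, and the event alerts because its type is THREAT even though its score of 3 is below the 5 threshold.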