Carbon Black EDR¶
About¶
VMware Carbon Black is a cybersecurity company based in Waltham, Massachusetts. The company develops cloud-native endpoint security software that is designed to detect malicious behavior and to help prevent malicious files from attacking an organization.
Product Details¶
Vendor URL: VMware Security Solutions
Product Type: Endpoint Detection and Response
Product Tier: Tier I
Integration Method: Syslog and API
Integration URL: Carbon Black Defense - Cyderes Documentation
Integration URL: Carbon Black Response - Cyderes Documentation
Log Guide: Carbon Black Log Guide
Parser Details¶
Log Format: CEF Syslog and Json
Expected Normalization Rate: 95%
Data Label: CB_EDR
UDM Fields (list of all UDM fields leveraged in the Parser):
Log File Field | UDM Field |
---|---|
action | additional.action |
action | metadata.product_event_type |
alert_severity | security_result.detection_fields.value.alert_severity |
blocked_threat_category | additional.blocked_threat_category |
blocked_threat_category | security_result.detection_fields.value.blocked_threat_category |
cb_server | intermediary.hostname |
child_command_line | target.process.command_line |
child_pid | target.process.pid |
child_process_guid | target.process.product_specific_process_id |
child_username | target.user.userid |
childproc_guid | target.process.product_specific_process_id |
childproc_hash.0 | target.process.file.md5 |
childproc_hash.1 | target.process.file.sha256 |
childproc_pid | target.process.pid |
childproc_reputation | additional.childproc_reputation |
childproc_username | target.user.userid |
column1 | csv_header |
column2 | csv_vendor |
column3 | csv_product |
column4 | csv_version |
column5 | log_version |
column6 | csv_event_type |
column7 | log_level |
column8 | csv_message_details |
command_line | target.process.command_line |
comms_ip | intermediary.port |
computer_name | principal.hostname |
created_by_event_id | additional.created_by_event_id |
crossproc_api | additional.crossproc_api |
crossproc_guid | additional.crossproc_guid |
crossproc_hash.0 | additional.crossproc_md5 |
crossproc_hash.1 | additional.crossproc_sha256 |
crossproc_name | target.process.file.full_path |
crossproc_publisher.0.name | additional.crossproc_publisher_name |
crossproc_publisher.0.state | additional.crossproc_publisher_state |
crossproc_reputation | additional.crossproc_reputation |
crossproc_target | additional.crossproc_target |
device_group | principal.group.group_display_name |
device_internal_ip | additional.device_internal_ip |
device_location | additional.device_location |
deviceInfo.deviceId | about.asset_id |
deviceInfo.deviceName | principal.hostname |
deviceInfo.deviceVersion | principal.platform_version |
deviceInfo.email | principal.user.email_addresses |
deviceInfo.email | principal.user.userid |
deviceInfo.externalIpAddress | principal.nat_ip |
deviceInfo.internalIpAddress | principal.ip, about.ip |
direction | network.direction |
docs.0.cmdline | target.process.command_line |
docs.0.interface_ip | principal.ip |
docs.0.link_process | target.url |
docs.0.parent_guid | target.process.parent_process.product_specific_process_id |
docs.0.parent_name | additional.parent_process_name |
docs.0.parent_pid | target.process.parent_process.pid |
docs.0.path | target.process.file.full_path |
docs.0.process_guid | target.process.product_specific_process_id |
docs.0.process_name | additional.process_name |
docs.0.process_pid | target.process.pid |
docs.0.process_sha256 | additional.process_sha256 |
docs.0.start | additional.start |
docs.0.username | target.user.userid |
domain | principal.administrative_domain |
domain | target.hostname |
event_description | metadata.description |
event_id | additional.event_id |
event_origin | additional.event_origin |
eventDescription | security_result.severity_details |
feed_id | principal.resource.id |
feed_name | principal.resource.name |
feed_name | security_result.description |
file_md5 | principal.process.file.md5 |
file_md5 | target.file.md5 |
file_sha256 | principal.process.file.sha256 |
file_sha256 | target.file.sha256 |
fileless_scriptload_cmdline | additional.fileless_scriptload_cmdline |
fileless_scriptload_cmdline_length | additional.fileless_scriptload_cmdline_length |
fileless_scriptload_hash | additional.fileless_scriptload_hash |
filemod_hash.0 | target.process.file.md5 |
filemod_hash.1 | target.process.file.sha256 |
filemod_name | target.file.full_path |
first_event_time | additional.first_event_time |
group | target.group.group_display_name |
indicator.applicationName | security_result.about.application |
indicator.indicatorName | security_result.threat_name |
indicator.sha256Hash | security_result.about.file.sha256 |
interface_ip | principal.ip |
ioc_attr.direction | network.direction |
ioc_attr.dns_name | additional.dns_name |
ioc_attr.ja3 | additional.ja3 |
ioc_attr.ja3s | additional.ja3s |
ioc_attr.local_ip | about.ip |
ioc_attr.local_port | about.port |
ioc_attr.protocol | network.ip_protocol |
ioc_attr.remote_ip | about.ip |
ioc_attr.remote_port | about.port |
ioc_attrs.highlights.0 | about.resource.name |
ioc_confidence | additional.ioc_confidence |
ioc_hit | additional.ioc_hit |
ioc_id | additional.ioc_id |
ioc_query_index | additional.ioc_query_index |
ioc_query_string | about.resource.name |
ioc_type | about.resource.type |
ioc_value | about.resource.name |
ioc_value | target.ip |
last_event_time | additional.last_event_time |
last_update_time | additional.last_update_time |
link_process | principal.url |
local_ip | principal.ip |
local_port | principal.port |
md5 | principal.process.file.md5 |
md5 | target.file.md5 |
modload_count | security_result.detection_fields.value.modload_count |
modload_effective_reputation | security_result.detection_fields.value.modload_effective_reputation |
modload_md5 | security_result.detection_fields.value.modload_md5 |
modload_name | security_result.detection_fields.value.modload_name |
modload_publisher.0.name | security_result.detection_fields.value.modload_publisher_name |
modload_publisher.0.state | security_result.detection_fields.value.modload_publisher_state |
modload_sha256 | security_result.detection_fields.value.modload_sha256 |
netconn_domain | target.hostname |
netconn_protocol | network.ip_protocol |
netconn_proxy_domain | intermediary.hostname |
netconn_proxy_ip | intermediary.ip |
netconn_proxy_port | intermediary.port |
normalized_device_os | principal.platform |
not_blocked_threat_category | additional.not_blocked_threat_category |
not_blocked_threat_category | security_result.detection_fields.value.not_blocked_threat_category |
os_type | principal.platform |
parent_cmdline | principal.process.parent_process.command_line |
parent_guid | principal.process.parent_process.product_specific_process_id |
parent_hash.0 | principal.process.parent_process.file.md5 |
parent_hash.1 | principal.process.parent_process.file.sha256 |
parent_md5 | principal.process.file.md5 |
parent_md5 | target.file.md5 |
parent_path | principal.process.file.full_path |
parent_path | target.process.file.full_path |
parent_pid | principal.process.pid |
parent_pid | target.process.pid |
parent_process_guid | principal.process.product_specific_process_id |
parent_process_guid | target.process.product_specific_process_id |
path | target.file.full_path |
path | target.registry.registry_key |
pid | principal.process.pid |
pid | target.process.pid |
policy_applied | additional.policy_applied |
policy_id | additional.policy_id |
policy_name | additional.policy_name |
process_cmdline | principal.process.command_line |
process_guid | principal.process.product_specific_process_id |
process_guid | target.process.product_specific_process_id |
process_hash.0 | principal.process.file.md5 |
process_hash.1 | principal.process.file.sha256 |
process_path | principal.process.file.full_path |
process_path | target.process.file.full_path |
process_pid | principal.process.pid |
process_publisher.0.name | additional.process_publisher_name |
process_publisher.0.state | additional.process_publisher_state |
process_reputation | additional.process_reputation |
process_username | principal.user.userid |
protocol | network.ip_protocol |
proxy_domain | observer.hostname |
proxy_ip | observer.ip |
proxy_port | observer.port |
reason | metadata.description |
reason_code | additional.reason_code |
regmod_count | additional.regmod_count |
regmod_key | target.registry.registry_key |
regmod_name | target.registry.registry_key |
regmod_value | target.registry.registry_value_name |
remote_ip | target.ip |
remote_port | target.port |
report_id | additional.report_id |
report_id | security_result.rule_id |
report_id | target.resource.id |
report_name | additional.report_name |
report_score | security_result.about.investigation.severity_score |
report_score | security_result.summary |
requested_access | target.process.access_mask |
run_state | security_result.detection_fields.value.run_state |
scriptload_count | additional.scriptload_count |
scriptload_effective_reputation | additional.scriptload_effective_reputation |
scriptload_publisher.0.state | additional.scriptload_publisher_state |
scriptload_reputation | additional.scriptload_reputation |
sensor_action | security_result.action |
sensor_action | security_result.detection_fields.value.sensor_action |
sensor_id | principal.asset_id |
server_name | intermediary.hostname |
severity | security_result.severity |
sha256 | principal.process.file.sha256 |
sha256 | target.file.sha256 |
size | target.file.size |
status | additional.status |
target_cmdline | target.process.command_line |
target_md5 | target.process.file.md5 |
target_path | target.process.file.full_path |
target_pid | target.process.pid |
target_process_guid | target.process.product_specific_process_id |
target_sha256 | target.process.file.sha256 |
target_value | security_result.detection_fields.value.device_priority |
target_value | security_result.severity |
threat_cause_actor_name | security_result.detection_fields.value.threat_cause_actor_name |
threat_cause_actor_name | security_result.threat_name |
threat_cause_actor_process_pid | additional.threat_cause_actor_pid |
threat_cause_actor_sha256 | security_result.detection_fields.value.threat_cause_actor_sha256 |
threat_cause_cause_event_id | additional.threat_cause_cause_event_id |
threat_cause_reputation | additional.threat_cause_reputation |
threat_cause_threat_category | security_result.detection_fields.value.threat_cause_threat_category |
threat_cause_vector | additional.threat_cause_vector |
threat_id | security_result.threat_id |
threatHunterInfo.incidentId | security_result.threat_id |
threatHunterInfo.md5 | target.process.file.md5 |
threatHunterInfo.processGuid | target.process.product_specific_process_id |
threatHunterInfo.processPath | target.process.file.full_path |
threatHunterInfo.reportName | metadata.description |
threatHunterInfo.score | security_result.about.investigation.severity_score |
threatHunterInfo.sha256 | target.process.file.sha256 |
threatHunterInfo.summary | security_result.summary |
threatHunterInfo.threatCause.threatCategory | security_result.category_details |
threatInfo.incidentId | security_result.threat_id |
threatInfo.score | security_result.about.investigation.severity_score |
threatInfo.summary | metadata.description |
threatInfo.summary | security_result.summary |
threatInfo.threatCause.actorProcessPPid | target.process.pid |
threatInfo.threatCause.detectionGuid | target.process.product_specific_process_id |
timestamp | metadata.event_timestamp |
type | metadata.product_event_type |
url | metadata.url_back_to_product |
username | principal.user.userid |
utf8_on_disk_filename | target.file.full_path |
value_name | target.registry.registry_value_name |
watchlist_id | additional.watchlist_id |
watchlist_name | additional.watchlist_name |
watchlist_name | target.resource.name |
workflow_changed_by | additional.workflow_changed_by |
workflow_comment | additional.workflow_comment |
workflow_remediation | additional.workflow_remediation |
workflow_state | additional.workflow_state |
Product Event Types¶
type, action, report_id, feed_name, eventDescription | threatHunterInfo.score, threatInfo.score | report_score | UDM Event Classification | alerting enabled? |
---|---|---|---|---|
abusech | >= 50 | TRUE | ||
alert.watchlist.hit.ingress.process | STATUS_UNCATEGORIZED | |||
alienvault | >= 50 | TRUE | ||
all events | >= 5 | TRUE | ||
all other events | GENERIC_EVENT | |||
binary_info | FILE_UNCATEGORIZED | |||
CB_ANALYTICS | PROCESS_UNCATEGORIZED | |||
create | FILE_CREATION | |||
delete | FILE_DELETION | |||
endpoint.event.apicall | PROCESS_UNCATEGORIZED | |||
endpoint.event.fileless_scriptload | STATUS_UNCATEGORIZED | |||
endpoint.event.filemod | FILE_MODIFICATION | |||
endpoint.event.moduleload | PROCESS_UNCATEGORIZED | |||
endpoint.event.netconn | NETWORK_CONNECTION | |||
endpoint.event.netconn_proxy | NETWORK_CONNECTION | |||
endpoint.event.procend | PROCESS_TERMINATION | |||
endpoint.event.procstart | PROCESS_LAUNCH | |||
endpoint.event.regmod | REGISTRY_CREATION, REGISTRY_DELETION, REGISTRY_MODIFICATION | |||
endpoint.event.scriptload | STATUS_UNCATEGORIZED | |||
endpoint.event.volume | SETTING_MODIFICATION | |||
feed.ingress.hit.process | STATUS_UNCATEGORIZED | |||
feed.query.hit.process | PROCESS_UNCATEGORIZED | |||
feed.storage.hit.process | PROCESS_UNCATEGORIZED | |||
ingress.event.childproc | PROCESS_LAUNCH | |||
ingress.event.corssprocopen | PROCESS_OPEN | |||
ingress.event.moduleload | PROCESS_UNCATEGORIZED | |||
ingress.event.netconn | NETWORK_CONNECTION | |||
ingress.event.procend | PROCESS_TERMINATION | |||
ingress.event.procstart | PROCESS_LAUNCH | |||
ingress.event.regmod | REGISTRY_CREATION, REGISTRY_DELETION, REGISTRY_MODIFICATION | |||
ingress.event.remotethread | PROCESS_UNCATEGORIZED | |||
lastwrite | FILE_MODIFICATION | |||
malicioushost | >= 50 | TRUE | ||
THREAT | PROCESS_UNCATEGORIZED | |||
Threat | TRUE | |||
WATCHLIST | PROCESS_UNCATEGORIZED | |||
watchlist.hit.process | PROCESS_UNCATEGORIZED | |||
write | FILE_MODIFICATION |
Log Sample¶
{"threatInfo":{"indicators":[{"applicationName":"rtagent.exe","indicatorName":"RUN_CMD_SHELL","sha256Hash":"aeaacee8306d6ce88e238f5b6c623fa6e63a4f2c5429096841e9d17c4c4ad4db"},{"applicationName":"rtservice.exe","indicatorName":"ACTIVE_SERVER","sha256Hash":"afa8e97b33807248b7d7fa9a16ad44ab01d22a676f61abf2a211807239784dd3"},{"applicationName":"rtservice.exe","indicatorName":"UNKNOWN_APP","sha256Hash":"afa8e97b33807248b7d7fa9a16ad44ab01d22a676f61abf2a211807239784dd3"},{"indicatorName":"NETWORK_ACCESS","sha256Hash":"afa8e97b33807248b7d7fa9a16ad44ab01d22a676f61abf2a211807239784dd3","applicationName":"rtservice.exe"},{"applicationName":"rtagent.exe","indicatorName":"UNKNOWN_APP","sha256Hash":"aeaacee8306d6ce88e238f5b6c623fa6e63a4f2c5429096841e9d17c4c4ad4db"},{"applicationName":"rtagent.exe","indicatorName":"MITRE_T1059_CMD_LINE_OR_SCRIPT_INTER","sha256Hash":"aeaacee8306d6ce88e238f5b6c623fa6e63a4f2c5429096841e9d17c4c4ad4db"}],"threatCause":{"reputation":"NOT_LISTED","parentGuid":null,"threatCategory":"NEW_MALWARE","originSourceType":"UNKNOWN","actorName":"rtservice.exe","processGuid":"NWLSW-010459","reason":"R_NET_SERVER","actorType":null,"detectionGuid":"5676939-ades","causeEventId":"4165c544997311ec838177311e89ab46","actor":"afa8e97b33807248b7d7fa9a16ad44ab01d22a676f61abf2a211807239784dd3","actorProcessPPid":"2847869691"},"incidentId":"0xsad012-hqy72","score":3,"summary":"The application rtservice.exe acted as a network server.","time":1646148391607},"eventDescription":"[CYDERES-CHRONICLE] [Carbon Black has detected a threat against your company.] [website2.domain.com] [The application rtservice.exe acted as a network server.] [Incident id: 0xsad012-hqy72] [Threat score: 3] [Group: Standard] [Email: johndoe] [Name: Hostname1] [Type and OS: WINDOWS Server 2012 R2 x64] [Severity: Monitored]\n","url":"website.domain.com","eventTime":1646148074285,"deviceInfo":{"targetPriorityCode":0,"uemId":"","externalIpAddress":"10.0.0.15","deviceId":222258,"deviceName":"Hostname1","email":"johndoe","deviceHostName":null,"targetPriorityType":"MEDIUM","internalIpAddress":"10.0.0.14","groupName":"Standard","deviceType":"WINDOWS","deviceVersion":"Server 2012 R2 x64"},"ruleName":"CYDERES-CHRONICLE","type":"THREAT"}
Sample Parsing¶
metadata.event_timestamp = "2022-03-01T15:21:14.285Z"
metadata.event_type = "PROCESS_UNCATEGORIZED"
metadata.vendor_name = "Carbon Black"
metadata.product_name = "EDR"
metadata.product_event_type = "THREAT"
metadata.description = "The application rtservice.exe acted as a network server."
metadata.url_back_to_product = "website.domain.com"
metadata.ingested_timestamp = "2022-03-01T15:39:39.875741Z"
principal.hostname = "Hostname1"
principal.user.userid = "johndoe"
principal.platform = "WINDOWS"
principal.ip = "10.0.0.14"
principal.platform_version = "Server 2012 R2 x64"
principal.nat_ip = "10.0.0.15"
principal.asset.ip = "10.0.0.14"
target.process.pid = "2847869691"
target.process.product_specific_process_id = "CB:5676939-ades"
about.asset_id = "CB:222258"
about.ip = "10.0.0.14"
security_result.about.file.sha256 = "aeaacee8306d6ce88e238f5b6c623fa6e63a4f2c5429096841e9d17c4c4ad4db"
security_result.about.application = "rtagent.exe"
security_result.threat_name = "RUN_CMD_SHELL"
security_result.about.file.sha256 = "afa8e97b33807248b7d7fa9a16ad44ab01d22a676f61abf2a211807239784dd3"
security_result.about.application = "rtservice.exe"
security_result.threat_name = "ACTIVE_SERVER"
security_result.about.file.sha256 = "afa8e97b33807248b7d7fa9a16ad44ab01d22a676f61abf2a211807239784dd3"
security_result.about.application = "rtservice.exe"
security_result.threat_name = "UNKNOWN_APP"
security_result.about.file.sha256 = "afa8e97b33807248b7d7fa9a16ad44ab01d22a676f61abf2a211807239784dd3"
security_result.about.application = "rtservice.exe"
security_result.threat_name = "NETWORK_ACCESS"
security_result.about.file.sha256 = "aeaacee8306d6ce88e238f5b6c623fa6e63a4f2c5429096841e9d17c4c4ad4db"
security_result.about.application = "rtagent.exe"
security_result.threat_name = "UNKNOWN_APP"
security_result.about.file.sha256 = "aeaacee8306d6ce88e238f5b6c623fa6e63a4f2c5429096841e9d17c4c4ad4db"
security_result.about.application = "rtagent.exe"
security_result.threat_name = "MITRE_T1059_CMD_LINE_OR_SCRIPT_INTER"
security_result.about.investigation.severity_score = 3
security_result.category_details = "NEW_MALWARE"
security_result.summary = "The application rtservice.exe acted as a network server."
security_result.severity_details = "Monitored"
security_result.threat_id = "0xsad012-hqy72"
Parser Alerting¶
Alerting criteria is listed in the Product Event Types table above.