Carbon Black EDR

About
VMware Carbon Black is a cybersecurity company based in Waltham, Massachusetts. The company develops cloud-native endpoint security software that is designed to detect malicious behavior and to help prevent malicious files from attacking an organization.
Product Details
Vendor URL: VMware Security Solutions
Product Type: Endpoint Detection and Response
Product Tier: Tier I
Integration Method: Syslog and API
Integration URL: Carbon Black Defense - Cyderes Documentation
Integration URL: Carbon Black Response - Cyderes Documentation
Log Guide: Carbon Black Log Guide
Parser Details
Log Format: CEF Syslog and JSON
Expected Normalization Rate: 95%
Data Label: CB_EDR
UDM Fields (list of all UDM fields leveraged in the parser):
| Log File Field | UDM Field |
|---|---|
| action | additional.action |
| action | metadata.product_event_type |
| alert_severity | security_result.detection_fields.value.alert_severity |
| blocked_threat_category | additional.blocked_threat_category |
| blocked_threat_category | security_result.detection_fields.value.blocked_threat_category |
| cb_server | intermediary.hostname |
| child_command_line | target.process.command_line |
| child_pid | target.process.pid |
| child_process_guid | target.process.product_specific_process_id |
| child_username | target.user.userid |
| childproc_guid | target.process.product_specific_process_id |
| childproc_hash.0 | target.process.file.md5 |
| childproc_hash.1 | target.process.file.sha256 |
| childproc_pid | target.process.pid |
| childproc_reputation | additional.childproc_reputation |
| childproc_username | target.user.userid |
| column1 | csv_header |
| column2 | csv_vendor |
| column3 | csv_product |
| column4 | csv_version |
| column5 | log_version |
| column6 | csv_event_type |
| column7 | log_level |
| column8 | csv_message_details |
| command_line | target.process.command_line |
| comms_ip | intermediary.port |
| computer_name | principal.hostname |
| created_by_event_id | additional.created_by_event_id |
| crossproc_api | additional.crossproc_api |
| crossproc_guid | additional.crossproc_guid |
| crossproc_hash.0 | additional.crossproc_md5 |
| crossproc_hash.1 | additional.crossproc_sha256 |
| crossproc_name | target.process.file.full_path |
| crossproc_publisher.0.name | additional.crossproc_publisher_name |
| crossproc_publisher.0.state | additional.crossproc_publisher_state |
| crossproc_reputation | additional.crossproc_reputation |
| crossproc_target | additional.crossproc_target |
| device_group | principal.group.group_display_name |
| device_internal_ip | additional.device_internal_ip |
| device_location | additional.device_location |
| deviceInfo.deviceId | about.asset_id |
| deviceInfo.deviceName | principal.hostname |
| deviceInfo.deviceVersion | principal.platform_version |
| deviceInfo.email | principal.user.email_addresses |
| deviceInfo.email | principal.user.userid |
| deviceInfo.externalIpAddress | principal.nat_ip |
| deviceInfo.internalIpAddress | principal.ip, about.ip |
| direction | network.direction |
| docs.0.cmdline | target.process.command_line |
| docs.0.interface_ip | principal.ip |
| docs.0.link_process | target.url |
| docs.0.parent_guid | target.process.parent_process.product_specific_process_id |
| docs.0.parent_name | additional.parent_process_name |
| docs.0.parent_pid | target.process.parent_process.pid |
| docs.0.path | target.process.file.full_path |
| docs.0.process_guid | target.process.product_specific_process_id |
| docs.0.process_name | additional.process_name |
| docs.0.process_pid | target.process.pid |
| docs.0.process_sha256 | additional.process_sha256 |
| docs.0.start | additional.start |
| docs.0.username | target.user.userid |
| domain | principal.administrative_domain |
| domain | target.hostname |
| event_description | metadata.description |
| event_id | additional.event_id |
| event_origin | additional.event_origin |
| eventDescription | security_result.severity_details |
| feed_id | principal.resource.id |
| feed_name | principal.resource.name |
| feed_name | security_result.description |
| file_md5 | principal.process.file.md5 |
| file_md5 | target.file.md5 |
| file_sha256 | principal.process.file.sha256 |
| file_sha256 | target.file.sha256 |
| fileless_scriptload_cmdline | additional.fileless_scriptload_cmdline |
| fileless_scriptload_cmdline_length | additional.fileless_scriptload_cmdline_length |
| fileless_scriptload_hash | additional.fileless_scriptload_hash |
| filemod_hash.0 | target.process.file.md5 |
| filemod_hash.1 | target.process.file.sha256 |
| filemod_name | target.file.full_path |
| first_event_time | additional.first_event_time |
| group | target.group.group_display_name |
| indicator.applicationName | security_result.about.application |
| indicator.indicatorName | security_result.threat_name |
| indicator.sha256Hash | security_result.about.file.sha256 |
| interface_ip | principal.ip |
| ioc_attr.direction | network.direction |
| ioc_attr.dns_name | additional.dns_name |
| ioc_attr.ja3 | additional.ja3 |
| ioc_attr.ja3s | additional.ja3s |
| ioc_attr.local_ip | about.ip |
| ioc_attr.local_port | about.port |
| ioc_attr.protocol | network.ip_protocol |
| ioc_attr.remote_ip | about.ip |
| ioc_attr.remote_port | about.port |
| ioc_attrs.highlights.0 | about.resource.name |
| ioc_confidence | additional.ioc_confidence |
| ioc_hit | additional.ioc_hit |
| ioc_id | additional.ioc_id |
| ioc_query_index | additional.ioc_query_index |
| ioc_query_string | about.resource.name |
| ioc_type | about.resource.type |
| ioc_value | about.resource.name |
| ioc_value | target.ip |
| last_event_time | additional.last_event_time |
| last_update_time | additional.last_update_time |
| link_process | principal.url |
| local_ip | principal.ip |
| local_port | principal.port |
| md5 | principal.process.file.md5 |
| md5 | target.file.md5 |
| modload_count | security_result.detection_fields.value.modload_count |
| modload_effective_reputation | security_result.detection_fields.value.modload_effective_reputation |
| modload_md5 | security_result.detection_fields.value.modload_md5 |
| modload_name | security_result.detection_fields.value.modload_name |
| modload_publisher.0.name | security_result.detection_fields.value.modload_publisher_name |
| modload_publisher.0.state | security_result.detection_fields.value.modload_publisher_state |
| modload_sha256 | security_result.detection_fields.value.modload_sha256 |
| netconn_domain | target.hostname |
| netconn_protocol | network.ip_protocol |
| netconn_proxy_domain | intermediary.hostname |
| netconn_proxy_ip | intermediary.ip |
| netconn_proxy_port | intermediary.port |
| normalized_device_os | principal.platform |
| not_blocked_threat_category | additional.not_blocked_threat_category |
| not_blocked_threat_category | security_result.detection_fields.value.not_blocked_threat_category |
| os_type | principal.platform |
| parent_cmdline | principal.process.parent_process.command_line |
| parent_guid | principal.process.parent_process.product_specific_process_id |
| parent_hash.0 | principal.process.parent_process.file.md5 |
| parent_hash.1 | principal.process.parent_process.file.sha256 |
| parent_md5 | principal.process.file.md5 |
| parent_md5 | target.file.md5 |
| parent_path | principal.process.file.full_path |
| parent_path | target.process.file.full_path |
| parent_pid | principal.process.pid |
| parent_pid | target.process.pid |
| parent_process_guid | principal.process.product_specific_process_id |
| parent_process_guid | target.process.product_specific_process_id |
| path | target.file.full_path |
| path | target.registry.registry_key |
| pid | principal.process.pid |
| pid | target.process.pid |
| policy_applied | additional.policy_applied |
| policy_id | additional.policy_id |
| policy_name | additional.policy_name |
| process_cmdline | principal.process.command_line |
| process_guid | principal.process.product_specific_process_id |
| process_guid | target.process.product_specific_process_id |
| process_hash.0 | principal.process.file.md5 |
| process_hash.1 | principal.process.file.sha256 |
| process_path | principal.process.file.full_path |
| process_path | target.process.file.full_path |
| process_pid | principal.process.pid |
| process_publisher.0.name | additional.process_publisher_name |
| process_publisher.0.state | additional.process_publisher_state |
| process_reputation | additional.process_reputation |
| process_username | principal.user.userid |
| protocol | network.ip_protocol |
| proxy_domain | observer.hostname |
| proxy_ip | observer.ip |
| proxy_port | observer.port |
| reason | metadata.description |
| reason_code | additional.reason_code |
| regmod_count | additional.regmod_count |
| regmod_key | target.registry.registry_key |
| regmod_name | target.registry.registry_key |
| regmod_value | target.registry.registry_value_name |
| remote_ip | target.ip |
| remote_port | target.port |
| report_id | additional.report_id |
| report_id | security_result.rule_id |
| report_id | target.resource.id |
| report_name | additional.report_name |
| report_score | security_result.about.investigation.severity_score |
| report_score | security_result.summary |
| requested_access | target.process.access_mask |
| run_state | security_result.detection_fields.value.run_state |
| scriptload_count | additional.scriptload_count |
| scriptload_effective_reputation | additional.scriptload_effective_reputation |
| scriptload_publisher.0.state | additional.scriptload_publisher_state |
| scriptload_reputation | additional.scriptload_reputation |
| sensor_action | security_result.action |
| sensor_action | security_result.detection_fields.value.sensor_action |
| sensor_id | principal.asset_id |
| server_name | intermediary.hostname |
| severity | security_result.severity |
| sha256 | principal.process.file.sha256 |
| sha256 | target.file.sha256 |
| size | target.file.size |
| status | additional.status |
| target_cmdline | target.process.command_line |
| target_md5 | target.process.file.md5 |
| target_path | target.process.file.full_path |
| target_pid | target.process.pid |
| target_process_guid | target.process.product_specific_process_id |
| target_sha256 | target.process.file.sha256 |
| target_value | security_result.detection_fields.value.device_priority |
| target_value | security_result.severity |
| threat_cause_actor_name | security_result.detection_fields.value.threat_cause_actor_name |
| threat_cause_actor_name | security_result.threat_name |
| threat_cause_actor_process_pid | additional.threat_cause_actor_pid |
| threat_cause_actor_sha256 | security_result.detection_fields.value.threat_cause_actor_sha256 |
| threat_cause_cause_event_id | additional.threat_cause_cause_event_id |
| threat_cause_reputation | additional.threat_cause_reputation |
| threat_cause_threat_category | security_result.detection_fields.value.threat_cause_threat_category |
| threat_cause_vector | additional.threat_cause_vector |
| threat_id | security_result.threat_id |
| threatHunterInfo.incidentId | security_result.threat_id |
| threatHunterInfo.md5 | target.process.file.md5 |
| threatHunterInfo.processGuid | target.process.product_specific_process_id |
| threatHunterInfo.processPath | target.process.file.full_path |
| threatHunterInfo.reportName | metadata.description |
| threatHunterInfo.score | security_result.about.investigation.severity_score |
| threatHunterInfo.sha256 | target.process.file.sha256 |
| threatHunterInfo.summary | security_result.summary |
| threatHunterInfo.threatCause.threatCategory | security_result.category_details |
| threatInfo.incidentId | security_result.threat_id |
| threatInfo.score | security_result.about.investigation.severity_score |
| threatInfo.summary | metadata.description |
| threatInfo.summary | security_result.summary |
| threatInfo.threatCause.actorProcessPPid | target.process.pid |
| threatInfo.threatCause.detectionGuid | target.process.product_specific_process_id |
| timestamp | metadata.event_timestamp |
| type | metadata.product_event_type |
| url | metadata.url_back_to_product |
| username | principal.user.userid |
| utf8_on_disk_filename | target.file.full_path |
| value_name | target.registry.registry_value_name |
| watchlist_id | additional.watchlist_id |
| watchlist_name | additional.watchlist_name |
| watchlist_name | target.resource.name |
| workflow_changed_by | additional.workflow_changed_by |
| workflow_comment | additional.workflow_comment |
| workflow_remediation | additional.workflow_remediation |
| workflow_state | additional.workflow_state |
Product Event Types
| type, action, report_id, feed_name, eventDescription | threatHunterInfo.score, threatInfo.score | report_score | UDM Event Classification | alerting enabled? |
|---|---|---|---|---|
| abusech | | >= 50 | | TRUE |
| alert.watchlist.hit.ingress.process | | | STATUS_UNCATEGORIZED | |
| alienvault | | >= 50 | | TRUE |
| all events | >= 5 | | | TRUE |
| all other events | | | GENERIC_EVENT | |
| binary_info | | | FILE_UNCATEGORIZED | |
| CB_ANALYTICS | | | PROCESS_UNCATEGORIZED | |
| create | | | FILE_CREATION | |
| delete | | | FILE_DELETION | |
| endpoint.event.apicall | | | PROCESS_UNCATEGORIZED | |
| endpoint.event.fileless_scriptload | | | STATUS_UNCATEGORIZED | |
| endpoint.event.filemod | | | FILE_MODIFICATION | |
| endpoint.event.moduleload | | | PROCESS_UNCATEGORIZED | |
| endpoint.event.netconn | | | NETWORK_CONNECTION | |
| endpoint.event.netconn_proxy | | | NETWORK_CONNECTION | |
| endpoint.event.procend | | | PROCESS_TERMINATION | |
| endpoint.event.procstart | | | PROCESS_LAUNCH | |
| endpoint.event.regmod | | | REGISTRY_CREATION, REGISTRY_DELETION, REGISTRY_MODIFICATION | |
| endpoint.event.scriptload | | | STATUS_UNCATEGORIZED | |
| endpoint.event.volume | | | SETTING_MODIFICATION | |
| feed.ingress.hit.process | | | STATUS_UNCATEGORIZED | |
| feed.query.hit.process | | | PROCESS_UNCATEGORIZED | |
| feed.storage.hit.process | | | PROCESS_UNCATEGORIZED | |
| ingress.event.childproc | | | PROCESS_LAUNCH | |
| ingress.event.crossprocopen | | | PROCESS_OPEN | |
| ingress.event.moduleload | | | PROCESS_UNCATEGORIZED | |
| ingress.event.netconn | | | NETWORK_CONNECTION | |
| ingress.event.procend | | | PROCESS_TERMINATION | |
| ingress.event.procstart | | | PROCESS_LAUNCH | |
| ingress.event.regmod | | | REGISTRY_CREATION, REGISTRY_DELETION, REGISTRY_MODIFICATION | |
| ingress.event.remotethread | | | PROCESS_UNCATEGORIZED | |
| lastwrite | | | FILE_MODIFICATION | |
| malicioushost | | >= 50 | | TRUE |
| THREAT | | | PROCESS_UNCATEGORIZED | |
| Threat | | | | TRUE |
| WATCHLIST | | | PROCESS_UNCATEGORIZED | |
| watchlist.hit.process | | | PROCESS_UNCATEGORIZED | |
| write | | | FILE_MODIFICATION | |
Log Sample

```json
{
  "threatInfo": {
    "indicators": [
      {"applicationName": "rtagent.exe", "indicatorName": "RUN_CMD_SHELL", "sha256Hash": "aeaacee8306d6ce88e238f5b6c623fa6e63a4f2c5429096841e9d17c4c4ad4db"},
      {"applicationName": "rtservice.exe", "indicatorName": "ACTIVE_SERVER", "sha256Hash": "afa8e97b33807248b7d7fa9a16ad44ab01d22a676f61abf2a211807239784dd3"},
      {"applicationName": "rtservice.exe", "indicatorName": "UNKNOWN_APP", "sha256Hash": "afa8e97b33807248b7d7fa9a16ad44ab01d22a676f61abf2a211807239784dd3"},
      {"indicatorName": "NETWORK_ACCESS", "sha256Hash": "afa8e97b33807248b7d7fa9a16ad44ab01d22a676f61abf2a211807239784dd3", "applicationName": "rtservice.exe"},
      {"applicationName": "rtagent.exe", "indicatorName": "UNKNOWN_APP", "sha256Hash": "aeaacee8306d6ce88e238f5b6c623fa6e63a4f2c5429096841e9d17c4c4ad4db"},
      {"applicationName": "rtagent.exe", "indicatorName": "MITRE_T1059_CMD_LINE_OR_SCRIPT_INTER", "sha256Hash": "aeaacee8306d6ce88e238f5b6c623fa6e63a4f2c5429096841e9d17c4c4ad4db"}
    ],
    "threatCause": {
      "reputation": "NOT_LISTED",
      "parentGuid": null,
      "threatCategory": "NEW_MALWARE",
      "originSourceType": "UNKNOWN",
      "actorName": "rtservice.exe",
      "processGuid": "NWLSW-010459",
      "reason": "R_NET_SERVER",
      "actorType": null,
      "detectionGuid": "5676939-ades",
      "causeEventId": "4165c544997311ec838177311e89ab46",
      "actor": "afa8e97b33807248b7d7fa9a16ad44ab01d22a676f61abf2a211807239784dd3",
      "actorProcessPPid": "2847869691"
    },
    "incidentId": "0xsad012-hqy72",
    "score": 3,
    "summary": "The application rtservice.exe acted as a network server.",
    "time": 1646148391607
  },
  "eventDescription": "[CYDERES-CHRONICLE] [Carbon Black has detected a threat against your company.] [website2.domain.com] [The application rtservice.exe acted as a network server.] [Incident id: 0xsad012-hqy72] [Threat score: 3] [Group: Standard] [Email: johndoe] [Name: Hostname1] [Type and OS: WINDOWS Server 2012 R2 x64] [Severity: Monitored]\n",
  "url": "website.domain.com",
  "eventTime": 1646148074285,
  "deviceInfo": {
    "targetPriorityCode": 0,
    "uemId": "",
    "externalIpAddress": "10.0.0.15",
    "deviceId": 222258,
    "deviceName": "Hostname1",
    "email": "johndoe",
    "deviceHostName": null,
    "targetPriorityType": "MEDIUM",
    "internalIpAddress": "10.0.0.14",
    "groupName": "Standard",
    "deviceType": "WINDOWS",
    "deviceVersion": "Server 2012 R2 x64"
  },
  "ruleName": "CYDERES-CHRONICLE",
  "type": "THREAT"
}
```
Sample Parsing
metadata.event_timestamp = "2022-03-01T15:21:14.285Z"
metadata.event_type = "PROCESS_UNCATEGORIZED"
metadata.vendor_name = "Carbon Black"
metadata.product_name = "EDR"
metadata.product_event_type = "THREAT"
metadata.description = "The application rtservice.exe acted as a network server."
metadata.url_back_to_product = "website.domain.com"
metadata.ingested_timestamp = "2022-03-01T15:39:39.875741Z"
principal.hostname = "Hostname1"
principal.user.userid = "johndoe"
principal.platform = "WINDOWS"
principal.ip = "10.0.0.14"
principal.platform_version = "Server 2012 R2 x64"
principal.nat_ip = "10.0.0.15"
principal.asset.ip = "10.0.0.14"
target.process.pid = "2847869691"
target.process.product_specific_process_id = "CB:5676939-ades"
about.asset_id = "CB:222258"
about.ip = "10.0.0.14"
security_result.about.file.sha256 = "aeaacee8306d6ce88e238f5b6c623fa6e63a4f2c5429096841e9d17c4c4ad4db"
security_result.about.application = "rtagent.exe"
security_result.threat_name = "RUN_CMD_SHELL"
security_result.about.file.sha256 = "afa8e97b33807248b7d7fa9a16ad44ab01d22a676f61abf2a211807239784dd3"
security_result.about.application = "rtservice.exe"
security_result.threat_name = "ACTIVE_SERVER"
security_result.about.file.sha256 = "afa8e97b33807248b7d7fa9a16ad44ab01d22a676f61abf2a211807239784dd3"
security_result.about.application = "rtservice.exe"
security_result.threat_name = "UNKNOWN_APP"
security_result.about.file.sha256 = "afa8e97b33807248b7d7fa9a16ad44ab01d22a676f61abf2a211807239784dd3"
security_result.about.application = "rtservice.exe"
security_result.threat_name = "NETWORK_ACCESS"
security_result.about.file.sha256 = "aeaacee8306d6ce88e238f5b6c623fa6e63a4f2c5429096841e9d17c4c4ad4db"
security_result.about.application = "rtagent.exe"
security_result.threat_name = "UNKNOWN_APP"
security_result.about.file.sha256 = "aeaacee8306d6ce88e238f5b6c623fa6e63a4f2c5429096841e9d17c4c4ad4db"
security_result.about.application = "rtagent.exe"
security_result.threat_name = "MITRE_T1059_CMD_LINE_OR_SCRIPT_INTER"
security_result.about.investigation.severity_score = 3
security_result.category_details = "NEW_MALWARE"
security_result.summary = "The application rtservice.exe acted as a network server."
security_result.severity_details = "Monitored"
security_result.threat_id = "0xsad012-hqy72"
Parser Alerting
Alerting criteria are listed in the Product Event Types table above.
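As an added example that is not part of the Cyderes parser or of Carbon Black's own code, the Python below normalizes a constructed excerpt of the THREAT notification above into the UDM fields shown under Sample Parsing and applies the table's "all events" alerting threshold on threatInfo.score. The field names, the "CB:" id prefix and the threshold come from this page; the function and variable names are my own.

```python
import json
import re

# Constructed excerpt of the page's THREAT notification sample (one indicator kept).
SAMPLE_EVENT = json.dumps({
    "threatInfo": {
        "indicators": [
            {"applicationName": "rtagent.exe", "indicatorName": "RUN_CMD_SHELL",
             "sha256Hash": "aeaacee8306d6ce88e238f5b6c623fa6e63a4f2c5429096841e9d17c4c4ad4db"}],
        "threatCause": {"threatCategory": "NEW_MALWARE", "detectionGuid": "5676939-ades",
                        "actorProcessPPid": "2847869691"},
        "incidentId": "0xsad012-hqy72", "score": 3,
        "summary": "The application rtservice.exe acted as a network server."},
    "eventDescription": "[CYDERES-CHRONICLE] [Threat score: 3] [Severity: Monitored]\n",
    "url": "website.domain.com", "eventTime": 1646148074285,
    "deviceInfo": {"externalIpAddress": "10.0.0.15", "deviceId": 222258,
                   "deviceName": "Hostname1", "email": "johndoe",
                   "internalIpAddress": "10.0.0.14", "deviceType": "WINDOWS",
                   "deviceVersion": "Server 2012 R2 x64"},
    "type": "THREAT"})

# Rules transcribed from the Product Event Types table (JSON notification types only).
EVENT_CLASS = {"THREAT": "PROCESS_UNCATEGORIZED", "WATCHLIST": "PROCESS_UNCATEGORIZED",
               "CB_ANALYTICS": "PROCESS_UNCATEGORIZED"}
SCORE_ALERT_THRESHOLD = 5  # "all events": alert when threatInfo.score >= 5


def normalize(raw: str) -> dict:
    # Flatten one Carbon Black JSON notification into the UDM fields the page lists.
    ev = json.loads(raw)
    ti, di, cause = ev["threatInfo"], ev["deviceInfo"], ev["threatInfo"]["threatCause"]
    from datetime import datetime, timezone
    ts = datetime.fromtimestamp(ev["eventTime"] // 1000, tz=timezone.utc)
    sev = re.search(r"\[Severity: ([^\]]+)\]", ev.get("eventDescription", ""))
    udm = {
        # eventTime is epoch milliseconds; keep the millisecond part with integer math.
        "metadata.event_timestamp": ts.strftime("%Y-%m-%dT%H:%M:%S") + f".{ev['eventTime'] % 1000:03d}Z",
        "metadata.event_type": EVENT_CLASS.get(ev["type"], "GENERIC_EVENT"),
        "metadata.product_event_type": ev["type"],
        "metadata.description": ti["summary"],
        "principal.hostname": di["deviceName"],
        "principal.user.userid": di["email"],
        "principal.platform": di["deviceType"],
        "principal.ip": di["internalIpAddress"],
        "principal.nat_ip": di["externalIpAddress"],
        "about.asset_id": f"CB:{di['deviceId']}",  # parser prefixes vendor ids with "CB:"
        "target.process.pid": str(cause["actorProcessPPid"]),
        "target.process.product_specific_process_id": f"CB:{cause['detectionGuid']}",
        # One security_result per indicator, each carrying the incident-level fields.
        "security_result": [{
            "about.application": ind["applicationName"],
            "about.file.sha256": ind["sha256Hash"],
            "threat_name": ind["indicatorName"],
            "about.investigation.severity_score": ti["score"],
            "category_details": cause["threatCategory"],
            "summary": ti["summary"],
            "severity_details": sev.group(1) if sev else None,
            "threat_id": ti["incidentId"],
        } for ind in ti["indicators"]],
    }
    udm["alerting"] = ti["score"] >= SCORE_ALERT_THRESHOLD  # table row "all events"
    return udm
```

With the sample's score of 3 the event is classified and normalized but does not meet the alerting threshold, which is what the table predicts.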