Carbon Black Defense Content Pack

The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.

VMware Carbon Black Defense (now Broadcom) is a cloud-native endpoint protection platform providing next-generation antivirus, endpoint detection and response (EDR), and device control. This technology pack processes Carbon Black Defense syslog events, providing normalization, enrichment, and GIM categorization.

Supported Version(s)

  • Carbon Black Cloud with CbDefense Syslog Connector

Requirements

  • Carbon Black Cloud with the CbDefense Syslog Connector configured to forward events.

  • A Syslog input (TCP or UDP) configured in Graylog to receive the CB Defense events.

Stream Configuration

This technology pack includes 1 stream:

  • "Illuminate:Carbon Black Defense Messages"

Hint: If this stream does not exist before the pack is activated, it will be created, and the pack will be configured to route its messages to this stream and the associated index set. No stream rules should be configured for this stream.

Index Set Configuration

This technology pack includes 1 index set definition:

  • "Carbon Black Defense Event Log Messages" with daily rotation and 90-day retention (adjustable after installation)

Hint: If this index set is already defined, nothing will be changed. If it does not exist, it will be created with daily rotation and 90-day retention. These settings can be adjusted as required after installation.

What is Provided

  • Parsing rules to extract Carbon Black Defense syslog events into Graylog schema-compatible fields.

  • GIM code 301002 (hips_detection) for security detections: Active_Threat, Malware_Prevention, Terminated_Process, Policy_Action, Device_Control, Host_Based_Firewall.

  • GIM code 300000 (ids_detection) for network intrusion detections: Intrusion_Detection_System.

  • GIM code 309999 (detection_message) for informational detections: Watchlist_Hit.

  • GIM code 229999 (audit event) for administrative events: Audit_Log.

  • Event action mapping and alert severity normalization.

  • Carbon Black Defense Spotlight dashboard.

GIM Categorization

GIM categorization is provided for the following event types:

Event Type                  gim_event_type_code  gim_event_category  gim_event_subcategory        gim_event_type
Active_Threat               301002               detection           detection.host_detection     hips_detection
Malware_Prevention          301002               detection           detection.host_detection     hips_detection
Terminated_Process          301002               detection           detection.host_detection     hips_detection
Policy_Action               301002               detection           detection.host_detection     hips_detection
Device_Control              301002               detection           detection.host_detection     hips_detection
Host_Based_Firewall         301002               detection           detection.host_detection     hips_detection
Intrusion_Detection_System  300000               detection           detection.network_detection  ids_detection
Watchlist_Hit               309999               detection           detection.default            detection_message
Audit_Log                   229999               audit               audit.default                audit event
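
As an added illustration of what the pack's parsing and GIM categorization do (example code written for this page, not Illuminate's own pipeline rules), the following Python normalizes a syslog line carrying a CEF payload, which is assumed here to be the connector's output format, and attaches the GIM fields from the table above. The sample line, its extension keys and the helper names are constructed for the example.

```python
import re

# GIM categorization table as documented for this content pack (hypothetical helper, not Illuminate's rules).
HIPS = ("Active_Threat", "Malware_Prevention", "Terminated_Process",
        "Policy_Action", "Device_Control", "Host_Based_Firewall")
GIM_MAP = {t: (301002, "detection", "detection.host_detection", "hips_detection") for t in HIPS}
GIM_MAP["Intrusion_Detection_System"] = (300000, "detection", "detection.network_detection", "ids_detection")
GIM_MAP["Watchlist_Hit"] = (309999, "detection", "detection.default", "detection_message")
GIM_MAP["Audit_Log"] = (229999, "audit", "audit.default", "audit event")
GIM_KEYS = ("gim_event_type_code", "gim_event_category", "gim_event_subcategory", "gim_event_type")

def split_cef_header(cef):
    # Split the 7 CEF header fields on unescaped '|'; '\|' and '\\' are escapes. Returns (fields, extension).
    fields, cur, i = [], [], 0
    while i < len(cef):
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef):      # escaped character: keep it literally
            cur.append(cef[i + 1]); i += 2; continue
        if ch == "|":
            fields.append("".join(cur)); cur = []
            if len(fields) == 7:                   # everything after the 7th pipe is the extension
                return fields, cef[i + 1:]
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur))
    return fields, ""

def normalize(line):
    # Turn one syslog line with a CEF payload into a flat dict, adding GIM fields for known event types.
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload in line")
    hdr, ext = split_cef_header(line[start:])
    if len(hdr) != 7:
        raise ValueError("malformed CEF header")
    msg = {"vendor": hdr[1], "product": hdr[2], "event_type": hdr[4],
           "event_name": hdr[5], "cef_severity": int(hdr[6])}
    # Extension is key=value pairs; values may contain spaces, so split only right before the next key.
    for tok in re.split(r"\s+(?=\w+=)", ext.strip()):
        if "=" in tok:
            k, v = tok.split("=", 1)
            msg[k] = v.replace("\\=", "=").replace("\\\\", "\\")
    if msg["event_type"] in GIM_MAP:               # unlisted event types get no GIM fields
        msg.update(zip(GIM_KEYS, GIM_MAP[msg["event_type"]]))
    return msg

# Constructed sample line (not a real connector capture); extension keys are standard CEF names.
SAMPLE = ("<14>Apr 16 10:22:01 cb-connector CEF:0|CarbonBlack|CbDefense_Syslog_Connector|2.0|"
          "Active_Threat|Process blocked \\| policy|9|dvchost=WS-0421 cs1=Known malware family dst=10.0.0.5")
```

Running `normalize(SAMPLE)` yields the parsed header and extension fields plus the four gim_* fields for Active_Threat; a line with an event type outside the table is still parsed but receives no GIM fields.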

Carbon Black Defense Spotlight

The Carbon Black Defense Spotlight offers dashboards for monitoring endpoint security events, detections, and policy actions.