Graylog Illuminate is available for use with Graylog Operations and Graylog Security. Contact sales to learn more about obtaining Graylog Illuminate.
Carbon Black Defense is a next-generation antivirus (NGAV) and endpoint detection and response (EDR) solution that lets security teams monitor and detect threats against their companies' devices in real time, while giving users a suite of tools that protects against most attacks, including malware, ransomware, zero-day and non-malware attacks. This technology pack processes Carbon Black Defense logs, providing normalization and enrichment of common events of interest.
- The current version as of Oct 2021 (CB Defense does not publish version numbers).
This technology pack includes one stream:
- “Illuminate:Carbon Black Defense Messages”
Index Set Configuration
This technology pack includes one index set definition:
- “Carbon Black Defense Event Log Messages”
If this index set is already defined, nothing is changed. If it does not exist, it is created with a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.
Log Format Example
cbdefense1 CEF:0|CarbonBlack|CbDefense_Syslog_Connector|2.0|Active_Threat|A known virus (iWorm) is actively attempting a network connection.|7|rt="Apr 15 2016 13:11:37" sntdom=mycompany dvchost=iworm_test duser=iworm_test dvc= cs3Label="Link" cs3="https://testserver.company.net/ui#investigate/events/device/2004121/incident/UHMZ3" cs4Label="Threat_ID" cs4="UHMZ3" act=Alert
Configure Carbon Black Defense (CB Defense) to transmit Syslog to your Graylog server Syslog input.
What is Provided
- Parsing rules that extract Carbon Black logs into Graylog-schema-compatible fields
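As an added illustration of what those parsing rules have to handle (this is not the technology pack's own pipeline rules), the Python below splits a CB Defense CEF line like the Log Format Example into its seven header fields and its extension key/value pairs, copes with quoted values, empty values such as dvc=, and resolves csNLabel/csN pairs into named fields. The sample line and the output field names are constructed assumptions, not the Illuminate schema mapping.

```python
import re

# Constructed test line; its shape follows the CB Defense syslog example shown on this page.
SAMPLE_LINE = (
    'cbdefense1 CEF:0|CarbonBlack|CbDefense_Syslog_Connector|2.0|Active_Threat|'
    'A known virus (iWorm) is actively attempting a network connection.|7|'
    'rt="Apr 15 2016 13:11:37" sntdom=mycompany dvchost=iworm_test duser=iworm_test dvc= '
    'cs3Label="Link" cs3="https://testserver.company.net/ui#investigate/events/device/2004121/incident/UHMZ3" '
    'cs4Label="Threat_ID" cs4="UHMZ3" act=Alert'
)

# Names for the seven CEF header fields (assumed names, not the Illuminate schema).
HEADER_KEYS = ("cef_version", "device_vendor", "device_product", "device_version",
               "signature_id", "name", "severity")
# key=value where the value is either double-quoted or runs up to the next ' key=' token.
EXT_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(.*?))(?=\s+\w+=|$)')


def parse_cef(line):
    """Parse one syslog-wrapped CEF record into a flat dict. Raises ValueError on a malformed line."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header found")
    # Split on unescaped pipes only; the 8th element is the whole extension string.
    parts = re.split(r"(?<!\\)\|", line[start:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header must have 7 pipe-delimited fields")
    record = {k: v.replace(r"\|", "|") for k, v in zip(HEADER_KEYS, parts[:7])}
    record["cef_version"] = record["cef_version"][len("CEF:"):]  # "CEF:0" -> "0"
    record["severity"] = int(record["severity"])
    ext = {}
    for key, quoted, bare in EXT_RE.findall(parts[7]):
        ext[key] = quoted if quoted else bare
    # Resolve custom-string slots: csNLabel names the meaning of csN
    # (e.g. cs4Label="Threat_ID" cs4="UHMZ3" becomes Threat_ID=UHMZ3).
    for label_key in [k for k in ext if re.fullmatch(r"cs\d+Label", k)]:
        slot = label_key[:-len("Label")]
        if slot in ext:
            ext[ext[label_key]] = ext.pop(slot)
        ext.pop(label_key)
    record.update(ext)
    return record


if __name__ == "__main__":
    for field, value in parse_cef(SAMPLE_LINE).items():
        print(f"{field}: {value}")
```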