Graylog Illuminate is available for use with Graylog Operations and Graylog Security. Contact sales to learn more about obtaining Graylog Illuminate.

Carbon Black Defense is a next-gen antivirus (NGAV) and endpoint detection and response (EDR) solution that allows security teams to monitor and detect threats against their company's devices instantly, while at the same time giving the user a suite of tools that protect against most attacks, including malware, ransomware, zero-day, and non-malware attacks. This technology pack will process Carbon Black Defense logs, providing normalization and enrichment of common events of interest.

Supported Version(s)

  • The current version (Oct 2021); CB Defense does not have version numbers.

Stream Configuration

This technology pack includes one stream:

  • “Illuminate:Carbon Black Defense Messages”

Index Set Configuration

This technology pack includes one index set definition:

  • “Carbon Black Defense Event Log Messages”

If this index set is already defined, then nothing will be changed. If this index set does not exist, then it will be created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.

Log Format Example

cbdefense1 CEF:0|CarbonBlack|CbDefense_Syslog_Connector|2.0|Active_Threat|A known virus (iWorm) is actively attempting a network connection.|7|rt="Apr 15 2016 13:11:37" sntdom=mycompany dvchost=iworm_test duser=iworm_test dvc= cs3Label="Link" cs3="https://testserver.company.net/ui#investigate/events/device/2004121/incident/UHMZ3" cs4Label="Threat_ID" cs4="UHMZ3" act=Alert
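As an added example (not part of the Illuminate pack or its pipeline rules), the following Python function parses the CEF line above into the seven CEF header fields plus the key=value extension. It goes a little beyond the sample: unquoted extension values that contain spaces (allowed by CEF) are read up to the next key, the empty dvc= value is preserved, and csNLabel/csN pairs are resolved into named fields such as Threat_ID. The line is copied from the page; the field names are the standard CEF header names.

```python
import re

# Sample copied from the Log Format Example above (constructed test input).
SAMPLE = ('cbdefense1 CEF:0|CarbonBlack|CbDefense_Syslog_Connector|2.0|Active_Threat|'
          'A known virus (iWorm) is actively attempting a network connection.|7|'
          'rt="Apr 15 2016 13:11:37" sntdom=mycompany dvchost=iworm_test duser=iworm_test dvc= '
          'cs3Label="Link" cs3="https://testserver.company.net/ui#investigate/events/device/2004121/incident/UHMZ3" '
          'cs4Label="Threat_ID" cs4="UHMZ3" act=Alert')

# Standard CEF header order: Version|Vendor|Product|Device Version|Event Class ID|Name|Severity
HEADER_FIELDS = ("cef_version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

# key=value pairs: a double-quoted value (may contain spaces), or an unquoted value
# that runs until the next " key=" token or end of line (so it may be empty, like dvc=).
EXT_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|.*?)(?=\s+\w+=|$)')


def parse_cef(line):
    """Parse one CB Defense CEF syslog line into a dict; return None if it is not CEF."""
    idx = line.find("CEF:")
    if idx < 0:
        return None
    event = {"source_host": line[:idx].strip()}  # syslog prefix, e.g. "cbdefense1"
    # Split the header on unescaped pipes only; everything after the 7th pipe is the extension.
    parts = re.split(r'(?<!\\)\|', line[idx + len("CEF:"):], maxsplit=7)
    if len(parts) != 8:
        return None
    for name, value in zip(HEADER_FIELDS, parts[:7]):
        event[name] = value.replace(r"\|", "|")  # undo CEF pipe escaping in header values
    sev = event["severity"]
    event["severity"] = int(sev) if sev.isdigit() else sev
    ext = {}
    for key, raw in EXT_RE.findall(parts[7]):
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1]
        ext[key] = raw.replace(r"\=", "=").replace(r"\\", "\\")
    # Resolve custom-string labels: cs4Label="Threat_ID" cs4="UHMZ3" -> ext["Threat_ID"] = "UHMZ3"
    for key in list(ext):
        base = key[:-len("Label")]
        if key.endswith("Label") and base in ext:
            ext[ext[key]] = ext[base]
    event["extension"] = ext
    return event
```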

Requirements

What is Provided

  • Parsing rules to extract Carbon Black Defense logs into Graylog schema-compatible fields