Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Carbon Black Protection


The JSA DSM for Carbon Black Protection receives logs from a Carbon Black Protection device.

The following table identifies the specifications for the Carbon Black Protection DSM:

Table 1: Carbon Black Protection DSM Specifications




Carbon Black

DSM name

Carbon Black Protection

RPM filename



Supported versions

8.0.0, 8.1.0



Event format


Recorded event types

Computer Management, Server Management, Session Management, Policy Management, Policy Enforcement, Internal Events, General Management, Discovery

Automatically discovered?


Includes identity?


Includes custom properties?


More information


  1. If automatic updates are not configured, download the most recent version of the following RPMs on your JSA console

    • DSMCommon RPM

    • Carbon Black Protection DSM RPM

  2. Enable the Carbon Black Protection console to communicate with JSA.

  3. If JSA does not automatically detect the log source, add a Carbon Black Protection log source on the JSA Console. The following table describes the parameters that require specific values for Carbon Black Protection event collection:

    Table 2: Carbon Black Protection Log Source Parameters



    Log source type

    Carbon Black Protection

    Log source identifier

    IP address or host name for the log source

    Protocol configuration


  4. Verify that Carbon Black Protection is configured correctly.

    The following table provides a sample event message for the Carbon Black Protection DSM:

    Table 3: Carbon Black Protection Sample Message Supported by the Carbon Black Protection Device

    Event name

    Low level category

    Sample log message

    Console user login

    User login success

    LEEF:1.0| Carbon_Black|Protection|| Console_user_login| cat=Session Management sev=4 devTime=Mar 09 2017 18:32:14.360 UTC msg=User 'admin' logged in from externalId=12345 src= usrName=admin dstHostName=hostname receivedTime=Mar 09 2017 18:32:14.360 UTC

Configuring Carbon Black Protection to Communicate with JSA

Enable the Carbon Black Protection console to communicate with JSA.

  1. Access the Carbon Black Protection console by entering the Carbon Black Protection server URL in your browser.
  2. On the login screen, enter your username and password. You must use a Carbon Black Protection account with Administrator or Power User privileges.
  3. From the top console menu, select System Configuration in the Administration section.
  4. On the System Configuration page, click on the Events tab.
  5. On the External Events Logging section, click Edit. Enter the JSA Event Collector IP address in the Syslog address field and enter 514 for the Syslog port field.
  6. Change the Syslog format to LEEF (Q1Labs).
  7. Check Syslog Enabled for Syslog output.
  8. Click Update to confirm the changes.