
VMware Carbon Black App Control (formerly known as Carbon Black Protection)

The JSA DSM for VMware Carbon Black App Control collects Syslog events from a Carbon Black App Control device.

To integrate Carbon Black App Control with JSA, complete the following steps:

  1. If automatic updates are not enabled, download and install the most recent version of the following RPMs on your JSA Console:

    • DSM Common RPM

    • Carbon Black App Control DSM RPM

  2. Configure your Carbon Black App Control device to send events to JSA. For more information, see Configuring VMware Carbon Black App Control to communicate with JSA.

  3. If JSA does not automatically detect the log source, add a Carbon Black App Control log source on the JSA Console. For more information, see Syslog log source parameters for VMware Carbon Black App Control.

VMware Carbon Black App Control DSM specifications

Understanding the specifications for the Carbon Black App Control DSM before you configure it can help ensure a successful integration. For example, knowing the supported version of Carbon Black App Control before you begin can help reduce frustration during the configuration process.

The following table describes the specifications for the Carbon Black App Control DSM.

Table 1: Carbon Black App Control DSM Specifications

| Specification | Value |
|---|---|
| Manufacturer | VMware |
| DSM name | Carbon Black App Control |
| RPM file name | DSM-CarbonBlackProtection-JSA_version-build_number.noarch.rpm |
| Supported version | 8.0.x to 8.5.x |
| Protocol | Syslog |
| Event format | LEEF |
| Recorded event types | computer management, server management, session management, policy management, policy enforcement, internal events, general management, discovery |
| Automatically discovered? | Yes |
| Includes identity? | Yes |
| Includes custom properties? | No |
| More information | VMware Carbon Black App Control |

Configuring VMware Carbon Black App Control to communicate with JSA

Configure your Carbon Black App Control console to forward events to JSA in LEEF format.

  1. Access the Carbon Black App Control console by entering the Carbon Black App Control server URL in your browser.

  2. Log in to the Carbon Black App Control console. You must have Administrator or Power User privileges.

  3. From the navigation menu, select Administration > System Configuration.

  4. On the System Configuration page, click the Events tab.

  5. In the External Events Logging section, click Edit and then configure the following parameters.

    1. Type the IP address of the JSA Event Collector in the Syslog address field.

    2. Type 514 in the Syslog port field.

  6. From the Syslog format list, select LEEF (Q1Labs).

  7. Select the Syslog Enabled checkbox and then click Update.

Syslog log source parameters for VMware Carbon Black App Control

If JSA does not automatically detect the log source, add a Carbon Black App Control log source on the JSA Console by using the Syslog protocol.

When you use the Syslog protocol, there are specific parameters that you must configure.

The following table describes the parameters that require specific values to collect Syslog events from Carbon Black App Control:

Table 2: Syslog Log Source Parameters for the Carbon Black App Control DSM

| Parameter | Value |
|---|---|
| Log Source type | Carbon Black App Control |
| Protocol Configuration | Syslog |
| Log Source Identifier | Type the IP address or host name for the log source as an identifier for metric events from your Carbon Black App Control appliances. |

VMware Carbon Black App Control Sample Event Messages

Use these sample event messages to verify a successful integration with JSA.

Note:

Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.

Carbon Black App Control sample message when you use the Syslog protocol

Sample 1: The following sample event message shows that a user logged out of a console.

Table 3: Highlighted Fields

| JSA field name | Highlighted field name |
|---|---|
| Event ID | Console_user_logout (Extracted from the LEEF header Event ID field in JSA) |
| Event Category | cat |
| Severity | sev |
| Source IP | src |
| Username | usrName |
| Device Time | devTime |

Sample 2: The following sample event message shows that a server configuration was modified. This sample event is from Carbon Black App Control 8.5x.

Table 4: Highlighted Fields

| JSA field name | Highlighted field name |
|---|---|
| Event ID | Server_config_modified (Extracted from the LEEF header Event ID field in JSA) |
| Event Category | cat |
| Severity | sev |
| Source IP | src |
| Username | usrName |
| Device Time | devTime |
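
To check a captured event against the highlighted fields in Tables 3 and 4, the following added example (not part of the JSA documentation or any VMware code) parses a LEEF 1.0 syslog line, assuming tab-separated attributes, and reports any highlighted field that is missing. The sample message is constructed; its vendor, product, version, host, address and user values are placeholders.

```python
# Added example: map one LEEF 1.0 syslog line to the JSA fields in Tables 3 and 4.
JSA_FIELDS = {  # JSA field name -> LEEF attribute key (from the Highlighted Fields tables)
    "Event Category": "cat",
    "Severity": "sev",
    "Source IP": "src",
    "Username": "usrName",
    "Device Time": "devTime",
}

def parse_leef(line):
    """Return (header dict, attribute dict) for one LEEF 1.0 event."""
    # Per the page's note, strip CR/LF that copy-paste or line wrapping introduced.
    line = line.replace("\r", "").replace("\n", "")
    start = line.find("LEEF:")          # skip any syslog priority/timestamp prefix
    if start < 0:
        raise ValueError("no LEEF header found")
    # LEEF 1.0 header: LEEF:version|vendor|product|product version|event ID|
    parts = line[start:].split("|", 5)
    if len(parts) != 6:
        raise ValueError("truncated LEEF header")
    header = dict(zip(("leef", "vendor", "product", "version", "event_id"), parts[:5]))
    attrs = {}
    for pair in parts[5].split("\t"):   # assumption: tab-separated key=value pairs
        key, sep, value = pair.partition("=")
        if sep:
            attrs[key.strip()] = value.strip()
    return header, attrs

def to_jsa_fields(line):
    """Return (JSA field dict, list of highlighted fields with no value)."""
    header, attrs = parse_leef(line)
    fields = {"Event ID": header["event_id"]}
    fields.update({name: attrs.get(key) for name, key in JSA_FIELDS.items()})
    missing = [name for name, value in fields.items() if not value]
    return fields, missing

# Constructed sample (not a message from the page); every value except the
# event ID is a placeholder. It contains a stray CR/LF, as the note describes.
SAMPLE = ("<14>Jan 01 00:00:00 appcontrol.example.test "
          "LEEF:1.0|ExampleVendor|ExampleProduct|0.0|Console_user_logout|"
          "cat=Session Management\tsev=4\tdevTime=Jan 01 2024 00:00:00\r\n"
          "\tsrc=192.0.2.10\tusrName=admin")

if __name__ == "__main__":
    fields, missing = to_jsa_fields(SAMPLE)
    for name, value in fields.items():
        print(f"{name}: {value}")
    print("missing:", missing or "none")
```

A non-empty `missing` list for an event you captured on the collector points to a truncated or re-wrapped message rather than a DSM parsing problem.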