VMware Carbon Black App Control (formerly known as Carbon Black Protection)
The JSA DSM for VMware Carbon Black App Control collects Syslog events from a Carbon Black App Control device.
To integrate Carbon Black App Control with JSA, complete the following steps:

1. If automatic updates are not enabled, download the most recent version of the following RPMs from the Juniper Downloads:
   - DSM Common RPM
   - Carbon Black App Control DSM RPM
2. Configure your Carbon Black App Control device to send events to JSA. For more information, see Configuring VMware Carbon Black App Control to communicate with JSA.
3. If JSA does not automatically detect the log source, add a Carbon Black App Control log source on the JSA Console. For more information, see Syslog log source parameters for VMware Carbon Black App Control.
VMware Carbon Black App Control DSM specifications
Before you configure the Carbon Black App Control DSM, review its specifications; for example, confirming that your Carbon Black App Control version is supported before you begin avoids wasted effort during configuration.
The following table describes the specifications for the Carbon Black App Control DSM.
| Specification | Value |
|---|---|
| Manufacturer | VMware |
| DSM name | Carbon Black App Control |
| RPM file name | DSM-CarbonBlackProtection-JSA_version-build_number.noarch.rpm |
| Supported version | 8.0.x to 8.5.x |
| Protocol | Syslog |
| Event format | LEEF |
| Recorded event types | Computer management, server management, session management, policy management, policy enforcement, internal events, general management, discovery |
| Automatically discovered? | Yes |
| Includes identity? | Yes |
| Includes custom properties? | No |
| More information | |
Configuring VMware Carbon Black App Control to communicate with JSA
Configure your Carbon Black App Control console to forward events to JSA in LEEF format.

1. Access the Carbon Black App Control console by entering the Carbon Black App Control server URL in your browser.
2. Log in to the Carbon Black App Control console. You must have Administrator or Power User privileges.
3. From the navigation menu, select Administration > System Configuration.
4. On the System Configuration page, click the Events tab.
5. In the External Events Logging section, click Edit and then configure the following parameters:
   - Type the IP address of the JSA Event Collector in the Syslog address field.
   - Type 514 in the Syslog port field.
   - From the Syslog format list, select LEEF (Q1Labs).
6. Select the Syslog Enabled checkbox and then click Update.
Syslog log source parameters for VMware Carbon Black App Control
If JSA does not automatically detect the log source, add a Carbon Black App Control log source on the JSA Console by using the Syslog protocol.

When you use the Syslog protocol, there are specific parameters that you must configure. The following table describes the parameters that require specific values to collect Syslog events from Carbon Black App Control:

| Parameter | Value |
|---|---|
| Log Source type | Carbon Black App Control |
| Protocol Configuration | Syslog |
| Log Source Identifier | Type the IP address or host name for the log source as an identifier for events from your Carbon Black App Control appliances. |
VMware Carbon Black App Control Sample Event Messages
Use these sample event messages to verify a successful integration with JSA.
Because the sample messages wrap on this page, paste each message into a text editor and remove any carriage return or line feed characters before you use it.
Carbon Black App Control sample message when you use the Syslog protocol
Sample 1: The following sample event message shows that a user logged out of a console.

```
LEEF:1.0|Carbon_Black|Protection|8.0.0.2141|Console_user_logout|cat=Session Management sev=4 devTime=Mar 09 2017 18:32:11.110 UTC msg=User 'admin' logged out. externalId=22272 src=192.168.0.23 usrName=admin dstHostName=tesla receivedTime=Mar 09 2017 18:32:11.110 UTC
```

| JSA field name | LEEF field name |
|---|---|
| Event ID | Console_user_logout (extracted from the LEEF header Event ID field in JSA) |
| Event Category | cat |
| Severity | sev |
| Source IP | src |
| Username | usrName |
| Device Time | devTime |
Sample 2: The following sample event message shows that a server configuration was modified. This sample event is from Carbon Black App Control 8.5.x and arrives wrapped in a syslog header.

```
Sep 3 15:42:17 carbonblack.appcontrol.test 1 2020-09-03T15:42:17.378058-04:00 AJW2019-1 Carbon Black App Control 7972 15 - LEEF:1.0|VMware_Carbon_Black|App_Control|8.5.0.37|Server_config_modified|cat=Server Management sev=5 devTime=Sep 03 2020 19:42:11.033 UTC msg=Configuration property 'syslogFormat' was changed from 'cef' to 'leef' by 'admin'. externalId=52 src=10.1.17.139 usrName=admin dstHostName=tst2019-1.test.domain.test receivedTime=Sep 03 2020 19:42:11.033 UTC
```

| JSA field name | LEEF field name |
|---|---|
| Event ID | Server_config_modified (extracted from the LEEF header Event ID field in JSA) |
| Event Category | cat |
| Severity | sev |
| Source IP | src |
| Username | usrName |
| Device Time | devTime |
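To check an integration without a JSA Console, the following added Python example (not code from this page, Juniper or VMware) parses both sample messages above, locating the LEEF header even when it is wrapped in the RFC 5424 syslog header of Sample 2, and projects each event onto the JSA field names from the two mapping tables. The sample strings are constructed copies of the page's samples, and the function and variable names are assumptions.

```python
import re

# Constructed copies of the two sample events shown above (highlight spacing removed).
SAMPLE_1 = ("LEEF:1.0|Carbon_Black|Protection|8.0.0.2141|Console_user_logout|"
            "cat=Session Management sev=4 devTime=Mar 09 2017 18:32:11.110 UTC "
            "msg=User 'admin' logged out. externalId=22272 src=192.168.0.23 "
            "usrName=admin dstHostName=tesla receivedTime=Mar 09 2017 18:32:11.110 UTC")
SAMPLE_2 = ("Sep 3 15:42:17 carbonblack.appcontrol.test 1 2020-09-03T15:42:17.378058-04:00 "
            "AJW2019-1 Carbon Black App Control 7972 15 - "
            "LEEF:1.0|VMware_Carbon_Black|App_Control|8.5.0.37|Server_config_modified|"
            "cat=Server Management sev=5 devTime=Sep 03 2020 19:42:11.033 UTC "
            "msg=Configuration property 'syslogFormat' was changed from 'cef' to 'leef' "
            "by 'admin'. externalId=52 src=10.1.17.139 usrName=admin "
            "dstHostName=tst2019-1.test.domain.test receivedTime=Sep 03 2020 19:42:11.033 UTC")
# JSA field name -> LEEF attribute key, as listed in the mapping tables on this page.
FIELD_MAP = {"Event Category": "cat", "Severity": "sev", "Source IP": "src",
             "Username": "usrName", "Device Time": "devTime"}
# App Control separates attributes with a space, but values (msg, devTime) also contain
# spaces, so each value runs from its "=" up to the start of the next "key=" token.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z][A-Za-z0-9_]*)=")

def parse_leef(line):
    """Split a LEEF 1.0 event into header fields and an attribute dict, or None if absent."""
    # Sample 2 wraps the event in an RFC 5424 syslog header, so locate "LEEF:" anywhere.
    start = line.find("LEEF:")
    if start < 0:
        return None
    parts = line[start:].split("|", 5)  # version|vendor|product|prodver|eventId|attrs
    if len(parts) < 6:
        return None
    version, vendor, product, prod_version, event_id, attrs = parts
    matches = list(_KEY_RE.finditer(attrs))
    fields = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(attrs)
        fields[m.group(1)] = attrs[m.end():end].strip()
    return {"version": version, "vendor": vendor, "product": product,
            "product_version": prod_version, "event_id": event_id.strip(), "attrs": fields}

def jsa_fields(line):
    """Project a raw event onto the JSA field names used in the tables above."""
    event = parse_leef(line)
    if event is None:
        return None
    mapped = {"Event ID": event["event_id"]}
    for jsa_name, key in FIELD_MAP.items():
        mapped[jsa_name] = event["attrs"].get(key)  # None if the device omitted the key
    return mapped
```

A value of None for any mapped field on a live event means the device did not emit that LEEF key, which is the first thing to check when a JSA field shows up empty.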