Carbon Black
Several Carbon Black DSMs can be integrated with JSA. The JSA DSM for Carbon Black collects endpoint protection events from a Carbon Black server.
The following table describes the specifications for the Carbon Black DSM:
Specification | Value
---|---
Manufacturer | Carbon Black
DSM name | Carbon Black
RPM file name | DSM-CarbonBlackCarbonBlack-JSA_version-build_number.noarch.rpm
Supported versions | 5.1 and later
Protocol | Syslog
Recorded event types | Watchlist hits
Automatically discovered? | Yes
Includes identity? | No
Includes custom properties? | No
More information | Carbon Black website (https://www.carbonblack.com/products/cb-response/)
To integrate Carbon Black with JSA, complete the following steps:
- If automatic updates are not enabled, download and install the most recent version of the following RPMs from the Juniper Downloads onto your JSA console:
  - Carbon Black DSM RPM
  - DSMCommon RPM
- Configure your Carbon Black device to send syslog events to JSA.
- If JSA does not automatically detect the log source, add a Carbon Black log source on the JSA console. The following table describes the parameters that require specific values for Carbon Black event collection:

Table 2: Carbon Black Log Source Parameters

Parameter | Value
---|---
Log Source type | Carbon Black
Protocol Configuration | Syslog
Configuring Carbon Black to Communicate with JSA
To collect events from Carbon Black, you must install and configure cb-event-forwarder to send Carbon Black events to JSA.
Install the Carbon Black Enterprise RPM and ensure that it is running. You can install the cb-event-forwarder on any 64-bit Linux computer that is running CentOS 6.x. It can be installed on the same computer as the Carbon Black server, or on another computer. If you are forwarding many events, for example, all file modifications, registry modifications, or both, to JSA, install cb-event-forwarder on a separate server. If you are not forwarding many events to JSA, you can install the cb-event-forwarder on the Carbon Black server.
If you are installing the cb-event-forwarder on a computer other than the Carbon Black server, you must configure the Carbon Black server:
- Ensure that TCP port 5004 is open through the iptables firewall on the Carbon Black server. The event-forwarder connects to TCP port 5004 on the Carbon Black server to connect to the Cb message bus.
- Get the RabbitMQ user name and password from the /etc/cb/cb.conf file on the Carbon Black server. Search for the RabbitMQUser and RabbitMQPassword variables and note their values.
You can find the following instructions, source code, and quick start guide on the GitHub website (https://github.com/carbonblack/cb-event-forwarder/).
- If it is not already installed, install the CbOpenSource repository:

      cd /etc/yum.repos.d
      curl -O https://opensource.carbonblack.com/release/x86_64/CbOpenSource.repo

- Install the RPM for cb-event-forwarder:

      yum install cb-event-forwarder

- Modify the /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf file to include udpout=<JSA_IP_address>:514, and then specify LEEF as the output format: output_format=leef.
- If you are installing on a computer other than the Carbon Black server, copy the RabbitMQ user name and password into the rabbit_mq_username and rabbit_mq_password variables in the /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf file. In the cb_server_hostname variable, enter the host name or IP address of the Carbon Black server.
- Ensure that the configuration is valid by running the cb-event-forwarder in check mode:

      /usr/share/cb/integrations/event-forwarder/cb-event-forwarder -check

  If the configuration is valid, the message "Initialized output" is displayed. If there are errors, they are printed to your screen.
- Choose the type of event that you want to capture. By default, Carbon Black publishes all feed and watchlist events over the bus. If you want to capture raw sensor events or all binaryinfo notifications, you must enable those features in the /etc/cb/cb.conf file.
  - To capture raw sensor events, edit the DatastoreBroadcastEventTypes option in the /etc/cb/cb.conf file to enable broadcast of the raw sensor events that you want to export.
  - To capture binary observed events, edit the EnableSolrBinaryInfoNotifications option in the /etc/cb/cb.conf file and set it to True.
- If any variables were changed in /etc/cb/cb.conf, restart the Carbon Black server:

      service cb-enterprise restart

- Start the cb-event-forwarder service by using the initctl command:

      initctl start cb-event-forwarder

  Note: You can stop the cb-event-forwarder service by using the initctl command:

      initctl stop cb-event-forwarder
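The forwarder settings above differ depending on whether cb-event-forwarder runs on the Carbon Black server or on a separate host. The following Python script is an added example (not part of the Juniper or Carbon Black documentation) that builds the key/value pairs this page names (udpout, output_format, rabbit_mq_username, rabbit_mq_password, cb_server_hostname) and rewrites them into an existing configuration file in place, refusing a remote-host configuration that lacks the RabbitMQ credentials. The sample configuration text, the JSA address 192.0.2.10 and the host name cb.example.test are constructed for the example; only the configuration keys come from the page.

```python
"""Build and apply the cb-event-forwarder.conf settings JSA needs.

Added example, not part of the Carbon Black or Juniper documentation.
Only the configuration keys named on the page are used; the sample
configuration text below is constructed for illustration.
"""
from typing import Dict, Optional

# Constructed sample of a default configuration file (assumption: a real
# file may carry more keys, which this script leaves untouched).
SAMPLE_CONF = """# cb-event-forwarder configuration (constructed sample)
output_format=json
rabbit_mq_username=
rabbit_mq_password=
cb_server_hostname=localhost
"""


def jsa_settings(jsa_ip: str, cb_server: Optional[str] = None,
                 rabbit_user: Optional[str] = None,
                 rabbit_password: Optional[str] = None) -> Dict[str, str]:
    """Return the key/value pairs the JSA integration requires.

    When the forwarder runs on a host other than the Carbon Black server,
    the RabbitMQ credentials (taken from /etc/cb/cb.conf on the server)
    and the server host name are mandatory, so a remote install without
    them is rejected instead of producing a forwarder that cannot reach
    the message bus.
    """
    settings = {"udpout": f"{jsa_ip}:514", "output_format": "leef"}
    if cb_server is not None:
        if not (rabbit_user and rabbit_password):
            raise ValueError("remote install needs the RabbitMQ user and password")
        settings.update({
            "cb_server_hostname": cb_server,
            "rabbit_mq_username": rabbit_user,
            "rabbit_mq_password": rabbit_password,
        })
    return settings


def apply_settings(conf_text: str, settings: Dict[str, str]) -> str:
    """Rewrite key=value lines in conf_text, appending keys not yet present.

    Comment and blank lines are preserved. Keys are matched on the text
    before the first '=' so a value containing '=' is never mistaken for
    a key, and each key is written exactly once.
    """
    remaining = dict(settings)
    out = []
    for line in conf_text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#") and "=" in stripped:
            key = stripped.split("=", 1)[0].strip()
            if key in remaining:
                out.append(f"{key}={remaining.pop(key)}")
                continue
        out.append(line)
    for key, value in remaining.items():
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def parse_conf(conf_text: str) -> Dict[str, str]:
    """Parse key=value lines back into a dict, used to verify the result."""
    result = {}
    for line in conf_text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#") and "=" in stripped:
            key, value = stripped.split("=", 1)
            result[key.strip()] = value.strip()
    return result


if __name__ == "__main__":
    # Remote-host case: credentials and server host name are all required.
    remote = jsa_settings("192.0.2.10", cb_server="cb.example.test",
                          rabbit_user="cb", rabbit_password="secret")
    print(apply_settings(SAMPLE_CONF, remote))
```

Run the script against the real file by reading /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf into apply_settings and writing the result back, then confirm with the -check mode described above before starting the service.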
Carbon Black Sample Event Messages
Use these sample event messages to verify a successful integration with JSA.
Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.
Carbon Black Sample Message when you use the Syslog Protocol
Sample 1: The following sample event message shows a watchlist query that is matching a process.
LEEF:1.0|CB|CB|5.1|alert.watchlist.hit.query.process|alert_severity=50.625 alert_type=watchlist.hit.query.process alliance_score_srstrust=-100 cb_server=None childproc_count=1 comms_ip=192.168.230.5 computer_name=W7-LOW created_time=2015-10-29T04:33:06.713157Z crossproc_count=0 feed_id=-1 feed_name=My Watchlists feed_rating=3.0 filemod_count=0 group=Default Group hostname=W7-LOW interface_ip=192.168.230.5 ioc_attr={"highlights": ["PREPREPREacrord32.exePOSTPOSTPOST"]} ioc_confidence=0.5 ioc_type=query md5=AD7B9C14083B52BC532FBA5948342B98 modload_count=14 netconn_count=0 os_type=windows process_guid=00000016-0000-0804-01d1-17153be2e8cd process_name=cmd.exe process_path=c:\windows\system32\cmd.exe regmod_count=0 report_score=75 segment_id=1 sensor_criticality=3.0 sensor_id=22 status=Unresolved timestamp=1446093201.95 type=alert.watchlist.hit.query.process unique_id=3ee47556-3e8e-4232-b975-30ba7fbf0037 username=BIT9SEAD\user10 watchlist_id=11 watchlist_name=Unusual Parents
JSA field name | Highlighted field names or values in the event payload
---|---
Event ID | alert.watchlist.hit.query.process
Event Category | For this DSM, the value in JSA is always CarbonBlack
Source IP | interface_ip
Username | username
Device time | created_time