VMware Carbon Black EDR Integration
editVMware Carbon Black EDR Integration
editVersion |
1.19.0 (View all) |
Compatible Kibana version(s) |
8.13.0 or higher |
Supported Serverless project types |
Security |
Subscription level |
Basic |
Level of support |
Elastic |
The VMware Carbon Black EDR integration collects EDR Server and raw Endpoint events exported by Carbon Black EDR Event Forwarder. The following output methods are supported: http, tcp, udp and file.
Compatibility
editThis integration has been tested with the 3.7.4 version of EDR Event Forwarder.
Configuration
editThe following configuration is necessary in cb-event-forwarder.conf:
-
output_format=json(default)
For http output:
-
output_type=http -
http_post_template=[{{range .Events}}{{.EventText}}{{end}}] -
content_type=application/json(default)
For tcp output:
-
output_type=tcp -
tcpout=<Address of Elastic Agent>:<port>
For udp output:
-
output_type=tcp -
tcpout=<Address of Elastic Agent>:<port>
For file output:
-
output_type=file -
outfile=<path to a file readable by Elastic Agent>
Example
An example event for log looks as following:
{
"@timestamp": "2014-04-11T19:21:33.682Z",
"agent": {
"ephemeral_id": "7bb86a18-d262-4348-b206-131e38d2d1c8",
"id": "9cb9fa70-f3e9-45d8-b1cb-61425bd93e1a",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.0.0-beta1"
},
"carbonblack": {
"edr": {
"event_timestamp": 1397244093.682,
"feed_id": 7,
"feed_name": "dxmtest1",
"ioc_attr": {},
"md5": "506708142BC63DABA64F2D3AD1DCD5BF",
"report_id": "dxmtest1_04",
"sensor_id": 3321
}
},
"data_stream": {
"dataset": "carbonblack_edr.log",
"namespace": "ep",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "9cb9fa70-f3e9-45d8-b1cb-61425bd93e1a",
"snapshot": false,
"version": "8.0.0-beta1"
},
"event": {
"action": "unknown",
"agent_id_status": "verified",
"dataset": "carbonblack_edr.log",
"ingested": "2022-01-25T07:45:03Z",
"kind": "event",
"original": "{\"md5\":\"506708142BC63DABA64F2D3AD1DCD5BF\",\"report_id\":\"dxmtest1_04\",\"ioc_type\":\"md5\",\"ioc_value\":\"506708142bc63daba64f2d3ad1dcd5bf\",\"ioc_attr\":{},\"feed_id\":7,\"hostname\":\"FS-SEA-529\",\"sensor_id\":3321,\"cb_version\":\"4.2.1.140808.1059\",\"server_name\":\"localhost.localdomain\",\"feed_name\":\"dxmtest1\",\"event_timestamp\":1397244093.682}\n"
},
"host": {
"name": "FS-SEA-529"
},
"input": {
"type": "udp"
},
"log": {
"source": {
"address": "172.19.0.4:46263"
}
},
"observer": {
"name": "localhost.localdomain",
"product": "Carbon Black EDR",
"type": "edr",
"vendor": "VMWare",
"version": "4.2.1.140808.1059"
},
"tags": [
"carbonblack_edr-log",
"forwarded",
"preserve_original_event"
],
"threat": {
"indicator": {
"file": {
"hash": {
"md5": "506708142bc63daba64f2d3ad1dcd5bf"
}
},
"type": "file"
}
}
}
Exported fields
| Field | Description | Type |
|---|---|---|
@timestamp |
Event timestamp. |
date |
carbonblack.edr.action |
keyword |
|
carbonblack.edr.actiontype |
keyword |
|
carbonblack.edr.alert_severity |
double |
|
carbonblack.edr.alert_type |
keyword |
|
carbonblack.edr.blocked |
boolean |
|
carbonblack.edr.blocked_event |
keyword |
|
carbonblack.edr.blocked_reason |
keyword |
|
carbonblack.edr.blocked_result |
keyword |
|
carbonblack.edr.cb_server |
keyword |
|
carbonblack.edr.cb_version |
keyword |
|
carbonblack.edr.child_command_line |
keyword |
|
carbonblack.edr.child_pid |
long |
|
carbonblack.edr.child_process_guid |
keyword |
|
carbonblack.edr.child_suppressed |
boolean |
|
carbonblack.edr.child_username |
keyword |
|
carbonblack.edr.childproc_count |
long |
|
carbonblack.edr.childproc_type |
keyword |
|
carbonblack.edr.command_line |
keyword |
|
carbonblack.edr.comms_ip |
keyword |
|
carbonblack.edr.compressed_size |
long |
|
carbonblack.edr.computer_name |
keyword |
|
carbonblack.edr.created |
boolean |
|
carbonblack.edr.created_time |
keyword |
|
carbonblack.edr.cross_process_type |
keyword |
|
carbonblack.edr.crossproc_count |
long |
|
carbonblack.edr.digsig.issuer_name |
keyword |
|
carbonblack.edr.digsig.program_name |
keyword |
|
carbonblack.edr.digsig.publisher |
keyword |
|
carbonblack.edr.digsig.result |
keyword |
|
carbonblack.edr.digsig.result_code |
keyword |
|
carbonblack.edr.digsig.sign_time |
keyword |
|
carbonblack.edr.digsig.subject_name |
keyword |
|
carbonblack.edr.direction |
keyword |
|
carbonblack.edr.doc |
flattened |
|
carbonblack.edr.domain |
keyword |
|
carbonblack.edr.emet_timestamp |
long |
|
carbonblack.edr.event_timestamp |
double |
|
carbonblack.edr.event_type |
keyword |
|
carbonblack.edr.expect_followon_w_md5 |
boolean |
|
carbonblack.edr.feed_id |
keyword |
|
carbonblack.edr.feed_name |
keyword |
|
carbonblack.edr.feed_rating |
double |
|
carbonblack.edr.file_md5 |
keyword |
|
carbonblack.edr.file_path |
keyword |
|
carbonblack.edr.file_sha256 |
keyword |
|
carbonblack.edr.filemod_count |
long |
|
carbonblack.edr.filetype |
keyword |
|
carbonblack.edr.filetype_name |
keyword |
|
carbonblack.edr.filtering_known_dlls |
boolean |
|
carbonblack.edr.group |
keyword |
|
carbonblack.edr.host |
keyword |
|
carbonblack.edr.hostname |
keyword |
|
carbonblack.edr.icon |
keyword |
|
carbonblack.edr.image_file_header |
keyword |
|
carbonblack.edr.interface_ip |
keyword |
|
carbonblack.edr.ioc_attr |
flattened |
|
carbonblack.edr.ioc_confidence |
double |
|
carbonblack.edr.ioc_type |
keyword |
|
carbonblack.edr.ioc_value |
keyword |
|
carbonblack.edr.ipv4 |
keyword |
|
carbonblack.edr.is_target |
boolean |
|
carbonblack.edr.ja3 |
keyword |
|
carbonblack.edr.ja3s |
keyword |
|
carbonblack.edr.link_child |
keyword |
|
carbonblack.edr.link_md5 |
keyword |
|
carbonblack.edr.link_parent |
keyword |
|
carbonblack.edr.link_process |
keyword |
|
carbonblack.edr.link_sensor |
keyword |
|
carbonblack.edr.link_target |
keyword |
|
carbonblack.edr.local_ip |
keyword |
|
carbonblack.edr.local_port |
long |
|
carbonblack.edr.log_id |
keyword |
|
carbonblack.edr.log_message |
keyword |
|
carbonblack.edr.md5 |
keyword |
|
carbonblack.edr.mitigation |
keyword |
|
carbonblack.edr.modload_count |
long |
|
carbonblack.edr.netconn_count |
long |
|
carbonblack.edr.os_type |
keyword |
|
carbonblack.edr.parent_create_time |
long |
|
carbonblack.edr.parent_guid |
keyword |
|
carbonblack.edr.parent_md5 |
keyword |
|
carbonblack.edr.parent_path |
keyword |
|
carbonblack.edr.parent_pid |
long |
|
carbonblack.edr.parent_process_guid |
keyword |
|
carbonblack.edr.parent_sha256 |
keyword |
|
carbonblack.edr.path |
keyword |
|
carbonblack.edr.pid |
long |
|
carbonblack.edr.port |
long |
|
carbonblack.edr.process_guid |
keyword |
|
carbonblack.edr.process_id |
keyword |
|
carbonblack.edr.process_name |
keyword |
|
carbonblack.edr.process_path |
keyword |
|
carbonblack.edr.process_unique_id |
keyword |
|
carbonblack.edr.protocol |
keyword |
|
carbonblack.edr.proxy |
boolean |
|
carbonblack.edr.regmod_count |
long |
|
carbonblack.edr.remote_ip |
keyword |
|
carbonblack.edr.remote_port |
long |
|
carbonblack.edr.report_id |
keyword |
|
carbonblack.edr.report_score |
long |
|
carbonblack.edr.requested_access |
long |
|
carbonblack.edr.scores.alliance_score_srstrust |
long |
|
carbonblack.edr.scores.alliance_score_virustotal |
long |
|
carbonblack.edr.script |
keyword |
|
carbonblack.edr.script_sha256 |
keyword |
|
carbonblack.edr.segment_id |
keyword |
|
carbonblack.edr.sensor_criticality |
double |
|
carbonblack.edr.sensor_id |
keyword |
|
carbonblack.edr.server_name |
keyword |
|
carbonblack.edr.sha256 |
keyword |
|
carbonblack.edr.size |
long |
|
carbonblack.edr.status |
keyword |
|
carbonblack.edr.tamper |
boolean |
|
carbonblack.edr.tamper_sent |
boolean |
|
carbonblack.edr.tamper_type |
keyword |
|
carbonblack.edr.target_create_time |
long |
|
carbonblack.edr.target_md5 |
keyword |
|
carbonblack.edr.target_path |
keyword |
|
carbonblack.edr.target_pid |
long |
|
carbonblack.edr.target_process_guid |
keyword |
|
carbonblack.edr.target_sha256 |
keyword |
|
carbonblack.edr.timestamp |
double |
|
carbonblack.edr.type |
keyword |
|
carbonblack.edr.uid |
keyword |
|
carbonblack.edr.unique_id |
keyword |
|
carbonblack.edr.username |
keyword |
|
carbonblack.edr.utf8_comments |
keyword |
|
carbonblack.edr.utf8_company_name |
keyword |
|
carbonblack.edr.utf8_copied_module_length |
long |
|
carbonblack.edr.utf8_file_description |
keyword |
|
carbonblack.edr.utf8_file_version |
keyword |
|
carbonblack.edr.utf8_internal_name |
keyword |
|
carbonblack.edr.utf8_legal_copyright |
keyword |
|
carbonblack.edr.utf8_legal_trademark |
keyword |
|
carbonblack.edr.utf8_on_disk_filename |
keyword |
|
carbonblack.edr.utf8_original_file_name |
keyword |
|
carbonblack.edr.utf8_private_build |
keyword |
|
carbonblack.edr.utf8_product_description |
keyword |
|
carbonblack.edr.utf8_product_name |
keyword |
|
carbonblack.edr.utf8_product_version |
keyword |
|
carbonblack.edr.utf8_special_build |
keyword |
|
carbonblack.edr.watchlist_id |
keyword |
|
carbonblack.edr.watchlist_name |
keyword |
|
carbonblack.edr.watchlists.watchlist_1 |
keyword |
|
carbonblack.edr.watchlists.watchlist_7 |
keyword |
|
carbonblack.edr.watchlists.watchlist_9 |
keyword |
|
data_stream.dataset |
Data stream dataset name. |
constant_keyword |
data_stream.namespace |
Data stream namespace. |
constant_keyword |
data_stream.type |
Data stream type. |
constant_keyword |
event.dataset |
Event dataset |
constant_keyword |
event.module |
Event module |
constant_keyword |
host.containerized |
If the host is a container. |
boolean |
host.os.build |
OS build information. |
keyword |
host.os.codename |
OS codename, if any. |
keyword |
input.type |
Type of Filebeat input. |
keyword |
log.flags |
Flags for the log file. |
keyword |
log.offset |
Offset of the entry in the log file. |
long |
log.source.address |
Source address from which the log event was read / sent from. |
keyword |
Changelog
editChangelog
| Version | Details | Kibana version(s) |
|---|---|---|
1.19.0 |
Enhancement (View pull request) |
8.13.0 or higher |
1.18.1 |
Bug fix (View pull request) |
8.13.0 or higher |
1.18.0 |
Enhancement (View pull request) |
8.13.0 or higher |
1.17.0 |
Enhancement (View pull request) |
7.14.0 or higher |
1.16.2 |
Enhancement (View pull request) |
7.14.0 or higher |
1.16.1 |
Bug fix (View pull request) |
7.14.0 or higher |
1.16.0 |
Enhancement (View pull request) |
7.14.0 or higher |
1.15.0 |
Enhancement (View pull request) |
7.14.0 or higher |
1.14.1 |
Bug fix (View pull request) |
7.14.0 or higher |
1.14.0 |
Enhancement (View pull request) |
7.14.0 or higher |
1.13.0 |
Enhancement (View pull request) |
7.14.0 or higher |
1.12.0 |
Enhancement (View pull request) |
7.14.0 or higher |
1.11.0 |
Enhancement (View pull request) |
7.14.0 or higher |
1.10.0 |
Enhancement (View pull request) |
7.14.0 or higher |
1.9.0 |
Enhancement (View pull request) |
7.14.0 or higher |
1.8.0 |
Enhancement (View pull request) |
7.14.0 or higher |
1.7.1 |
Enhancement (View pull request) |
7.14.0 or higher |
1.7.0 |
Enhancement (View pull request) |
7.14.0 or higher |
1.6.0 |
Enhancement (View pull request) |
7.14.0 or higher |
1.5.1 |
Enhancement (View pull request) |
7.14.0 or higher |
1.5.0 |
Enhancement (View pull request) |
7.14.0 or higher |
1.4.0 |
Enhancement (View pull request) |
7.14.0 or higher |
1.3.0 |
Enhancement (View pull request) |
7.14.0 or higher |
1.2.0 |
Enhancement (View pull request) |
7.14.0 or higher |
1.1.1 |
Enhancement (View pull request) |
7.14.0 or higher |
1.1.0 |
Enhancement (View pull request) |
7.14.0 or higher |
1.0.0 |
Enhancement (View pull request) |
7.14.0 or higher |
0.3.1 |
Bug fix (View pull request) |
— |
0.3.0 |
Enhancement (View pull request) |
— |
0.2.2 |
Enhancement (View pull request) |
— |
0.2.1 |
Bug fix (View pull request) |
— |
0.2.0 |
Enhancement (View pull request) |
— |
0.1.0 |
Enhancement (View pull request) |
— |