The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.
How to onboard Carbon Black Data Streaming logs to Panther
To configure Carbon Black log streaming for ingestion in Panther, you will first set up Data Forwarders in Carbon Black, then create a Carbon Black Data Streaming source in Panther.
It's recommended to configure each Data Forwarder to send logs to a different folder in your S3 bucket. This will ensure all data is parsed correctly in Panther.
When creating the Alert Data Forwarder, for Schema, select 2.0.0.
After completing this process, your Data Forwarders will look similar to the following:
Step 2: Create a new Carbon Black Data Streaming source in Panther
In the left-hand navigation bar of the Panther Console, click Configure > Log Sources.
Click Create New.
Search for "Carbon Black," then click the Carbon Black Data Streaming tile.
In the slide-out panel, the Transport Mechanism dropdown in the upper-right corner will be pre-populated with the AWS S3 Bucket option.
On the Basic Info page, click Configure Prefixes & Schemas (Optional).
For each Data Forwarder you created in Step 1 of this process, create an S3 Prefix and schema pair. If you are using all three log types, this will look like:
```yaml
schema: CarbonBlack.Audit
description: Audit logs from CarbonBlack
referenceURL: https://developer.carbonblack.com/reference/carbon-black-cloud/cb-defense/latest/rest-api/
fields:
  - name: verbose
    description: Whether the event is verbose or not
    type: boolean
  - name: eventId
    description: The ID of the event
    required: true
    type: string
  - name: eventTime
    description: The time the event occurred
    type: timestamp
    timeFormats:
      - unix_ms
    isEventTime: true
  - name: description
    description: A description of the event
    type: string
  - name: orgName
    description: The name of the organization
    type: string
  - name: clientIp
    description: The IP address of the client
    type: string
    indicators:
      - ip
  - name: requestUrl
    description: The URL of the request
    type: string
    indicators:
      - hostname
  - name: loginName
    description: The name of the user who logged in
    type: string
    indicators:
      - username
  - name: flagged
    description: Whether the event is flagged or not
    type: boolean
```
```yaml
schema: CarbonBlack.AlertV2
description: Alert logs generated by the Carbon Black Cloud
referenceURL: https://developer.carbonblack.com/reference/carbon-black-cloud/data-forwarder/schema/latest/alert-2.0.0/
fields:
  - name: additional_events_present
    description: Indicator to let API and forwarder users know that they should look up other associated events related to this alert
    type: boolean
  - name: alert_notes_present
    description: True if notes are present on the alert ID. False if notes are not present.
    type: boolean
  - name: alert_url
    description: Link to the alerts page for this alert. Does not vary by alert type
    type: string
    required: true
    indicators:
      - url
  - name: backend_timestamp
    description: Timestamp when the Carbon Black Cloud processed and enabled the alert for searching. Corresponds to the Created column on the Alerts page.
    type: timestamp
    timeFormat: rfc3339
  - name: backend_update_timestamp
    description: Timestamp when the Carbon Black Cloud initiated and processed an update to an alert. Corresponds to the Updated column on the Alerts page.
    type: timestamp
    timeFormat: rfc3339
  - name: blocked_effective_reputation
    description: Effective reputation of the blocked file or process; applied by the sensor at the time the block occurred
    type: string
  - name: blocked_md5
    description: MD5 hash of the child process binary; for any process terminated by the sensor
    type: string
    indicators:
      - md5
  - name: blocked_name
    description: Tokenized file path of the files blocked by sensor action
    type: string
  - name: blocked_sha256
    description: SHA-256 hash of the child process binary; for any process terminated by the sensor
    type: string
    indicators:
      - sha256
  - name: childproc_cmdline
    description: Command line for the child process
    type: string
  - name: childproc_effective_reputation
    description: Effective reputation of the child process; applied by the sensor at the time the event occurred
    type: string
  - name: childproc_guid
    description: Unique process identifier assigned to the child process
    type: string
  - name: childproc_md5
    description: Hash of the child process' binary (Enterprise EDR)
    type: string
    indicators:
      - md5
  - name: childproc_name
    description: Filesystem path of the child process' binary
    type: string
  - name: childproc_sha256
    description: Hash of the child process' binary (Endpoint Standard)
    type: string
    indicators:
      - sha256
  - name: childproc_username
    description: User context in which the child process was executed
    type: string
    indicators:
      - username
  - name: detection_timestamp
    description: Timestamp when the alert was first detected. For sensor-sent alerts, this is the time of the event on the sensor. For alerts generated on the backend, this is the time the backend system triggered the alert.
    type: timestamp
    timeFormat: rfc3339
    required: true
    isEventTime: true
  - name: determination
    description: User-updatable determination of the alert
    type: object
    fields:
      - name: change_timestamp
        description: Timestamp when the determination was updated
        type: timestamp
        timeFormat: rfc3339
      - name: changed_by
        description: User the determination was changed by
        type: string
        indicators:
          - username
      - name: changed_by_type
        description: Type of user who changed the determination
        type: string
      - name: value
        description: Determination value of the alert set by a user
        type: string
  - name: device_external_ip
    description: IP address of the endpoint according to the Carbon Black Cloud; can differ from device_internal_ip due to network proxy or NAT; either IPv4 (dotted decimal notation) or IPv6 (proprietary format)
    type: string
    indicators:
      - ip
  - name: device_id
    description: ID of devices
    type: string
  - name: device_internal_ip
    description: IP address of the endpoint reported by the sensor; either IPv4 (dotted decimal notation) or IPv6 (proprietary format)
    type: string
    indicators:
      - ip
  - name: device_location
    description: Whether the device was on or off premises when the alert started, based on the current IP address and the device's registered DNS domain suffix
    type: string
  - name: device_name
    description: Device name
    type: string
  - name: device_os
    description: Device Operating Systems
    type: string
  - name: device_os_version
    description: The operating system and version of the endpoint. Requires Windows CBC sensor version 3.5 or later.
    type: string
  - name: device_policy
    description: Device policy
    type: string
  - name: device_policy_id
    description: Device policy id
    type: string
  - name: device_target_value
    description: Target value assigned to the device, set from the policy
    type: string
  - name: device_uem_id
    description: Device correlation with WS1/EUC, required for our Workspace ONE Intelligence integration to function
    type: string
  - name: device_username
    description: Users or device owners of alerts
    type: string
    indicators:
      - username
  - name: first_event_timestamp
    description: Timestamp when the first event in the alert occurred
    type: timestamp
    timeFormat: rfc3339
  - name: id
    description: Unique ID of alert
    type: string
    required: true
  - name: is_updated
    description: Set to true if this is an updated copy of the alert initiated by the Carbon Black Cloud backend. User workflow updates, such as adding a note, will generate a new copy of the alert, but is_updated will be set to false.
    type: boolean
  - name: last_event_timestamp
    description: Timestamp when the last event in the alert occurred
    type: timestamp
    timeFormat: rfc3339
  - name: netconn_local_ip
    description: IP address of the remote side of the network connection; stored as dotted decimal
    type: string
    indicators:
      - ip
  - name: netconn_local_ipv4
    description: IPv4 address of the local side of the network connection; stored as a dotted decimal. Only one of ipv4 and ipv6 fields will be populated.
    type: string
    indicators:
      - ip
  - name: netconn_local_ipv6
    description: IPv6 address of the local side of the network connection; stored as a string without octet-separating colon characters. Only one of ipv4 and ipv6 fields will be populated.
    type: string
    indicators:
      - ip
  - name: netconn_local_port
    description: TCP or UDP port used by the local side of the network connection
    type: int
  - name: netconn_protocol
    description: Network protocol of the network connection
    type: string
  - name: netconn_remote_domain
    description: Domain name (FQDN) associated with the remote end of the network connection, if available
    type: string
    indicators:
      - domain
  - name: netconn_remote_ip
    description: IP address of the local side of the network connection; stored as dotted decimal
    type: string
    indicators:
      - ip
  - name: netconn_remote_ipv4
    description: IPv4 address of the remote side of the network connection; stored as dotted decimal. Only one of ipv4 and ipv6 fields will be populated.
    type: string
    indicators:
      - ip
  - name: netconn_remote_ipv6
    description: IPv6 address of the remote side of the network connection; stored as a string without octet-separating colon characters. Only one of ipv4 and ipv6 fields will be populated.
    type: string
    indicators:
      - ip
  - name: netconn_remote_port
    description: TCP or UDP port used by the remote side of the network connection; same as netconn_port and event_network_remote_port
    type: int
  - name: org_key
    description: Unique alphanumeric string that identifies your organization in the Carbon Black Cloud
    type: string
  - name: parent_cmdline
    description: Command line of the parent process
    type: string
  - name: parent_effective_reputation
    description: Effective reputation of the parent process; applied by the sensor when the event occurred
    type: string
  - name: parent_guid
    description: Unique process identifier assigned to the parent process
    type: string
  - name: parent_md5
    description: MD5 hash of the parent process binary
    type: string
    indicators:
      - md5
  - name: parent_name
    description: Filesystem path of the parent process binary
    type: string
  - name: parent_pid
    description: Identifier assigned by the operating system to the parent process
    type: string
  - name: parent_reputation
    description: Reputation of the parent process; applied by the Carbon Black Cloud when the event is initially processed
    type: string
  - name: parent_sha256
    description: SHA-256 hash of the parent process binary
    type: string
    indicators:
      - sha256
  - name: parent_username
    description: User context in which the parent process was executed
    type: string
    indicators:
      - username
  - name: policy_applied
    description: Indicates whether or not a policy has been applied to any event associated with this alert
    type: string
  - name: primary_event_id
    description: ID of the primary event in the alert
    type: string
  - name: process_cmdline
    description: Command line executed by the actor process
    type: string
  - name: process_effective_reputation
    description: Effective reputation of the actor hash
    type: string
  - name: process_guid
    description: Guid of the process that has fired the alert (optional)
    type: string
  - name: process_issuer
    description: The certificate authority associated with the process's certificate
    type: array
    element:
      type: string
  - name: process_md5
    description: MD5 hash of the actor process binary
    type: string
    indicators:
      - md5
  - name: process_name
    description: Process names of an alert
    type: string
  - name: process_pid
    description: PID of the process that has fired the alert (optional)
    type: string
  - name: process_publisher
    description: Publisher name on the certificate used to sign the Windows or macOS process binary
    type: array
    element:
      type: string
  - name: process_reputation
    description: Reputation of the actor process; applied when event is processed by the Carbon Black Cloud
    type: string
  - name: process_sha256
    description: SHA-256 hash of the actor process binary
    type: string
    indicators:
      - sha256
  - name: process_username
    description: User context in which the actor process was executed. MacOS - all users for the PID for fork() and exec() transitions. Linux - process user for exec() events, but in a future sensor release can be multi-valued due to setuid()
    type: string
    indicators:
      - username
  - name: reason
    description: A spoken language written explanation of the what and why the alert occurred and any action taken, usually consisting of 1 to 3 sentences.
    type: string
  - name: reason_code
    description: A unique short-hand code or GUID identifying the particular alert reason
    type: string
  - name: run_state
    description: Whether the threat in the alert actually ran
    type: string
  - name: sensor_action
    description: Actions taken by the sensor, according to the rules of a policy
    type: string
  - name: severity
    description: Integer representation of the impact of alert if true positive
    type: int
  - name: threat_id
    description: ID assigned to a group of alerts with common criteria, based on alert type
    type: string
  - name: type
    description: Type of alert generated
    type: string
    required: true
  - name: user_update_timestamp
    description: Timestamp of the last property of an alert changed by a user, such as the alert workflow or determination
    type: timestamp
    timeFormat: rfc3339
  - name: version
    description: The version of the schema being emitted. e.g. 2.0.0
    type: string
  - name: workflow
    description: Current workflow state of an alert. The workflow represents the flow from OPEN to IN_PROGRESS to CLOSED and captures who moved the alert into the current state. The history of these state transitions is available via the alert history route.
    type: object
    fields:
      - name: change_timestamp
        description: When the last status change occurred
        type: timestamp
        timeFormat: rfc3339
      - name: changed_by
        description: Who (or what) made the last status change
        type: string
      - name: changed_by_type
        description: Type of user or system that made the last status change
        type: string
      - name: changed_by_autoclose_rule_id
        description: The ID of the autoclose rule that closed the alert
        type: string
      - name: closure_reason
        description: A more detailed description of why the alert was resolved
        type: string
      - name: status
        type: string
  - name: attack_tactic
    description: A tactic from the MITRE ATT&CK framework; defines a reason for an adversary's action, such as achieving credential access
    type: string
  - name: attack_technique
    description: A technique from the MITRE ATT&CK framework; defines an action an adversary takes to accomplish a goal, such as dumping credentials to achieve credential access
    type: string
  - name: rule_category_id
    description: ID representing the category of the rule_id for certain alert types
    type: string
  - name: rule_id
    description: ID of the rule that triggered an alert; applies to Intrusion Detection System, Host-Based Firewall, TAU Intelligence, and USB Device Control alerts
    type: string
  - name: threat_category
    description: Categories of threats which we were able to take action on
    type: string
  - name: ttps
    description: Other potential malicious activities involved in a threat
    type: array
    element:
      type: string
  - name: connection_type
    description: Connection Type
    type: string
  - name: egress_group_id
    description: Unique identifier for the egress group
    type: string
  - name: egress_group_name
    description: Name of the egress group
    type: string
  - name: ip_reputation
    description: Range of reputations to accept for the remote IP
    type: int
  - name: k8s_cluster
    description: K8s Cluster name
    type: string
  - name: k8s_kind
    description: K8s Workload kind
    type: string
  - name: k8s_namespace
    description: K8s namespace
    type: string
  - name: k8s_pod_name
    description: Name of the pod within a workload
    type: string
  - name: k8s_policy
    description: Name of the K8s policy
    type: string
  - name: k8s_policy_id
    description: Unique identifier for the K8s policy
    type: string
  - name: k8s_rule
    description: Name of the K8s policy rule
    type: string
  - name: k8s_rule_id
    description: Unique identifier for the K8s policy rule
    type: string
  - name: k8s_workload_name
    description: K8s Workload Name
    type: string
  - name: remote_is_private
    description: Is the remote information private true or false
    type: boolean
  - name: remote_k8s_kind
    description: Kind of remote workload; set if the remote side is another workload in the same cluster
    type: string
  - name: remote_k8s_namespace
    description: Namespace within the remote workload's cluster; set if the remote side is another workload in the same cluster
    type: string
  - name: remote_k8s_pod_name
    description: Remote workload pod name; set if the remote side is another workload in the same cluster
    type: string
  - name: remote_k8s_workload_name
    description: Name of the remote workload; set if the remote side is another workload in the same cluster
    type: string
  - name: external_device_friendly_name
    description: Human-readable external device names
    type: string
  - name: product_id
    description: IDs of the product that identifies USB devices
    type: string
  - name: product_name
    description: Names of the product that identifies USB devices
    type: string
  - name: serial_number
    description: Serial numbers of USB devices
    type: string
  - name: vendor_id
    description: IDs of the vendor that identifies USB devices
    type: string
  - name: vendor_name
    description: Names of the vendors who produced the devices
    type: string
  - name: threat_name
    description: Name of the threat
    type: string
  - name: tms_rule_id
    description: Detection id
    type: string
  - name: ioc_field
    description: The field the indicator of compromise (IOC) hit contains
    type: string
  - name: ioc_hit
    description: IOC field value or IOC query that matches
    type: string
  - name: ioc_id
    description: Unique identifier of the IOC that generated the watchlist hit
```
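As an added example (not Panther's own code, and not how Panther itself parses incoming objects), the following Python checks a constructed alert against a hand-transcribed subset of the CarbonBlack.AlertV2 schema above: it enforces the required fields, decodes timestamps according to their declared timeFormat (rfc3339 here, unix_ms as used by the Audit schema's eventTime), and collects the values the schema marks as indicators. The sample alert and its values are assumptions made up for illustration.

```python
from datetime import datetime, timezone

# Hand-transcribed subset of the CarbonBlack.AlertV2 schema on this page (same
# keys as the YAML, trimmed to a few fields); the checking code is generic.
ALERT_V2_FIELDS = [
    {"name": "id", "type": "string", "required": True},
    {"name": "type", "type": "string", "required": True},
    {"name": "detection_timestamp", "type": "timestamp", "timeFormat": "rfc3339",
     "required": True, "isEventTime": True},
    {"name": "severity", "type": "int"},
    {"name": "device_external_ip", "type": "string", "indicators": ["ip"]},
    {"name": "device_username", "type": "string", "indicators": ["username"]},
]
PY_TYPES = {"string": str, "int": int, "boolean": bool, "object": dict, "array": list}

def parse_time(value, fmt):
    """Decode a timestamp according to the schema's timeFormat."""
    if fmt == "rfc3339":  # used by the AlertV2 timestamps
        return datetime.fromisoformat(str(value).replace("Z", "+00:00"))
    if fmt == "unix_ms":  # used by CarbonBlack.Audit eventTime (timeFormats list)
        return datetime.fromtimestamp(int(value) / 1000, tz=timezone.utc)
    raise ValueError(f"unsupported timeFormat {fmt}")

def validate(event, fields):
    """Return (errors, event_time, indicators) for one decoded JSON event."""
    errors, event_time, indicators = [], None, {}
    for f in fields:
        val = event.get(f["name"])
        if val is None:  # absent optional fields are fine, absent required ones are not
            if f.get("required"):
                errors.append(f"missing required field {f['name']}")
            continue
        if f["type"] == "timestamp":
            try:  # accept either timeFormat (scalar) or timeFormats (list)
                ts = parse_time(val, f.get("timeFormat") or f["timeFormats"][0])
            except (ValueError, TypeError, KeyError):
                errors.append(f"bad timestamp in {f['name']}: {val!r}")
                continue
            if f.get("isEventTime"):
                event_time = ts
        elif not isinstance(val, PY_TYPES[f["type"]]) or (
                isinstance(val, bool) and f["type"] == "int"):
            errors.append(f"{f['name']} should be {f['type']}")
            continue
        for kind in f.get("indicators", []):  # values the schema marks as indicators
            indicators.setdefault(kind, []).append(val)
    return errors, event_time, indicators

# Constructed sample alert (not a real Carbon Black event or identifier).
SAMPLE_ALERT = {"id": "constructed-alert-0001", "type": "WATCHLIST", "severity": 7,
                "detection_timestamp": "2024-05-01T12:34:56Z",
                "device_external_ip": "203.0.113.10", "device_username": "analyst@example.com"}
```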