Carbon Black Logs

Connecting Carbon Black logs in your Panther Console

Overview

Panther supports the following methods of ingesting logs from Carbon Black:

  • Carbon Black Audit Logs, which Panther pulls using a Carbon Black API key (CarbonBlack.Audit)

  • Carbon Black Data Streaming, which Carbon Black Data Forwarders deliver to an S3 bucket (CarbonBlack.AlertV2, CarbonBlack.EndpointEvent, CarbonBlack.WatchlistHit)

How to onboard Carbon Black Audit logs to Panther

To set up Carbon Black as a log source in Panther, you will create a new log source in Panther using a Carbon Black API key.

This Carbon Black Audit Logs integration only supports CarbonBlack.Audit logs. To ingest other log types, see How to onboard Carbon Black Data Streaming logs to Panther.

Step 1: Generate a Carbon Black API key

Do not use the Carbon Black API key attached to your Panther integration with any other application, as doing so may result in log loss.

  1. Log in to your Carbon Black instance.

  2. Click Settings > API Access, then Add API Key.

  3. Enter a name, and set Access Level Type to API.

  4. Optionally fill in the Authorized IP Address section to restrict access to only Panther's IP address.

  5. Copy the API ID and API Secret Key and store them in a secure location, as you will need these values in the next step.

Step 2: Create a new Carbon Black Audit Logs source in Panther

  1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Search for "Carbon Black Audit Logs," then click its tile.

  4. In the slide-out panel, click Start Setup.

  5. On the next screen, enter a descriptive name for the source, such as My Carbon Black Audit logs.

  6. Click Setup.

  7. On the Set Credentials page, fill in the form:

    1. Carbon Black Domain: Enter the URL of your Carbon Black domain.

    2. API ID: Enter the Carbon Black API ID generated in Step 1.

    3. API Secret Key: Enter the API Secret Key generated in Step 1.

  8. Click Setup. You will be directed to a success screen:

    • You can optionally enable one or more Detection Packs.

    • The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.

How to onboard Carbon Black Data Streaming logs to Panther

To configure Carbon Black log streaming for ingestion in Panther, you will first set up Data Forwarders in Carbon Black, then create a Carbon Black Data Streaming source in Panther.

This Carbon Black Data Streaming integration supports CarbonBlack.AlertV2, CarbonBlack.EndpointEvent, and CarbonBlack.WatchlistHit log types. To ingest CarbonBlack.Audit logs, see How to onboard Carbon Black Audit logs to Panther.

Step 1: Set up Carbon Black Data Forwarders to an S3 bucket

After completing this process, your Data Forwarders will look similar to the below:

Step 2: Create a new Carbon Black Data Streaming source in Panther

  1. In the left-hand navigation bar of the Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Search for "Carbon Black," then click the Carbon Black Data Streaming tile.

    • In the slide-out panel, the Transport Mechanism dropdown in the upper-right corner will be pre-populated with the AWS S3 Bucket option.

  4. Click Start Setup.

  5. Follow Panther's instructions for configuring an S3 Source, with the below modifications:

    1. On the Basic Info page, click Configure Prefixes & Schemas (Optional).

    2. For each Data Forwarder you created in Step 1 of this process, create an S3 Prefix and schema pair. If you are using all three log types, this will look like:

    3. Click Apply Changes.

Audit Log source log types

These are audit logs of events in a Carbon Black tenant. For more information, see the Carbon Black Audit Log Events documentation.

CarbonBlack.Audit

schema: CarbonBlack.Audit
description: Audit logs from CarbonBlack
referenceURL: https://developer.carbonblack.com/reference/carbon-black-cloud/cb-defense/latest/rest-api/
fields:
  - name: verbose
    description: Whether the event is verbose or not
    type: boolean
  - name: eventId
    description: The ID of the event
    required: true
    type: string
  - name: eventTime
    description: The time the event occurred
    type: timestamp
    timeFormats:
      - unix_ms
    isEventTime: true
  - name: description
    description: A description of the event
    type: string
  - name: orgName
    description: The name of the organization
    type: string
  - name: clientIp
    description: The IP address of the client
    type: string
    indicators:
      - ip
  - name: requestUrl
    description: The URL of the request
    type: string
    indicators:
      - hostname
  - name: loginName
    description: The name of the user who logged in
    type: string
    indicators:
      - username
  - name: flagged
    description: Whether the event is flagged or not
    type: boolean
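
The module below is an added example, not code from Panther or Carbon Black, showing how a Panther-style detection rule could use the CarbonBlack.Audit fields listed above. It assumes Panther's convention that a rule is a Python module exposing rule, title, severity, dedup and alert_context functions that receive the event as a dict-like object, and it re-implements, purely for illustration, the indicator extraction the schema's indicators entries declare (ip, hostname, username) together with the unix_ms conversion of eventTime. The sample event, hostnames and addresses are constructed.

```python
"""Illustrative Panther-style detection over CarbonBlack.Audit events.

Added example; not Panther's or Carbon Black's own code. It assumes the
Panther rule convention (module-level rule/title/severity/dedup/alert_context
functions receiving a dict-like event with .get()) and re-implements, for
illustration only, the indicator extraction the schema's `indicators` entries
declare (ip, hostname, username).
"""
from datetime import datetime, timezone
from urllib.parse import urlparse


def event_time_utc(event):
    """eventTime is declared as unix_ms; return it as a timezone-aware UTC datetime."""
    ms = event.get("eventTime")
    if ms is None:
        return None
    return datetime.fromtimestamp(int(ms) / 1000, tz=timezone.utc)


def extract_indicators(event):
    """Collect the values the schema tags as indicators, keyed by indicator type."""
    indicators = {"ip": [], "hostname": [], "username": []}
    if event.get("clientIp"):
        indicators["ip"].append(event["clientIp"])
    url = event.get("requestUrl")
    if url:
        # requestUrl is tagged as a hostname indicator, so keep only the host part.
        host = urlparse(url if "://" in url else "//" + url).hostname
        if host:
            indicators["hostname"].append(host)
    if event.get("loginName"):
        indicators["username"].append(event["loginName"])
    return indicators


def rule(event):
    """Fire on events Carbon Black itself flagged, ignoring verbose chatter."""
    return bool(event.get("flagged")) and not event.get("verbose")


def title(event):
    return (
        f"Carbon Black flagged audit event for user "
        f"[{event.get('loginName', '<unknown>')}] from [{event.get('clientIp', '<unknown>')}]"
    )


def dedup(event):
    # Group repeated flagged activity by user and source address.
    return f"{event.get('loginName')}:{event.get('clientIp')}"


def severity(event):
    return "MEDIUM"


def alert_context(event):
    ts = event_time_utc(event)
    return {
        "event_id": event.get("eventId"),
        "event_time": ts.isoformat() if ts else None,
        "description": event.get("description"),
        "org": event.get("orgName"),
        "indicators": extract_indicators(event),
    }


# Constructed sample event (values invented for the example, not real Carbon Black output).
SAMPLE_FLAGGED = {
    "eventId": "evt-0001",
    "eventTime": 1700000000000,
    "description": "Audit event flagged by Carbon Black",
    "orgName": "example-org",
    "clientIp": "203.0.113.10",
    "requestUrl": "https://defense.example.invalid/settings/users",
    "loginName": "analyst@example.invalid",
    "flagged": True,
    "verbose": False,
}

if __name__ == "__main__":
    print(rule(SAMPLE_FLAGGED), title(SAMPLE_FLAGGED))
    print(alert_context(SAMPLE_FLAGGED))
```

Panther already normalises the schema's indicator fields into its p_any_* columns on ingest; the extract_indicators helper here only makes visible what the indicators entries in the schema mean, so a rule author knows which fields are searchable by IP, hostname and username.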

Data Streaming source log types

For more information, see the Carbon Black Data Forwarder schema documentation.

CarbonBlack.AlertV2

schema: CarbonBlack.AlertV2
description: Alert logs generated by the Carbon Black Cloud
referenceURL: https://developer.carbonblack.com/reference/carbon-black-cloud/data-forwarder/schema/latest/alert-2.0.0/
fields:
  - name: additional_events_present
    description: Indicator to let API and forwarder users know that they should look up other associated events related to this alert
    type: boolean
  - name: alert_notes_present
    description: True if notes are present on the alert ID. False if notes are not present.
    type: boolean
  - name: alert_url
    description: Link to the alerts page for this alert. Does not vary by alert type
    type: string
    required: true
    indicators:
      - url
  - name: backend_timestamp
    description: Timestamp when the Carbon Black Cloud processed and enabled the alert for searching. Corresponds to the Created column on the Alerts page.
    type: timestamp
    timeFormat: rfc3339
  - name: backend_update_timestamp
    description: Timestamp when the Carbon Black Cloud initiated and processed an update to an alert. Corresponds to the Updated column on the Alerts page.
    type: timestamp
    timeFormat: rfc3339
  - name: blocked_effective_reputation
    description: Effective reputation of the blocked file or process; applied by the sensor at the time the block occurred
    type: string
  - name: blocked_md5
    description: MD5 hash of the child process binary; for any process terminated by the sensor
    type: string
    indicators:
      - md5
  - name: blocked_name
    description: Tokenized file path of the files blocked by sensor action
    type: string
  - name: blocked_sha256
    description: SHA-256 hash of the child process binary; for any process terminated by the sensor
    type: string
    indicators:
      - sha256
  - name: childproc_cmdline
    description: Command line for the child process
    type: string
  - name: childproc_effective_reputation
    description: Effective reputation of the child process; applied by the sensor at the time the event occurred
    type: string
  - name: childproc_guid
    description: Unique process identifier assigned to the child process
    type: string
  - name: childproc_md5
    description: Hash of the child process' binary (Enterprise EDR)
    type: string
    indicators:
      - md5
  - name: childproc_name
    description: Filesystem path of the child process' binary
    type: string
  - name: childproc_sha256
    description: Hash of the child process' binary (Endpoint Standard)
    type: string
    indicators:
      - sha256
  - name: childproc_username
    description: User context in which the child process was executed
    type: string
    indicators:
      - username
  - name: detection_timestamp
    description: Timestamp when the alert was first detected. For sensor-sent alerts, this is the time of the event on the sensor. For alerts generated on the backend, this is the time the backend system triggered the alert.
    type: timestamp
    timeFormat: rfc3339
    required: true
    isEventTime: true
  - name: determination
    description: User-updatable determination of the alert
    type: object
    fields:
      - name: change_timestamp
        description: Timestamp when the determination was updated
        type: timestamp
        timeFormat: rfc3339
      - name: changed_by
        description: User the determination was changed by
        type: string
        indicators:
          - username
      - name: changed_by_type
        description: Type of user who changed the determination
        type: string
      - name: value
        description: Determination value of the alert set by a user
        type: string
  - name: device_external_ip
    description: IP address of the endpoint according to the Carbon Black Cloud; can differ from device_internal_ip due to network proxy or NAT; either IPv4 (dotted decimal notation) or IPv6 (proprietary format)
    type: string
    indicators:
      - ip
  - name: device_id
    description: ID of the device
    type: string
  - name: device_internal_ip
    description: IP address of the endpoint reported by the sensor; either IPv4 (dotted decimal notation) or IPv6 (proprietary format)
    type: string
    indicators:
      - ip
  - name: device_location
    description: Whether the device was on or off premises when the alert started, based on the current IP address and the device’s registered DNS domain suffix
    type: string
  - name: device_name
    description: Device name
    type: string
  - name: device_os
    description: Operating system of the device
    type: string
  - name: device_os_version
    description: The operating system and version of the endpoint. Requires Windows CBC sensor version 3.5 or later.
    type: string
  - name: device_policy
    description: Device policy
    type: string
  - name: device_policy_id
    description: Device policy id
    type: string
  - name: device_target_value
    description: Target value assigned to the device, set from the policy
    type: string
  - name: device_uem_id
    description: Device correlation with WS1/EUC, required for our Workspace ONE Intelligence integration to function
    type: string
  - name: device_username
    description: User or device owner associated with the alert
    type: string
    indicators:
      - username
  - name: first_event_timestamp
    description: Timestamp when the first event in the alert occurred
    type: timestamp
    timeFormat: rfc3339
  - name: id
    description: Unique ID of alert
    type: string
    required: true
  - name: is_updated
    description: Set to true if this is an updated copy of the alert initiated by the Carbon Black Cloud backend. User workflow updates, such as adding a note, will generate a new copy of the alert, but is_updated will be set to false.
    type: boolean
  - name: last_event_timestamp
    description: Timestamp when the last event in the alert occurred
    type: timestamp
    timeFormat: rfc3339
  - name: netconn_local_ip
    description: IP address of the local side of the network connection; stored as dotted decimal
    type: string
    indicators:
      - ip
  - name: netconn_local_ipv4
    description: IPv4 address of the local side of the network connection; stored as a dotted decimal. Only one of ipv4 and ipv6 fields will be populated.
    type: string
    indicators:
      - ip
  - name: netconn_local_ipv6
    description: IPv6 address of the local side of the network connection; stored as a string without octet-separating colon characters. Only one of ipv4 and ipv6 fields will be populated.
    type: string
    indicators:
      - ip
  - name: netconn_local_port
    description: TCP or UDP port used by the local side of the network connection
    type: int
  - name: netconn_protocol
    description: Network protocol of the network connection
    type: string
  - name: netconn_remote_domain
    description: Domain name (FQDN) associated with the remote end of the network connection, if available
    type: string
    indicators:
      - domain
  - name: netconn_remote_ip
    description: IP address of the remote side of the network connection; stored as dotted decimal
    type: string
    indicators:
      - ip
  - name: netconn_remote_ipv4
    description: IPv4 address of the remote side of the network connection; stored as dotted decimal. Only one of ipv4 and ipv6 fields will be populated.
    type: string
    indicators:
      - ip
  - name: netconn_remote_ipv6
    description: IPv6 address of the remote side of the network connection; stored as a string without octet-separating colon characters. Only one of ipv4 and ipv6 fields will be populated.
    type: string
    indicators:
      - ip
  - name: netconn_remote_port
    description: TCP or UDP port used by the remote side of the network connection; same as netconn_port and event_network_remote_port
    type: int
  - name: org_key
    description: Unique alphanumeric string that identifies your organization in the Carbon Black Cloud
    type: string
  - name: parent_cmdline
    description: Command line of the parent process
    type: string
  - name: parent_effective_reputation
    description: Effective reputation of the parent process; applied by the sensor when the event occurred
    type: string
  - name: parent_guid
    description: Unique process identifier assigned to the parent process
    type: string
  - name: parent_md5
    description: MD5 hash of the parent process binary
    type: string
    indicators:
      - md5
  - name: parent_name
    description: Filesystem path of the parent process binary
    type: string
  - name: parent_pid
    description: Identifier assigned by the operating system to the parent process
    type: string
  - name: parent_reputation
    description: Reputation of the parent process; applied by the Carbon Black Cloud when the event is initially processed
    type: string
  - name: parent_sha256
    description: SHA-256 hash of the parent process binary
    type: string
    indicators:
      - sha256
  - name: parent_username
    description: User context in which the parent process was executed
    type: string
    indicators:
      - username
  - name: policy_applied
    description: Indicates whether or not a policy has been applied to any event associated with this alert
    type: string
  - name: primary_event_id
    description: ID of the primary event in the alert
    type: string
  - name: process_cmdline
    description: Command line executed by the actor process
    type: string
  - name: process_effective_reputation
    description: Effective reputation of the actor hash
    type: string
  - name: process_guid
    description: Guid of the process that has fired the alert (optional)
    type: string
  - name: process_issuer
    description: The certificate authority associated with the process’s certificate
    type: array
    element:
      type: string
  - name: process_md5
    description: MD5 hash of the actor process binary
    type: string
    indicators:
      - md5
  - name: process_name
    description: Name of the process associated with the alert
    type: string
  - name: process_pid
    description: PID of the process that has fired the alert (optional)
    type: string
  - name: process_publisher
    description: Publisher name on the certificate used to sign the Windows or macOS process binary
    type: array
    element:
      type: string
  - name: process_reputation
    description: Reputation of the actor process; applied when event is processed by the Carbon Black Cloud
    type: string
  - name: process_sha256
    description: SHA-256 hash of the actor process binary
    type: string
    indicators:
      - sha256
  - name: process_username
    description: User context in which the actor process was executed. MacOS - all users for the PID for fork() and exec() transitions. Linux - process user for exec() events, but in a future sensor release can be multi-valued due to setuid()
    type: string
    indicators:
      - username
  - name: reason
    description: A natural-language explanation of what happened, why the alert occurred, and any action taken, usually consisting of 1 to 3 sentences.
    type: string
  - name: reason_code
    description: A unique short-hand code or GUID identifying the particular alert reason
    type: string
  - name: run_state
    description: Whether the threat in the alert actually ran
    type: string
  - name: sensor_action
    description: Actions taken by the sensor, according to the rules of a policy
    type: string
  - name: severity
    description: Integer representation of the impact of alert if true positive
    type: int
  - name: threat_id
    description: ID assigned to a group of alerts with common criteria, based on alert type
    type: string
  - name: type
    description: Type of alert generated
    type: string
    required: true
  - name: user_update_timestamp
    description: Timestamp of the last property of an alert changed by a user, such as the alert workflow or determination
    type: timestamp
    timeFormat: rfc3339
  - name: version
    description: The version of the schema being emitted. e.g. 2.0.0
    type: string
  - name: workflow
    description: Current workflow state of an alert. The workflow represents the flow from OPEN to IN_PROGRESS to CLOSED and captures who moved the alert into the current state. The history of these state transitions is available via the alert history route.
    type: object
    fields:
      - name: change_timestamp
        description: When the last status change occurred
        type: timestamp
        timeFormat: rfc3339
      - name: changed_by
        description: Who (or what) made the last status change
        type: string
      - name: changed_by_type
        description: Type of user or system that made the last status change
        type: string
      - name: changed_by_autoclose_rule_id
        description: The ID of the autoclose rule that closed the alert
        type: string
      - name: closure_reason
        description: A more detailed description of why the alert was resolved
        type: string
      - name: status
        type: string
  - name: attack_tactic
    description: A tactic from the MITRE ATT&CK framework; defines a reason for an adversary’s action, such as achieving credential access
    type: string
  - name: attack_technique
    description: A technique from the MITRE ATT&CK framework; defines an action an adversary takes to accomplish a goal, such as dumping credentials to achieve credential access
    type: string
  - name: rule_category_id
    description: ID representing the category of the rule_id for certain alert types
    type: string
  - name: rule_id
    description: ID of the rule that triggered an alert; applies to Intrusion Detection System, Host-Based Firewall, TAU Intelligence, and USB Device Control alerts
    type: string
  - name: threat_category
    description: Categories of threats which we were able to take action on
    type: string
  - name: ttps
    description: Other potential malicious activities involved in a threat
    type: array
    element:
      type: string
  - name: connection_type
    description: Connection Type
    type: string
  - name: egress_group_id
    description: Unique identifier for the egress group
    type: string
  - name: egress_group_name
    description: Name of the egress group
    type: string
  - name: ip_reputation
    description: Range of reputations to accept for the remote IP
    type: int
  - name: k8s_cluster
    description: K8s Cluster name
    type: string
  - name: k8s_kind
    description: K8s Workload kind
    type: string
  - name: k8s_namespace
    description: K8s namespace
    type: string
  - name: k8s_pod_name
    description: Name of the pod within a workload
    type: string
  - name: k8s_policy
    description: Name of the K8s policy
    type: string
  - name: k8s_policy_id
    description: Unique identifier for the K8s policy
    type: string
  - name: k8s_rule
    description: Name of the K8s policy rule
    type: string
  - name: k8s_rule_id
    description: Unique identifier for the K8s policy rule
    type: string
  - name: k8s_workload_name
    description: K8s Workload Name
    type: string
  - name: remote_is_private
    description: Whether the remote information is private (true or false)
    type: boolean
  - name: remote_k8s_kind
    description: Kind of remote workload; set if the remote side is another workload in the same cluster
    type: string
  - name: remote_k8s_namespace
    description: Namespace within the remote workload’s cluster; set if the remote side is another workload in the same cluster
    type: string
  - name: remote_k8s_pod_name
    description: Remote workload pod name; set if the remote side is another workload in the same cluster
    type: string
  - name: remote_k8s_workload_name
    description: Name of the remote workload; set if the remote side is another workload in the same cluster
    type: string
  - name: external_device_friendly_name
    description: Human-readable external device names
    type: string
  - name: product_id
    description: Product ID that identifies the USB device
    type: string
  - name: product_name
    description: Product name that identifies the USB device
    type: string
  - name: serial_number
    description: Serial number of the USB device
    type: string
  - name: vendor_id
    description: Vendor ID that identifies the USB device
    type: string
  - name: vendor_name
    description: Name of the vendor that produced the device
    type: string
  - name: threat_name
    description: Name of the threat
    type: string
  - name: tms_rule_id
    description: Detection id
    type: string
  - name: ioc_field
    description: The field that contains the indicator of compromise (IOC) hit
    type: string
  - name: ioc_hit
    description: IOC field value or IOC query that matches
    type: string
  - name: ioc_id
    description: Unique identifier of the IOC that generated the watchlist hit
    type: string
  - name: ml_classification_final_verdict
    description: Final verdict of the alert, based on the ML models that were used to make the prediction.
    type: string
  - name: ml_classification_global_prevalence
    description: Categories (low/medium/high) used to describe the prevalence of alerts across all regional organizations.
    type: string
  - name: ml_classification_org_prevalence
    description: Categories (low/medium/high) used to describe the prevalence of alerts within an organization.
    type: string
  - name: report_description
    description: Description of the report
    type: string
  - name: report_id
    description: Report IDs that contained the IOC that caused a hit
    type: string
  - name: report_link
    description: Link of reports that contained the IOC that caused a hit
    type: string
    indicators:
      - url
  - name: report_name
    description: Name of the watchlist report
    type: string
  - name: report_tags
    description: Tags associated with the watchlist report
    type: array
    element:
      type: string
  - name: watchlists
    description: List of watchlists associated with an alert. Alerts are batched hourly
    type: array
    element:
      type: object
      fields:
        - name: id
          description: Unique identifier of the watchlist
          type: string
        - name: name
          description: Name of the watchlist
          type: string
  - name: mdr_alert
    description: Is the alert eligible for review by Carbon Black MDR Analysts?
    type: boolean
  - name: mdr_alert_notes_present
    description: Customer visible notes at the alert level that were added by an MDR analyst
    type: boolean
  - name: mdr_determination
    description: MDR updatable classification of the alert
    type: object
    fields:
      - name: change_timestamp
        description: When the MDR determination was last changed
        type: timestamp
        timeFormat: rfc3339
      - name: value
        description: A record that identifies whether the alert was determined to represent a likely or unlikely threat.
        type: string
  - name: mdr_workflow
    description: MDR-updatable workflow of the alert
    type: object
    fields:
      - name: change_timestamp
        description: When the MDR workflow was last changed
        type: timestamp
        timeFormat: rfc3339
      - name: status
        type: string
        description: Primary value used to capture status change during an MDR analyst’s alert triage
      - name: is_assigned
        type: boolean
        description: Indicates whether the alert is assigned or not
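
The module below is an added example, not code from Panther or Carbon Black, showing how a Panther-style rule could consume CarbonBlack.AlertV2 events using only fields declared in the schema above. It assumes Panther's rule convention (rule, title, severity, dedup and alert_context functions receiving a dict-like event). Two details from the schema drive the logic: is_updated marks backend re-emissions of an alert, and the workflow object carries the OPEN/IN_PROGRESS/CLOSED status. The severity threshold, the mapping from Carbon Black's integer severity to Panther levels, and the sample alert are this example's own constructed choices.

```python
"""Illustrative Panther-style detection over CarbonBlack.AlertV2 events.

Added example; not Panther's or Carbon Black's own code. It assumes Panther's
rule convention (rule/title/severity/dedup/alert_context functions receiving a
dict-like event) and uses only fields the AlertV2 schema declares. The severity
threshold and the mapping from Carbon Black's integer severity to Panther levels
are this example's own choices, not a Carbon Black or Panther standard.
"""

MIN_CB_SEVERITY = 5  # assumption: alert on Carbon Black severity 5 and above


def cb_severity_to_panther(cb_severity):
    """Map Carbon Black's integer severity to a Panther severity level (example mapping)."""
    if cb_severity is None:
        return "INFO"
    if cb_severity >= 8:
        return "CRITICAL"
    if cb_severity >= 6:
        return "HIGH"
    if cb_severity >= 4:
        return "MEDIUM"
    return "LOW"


def rule(event):
    """Fire on new, still-open alerts at or above the threshold.

    is_updated marks a backend re-emission of an existing alert; user workflow
    changes also re-emit the alert with is_updated false, so closed alerts are
    skipped and dedup() keys on the alert id to absorb the remaining copies.
    """
    if event.get("is_updated"):
        return False
    workflow = event.get("workflow") or {}
    if workflow.get("status") == "CLOSED":
        return False
    sev = event.get("severity")
    return sev is not None and sev >= MIN_CB_SEVERITY


def title(event):
    return (
        f"Carbon Black {event.get('type', 'alert')} on "
        f"[{event.get('device_name', '<unknown device>')}]: "
        f"{event.get('reason', 'no reason supplied')}"
    )


def dedup(event):
    # One Panther alert per Carbon Black alert id, however often it is re-sent.
    return event.get("id") or event.get("threat_id") or "unknown"


def severity(event):
    return cb_severity_to_panther(event.get("severity"))


def alert_context(event):
    """Carry the fields an analyst needs to pivot: ATT&CK mapping, process, device and link."""
    return {
        "alert_id": event.get("id"),
        "alert_url": event.get("alert_url"),
        "threat_id": event.get("threat_id"),
        "attack_tactic": event.get("attack_tactic"),
        "attack_technique": event.get("attack_technique"),
        "run_state": event.get("run_state"),
        "sensor_action": event.get("sensor_action"),
        "process": {
            "name": event.get("process_name"),
            "sha256": event.get("process_sha256"),
            "cmdline": event.get("process_cmdline"),
            "username": event.get("process_username"),
        },
        "device": {
            "name": event.get("device_name"),
            "external_ip": event.get("device_external_ip"),
            "internal_ip": event.get("device_internal_ip"),
            "username": event.get("device_username"),
        },
    }


# Constructed sample alert (values invented for the example, not captured data;
# the sha256 is the well-known hash of an empty file).
SAMPLE_ALERT = {
    "id": "alert-0001",
    "type": "EXAMPLE_ALERT_TYPE",
    "severity": 7,
    "is_updated": False,
    "reason": "Example reason text",
    "device_name": "WS-EXAMPLE-01",
    "device_external_ip": "203.0.113.25",
    "device_internal_ip": "10.0.0.25",
    "device_username": "user@example.invalid",
    "process_name": "c:\\example\\tool.exe",
    "process_sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "attack_tactic": "TA0006",
    "attack_technique": "T1003",
    "run_state": "RAN",
    "threat_id": "threat-0001",
    "workflow": {"status": "OPEN"},
}

if __name__ == "__main__":
    print(rule(SAMPLE_ALERT), severity(SAMPLE_ALERT), title(SAMPLE_ALERT))
```

Keying dedup on id rather than threat_id keeps one Panther alert per Carbon Black alert; switching it to threat_id would instead collapse the group of alerts Carbon Black has tied together by common criteria, which is the trade-off to make deliberately per alert type.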

CarbonBlack.EndpointEvent

schema: CarbonBlack.EndpointEvent
description: Endpoint events from CarbonBlack
referenceURL: https://developer.carbonblack.com/reference/carbon-black-cloud/data-forwarder/schema/latest/endpoint.event-1.0.0/
fields:
  - name: action
    description: Specific endpoint action observed by sensor during this event.
    type: string
    required: true
  - name: backend_timestamp
    description: Time when the backend received the batch of events, based on the Carbon Black Cloud backend’s clock, as an RFC 3339 UTC time string to the second; may differ from device_timestamp by a few minutes due to asynchronous processing
    type: timestamp
    timeFormats:
      - '%Y-%m-%d %H:%M:%S %z %Z'
  - name: device_group
    description: Sensor group to which the endpoint was assigned when the sensor recorded the event data
    type: string
  - name: device_id
    description: ID of the device that created this event
    type: string
  - name: device_name
    description: Hostname of the device that created this event
    type: string
  - name: device_os
    description: OS Type of device (Windows/OSX/Linux)
    type: string
  - name: device_timestamp
    description: Time seen on sensor, based on sensor’s clock in RFC 3339 UTC format to seconds
    type: timestamp
    timeFormats:
      - '%Y-%m-%d %H:%M:%S.%N %z %Z'
      - '%Y-%m-%d %H:%M:%S %z %Z'
    required: true
    isEventTime: true
  - name: event_origin
    description: Indicates which product the event came from.
    type: string
  - name: org_key
    description: The organization key associated with the console instance. Can be used to disambiguate events from different Carbon Black Cloud tenant organizations.
    type: string
  - name: parent_guid
    description: Unique ID of parent process.
    type: string
  - name: parent_hash
    description: Cryptographic hashes of the executable file backing the parent process, represented as an array of two elements - MD5 and SHA-256 hash
    type: array
    element:
      type: string
      indicators:
        - md5
        - sha256
  - name: parent_path
    description: Full path to the executable file backing the parent process on the device’s file system
    type: string
  - name: parent_pid
    description: OS-reported Process ID of the parent process
    type: string
  - name: parent_reputation
    description: Reputation of the parent process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud
    type: string
  - name: process_cmdline
    description: Command line executed by the actor process
    type: string
  - name: process_fork_pid
    description: The PID of a process forked from the actor on *nix systems. If process_pid != process_fork_pid, the current process was forked from original process_pid.
    type: string
  - name: process_guid
    description: Unique ID of process.
    type: string
  - name: process_hash
    description: Cryptographic hashes of the executable file backing this process, represented as an array of two elements - MD5 and SHA-256 hash
    type: array
    element:
      type: string
      indicators:
        - md5
        - sha256
  - name: process_path
    description: Full path to the executable file backing this process on the device’s file system
    type: string
  - name: process_pid
    description: OS-reported Process ID of the current process
    type: string
  - name: process_reputation
    description: Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud
    type: string
  - name: process_username
    description: The username associated with the user context that this process was started under
    type: string
    indicators:
      - username
  - name: schema
    description: The schema version. The current schema version is 1.
    type: string
  - name: sensor_action
    description: Included if the sensor blocked the event or terminated the application due to security policy
    type: string
  - name: target_cmdline
    description: Process command line associated with the target process
    type: string
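
The module below is an added example, not code from Panther or Carbon Black, showing how the two timestamp formats the CarbonBlack.EndpointEvent schema declares can be parsed and compared, and how the two-element process_hash array (MD5 and SHA-256) is unpacked. The schema's format strings use %N for the fractional-second part; Python's strptime has no %N, so the example trims the fraction to the six digits %f accepts. The sample event values are constructed to match the declared formats and are not captured data; the hashes are the well-known hashes of an empty file.

```python
"""Parsing and checking CarbonBlack.EndpointEvent timestamps and hashes.

Added example; not Panther's or Carbon Black's code. Timestamp strings follow
the two formats the schema declares:
    '%Y-%m-%d %H:%M:%S.%N %z %Z'   (device_timestamp, with a fraction)
    '%Y-%m-%d %H:%M:%S %z %Z'      (backend_timestamp, whole seconds)
Python's strptime lacks %N, so fractions are trimmed to the 6 digits of %f.
"""
import re
from datetime import datetime

# Matches the HH:MM:SS.fraction part so the fraction can be trimmed.
_FRACTION = re.compile(r"(\d{2}:\d{2}:\d{2})\.(\d+)")

_FORMATS = (
    "%Y-%m-%d %H:%M:%S.%f %z %Z",  # fractional seconds (device_timestamp)
    "%Y-%m-%d %H:%M:%S %z %Z",     # whole seconds (backend_timestamp)
)


def parse_cb_timestamp(value):
    """Parse 'YYYY-MM-DD HH:MM:SS[.fraction] +0000 UTC' into an aware datetime.

    Fractions longer than six digits are truncated (not rounded) so that a
    nanosecond-precision sensor clock still parses; raises ValueError if the
    string matches neither declared format.
    """
    normalized = _FRACTION.sub(lambda m: f"{m.group(1)}.{m.group(2)[:6]}", value, count=1)
    for fmt in _FORMATS:
        try:
            return datetime.strptime(normalized, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised Carbon Black timestamp: {value!r}")


def ingestion_lag(event):
    """backend_timestamp minus device_timestamp.

    The schema notes these may differ by a few minutes because of asynchronous
    processing; a large or negative lag points at sensor clock skew or a
    delayed forwarder, which matters when correlating with other sources.
    """
    device = parse_cb_timestamp(event["device_timestamp"])
    backend = parse_cb_timestamp(event["backend_timestamp"])
    return backend - device


def process_hashes(event):
    """process_hash is declared as a two-element [MD5, SHA-256] array.

    Identify each hash by its hex length rather than by position, so a
    single-element or reordered array still yields the right values.
    """
    hashes = [h.lower() for h in (event.get("process_hash") or []) if isinstance(h, str)]
    return {
        "md5": next((h for h in hashes if len(h) == 32), None),
        "sha256": next((h for h in hashes if len(h) == 64), None),
    }


def sensor_enforced(event):
    """True when the sensor reported blocking or terminating per policy (sensor_action present)."""
    return bool(event.get("sensor_action"))


# Constructed sample event; action and sensor_action strings are placeholders.
SAMPLE_EVENT = {
    "action": "EXAMPLE_ACTION",
    "device_timestamp": "2024-01-15 10:00:00.123456789 +0000 UTC",
    "backend_timestamp": "2024-01-15 10:02:30 +0000 UTC",
    "device_name": "ws-example-01",
    "process_path": "c:\\example\\tool.exe",
    "process_hash": [
        "d41d8cd98f00b204e9800998ecf8427e",
        "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    ],
    "sensor_action": "EXAMPLE_SENSOR_ACTION",
}

if __name__ == "__main__":
    print("device time:", parse_cb_timestamp(SAMPLE_EVENT["device_timestamp"]).isoformat())
    print("ingestion lag:", ingestion_lag(SAMPLE_EVENT))
    print("hashes:", process_hashes(SAMPLE_EVENT))
    print("sensor enforced:", sensor_enforced(SAMPLE_EVENT))
```

Panther applies the schema's timeFormats itself during ingestion and sets p_event_time from device_timestamp (the isEventTime field); the parser here is useful outside Panther, for example when checking a sample Data Forwarder file before onboarding or when comparing the sensor's clock against the backend's.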