Carbon Black Logs (Beta)
Connecting Carbon Black logs in your Panther Console
Overview
Panther can fetch Carbon Black logs by querying the Carbon Black API.
How to onboard Carbon Black logs to Panther
To set up Carbon Black as a log source in Panther, you will create a new log source in Panther using a Carbon Black API key.
Step 1: Generate a Carbon Black API key
Log in to your Carbon Black instance.
Click Settings > API Access, then Add API Key.
Enter a name, and set Access Level Type to API. Optionally fill in the Authorized IP Address section to restrict access to only Panther's IP address.
Find Panther's IP address in your Console, on the Settings > General page.
Take note of the API ID and API Secret Key. You will need these values in the next step.
Step 2: Create a new Carbon Black source in Panther
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for "Carbon Black," then click its tile.
In the slide-out panel, click Start Setup.
On the next screen, enter a descriptive name for the source, such as "My Carbon Black Audit logs". Click Setup.
On the Set Credentials page, fill in the form:
Carbon Black Domain: Enter the URL of your Carbon Black domain.
API ID: Enter the Carbon Black API ID generated in Step 1.
API Secret Key: Enter the API Secret Key generated in Step 1.
Click Setup. You will be directed to a success screen.
You can optionally enable one or more Detection Packs.
The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, so that you are alerted if data stops flowing from the log source for a certain period of time. The timeframe is configurable, with a default of 24 hours.
Supported log types
CarbonBlack.Audit
These are audit logs of events in a Carbon Black tenant. For more information, see the Carbon Black Audit Log Events documentation.
schema: CarbonBlack.Audit
description: Audit logs from CarbonBlack
referenceURL: https://developer.carbonblack.com/reference/carbon-black-cloud/cb-defense/latest/rest-api/
fields:
  - name: verbose
    description: Whether the event is verbose or not
    type: boolean
  - name: eventId
    description: The ID of the event
    required: true
    type: string
  - name: eventTime
    description: The time the event occurred
    type: timestamp
    timeFormats:
      - unix_ms
    isEventTime: true
  - name: description
    description: A description of the event
    type: string
  - name: orgName
    description: The name of the organization
    type: string
  - name: clientIp
    description: The IP address of the client
    type: string
    indicators:
      - ip
  - name: requestUrl
    description: The URL of the request
    type: string
    indicators:
      - hostname
  - name: loginName
    description: The name of the user who logged in
    type: string
    indicators:
      - username
  - name: flagged
    description: Whether the event is flagged or not
    type: boolean
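As an added example (not part of Panther's documentation or its Detection Packs), here is a minimal Panther-style Python rule over CarbonBlack.Audit events, using only the fields in the schema above. It alerts on events Carbon Black marks as flagged and builds the title from loginName, clientIp and the unix_ms eventTime; the sample events are constructed, not real tenant data.

```python
from datetime import datetime, timezone

# Constructed sample CarbonBlack.Audit events shaped after the schema above
# (hypothetical values, not real audit data).
SAMPLE_EVENTS = [
    {
        "eventId": "evt-0001",
        "eventTime": 1700000000000,  # unix_ms, per the schema's timeFormats
        "description": "Logged in successfully",
        "orgName": "example-org",
        "clientIp": "198.51.100.10",
        "loginName": "alice@example.com",
        "flagged": False,
        "verbose": False,
    },
    {
        "eventId": "evt-0002",
        "eventTime": 1700000060000,
        "description": "Flagged: API key created",
        "orgName": "example-org",
        "clientIp": "203.0.113.7",
        "loginName": "bob@example.com",
        "flagged": True,
        "verbose": False,
    },
]


def rule(event):
    """Fire only when Carbon Black itself has flagged the audit event."""
    return event.get("flagged") is True


def title(event):
    """Alert title: who, from which client IP, when, and what happened."""
    # eventTime is milliseconds since the epoch; render it as UTC ISO-8601.
    ts = datetime.fromtimestamp(event.get("eventTime", 0) / 1000, tz=timezone.utc)
    return (
        f"[CarbonBlack.Audit] flagged event for {event.get('loginName', '<unknown user>')} "
        f"from {event.get('clientIp', '<unknown ip>')} at {ts.isoformat()}: "
        f"{event.get('description', '')}"
    )


def dedup(event):
    """Collapse repeated flagged events from the same user in one org into one alert."""
    return f"{event.get('orgName')}:{event.get('loginName')}"


def evaluate(events):
    """Run the rule over a batch, returning (eventId, title) for each alert."""
    return [(e["eventId"], title(e)) for e in events if rule(e)]
```

In Panther, only rule(), title() and dedup() are needed; evaluate() is a local harness for running the rule against the sample batch.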