Carbon Black Logs (Beta)

Connecting Carbon Black logs in your Panther Console

Overview

Carbon Black log ingestion is in open beta starting with Panther version 1.78, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.

Panther fetches Carbon Black logs by polling the Carbon Black API with the credentials you provide below; no collector or log forwarder is needed on your side.

How to onboard Carbon Black logs to Panther

To set up Carbon Black as a log source in Panther, you will create a new log source in Panther using a Carbon Black API key.

Step 1: Generate a Carbon Black API key

  1. Log in to your Carbon Black instance.

  2. Click Settings > API Access, then Add API Key.

  3. Enter a name, and set Access Level Type to API.

  4. Optionally fill in the Authorized IP Address section to restrict the key to Panther's egress IP addresses. This is recommended: the key is a long-lived bearer credential, so an IP restriction limits what an attacker can do with it if it leaks.

  5. Take note of the API ID and API Secret Key. You will need these values in the next step. Treat the secret key like a password: it authenticates every request made with this key.

Step 2: Create a new Carbon Black source in Panther

  1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Search for "Carbon Black," then click its tile.

  4. In the slide-out panel, click Start Setup.

  5. On the next screen, enter a descriptive name for the source, such as My Carbon Black Audit logs.

  6. Click Setup.

  7. On the Set Credentials page, fill in the form:

    1. Carbon Black Domain: Enter the hostname of your Carbon Black instance (the one you logged in to in Step 1).

    2. API ID: Enter the Carbon Black API ID generated in Step 1.

    3. API Secret Key: Enter the API Secret Key generated in Step 1.

  8. Click Setup. You will be directed to a success screen reading, "Everything looks good! Panther will now automatically pull & process logs from your account". On that screen:

    • You can optionally enable one or more Detection Packs.

    • The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled: Panther will alert you if data stops flowing from the log source for longer than the configured window. The window is the "How long should Panther wait before it sends you an alert that no events have been processed" setting, which defaults to 1 day.

Supported log types

Required fields in the schema are listed as "required: true" just below the "name" field.

CarbonBlack.Audit

These are audit logs of events in a Carbon Black tenant. For more information, see the Carbon Black Audit Log Events documentation.

schema: CarbonBlack.Audit
description: Audit logs from CarbonBlack
referenceURL: https://developer.carbonblack.com/reference/carbon-black-cloud/cb-defense/latest/rest-api/
fields:
  - name: verbose
    description: Whether the event is verbose or not
    type: boolean
  - name: eventId
    description: The ID of the event
    required: true
    type: string
  - name: eventTime
    description: The time the event occurred
    type: timestamp
    timeFormats:
      - unix_ms
    isEventTime: true
  - name: description
    description: A description of the event
    type: string
  - name: orgName
    description: The name of the organization
    type: string
  - name: clientIp
    description: The IP address of the client
    type: string
    indicators:
      - ip
  - name: requestUrl
    description: The URL of the request
    type: string
    indicators:
      - hostname
  - name: loginName
    description: The login name of the user who performed the action
    type: string
    indicators:
      - username
  - name: flagged
    description: Whether the event is flagged or not
    type: boolean
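As an added example (not code from the original page, nor Panther's or Carbon Black's own), the following Python ties the onboarding steps and the schema together: it builds the audit-log poll a puller would make with the API ID and API Secret Key from Step 1, normalizes the response into the CarbonBlack.Audit field set (including the unix_ms eventTime conversion the schema declares), and runs a Panther-style rule() over the result. The `/integrationServices/v3/auditlogs` path, the `X-Auth-Token: <secret>/<id>` header format and the `notifications` response key are assumptions taken from the public Carbon Black Cloud audit-log API documentation; verify them against the referenceURL above. The allowlist, hostname, key values and sample events are all constructed.

```python
"""
Added example, not Panther's or Carbon Black's own code.  It mirrors what the
onboarding above sets up: build the audit-log poll a puller would make with
the API ID / API Secret Key from Step 1, normalize the response into the
CarbonBlack.Audit field set, and run a Panther-style rule() over it.
Endpoint path, header format and response shape are assumptions from the
public Carbon Black Cloud audit-log API docs; verify against the referenceURL.
"""
import ipaddress
import json
from datetime import datetime, timezone

AUDIT_LOG_PATH = "/integrationServices/v3/auditlogs"

# Hypothetical allowlist of addresses your admins and Panther connect from.
ALLOWED_CLIENT_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def audit_log_request(cbc_domain: str, api_id: str, api_secret: str) -> tuple:
    """Return (url, headers) for one audit-log poll.

    Carbon Black Cloud authenticates 'API' access-level keys with
    X-Auth-Token: <API Secret Key>/<API ID>.  Never log the headers dict.
    """
    base = cbc_domain if cbc_domain.startswith("https://") else "https://" + cbc_domain
    return base.rstrip("/") + AUDIT_LOG_PATH, {"X-Auth-Token": f"{api_secret}/{api_id}"}


def parse_audit_response(body: str) -> list:
    """Turn the raw JSON body into CarbonBlack.Audit-shaped events.

    eventTime arrives as unix_ms (see the schema) and is converted to an aware
    UTC datetime; entries missing the required eventId are dropped, as Panther
    would refuse to classify them.
    """
    data = json.loads(body)
    if not data.get("success", False):
        raise ValueError(f"audit log poll failed: {data.get('message')!r}")
    events = []
    for raw in data.get("notifications", []):
        if not raw.get("eventId"):
            continue
        event = dict(raw)
        event["eventTime"] = datetime.fromtimestamp(raw["eventTime"] / 1000, tz=timezone.utc)
        events.append(event)
    return events


def rule(event: dict) -> bool:
    """Panther rule body: fire on events Carbon Black itself flagged, and on
    any activity whose clientIp is outside the allowlisted ranges."""
    if event.get("flagged"):
        return True
    client_ip = event.get("clientIp")
    if not client_ip:
        return False
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return True  # an unparsable client IP is worth a look on its own
    return not any(addr in net for net in ALLOWED_CLIENT_NETS)


def title(event: dict) -> str:
    """Panther alert title for a matching event."""
    return (
        f"Carbon Black audit: {event.get('loginName', '<unknown>')} from "
        f"{event.get('clientIp', '<unknown>')}: {event.get('description', '')}"
    )


def matching_events(body: str) -> list:
    """Parse one poll response and return the events rule() fires on."""
    return [event for event in parse_audit_response(body) if rule(event)]


# Constructed sample response (not captured from a real tenant).
SAMPLE_RESPONSE = json.dumps({
    "success": True,
    "message": "Success",
    "notifications": [
        {"eventId": "a1", "eventTime": 1700000000000, "loginName": "alice@example.com",
         "orgName": "example.org", "clientIp": "203.0.113.10", "requestUrl": None,
         "flagged": False, "verbose": False, "description": "Logged in successfully"},
        {"eventId": "a2", "eventTime": 1700000060000, "loginName": "alice@example.com",
         "orgName": "example.org", "clientIp": "203.0.113.10", "requestUrl": None,
         "flagged": True, "verbose": False, "description": "Created API key"},
        {"eventId": "a3", "eventTime": 1700000120000, "loginName": "svc-panther",
         "orgName": "example.org", "clientIp": "198.51.100.7", "requestUrl": None,
         "flagged": False, "verbose": True, "description": "Logged in successfully"},
        {"eventTime": 1700000180000, "description": "entry without the required eventId"},
    ],
})

if __name__ == "__main__":
    url, _headers = audit_log_request("defense.example.net", "ID", "SECRET")
    print("poll:", url)
    for event in matching_events(SAMPLE_RESPONSE):
        print(event["eventTime"].isoformat(), title(event))
```

Run as-is and it reports two of the four sample entries: the event Carbon Black flagged and the one whose clientIp falls outside the allowlist; the entry without an eventId is dropped before the rule sees it, matching the "required: true" marker on that field in the schema. In a real Panther rule, the allowlist would normally live in a lookup table or global helper rather than a module constant.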
