Collecting Logs from Carbon Black EDR

Role Availability Read-Only Investigator Analyst Manager

To fully integrate USM Anywhere with your Carbon Black EDR implementation, you should configure Carbon Black EDR to send syslog An industry standard message logging system that is used on many devices and platforms. message to USM Anywhere so that it can collect and normalize Normalization describes the translation of log file entries received from disparate types of monitored assets into the standardized framework of Event types and sub-types. the raw data. The combination of processing the log data and connecting the AlienApp to the Carbon Black EDR API provides a full scope of data analysis and response within USM Anywhere.

Send Carbon Black EDR Logs to the Sensor

Before configuring the log collection, you must have the IP address of the USM Anywhere Sensor.

To send log data from Carbon Black EDR to USM Anywhere

  1. Install and configure the cb-event-forwarder. See the Carbon Black Event Forwarder Quickstart Guide for instructions.

    Events exported from Carbon Black Event Forwarder can be in JavaScript Object Notation (JSON) or Log Event Extended Format (LEEF) format.

  2. Modify the /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf file, include the following item:

    udpout=<USM-Anywhere-Sensor-IP-Address>:514

Assign Assets to the AlienApp

To help AlienApp for Carbon Black EDR identify the relevant logs, you must associate this app with the asset that is forwarding the logs.

To assign assets to the AlienApp

  1. In USM Anywhere, go to Data Sources > AlienApps.
  2. Click the Available Apps tab.
  3. Search for the AlienApp, and then click the tile.
  4. Click Assign Asset.
  5. Search for your asset using its name or IP address, and then click Assign.
  6. If your asset is not in USM Anywhere, click Create Asset to add it.

  7. Select the method that the USM Anywhere Sensor should use to collect logs from your asset.

    Syslog is the default method, but USM Anywhere can also collect logs from an Amazon S3 bucket or Amazon CloudWatch.

  8. In the Format field, click the icon and select JSON from the drop-down.

    Events exported from Carbon Black Event Forwarder are in a normalized JSON format; therefore you must set the Format field to JSON.