Documentation Center
AlienVault® USM Anywhere™

Carbon Black Cb Defense

When you configure Carbon Black Cb Defense integration to send log data to USM Anywhere, you can use the Cb Defense plugin to translate the raw log data into normalized events for analysis.

Device Details

Device vendor: Carbon Black
Device type: Antivirus
Connection type: Syslog
Vendor link: Cb Defense Syslog Connector

Cb Defense Integration

Before you configure the integration, you must have the IP address of the USM Anywhere Sensor. You must also install and configure the Cb Defense Syslog Connector to forward alerts to USM Anywhere.

To send log data from Cb Defense to USM Anywhere

  1. As the root user, install the Cb Defense Syslog Connector (an RPM package) on a 64-bit Linux machine.

    cd /etc/yum.repos.d

    curl -O https://opensource.carbonblack.com/release/x86_64/CbOpenSource.repo

    yum install python-cb-defense-syslog

  2. Copy the example config file.

    cd /etc/cb/integrations/cb-defense-syslog

    cp cb-defense-syslog.conf.example cb-defense-syslog.conf

  3. Modify the config file (/etc/cb/integrations/cb-defense-syslog/cb-defense-syslog.conf).

    • Remove {{source}}| from the template line so it becomes

      template = {{version}}|{{vendor}}|{{product}}|{{dev_version}}|{{signature}}|{{name}}|{{severity}}|{{extension}}

    • Specify the syslog protocol of your choice and the port number, for example:

      output_type=tcp

      tcp_out=<USM-Anywhere-Sensor-IP-Address>:601

      Note: USM Anywhere listens for syslog at UDP port 514, TCP port 601, or TLS/TCP port 6514.

      If you use TLS over TCP, you also need to download the certificate from USM Anywhere, place the file (USM-Anywhere-Syslog-CA.pem) in /etc/cb/integrations/cb-defense/, and update the ca_cert parameter accordingly.

    • Replace connector_id, api_key, and server_url with the correct Cb Defense values.

  4. Test the connector.

    As the root user, execute

    /usr/share/cb/integrations/cb-defense-syslog/cb-defense-syslog --config-file /etc/cb/integrations/cb-defense-syslog/cb-defense-syslog.conf --log-file /var/log/cb/integrations/cb-defense-syslog/cb-defense-syslog.log

    Then

    cat /var/log/cb/integrations/cb-defense-syslog/cb-defense-syslog.log

    Look for the "successfully connected" message in the log.

  5. Enable the connector in cron.

    In /etc/cron.d/cb-defense-syslog, uncomment the Cb Defense Connector entry (remove the leading # from the last line).

    By default, the connector runs once every hour.
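The following script is an added example, not code from the Cb Defense connector or from the USM Anywhere documentation. It applies the step 3 edits (drop {{source}}| from the template, point TCP output at the sensor) to a copy of the config file and then verifies the result before the file is put into service. The config layout, the sensor address 192.0.2.10, and the connector placeholders are constructed for the example.

```shell
#!/bin/sh
# Added example: rewrite a copy of cb-defense-syslog.conf as described in
# steps 2-3 of the procedure, then check the settings USM Anywhere needs.
# Assumptions: "key = value" lines as in the example file; 192.0.2.10 is a
# placeholder sensor address (TEST-NET range), not a real sensor.

# apply_usm_config <src.conf> <dst.conf> <sensor-ip> [port]
apply_usm_config() {
    src="$1"; dst="$2"; sensor="$3"; port="${4:-601}"
    # Remove the {{source}}| field from the template line and switch the
    # connector to TCP output towards the USM Anywhere Sensor.
    sed -e 's/^\(template[[:space:]]*=.*\){{source}}|/\1/' \
        -e 's/^output_type[[:space:]]*=.*/output_type=tcp/' \
        -e "s/^tcp_out[[:space:]]*=.*/tcp_out=${sensor}:${port}/" \
        "$src" > "$dst"
}

# verify_usm_config <conf>: exit status 0 only when the three settings match
# what the plugin expects (no {{source}} field, TCP output, TCP 601 or TLS 6514).
verify_usm_config() {
    conf="$1"
    if grep -q '{{source}}' "$conf"; then return 1; fi
    grep -q '^template[[:space:]]*=[[:space:]]*{{version}}|{{vendor}}|' "$conf" || return 1
    grep -q '^output_type=tcp$' "$conf" || return 1
    grep -Eq '^tcp_out=([0-9]{1,3}\.){3}[0-9]{1,3}:(601|6514)$' "$conf" || return 1
}

# make_sample_config <path>: constructed stand-in for cb-defense-syslog.conf.example
make_sample_config() {
    cat > "$1" <<'EOF'
[general]
template = {{source}}|{{version}}|{{vendor}}|{{product}}|{{dev_version}}|{{signature}}|{{name}}|{{severity}}|{{extension}}
output_type=udp
tcp_out=
udp_out=
connector_id=<connector_id>
api_key=<api_key>
server_url=https://api.example.invalid
EOF
}

# Demo run in a scratch directory instead of /etc/cb/integrations/cb-defense-syslog
WORK="$(mktemp -d)"
make_sample_config "$WORK/cb-defense-syslog.conf.example"
apply_usm_config "$WORK/cb-defense-syslog.conf.example" "$WORK/cb-defense-syslog.conf" 192.0.2.10 601
verify_usm_config "$WORK/cb-defense-syslog.conf" && echo "config OK: $WORK/cb-defense-syslog.conf"
```

Run it against the real paths only after reviewing the rewritten file; the verify function is also a quick check to run after any later hand edit to the config.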

Plugin Enablement

The Cb Defense plugin automatically processes all messages when the raw message contains "Confer\\|Confer_Syslog_Connector".

Important: If you plan to use the same asset (an IP-addressable host, including but not limited to network devices, virtual servers, and physical servers) to forward other Carbon Black logs (such as the Cb Response logs), which are not auto-discovered, you must configure the plugin enablement in USM Anywhere.

For detailed instructions about how to associate plugins with an asset, see Manual Plugin Management.

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • customfield_3
  • customheader_3
  • destination_username
  • event_action
  • event_description_url
  • event_name
  • event_receipt_time
  • event_severity
  • plugin_device
  • plugin_device_type
  • rep_device_address
  • rep_device_hostname
  • rep_device_rule_id
  • rep_device_type
  • rep_device_vendor
  • rep_device_version
  • source_ntdomain

Troubleshooting

For troubleshooting, refer to the vendor documentation:

https://www.carbonblack.com/products/services/customer-support/