When you configure Carbon Black Cb Response (formerly Carbon Black Endpoint Security) integration to send log data to USM Anywhere, you can use the Cb Response plugin to translate the raw log data into normalized events for analysis.

Device Details
Device vendor Carbon Black
Device type Cb Response
Connection type Syslog

Cb Response Integration

Before you configure the integration, you must have the IP address of the USM Anywhere Sensor.

To send log data from Cb Response to USM Anywhere

  1. Install the cb-event-forwarder RPM package:

    yum install cb-event-forwarder

  2. Modify the /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf file to include the following item.


  3. If you are not installing on the Cb Response server, make these configuration updates.

    • Locate /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf, and copy the RabbitMQ user name and password into the rabbit_mq_username and rabbit_mq_password variables, respectively.
    • In the cb_server_hostname variable, enter the host name or IP address of the Cb Response server.
  4. Ensure that the configuration is valid by running the cb-event-forwarder in check mode.

    /usr/share/cb/integrations/event-forwarder/cb-event-forwarder -check

    • If valid, the system displays the Initialized output message.
    • If there are errors, the system displays the information.

    By default, Cb Response publishes all feed and watchlist events over the bus.

  5. Choose the types of events that you want to capture by enabling them in the /etc/cb/cb.conf file.

    • Raw sensor events — Edit the DatastoreBroadcastEventTypes option to enable broadcast of the raw sensor events that you want to export.
    • Binary observed events — Set the EnableSolrBinaryInfoNotifications option to True.
  6. To enable your changes to the file, restart the Cb Response server.

    service cb-enterprise restart

  7. Start the cb-event-forwarder service.

    initctl start cb-event-forwarder
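The steps above edit cb-event-forwarder.conf by hand and then rely on `-check` to catch mistakes. The following pre-flight check, an added example that is not AT&T or Carbon Black code, parses the file before you run the binary and reports the keys the procedure says must be filled in (rabbit_mq_username, rabbit_mq_password, cb_server_hostname). It assumes the file is a flat `key=value` list with `#` comments; the sample configuration and the `-check` output strings are constructed here, and `forwarder_check_ok` only implements the "Initialized means valid" rule stated in step 4.

```python
"""Pre-flight check for a cb-event-forwarder.conf edited per the steps above.
Added example; assumes a flat key=value file with '#' comments."""
import re

# Keys step 3 says must be set when the forwarder runs off the Cb Response server.
REQUIRED_KEYS = ("rabbit_mq_username", "rabbit_mq_password", "cb_server_hostname")

# Constructed sample; the password is a placeholder, not a real credential.
SAMPLE_CONF = """# constructed sample cb-event-forwarder.conf
rabbit_mq_username=cb
rabbit_mq_password=PLACEHOLDER_PASSWORD
cb_server_hostname=cb-response.example.internal
"""


def parse_conf(text):
    """Parse key=value lines, skipping blanks and '#' comments (assumed format)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def check_conf(text, remote=True):
    """Return a list of problems; an empty list means the file is ready for -check.

    remote=True applies the step-3 requirements for a forwarder that is not
    installed on the Cb Response server itself.
    """
    conf = parse_conf(text)
    problems = []
    if remote:
        for key in REQUIRED_KEYS:
            if not conf.get(key):
                problems.append(f"{key} is missing or empty")
    host = conf.get("cb_server_hostname", "")
    # Host name or IPv4 address only; anything else is almost certainly a typo.
    if host and not re.fullmatch(r"[A-Za-z0-9.-]+", host):
        problems.append("cb_server_hostname is not a valid host name or IP address")
    return problems


def forwarder_check_ok(check_output):
    """Apply step 4: the forwarder's -check run is valid only if it prints Initialized."""
    return "Initialized" in check_output


if __name__ == "__main__":
    for problem in check_conf(SAMPLE_CONF):
        print("problem:", problem)
    print("sample conf ok:", not check_conf(SAMPLE_CONF))
```

Run it against the real file with `check_conf(open("/etc/cb/integrations/event-forwarder/cb-event-forwarder.conf").read())` before invoking `-check`; the function deliberately does not print the password value, so its output is safe to paste into a ticket.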

Plugin Enablement

For plugin enablement information, see Manual Plugin Management.

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. The USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • audit_reason

  • customfield_0

  • customfield_1

  • customheader_0

  • customheader_1

  • destination_address

  • destination_address_6

  • destination_port

  • device_direction

  • device_external_id

  • event_category

  • event_description

  • event_description_url

  • event_name

  • event_severity

  • file_hash

  • file_hash_algorithm

  • file_path

  • rep_device_rule_id

  • reputation_score

  • security_group_name

  • source_address

  • source_address_6

  • source_nat_address

  • source_process

  • source_hostname

  • time_end

  • timestamp_occured

  • time_start

  • transport_protocol
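To make the field list concrete, here is an added example, not the USM Anywhere plugin itself, that takes one syslog line carrying a forwarder event and fills in a subset of the plugin fields listed above (event_name, event_category, source_hostname, file_path, file_hash, file_hash_algorithm, reputation_score, timestamp_occured, event_description). The sample line and the JSON key names inside it (type, hostname, md5, path, timestamp, watchlist_name, score) are constructed for the example and are an assumption about the event shape, not the documented cb-event-forwarder schema; the normalizer rejects lines that do not carry a JSON payload.

```python
"""Map a constructed cb-event-forwarder syslog line onto USM Anywhere plugin
field names. Added example; the raw JSON key names are assumed, not documented."""
import json
import re

# BSD-style syslog header followed by a JSON object as the message body (assumed shape).
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<app>[^:]+): (?P<msg>\{.*\})$"
)

# Constructed sample event (hostname, hash and path are made up).
SAMPLE_LINE = (
    r'<134>Jan  5 10:00:00 cbserver cb-event-forwarder: '
    r'{"type": "watchlist.hit.process", "hostname": "WS-042", '
    r'"md5": "D41D8CD98F00B204E9800998ECF8427E", '
    r'"path": "c:\\windows\\temp\\dropper.exe", "timestamp": 1577959200, '
    r'"watchlist_name": "Suspicious temp execution", "score": 80}'
)


def normalize(line):
    """Return a dict keyed by plugin field name, or None if the line is not a forwarder event."""
    match = SYSLOG_RE.match(line)
    if not match:
        return None
    try:
        raw = json.loads(match.group("msg"))
    except json.JSONDecodeError:
        return None

    event_type = raw.get("type", "")
    event = {
        "event_name": event_type or None,
        # "watchlist.hit.process" -> "watchlist": the first label groups the event family.
        "event_category": event_type.split(".")[0] if event_type else None,
        "source_hostname": raw.get("hostname"),
        "file_path": raw.get("path"),
        "timestamp_occured": raw.get("timestamp"),
        "event_description": raw.get("watchlist_name"),
    }
    # Normalize the hash to lower case so correlation rules match regardless of source casing.
    if raw.get("md5"):
        event["file_hash"] = raw["md5"].lower()
        event["file_hash_algorithm"] = "md5"
    if raw.get("score") is not None:
        event["reputation_score"] = int(raw["score"])
    # Drop fields the raw event did not supply rather than emitting nulls.
    return {key: value for key, value in event.items() if value is not None}


if __name__ == "__main__":
    for field, value in sorted(normalize(SAMPLE_LINE).items()):
        print(f"{field}: {value}")
```

Lower-casing file_hash and recording file_hash_algorithm alongside it is the detail worth copying: a custom report or correlation rule that compares hashes against a threat list only works if both sides agree on case and algorithm.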


For troubleshooting, refer to the vendor documentation: