VMware Carbon Black
Sumo Logic provides a complete security analytics solution by allowing you to correlate, validate and investigate VMware Carbon Black endpoint alerts with alerts from other security vendors and security threat feeds to identify and remediate the root causes of new security threats.
The Sumo Logic App for VMware Carbon Black provides visibility into key endpoint security data from VMware Carbon Black EDR and Endpoint Standard with pre-configured dashboards for alerts, threat intelligence, feeds, sensors, users, hosts, processes, IOCs, devices, and network status.
- VMware Carbon Black Endpoint Detection and Response (EDR) is an incident response and threat hunting solution designed for security operations center (SOC) teams. EDR continuously records and stores unfiltered endpoint data, so that security professionals can hunt threats in real time and visualize the complete attack kill chain.
- VMware Carbon Black Endpoint Standard is a next-generation antivirus (NGAV) solution available through MSSPs or directly as software as a service through VMware Carbon Black’s Predictive Security Cloud (PSC).
Log types
Sumo Logic analyzes the following required VMware Carbon Black events for more efficient monitoring:
- VMware Carbon Black EDR Events
- VMware Carbon Black Endpoint Standard Events
Carbon Black events are forwarded to Sumo Logic by Carbon Black, as defined in Collect Logs for Carbon Black. For more information, see Endpoint Detection Response and Endpoint Standard documentation.
Collect Logs for VMware Carbon Black
This section provides instructions for adding a hosted collector, HTTP and S3 sources, and then configuring collection so that findings reach the Carbon Black App.
Collection overview
VMware Carbon Black Endpoint Detection and Response (EDR) events can be sent to Sumo Logic via its event forwarder mechanism. The cb-event-forwarder can be installed on any 64-bit Linux machine running CentOS 6.x. It can be installed on the same machine as the Carbon Black server, or any other machine. Data can be sent in either JSON or LEEF format, both of which are supported by Sumo Logic.
VMware Carbon Black Cloud Endpoint Standard events can be collected via VMware Carbon Black Event Forwarder S3 mechanism and a Sumo Logic S3 source.
For more in-depth information, see Endpoint Standard and EDR documentation.
Step 1: Add a Hosted Collector
To add a hosted collector, perform the steps as defined on the page Configure a Hosted Collector.
Step 2: Configure Collection for VMware Carbon Black EDR
To configure collection, add an HTTP Source, get credentials for VMware Carbon Black, and configure the event forwarder.
Add an HTTP Source for VMware Carbon Black EDR
To add an HTTP source for VMware Carbon Black EDR, do the following:
- Add HTTP Logs and Metrics Source for VMware Carbon Black EDR.
When you configure the HTTP Sources, make sure to save the HTTP Source Address URLs. You will need these URLs later.
Get credentials from VMware Carbon Black EDR
VMware Carbon Black EDR event forwarder requires a RabbitMQ Username and Password. Copy RabbitMQUser and RabbitMQPassword from /etc/cb.conf from the VMware Carbon Black EDR server. These will be required in the next step.
Configure the event forwarder for VMware Carbon Black EDR
This section provides instructions for configuring the collection of VMware Carbon Black EDR events.
The steps in the following procedure should be done as the “root” user on your target Linux system.
To configure the collection of VMware Carbon Black EDR events:
- If it isn't already present, install the CbOpenSource repository:
cd /etc/yum.repos.d
curl -O https://opensource.carbonblack.com/release/x86_64/CbOpenSource.repo
- Install the RPM with YUM:
yum install cb-event-forwarder
- Configure cb-event-forwarder
- If installing on a machine other than the Carbon Black EDR server, copy the RabbitMQ username and password into the rabbit_mq_username and rabbit_mq_password variables in the /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf file. Also fill in cb_server_hostname with the hostname or IP address at which the Carbon Black EDR server can be reached.
- If the cb-event-forwarder is forwarding events from a Carbon Black EDR cluster, the cb_server_hostname should be set to the hostname or IP address of the Carbon Black EDR master node. More details here.
- Additionally, set the following variables in cb-event-forwarder.conf:
output_type as http
output_format as JSON or LEEF, as required
httpout as the HTTP Source Address from the previous step
- Ensure that the configuration is correct by running (as root) the cb-event-forwarder in check mode:
/usr/share/cb/integrations/event-forwarder/cb-event-forwarder -check
- Start and stop the service. Once the service is installed, it is managed by the Upstart init system in CentOS 6.x. You can control the service with the initctl command:
- To start the service:
initctl start cb-event-forwarder
- To stop the service:
initctl stop cb-event-forwarder
Once the service is installed, it is configured to start automatically on system boot.
Step 3: Configure Collection for VMware Carbon Black Cloud Endpoint Standard
Add an S3 Source for VMware Carbon Black Cloud Endpoint Standard
To add an S3 source for VMware Carbon Black Cloud Endpoint Standard, do the following:
- Create a new bucket in S3 for Cloud Endpoint Standard events collection.
- Add an S3 Source for Cloud Endpoint Standard as per the example below. Populate the bucket name and path as created in the previous step.
Configure VMware Carbon Black Cloud Endpoint Standard to send alerts and events to S3
VMware Carbon Black Cloud Endpoint Standard events are pushed to S3 by the VMware Carbon Black Event Forwarder S3 output and collected by the Sumo Logic S3 Source.
To configure the Event Forwarder, follow the steps mentioned here. Carefully evaluate this information to ensure that your configuration reflects the data set you would like to send to Sumo Logic.
Utilize the S3 bucket created in the previous steps while configuring the Event Forwarder.
Step 4: Verify Sumo is receiving findings
In Sumo, open a Live Tail tab and run a search to verify Sumo is receiving findings. Search by the source category you assigned to the HTTP Source that receives the log data, for example:
_sourceCategory="cb_edr_events" or _sourceCategory="cb_endpoint_standard_events"
For more information, see Live Tail.