CB Event Forwarder 3.1.0 Released

Posted on December 24, 2015


cb-event-forwarder 3.1.0

The 3.1.0 release of cb-event-forwarder adds the following features over 3.0.0:

  • “Deep links” into the Cb server UI are now optionally available in the output
    • These links allow you to directly access the relevant sensor, binary, or process context for each event output by the cb-event-forwarder.
    • The new variable cb_server_url has been added to the configuration file to support this new feature. Set this variable to the base URL of the Carbon Black web UI. If this variable is not set, then no links are generated.
    • The new links are available in the link_process, link_child (in child process events), link_md5 and link_sensor keys of the JSON or LEEF output.
    • Note that links to processes and binaries may result in 404 errors until the process and binary data is committed to disk on the Carbon Black server. Process events received via the event-forwarder may take up to 15 minutes or longer before they’re visible on the Carbon Black web UI.
  • All Carbon Black 5.1 event types are now supported
    • Microsoft EMET
    • Carbon Black Tamper events
    • Cross-process (process open/thread create) events
    • Carbon Black process/network blocking events
  • Network events now include the local IP and port number of the network connection (available on Carbon Black 5.1 servers and sensors)
    • The IP four-tuple is now available as the local_ip, local_port, remote_ip and remote_port keys in the JSON/LEEF output
  • A human-readable status page for runtime statistics is now provided
    • By default, these statistics are available via HTTP on port 33706 of the system running the cb-event-forwarder.
  • Fixed regressions, relative to cb-event-forwarder 2.x output, on some JSON message types
    • cb-event-forwarder 3.0.0 was missing the computer_name field from some JSON messages
  • New Amazon S3 options; see the [s3] section of the configuration file
    • Specify whether the files uploaded to S3 should be encrypted with server-side encryption (see server_side_encryption)
    • Define an ACL policy to apply to files uploaded to S3 (see acl_policy)
    • Specify the credential profile used when connecting to S3 (see credential_profile)
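As an added example (not code from the cb-event-forwarder project), the consumer below parses newline-delimited JSON output carrying the new fields above: the network four-tuple, the optional link_* keys, and computer_name. The sample records are constructed, and field names not listed in the release notes (type, sensor_id, the ingress.event.netconn type value) are assumptions for this example; it tolerates records from pre-5.1 sensors that lack the local side and records produced with cb_server_url unset.

```python
import json
from typing import Dict, List, Optional

# Constructed sample: two newline-delimited JSON records in the shape of
# cb-event-forwarder 3.1.0 output. Field names beyond those in the release
# notes ("type", "sensor_id") and the URLs are assumptions / placeholders.
SAMPLE_OUTPUT = "\n".join([
    json.dumps({
        "type": "ingress.event.netconn", "sensor_id": 7, "computer_name": "WS-01",
        "local_ip": "10.0.0.12", "local_port": 49152,
        "remote_ip": "203.0.113.5", "remote_port": 443,
        "link_process": "https://cb.example.internal/PLACEHOLDER-process",
        "link_sensor": "https://cb.example.internal/PLACEHOLDER-sensor",
    }),
    # Record from a pre-5.1 sensor (no local side) forwarded with
    # cb_server_url unset, so no link_* keys are present at all.
    json.dumps({
        "type": "ingress.event.netconn", "sensor_id": 3, "computer_name": "WS-02",
        "remote_ip": "198.51.100.9", "remote_port": 80,
    }),
])

LINK_KEYS = ("link_process", "link_child", "link_md5", "link_sensor")


def normalize_netconn(record: Dict) -> Optional[Dict]:
    """Reduce a netconn record to host, IP four-tuple and any deep links.

    local_ip/local_port only exist for Carbon Black 5.1 servers and sensors,
    so older records yield (None, None) instead of raising KeyError. Links are
    collected only if the forwarder actually emitted them (cb_server_url set).
    """
    if record.get("type") != "ingress.event.netconn":
        return None
    return {
        "host": record.get("computer_name"),  # absent in some 3.0.0 output
        "local": (record.get("local_ip"), record.get("local_port")),
        "remote": (record["remote_ip"], record["remote_port"]),
        "links": {k: record[k] for k in LINK_KEYS if k in record},
    }


def parse_forwarder_lines(text: str) -> List[Dict]:
    """Parse newline-delimited JSON and keep only normalized netconn events."""
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue  # skip blank lines between records
        norm = normalize_netconn(json.loads(line))
        if norm is not None:
            results.append(norm)
    return results
```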