CB Event Forwarder 3.3.0 Released

Posted on October 19, 2016


New Features

Output Changes

In addition, new fields were added to the output (thanks to Red Canary):

  • Process start message (procstart or process):
    • parent_path: Path to the parent process
    • parent_create_time: Parent process creation time
    • parent_md5: Parent process binary MD5 hash
    • expect_followon_w_md5: In certain cases, the MD5 for the new process isn’t available at the time the message is generated. This will be “true” if another process start message will be sent with the correct process MD5.
  • File modification message (filemod):
    • filetype: Integer enum with the type of file written to the endpoint
    • filetype_name: File type as string (decoded from the list linked above)
    • file_md5: MD5 hash of the file, only available on certain file types (mostly executables)
  • Cross-process messages (crossprocopen or remotethread):
    • is_target: True if this process is the target of the Process Open or CreateRemoteThread request

The following bugs were fixed:

  • A potential crash on malformed input received from the EDR server via the bulk sensor exchange was identified and fixed.

HTTP Output Type

Event Forwarder 3.3.0 introduces support for POSTing events to a remote HTTP or HTTPS endpoint. The Forwarder can use HTTP basic authentication and/or SSL client certificates for mutual authentication. To use the HTTP output support, set the output_type to http and set httpout to the URL of the remote HTTP/HTTPS endpoint. Additional options are available in the http stanza in the configuration file. The options, with a description and default for each, are shown below:

# httpout:
#   uses the format <temporary file location>:<HTTP URL>
#   where the temporary file location is optional; defaults to /var/cb/data/event-forwarder
# for more http options, see the [http] section below.
# examples:
#   httpout=/tmp/http_out:
#   httpout=

# By default the HTTP POST output type will initiate a connection to the remote service every five minutes, or when
#  the temporary file containing the event output reaches 10MB.

# Set the default timeout period in seconds. By default, cb-event-forwarder will contact the remote service every five
#  minutes (300 seconds)
# bundle_send_timeout=300

# Send empty updates? By default, cb-event-forwarder will send an empty update every bundle_send_timeout seconds.
#  if this is set to false, then the cb-event-forwarder will not initiate a connection to the remote service unless
#  there are events to send.
# upload_empty_files=true

# Set the maximum file size before the events must be flushed to the remote service. The default is 10MB.
# bundle_size_max=10485760

# Override the default template used for posting JSON to the remote service.
# The template language is Go's text/template; see
# The following placeholders can be used:
#  {{.FileName}} - the filename of the current event-forwarder file being uploaded (for example event-forwarder.2016-08-11T01:01:01Z)
#  {{.Events}} - the list of events being uploaded as a "range". Each event has the following placeholder:
#   {{.EventText}} - the event itself, as a JSON dictionary.
#                    Note that a comma is added to each event (except the last) to make the list proper JSON.
# The default template for JSON is:
# http_post_template={"filename": "{{.FileName}}", "service": "carbonblack", "alerts":[{{range .Events}}{{.EventText}}{{end}}]}

# Override the content-type sent to the remote service through the HTTP Content-Type header.
#  The default content-type for JSON output is application/json.
# content_type=application/json

# Uncomment ca_cert to specify a file containing PEM-encoded CA certificates for verifying the peer server
# ca_cert=/etc/cb/integrations/event-forwarder/ca-certs.pem

# Uncomment tls_verify and set to "false" in order to disable verification of the peer server certificate
# tls_verify=false

# Uncomment client_key and client_cert and set to files containing PEM-encoded private key and public
#  certificate when using client TLS certificates
# client_key=/etc/cb/integrations/event-forwarder/client-key.pem
# client_cert=/etc/cb/integrations/event-forwarder/client-cert.pem

# Uncomment authorization_token to place a value in the outgoing HTTP "Authorization" header
#  (used in HTTP Basic Authentication). See
#  for more information. By default no Authorization header is sent.
# authorization_token=Basic QWxhZGRpbjpPcGVuU2VzYW1l
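
A receiving endpoint for the HTTP output configured above, as an added example that is not part of the original post or of the cb-event-forwarder project. It compares the Authorization header in constant time, bounds the request body, parses the default http_post_template, and counts events flagged expect_followon_w_md5. The token value, listen address and certificate file names are constructed assumptions.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"log"
	"net/http"
)

const (
	wantAuth = "Basic ZXhhbXBsZTpjb25zdHJ1Y3RlZA==" // constructed; must equal authorization_token
	maxBody  = 2 * 10485760                         // headroom over the bundle_size_max default
)

type bundle struct { // mirrors the default http_post_template
	FileName string                   `json:"filename"`
	Service  string                   `json:"service"`
	Alerts   []map[string]interface{} `json:"alerts"`
}

// pendingMD5 counts events whose MD5 will only arrive in a follow-on process start message.
func pendingMD5(b bundle) int {
	n := 0
	for _, ev := range b.Alerts {
		if fmt.Sprint(ev["expect_followon_w_md5"]) == "true" { // accepts bool or string
			n++
		}
	}
	return n
}

// receive authenticates the POST, caps the body size, and parses the bundle.
func receive(w http.ResponseWriter, r *http.Request) {
	got := []byte(r.Header.Get("Authorization"))
	if r.Method != http.MethodPost || subtle.ConstantTimeCompare(got, []byte(wantAuth)) != 1 {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	var b bundle
	if err := json.NewDecoder(http.MaxBytesReader(w, r.Body, maxBody)).Decode(&b); err != nil || b.Service != "carbonblack" {
		http.Error(w, "bad bundle", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "%d events, %d awaiting md5", len(b.Alerts), pendingMD5(b))
}

func main() { // hypothetical address and certificate file names; TLS protects the Basic credential
	log.Fatal(http.ListenAndServeTLS("127.0.0.1:8443", "server-cert.pem", "server-key.pem", http.HandlerFunc(receive)))
}
```

With upload_empty_files left at its default, the endpoint also receives bundles with an empty alerts list, which the handler accepts and reports as zero events.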