CB Defense Integrations

Integrations developed by Carbon Black all have similar installation instructions, unless otherwise specified.

Note: Integrations might require an API URL, which is accessible through a special hostname assigned to your organization. To find your organization’s API hostname, please refer to this KB article.

To start using integrations, as root on your RPM based 64-bit Linux distribution server:

cd /etc/yum.repos.d
curl -O https://opensource.carbonblack.com/release/x86_64/CbOpenSource.repo

Then install the appropriate connector by executing:

yum install <connector-name>

Carbon Black Integration Network

Carbon Black Integration Network Partners support vendor interoperability to help customers build next-generation security infrastructures. Leveraging our Open APIs, Carbon Black has partnered with industry leaders to create integrated solutions that provide end-to-end protection against advanced threats.

As a member of the Carbon Black Connect program, partners can submit their products to Carbon Black for certification and promote interoperability across security solutions.

SIEM Connectors

These connectors allow users to send notifications or alerts into a SIEM like Splunk or QRadar.

CB Defense Syslog Connector

Connector Name: python-cb-defense-syslog

This connector allows you to forward alert notifications from your CB Defense cloud instance into local, on-premise SIEM systems that accept industry standard syslog notifications. By default, it will generate pipe-delimited syslog messages containing the key metadata associated with any alert identified by the CB Defense streaming prevention system.

The syslog connector will aggregate data from one or more CB Defense organizations into a single syslog stream. The connector can be configured to use UDP, TCP, or encrypted (TCP over TLS) syslog protocols.

This connector is distributed as a binary RPM package compatible with any Red Hat or CentOS Linux distribution, CentOS/RHEL 6.x, running on a 64-bit Intel platform.

Installation

  1. Install the software. As root on your Carbon Black or other RPM based 64-bit Linux distribution server:

    cd /etc/yum.repos.d

    curl -O https://opensource.carbonblack.com/release/x86_64/CbOpenSource.repo

    yum install python-cb-defense-syslog

  2. Copy the example config file:

    cd /etc/cb/integrations/cb-defense-syslog

    cp cb-defense-syslog.conf.example cb-defense-syslog.conf

  3. Modify the config file /etc/cb/integrations/cb-defense-syslog/cb-defense-syslog.conf as needed

  4. Test the new connector. As root, execute:

    /usr/share/cb/integrations/cb-defense-syslog/cb-defense-syslog --config-file /etc/cb/integrations/cb-defense-syslog/cb-defense-syslog.conf --log-file /var/log/cb/integrations/cb-defense-syslog/cb-defense-syslog.log

    Then:

    cat /var/log/cb/integrations/cb-defense-syslog/cb-defense-syslog.log

    A successful run will look like:

    2017-06-27 09:24:10,747 - __main__ - INFO - Found 1 CB Defense Servers in config file
2017-06-27 09:24:10,748 - __main__ - INFO - Handling notifications for https://api-url.conferdeploy.net
2017-06-27 09:24:10,748 - __main__ - INFO - Attempting to connect to url: https://api-url.conferdeploy.net
2017-06-27 09:24:10,748 - __main__ - INFO - connectorID = XXXX
2017-06-27 09:24:10,845 - __main__ - INFO - <Response [200]>
2017-06-27 09:24:10,845 - __main__ - INFO - sessionId = XXXX
2017-06-27 09:24:10,888 - __main__ - INFO - <Response [200]>
2017-06-27 09:24:10,889 - __main__ - INFO - successfully connected, no alerts at this time
2017-06-27 09:24:10,889 - __main__ - INFO - There are no messages to forward to host

  5. Start the connector by enabling it in cron. Uncomment the CB Defense Connector (remove the beginning # from the last line) in /etc/cron.d/cb-defense-syslog. By default, the connector will run once per hour.

Debug Logs

Debug Logs are stored in /var/log/cb/integrations/cb-defense-syslog/

Sample Config File

[general]

#
# Template for syslog output.
# This is a jinja 2 template
# NOTE: The source variable corresponds to the CB Defense Server used to retrieve results
#
template = {{source}}|{{version}}|{{vendor}}|{{product}}|{{dev_version}}|{{signature}}|{{name}}|{{severity}}|{{extension}}

#
# Configure the specific output.
# Valid options are: 'udp', 'tcp', 'tcp+tls'
#
#  udp     - Have the events sent over a UDP socket
#  tcp     - Have the events sent over a TCP socket
#  tcp+tls - Have the events sent over a TLS+TCP socket
#
output_type=tcp

#
# tcpout=IP:port - ie 1.2.3.5:8080
#
tcp_out=

#
# udpout=IP:port - ie 1.2.3.5:8080
#
udp_out=

[tls]

#
# Specify a file containing PEM-encoded CA certificates for verifying the peer server when using TLS+TCP syslog
#
#ca_cert = /etc/cb/integrations/cb-defense/cert.pem

#
# Uncomment tls_verify and set to "false" in order to disable verification of the peer server certificate
#
#tls_verify = true

[cbdefense1]

#
# CB Defense Connector ID
#
connector_id = F8KF111111

#
# CB Defense API Key
#
api_key = WT9T3QDP4UGCK2NS96111111

#
# CB Defense Server URL
# NOTE: this is not the url to the web ui, but to the url of sensor checkins
#
server_url = https://server.yourcompany.com

#
# For more than one CB Defense Server, add another server using the following template including the stanza
#
#[cbdefenseserver2]
#connector_id = F8KF111111
#api_key = WT9T3QDP4UGCK2NS96111111
#server_url = https://server2.yourcompany.com

CB Defense Splunk Add-On

The CB Defense Add-On for Splunk allows administrators to forward events and notifications from the industry’s leading NGAV solution into Splunk for correlation and analysis.

This Add-On is available via Splunkbase at https://splunkbase.splunk.com/app/3545/#/details. You will be able to install this Add-On via Splunkbase on both Splunk on-premise and Splunk Cloud.

Requirements

This app requires CB Defense and Splunk version 6.4 or above.

No additional hardware requirements are necessary for running this app above the standard requirements for both Carbon Black and Splunk.

Getting Started

Once the CB Defense app for Splunk is installed, then you must configure it to connect to your CB Defense server. This is done by creating a CB Defense API Key and attaching it to one or more Notification Rules. To create a SIEM API Key and notification rule:

  1. Log into your CB Defense Dashboard and select the Settings/API Keys menu option.
  2. Create a new key of “SIEM” access level and name it. Optionally, restrict access to this connector by IP address range.
  3. Select the Settings/Notifications menu option.
  4. Create a new Notification Rule and add your new SIEM connector to the list of notifiers. You can search by API Key name. The Notification Rule defines what alerts are sent to the SIEM. No events will be sent to Splunk if a notification rule isn’t linked to the SIEM connector.

Next, configure the CB Defense app for Splunk to connect to your CB Defense server:

  1. Start the CB Defense App in Splunk
  2. Go to the “Configuration” tab - “Add-On Settings” page and fill in the following fields:
    1. Enter the API hostname for your CB Defense instance in the URL field. Example: api-url.conferdeploy.net. Refer to: CB Defense API Basics.
    2. Set SIEM API ID to the API ID obtained from the Carbon Black Cloud Console. Do the same for your SIEM API Secret Key. Refer to: Carbon Black Cloud Authentication.
  3. Go to the “Inputs” tab and click “Create new input” with the following settings:
    1. Set “name” to anything (for example “cbdefense”)
    2. Set “interval” to 60 seconds (the polling interval of the CB Defense notifications API)
    3. Set “index” to whatever Splunk index you’d like the app to place CB Defense events into

The CB Defense app for Splunk uses Splunk’s encrypted credential storage facility to store the API token for your CB Defense server, so the API key is stored securely on the Splunk server.

Last modified on May 7, 2019