VMware Carbon Black EDR

Collect logs from VMware Carbon Black EDR with Elastic Agent.

Version
1.18.1 (View all)
Compatible Kibana version(s)
8.13.0 or higher
Supported Serverless project types

Security
Observability
Subscription level
Basic
Level of support
Elastic

The VMware Carbon Black EDR integration collects EDR Server and raw Endpoint events exported by Carbon Black EDR Event Forwarder. The following output methods are supported: http, tcp, udp and file.

Compatibility

This integration has been tested with the 3.7.4 version of EDR Event Forwarder.

Configuration

The following configuration is necessary in cb-event-forwarder.conf:

  • output_format=json (default)

For http output:

  • output_type=http
  • http_post_template=[{{range .Events}}{{.EventText}}{{end}}]
  • content_type=application/json (default)

For tcp output:

  • output_type=tcp
  • tcpout=<Address of Elastic Agent>:<port>

For udp output:

  • output_type=tcp
  • tcpout=<Address of Elastic Agent>:<port>

For file output:

  • output_type=file
  • outfile=<path to a file readable by Elastic Agent>

An example event for log looks as following:

{
    "@timestamp": "2014-04-11T19:21:33.682Z",
    "agent": {
        "ephemeral_id": "7bb86a18-d262-4348-b206-131e38d2d1c8",
        "id": "9cb9fa70-f3e9-45d8-b1cb-61425bd93e1a",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.0.0-beta1"
    },
    "carbonblack": {
        "edr": {
            "event_timestamp": 1397244093.682,
            "feed_id": 7,
            "feed_name": "dxmtest1",
            "ioc_attr": {},
            "md5": "506708142BC63DABA64F2D3AD1DCD5BF",
            "report_id": "dxmtest1_04",
            "sensor_id": 3321
        }
    },
    "data_stream": {
        "dataset": "carbonblack_edr.log",
        "namespace": "ep",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "9cb9fa70-f3e9-45d8-b1cb-61425bd93e1a",
        "snapshot": false,
        "version": "8.0.0-beta1"
    },
    "event": {
        "action": "unknown",
        "agent_id_status": "verified",
        "dataset": "carbonblack_edr.log",
        "ingested": "2022-01-25T07:45:03Z",
        "kind": "event",
        "original": "{\"md5\":\"506708142BC63DABA64F2D3AD1DCD5BF\",\"report_id\":\"dxmtest1_04\",\"ioc_type\":\"md5\",\"ioc_value\":\"506708142bc63daba64f2d3ad1dcd5bf\",\"ioc_attr\":{},\"feed_id\":7,\"hostname\":\"FS-SEA-529\",\"sensor_id\":3321,\"cb_version\":\"4.2.1.140808.1059\",\"server_name\":\"localhost.localdomain\",\"feed_name\":\"dxmtest1\",\"event_timestamp\":1397244093.682}\n"
    },
    "host": {
        "name": "FS-SEA-529"
    },
    "input": {
        "type": "udp"
    },
    "log": {
        "source": {
            "address": "172.19.0.4:46263"
        }
    },
    "observer": {
        "name": "localhost.localdomain",
        "product": "Carbon Black EDR",
        "type": "edr",
        "vendor": "VMWare",
        "version": "4.2.1.140808.1059"
    },
    "tags": [
        "carbonblack_edr-log",
        "forwarded",
        "preserve_original_event"
    ],
    "threat": {
        "indicator": {
            "file": {
                "hash": {
                    "md5": "506708142bc63daba64f2d3ad1dcd5bf"
                }
            },
            "type": "file"
        }
    }
}

Exported fields

FieldDescriptionType
@timestamp
Event timestamp.
date
carbonblack.edr.action
keyword
carbonblack.edr.actiontype
keyword
carbonblack.edr.alert_severity
double
carbonblack.edr.alert_type
keyword
carbonblack.edr.blocked
boolean
carbonblack.edr.blocked_event
keyword
carbonblack.edr.blocked_reason
keyword
carbonblack.edr.blocked_result
keyword
carbonblack.edr.cb_server
keyword
carbonblack.edr.cb_version
keyword
carbonblack.edr.child_command_line
keyword
carbonblack.edr.child_pid
long
carbonblack.edr.child_process_guid
keyword
carbonblack.edr.child_suppressed
boolean
carbonblack.edr.child_username
keyword
carbonblack.edr.childproc_count
long
carbonblack.edr.childproc_type
keyword
carbonblack.edr.command_line
keyword
carbonblack.edr.comms_ip
keyword
carbonblack.edr.compressed_size
long
carbonblack.edr.computer_name
keyword
carbonblack.edr.created
boolean
carbonblack.edr.created_time
keyword
carbonblack.edr.cross_process_type
keyword
carbonblack.edr.crossproc_count
long
carbonblack.edr.digsig.issuer_name
keyword
carbonblack.edr.digsig.program_name
keyword
carbonblack.edr.digsig.publisher
keyword
carbonblack.edr.digsig.result
keyword
carbonblack.edr.digsig.result_code
keyword
carbonblack.edr.digsig.sign_time
keyword
carbonblack.edr.digsig.subject_name
keyword
carbonblack.edr.direction
keyword
carbonblack.edr.doc
flattened
carbonblack.edr.domain
keyword
carbonblack.edr.emet_timestamp
long
carbonblack.edr.event_timestamp
double
carbonblack.edr.event_type
keyword
carbonblack.edr.expect_followon_w_md5
boolean
carbonblack.edr.feed_id
keyword
carbonblack.edr.feed_name
keyword
carbonblack.edr.feed_rating
double
carbonblack.edr.file_md5
keyword
carbonblack.edr.file_path
keyword
carbonblack.edr.file_sha256
keyword
carbonblack.edr.filemod_count
long
carbonblack.edr.filetype
keyword
carbonblack.edr.filetype_name
keyword
carbonblack.edr.filtering_known_dlls
boolean
carbonblack.edr.group
keyword
carbonblack.edr.host
keyword
carbonblack.edr.hostname
keyword
carbonblack.edr.icon
keyword
carbonblack.edr.image_file_header
keyword
carbonblack.edr.interface_ip
keyword
carbonblack.edr.ioc_attr
flattened
carbonblack.edr.ioc_confidence
double
carbonblack.edr.ioc_type
keyword
carbonblack.edr.ioc_value
keyword
carbonblack.edr.ipv4
keyword
carbonblack.edr.is_target
boolean
carbonblack.edr.ja3
keyword
carbonblack.edr.ja3s
keyword
carbonblack.edr.link_child
keyword
carbonblack.edr.link_md5
keyword
carbonblack.edr.link_parent
keyword
carbonblack.edr.link_process
keyword
carbonblack.edr.link_sensor
keyword
carbonblack.edr.link_target
keyword
carbonblack.edr.local_ip
keyword
carbonblack.edr.local_port
long
carbonblack.edr.log_id
keyword
carbonblack.edr.log_message
keyword
carbonblack.edr.md5
keyword
carbonblack.edr.mitigation
keyword
carbonblack.edr.modload_count
long
carbonblack.edr.netconn_count
long
carbonblack.edr.os_type
keyword
carbonblack.edr.parent_create_time
long
carbonblack.edr.parent_guid
keyword
carbonblack.edr.parent_md5
keyword
carbonblack.edr.parent_path
keyword
carbonblack.edr.parent_pid
long
carbonblack.edr.parent_process_guid
keyword
carbonblack.edr.parent_sha256
keyword
carbonblack.edr.path
keyword
carbonblack.edr.pid
long
carbonblack.edr.port
long
carbonblack.edr.process_guid
keyword
carbonblack.edr.process_id
keyword
carbonblack.edr.process_name
keyword
carbonblack.edr.process_path
keyword
carbonblack.edr.process_unique_id
keyword
carbonblack.edr.protocol
keyword
carbonblack.edr.proxy
boolean
carbonblack.edr.regmod_count
long
carbonblack.edr.remote_ip
keyword
carbonblack.edr.remote_port
long
carbonblack.edr.report_id
keyword
carbonblack.edr.report_score
long
carbonblack.edr.requested_access
long
carbonblack.edr.scores.alliance_score_srstrust
long
carbonblack.edr.scores.alliance_score_virustotal
long
carbonblack.edr.script
keyword
carbonblack.edr.script_sha256
keyword
carbonblack.edr.segment_id
keyword
carbonblack.edr.sensor_criticality
double
carbonblack.edr.sensor_id
keyword
carbonblack.edr.server_name
keyword
carbonblack.edr.sha256
keyword
carbonblack.edr.size
long
carbonblack.edr.status
keyword
carbonblack.edr.tamper
boolean
carbonblack.edr.tamper_sent
boolean
carbonblack.edr.tamper_type
keyword
carbonblack.edr.target_create_time
long
carbonblack.edr.target_md5
keyword
carbonblack.edr.target_path
keyword
carbonblack.edr.target_pid
long
carbonblack.edr.target_process_guid
keyword
carbonblack.edr.target_sha256
keyword
carbonblack.edr.timestamp
double
carbonblack.edr.type
keyword
carbonblack.edr.uid
keyword
carbonblack.edr.unique_id
keyword
carbonblack.edr.username
keyword
carbonblack.edr.utf8_comments
keyword
carbonblack.edr.utf8_company_name
keyword
carbonblack.edr.utf8_copied_module_length
long
carbonblack.edr.utf8_file_description
keyword
carbonblack.edr.utf8_file_version
keyword
carbonblack.edr.utf8_internal_name
keyword
carbonblack.edr.utf8_legal_copyright
keyword
carbonblack.edr.utf8_legal_trademark
keyword
carbonblack.edr.utf8_on_disk_filename
keyword
carbonblack.edr.utf8_original_file_name
keyword
carbonblack.edr.utf8_private_build
keyword
carbonblack.edr.utf8_product_description
keyword
carbonblack.edr.utf8_product_name
keyword
carbonblack.edr.utf8_product_version
keyword
carbonblack.edr.utf8_special_build
keyword
carbonblack.edr.watchlist_id
keyword
carbonblack.edr.watchlist_name
keyword
carbonblack.edr.watchlists.watchlist_1
keyword
carbonblack.edr.watchlists.watchlist_7
keyword
carbonblack.edr.watchlists.watchlist_9
keyword
data_stream.dataset
Data stream dataset name.
constant_keyword
data_stream.namespace
Data stream namespace.
constant_keyword
data_stream.type
Data stream type.
constant_keyword
event.dataset
Event dataset
constant_keyword
event.module
Event module
constant_keyword
host.containerized
If the host is a container.
boolean
host.os.build
OS build information.
keyword
host.os.codename
OS codename, if any.
keyword
input.type
Type of Filebeat input.
keyword
log.flags
Flags for the log file.
keyword
log.offset
Offset of the entry in the log file.
long
log.source.address
Source address from which the log event was read / sent from.
keyword

Changelog

VersionDetailsKibana version(s)

1.18.1

Bug fix View pull request
Use triple-brace Mustache templating when referencing variables in ingest pipelines.

8.13.0 or higher

1.18.0

Enhancement View pull request
Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.

8.13.0 or higher

1.17.0

Enhancement View pull request
Update manifest format version to v3.0.3.

7.14.0 or higher
8.0.0 or higher

1.16.2

Enhancement View pull request
Changed owners

7.14.0 or higher
8.0.0 or higher

1.16.1

Bug fix View pull request
Fix exclude_files pattern.

7.14.0 or higher
8.0.0 or higher

1.16.0

Enhancement View pull request
ECS version updated to 8.11.0.

7.14.0 or higher
8.0.0 or higher

1.15.0

Enhancement View pull request
Update the package format_version to 3.0.0.

7.14.0 or higher
8.0.0 or higher

1.14.1

Bug fix View pull request
Removing unused ECS field declarations.

7.14.0 or higher
8.0.0 or higher

1.14.0

Enhancement View pull request
ECS version updated to 8.10.0.

7.14.0 or higher
8.0.0 or higher

1.13.0

Enhancement View pull request
Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.

7.14.0 or higher
8.0.0 or higher

1.12.0

Enhancement View pull request
Update package to ECS 8.9.0.

7.14.0 or higher
8.0.0 or higher

1.11.0

Enhancement View pull request
Ensure event.kind is correctly set for pipeline errors.

7.14.0 or higher
8.0.0 or higher

1.10.0

Enhancement View pull request
Update package to ECS 8.8.0.

7.14.0 or higher
8.0.0 or higher

1.9.0

Enhancement View pull request
Update package-spec version to 2.7.0.

7.14.0 or higher
8.0.0 or higher

1.8.0

Enhancement View pull request
Update package to ECS 8.7.0.

7.14.0 or higher
8.0.0 or higher

1.7.1

Enhancement View pull request
Added categories and/or subcategories.

7.14.0 or higher
8.0.0 or higher

1.7.0

Enhancement View pull request
Update package to ECS 8.6.0.

7.14.0 or higher
8.0.0 or higher

1.6.0

Enhancement View pull request
Update package to ECS 8.5.0.

7.14.0 or higher
8.0.0 or higher

1.5.1

Enhancement View pull request
Remove duplicate field.

7.14.0 or higher
8.0.0 or higher

1.5.0

Enhancement View pull request
Update package to ECS 8.4.0

7.14.0 or higher
8.0.0 or higher

1.4.0

Enhancement View pull request
Update package to ECS 8.3.0.

7.14.0 or higher
8.0.0 or higher

1.3.0

Enhancement View pull request
Add JA3/JA3S parsing

7.14.0 or higher
8.0.0 or higher

1.2.0

Enhancement View pull request
Update to ECS 8.2

7.14.0 or higher
8.0.0 or higher

1.1.1

Enhancement View pull request
Add documentation for multi-fields

7.14.0 or higher
8.0.0 or higher

1.1.0

Enhancement View pull request
Update to ECS 8.0

7.14.0 or higher
8.0.0 or higher

1.0.0

Enhancement View pull request
GA integration

7.14.0 or higher
8.0.0 or higher

0.3.1

Bug fix View pull request
Change test public IPs to the supported subset

0.3.0

Enhancement View pull request
Add 8.0.0 version constraint

0.2.2

Enhancement View pull request
Update Title and Description.

0.2.1

Bug fix View pull request
Fix logic that checks for the 'forwarded' tag

0.2.0

Enhancement View pull request
Update to ECS 1.12.0

0.1.0

Enhancement View pull request
initial release

On this page