Connect this data source on your own, using the Hunters platform.
TL;DR
Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method |
---|---|---|---|---|---|---|---|
Carbon Black Alerts | | | | | cb_platform_alerts | NDJSON | S3 |
Carbon Black Devices | | | | ✅ | cb_platform_devices | NDJSON | API |
Carbon Black Events | | | | ✅ | cb_platform_events | NDJSON | API |
Overview
Carbon Black products provide critical raw OS-level telemetry from hosts (endpoints or servers). This telemetry includes process creation events, network connection events, DNS requests, file events, and much more.
Because most attacks on an organization involve activity on at least some of its hosts, this telemetry lets Hunters extract meaningful threat signals from the vast amount of OS-level data, detect malicious or suspicious behaviors, and correlate them with further data sources.
Additionally, Hunters' integration with the Carbon Black API fetches the list of, and information about, all devices running Carbon Black, which allows further enrichment of threat signals with contextual information (e.g., OS version and type, and usernames). It also fetches the alerts Carbon Black's products generate, which are incorporated as strong threat signals. These are then automatically investigated and correlated with other Hunters-proprietary threat signals to conclude whether the alerts were truly indicative of real attacks.
Supported data types
Carbon Black Alerts
Overview
Table name: cb_platform_alerts
Platform alerts are critical for identifying potential security threats, such as malware infections, suspicious activities, and policy violations across the networked endpoints. Carbon Black alerts provide immediate notifications about incidents that require attention, enabling security teams to quickly respond and mitigate risks. Each alert contains detailed information about the nature of the threat, affected endpoints, and recommended actions for remediation, facilitating a swift and informed response to secure the environment.
Send data to Hunters
Hunters supports the collection of these logs from Carbon Black using API.
📘Note
Using the Cloud Platform APIs requires you to create an API Key separate from the one used for the old Devices and Events API. Please follow the documentation carefully and consult with the Hunters team if you encounter any problems or difficulty.
To connect Carbon Black logs:
Log into your Carbon Black account.
Navigate to Settings > API Access.
Note your ORG KEY (at the top-left corner), and then click on the Access Levels tab at the top of the page.
In the Access Levels tab, click Add Access Level and assign an indicative name to the access level (e.g., HuntersAccess).
Check the READ checkbox for the Alerts (Notes and General Information), Device (General Information), and Search (Events) categories.
To send the raw event data to Hunters, the key also needs CREATE, READ, UPDATE, and DELETE permissions so that a Data Forwarder can be created.
Click Save, and then go back to the API Keys tab, and click Add API Key.
Give the API Key an indicative name (e.g., Hunters API Access) and under Access Level type, select Custom.
The Custom Access Level dropdown box will appear. Pick the previously created custom Access Level (e.g., HuntersAccess).
Click Save, and you will be provided with your API Key Credentials: API Secret Key and API ID.
Complete the process on the Hunters platform, following this guide.
⚠️ Attention
When setting up the data source on Hunters:
Under Host, use your Carbon Black Console Address. Verify that it's one of the following addresses:
defense-eap01.conferdeploy.net
dashboard.confer.net
defense.conferdeploy.net
defense-prod05.conferdeploy.net
defense-eu.conferdeploy.net
defense-prodnrt.conferdeploy.net
Paste the API Secret Key and API ID in the following format:
{API Secret Key}/{API ID}
For each data type, write your ORG_KEY into the appropriate box.
Carbon Black Devices
Overview
Table name: cb_platform_devices
A detailed record of each device in the organization. The logs include information such as timestamped actions, user activities, process executions, and changes to system settings or files, which is essential for identifying patterns that may indicate a compromise or attack.
Send data to Hunters
Hunters supports the collection of these logs from Carbon Black using API.
📘Note
Using the Cloud Platform APIs requires you to create an API Key separate from the one used for the old Devices and Events API. Please follow the documentation carefully and consult with the Hunters team if you encounter any problems or difficulty.
To connect Carbon Black logs:
Log into your Carbon Black account.
Navigate to Settings > API Access.
Note your ORG KEY (at the top-left corner), and then click on the Access Levels tab at the top of the page.
In the Access Levels tab, click Add Access Level and assign an indicative name to the access level (e.g., HuntersAccess).
Check the READ checkbox for the Alerts (Notes and General Information), Device (General Information), and Search (Events) categories.
To send the raw event data to Hunters, the key also needs CREATE, READ, UPDATE, and DELETE permissions so that a Data Forwarder can be created.
Click Save, and then go back to the API Keys tab, and click Add API Key.
Give the API Key an indicative name (e.g., Hunters API Access) and under Access Level type, select Custom.
The Custom Access Level dropdown box will appear. Pick the previously created custom Access Level (e.g., HuntersAccess).
Click Save, and you will be provided with your API Key Credentials: API Secret Key and API ID.
Complete the process on the Hunters platform, following this guide.
⚠️ Attention
When setting up the data source on Hunters:
Under Host, use your Carbon Black Console Address. Verify that it's one of the following addresses:
defense-eap01.conferdeploy.net
dashboard.confer.net
defense.conferdeploy.net
defense-prod05.conferdeploy.net
defense-eu.conferdeploy.net
defense-prodnrt.conferdeploy.net
Paste the API Secret Key and API ID in the following format:
{API Secret Key}/{API ID}
For each data type, write your ORG_KEY into the appropriate box.
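The Attention blocks for the Alerts and Devices data types both ask for the same three inputs: a Host from the listed console addresses, credentials pasted as {API Secret Key}/{API ID}, and an ORG KEY. The following added example (not Hunters' or Carbon Black's code) checks those inputs before they are pasted, normalizing a console URL to its bare host name and splitting the credential string; the X-Auth-Token header it builds is the authentication header documented for Carbon Black Cloud APIs, not something this page states.

```python
# Sanity checks for the Hunters data-source inputs for Carbon Black Cloud
# (Host, '{API Secret Key}/{API ID}', ORG KEY). Added example, not Hunters' code.

# Console addresses this page lists as valid values for the Host field.
ALLOWED_HOSTS = frozenset({
    "defense-eap01.conferdeploy.net",
    "dashboard.confer.net",
    "defense.conferdeploy.net",
    "defense-prod05.conferdeploy.net",
    "defense-eu.conferdeploy.net",
    "defense-prodnrt.conferdeploy.net",
})

def normalize_host(raw: str) -> str:
    """Reduce a pasted console URL (scheme, path, trailing dot) to the bare host name."""
    host = raw.strip().lower()
    for prefix in ("https://", "http://"):
        if host.startswith(prefix):
            host = host[len(prefix):]
    return host.split("/", 1)[0].rstrip(".")

def parse_credentials(token: str) -> tuple[str, str]:
    """Split the '{API Secret Key}/{API ID}' string into (secret, api_id)."""
    token = token.strip()
    if token.count("/") != 1:
        raise ValueError("credentials must be exactly '{API Secret Key}/{API ID}'")
    secret, api_id = token.split("/")
    if not secret or not api_id:
        raise ValueError("API Secret Key and API ID must both be non-empty")
    return secret, api_id

def validate_config(host: str, token: str, org_key: str) -> dict:
    """Validate the three inputs; raise ValueError on anything the page rules out."""
    norm = normalize_host(host)
    if norm not in ALLOWED_HOSTS:
        raise ValueError(f"host {norm!r} is not a listed Carbon Black console address")
    secret, api_id = parse_credentials(token)
    org = org_key.strip()
    if not org:
        raise ValueError("ORG KEY is required for each data type")
    return {"host": norm, "api_secret_key": secret, "api_id": api_id, "org_key": org}

def auth_header(cfg: dict) -> dict:
    """Carbon Black Cloud APIs authenticate with 'X-Auth-Token: {secret}/{api_id}',
    the same secret/id order the page asks you to paste (from Carbon Black's docs)."""
    return {"X-Auth-Token": f"{cfg['api_secret_key']}/{cfg['api_id']}"}
```

The sample credential and org key values used in the test are constructed placeholders, not real keys.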
Carbon Black Events
Overview
Table name: cb_platform_events
Carbon Black event logs provide detailed records of security events and activities observed across the endpoints protected by the Carbon Black platform, via the S3 Data Forwarder. These logs play a crucial role in threat detection, incident response, and compliance efforts within organizations.
Send data to Hunters
Hunters supports the ingestion of Carbon Black Events via an intermediary AWS S3 bucket.
To connect Carbon Black Events:
Export your logs from Carbon Black Events to an AWS S3 bucket.
Once the export is completed and the logs are collected to S3, follow the steps in this section.