VMware Carbon Black Cloud Event Forwarder is cloud-native endpoint security software designed to detect malicious behavior and help prevent malicious files from attacking an organization. It lets you send data about alerts and events to an AWS S3 bucket, from which it can be fed into other applications.

Devo collector features

| Feature | Details |
| --- | --- |
| Allow parallel downloading (multipod) | Allowed |
| Running environments | Collector server, On-premise |
| Populated Devo events | Table |
| Flattening preprocessing | No |

Data sources

| Data source | Description | API endpoint | Collector service name | Devo table | Available from release |
| --- | --- | --- | --- | --- | --- |
| Event Forwarder | The Carbon Black Cloud Forwarder lets you send data about alerts and events to an AWS S3 bucket where it can be reconfigured to port into other applications in your security stack. | Data Forwarder Configuration API - Carbon Black Developer Network; AWS S3 bucket | event_forwarder | endpoint.vmware.cbc_event_forwarder | v1.0.0 |
| | | | | endpoint.vmware.cbc_event_forwarder.cb_analytics | v1.0.0 |
| | | | | endpoint.vmware.cbc_event_forwarder.endpoint_event_apicall | v1.0.0 |
| | | | | endpoint.vmware.cbc_event_forwarder.endpoint_event_crossproc | v1.0.0 |
| | | | | endpoint.vmware.cbc_event_forwarder.endpoint_event_fileless_scriptload | v1.0.0 |
| | | | | endpoint.vmware.cbc_event_forwarder.endpoint_event_filemod | v1.0.0 |
| | | | | endpoint.vmware.cbc_event_forwarder.endpoint_event_moduleload | v1.0.0 |
| | | | | endpoint.vmware.cbc_event_forwarder.endpoint_event_netconn | v1.0.0 |
| | | | | endpoint.vmware.cbc_event_forwarder.endpoint_event_procstart | v1.0.0 |
| | | | | endpoint.vmware.cbc_event_forwarder.endpoint_event_procend | v1.0.0 |
| | | | | endpoint.vmware.cbc_event_forwarder.endpoint_event_regmod | v1.0.0 |
| | | | | endpoint.vmware.cbc_event_forwarder.endpoint_event_scriptload | v1.0.0 |
| | | | | endpoint.vmware.cbc_event_forwarder.unknown | v1.0.0 |
| | | | | endpoint.vmware.cbc_event_forwarder.kognos_alerts | v1.0.0 |
| | | | | endpoint.vmware.cbc_event_forwarder.kognos_events | v1.0.0 |

Flattening preprocessing

| Data source | Collector service | Optional |
| --- | --- | --- |
| Source | Service | No |

Vendor setup

There are some steps you need to follow in order to set up this collector:

...

Info

This minimum configuration covers only the parameters specific to this integration. There are more required parameters related to the generic behavior of the collector; check the settings sections for details.

| Setting | Details |
| --- | --- |
| org_key | The Carbon Black Cloud organization key. Refer to Carbon Black Cloud: Where is the Org Key Found? for more information. |
| aws_accesskey | The AWS access key. Refer to Understanding and getting your AWS credentials - AWS General Reference for more information. |
| aws_secretkey | The AWS secret key. Refer to Understanding and getting your AWS credentials - AWS General Reference for more information. |
| aws_region | A list of valid target region names to use when collecting data; one processing thread is created per region. Refer to Regions, Availability Zones, and Local Zones - Amazon Relational Database Service for more information. |
| bucket_name | The AWS S3 bucket name. Examples: docexamplebucket1, log-delivery-march-2020, my-hosted-content |
| queue_name | The AWS SQS queue name. |

Info

See the Accepted authentication methods section to verify which settings are required for the desired authentication method.
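A settings sanity check, added here as an example and not part of the Devo collector itself, that applies the rules stated above before a collector run: every listed parameter must be present, aws_region must be a list of region names (one thread is started per region, so a single string or a misspelt region fails at startup), and bucket_name must obey S3 bucket naming rules. It also shows how to mask the AWS credentials before the settings are written to the log, which matters once debug logging is switched on. It assumes the settings arrive as a plain dict keyed by the parameter names on this page; the sample values are constructed placeholders.

```python
"""Settings sanity check, added as an example; not the Devo collector's own
validation code. Assumes the collector-specific settings arrive as a plain
dict keyed by the parameter names listed on this page."""
import re
from typing import Dict, List

REQUIRED = ("org_key", "aws_accesskey", "aws_secretkey",
            "aws_region", "bucket_name", "queue_name")
SECRET_KEYS = ("aws_accesskey", "aws_secretkey")

# AWS region identifiers such as "us-east-1", "eu-west-2" or "us-gov-west-1".
_REGION_RE = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d$")
# S3 bucket naming rules: 3-63 characters, lowercase letters, digits, dots and
# hyphens, starting and ending with a letter or digit, no ".." and not an IPv4.
_BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
_IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def validate_settings(settings: Dict[str, object]) -> List[str]:
    """Return a list of problems; an empty list means the settings look usable."""
    problems: List[str] = []
    for key in REQUIRED:
        if not settings.get(key):
            problems.append(f"{key}: missing or empty")

    regions = settings.get("aws_region")
    if isinstance(regions, list):
        # One processing thread is started per region, so every entry must be
        # a real region name or that thread fails at startup.
        for region in regions:
            if not isinstance(region, str) or not _REGION_RE.match(region):
                problems.append(f"aws_region: {region!r} is not a valid region name")
    elif regions:
        problems.append("aws_region: must be a list of region names, not a single value")

    bucket = settings.get("bucket_name")
    if isinstance(bucket, str) and bucket:
        if (not _BUCKET_RE.match(bucket) or ".." in bucket
                or _IPV4_RE.match(bucket)):
            problems.append(f"bucket_name: {bucket!r} violates S3 bucket naming rules")
    return problems


def redacted_for_log(settings: Dict[str, object]) -> Dict[str, object]:
    """Copy of the settings that is safe to write to the collector log (for
    example with debug mode on): AWS credentials are masked, the rest is kept."""
    return {k: ("***" if k in SECRET_KEYS and v else v) for k, v in settings.items()}


if __name__ == "__main__":
    # Constructed sample settings; the values are placeholders, not real credentials.
    sample = {
        "org_key": "EXAMPLEORG",
        "aws_accesskey": "AKIA-PLACEHOLDER",
        "aws_secretkey": "PLACEHOLDER-SECRET",
        "aws_region": ["us-east-1", "eu-west-2"],
        "bucket_name": "log-delivery-march-2020",
        "queue_name": "cbc-forwarder-queue",
    }
    print(validate_settings(sample))
    print(validate_settings(dict(sample, aws_region="us-east-1", bucket_name="Log_Delivery")))
    print(redacted_for_log(sample))
```

Run the check before starting the collector and log only the output of redacted_for_log; a region typo is reported per entry, so a multi-region list with one bad name still tells you which thread would have failed.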

...

Enable/disable the logging debug mode

Sometimes it is necessary to activate the debug mode of the collector's logging. This debug mode increases the verbosity of the log and allows you to print execution traces that are very helpful in resolving incidents or detecting bottlenecks in heavy download processes.

  • To enable this option you just need to edit the configuration file and change the debug_status parameter from false to true and restart the collector.

  • To disable this option, you just need to update the configuration file and change the debug_status parameter from true to false and restart the collector.

For more information, visit the configuration and parameterization section corresponding to the chosen deployment mode.

Change log for v1.x.x

| Release | Released on | Release type | Details | Recommendations |
| --- | --- | --- | --- | --- |
| v1.0.0 | | NEW FEATURE | New features (listed below) | Recommended version |

New features in v1.0.0:

  • CBC Event Forwarder ingestion through S3+SQS (AWS Platform)

  • Two tag mapping schemes:

    • Grouping by events and alerts (compatible with Kognos data feed requirements):

      • endpoint.vmware.cbc_event_forwarder.kognos_alerts

      • endpoint.vmware.cbc_event_forwarder.kognos_events

    • Grouping by event type:

      • endpoint.vmware.cbc_event_forwarder

      • endpoint.vmware.cbc_event_forwarder.{type}
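The two features above, the S3+SQS ingestion path and the two tag mapping schemes, as an added example that is not the Devo collector's code: it takes the SQS message body (an S3 event notification), accepts only object-created events for the configured bucket, URL-decodes the object keys, and then routes each record of a batch to its Devo table under either scheme, with unrecognised or malformed records going to the .unknown table. The tag names come from the data sources table on this page; the assumptions are that each object holds one JSON record per line and that a record names its kind in a 'type' field such as 'endpoint.event.procstart' for events or 'CB_ANALYTICS' for alerts. All sample data is constructed.

```python
"""Added example, not the Devo collector's code: follow one forwarded batch from
the SQS notification to the Devo tag under both mapping schemes listed above.
Assumptions: the SQS message body is a standard S3 event notification, the
object holds one JSON record per line, and each record names its kind in a
'type' field ('endpoint.event.procstart' for events, 'CB_ANALYTICS' for alerts)."""
import json
from collections import Counter
from typing import Callable, Dict, List
from urllib.parse import unquote_plus

BASE_TAG = "endpoint.vmware.cbc_event_forwarder"
# Tag suffixes taken from the data sources table on this page.
KNOWN_SUFFIXES = {
    "cb_analytics", "endpoint_event_apicall", "endpoint_event_crossproc",
    "endpoint_event_fileless_scriptload", "endpoint_event_filemod",
    "endpoint_event_moduleload", "endpoint_event_netconn",
    "endpoint_event_procstart", "endpoint_event_procend",
    "endpoint_event_regmod", "endpoint_event_scriptload",
}


def s3_keys_from_sqs_body(body: str, expected_bucket: str) -> List[str]:
    """Object keys announced by an S3 event notification received through SQS.
    Only ObjectCreated events for the configured bucket are accepted, so a stray
    notification naming another bucket is dropped rather than fetched, and keys
    are URL-decoded because S3 delivers them encoded."""
    keys = []
    for rec in json.loads(body).get("Records", []):
        if rec.get("eventSource") != "aws:s3":
            continue
        if not str(rec.get("eventName", "")).startswith("ObjectCreated:"):
            continue
        s3 = rec.get("s3", {})
        if s3.get("bucket", {}).get("name") != expected_bucket:
            continue
        keys.append(unquote_plus(s3["object"]["key"]))
    return keys


def tag_by_type(record: dict) -> str:
    """Grouping by event type: endpoint.vmware.cbc_event_forwarder.{type}.
    Records with a missing or unrecognised type land in the .unknown table."""
    raw = record.get("type")
    if not isinstance(raw, str) or not raw:
        return f"{BASE_TAG}.unknown"
    suffix = raw.lower().replace(".", "_")
    return f"{BASE_TAG}.{suffix}" if suffix in KNOWN_SUFFIXES else f"{BASE_TAG}.unknown"


def tag_by_kognos_group(record: dict) -> str:
    """Grouping by events and alerts: endpoint.event.* records go to
    kognos_events; any other typed record is treated as an alert (assumption)."""
    raw = record.get("type")
    if not isinstance(raw, str) or not raw:
        return f"{BASE_TAG}.unknown"
    group = "kognos_events" if raw.startswith("endpoint.event.") else "kognos_alerts"
    return f"{BASE_TAG}.{group}"


def route_jsonl(text: str, tagger: Callable[[dict], str]) -> Dict[str, int]:
    """Count how many records of a batch land in each Devo tag. A malformed
    line is counted under .unknown instead of aborting the whole batch."""
    counts: Counter = Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            rec = {}
        counts[tagger(rec if isinstance(rec, dict) else {})] += 1
    return dict(counts)


# Constructed sample data (not captured from a real tenant).
SAMPLE_SQS_BODY = json.dumps({"Records": [
    {"eventVersion": "2.1", "eventSource": "aws:s3", "awsRegion": "us-east-1",
     "eventName": "ObjectCreated:Put",
     "s3": {"bucket": {"name": "log-delivery-march-2020"},
            "object": {"key": "cbc/endpoint.event/org_key=EXAMPLEORG/part+1.jsonl"}}},
    {"eventVersion": "2.1", "eventSource": "aws:s3",
     "eventName": "ObjectRemoved:Delete",
     "s3": {"bucket": {"name": "log-delivery-march-2020"},
            "object": {"key": "cbc/old.jsonl"}}},
]})
SAMPLE_JSONL = "\n".join([
    json.dumps({"type": "endpoint.event.procstart", "process_guid": "CONSTRUCTED-1"}),
    json.dumps({"type": "endpoint.event.netconn", "remote_port": 443}),
    json.dumps({"type": "CB_ANALYTICS", "severity": 5}),
    json.dumps({"type": "endpoint.event.something_new"}),
    "this line is not json",
])

if __name__ == "__main__":
    print(s3_keys_from_sqs_body(SAMPLE_SQS_BODY, "log-delivery-march-2020"))
    print(route_jsonl(SAMPLE_JSONL, tag_by_type))
    print(route_jsonl(SAMPLE_JSONL, tag_by_kognos_group))
```

The bucket check in s3_keys_from_sqs_body is the piece worth keeping: the SQS queue should only ever carry notifications for bucket_name, and anything else in it is a misconfiguration to alert on, not an object to download. The count per tag is a cheap health signal; a sudden rise in .unknown usually means the forwarder schema gained a type the mapping does not know yet.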