VMWare Carbon Black

Overview

LimaCharlie can ingest Carbon Black events from a number of storage locations. Typically, an organization would export Carbon Black data via the API to a storage mechanism, such as an S3 bucket, which would then be ingested by LimaCharlie.

Carbon Black events are observable in Detection & Response rules via the carbon_black platform.

Deployment Configurations

Config File

VMWare Carbon Black data can be exported via the API to an S3 bucket, and then ingested with LimaCharlie. The following command utilizes a CLI Adapter to ingest these events

./lc_adapter s3 client_options.identity.installation_key=<INSTALLATION_KEY> client_options.identity.oid=<OID> client_options.platform=carbon_black client_options.sensor_seed_key=tests3 bucket_name=lc-cb-test access_key=YYYYYYYYYY secret_key=XXXXXXXX  "prefix=events/org_key=NKZAAAEM/"

Here's a breakdown of the above example:

• lc_adapter: simply the CLI Adapter.

• s3: the data will be collected from an AWS S3 bucket.

• client_options.identity.installation_key=....: the Installation Key value from LimaCharlie.

• client_options.identity.oid=....: the Organization ID from LimaCharlie the installation key above belongs to.

• client_options.platform=carbon_black: this indicates the data received will be Carbon Black events from their API.

• client_options.sensor_seed_key=....: this is the value that identifies this instance of the Adapter. Record it to re-use the Sensor IDs generated for the Carbon Black sensors from this Adapter later if you have to re-install the Adapter.

• bucket_name:....: the name of the S3 bucket holding the data.

• access_key:....: the AWS Access Key for the API key below.

• secret_key:....: the API key for AWS that has access to this bucket.

• prefix=....: the file/directory name prefix that holds the Carbon Black data within the bucket.