
EDR Addition - Carbon Black Cloud (Linux) #88

Closed
5 tasks done
SecurityAura opened this issue Nov 28, 2024 · 0 comments
@SecurityAura (Contributor) commented Nov 28, 2024

Description

Please provide the below information so we can validate before merging:

  1. Does the proposed EDR feature align with our definition of telemetry? (definition here)
  2. Could you please provide documentation to support the telemetry you are proposing? (If it is held privately, please reach out to me or @inodee)
  3. If no documentation is available for all the categories you are proposing, could you provide screenshots or sanitized logs?

1: Yes, it does.
2: https://developer.carbonblack.com/reference/carbon-black-cloud/data-forwarder/schema/latest/endpoint.event-1.1.0/
3: Documentation and screenshots will be provided to Kostas directly.

Type of change

Please delete options that are not relevant.

  • [x] New feature (adding additional EDR product or proposing new event categories/sub-categories)

How Has This Been Tested?

Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration.

  • Carbon Black Cloud installed on an Ubuntu 22.04.4 VM on Proxmox
  • VM was left running for a few hours (even a few days) so that telemetry could be passively collected
  • For each telemetry category (e.g. Process, Network, File, Registry, etc.), the available "types" of events (e.g. Process Creation) were queried for matching events
  • Event types that returned results were marked as "Yes" in the JSON. Event types that did not return any results were left alone for further testing
  • For event types that did not return any results, the lnx_telem_gen.py script was run to generate matching telemetry
  • New searches were executed for the event types that had not returned any results before, to see if they did now. If they did, they were marked as "Yes" in the JSON; if they didn't, they were marked as "No"

Test Configuration:

  • EDR version: Carbon Black Cloud 2.16.0.2566828 (which is the latest version available at this time)
  • Operating System version: Ubuntu 22.04.4

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have made corresponding changes to the documentation
  • I have added tests that prove my corrections or additions are accurate
  • I have checked my code and corrected any misspellings

Additional Information

As with other EDRs, some subactivities can be "inferred" by Carbon Black Cloud, but they are not actual, raw telemetry events.
As for the EDR SysOps Agent Start and Agent Stop, you can see in the console the last check-in time of the sensor. So the information is there in a PARTIAL fashion, since it is not "raw" events.

CSV

CBC_categories_table.csv
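The two-phase tabulation described in the testing procedure above (passive collection, then querying each category for matching event types and marking "Yes"/"No") can be scripted over Data Forwarder output. The block below is an added illustration, not code from the issue author or from the EDR-Telemetry project. It assumes the forwarder writes one `endpoint.event` JSON object per line and that the `type`, `action` and `device_os` field values shown are representative of the public endpoint.event-1.1.0 schema; the sample records are constructed, not telemetry captured for this issue, and the category/sub-category rows are an abbreviated stand-in for the project's real matrix.

```python
import json
from collections import Counter

# Constructed sample of Data Forwarder endpoint.event records, one JSON object
# per line, for illustration only (not telemetry captured for this issue).
# Field names and type/action values are assumptions modelled on the public
# endpoint.event-1.1.0 schema. The last line is deliberately truncated, as a
# cut-off forwarder batch would be.
SAMPLE_EVENTS = """\
{"type": "endpoint.event.procstart", "action": "ACTION_CREATE_PROCESS", "process_path": "/usr/bin/bash", "device_os": "LINUX"}
{"type": "endpoint.event.procend", "action": "ACTION_PROCESS_TERMINATE", "process_path": "/usr/bin/curl", "device_os": "LINUX"}
{"type": "endpoint.event.netconn", "action": "ACTION_CONNECTION_CREATE", "process_path": "/usr/bin/curl", "remote_ip": "203.0.113.10", "remote_port": 443, "device_os": "LINUX"}
{"type": "endpoint.event.filemod", "action": "ACTION_FILE_CREATE", "process_path": "/usr/bin/touch", "filemod_name": "/tmp/telem_test", "device_os": "LINUX"}
{"type": "endpoint.event.filemod", "action": "ACTION_FILE_DELETE", "process_path": "/usr/bin/rm", "filemod_name": "/tmp/telem_test", "device_os": "LINUX"}
{"type": "endpoint.event.moduleload", "action": "ACTION_MODULE_LOAD", "process_path": "/usr/bin/python3", "modload_name": "/usr/lib/x86_64-linux-gnu/libssl.so.3", "device_os": "LINUX"}
{"type": "endpoint.event.regmod", "action": "ACTION_CREATE_KEY", "process_path": "regedit.exe", "device_os": "WINDOWS"}
{"type": "endpoint.event.procstart", "action": "ACTION_CREATE_PRO
"""


def _is(type_, action=None):
    """Build a predicate matching an event by schema type and, optionally, action."""
    def pred(e):
        return e.get("type") == type_ and (action is None or e.get("action") == action)
    return pred


# (category, sub-category) rows in EDR-Telemetry style, mapped to the assumed
# endpoint.event type/action that would evidence them. Abbreviated on purpose.
MATRIX = {
    ("Process Activity", "Process Creation"):    _is("endpoint.event.procstart"),
    ("Process Activity", "Process Termination"): _is("endpoint.event.procend"),
    ("Network Activity", "Network Connection"):  _is("endpoint.event.netconn", "ACTION_CONNECTION_CREATE"),
    ("File Manipulation", "File Creation"):      _is("endpoint.event.filemod", "ACTION_FILE_CREATE"),
    ("File Manipulation", "File Modification"):  _is("endpoint.event.filemod", "ACTION_FILE_MODIFY"),
    ("File Manipulation", "File Deletion"):      _is("endpoint.event.filemod", "ACTION_FILE_DELETE"),
    ("Image/Library Loads", "Image Load"):       _is("endpoint.event.moduleload"),
    ("Registry Activity", "Key/Value Creation"): _is("endpoint.event.regmod", "ACTION_CREATE_KEY"),
}


def parse_events(jsonl, device_os="LINUX"):
    """Parse forwarder output, keeping only events from the sensor OS under test.
    Malformed lines (e.g. a truncated batch) are skipped rather than fatal, so
    one bad record cannot silently turn a whole category into "No"."""
    events = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("device_os") == device_os:
            events.append(event)
    return events


def count_matches(events, matrix=MATRIX):
    """Number of observed events per (category, sub-category) row."""
    return Counter({row: sum(1 for e in events if pred(e)) for row, pred in matrix.items()})


def coverage(passive_counts, active_counts=None):
    """Yes/No per row, following the two-phase method from the issue: rows seen
    during passive collection are "Yes"; the rest are "Yes" only if the
    generator run (active_counts) produced them, otherwise "No"."""
    active_counts = active_counts or Counter()
    return {
        row: "Yes" if passive_counts[row] > 0 or active_counts.get(row, 0) > 0 else "No"
        for row in passive_counts
    }


def to_csv(cov, product="Carbon Black Cloud"):
    """Render the result in the Category,Sub-Category,<product> layout."""
    lines = [f"Category,Sub-Category,{product}"]
    lines += [f"{cat},{sub},{status}" for (cat, sub), status in cov.items()]
    return "\n".join(lines)


if __name__ == "__main__":
    passive = count_matches(parse_events(SAMPLE_EVENTS))
    print(to_csv(coverage(passive)))
```

Running it on the constructed sample marks Process Creation/Termination, Network Connection, File Creation/Deletion and Image Load as "Yes", while File Modification and Key/Value Creation come out "No": the `regmod` record is dropped by the OS filter, which is the check that keeps a mixed Windows/Linux forwarder bucket from inflating a Linux-only table. A second `count_matches` over the events captured after running the generator, passed as `active_counts`, flips any row that only appears under load.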
