Installing Carbon Black Event Forwarder
Introduction
In this document, we walk through the process of configuring the Carbon Black (CB) Event Forwarder so that it can send endpoint telemetry to Google Security Operations.
Quick Start Guide
At a high level, we follow the official CB Event Forwarder getting-started guide (see here), with the following items:
- Install the CB Event Forwarder directly on the CB Response server, or on a separate VM.
- Make sure the events you want to send to Google Security Operations are configured on the CB Response server.
- Configure several fields in the CB Event Forwarder configuration to enable sending events to Google Security Operations.
Configuring CB Response
Configure CB Response to export the desired events. See Configuring CB Response in the official CB Event Forwarder documentation for more background.
For example, to enable export of network connection events through a CB Event Forwarder that also runs on the CB Response server, you would set the following:
# If this property is not empty, it will enable publishing of incoming events from
# sensors onto RabbitMQ PUBSUB enterprise bus (see RabbitMQ (cb-rabbitmq service)
# settings in this file). The value of this property consists of one or more of the
# following comma-separated event types that should be published:
# * procstart (or process)
# * procend
# * childproc
# * moduleload
# * module
# * filemod
# * regmod
# * netconn
# If you wish to subscribe for ALL of the above events, '*' value can be specified.
# Each event type will be published to its own topic: ingress.event.<event type>
DatastoreBroadcastEventTypes=netconn
Configuring CB Event Forwarder
Configure the CB Event Forwarder to export data over HTTP(S) to the Google Security Operations Ingestion API. Please read Configuring cb-event-forwarder in the official CB Event Forwarder documentation for more background.
A number of flags are required to configure the CB Event Forwarder. The configuration with those flags is given below.
- Back up the official CB Event Forwarder configuration:
# Go to the configuration folder.
$ cd /etc/cb/integrations/event-forwarder
$ cp cb-event-forwarder.conf cb-event-forwarder.conf.official
- Update the following fields in cb-event-forwarder.conf:
# Update output_type from file to http.
output_type=http
# Configure the Ingestion API endpoint.
httpout=https://malachiteingestion-pa.googleapis.com/v1/unstructuredlogentries?key=<api-key>
# Only export the following Raw Sensor (endpoint) Events.
events_raw_sensor=ingress.event.childproc,ingress.event.emetmitigation,ingress.event.netconn,ingress.event.process,ingress.event.processblock,ingress.event.remotethread,ingress.event.tamper,ingress.event.filemod,ingress.event.regmod
# Update the following fields in the [http] section. Note that some fields with exactly the same field name appear in many sections. Make sure that you are updating the fields in the [http] section.
# Do not send an empty update.
upload_empty_files=false
# Update the bundle size to 1MB.
bundle_size_max=1048576
# Update HTTP post template.
http_post_template={"log_type": "CB_EDR", "entries":[{{range $index, $element := .Events}}{{if $index}},{{end}}{{printf "{\"log_text\":%q}" .EventText}}{{end}}]}
Don't forget to replace
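To see what the http_post_template above actually produces, here is an added Go example (not code from this page or from the cb-event-forwarder project). It renders the template with Go's text/template package, whose syntax the template uses, over two constructed sample events and then decodes the result to confirm it is the JSON the ingestion API expects. The uploadEvent and uploadBatch types are assumptions; only the .Events and .EventText field names come from the template itself.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"text/template"
)

// httpPostTemplate is the http_post_template value from cb-event-forwarder.conf,
// copied verbatim so its output can be inspected outside the forwarder.
const httpPostTemplate = `{"log_type": "CB_EDR", "entries":[{{range $index, $element := .Events}}{{if $index}},{{end}}{{printf "{\"log_text\":%q}" .EventText}}{{end}}]}`

// uploadEvent and uploadBatch are assumed stand-ins for the data the forwarder
// passes to the template; only the field names .Events and .EventText, which the
// template references, are taken from the configuration above.
type uploadEvent struct {
	EventText string // one raw CB event, already serialized as JSON text
}

type uploadBatch struct {
	Events []uploadEvent
}

// renderPayload executes the template over a batch of raw event strings and
// returns the HTTP POST body that would be sent to the ingestion endpoint.
func renderPayload(eventTexts []string) (string, error) {
	tmpl, err := template.New("http_post_template").Parse(httpPostTemplate)
	if err != nil {
		return "", err
	}
	var batch uploadBatch
	for _, text := range eventTexts {
		batch.Events = append(batch.Events, uploadEvent{EventText: text})
	}
	var body bytes.Buffer
	if err := tmpl.Execute(&body, batch); err != nil {
		return "", err
	}
	return body.String(), nil
}

// ingestPayload mirrors the JSON the template emits: a log_type and a list of
// log_text entries, each holding one original event string.
type ingestPayload struct {
	LogType string `json:"log_type"`
	Entries []struct {
		LogText string `json:"log_text"`
	} `json:"entries"`
}

// decodePayload parses a rendered body back. Success means the %q quoting in the
// template produced JSON the ingestion API can read; comparing the decoded
// log_text values with the inputs shows every event round-tripped unchanged.
func decodePayload(body string) (ingestPayload, error) {
	var p ingestPayload
	err := json.Unmarshal([]byte(body), &p)
	return p, err
}

func main() {
	// Constructed sample events; real ones are the raw sensor JSON the forwarder receives.
	events := []string{
		`{"type":"ingress.event.netconn","remote_ip":"10.0.0.5","remote_port":443}`,
		`{"type":"ingress.event.process","path":"c:\\windows\\system32\\svchost.exe"}`,
	}
	body, err := renderPayload(events)
	if err != nil {
		panic(err)
	}
	fmt.Println(body)
	p, err := decodePayload(body)
	if err != nil {
		panic(err)
	}
	fmt.Printf("decoded %d entries with log_type %s\n", len(p.Entries), p.LogType)
}
```

Running it prints the body for the two events. An empty batch renders as `{"log_type": "CB_EDR", "entries":[]}`, which is exactly the payload that `upload_empty_files=false` keeps the forwarder from sending. The `%q` verb applies Go string quoting; for serialized CB event text (quotes, backslashes, printable characters) that coincides with JSON escaping, and the decode step is the check that it did.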
Starting and Stopping the CB Event Forwarder
Please read Starting and Stopping the Service in the official CB Event Forwarder documentation.
Hints
How to Debug If the CB Event Forwarder Fails to Start
Startup errors are logged to /var/log/cb/integrations/cb-event-forwarder/cb-event-forwarder.startup.log.
How to Confirm That the CB Event Forwarder Is Sending Data to Google Security Operations
If the CB Event Forwarder is sending data to Google Security Operations, you will see the following in the log, which can be found at /var/log/cb/integrations/cb-event-forwarder/cb-event-forwarder.log:
time="2018-11-15T16:08:41-08:00" level=info msg="Enforcing minimum TLS version 1.2"
time="2018-11-15T16:08:41-08:00" level=info msg="Raw Event Filtering Configuration:"
time="2018-11-15T16:08:41-08:00" level=info msg="ingress.event.netconn: true"
time="2018-11-15T16:08:41-08:00" level=info msg="cb-event-forwarder version NOT FOR RELEASE starting"
time="2018-11-15T16:08:41-08:00" level=info msg="Interface address XXX.XXX.XXX.XXX"
time="2018-11-15T16:08:41-08:00" level=info msg="Interface address XXXX::XXX:XXXX:XXXX:XXX"
time="2018-11-15T16:08:41-08:00" level=info msg="Configured to capture events: [watchlist.# feed.# alert.# ingress.event.netconn binaryinfo.# binarystore.#]"
time="2018-11-15T16:08:41-08:00" level=info msg="Rolling file /var/cb/data/event-forwarder/event-forwarder to /var/cb/data/event-forwarder/event-forwarder.2018-11-15T16:08:41.481.restart"
time="2018-11-15T16:08:41-08:00" level=info msg="Initialized output: HTTP POST https://malachiteingestion-pa.googleapis.com/v1/unstructuredlogentries\n"
...
time="2018-11-15T16:08:43-08:00" level=info msg="Successfully uploaded file /var/cb/data/event-forwarder/event-forwarder.2018-11-09T14:25:21.446 to HTTP POST https://malachiteingestion-pa.googleapis.com/v1/unstructuredlogentries."
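The log lines above can be checked mechanically rather than by eye. The following Go program is an added example, not part of this page or of the forwarder, that parses the msg="..." field of each line, records TLS enforcement, the initialized HTTP endpoint, the captured event topics and the number of successful uploads, and reports the first thing missing. The log lines it embeds are the ones shown above; the expected endpoint and topic are supplied by the caller, and any ?key= query string from httpout is stripped before comparing, since the log prints the endpoint without it.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// forwarderStatus collects what the forwarder log says about its HTTP output.
type forwarderStatus struct {
	MinTLSEnforced    bool
	HTTPEndpoint      string   // from the "Initialized output: HTTP POST ..." line
	CapturedEvents    []string // from the "Configured to capture events: [...]" line
	SuccessfulUploads int      // count of "Successfully uploaded file ... to HTTP POST ..." lines
}

// logMessage returns the msg="..." value of one log line. The lines on this page
// place msg last, so everything after msg= is taken as the quoted value; a line
// without a well-formed quoted msg (such as the "..." separator) yields ok=false.
func logMessage(line string) (string, bool) {
	i := strings.Index(line, `msg=`)
	if i < 0 {
		return "", false
	}
	// strconv.Unquote undoes the Go-style quoting of the value, including the
	// trailing \n that the "Initialized output" line carries.
	msg, err := strconv.Unquote(strings.TrimSpace(line[i+len(`msg=`):]))
	if err != nil {
		return "", false
	}
	return msg, true
}

// summarizeLog scans the log lines once and fills in a forwarderStatus.
func summarizeLog(lines []string) forwarderStatus {
	var st forwarderStatus
	for _, line := range lines {
		msg, ok := logMessage(line)
		if !ok {
			continue
		}
		switch {
		case msg == "Enforcing minimum TLS version 1.2":
			st.MinTLSEnforced = true
		case strings.HasPrefix(msg, "Initialized output: HTTP POST "):
			st.HTTPEndpoint = strings.TrimSpace(strings.TrimPrefix(msg, "Initialized output: HTTP POST "))
		case strings.HasPrefix(msg, "Configured to capture events: ["):
			inner := strings.TrimSuffix(strings.TrimPrefix(msg, "Configured to capture events: ["), "]")
			st.CapturedEvents = strings.Fields(inner)
		case strings.HasPrefix(msg, "Successfully uploaded file ") && strings.Contains(msg, " to HTTP POST "):
			st.SuccessfulUploads++
		}
	}
	return st
}

// stripQuery drops a ?key=... query string so the configured httpout value can be
// compared with the endpoint the log prints.
func stripQuery(u string) string {
	return strings.SplitN(u, "?", 2)[0]
}

// checkForwarding returns nil when the log shows TLS 1.2 enforced, the HTTP
// output initialized against wantEndpoint, at least one successful upload, and
// wantTopic among the captured events; otherwise it names the first missing item.
func checkForwarding(st forwarderStatus, wantEndpoint, wantTopic string) error {
	switch {
	case !st.MinTLSEnforced:
		return fmt.Errorf("minimum TLS version 1.2 not enforced")
	case stripQuery(st.HTTPEndpoint) != stripQuery(wantEndpoint):
		return fmt.Errorf("HTTP output initialized against %q, want %q", st.HTTPEndpoint, stripQuery(wantEndpoint))
	case st.SuccessfulUploads == 0:
		return fmt.Errorf("no successful upload to HTTP POST recorded yet")
	}
	for _, e := range st.CapturedEvents {
		if e == wantTopic {
			return nil
		}
	}
	return fmt.Errorf("topic %q is not in the captured events %v; check events_raw_sensor", wantTopic, st.CapturedEvents)
}

func main() {
	// Log lines as shown on this page; the "..." separator is skipped by logMessage.
	lines := []string{
		`time="2018-11-15T16:08:41-08:00" level=info msg="Enforcing minimum TLS version 1.2"`,
		`time="2018-11-15T16:08:41-08:00" level=info msg="Configured to capture events: [watchlist.# feed.# alert.# ingress.event.netconn binaryinfo.# binarystore.#]"`,
		`time="2018-11-15T16:08:41-08:00" level=info msg="Initialized output: HTTP POST https://malachiteingestion-pa.googleapis.com/v1/unstructuredlogentries\n"`,
		`...`,
		`time="2018-11-15T16:08:43-08:00" level=info msg="Successfully uploaded file /var/cb/data/event-forwarder/event-forwarder.2018-11-09T14:25:21.446 to HTTP POST https://malachiteingestion-pa.googleapis.com/v1/unstructuredlogentries."`,
	}
	st := summarizeLog(lines)
	endpoint := "https://malachiteingestion-pa.googleapis.com/v1/unstructuredlogentries?key=<api-key>"
	fmt.Println("uploads:", st.SuccessfulUploads, "check:", checkForwarding(st, endpoint, "ingress.event.netconn"))
}
```

Pointing the program at the live cb-event-forwarder.log (reading it line by line into summarizeLog) gives the same verdict the author asks you to confirm visually, and the missing-topic error is the one you will see if a topic listed in events_raw_sensor never appears in the "Configured to capture events" line.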
Contact Info
Technical questions, including help with the instructions in this document: forwarder@chronicle.security
General questions: product@chronicle.security
Sales questions: sales@chronicle.security