Install Carbon Black Event Forwarder

Supported platforms:

Introduction

This document walks through configuring the Carbon Black (CB) Event Forwarder to send endpoint telemetry to Google Security Operations.

Quick start guide

At a high level, we follow the official CB Event Forwarder quick start guide (see here), which involves the following:

  1. Install the CB Event Forwarder, either directly on the CB Response server or on a separate virtual machine.
  2. Make sure the CB Response server is configured to emit the events that you want to send to Google Security Operations.
  3. Set several fields in the CB Event Forwarder configuration so that events are sent to Google Security Operations.

Configure CB Response

Configure CB Response to export the required events. See Configure CB Response in the official CB Event Forwarder documentation for details.

For example, to have a CB Event Forwarder running on the CB Response server export network connection events, you would set the following:

# If this property is not empty, it will enable publishing of incoming events from
# sensors onto RabbitMQ PUBSUB enterprise bus (see RabbitMQ (cb-rabbitmq service)
# settings in this file). The value of this property consists of one or more of the
# following comma-separated event types that should be published:
#   * procstart (or process)
#   * procend
#   * childproc
#   * moduleload
#   * module
#   * filemod
#   * regmod
#   * netconn
# If you wish to subscribe for ALL of the above events, '*' value can be specified.
# Each event type will be published to its own topic: ingress.event.<event type>
DatastoreBroadcastEventTypes=netconn

Configure CB Event Forwarder

Configure the CB Event Forwarder to export data to the Google Security Operations Ingestion API over HTTP(S). For details, see Configure cb-event-forwarder in the official CB Event Forwarder documentation.

Configuring the CB Event Forwarder requires several flags. The configuration containing these flags is given below.

  1. Back up the official CB Event Forwarder configuration:
# Go to the configuration folder.
$ cd /etc/cb/integrations/event-forwarder
$ cp cb-event-forwarder.conf cb-event-forwarder.conf.official
  2. Update the following fields in cb-event-forwarder.conf:
# Update output_type from file to http.
output_type=http

# Configure the Ingestion API endpoint.
httpout=https://malachiteingestion-pa.googleapis.com/v1/unstructuredlogentries?key=<api-key>

# Only export the following Raw Sensor (endpoint) Events.
events_raw_sensor=ingress.event.childproc,ingress.event.emetmitigation,ingress.event.netconn,ingress.event.process,ingress.event.processblock,ingress.event.remotethread,ingress.event.tamper,ingress.event.filemod,ingress.event.regmod

# Update the following fields in the [http] section. Note that fields with exactly the same name appear in several sections. Make sure that you are updating the fields in the [http] section.

# Do not send an empty update.
upload_empty_files=false

# Update the bundle size to 1MB.
bundle_size_max=1048576

# Update the HTTP post template.
http_post_template={"log_type": "CB_EDR", "entries":[{{range $index, $element := .Events}}{{if $index}},{{end}}{{printf "{\"log_text\":%q}" .EventText}}{{end}}]}

Be sure to replace <api-key> with the Backstory Ingestion API key that you were given.
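To see what the http_post_template above actually sends, here is an added example that is not the forwarder's own code and not part of the original document. It renders the template from the configuration with Go's text/template (the template engine cb-event-forwarder uses for this setting) against two constructed sample events, then parses the result back as JSON. The Event and Bundle types are stand-ins for the forwarder's internal data; the only things taken from the page are the template and the .Events / .EventText names it references.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"text/template"
)

// httpPostTemplate is the http_post_template value from the configuration
// above, copied verbatim. It is a Go text/template: .Events is ranged over and
// each element's .EventText is quoted with %q into a "log_text" entry.
const httpPostTemplate = `{"log_type": "CB_EDR", "entries":[{{range $index, $element := .Events}}{{if $index}},{{end}}{{printf "{\"log_text\":%q}" .EventText}}{{end}}]}`

// Event mirrors the one field the template reads from each element of .Events.
// This struct is an assumption of the example, not the forwarder's own type.
type Event struct {
	EventText string
}

// Bundle is the data handed to the template: the events of one upload bundle.
type Bundle struct {
	Events []Event
}

// IngestionEntry and IngestionPayload model the JSON body the Ingestion API
// receives, so the rendered body can be parsed back and checked.
type IngestionEntry struct {
	LogText string `json:"log_text"`
}

type IngestionPayload struct {
	LogType string           `json:"log_type"`
	Entries []IngestionEntry `json:"entries"`
}

// RenderPayload applies the template to a bundle of raw event strings and
// returns the HTTP body the forwarder would POST to httpout.
func RenderPayload(eventTexts []string) (string, error) {
	tmpl, err := template.New("http_post").Parse(httpPostTemplate)
	if err != nil {
		return "", fmt.Errorf("parsing http_post_template: %w", err)
	}
	var b Bundle
	for _, t := range eventTexts {
		b.Events = append(b.Events, Event{EventText: t})
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, b); err != nil {
		return "", fmt.Errorf("executing http_post_template: %w", err)
	}
	return buf.String(), nil
}

// ParsePayload decodes a rendered body, which confirms the body is valid JSON
// and lets the caller check that each event survived %q quoting intact.
func ParsePayload(body string) (IngestionPayload, error) {
	var p IngestionPayload
	err := json.Unmarshal([]byte(body), &p)
	return p, err
}

func main() {
	// Constructed sample events in the shape of CB Response raw sensor events;
	// every field value here is made up for this example.
	events := []string{
		`{"type":"ingress.event.netconn","process_guid":"00000001-0000-0b2c-01d4-7d4b7a1e2f3a","domain":"example.com","remote_port":443}`,
		`{"type":"ingress.event.procstart","path":"c:\\windows\\system32\\cmd.exe","cmdline":"cmd.exe /c \"echo hi\""}`,
	}
	body, err := RenderPayload(events)
	if err != nil {
		panic(err)
	}
	fmt.Println(body)
	p, err := ParsePayload(body)
	if err != nil {
		panic(err)
	}
	fmt.Printf("log_type=%s entries=%d\n", p.LogType, len(p.Entries))
}
```

The {{if $index}},{{end}} guard is what keeps the JSON array free of a leading comma. One caveat worth knowing: %q produces Go escape syntax, which agrees with JSON for printable UTF-8 text, tabs and newlines, but writes other control characters and invalid UTF-8 as \x escapes that a JSON parser rejects. CB events are themselves JSON, so this is not an issue in normal operation, but it explains why a bundle containing a malformed event could be refused by the API.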
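Because the same key names recur in several sections of cb-event-forwarder.conf, a section-aware check is the safest way to confirm that the edits above landed in [http] and that the <api-key> placeholder was really replaced. The following is an added example, not part of this document or of cb-event-forwarder: a small INI-style parser plus a checker for the values listed above. It assumes output_type and httpout are top-level keys (as in the stock configuration file), and both sample configurations are constructed for the example, with an [s3] section standing in for any other output section that carries the same key names.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// ParseConf reads an INI-style configuration and returns section -> key -> value.
// Keys that appear before the first [section] header are stored under "".
// Lines starting with '#' or ';' are comments. This parser belongs to the
// example; it is not the forwarder's own configuration loader.
func ParseConf(text string) map[string]map[string]string {
	conf := map[string]map[string]string{"": {}}
	section := ""
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") || strings.HasPrefix(line, ";") {
			continue
		}
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			section = strings.TrimSpace(line[1 : len(line)-1])
			if conf[section] == nil {
				conf[section] = map[string]string{}
			}
			continue
		}
		// Split on the first '=' only: the template value itself contains ":=".
		k, v, ok := strings.Cut(line, "=")
		if !ok {
			continue
		}
		conf[section][strings.TrimSpace(k)] = strings.TrimSpace(v)
	}
	return conf
}

// CheckConf returns one message per setting that does not match what this
// document asks for. An empty result means the file is ready to use.
func CheckConf(conf map[string]map[string]string) []string {
	var problems []string
	global := conf[""]
	if global["output_type"] != "http" {
		problems = append(problems, "output_type must be http")
	}
	httpout := global["httpout"]
	switch {
	case httpout == "":
		problems = append(problems, "httpout is not set")
	case !strings.HasPrefix(httpout, "https://malachiteingestion-pa.googleapis.com/v1/unstructuredlogentries?key="):
		problems = append(problems, "httpout does not point at the Ingestion API")
	case strings.Contains(httpout, "<api-key>"):
		problems = append(problems, "httpout still contains the <api-key> placeholder")
	}
	// Only the [http] section counts; identical keys in other sections are ignored.
	httpSec := conf["http"]
	if httpSec["upload_empty_files"] != "false" {
		problems = append(problems, "[http] upload_empty_files must be false")
	}
	if httpSec["bundle_size_max"] != "1048576" {
		problems = append(problems, "[http] bundle_size_max must be 1048576")
	}
	if !strings.Contains(httpSec["http_post_template"], `"log_type": "CB_EDR"`) {
		problems = append(problems, "[http] http_post_template does not set log_type CB_EDR")
	}
	return problems
}

// GoodConf is a constructed sample that mirrors the edits above; the key value is a placeholder.
const GoodConf = `# constructed sample configuration
output_type=http
httpout=https://malachiteingestion-pa.googleapis.com/v1/unstructuredlogentries?key=EXAMPLE-KEY-NOT-REAL
events_raw_sensor=ingress.event.childproc,ingress.event.netconn,ingress.event.process

[s3]
# same key names as [http]; these must not satisfy the check
upload_empty_files=true
bundle_size_max=10485760

[http]
upload_empty_files=false
bundle_size_max=1048576
http_post_template={"log_type": "CB_EDR", "entries":[{{range $index, $element := .Events}}{{if $index}},{{end}}{{printf "{\"log_text\":%q}" .EventText}}{{end}}]}
`

// MisplacedConf is a constructed sample of the common mistake: the placeholder
// was never replaced and the [http] edits were made in the wrong section.
const MisplacedConf = `# constructed sample configuration with errors
output_type=http
httpout=https://malachiteingestion-pa.googleapis.com/v1/unstructuredlogentries?key=<api-key>

[s3]
upload_empty_files=false
bundle_size_max=1048576

[http]
upload_empty_files=true
bundle_size_max=10485760
`

func main() {
	for name, text := range map[string]string{"good": GoodConf, "misplaced": MisplacedConf} {
		fmt.Printf("%s: %v\n", name, CheckConf(ParseConf(text)))
	}
}
```

Run it against your real file with the same two functions; a non-empty result names exactly which setting is wrong and in which section.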

Starting and stopping the CB Event Forwarder

See Starting and stopping the service in the official CB Event Forwarder documentation.

How-to

How to debug when the CB Event Forwarder fails to start

Start-up errors are logged to /var/log/cb/integrations/cb-event-forwarder/cb-event-forwarder.startup.log.

How to confirm that the CB Event Forwarder is sending data to Google Security Operations

If the CB Event Forwarder is sending data to Google Security Operations, you should see the following in its log, which is located at /var/log/cb/integrations/cb-event-forwarder/cb-event-forwarder.log.

time="2018-11-15T16:08:41-08:00" level=info msg="Enforcing minimum TLS version 1.2"
time="2018-11-15T16:08:41-08:00" level=info msg="Raw Event Filtering Configuration:"
time="2018-11-15T16:08:41-08:00" level=info msg="ingress.event.netconn: true"
time="2018-11-15T16:08:41-08:00" level=info msg="cb-event-forwarder version NOT FOR RELEASE starting"
time="2018-11-15T16:08:41-08:00" level=info msg="Interface address XXX.XXX.XXX.XXX"
time="2018-11-15T16:08:41-08:00" level=info msg="Interface address XXXX::XXX:XXXX:XXXX:XXX"
time="2018-11-15T16:08:41-08:00" level=info msg="Configured to capture events: [watchlist.# feed.# alert.# ingress.event.netconn binaryinfo.# binarystore.#]"
time="2018-11-15T16:08:41-08:00" level=info msg="Rolling file /var/cb/data/event-forwarder/event-forwarder to /var/cb/data/event-forwarder/event-forwarder.2018-11-15T16:08:41.481.restart"
time="2018-11-15T16:08:41-08:00" level=info msg="Initialized output: HTTP POST https://malachiteingestion-pa.googleapis.com/v1/unstructuredlogentries\n"
...
time="2018-11-15T16:08:43-08:00" level=info msg="Successfully uploaded file /var/cb/data/event-forwarder/event-forwarder.2018-11-09T14:25:21.446 to HTTP POST https://malachiteingestion-pa.googleapis.com/v1/unstructuredlogentries."
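Reading the forwarder log by eye works once, but for a health check it helps to parse the key=value lines and count what matters: that the HTTP output was initialized and that bundles are being uploaded successfully, and whether any non-info lines appeared. The example below is added here and is not part of the original document or of cb-event-forwarder. Its parser handles the quoted, backslash-escaped msg values seen above; the sample input is the log excerpt from this page plus one constructed error line so the error path is exercised.

```go
package main

import (
	"fmt"
	"strings"
)

// ParseLogLine splits one forwarder log line of the form
//   time="..." level=info msg="..."
// into a map. Values may be double-quoted, in which case backslash escapes
// such as \n and \" are decoded. This parser is part of the example.
func ParseLogLine(line string) map[string]string {
	fields := map[string]string{}
	i := 0
	for i < len(line) {
		for i < len(line) && line[i] == ' ' {
			i++
		}
		start := i
		for i < len(line) && line[i] != '=' && line[i] != ' ' {
			i++
		}
		key := line[start:i]
		if i >= len(line) || line[i] != '=' {
			break // not a key=value token (e.g. the "..." elision line)
		}
		i++ // skip '='
		var val strings.Builder
		if i < len(line) && line[i] == '"' {
			i++
			for i < len(line) && line[i] != '"' {
				if line[i] == '\\' && i+1 < len(line) {
					i++
					switch line[i] {
					case 'n':
						val.WriteByte('\n')
					case 't':
						val.WriteByte('\t')
					default:
						val.WriteByte(line[i]) // \" and \\
					}
				} else {
					val.WriteByte(line[i])
				}
				i++
			}
			i++ // closing quote
		} else {
			for i < len(line) && line[i] != ' ' {
				val.WriteByte(line[i])
				i++
			}
		}
		fields[key] = val.String()
	}
	return fields
}

// UploadSummary is what a health check wants to know from the log.
type UploadSummary struct {
	Initialized bool     // "Initialized output: HTTP POST ..." was logged
	Uploads     int      // number of "Successfully uploaded file ..." lines
	Errors      []string // msg of every line at level warning, error or fatal
}

// SummarizeLog runs ParseLogLine over each line and aggregates the results.
func SummarizeLog(lines []string) UploadSummary {
	var s UploadSummary
	for _, line := range lines {
		f := ParseLogLine(line)
		msg := f["msg"]
		switch f["level"] {
		case "warning", "error", "fatal":
			s.Errors = append(s.Errors, msg)
		}
		if strings.HasPrefix(msg, "Initialized output: HTTP POST") {
			s.Initialized = true
		}
		if strings.HasPrefix(msg, "Successfully uploaded file") {
			s.Uploads++
		}
	}
	return s
}

// sampleLog is the excerpt shown above plus one constructed error line (the last one).
const sampleLog = `time="2018-11-15T16:08:41-08:00" level=info msg="Enforcing minimum TLS version 1.2"
time="2018-11-15T16:08:41-08:00" level=info msg="ingress.event.netconn: true"
time="2018-11-15T16:08:41-08:00" level=info msg="Configured to capture events: [watchlist.# feed.# alert.# ingress.event.netconn binaryinfo.# binarystore.#]"
time="2018-11-15T16:08:41-08:00" level=info msg="Initialized output: HTTP POST https://malachiteingestion-pa.googleapis.com/v1/unstructuredlogentries\n"
...
time="2018-11-15T16:08:43-08:00" level=info msg="Successfully uploaded file /var/cb/data/event-forwarder/event-forwarder.2018-11-09T14:25:21.446 to HTTP POST https://malachiteingestion-pa.googleapis.com/v1/unstructuredlogentries."
time="2018-11-15T16:08:44-08:00" level=error msg="constructed example error line"`

// SampleLogLines returns the sample log split into lines.
func SampleLogLines() []string {
	return strings.Split(sampleLog, "\n")
}

func main() {
	s := SummarizeLog(SampleLogLines())
	fmt.Printf("initialized=%v uploads=%d errors=%v\n", s.Initialized, s.Uploads, s.Errors)
}
```

A forwarder that is healthy shows Initialized true and a growing Uploads count; Initialized false with no uploads points back to the startup log named above, while a non-empty Errors list is the place to start when uploads stop.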

Contact information

Technical questions, including help with the instructions in this document: forwarder@chronicle.security

General questions: product@chronicle.security

Sales questions: sales@chronicle.security