安装 Carbon Black Event Forwarder
简介
在本文档中,我们将逐步配置 Carbon Black (CB) Event Forwarder,使其将端点遥测发送到 Google 安全运营团队。
快速入门指南
概括来讲,我们将遵循官方 CB Event Forwarder(请参阅此处)的快速入门指南,包括以下几项:
- 直接在 CB 响应服务器或其他虚拟机上安装 CB Event Forwarder。
- 确保在 CB 响应服务器上配置要发送到 Google Security Operations 的所需事件。
- 在 CB Event Forwarder 配置中配置几个字段以允许将事件发送到 Google 安全运营
配置 CB 响应
配置 CB 响应以导出所需的事件。请参阅官方 CB Event Forwarder 文档的配置 CB 响应以了解详情。
例如,如果要启用在 CB 响应服务器上运行的 CB Event Forwarder 导出网络连接事件,则将执行以下操作:
# If this property is not empty, it will enable publishing of incoming events from
# sensors onto RabbitMQ PUBSUB enterprise bus (see RabbitMQ (cb-rabbitmq service)
# settings in this file). The value of this property consists of one or more of the
# following comma-separated event types that should be published:
# * procstart (or process)
# * procend
# * childproc
# * moduleload
# * module
# * filemod
# * regmod
# * netconn
# If you wish to subscribe for ALL of the above events, '*' value can be specified.
# Each event type will be published to its own topic: ingress.event.<event type>
DatastoreBroadcastEventTypes=netconn
配置 CB Event Forwarder
配置 CB Event Forwarder,使用 HTTP(S) 将数据导出到 Google Security Operations Ingestion API。如需了解详情,请参阅官方 CB Event Forwarder 文档的配置 cb-event-forwarder。
配置 CB Event Forwarder 需要多个标志。我们将为您提供包含这些标志的配置。
- 备份官方 CB Event Forwarder 配置:
// Go to the configuration folder.
$ cd /etc/cb/integrations/event-forwarder
$ cp cb-event-forwarder.conf cb-event-forwarder.conf.official
- 更新 cb-event-forwarder.conf 中的以下字段:
// Update output_type from file to http.
output_type=http
// Configure the Ingestion API endpoint.
httpout=https://malachiteingestion-pa.googleapis.com/v1/unstructuredlogentries?key=<api-key>
// Only export the following Raw Sensor (endpoint) Events.
events_raw_sensor=ingress.event.childproc,ingress.event.emetmitigation,ingress.event.netconn,ingress.event.process,ingress.event.processblock,ingress.event.remotethread,ingress.event.tamper,ingress.event.filemod,ingress.event.regmod
// Update the following fields in the [http] section. Note that some fields with exactly the same field name appear in many sections. Make sure that you are updating the fields in the [http] section.
// Do not send an empty update.
upload_empty_files=false
// Update the bundle size to 1MB.
bundle_size_max=1048576
// Update HTTP post template.
http_post_template={"log_type": "CB_EDR", "entries":[{{range $index, $element := .Events}}{{if $index}},{{end}}{{printf "{\"log_text\":%q}" .EventText}}{{end}}]}
请务必将
启动和停止 CB Event Forwarder
请参阅 CB Event Forwarder 官方文档的启动和停止服务。
操作方法
如何在 CB Event Forwarder 启动失败时进行调试
启动错误将记录到 /var/log/cb/integrations/cb-event-forwarder/cb-event-forwarder.startup.log。
如何发现 CB Event Forwarder 向 Google Security Operations 发送数据
如果 CB Event Forwarder 向 Google Security Operations 发送数据,您应该会在日志中看到以下内容。日志可在 /var/log/cb/integrations/cb-event-forwarder/cb-event-forwarder.log 中找到
time="2018-11-15T16:08:41-08:00" level=info msg="Enforcing minimum TLS version 1.2"
time="2018-11-15T16:08:41-08:00" level=info msg="Raw Event Filtering Configuration:"
time="2018-11-15T16:08:41-08:00" level=info msg="ingress.event.netconn: true"
time="2018-11-15T16:08:41-08:00" level=info msg="cb-event-forwarder version NOT FOR RELEASE starting"
time="2018-11-15T16:08:41-08:00" level=info msg="Interface address XXX.XXX.XXX.XXX"
time="2018-11-15T16:08:41-08:00" level=info msg="Interface address XXXX::XXX:XXXX:XXXX:XXX"
time="2018-11-15T16:08:41-08:00" level=info msg="Configured to capture events: [watchlist.# feed.# alert.# ingress.event.netconn binaryinfo.# binarystore.#]"
time="2018-11-15T16:08:41-08:00" level=info msg="Rolling file /var/cb/data/event-forwarder/event-forwarder to /var/cb/data/event-forwarder/event-forwarder.2018-11-15T16:08:41.481.restart"
time="2018-11-15T16:08:41-08:00" level=info msg="Initialized output: HTTP POST https://malachiteingestion-pa.googleapis.com/v1/unstructuredlogentries\n"
...
time="2018-11-15T16:08:43-08:00" level=info msg="Successfully uploaded file /var/cb/data/event-forwarder/event-forwarder.2018-11-09T14:25:21.446 to HTTP POST https://malachiteingestion-pa.googleapis.com/v1/unstructuredlogentries."
联系信息
技术问题,包括有关本文档中说明的帮助:forwarder@chronicle.security
一般问题:product@chronicle.security