Install the Carbon Black Event Forwarder
Overview
This document walks through configuring the Carbon Black (CB) Event Forwarder to send endpoint telemetry to Google Security Operations.
Quick start guide
At a high level, we follow the official CB Event Forwarder quick start guide (see here) and complete these steps:
- Install the CB Event Forwarder, either directly on the CB Response server or on a separate VM.
- Confirm that the CB Response server is configured to publish the events you want sent to Google SecOps.
- Set a handful of fields in the CB Event Forwarder configuration to enable sending events to Google SecOps.
Configure CB Response
Configure CB Response to export the required events. For more background, see "Configure CB Response" in the official CB Event Forwarder documentation.
For example, to export network connection events through a CB Event Forwarder running on the CB Response server itself, set the following in the CB Response configuration file (/etc/cb/cb.conf; the cb-enterprise services must be restarted for the change to take effect):
# If this property is not empty, it will enable publishing of incoming events from
# sensors onto RabbitMQ PUBSUB enterprise bus (see RabbitMQ (cb-rabbitmq service)
# settings in this file). The value of this property consists of one or more of the
# following comma-separated event types that should be published:
# * procstart (or process)
# * procend
# * childproc
# * moduleload
# * module
# * filemod
# * regmod
# * netconn
# If you wish to subscribe for ALL of the above events, '*' value can be specified.
# Each event type will be published to its own topic: ingress.event.<event type>
DatastoreBroadcastEventTypes=netconn
Configure the CB Event Forwarder
Configure the CB Event Forwarder to export data over HTTP(S) to the Chronicle Ingestion API. For more background, see the "Configure the cb-event-forwarder" section of the official CB Event Forwarder documentation.
Several flags must be set in the CB Event Forwarder configuration; the settings below cover all of them.
- Back up the stock CB Event Forwarder configuration:
# Go to the configuration folder.
$ cd /etc/cb/integrations/event-forwarder
$ cp cb-event-forwarder.conf cb-event-forwarder.conf.official
- Update the following fields in cb-event-forwarder.conf:
# Change output_type from file to http.
output_type=http
# Point the forwarder at the Ingestion API endpoint; <api-key> is your Google SecOps API key.
# The key is a credential: keep this file readable only by the account the forwarder runs as.
httpout=https://malachiteingestion-pa.googleapis.com/v1/unstructuredlogentries?key=<api-key>
# Export only the following raw sensor (endpoint) events.
events_raw_sensor=ingress.event.childproc,ingress.event.emetmitigation,ingress.event.netconn,ingress.event.process,ingress.event.processblock,ingress.event.remotethread,ingress.event.tamper,ingress.event.filemod,ingress.event.regmod
# Update the following fields in the [http] section. Several sections carry keys with exactly the
# same names (for example bundle_size_max); make sure you are editing the ones under [http].
# Do not send an empty update.
upload_empty_files=false
# Cap each bundle at 1 MiB (1048576 bytes).
bundle_size_max=1048576
# Set the HTTP POST template: one JSON object with log_type CB_EDR and one log_text entry per event.
http_post_template={"log_type": "CB_EDR", "entries":[{{range $index, $element := .Events}}{{if $index}},{{end}}{{printf "{\"log_text\":%q}" .EventText}}{{end}}]}
Remember to
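To check a configuration before starting the forwarder, here is an added example (not part of this page or of the cb-event-forwarder project) in Go, the language the forwarder itself is written in, so the http_post_template above can be executed with the same text/template engine. It parses a constructed cb-event-forwarder.conf fragment section by section, flags an httpout that is not HTTPS or still carries the <api-key> placeholder and a [http] bundle_size_max outside 1..1048576, then renders the template over constructed sample events and verifies that the result is the JSON body the endpoint expects. The helper names (parseConf, checkConf, renderBody), the Event struct, the sample configuration and the sample events are all assumptions of this example; only the template text and the field names come from the page.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strconv"
	"strings"
	"text/template"
)

// Event mirrors the one field http_post_template reads; the forwarder's real struct is assumed to match.
type Event struct{ EventText string }

// parseConf reads the INI-style conf ('#' comments, [section] headers, key=value) into section -> key -> value.
func parseConf(src string) map[string]map[string]string {
	cfg, section := map[string]map[string]string{"": {}}, "" // keys above the first header land in ""
	for _, raw := range strings.Split(src, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || line[0] == '#' {
			continue
		}
		if line[0] == '[' && strings.HasSuffix(line, "]") {
			if section = line[1 : len(line)-1]; cfg[section] == nil {
				cfg[section] = map[string]string{}
			}
			continue
		}
		if kv := strings.SplitN(line, "=", 2); len(kv) == 2 { // the template value itself contains '='
			cfg[section][strings.TrimSpace(kv[0])] = strings.TrimSpace(kv[1])
		}
	}
	return cfg
}

// checkConf flags an httpout that is not HTTPS or still carries <api-key>, and a bundle_size_max outside
// 1..1048576. It reads [http] only, so the same key edited in [s3] by mistake leaves [http] wrong and is reported.
func checkConf(cfg map[string]map[string]string) (problems []string) {
	u, err := url.Parse(cfg[""]["httpout"])
	if err != nil || u.Scheme != "https" || u.Query().Get("key") == "" || strings.HasPrefix(u.Query().Get("key"), "<") {
		problems = append(problems, "httpout must be an https:// URL carrying a real key=, not <api-key>")
	}
	if n, err := strconv.Atoi(cfg["http"]["bundle_size_max"]); err != nil || n < 1 || n > 1048576 {
		problems = append(problems, "[http] bundle_size_max must be 1..1048576 bytes")
	}
	return problems
}

// renderBody executes http_post_template with text/template (the forwarder is Go and uses the same syntax)
// and checks the output is the expected body: log_type CB_EDR plus one log_text per event that decodes back.
func renderBody(tmplSrc string, events []Event) (string, error) {
	t, err := template.New("http_post_template").Parse(tmplSrc)
	if err != nil {
		return "", err
	}
	var buf strings.Builder
	if err := t.Execute(&buf, struct{ Events []Event }{events}); err != nil {
		return "", err
	}
	var body struct {
		LogType string              `json:"log_type"`
		Entries []map[string]string `json:"entries"`
	}
	if err := json.Unmarshal([]byte(buf.String()), &body); err != nil {
		return buf.String(), fmt.Errorf("template produced invalid JSON: %w", err)
	}
	if body.LogType != "CB_EDR" || len(body.Entries) != len(events) {
		return buf.String(), fmt.Errorf("got log_type %q with %d entries", body.LogType, len(body.Entries))
	}
	for i, e := range body.Entries {
		if e["log_text"] != events[i].EventText {
			return buf.String(), fmt.Errorf("entry %d did not round-trip", i)
		}
	}
	return buf.String(), nil
}

// sampleConf is a constructed conf fragment; the decoy [s3] section and the <api-key> placeholder are deliberate.
const sampleConf = `
httpout=https://malachiteingestion-pa.googleapis.com/v1/unstructuredlogentries?key=<api-key>
[s3]
bundle_size_max=10485760
[http]
bundle_size_max=1048576
http_post_template={"log_type": "CB_EDR", "entries":[{{range $index, $element := .Events}}{{if $index}},{{end}}{{printf "{\"log_text\":%q}" .EventText}}{{end}}]}
`

// sampleEvents are constructed stand-ins for the forwarder's JSON event lines; quotes and backslashes exercise %q.
var sampleEvents = []Event{
	{`{"type":"ingress.event.netconn","remote_ip":"198.51.100.7","path":"c:\windows\system32\svchost.exe"}`},
	{`{"type":"ingress.event.process","cmdline":"cmd.exe /c \"whoami\""}`},
}

func main() {
	cfg := parseConf(sampleConf)
	body, err := renderBody(cfg["http"]["http_post_template"], sampleEvents)
	fmt.Printf("problems: %v\nbody: %s\nerror: %v\n", checkConf(cfg), body, err)
}
```

Run it with `go run` to see the one problem the sample is built to trigger (the placeholder key) and the rendered body. The round-trip check also exposes a limit of the template: `%q` is Go string quoting, which agrees with JSON escaping for quotes, backslashes and the usual whitespace escapes but renders other control bytes as `\x01`-style sequences that a JSON parser rejects, so an event carrying such a byte comes back from renderBody as an error rather than a body.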
Start and stop the CB Event Forwarder
See the "Starting and stopping the service" section of the official CB Event Forwarder documentation.
How-to
How to debug a CB Event Forwarder that fails to start
Startup errors are logged to /var/log/cb/integrations/cb-event-forwarder/cb-event-forwarder.startup.log.
How to confirm that the CB Event Forwarder is sending data to Google SecOps
If the CB Event Forwarder is sending data to Google SecOps, you should see lines like the following in its log, /var/log/cb/integrations/cb-event-forwarder/cb-event-forwarder.log. The "Configured to capture events" line lists the topics actually subscribed, and each "Successfully uploaded file ... to HTTP POST" line is one bundle delivered to the Ingestion API endpoint:
time="2018-11-15T16:08:41-08:00" level=info msg="Enforcing minimum TLS version 1.2"
time="2018-11-15T16:08:41-08:00" level=info msg="Raw Event Filtering Configuration:"
time="2018-11-15T16:08:41-08:00" level=info msg="ingress.event.netconn: true"
time="2018-11-15T16:08:41-08:00" level=info msg="cb-event-forwarder version NOT FOR RELEASE starting"
time="2018-11-15T16:08:41-08:00" level=info msg="Interface address XXX.XXX.XXX.XXX"
time="2018-11-15T16:08:41-08:00" level=info msg="Interface address XXXX::XXX:XXXX:XXXX:XXX"
time="2018-11-15T16:08:41-08:00" level=info msg="Configured to capture events: [watchlist.# feed.# alert.# ingress.event.netconn binaryinfo.# binarystore.#]"
time="2018-11-15T16:08:41-08:00" level=info msg="Rolling file /var/cb/data/event-forwarder/event-forwarder to /var/cb/data/event-forwarder/event-forwarder.2018-11-15T16:08:41.481.restart"
time="2018-11-15T16:08:41-08:00" level=info msg="Initialized output: HTTP POST https://malachiteingestion-pa.googleapis.com/v1/unstructuredlogentries\n"
...
time="2018-11-15T16:08:43-08:00" level=info msg="Successfully uploaded file /var/cb/data/event-forwarder/event-forwarder.2018-11-09T14:25:21.446 to HTTP POST https://malachiteingestion-pa.googleapis.com/v1/unstructuredlogentries."
Contact information
Technical questions, including about the instructions in this document: forwarder@chronicle.security
General questions: product@chronicle.security