AlienVault® USM Anywhere™

Carbon Black Cb Defense

When you configure Carbon Black Cb Defense integration to send log data to USM Anywhere, you can use the Cb Defense plugin to translate the raw log data into normalized events for analysis.

Device Details
Device vendor: Carbon Black
Device type: Antivirus
Connection type: Syslog
Vendor link: Cb Defense Syslog Connector

Cb Defense Integration

Before configuring the log collection, you must have the IP address of the USM Anywhere Sensor.

To send log data from CB Defense to USM Anywhere

  1. Install the CB Defense syslog connector (an RPM package) on a 64-bit Linux machine. See the Carbon Black documentation for instructions.

    When modifying the config file (/etc/cb/integrations/cb-defense-syslog/cb-defense-syslog.conf), do the following:

    • Remove {{source}}| from the template line so it becomes:

      template = {{version}}|{{vendor}}|{{product}}|{{dev_version}}|{{signature}}|{{name}}|{{severity}}|{{extension}}

    • Specify the syslog protocol of your choice and port number, such as



      Note: USM Anywhere listens for syslog at UDP port 514, TCP port 601, or TLS port 6514.

      If using TLS, you need to download the certificate from USM Anywhere, place the file (USM-Anywhere-Syslog-CA.pem) in /etc/cb/integrations/cb-defense/, and update the ca_cert parameter accordingly.

    • Replace connector_id, api_key, and server_url with the correct CB Defense values.
  2. Create a CB Defense Connector key and attach it to one or more Notification Rules to connect to your CB Defense server. See the Carbon Black documentation for instructions. While the Carbon Black documentation mentions Splunk, the steps are the same for USM Anywhere.

Plugin Enablement

The Cb Defense plugin automatically processes all messages when the raw message contains "Confer\\|Confer_Syslog_Connector".

Important: If you plan to use the same asset to forward other Carbon Black logs (such as the Cb Response logs), which are not auto-discovered, you must configure the plugin enablement in USM Anywhere.

For detailed instructions about how to associate plugins with an asset, see Manual Integration Management.
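As an added example (not AlienVault's or Carbon Black's code), a small Python checker for lines produced after the template edit in the integration steps above: it splits the CEF-style header into the eight fields of the edited template, parses the extension, and reports whether the first field is still a source hostname (the {{source}}| prefix was not removed) and whether the line carries the Confer|Confer_Syslog_Connector marker the plugin auto-enables on. The sample lines, the CEF version string and the extension keys are constructed for this example, not captured from a real connector.

```python
import re

# Marker the page gives for auto-enablement: the regex Confer\|Confer_Syslog_Connector
# (an escaped pipe), i.e. the literal vendor|product pair in the CEF header.
AUTO_ENABLE_PATTERN = re.compile(r"Confer\|Confer_Syslog_Connector")

# Header fields of the edited template, in order; {{extension}} is the remainder.
HEADER_FIELDS = ("version", "vendor", "product", "dev_version",
                 "signature", "name", "severity")

def parse_cef_line(line):
    """Split one connector line into (header dict, extension dict).

    Pipes inside header values are escaped as '\\|' per CEF, so split only on
    unescaped pipes; the extension is a run of key=value pairs whose values
    may contain spaces."""
    parts = re.split(r"(?<!\\)\|", line.rstrip("\n"), maxsplit=len(HEADER_FIELDS))
    if len(parts) != len(HEADER_FIELDS) + 1:
        raise ValueError("expected %d header fields before the extension, got %d"
                         % (len(HEADER_FIELDS), len(parts) - 1))
    header = {k: v.replace("\\|", "|") for k, v in zip(HEADER_FIELDS, parts[:-1])}
    extension = {m.group(1): m.group(2)
                 for m in re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", parts[-1])}
    return header, extension

def check_line(line):
    """Return (header, extension, problems); an empty problems list means the
    line matches the edited template and carries the auto-enable marker."""
    header, extension = parse_cef_line(line)
    problems = []
    if not header["version"].startswith("CEF:"):
        problems.append("first field is not the CEF version: {{source}}| is "
                        "probably still in the template line")
    if not AUTO_ENABLE_PATTERN.search(line):
        problems.append("missing Confer|Confer_Syslog_Connector marker: the "
                        "plugin will not auto-enable on this message")
    return header, extension, problems

# Constructed sample lines (not captured from a real connector).
SAMPLE_OK = (r"CEF:0|Confer|Confer_Syslog_Connector|2.0|Active_Threat"
             r"|Suspicious cmd\| exec|8|rt=1512345678000 dvchost=WS01 duser=user01 act=Alert")
SAMPLE_WITH_SOURCE = "ws01.example.com|" + SAMPLE_OK

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_WITH_SOURCE):
        header, extension, problems = check_line(sample)
        print(header["name"], extension, problems or "OK")
```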

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. The USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • customfield_3
  • customheader_3
  • destination_username
  • event_action
  • event_description_url
  • event_name
  • event_receipt_time
  • event_severity
  • plugin_device
  • plugin_device_type
  • rep_device_address
  • rep_device_hostname
  • rep_device_rule_id
  • rep_device_type
  • rep_device_vendor
  • rep_device_version
  • source_ntdomain


For troubleshooting, refer to the vendor documentation: