This is the carbonblack backend for pySigma. It provides the package `sigma.backends.carbonblack` with the `CarbonBlackBackend` class.
Further, it contains the following processing pipelines in `sigma.pipelines.carbonblack`:
- CarbonBlack_pipeline: Uses Carbon Black Enterprise EDR process-level field mappings
- CarbonBlackEvents_pipeline: Uses Carbon Black Enterprise EDR event-level field mappings
- CarbonBlackResponse_pipeline: Uses Carbon Black EDR process-level field mappings
It supports the following output formats:
- default: plain CarbonBlack queries
- json: JSON output to include query and rule metadata
This backend is currently maintained by:
This can be installed via pip from PyPI:

```bash
pip install pysigma-backend-carbonblack
```
```python
from sigma.backends.carbonblack import CarbonBlackBackend
from sigma.pipelines.carbonblack import CarbonBlack_pipeline, CarbonBlackResponse_pipeline
from sigma.rule import SigmaRule

# Sigma rules are YAML; logsource and detection must be indented as shown
rule = SigmaRule.from_yaml("""
title: Invoke-Mimikatz CommandLine
status: test
logsource:
    category: process_creation
    product: windows
detection:
    sel:
        CommandLine|contains: Invoke-Mimikatz
    condition: sel""")

# Carbon Black Enterprise EDR (Carbon Black Cloud) process-level field names
cb_backend = CarbonBlackBackend(CarbonBlack_pipeline())
# If you want to use the field names for the legacy Carbon Black EDR (fka Response)
# cbr_backend = CarbonBlackBackend(CarbonBlackResponse_pipeline())

# convert_rule returns a list of queries, one per rule condition
print(f"Cb query: {cb_backend.convert_rule(rule)[0]}")
# print(f"CbR query: {cbr_backend.convert_rule(rule)[0]}")
```
- Backend uses Carbon Black syntax
- Pipelines exist for both Carbon Black Enterprise EDR and Carbon Black EDR
- Both pipelines support linux, windows, and macos product types
- Both pipelines support the following category types for field mappings:
  - process_creation
  - file_event
  - file_change
  - file_rename
  - file_delete
  - image_load
  - registry_add
  - registry_delete
  - registry_event
  - registry_set
  - network_connection
  - firewall
- Below is a chart of supported fields. Any unsupported fields or categories will throw errors.
Field Name | Carbon Black Response | Carbon Black Cloud | Carbon Black Cloud Events |
---|---|---|---|
CommandLine | ✔️ | ✔️ | ✔️ |
Company | ✔️ | ✔️ | ❌ |
CurrentDirectory | ✔️ | ✔️ | ✔️ |
Description | ✔️ | ✔️ | ❌ |
DestinationHostname | ✔️ | ✔️ | ✔️ |
DestinationIp | ✔️ | ✔️ | ✔️ |
DestinationPort | ✔️ | ✔️ | ✔️ |
DstPort | ✔️ | ✔️ | ✔️ |
Image | ✔️ | ✔️ | ✔️ |
ImageLoaded | ✔️ | ✔️ | ✔️ |
ImagePath | ✔️ | ✔️ | ✔️ |
IntegrityLevel | ❌ | ✔️ | ❌ |
OriginalFileName | ❌ | ✔️ | ❌ |
ParentCommandLine | ❌ | ✔️ | ❌ |
ParentImage | ✔️ | ✔️ | ❌ |
ParentProcessId | ✔️ | ✔️ | ❌ |
ProcessId | ✔️ | ✔️ | ❌ |
Product | ✔️ | ✔️ | ❌ |
Protocol | ❌ | ✔️ | ✔️ |
SourceIp | ✔️ | ✔️ | ✔️ |
SourcePort | ✔️ | ✔️ | ✔️ |
SrcPort | ✔️ | ✔️ | ✔️ |
TargetFilename | ✔️ | ✔️ | ✔️ |
TargetObject | ✔️ | ✔️ | ✔️ |
User | ✔️ | ✔️ | ✔️ |
dst_ip | ✔️ | ✔️ | ✔️ |
dst_port | ✔️ | ✔️ | ✔️ |
md5 | ✔️ | ✔️ | ✔️ |
sha256 | ✔️ | ✔️ | ✔️ |
src_ip | ✔️ | ✔️ | ✔️ |
src_port | ✔️ | ✔️ | ✔️ |
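Because an unsupported field makes conversion throw, it is useful to check a rule's field names against the chart before handing a batch of rules to the backend. The following pre-flight check is an added example, not code from pysigma-backend-carbonblack; it parses an excerpt of the chart above in its Markdown form and walks a Sigma detection section, so it needs only the standard library and runs without pySigma installed. It assumes that the chart columns correspond to the three pipelines (Carbon Black Cloud to CarbonBlack_pipeline, Carbon Black Cloud Events to CarbonBlackEvents_pipeline, Carbon Black Response to CarbonBlackResponse_pipeline), and the sample detections are constructed for illustration; a field absent from the chart is reported as unsupported.

```python
"""Pre-flight check of a Sigma rule's field names against the backend's support chart.

Added example, not code from pysigma-backend-carbonblack. Uses only the standard
library. Assumptions: chart columns map to pipelines as in PIPELINE_COLUMN, and the
sample detections below are constructed for illustration.
"""
from __future__ import annotations

# Excerpt of the README support chart, kept in its Markdown form so the same
# parser would work on the full table.
SUPPORT_CHART = """\
Field Name | Carbon Black Response | Carbon Black Cloud | Carbon Black Cloud Events |
---|---|---|---|
CommandLine | ✔️ | ✔️ | ✔️ |
Company | ✔️ | ✔️ | ❌ |
Image | ✔️ | ✔️ | ✔️ |
IntegrityLevel | ❌ | ✔️ | ❌ |
ParentCommandLine | ❌ | ✔️ | ❌ |
Protocol | ❌ | ✔️ | ✔️ |
TargetFilename | ✔️ | ✔️ | ✔️ |
"""

# Assumed mapping from pipeline function name to chart column.
PIPELINE_COLUMN = {
    "CarbonBlackResponse_pipeline": "Carbon Black Response",
    "CarbonBlack_pipeline": "Carbon Black Cloud",
    "CarbonBlackEvents_pipeline": "Carbon Black Cloud Events",
}

CHECK_MARK = "\u2714"  # first code point of a ✔️ cell; ❌ cells never start with it


def parse_support_chart(chart: str) -> dict[str, dict[str, bool]]:
    """Turn the Markdown table into {field: {column: supported}}."""
    rows = [line.strip().rstrip("|") for line in chart.splitlines() if line.strip()]
    columns = [cell.strip() for cell in rows[0].split("|")][1:]
    support: dict[str, dict[str, bool]] = {}
    for row in rows[2:]:  # rows[1] is the ---|--- separator line
        cells = [cell.strip() for cell in row.split("|")]
        field, marks = cells[0], cells[1:]
        if len(marks) != len(columns):
            raise ValueError(f"malformed chart row: {row!r}")
        support[field] = {
            col: mark.startswith(CHECK_MARK) for col, mark in zip(columns, marks)
        }
    return support


SUPPORT = parse_support_chart(SUPPORT_CHART)


def rule_fields(detection: dict) -> set[str]:
    """Collect field names from a Sigma detection section, dropping modifiers such
    as |contains or |endswith and ignoring keyword-only (plain string) items."""
    fields: set[str] = set()
    for name, body in detection.items():
        if name == "condition":
            continue
        for item in body if isinstance(body, list) else [body]:
            if isinstance(item, dict):
                fields.update(key.split("|", 1)[0] for key in item)
    return fields


def unsupported_fields(detection: dict, pipeline: str, support=SUPPORT) -> list[str]:
    """Fields the chosen pipeline cannot map. A field missing from the chart counts
    as unsupported, matching the README's 'will throw errors'."""
    column = PIPELINE_COLUMN[pipeline]
    return sorted(
        f for f in rule_fields(detection) if not support.get(f, {}).get(column, False)
    )


# Constructed sample detections, in the same shape as the README rule's detection.
MIMIKATZ_DETECTION = {
    "sel": {"CommandLine|contains": "Invoke-Mimikatz"},
    "condition": "sel",
}
PARENT_DETECTION = {
    "sel": [{"ParentCommandLine|contains": "example", "IntegrityLevel": "High"}],
    "condition": "sel",
}

if __name__ == "__main__":
    for pipeline in PIPELINE_COLUMN:
        missing = unsupported_fields(PARENT_DETECTION, pipeline)
        print(f"{pipeline}: {'ok' if not missing else 'unsupported: ' + ', '.join(missing)}")
```

Run against the two sample detections, the Invoke-Mimikatz rule passes for every pipeline, while the rule using `ParentCommandLine` and `IntegrityLevel` passes only for `CarbonBlack_pipeline`, which is exactly what the chart predicts; the check is cheap to run over a whole rule directory before conversion.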