This is the carbonblack backend for pySigma. It provides the package sigma.backends.carbonblack with the CarbonBlackBackend class.
Further, it contains the following processing pipelines in sigma.pipelines.carbonblack:
- CarbonBlack_pipeline: Uses Carbon Black Enterprise EDR process-level field mappings
- CarbonBlackEvents_pipeline: Uses Carbon Black Enterprise EDR event-level field mappings
- CarbonBlackResponse_pipeline: Uses Carbon Black EDR process_level field mappings
It supports the following output formats:
- default: plain CarbonBlack queries
- json: JSON output to include query and rule metadata
This backend is currently maintained by:
This can be installed via pip from PyPI
pip install pysigma-backend-carbonblackfrom sigma.backends.carbonblack import CarbonBlackBackend
from sigma.pipelines.carbonblack import CarbonBlack_pipeline, CarbonBlackResponse_pipeline
import yaml
from sigma.rule import SigmaRule
rule = SigmaRule.from_yaml("""
title: Invoke-Mimikatz CommandLine
status: test
logsource:
category: process_creation
product: windows
detection:
sel:
CommandLine|contains: Invoke-Mimikatz
condition: sel""")
cb_backend = CarbonBlackBackend(CarbonBlack_pipeline())
# If you want to use the field names for the legacy Carbon Black EDR (fka Response)
# cbr_backend = CarbonBlackBackend(CarbonBlackResponse_pipeline())
print(f"Cb query: {cb_backend.convert_rule(rule)[0]}")
#print(f"CbR query: {cbr_backend.convert_rule(rule)[0]}")- Backend uses Carbon Black syntax
- Pipelines exist for both Carbon Black Enterprise EDR and Carbon Black EDR
- Both pipelines support linux, windows, and macos product types
- Both pipelines support the following category types for field mappings
process_creationfile_eventfile_changefile_renamefile_deleteimage_loadregistry_addregistry_deleteregistry_eventregistry_setnetwork_connectionfirewall
- Below is a chart of supported fields. Any unsupported fields or categories will throw errors
| Field Name | Carbon Black Response | Carbon Black Cloud | Carbon Black Cloud Events |
|---|---|---|---|
| CommandLine | ✔️ | ✔️ | ✔️ |
| Company | ✔️ | ✔️ | ❌ |
| CurrentDirectory | ✔️ | ✔️ | ✔️ |
| Description | ✔️ | ✔️ | ❌ |
| DestinationHostname | ✔️ | ✔️ | ✔️ |
| DestinationIp | ✔️ | ✔️ | ✔️ |
| DestinationPort | ✔️ | ✔️ | ✔️ |
| DstPort | ✔️ | ✔️ | ✔️ |
| Image | ✔️ | ✔️ | ✔️ |
| ImageLoaded | ✔️ | ✔️ | ✔️ |
| ImagePath | ✔️ | ✔️ | ✔️ |
| IntegrityLevel | ❌ | ✔️ | ❌ |
| OriginalFileName | ❌ | ✔️ | ❌ |
| ParentCommandLine | ❌ | ✔️ | ❌ |
| ParentImage | ✔️ | ✔️ | ❌ |
| ParentProcessId | ✔️ | ✔️ | ❌ |
| ProcessId | ✔️ | ✔️ | ❌ |
| Product | ✔️ | ✔️ | ❌ |
| Protocol | ❌ | ✔️ | ✔️ |
| SourceIp | ✔️ | ✔️ | ✔️ |
| SourcePort | ✔️ | ✔️ | ✔️ |
| SrcPort | ✔️ | ✔️ | ✔️ |
| TargetFilename | ✔️ | ✔️ | ✔️ |
| TargetObject | ✔️ | ✔️ | ✔️ |
| User | ✔️ | ✔️ | ✔️ |
| dst_ip | ✔️ | ✔️ | ✔️ |
| dst_port | ✔️ | ✔️ | ✔️ |
| md5 | ✔️ | ✔️ | ✔️ |
| sha256 | ✔️ | ✔️ | ✔️ |
| src_ip | ✔️ | ✔️ | ✔️ |
| src_port | ✔️ | ✔️ | ✔️ |