All notable changes to this project will be documented in this file.
Bug Fixes
- Add catch for epoch time transform with milliseconds
NEW:
- Added support to configure a proxy for Carbon Black Cloud requests
Bug Fixes
- Update copyrights on code to reflect current date and Broadcom.
- Update dependencies to fixed version of CBC SDK.
Bug Fixes:
- Fix datetime.now UTC issue that prevents polling alerts
Bug Fixes:
- Adjust filename output and backup to use base64 instead of datetime
- Fix windows escape issue when using setup or convert commands to create config file
Bug Fixes:
- Enforce carbon-black-cloud-sdk >= 1.5.0
- Fix broken link in readme for pypi
The CBC Syslog tool has been rewritten from the ground up to provide increased customization and improved Alert data with support for the latest Carbon Black Cloud alert types
NEW:
- Added increased message templating support for any syslog format
- Supports customizable extensions based on a configurable type field
- Supports customizable timestamp format
- Audit logs and Alerts can be enabled independently
- Added new cbc_syslog_forwarder script which is installed into OS bin directory
- New CBC Syslog commands to support config validation, setup wizard, configuration convert, polling, and historical fetch for alerts
- All current and future alert types are supported by default
- Built in notification rule style support using alert_rules to configure specific filters that reduce noise and alert fatigue
- Only one API key required to fetch all Carbon Black Cloud data
- Improved configuration validation and logging
Breaking Changes:
- New configuration file format from conf to toml
- Moved from Carbon Black Cloud notifications to Alerts v7 schema
- Removed CEF and LEEF support for better message templating to customize to any syslog format
- back_up_dir renamed to backup_dir
- api_connector_id/api_key and siem_connector_id/siem_key renamed to custom_api_id/custom_api_key
- Removed requests_ca_cert
- Changed CLI parameters to increase functionality
- Removed dead cacert.pem
- Changed how cbc-syslog is executed to support better python practices
Bug fixes:
- Improved Backup Directory support to only process cbc syslog .bck files
- Improved handling for Carbon Black Cloud server_url supports hostname with https or without and removes trailing backslash
General:
- Update to latest jinja2 package
Bug fixes:
- Rename parser file to prevent conflict on windows
- Reformat package to move files into a util subfolder
Breaking Changes:
- Leef output has been rewritten to better utilize common properties and include as much information as possible
- Code and files have been refactored and renamed to better align with the product
Bug fixes:
- Config file no longer fails when output_format is leef
- Added Python 3 support with the addition of the python six package.
- Tests have been rewritten and additional tests around the config file have been added
- https_ssl_verify allows for false value
Removed the package fcntl and replaced it with the package psutils. This ensures multi-platform functionality for the connector.
The Syslog Connector will now be moved to a pip install. Please see README.md for more information about the installation instructions. The previous yum installation will be deprecated.
In the configuration file, a Backup Directory location can now be added. This allows backup files to be stored in the case that the Connector fails to send the data to Syslog.
Please see the following example:
backup_dir = /Users/jdoe/Documents/
Note: These fields are not optional and must be present in the config file.
In the configuration file, a API Key is now available to be added. This will allow Audit Logs to be pulled from each server in the configuration file.
Please see the following example:
[cbdefense1]
api_connector_id = GO5M953111
api_key = BYCRM7BRNSH0CXZR5V1Y3111
Note: These fields are not optional and must be present in the config file. If no API Key is needed, please leave the field blank as shown below:
[cbdefense1]
api_connector_id =
api_key =
Audit Logs are now available to be pulled from the Syslog Connector. To set up the program to pull Audit Logs, please see the API Key section above. When the Syslog Connector is executing, the program will grab the Audit Logs that have been generated since the last time the Connector was run. The following file formats are compatible with Audit Logs: CEF,LEEF, JSON
Note: All events types will be pulled from the Syslog Connector. As of now, no additional filtering is compatible for Audit Logs.
ThreatHunter notifications are now available to be pulled from the Syslog Connector. To set up the Connector to pull ThreatHunter notifications you need to add the API Key as shown below in the configuration file:
[cbdefense1]
siem_connector_id = UEUWR4U111
siem_api_key = XNS5UKWZXZMCC3CYC7DFM111
The file formats that are compatible with ThreatHunter Notifications are: LEEF, CEF, JSON. Just like with Audit Logs, the program will grab only the notifications that have been generated since the last time the Connector was run.
Note: All events types will be pulled from the Syslog Connector. As of now, no additional filtering is compatible for the ThreatHunter Notifications.