Environment
- Cb Response 6.1.2-6.2.1, with cb-event-forwarder
Symptoms
- Sensors on 6.1.2 or later versions.
- Netconns are observed within the CB Response console
- Netconns are not observed in external SIEM while using cb-event-forwarder to send data (or fewer than expected are observed, or only netconns from sensors before 6.1.2)
Cause
There is an identified defect in CB Response related to Netconn_v2 type events (introduced in 6.1.2 and later sensors) when broadcasting event via default method. This known issue is being tracked as: CB-17446. This will be addressed in a future product release.
Resolution
This issue can be addressed by switching from the 'default' broadcast (which is impacted by CB-17446) to "raw sensor exchange" (which is not). This change is invisible from the SIEM perspective and no changes are needed from SIEM side.
1. Ensure that cb-event-forwarder is upgraded to the latest version:
yum info cb-event-forwarder |
If it is not the latest (3.4, currently), then stop the cb-event-forwarder and update it:
initctl stop cb-event-forwarder |
yum upgrade cb-event-forwarder |
2. On master/standalone server (where cb-event-forwarder is installed), edit your /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf and locate the following parameter and uncomment it:
#use_raw_sensor_exchange=true |
change to:
use_raw_sensor_exchange=true |
3. On master/standalone server and all minions in the cluster, edit your /etc/cb/cb.conf and add the following parameter (bottom of the file is fine, it is not present out-of-box):
EnableRawSensorDataBroadcast=True |
4. Again, in your /etc/cb/cb.conf on master/standalone server and all minions in the cluster, comment out the following line:
DatastoreBroadcastEventTypes=<your current settings> |
change to:
#DatastoreBroadcastEventTypes=<your current settings> |
5. Confirm your /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf on the system that is running cb-event-forwarder has the correct setting you want for the events_raw_sensor parameter. The events_raw_sensor value should reflected the DatastoreBroadcastEventTypes value you commented out the previous step above. In case of an original setting of DatastoreBroadcastEventType=* in step 4, use events_raw_sensor=ALL. For any other settings, the parameters should have the same setting.
events_raw_sensor=<your setting> |
6. Do a complete server/cluster restart as per the normal procedure and also restart cb-event-forwarder:
initctl stop cb-event-forwarder initctl start cb-event-forwarder |
7. Wait for a few minutes and confirm that you are now getting expected netconns via cb-event-forwarder to your SIEM
