Carbon Black Logs

Overview

Evidence: Carbon Black Logs
Description: Collect Carbon Black Logs
Category: Applications
Platform: windows
Short Name: crbnl
Is Parsed: No
Sent to Investigation Hub: No
Collect File(s): Yes

Background

Carbon Black (now VMware Carbon Black) is an enterprise EDR solution that logs endpoint activities, threat detections, behavioral analysis, and AMSI (Antimalware Scan Interface) events for comprehensive threat visibility.

Data Collected

This collector gathers structured data about Carbon Black logs.

Collection Method

This collector gathers Carbon Black log files from the ProgramData directory, including general activity logs and AMSI event logs that capture script-based threat detections.
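The following PowerShell script is an added illustration of the collection step described above; it is not the collector's own code and not part of the Carbon Black product. It assumes the sensor writes its logs under C:\ProgramData\CarbonBlack\Logs (an assumption; adjust $SourceDir for the installed sensor version), copies every file found there into a timestamped evidence folder, hashes each file before and after the copy, and writes a SHA-256 manifest so the analyst can later prove the copies match what was on the endpoint.

```powershell
# Added example (not Binalyze or Carbon Black code): collect Carbon Black log
# files from the ProgramData directory into an evidence folder with a SHA-256
# manifest. ASSUMPTION: the sensor log location is C:\ProgramData\CarbonBlack\Logs.
param(
    [string]$SourceDir   = 'C:\ProgramData\CarbonBlack\Logs',   # assumed path
    [string]$EvidenceDir = "C:\Evidence\crbnl_$(Get-Date -Format 'yyyyMMdd_HHmmss')"
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $SourceDir)) {
    Write-Warning "Carbon Black log directory not found: $SourceDir"
    return
}

New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null

# Enumerate every file under the log directory (general activity logs and AMSI
# event logs alike) so nothing is silently skipped because of its extension.
$files = Get-ChildItem -LiteralPath $SourceDir -Recurse -File

$manifest = foreach ($f in $files) {
    # Preserve the relative layout so the original structure stays visible.
    $relative = $f.FullName.Substring($SourceDir.TrimEnd('\').Length + 1)
    $dest     = Join-Path $EvidenceDir $relative
    New-Item -ItemType Directory -Path (Split-Path $dest -Parent) -Force | Out-Null

    try {
        # Hash the source first, copy, then hash the copy: a mismatch means the
        # sensor wrote to the file mid-copy or the copy was truncated.
        $srcHash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        Copy-Item -LiteralPath $f.FullName -Destination $dest
        $dstHash = (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash
        $status  = if ($srcHash -eq $dstHash) { 'OK' } else { 'HASH_MISMATCH' }
    }
    catch {
        # Files held open exclusively by the running sensor cannot be copied;
        # record the failure rather than aborting the whole acquisition.
        Write-Warning "Could not copy $($f.FullName): $($_.Exception.Message)"
        $srcHash = $null; $dstHash = $null; $status = 'COPY_FAILED'
    }

    [pscustomobject]@{
        RelativePath = $relative
        SizeBytes    = $f.Length
        LastWriteUtc = $f.LastWriteTimeUtc.ToString('o')
        SourceSHA256 = $srcHash
        CopySHA256   = $dstHash
        Status       = $status
    }
}

# The manifest travels with the evidence and is what a reviewer re-hashes against.
$manifest | Export-Csv -LiteralPath (Join-Path $EvidenceDir 'manifest.csv') -NoTypeInformation
$manifest | Format-Table RelativePath, SizeBytes, Status -AutoSize
```

Run it from an elevated PowerShell session on the endpoint; the manifest's Status column flags any file that could not be acquired intact, which is the condition to check before relying on those logs in an investigation.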

Forensic Value

Carbon Black logs are essential for EDR investigations, providing detailed process execution, network connections, file modifications, and behavioral threat detections. AMSI logs reveal script-based attacks, including PowerShell and VBScript exploits.
