Carbon Black Logs

Evidence: Carbon Black Logs
Description: Collect Carbon Black Logs
Category: Applications
Platform: Windows
Short Name: crbnl
Is Parsed: No
Sent to Investigation Hub: No
Collect File(s): Yes

Carbon Black (now VMware Carbon Black) is an enterprise EDR solution that logs endpoint activities, threat detections, behavioral analysis, and AMSI (Antimalware Scan Interface) events for comprehensive threat visibility.

This collector gathers Carbon Black log files from the ProgramData directory, including general activity logs and AMSI event logs that capture script-based threat detections.

Carbon Black logs are essential for EDR investigations, providing detailed process execution, network connections, file modifications, and behavioral threat detections. AMSI logs reveal script-based attacks including PowerShell and VBScript exploits.