Carbon Black vs. Wazuh/Sysmon


Buddha Man

Sep 21, 2021, 4:40:51 PM9/21/21
to Wazuh mailing list
Hello,

I'm doing some research and trying to determine if Sysmon/Wazuh can be replaced with Carbon Black. My initial reaction would be no, because Carbon Black uses Osquery to expose the OS internals and would not fulfill a requirement for centralized Windows log management the way Wazuh would.

Any feedback is appreciated.
B

Jose Antonio Muñoz Herrera

Nov 3, 2021, 9:28:33 AM11/3/21
to Wazuh mailing list
Indeed, Carbon Black does not seem to offer a centralized log management solution as Wazuh does. Wazuh is a HIDS solution with a focus on security data collection for its posterior treatment and analysis. Along with the collection of data, Wazuh offers an Incident Response system based on events. Aside from the features mentioned earlier, you can check all the capabilities at the following link: https://documentation.wazuh.com/current/user-manual/capabilities/index.html .

Regarding the methods to extract information from Windows systems, Wazuh makes use of Sysmon as well as Osquery to get different information about the host. You can check all the data channels and systems from which Wazuh collects Windows data:

Could you please explain what use cases you need to cover? Maybe this way I can share more valuable information with you.

I hope this helps!
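To make the reply above concrete, here is an added example of the Wazuh agent configuration that wires up the two Windows collection paths it mentions: the Sysmon event channel (plus a filtered Security channel, which is the "centralized Windows log management" piece the original question asks about) and a locally running osquery daemon. This is illustrative configuration written for this thread, not taken from either poster or copied from the Wazuh project; the osquery install and log paths are assumptions and must match the host's actual osquery installation.

```xml
<ossec_config>
  <!-- Forward Sysmon's operational channel to the Wazuh manager.
       Sysmon itself must already be installed with a config that
       enables the event types you care about (process create,
       network connect, etc.). -->
  <localfile>
    <location>Microsoft-Windows-Sysmon/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>

  <!-- Centralize the Security log as well, but only the logon
       success/failure events, to keep manager volume manageable.
       The query uses Windows XPath event filtering. -->
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID=4624 or EventID=4625]</query>
  </localfile>

  <!-- Let the agent manage osqueryd and ship its scheduled-query
       results. Paths below are assumed defaults for a standard
       Windows osquery install; adjust to the real locations. -->
  <wodle name="osquery">
    <disabled>no</disabled>
    <run_daemon>yes</run_daemon>
    <bin_path>C:\Program Files\osquery\osqueryd</bin_path>
    <log_path>C:\Program Files\osquery\log\osqueryd.results.log</log_path>
    <config_path>C:\Program Files\osquery\osquery.conf</config_path>
    <add_labels>yes</add_labels>
  </wodle>
</ossec_config>
```

The two `localfile` blocks are what gives Wazuh the log-centralization role discussed in the thread; the `osquery` wodle covers the host-internals view that the original question associates with Carbon Black. After editing the agent's `ossec.conf`, restart the Wazuh agent service and confirm on the manager that Sysmon and osquery alerts are arriving before relying on either source.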