Skip to content

Carbon Black Defense

Cyderes supports an integration for Carbon Black Defense notifications (also known as Carbon Black Cloud Endpoint Standard).

Chronicle Data Types

  • CB_EDR


Cyderes is currently using the version 3 integration services API to get notifications from Carbon Black. This requires an API key with the SIEM access level. See below for details on configuring an API key.

Creating an API Key

This is similar to adding a user to a system and setting their access level, except granting access to the application or script instead of a user.

To create an API Key:

  • Navigate to Settings > API Access > API Keys tab in the Carbon Black Cloud console
  • Select “Add API Key” on the far right
  • Give the API Key a unique name and select the SIEM access level
    • Choose a name to clearly distinguish the key from other API keys
    • Administrators can restrict use of an API key to a specific set of IP addresses for security reasons
      • If this is desired, contact Cyderes prior to creating the API key to get a list of IP addresses to use.
  • Hit save, and the following API Key Credentials will be provided:
    • API Secret Key
    • API ID (synonymous with connector ID)
  • If the API Key already exists, the credentials can be found under the Actions dropdown by selecting API Credentials. This will reveal the API Secret Key and API ID. If the system becomes compromised, a new secret key can be generated here (this is similar to changing the password for an application or script).

Enable Notifications

  • Navigate to Settings > Notifications
  • Select “Add Notifications” on the far right
  • Use the following settings:

    • When do you want to be notified? Alert crosses a threshold
    • Enable: Threat, Observed, Alert Severity=1
    • Policy = All policies
    • How do you want to be notified? API Keys
      • Select the API Key created above. It should look like CYDERES-CHRONICLE-ALERTS API KEY
  • Hit Save

Gather Information

Provide Cyderes with the following:

  • API Secret Key
  • API ID (synonymous with connector ID)
  • API Hostname (Carbon Black console URL)
  • Carbon Black Product Name (can be found in the top right of the console such as Endpoint Standard)

Additional Telemetry

There's also the option to export all of the Carbon Black telemetry into an AWS bucket that is then forwarded to Chronicle.

Click here for more information