Carbon Black Defense
Cyderes supports an integration for Carbon Black Defense notifications and alerts (also known as Carbon Black Cloud Endpoint Standard).
Chronicle Data Types
- CB_EDR
Configuration
Cyderes is currently using the version 3 integration services API to get audit logs, and the version 7 alerts API to get alerts and notification events from Carbon Black.
Configuring the version 3 integration services API requires either an API key or a SIEM key, depending on the source of the logs. See below for details on the respective configuration setup.
Configuration for the version 7 alerts API requires an API key with a custom access level and an Org Key. See Creating an Alerts API Key for more information on configuring an API and Org key.
Audit Logs
Note
Required Key Type - API
This endpoint retrieves all new audit log notifications since the last request. The response logs will include various types of notifications such as:
- Log in attempts by users
- Updates to connectors
- Creation of connectors
- LiveResponse events
To configure this log source, an API key will need to be created. This is similar to adding a user to a system and setting their access level, except granting access to the application or script instead of a user.
If using Carbon Black Cloud identity management, choose the key type “API” when creating the API Key.
If using VMware Cloud Services Platform for identity management, assign the permission ConnectorType.API to a custom role and assign that custom role to an OAuth App. Additional steps to create and manage your API keys can be found in the VMware Carbon Black Cloud docs.
Creating an Alerts API Key
Note
Required Key Type - CUSTOM
Cyderes now supports ingesting from Carbon Black using the Alerts API. The steps are similar to creating the API key above, with some added caveats:
Access Level:
Steps on how to create an access level, with appropriate permissions, for the Alerts API can be found in the Carbon Black Alerts API docs in the Authentication section.
To create an API Key:
Steps to create and manage your API keys can be found in the VMware Carbon Black Cloud docs.
Org Key:
For the Alerts API, the org key is now a required part of the request.
To find your org key, refer to the steps in the Carbon Black knowledge base.
Gather Information
Provide Cyderes with the following:
- Secret Key
- API ID (synonymous with connector ID)
- Hostname (Carbon Black console URL)
- Org Key (Only if you are using the Alerts API)
- Carbon Black Product Name (can be found in the top right of the console such as Endpoint Standard)
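A practical way to check that the Secret Key, API ID, Hostname and Org Key gathered above actually work before handing them over is to issue one request against each API the page describes: the v3 integration services audit log endpoint (API-type key, no org key) and the v7 Alerts API search endpoint (custom access level, org key in the path). The script below is an added example written for this page, not Cyderes or Carbon Black code; the endpoint paths, the "secret/api_id" X-Auth-Token format and the v7 request body follow the public Carbon Black Cloud API documentation as the author recalls it, so verify them against the current docs, and the hostname and key values are placeholders.

```python
"""Validate Carbon Black Cloud credentials against the two APIs this integration uses."""
import json
import urllib.error
import urllib.request


def _base_url(hostname: str) -> str:
    # Accept either "defense.conferdeploy.net" or "https://defense.conferdeploy.net/".
    host = hostname.strip().removeprefix("https://").removeprefix("http://").rstrip("/")
    return f"https://{host}"


def auth_headers(secret_key: str, api_id: str) -> dict:
    # Carbon Black Cloud expects the token as "<API Secret Key>/<API ID>" (API ID = connector ID).
    return {"X-Auth-Token": f"{secret_key}/{api_id}", "Content-Type": "application/json"}


def audit_log_request(hostname: str, secret_key: str, api_id: str) -> urllib.request.Request:
    # v3 integration services: needs a key of type API; the org key is not part of the path.
    url = f"{_base_url(hostname)}/integrationServices/v3/auditlogs"
    return urllib.request.Request(url, headers=auth_headers(secret_key, api_id), method="GET")


def alerts_search_request(hostname: str, secret_key: str, api_id: str, org_key: str,
                          lookback: str = "-1h", rows: int = 100) -> urllib.request.Request:
    # v7 Alerts API: needs a CUSTOM key with an alerts access level and the org key in the URL.
    if not org_key:
        raise ValueError("the Alerts API v7 request requires an org key")
    url = f"{_base_url(hostname)}/api/alerts/v7/orgs/{org_key}/alerts/_search"
    body = {"time_range": {"range": lookback}, "criteria": {}, "rows": rows, "start": 1}
    return urllib.request.Request(url, data=json.dumps(body).encode(),
                                  headers=auth_headers(secret_key, api_id), method="POST")


def check(req: urllib.request.Request, timeout: int = 15) -> dict:
    # Map the HTTP outcome onto the two misconfigurations this page warns about.
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return {"ok": True, "status": resp.status, "body": json.load(resp)}
    except urllib.error.HTTPError as err:
        hint = {401: "bad Secret Key/API ID pair",
                403: "key type or access level lacks permission for this endpoint"}
        return {"ok": False, "status": err.code, "hint": hint.get(err.code, err.reason)}


if __name__ == "__main__":  # placeholder values; replace with the ones gathered above
    HOST, SECRET, API_ID, ORG = "defense.conferdeploy.net", "SECRET", "API_ID", "ORG_KEY"
    print("audit logs:", check(audit_log_request(HOST, SECRET, API_ID)))
    print("alerts v7: ", check(alerts_search_request(HOST, SECRET, API_ID, ORG)))
```

A 403 on the Alerts API with a 200 on audit logs is the usual sign that the key was created with type API rather than CUSTOM with the alerts access level.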
Additional Telemetry
There's also the option to export all of the Carbon Black telemetry into an AWS bucket that is then forwarded to Chronicle.