Skip to content

Carbon Black Defense

Cyderes supports an integration for Carbon Black Defense notifications and alerts (also known as Carbon Black Cloud Endpoint Standard).

Chronicle Data Types

  • CB_EDR


Cyderes is currently using the version 3 integration services API to get audit logs, and the version 7 alerts API to get alerts and notification events from Carbon Black.

To configure for the version 3 integration services API this requires either an API key or SIEM key depending on the source of the logs. See below for details on the respective configuration setup.

Configuration for the version 7 alerts API requires an API key with a custom access level and an Org Key. See Creating an Alerts API Key for more information on configuring an API and Org key.

Audit Logs


Required Key Type - API

This endpoint retrieves all new audit log notifications since the last request. The response logs will include various types of notifications such as:

  • Log in attempts by users
  • Updates to connectors
  • Creation of connectors
  • LiveResponse events

To configure this log source, an API key will need to be created. This is similar to adding a user to a system and setting their access level, except granting access to the application or script instead of a user.

If using Carbon Black Cloud identity management, choose the key type “API” when creating the API Key.

If using VMware Cloud Services Platform for identity management, assign the permission ConnectorType.API to a custom role and assign that custom role to an OAuth App. Additional steps to create and manage your API keys can be found in the VMware Carbon Black Cloud docs

Creating an Alerts API Key


Required Key Type - CUSTOM

Cyderes now supports ingesting from Carbon Black using the Alerts API, the steps are similar to creating the above API key with some added caveats

Access Level:

Steps on how to create an access level, with appropriate permissions, for the Alerts API can be found in the Carbon Black Alerts API docs in the Authentication section.

To create an API Key:

Steps to create and manage your API keys can be found in the VMware Carbon Black Cloud docs

Org Key:

For the Alerts API the org key is now a required part of the request

To find your org key refer to the steps in the Carbon Black knowledge base

Gather Information

Provide Cyderes with the following:

  • Secret Key
  • API ID (synonymous with connector ID)
  • Hostname (Carbon Black console URL)
  • Org Key (Only if you are using the Alerts API)
  • Carbon Black Product Name (can be found in the top right of the console such as Endpoint Standard)

Additional Telemetry

There's also the option to export all of the Carbon Black telemetry into an AWS bucket that is then forwarded to Chronicle.

Click here for more information