VMware Carbon Black Cloud Enterprise EDR
TL;DR
To integrate VMware Carbon Black Cloud Enterprise EDR with Query:
- Configure the required API connection parameters in Carbon Black Cloud as mentioned in the 'Prerequisites' section of this document.
- Add a connection source in Query with the connection parameters.
- Go to Query Search and search alerts by user, device, or file hash.
Overview
Carbon Black Cloud Enterprise EDR is an advanced threat-hunting and incident-response solution delivered through the Carbon Black Cloud. By integrating with VMware Carbon Black EDR, you can:
- Search alerts for users' names, email addresses, devices, and file hashes.
- Get context on users and devices from Carbon Black EDR.
Prerequisites
You need the following connection parameters. They are created in the Carbon Black Cloud console (see the API documentation linked under 'Resources').
- Carbon Black Cloud Enterprise EDR URL
- Organization Key
- API Secret
- API ID
Adding a connection source in Query
- Go to the Connections page, click Add Connections, and select Carbon Black EDR.
- In the General tab, add the following details:
  - Name - Give a name to this connection source.
  - Base URL - Enter the Carbon Black Cloud Enterprise EDR URL here.
  - Org Key - Enter the Organization Key.
  - API Secret - Add the API secret.
  - API ID - Add the API ID.
- Click the Save button on the top right corner of the screen to save the connection source.
- To test the connection credentials, click 'Test Connection.' You will see a successful connection message if the credentials are valid. If the test fails, check that the connection parameters are correct, change them if necessary, and retest.
Resources
- Carbon Black Cloud API documentation is available here - https://developer.carbonblack.com/reference/carbon-black-cloud/cb-threathunter/