VMware Carbon Black Cloud Enterprise EDR

TL;DR

To integrate VMware Carbon Black Cloud Enterprise EDR with Query:

  • Create the required API connection parameters in the Carbon Black Cloud console, as described in the 'Prerequisites' section of this document.
  • Add a connection source in Query using those connection parameters.
  • Go to Query Search and search alerts by user, device, or file hash.

Overview

Carbon Black Cloud Enterprise EDR is a threat-hunting and incident-response solution delivered through the Carbon Black Cloud. By integrating Query with Carbon Black Cloud Enterprise EDR, you can:

  • Search alerts by user name, email address, device, or file hash.
  • Get context on users and devices from Carbon Black Cloud Enterprise EDR.

Prerequisites

You need the following connection parameters. The Organization Key is shown, and API keys are created, in the Carbon Black Cloud console under Settings > API Access. When creating the API key, use a Custom access level that grants only the read permissions Query needs (alerts and devices) rather than a broad built-in level, and treat the API Secret as a credential: it is shown only once at creation time and must be stored in Query, not in tickets or chat.

  • Carbon Black Cloud Enterprise EDR URL (the hostname of your Carbon Black Cloud console, with https://)
  • Organization Key
  • API Secret
  • API ID

Adding a connection source in Query

  1. Go to the Connections page, click Add Connections, and select Carbon Black EDR.
  2. In the General tab, enter the following details:
    • Name - A name for this connection source.
    • Base URL - The Carbon Black Cloud Enterprise EDR URL.
    • Org Key - The Organization Key.
    • API Secret - The API Secret.
    • API ID - The API ID.
  3. Click the Save button in the top right corner of the screen to save the connection source.
  4. To verify the credentials, click 'Test Connection'. A success message is shown if the credentials are valid. If the test fails, check that the Base URL, Org Key, API ID, and API Secret are correct and that the API key's access level permits reading alerts; correct them as needed and retest.

Resources