Skip to main content

VMware Carbon Black Cloud Enterprise EDR

vmware-carbon-black-cloud-endpoint-standard

Version: 2.1
Updated: Oct 05, 2023

VMware Carbon Black Cloud Enterprise EDR Integration Interact with watchlists, files, and processes using Carbon Black Threat Hunter.

Actions

  • Add IoC To Watchlist Report (Containment) - Add a suspicious file hash to the watchlist (and receive an alert if its ever seen again)
  • Disable Watchlist Alerts (Containment) - Turn off alerting for a noisy watchlist to reduce future alert fatigue
  • Download File (Enrichment) - Fetch a potentially malicious binary and send it to a sandbox for analysis
  • Get Binary Metadata (Enrichment) - Get more information about possible binary impersonation.
  • Get Watchlist Report Info (Enrichment) - Get details about the Watchlist
  • Ignore An IoC (Containment) - Ignore a false-positive IoC so that it does not introduce future noise
  • List Watchlists (Enrichment) - Get all available watchlists
  • Remove IoC From Watchlist Report (Containment) - Remove IoC From Watchlist

VMware Carbon Black Cloud Enterprise EDR configuration

  1. Log in to the CBC Console.
  2. Navigate to the Settings menu, and then click on API Access.
    vvmware-carbon-black-cloud-enterprise-edr
  3. From the API ACCESS page, click on Add API Key.
    vvmware-carbon-black-cloud-enterprise-edr
  4. Populate the name, Access Level type, and click the Save button.
    vvmware-carbon-black-cloud-enterprise-edr
  5. Copy the API Credentials (API ID and API Secret Key).
    vvmware-carbon-black-cloud-enterprise-edr
  6. Also you will see the ORG KEY from API Access, you need to copy it.
    vvmware-carbon-black-cloud-enterprise-edr

VMware Carbon Black Cloud Enterprise EDR in Automation Service and Cloud SOAR

  1. Access integrations in the Automation Service or Cloud SOAR.
  2. After the list of the integrations appears, search/look for the VMware Carbon Black Cloud Enterprise EDR integration and click on it. The integration details will appear. Click on the "+" button to add a new Resource.
    vvmware-carbon-black-cloud-enterprise-edr
  3. Populate all the required fields (*) and then click SAVE.
    • Label. The name of the resource.
    • API URL. URL to the API of the VMware Carbon Black Cloud Enterprise EDR instance https://defense.conferdeploy.net.
    • Organization Key. The Organization Key you copied earlier.
    • API ID. The API ID that you copied earlier.
    • API Secret Key. The API Secret Key that you copied earlier.
      vvmware-carbon-black-cloud-enterprise-edr
  4. To make sure the resource is working, hover over the resource and then click the pencil icon that appears on the right.
    vvmware-carbon-black-cloud-enterprise-edr
  5. Click TEST SAVED SETTINGS.
    vvmware-carbon-black-cloud-enterprise-edr
  6. You should receive a successful notification in the bottom right corner.
    vvmware-carbon-black-cloud-enterprise-edr

External Libraries

Change Log

  • May 11, 2022 - Refactored all actions with CBC SDK
  • June 8, 2022 - Updated Integration doc
  • October 5, 2023 (v2.1) - Updated the integration with Environmental Variables
Status
Legal
Privacy Statement
Terms of Use

Copyright © 2024 by Sumo Logic, Inc.