VMware Carbon Black Cloud Enterprise EDR
Version: 2.1
Updated: Oct 05, 2023
Interact with watchlists, files, and processes using Carbon Black Threat Hunter.
Actions
- Add IoC To Watchlist Report (Containment) - Add a suspicious file hash to the watchlist (and receive an alert if it's ever seen again)
- Disable Watchlist Alerts (Containment) - Turn off alerting for a noisy watchlist to reduce future alert fatigue
- Download File (Enrichment) - Fetch a potentially malicious binary and send it to a sandbox for analysis
- Get Binary Metadata (Enrichment) - Get more information about possible binary impersonation.
- Get Watchlist Report Info (Enrichment) - Get details about the Watchlist
- Ignore An IoC (Containment) - Ignore a false-positive IoC so that it does not introduce future noise
- List Watchlists (Enrichment) - Get all available watchlists
- Remove IoC From Watchlist Report (Containment) - Remove IoC From Watchlist
VMware Carbon Black Cloud Enterprise EDR configuration
- Log in to the CBC Console.
- Navigate to the Settings menu, and then click on API Access.
- From the API ACCESS page, click on Add API Key.
- Populate the name, Access Level type, and click the Save button.
- Copy the API Credentials (API ID and API Secret Key).
- Also copy the ORG KEY, which is shown on the API Access page.
VMware Carbon Black Cloud Enterprise EDR in Automation Service and Cloud SOAR
- Access integrations in the Automation Service or Cloud SOAR.
- After the list of integrations appears, search for the VMware Carbon Black Cloud Enterprise EDR integration and click on it. The integration details will appear. Click on the "+" button to add a new Resource.
- Populate all the required fields (*) and then click SAVE.
- Label. The name of the resource.
- API URL. URL to the API of the VMware Carbon Black Cloud Enterprise EDR instance: https://defense.conferdeploy.net
- Organization Key. The Organization Key you copied earlier.
- API ID. The API ID that you copied earlier.
- API Secret Key. The API Secret Key that you copied earlier.
- To make sure the resource is working, hover over the resource and then click the pencil icon that appears on the right.
- Click TEST SAVED SETTINGS.
- You should receive a successful notification in the bottom right corner.
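The same four resource values can be checked outside the UI. The script below is an added example, not part of the original documentation or the integration's own code: it validates the fields and builds the Carbon Black Cloud Watchlist API request that lists watchlists. The environment variable names, the validation rules, and the `results`/`name` response fields it reads are assumptions.

```python
import json
import os
import urllib.request
from urllib.parse import urlsplit

# Carbon Black Cloud Watchlist API (v3) path for "get all watchlists".
WATCHLISTS_PATH = "/threathunter/watchlistmgr/v3/orgs/{org_key}/watchlists"


def build_list_watchlists_request(api_url, org_key, api_id, api_secret_key):
    """Validate the four resource fields and return an unsent GET request."""
    parts = urlsplit(api_url.strip())
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("API URL must be an https:// URL")
    if parts.username or parts.password or parts.query or parts.path not in ("", "/"):
        raise ValueError("API URL must be the bare API host, nothing else")
    for name, value in (("Organization Key", org_key), ("API ID", api_id),
                        ("API Secret Key", api_secret_key)):
        # Assumption: keys never contain whitespace or '/', the token separator.
        if not value or "/" in value or any(c.isspace() for c in value):
            raise ValueError(f"{name} is empty or contains whitespace or '/'")
    url = f"https://{parts.netloc}{WATCHLISTS_PATH.format(org_key=org_key)}"
    # Carbon Black Cloud expects the token as "<API Secret Key>/<API ID>".
    headers = {"X-Auth-Token": f"{api_secret_key}/{api_id}",
               "Accept": "application/json"}
    return urllib.request.Request(url, headers=headers, method="GET")


def list_watchlist_names(request, timeout=10):
    """Send the request; a rejected key raises urllib.error.HTTPError (401/403)."""
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        body = json.load(resp)
    # Assumption: the response carries watchlists under "results", each with "name".
    return [w.get("name") for w in body.get("results", [])]


if __name__ == "__main__":
    # Hypothetical variable names; keep the secret out of shell history and files.
    req = build_list_watchlists_request(
        os.environ["CBC_URL"], os.environ["CBC_ORG_KEY"],
        os.environ["CBC_API_ID"], os.environ["CBC_API_SECRET_KEY"])
    print(list_watchlist_names(req))
```

A 401 or 403 here with values that pass validation points at the key's Access Level or a mismatched Organization Key, not at the SOAR resource itself.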
External Libraries
Change Log
- May 11, 2022 - Refactored all actions with CBC SDK
- June 8, 2022 - Updated Integration doc
- October 5, 2023 (v2.1) - Updated the integration with Environmental Variables