
Carbon Black Response Cloud Integration Guide

integrations endpoints vmware carbon black edr


Secureworks® Taegis™ XDR operates as an MSP partner program with Carbon Black (Cb). To integrate event forwarding with XDR, you must request that XDR become an MSP of record, which enables access to the data.

Note

XDR currently only supports netflow and process data from Carbon Black Response Cloud; asset data and the detections Carbon Black generates are not currently supported.

Note

Secureworks® Taegis™ ManagedXDR services are not available for this partner integration.

Regions

XDR’s EU1 Region can only accept data from Carbon Black’s EU regions.

Integration with Carbon Black involves the following:

Data Provided from Integration

  Alerts Auth DNS File Collection HTTP NIDS Netflow Process File Modification API Call Registry Scriptblock Management Persistence Thread Injection
VMware Carbon Black Response Cloud                          

A. XDR Domain

A domain is created for you automatically when your XDR account is created. This enables you to ingest Carbon Black data into XDR.

B. Authorize Carbon Black

Once the domain is created, Carbon Black requires authorization from you before they will allow event forwarding to the Secureworks S3 bucket XDR uses.

If You Have an Existing Cb Response Cloud Implementation

  1. Add Secureworks as a contact that is allowed to open tickets with Carbon Black on your behalf, and create a new user account for Secureworks in your cloud instance.

  2. Create a support case for Cb where you state:

“We have purchased the Secureworks AETD service for our Cb Response Cloud instance. Our instance name is <yourInstanceName>.my.carbonblack.io. Please associate our account with Secureworks so they can submit and work cases on our behalf. Also configure the Cb Event Forwarder to forward all data to the Secureworks S3 bucket. Carbon Black already has all details available in order to configure the Event Forwarder with Secureworks.”

  3. Add a new user account within Cb Response Cloud with an access level of Administrator using email address 3rdpartyvendoraccounts@secureworks.com.

Note

Be aware that access to the management interface of the cloud instance will be limited to the IPs you define in the DCF. This access limitation is a requirement for the management of this service.

  4. Notify your Secureworks representative when the steps above have been completed.

For more information, see the Managed Carbon Black Response Cloud Setup and Operations Guide.

C. Complete

Verify in your XDR client application that it is receiving Carbon Black events.

 
