Carbon Black Response Cloud Integration Guide
Secureworks® Taegis™ XDR operates as an MSP partner program with Carbon Black (Cb). To enable integration of event forwarding with Secureworks® Taegis™ XDR, you must request that Secureworks® Taegis™ XDR become a MSP of record to enable access to their data.
Secureworks® Taegis™ XDR currently only supports netflow and process data from Carbon Black Response Cloud; asset data and the detections Carbon Black generates are not currently supported.
Taegis™ ManagedXDR services are not available for this partner integration.
Taegis™ XDR’s EU1 Region can only accept data from Carbon Black’s EU regions.
Integration with Carbon Black involves the following:
Data Provided from Integration ⫘
|VMware Carbon Black Response Cloud
A. Secureworks® Taegis™ XDR Domain ⫘
A domain is created for you automatically when your Secureworks® Taegis™ XDR account is created. This enables you to ingest Carbon Black data into Secureworks® Taegis™ XDR.
B. Authorize Carbon Black ⫘
Once the domain is created, Carbon Black requires authorization from you before they will allow event forwarding to the Secureworks S3 bucket Secureworks® Taegis™ XDR uses.
If You Have an Existing Cb Response Cloud Implementation ⫘
Add Secureworks as a contact that is allowed to open tickets with Carbon Black on your behalf, and create a new user account for Secureworks in your cloud instance.
Create a support case for Cb where you state:
“We have purchased the Secureworks AETD service for our Cb Response Cloud instance. Our instance name is <
yourInstanceName>.my.carbonblack.io. Please associate our account with Secureworks so they can submit and work cases on our behalf. Also configure the Cb Event Forwarder to forward all data to the Secureworks S3 bucket. Carbon Black already has all details available in order to configure the Event Forwarder with Secureworks.”
- Add a new user account within Cb Response Cloud with an access level of Administrator using email address
Beware that access to the management interface of the cloud instance will be limited to the IPs you define in the DCF. This access limitation is a requirement for the management of this service.
- Notify your Secureworks representative when the steps above have been completed.
For more information, see the Managed Carbon Black Response Cloud Setup and Operations Guide
C. Complete ⫘
Verify in your Secureworks® Taegis™ XDR client application that it is receiving Carbon Black events.