VMware Carbon Black Cloud Endpoint Standard and Enterprise EDR Integration Guide
The following applies to:
- VMware Carbon Black Cloud Endpoint Standard
- VMware Carbon Black Cloud Enterprise EDR
In order to integrate your VMware Carbon Black Cloud subscription you must configure a Secureworks user account in the Carbon Black domain. The details of this account are captured in the Integration page and allow for integration of Enterprise EDR events into Secureworks® Taegis™ XDR.
Regions
XDR’s EU1 Region can only accept data from Carbon Black’s EU regions.
To integrate XDR with VMware Carbon Black Cloud, you need four pieces of information from the Carbon Black Enterprise EDR Dashboard:
- The Environment to select,
- The Org Key for your VMware Carbon Black Cloud account,
- The API ID, and
- The API Secret Key, which you create in the Carbon Black Dashboard when creating the Secureworks user account.
Data Provided from Integration
Alerts | Auth | DNS | File Collection | HTTP | NIDS | Netflow | Process | File Modification | API Call | Registry | Scriptblock | Management | Persistence | Thread Injection | |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
VMware Carbon Black Cloud Endpoint™ Standard | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||||||
VMware Carbon Black Cloud Enterprise EDR | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
The Environment
To figure out which environment to select when configuring Carbon Black Cloud:
- Log in to your Carbon Black Dashboard as a user that has the Super Admin role. Note the first part of the URL:
Carbon Black Cloud Dashboard URL
- Match that URL with the environments listed in the following table:
Carbon Black Dashboard URL | XDR Environment for Carbon Black |
---|---|
https://defense-prod05.conferdeploy.net/ | prod05 |
https://dashboard.confer.net/ | prod01 |
https://defense.conferdeploy.net/ | prod02 |
So, for example, if your URL starts with https://defense-prod05.conferdeploy.net/, then you should select prod05 as your environment.
The Org Key
To find the Org Key from your Carbon Black Dashboard:
- In the Carbon Black Dashboard, navigate to Settings→API Access and securely copy the ORG KEY from the API Keys tab.
Carbon Black Settings→API Access
The API ID and API Secret Key
- Navigate to the Access Levels tab and select the + Add Access Level button.
Carbon Black Add Access Level
- Configure the following settings:
- Name: Secureworks API Access.
- Description: Secureworks Access Levels needed for TDR Integration.
- Device, Quarantine: Select Execute.
- Device, General Information: Select Read.
- Data Forwarder, Settings: Select Create, Read, Update, Delete.
- Select the Save button when complete.
Carbon Black Access Level Permissions
- Navigate back to the API Keys tab and select the + Add API Key button.
Carbon Black Add API Key
- Configure the following settings:
- Name: Secureworks API Integration Access
- Access Level type: Custom
- Custom Access Level: Secureworks API Access
- Select the Save button when complete.
API Key Creation
- From the same API Keys tab, view and record (securely) the API ID and API Secret Key using the dropdown menu on the right under Actions.
Note
Protect this information as you would a password.
API Credentials
- Now that you have recorded the API ID and API Secret Key, complete the integration in XDR by Adding a Carbon Black Cloud Collector.
Tip
A successful integration is indicated on the XDR → Manage → Integrations page with a green checkmark next to the Carbon Black entry.
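
A pre-flight check for the values gathered above, as an added example that is not part of the Carbon Black or Secureworks tooling: it resolves the XDR environment from the dashboard URL by exact hostname match and compares a custom access level against the permissions this guide asks for, reporting anything missing or in excess of least privilege. The dictionary layout, function names and the sample access level are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Dashboard host -> XDR environment, taken from the table in this guide.
ENVIRONMENTS = {
    "defense-prod05.conferdeploy.net": "prod05",
    "dashboard.confer.net": "prod01",
    "defense.conferdeploy.net": "prod02",
}

# Permissions this guide asks for on the "Secureworks API Access" level.
REQUIRED = {
    ("Device", "Quarantine"): {"Execute"},
    ("Device", "General Information"): {"Read"},
    ("Data Forwarder", "Settings"): {"Create", "Read", "Update", "Delete"},
}

def xdr_environment(dashboard_url):
    """Return the XDR environment for a dashboard URL, or raise ValueError."""
    parts = urlsplit(dashboard_url.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        raise ValueError("dashboard URL must use https")
    # Exact host match only: a prefix or substring test would accept
    # lookalike hosts that merely contain a valid dashboard name.
    if host not in ENVIRONMENTS:
        raise ValueError(f"unrecognised dashboard host: {host!r}")
    return ENVIRONMENTS[host]

def audit_access_level(granted):
    """Compare granted permissions with REQUIRED; return (missing, excess)."""
    missing, excess = {}, {}
    for key in set(REQUIRED) | set(granted):
        want = REQUIRED.get(key, set())
        have = set(granted.get(key, ()))
        if want - have:
            missing[key] = want - have
        if have - want:
            excess[key] = have - want
    return missing, excess

# Constructed sample: one required operation missing, one unneeded grant.
# ("Hypothetical", "Other Permission") is a placeholder, not a real category.
SAMPLE = {
    ("Device", "Quarantine"): {"Execute"},
    ("Device", "General Information"): {"Read"},
    ("Data Forwarder", "Settings"): {"Create", "Read", "Update"},
    ("Hypothetical", "Other Permission"): {"Execute"},
}
```

An empty `missing` and an empty `excess` mean the access level matches the guide exactly; anything in `excess` is a grant the integration does not need.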