Overview

VMware Carbon Black Cloud Event Forwarder is a cloud-native endpoint, workload, and container protection platform that combines the intelligent system hardening and behavioral prevention needed to keep emerging threats at bay, using a single, easy-to-use console. By analyzing more than 1 trillion security events per day, VMware CBC proactively uncovers attackers’ behavior patterns and empowers defenders to detect and stop emerging attacks. 

This Devo collector helps to extend CBC's rich analytics and response actions to the rest of our customers' security stack.

...

native endpoint security software that is designed to detect malicious behavior and help prevent malicious files from attacking an organization. It allows you to send data about alerts and events to an AWS S3 bucket where it can be reconfigured into other applications.

Devo collector features

Feature                               | Details
Allow parallel downloading (multipod) | Allowed
Running environments                  | Collector server, On-premise
Populated Devo events                 | Table
Flattening preprocessing              | No

...

Data source | Collector service | Optional | Flattening details
Source      | Service           | No       | Flattening steps

Vendor setup

There are some steps you need to follow in order to set up this collector:

  1. Log in with your credentials to the Carbon Black console.

  2. Note your Org Key on the top-left of the console.

  3. Go to Settings → API Access.

  4. Select the Access Level tab.

  5. Click on Add Access Level on the top-right.

  6. Give it a unique name and a description.

  7. Scroll down in the table below and look for the Event forwarding category. Mark the columns as shown in the image below and click Save.

  8. Select the API Keys tab.

  9. Click on Add API Key.

  10. Give it a unique name and the appropriate access levels. Select Custom so you can choose the Access Level you created before. Note: choose a name that clearly distinguishes this API key from your other API keys. You can also add Authorized IP addresses and a description to differentiate it from other API keys.

  11. Click Save and your credentials will be displayed.

  12. You can view your credentials by opening the Actions drop-down and selecting API Credentials.

  13. Create your forwarder using the following API. A successful creation will add a healthcheck.json file to your event folder in your S3 bucket.

  14. Update your config.yaml with the appropriate values, including the AWS region and SQS queue_name.
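As an added example (not part of the Devo documentation or of the collector's own code), the following Python check confirms the pipeline after step 14: it looks for the healthcheck.json the forwarder writes under the event prefix, then reads pending messages from the SQS queue without consuming them and extracts the S3 object keys they announce. It assumes the queue receives standard S3 event notifications for the bucket (the usual wiring behind the queue_name setting, which the steps above do not spell out), that boto3 credentials are available, and that the bucket, prefix and queue names are placeholders you replace.

```python
import json
from typing import List, Optional, Tuple
from urllib.parse import unquote_plus

HEALTHCHECK = "healthcheck.json"  # written by CBC once the forwarder is created


def find_healthcheck(s3, bucket: str, prefix: str) -> Optional[str]:
    """Return the key of healthcheck.json under prefix, or None if absent.
    `s3` is a boto3 S3 client, or any object exposing list_objects_v2()."""
    prefix = prefix.strip("/") + "/" if prefix.strip("/") else ""
    resp = s3.list_objects_v2(Bucket=bucket, Prefix=prefix)
    for obj in resp.get("Contents", []):
        if obj["Key"].rsplit("/", 1)[-1] == HEALTHCHECK:
            return obj["Key"]
    return None


def keys_from_notification(body: str) -> List[Tuple[str, str]]:
    """Parse one SQS message body holding an S3 event notification and return
    (bucket, key) pairs. Object keys arrive URL-encoded, so decode them here.
    The s3:TestEvent that S3 sends when the notification is first configured
    carries no Records and yields an empty list instead of raising."""
    event = json.loads(body)
    pairs = []
    for rec in event.get("Records", []):
        if rec.get("eventSource") != "aws:s3":
            continue  # ignore anything that is not an S3 record
        part = rec["s3"]
        pairs.append((part["bucket"]["name"], unquote_plus(part["object"]["key"])))
    return pairs


def peek_queue(sqs, queue_url: str, wait_seconds: int = 5) -> List[Tuple[str, str]]:
    """Read up to 10 pending messages WITHOUT deleting them: VisibilityTimeout=0
    returns them to the queue at once, so the Devo collector still receives them."""
    resp = sqs.receive_message(QueueUrl=queue_url, MaxNumberOfMessages=10,
                               WaitTimeSeconds=wait_seconds, VisibilityTimeout=0)
    found = []
    for msg in resp.get("Messages", []):
        found.extend(keys_from_notification(msg["Body"]))
    return found


if __name__ == "__main__":  # placeholder names: replace with your own
    import boto3
    s3, sqs = boto3.client("s3"), boto3.client("sqs")
    print("healthcheck:", find_healthcheck(s3, "YOUR-BUCKET", "YOUR-EVENT-PREFIX"))
    url = sqs.get_queue_url(QueueName="YOUR-QUEUE-NAME")["QueueUrl"]
    print("pending objects:", peek_queue(sqs, url))
```

An empty pending list is normal when the collector is already draining the queue; a missing healthcheck.json is the signal that the forwarder in step 13 was not created successfully.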

Minimum configuration required for basic pulling

...