VMware Carbon Black Cloud collector
Service description
VMware Carbon Black is a cloud-native endpoint, workload, and container protection platform that combines the intelligent system hardening and behavioral prevention needed to keep emerging threats at bay, using a single, easy-to-use console. By analyzing more than 1 trillion security events per day, VMware CBC proactively uncovers attackers’ behavior patterns and empowers defenders to detect and stop emerging attacks.
This Devo collector helps to extend CBC's rich analytics and response actions to the rest of our customers' security stack.
Data source description
Data source | Table | Collector service | Remote endpoint | Description |
---|---|---|---|---|
Alerts |
|
| https://defense.conferdeploy.net/appservices/v6/orgs/{org_key}/alerts/_search | Alerts Data Source indicates suspicious behavior and known threats in your environment. |
Audit Logs |
|
| https://defense.conferdeploy.net/integrationServices/v3/auditlogs | Audit Logs returns audit events in a system, such as when a user signs-in or updates a policy |
Live Query |
|
| https://defense.conferdeploy.net//livequery/v1/orgs/{org_key}/runs/ | Live Query allows users to send custom OSquery based SQL queries to get specific performance and security data |
Vendor setup
In order to configure the Devo - VMware Carbon Black Cloud collector, you need to create API credentials that will be used to authenticate API requests.
Required setup actions by collector services | event_alerts | event_audit_logs | event_live_query |
---|---|---|---|
Open your API Access console | |||
Create a new |
|
| |
Create a new |
|
Open your API Access console
VMware Carbon Black API Access console allows you to create, remove and edit your API credentials.
Create a new audit_token
This token is required to run the event_audit_logs
service and retrieve the Audit Logs data source.
Create a new generic_token
This token is required to run the event_alert
service and retrieve the Alert data source.
Run the collector
API limitations
Rate limiting is currently not enforced. However, excessive usage is monitored. Excessive usage can result in temporary enforcement of rate-limiting.
Change log for 1.x.x
Release | Released on | Release type | Details | Recommendations |
---|---|---|---|---|
| Aug 5, 2022 | FEATURE | New features:
|
|