
VMware Carbon Black Cloud collector

Service description

VMware Carbon Black Cloud (CBC) is a cloud-native endpoint, workload and container protection platform that combines system hardening with behavioral prevention, managed from a single console. By analyzing more than 1 trillion security events per day, CBC uncovers attacker behavior patterns and gives defenders the context to detect and stop emerging attacks.

This Devo collector extends CBC's analytics and response actions to the rest of a customer's security stack by pulling CBC data into Devo tables.

Data source description

Data source: Alerts
Table: endpoint.vmware.cbc_api.alerts
Collector service: event_alerts
Remote endpoint: https://defense.conferdeploy.net/appservices/v6/orgs/{org_key}/alerts/_search
Description: The Alerts data source reports suspicious behavior and known threats in your environment.

Data source: Audit Logs
Table: endpoint.vmware.cbc_defender.audit_logs
Collector service: event_audit_logs
Remote endpoint: https://defense.conferdeploy.net/integrationServices/v3/auditlogs
Description: The Audit Logs data source returns audit events recorded by the system, such as a user signing in or updating a policy.

Data source: Live Query
Table: endpoint.vmware.cbc_liveops.live_query
Collector service: event_live_query
Remote endpoint: https://defense.conferdeploy.net/livequery/v1/orgs/{org_key}/runs/
Description: Live Query lets users send custom osquery-based SQL queries to retrieve specific performance and security data from endpoints.

Vendor setup

To configure the Devo - VMware Carbon Black Cloud collector, you need to create API credentials in CBC; the collector uses them to authenticate its API requests. Treat the generated secret keys as sensitive: they grant the same access as the role attached to them.

Required setup actions by collector services

Open your API Access console (prerequisite for every service: event_alerts, event_audit_logs, event_live_query)

The VMware Carbon Black API Access console allows you to create, remove and edit your API credentials.

Create a new audit_token (required by event_audit_logs)

This token is required to run the event_audit_logs service and retrieve the Audit Logs data source.

Create a new generic_token (required by event_alerts)

This token is required to run the event_alerts service and retrieve the Alerts data source.

Run the collector

API limitations

VMware does not currently enforce rate limiting on these endpoints, but excessive usage is monitored and can result in rate limiting being enforced temporarily. Keep polling intervals reasonable and make the collector tolerate an HTTP 429 response rather than failing.
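The following Python sketch is an added example, not Devo's collector code or VMware's SDK. It shows how a poller for the Alerts endpoint listed in the data source table would use the API credentials created in the vendor setup and back off when the API answers with HTTP 429. The X-Auth-Token format (secret key, a slash, then the API ID), the _search request body fields (criteria, rows, start, sort) and the response shape (num_found, results) are assumptions about the CBC API and must be checked against the vendor documentation; FakeCbc is a constructed stand-in transport with sample alerts so the script runs offline.

```python
"""Poller for the CBC Alerts _search endpoint with backoff on HTTP 429.

Added example; not Devo's collector code or VMware's SDK. Assumptions
(not stated on the page):
  - CBC authenticates with the header X-Auth-Token: "<api_secret_key>/<api_id>"
  - the _search body carries "criteria", "rows", "start" (1-based) and "sort",
    and the response carries "num_found" and "results"
The HTTP transport is injected so the script runs offline against FakeCbc.
"""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List

ALERTS_URL = "https://defense.conferdeploy.net/appservices/v6/orgs/{org_key}/alerts/_search"


@dataclass
class Response:
    status: int
    body: Dict
    headers: Dict[str, str] = field(default_factory=dict)


# A transport takes (method, url, headers, json_body) and returns a Response.
Transport = Callable[[str, str, Dict[str, str], Dict], Response]


def auth_headers(api_id: str, api_secret: str) -> Dict[str, str]:
    """Assumed CBC token format: secret key, slash, API ID."""
    return {"X-Auth-Token": f"{api_secret}/{api_id}",
            "Content-Type": "application/json"}


def send_with_backoff(transport: Transport, url: str, headers: Dict[str, str],
                      body: Dict, max_retries: int = 5,
                      sleep: Callable[[float], None] = time.sleep) -> Response:
    """POST once; on 429 honour Retry-After if present, else double the delay."""
    delay = 1.0
    for attempt in range(max_retries + 1):
        resp = transport("POST", url, headers, body)
        if resp.status == 429 and attempt < max_retries:
            retry_after = resp.headers.get("Retry-After")
            sleep(float(retry_after) if retry_after else delay)
            delay = min(delay * 2, 60.0)
            continue
        if resp.status != 200:
            raise RuntimeError(f"CBC API returned HTTP {resp.status}")
        return resp
    raise RuntimeError("retries exhausted")  # defensive; the loop raises before this


def fetch_alerts(transport: Transport, org_key: str, api_id: str, api_secret: str,
                 since: str, until: str, rows: int = 100,
                 sleep: Callable[[float], None] = time.sleep) -> List[Dict]:
    """Page through every alert created in [since, until), oldest first."""
    url = ALERTS_URL.format(org_key=org_key)
    headers = auth_headers(api_id, api_secret)
    results: List[Dict] = []
    start = 1  # CBC search offsets are 1-based (assumption)
    while True:
        body = {
            "criteria": {"create_time": {"start": since, "end": until}},
            "rows": rows,
            "start": start,
            "sort": [{"field": "create_time", "order": "ASC"}],
        }
        page = send_with_backoff(transport, url, headers, body, sleep=sleep).body
        batch = page.get("results", [])
        results.extend(batch)
        if not batch or start + len(batch) > page.get("num_found", 0):
            return results
        start += len(batch)


class FakeCbc:
    """Constructed stand-in for the endpoint: sample alerts, not real data."""

    def __init__(self, num_alerts: int, throttle_first: bool = False):
        self.alerts = [{"id": f"alert-{i}", "severity": 5 + i,
                        "create_time": f"2022-08-01T00:00:{i:02d}.000Z"}
                       for i in range(num_alerts)]
        self.throttle_first = throttle_first
        self.calls = 0

    def __call__(self, method: str, url: str, headers: Dict[str, str], body: Dict) -> Response:
        self.calls += 1
        if "X-Auth-Token" not in headers:
            return Response(401, {})
        if self.throttle_first and self.calls == 1:
            return Response(429, {}, {"Retry-After": "0"})
        first = body["start"] - 1
        return Response(200, {"num_found": len(self.alerts),
                              "results": self.alerts[first:first + body["rows"]]})


if __name__ == "__main__":
    fake = FakeCbc(num_alerts=5, throttle_first=True)
    waits: List[float] = []
    alerts = fetch_alerts(fake, "ABCD1234", "example-id", "example-secret",
                          "2022-08-01T00:00:00.000Z", "2022-08-02T00:00:00.000Z",
                          rows=2, sleep=waits.append)
    print(f"{len(alerts)} alerts over {fake.calls} requests, backed off {len(waits)} time(s)")
```

The since/until window is the state a real collector would persist between runs so that a restart neither replays nor skips alerts; the injected sleep lets a test observe the backoff without waiting.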

Change log for 1.x.x

Release: v1.2.0
Released on: Aug 5, 2022
Release type: FEATURE
Details:
New features:
  • CBC Live Queries. An advanced user can define a custom query for pulling the performance and security data that osquery makes available. The query is expressed in the SQL dialect supported by osquery.
Recommendations: Recommended version