VMware Carbon Black Cloud collector
Service description
VMware Carbon Black is a cloud-native endpoint, workload, and container protection platform that combines the intelligent system hardening and behavioral prevention needed to keep emerging threats at bay, using a single, easy-to-use console. By analyzing more than 1 trillion security events per day, VMware CBC proactively uncovers attackers’ behavior patterns and empowers defenders to detect and stop emerging attacks.
This Devo collector helps to extend CBC's rich analytics and response actions to the rest of our customers' security stack.
Data source description
Data source | Table | Collector service | Remote endpoint | Description |
---|---|---|---|---|
Alerts | | event_alerts | | Alerts Data Source indicates suspicious behavior and known threats in your environment. |
Audit Logs | | event_audit_logs | | Audit Logs returns audit events in a system, such as when a user signs in or updates a policy. |
Vendor setup
In order to configure the Devo - VMware Carbon Black Cloud collector, you need to create API credentials that will be used to authenticate API requests.
Required setup actions by collector services | event_alerts | event_audit_logs |
---|---|---|
Open your API Access console | ✔ | ✔ |
Create a new audit_token | | ✔ |
Create a new generic_token | ✔ | |
Open your API Access console
VMware Carbon Black API Access console allows you to create, remove and edit your API credentials.
Log in to your Carbon Black Cloud console.
Now navigate to Settings → API Access.
Note down your Org Key, which is displayed at the top left of the console.
Create a new audit_token
This token is required to run the event_audit_logs service and retrieve the Audit Logs data source.
On the top right, click Add API Key to open the creation screen.
Fill out the Add API Key creation form:
Name - Type in a unique name for your API key.
Description - Enter an optional detailed description of the purpose of the credentials.
Access level type - Select API
Authorized IP address - Enter an optional list of authorized IP addresses that this API key can use.
Click Save. You will be prompted with a window displaying your API credentials (API ID and API Secret Key). Note them down.
Finally, generate the final token by combining your API ID and API Secret Key, as in the following example:
API ID → ABCDEFGHIJKLMNOPQ
API Secret Key → 012345
The final audit token would be → ABCDEFGHIJKLMNOPQ/012345
Create a new generic_token
This token is required to run the event_alert service and retrieve the Alert data source.
Generic tokens require an associated Access Level. On the top left, click the Access Levels tab.
On the top right, click on Add Access Level to open the creation screen.
Fill out the Add Access Level creation form:
Name - Type in a unique name for your API key.
Description - Type in a detailed description of the purpose of the credentials.
Required permissions - Add the following permission levels to enable the event_alert service:
org.retention → Read
org.alerts.notes → Read
org.alerts → Read
device → Read
Click Save.
Now, go to the API Keys tab and click Add API Key at the top right area.
Fill out the Add API Key creation form:
Name - Type in a unique name for your API key.
Description - Enter an optional detailed description of the purpose of the credentials.
Access level type - Select Custom, and you'll be prompted to select a Custom Access Level. Select the Access Level role that you created in step 3.
Authorized IP address - Enter an optional list of authorized IP addresses that this API key can use.
Click Save. You will be prompted with a window displaying your API credentials (API ID and API Secret Key). Note them down.
Finally, generate the final token by combining your API ID and API Secret Key, as in the following example:
API ID → 012345
API Secret Key → ABCDEFGHIJKLMNOPQ
The final token would be → ABCDEFGHIJKLMNOPQ/012345
Run the collector
API limitations
Rate limiting is currently not enforced. However, excessive usage is monitored. Excessive usage can result in temporary enforcement of rate-limiting.
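An added example (not Devo's collector code) of how a client would send a token built in the steps above and back off when the temporary rate limiting described here kicks in. The X-Auth-Token header name, the alerts search path and the use of Retry-After are assumptions drawn from the Carbon Black Cloud API, not from this page; the HTTP sender is injected so the code runs offline.

```python
import time
from typing import Callable, Dict, Tuple

# Assumptions not stated on this page: the combined token travels in the
# X-Auth-Token header, and alerts are queried at the v7 search endpoint.
ALERTS_SEARCH_PATH = "/api/alerts/v7/orgs/{org_key}/alerts/_search"

# (status code, response headers, decoded JSON body)
Response = Tuple[int, Dict[str, str], dict]
Sender = Callable[[str, Dict[str, str], dict], Response]


def validate_token(token: str) -> bool:
    """A token from the setup steps is two non-empty parts joined by '/'."""
    parts = token.split("/")
    return len(parts) == 2 and all(parts)


def auth_headers(token: str) -> Dict[str, str]:
    """Build request headers; reject tokens that were not combined as documented."""
    if not validate_token(token):
        raise ValueError("token must look like <part>/<part>, see the vendor setup steps")
    return {"X-Auth-Token": token, "Content-Type": "application/json"}


def fetch_alerts(send: Sender, base_url: str, org_key: str, token: str,
                 body: dict, max_attempts: int = 4, sleep=time.sleep) -> dict:
    """POST the search body; on HTTP 429 wait (Retry-After if present, else
    exponential backoff) and retry, giving up after max_attempts."""
    url = base_url.rstrip("/") + ALERTS_SEARCH_PATH.format(org_key=org_key)
    headers = auth_headers(token)
    delay = 1.0
    for attempt in range(1, max_attempts + 1):
        status, resp_headers, payload = send(url, headers, body)
        if status == 429:
            if attempt == max_attempts:
                raise RuntimeError("rate limited on every attempt; reduce polling frequency")
            sleep(float(resp_headers.get("Retry-After", delay)))
            delay *= 2
            continue
        if status != 200:
            raise RuntimeError(f"unexpected status {status} from {url}")
        return payload
    raise RuntimeError("unreachable")
```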