
VMware Carbon Black Cloud collector

Service description

VMware Carbon Black develops cloud-native endpoint security software designed to detect malicious behavior and to help prevent malicious files from attacking an organization.

Data source description

Data source: Alerts
Table: endpoint.vmware.cbc_api.alerts
Collector service: event_alerts
Remote endpoint: https://defense.conferdeploy.net/appservices/v6/orgs/{org_key}/alerts/_search
Description: The Alerts data source indicates suspicious behavior and known threats in your environment.

Data source: Audit Logs
Table: endpoint.vmware.cbc_defender.audit_logs
Collector service: event_audit_logs
Remote endpoint: https://defense.conferdeploy.net/integrationServices/v3/auditlogs
Description: Audit Logs returns audit events in the system, such as when a user signs in or updates a policy.

Setup

To configure the Devo - VMware Carbon Black Cloud collector, you need to create API credentials that will be used to authenticate API requests.

  1. Log in to your Carbon Black Cloud console and note down your Org Key, which is displayed at the top left of the console.

  2. Now navigate to Settings → API Access.

  3. Select the Access Levels tab.

  4. Click Add Access Level at the top right of the window.

  5. Give the access level a unique Name (you will need this to create your API key) and a Description.

  6. In the table below, scroll down until you see the Category you want. Some categories have multiple permissions that can be configured. Click Save when you're done.

  7. Now select the API Keys tab and click Add API Key.

  8. Give the API key a unique Name, and select the appropriate access level provided in the table above. If you select Custom, you will need to choose the access level you created in the prior section.
    • Choose a Name to clearly distinguish the API from your organization’s other API keys. Example: Event_Forwarder_Test_Key

    • You can also add Authorized IP addresses and a Description to differentiate among your APIs. Administrators can restrict the use of an API key to a specific set of IP addresses for security reasons.

  9. Hit Save, and you will be provided with your API key credentials (API ID and API Secret Key).

  10. If your API key already exists, you can view your credentials by opening the Actions dropdown and selecting API Credentials.
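The steps above end with an Org Key, an API ID and an API Secret Key. The following Python sketch is an added example, not Devo's collector code: it shows how those three values become authenticated requests against the two endpoints listed in the data source section, and how the responses are flattened into records. The X-Auth-Token header format ("<API Secret Key>/<API ID>"), the alerts search body (criteria and sort fields) and the "results" / "notifications" response keys follow the public Carbon Black Cloud API documentation as I know it and are assumptions here; the CBC_* environment variable names and the sample responses are constructed for the example.

```python
"""Polling sketch for the two Carbon Black Cloud endpoints listed above (added example)."""
import json
import os
import time
import urllib.error
import urllib.request
from typing import Optional

BASE_URL = "https://defense.conferdeploy.net"


def auth_headers(api_id: str, api_secret: str) -> dict:
    """Build the auth header from the API ID and API Secret Key created in
    step 9. Assumption: Carbon Black Cloud expects X-Auth-Token: <secret>/<id>."""
    return {"X-Auth-Token": f"{api_secret}/{api_id}",
            "Content-Type": "application/json"}


def alerts_search_body(start_iso: str, end_iso: str, rows: int = 100) -> dict:
    """Body for POST /appservices/v6/orgs/{org_key}/alerts/_search: alerts
    created in [start, end], oldest first, so a poller can page forward.
    Assumption: criteria/sort field names as in the public v6 alerts API."""
    return {
        "criteria": {"create_time": {"start": start_iso, "end": end_iso}},
        "sort": [{"field": "create_time", "order": "ASC"}],
        "rows": rows,
        "start": 1,
    }


def fetch(url: str, headers: dict, body: Optional[dict] = None,
          retries: int = 3) -> dict:
    """GET when body is None, otherwise POST JSON. Rate limiting is not
    normally enforced but can be turned on temporarily, so back off on 429."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers,
                                 method="POST" if data else "GET")
    for attempt in range(retries):
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                return json.load(resp)
        except urllib.error.HTTPError as err:
            if err.code == 429 and attempt < retries - 1:
                time.sleep(2 ** attempt)  # exponential backoff, then retry
                continue
            raise
    raise RuntimeError("retries exhausted")


def normalize_alerts(response: dict) -> list:
    """Flatten a v6 alerts search response (records under "results")."""
    return [{"id": a.get("id"), "created": a.get("create_time"),
             "severity": a.get("severity"), "device": a.get("device_name"),
             "reason": a.get("reason")}
            for a in response.get("results", [])]


def normalize_audit_logs(response: dict) -> list:
    """Flatten an audit log response (events under "notifications")."""
    return [{"time": n.get("eventTime"), "user": n.get("loginName"),
             "description": n.get("description"),
             "client_ip": n.get("clientIp"), "flagged": n.get("flagged", False)}
            for n in response.get("notifications", [])]


# Constructed sample responses so the parsing can be exercised offline.
SAMPLE_ALERTS = {"num_found": 1, "results": [
    {"id": "alert-0001", "create_time": "2023-01-01T00:00:00.000Z",
     "severity": 7, "device_name": "WS-EXAMPLE-01",
     "reason": "A known virus was detected running."}]}
SAMPLE_AUDIT = {"success": True, "message": "Success", "notifications": [
    {"eventTime": 1672531200000, "loginName": "admin@example.com",
     "description": "Logged in successfully", "clientIp": "203.0.113.10",
     "flagged": False}]}


if __name__ == "__main__":
    # Hypothetical variable names; any secret store works the same way.
    org_key = os.environ.get("CBC_ORG_KEY")
    api_id = os.environ.get("CBC_API_ID")
    api_secret = os.environ.get("CBC_API_SECRET")
    if org_key and api_id and api_secret:
        headers = auth_headers(api_id, api_secret)
        alerts = fetch(f"{BASE_URL}/appservices/v6/orgs/{org_key}/alerts/_search",
                       headers, alerts_search_body("2023-01-01T00:00:00.000Z",
                                                   "2023-01-02T00:00:00.000Z"))
        audit = fetch(f"{BASE_URL}/integrationServices/v3/auditlogs", headers)
    else:
        alerts, audit = SAMPLE_ALERTS, SAMPLE_AUDIT  # no credentials: use samples
    for rec in normalize_alerts(alerts) + normalize_audit_logs(audit):
        print(json.dumps(rec))
```

The secret is only ever combined into the header at request time, so the poller needs read access to the two credential values and nothing else; if you restrict the API key to Authorized IP addresses in step 8, the allow-list must include the host that runs this poller, otherwise every request is rejected.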

Run the collector

API limitations

Rate limiting is currently not enforced; however, excessive usage is monitored and can result in temporary enforcement of rate limiting.