
VMware Carbon Black Cloud collector

Overview

VMware Carbon Black is a cloud-native endpoint, workload, and container protection platform that combines the intelligent system hardening and behavioral prevention needed to keep emerging threats at bay, using a single, easy-to-use console. By analyzing more than 1 trillion security events per day, VMware CBC proactively uncovers attackers’ behavior patterns and empowers defenders to detect and stop emerging attacks. 

This Devo collector helps to extend CBC's rich analytics and response actions to the rest of our customers' security stack.

Data source description

Data source: Alerts
Table: endpoint.vmware.cbc_api.alerts
Collector service: event_alerts
Remote endpoint: https://defense.conferdeploy.net/api/alerts/v7/orgs/{org_key}/alerts/_search
Description: The Alerts data source reports suspicious behavior and known threats in your environment.

Data source: Audit Logs
Table: endpoint.vmware.cbc_defender.audit_logs
Collector service: event_audit_logs
Remote endpoint: https://defense.conferdeploy.net/integrationServices/v3/auditlogs
Description: The Audit Logs data source returns audit events in the system, such as when a user signs in or updates a policy.

Data source: Live Query
Table: endpoint.vmware.cbc_liveops.live_query
Collector service: event_live_query
Remote endpoint: https://defense.conferdeploy.net/livequery/v1/orgs/{org_key}/runs/
Description: Live Query lets users send custom osquery-based SQL queries to retrieve specific performance and security data.
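As an added illustration of the kind of osquery SQL a Live Query run can carry (an example written for this page, not a query shipped with the collector or taken from VMware's documentation), the following lists every process holding a listening TCP socket together with the executable and command line behind it, which is the usual first check when reviewing unexpected network listeners on an endpoint. It assumes the standard osquery listening_ports and processes tables.

```sql
-- Added example (not from the page or the collector): processes that hold a
-- listening TCP socket, joined to their executable so unexpected listeners
-- can be reviewed with their command line and owning uid.
-- Assumes the standard osquery tables 'listening_ports' and 'processes'.
-- protocol 6 = TCP; an address of 0.0.0.0 or :: means bound on all interfaces.
SELECT
  lp.pid,
  lp.port,
  lp.address,
  p.name,
  p.path,
  p.cmdline,
  p.uid
FROM listening_ports AS lp
JOIN processes AS p ON p.pid = lp.pid
WHERE lp.protocol = 6
  AND lp.port != 0
ORDER BY lp.port, lp.pid;
```

The result set is what the event_live_query service would retrieve for that run and store in endpoint.vmware.cbc_liveops.live_query.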

Vendor setup

In order to configure the Devo - VMware Carbon Black Cloud collector, you need to create API credentials that will be used to authenticate API requests.

Required setup actions by collector service

The setup actions below apply to the event_alerts, event_audit_logs, and event_live_query services, as described for each item.

Open your API Access console

The VMware Carbon Black API Access console lets you create, edit, and remove your API credentials.

Create a new audit_token

This token is required to run the event_audit_logs service and retrieve the Audit Logs data source.

Create a new generic_token

This token is required to run the event_alerts service and retrieve the Alerts data source.

Run the collector

API limitations

Rate limiting is currently not enforced; however, excessive usage is monitored and can result in rate limiting being enforced temporarily.

Change log

Release: v1.4.1
Released on: Jul 5, 2023
Release type: improvements
Details:
  Improvements:
  • Updated DevoCollectorSDK from v1.7.2 to v1.11.1
    * Ensure special characters are properly sent to the platform
    * Changed the log level of some messages from info to debug
    * Corrected some wrong log messages
    * Upgraded some internal dependencies
    * Changed the queue passed to the setup instance constructor
    * Ability to validate the collector setup and exit without pulling any data
    * Ability to store in the persistence the messages that couldn't be sent after the collector stopped
    * Ability to send messages from the persistence when the collector starts, before the puller begins working
    * Updated DevoSDK to v5.1.9
    * Fixed a bug related to development on macOS
    * Added an extra validation and fix for when the DCSDK receives a wrong timestamp format
    * Added an optional config property to use the Syslog timestamp format strictly
    * Updated DevoSDK to v5.1.10
    * Fix for SyslogSender related to UTF-8
    * Enhanced troubleshooting: trace standardization, and some traces have been introduced
    * Introduced a mechanism to detect "Out of Memory killer" situations
  • Upgraded dcsdk-docker-base-image to 1.2.0
  • Migrated to the alerts v7 endpoint
Recommendations: Recommended version

Release: v1.3.0
Released on: Apr 5, 2023
Release type: improvements
Details:
  Improvements:
  • Upgraded the SDK from version 1.1.4 to 1.7.2.
  • Changes in logging.
  • Refactored some code.
Recommendations: Update

Release: v1.2.0
Released on: Aug 5, 2022
Release type: INITIAL RELEASE
Details:
  New features:
  • CBC Live Queries. An advanced user can define a custom query for pulling the performance and security data that osquery makes available. The query is expressed in the SQL dialect supported by osquery.
Recommendations: Initial version