
VMware Carbon Black Cloud collector

Overview

VMware Carbon Black is a cloud-native endpoint, workload, and container protection platform that combines the intelligent system hardening and behavioral prevention needed to keep emerging threats at bay, using a single, easy-to-use console. By analyzing more than 1 trillion security events per day, VMware CBC proactively uncovers attackers’ behavior patterns and empowers defenders to detect and stop emerging attacks. 

This Devo collector brings CBC alerts, audit events and Live Query results into Devo, extending CBC's analytics and response actions to the rest of your security stack.

Devo Collector features

Allow parallel downloading (multipod): not allowed

Running Environments: Collector Server, On Premise

API Limits, Delays, Known Issues

With the credentials used during testing, an intermittent HTTP 401 (Principal is not authenticated) was observed in the setup logs. It clears on its own: the puller recovers after a few retries, so a single transient 401 is not by itself a sign of a bad credential, whereas a 401 that persists across retries is.

Data source description

Alerts
  Table: endpoint.vmware.cbc_api.alerts
  Collector service: event_alerts
  Remote endpoint: https://defense.conferdeploy.net/api/alerts/v7/orgs/{org_key}/alerts/_search
  Description: Alerts flag suspicious behavior and known threats in your environment.

Audit Logs
  Table: endpoint.vmware.cbc_defender.audit_logs
  Collector service: event_audit_logs
  Remote endpoint: https://defense.conferdeploy.net/integrationServices/v3/auditlogs
  Description: Audit logs are the events the CBC backend records about itself, such as a user signing in or updating a policy. This v3 endpoint delivers each event to a given API key only once, so reserve the audit_token for this collector; a second consumer sharing the key would split the event stream between them.

Live Query
  Table: endpoint.vmware.cbc_liveops.live_query
  Collector service: event_live_query
  Remote endpoint: https://defense.conferdeploy.net/livequery/v1/orgs/{org_key}/runs/
  Description: Live Query lets users send custom osquery SQL to endpoints to collect specific performance and security data.

The hostname shown is the default CBC backend; substitute the URL your organization's console uses.
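The following Python is an added example, not the collector's own code. It shows how a puller for the Alerts data source pages through the alerts v7 _search endpoint and rides out the intermittent 401 described under API Limits, Delays, Known Issues: transient 401/429/5xx responses are retried with backoff, anything else fails fast. The X-Auth-Token format and the request and response fields follow the CBC alerts v7 API; the org key, API ID and secret, and the FakeCbc transport are constructed for offline use.

```python
"""Added example: page CBC alerts v7 _search with a bounded retry on 401.
The HTTP transport is injected so this runs offline against FakeCbc; in
production pass a function that performs the real POST (e.g. with requests)."""
import json
import time
from typing import Callable, Dict, List, Tuple

BASE_URL = "https://defense.conferdeploy.net"  # substitute your org's CBC URL

# A transport takes (url, headers, json_body) and returns (status_code, json_body).
Transport = Callable[[str, Dict[str, str], dict], Tuple[int, dict]]


def auth_headers(api_id: str, api_secret: str) -> Dict[str, str]:
    """CBC custom API keys authenticate with X-Auth-Token: <secret>/<id>."""
    return {"X-Auth-Token": f"{api_secret}/{api_id}",
            "Content-Type": "application/json"}


def alerts_search_body(start_iso: str, end_iso: str, page_start: int, rows: int) -> dict:
    """Body for POST /api/alerts/v7/orgs/{org_key}/alerts/_search.
    'start' is 1-based in v7; sort ascending so pages stay stable across calls."""
    return {"time_range": {"start": start_iso, "end": end_iso},
            "criteria": {},
            "start": page_start,
            "rows": rows,
            "sort": [{"field": "backend_timestamp", "order": "ASC"}]}


def post_with_retry(send: Transport, url: str, headers: dict, body: dict,
                    max_attempts: int = 4,
                    sleep: Callable[[float], None] = time.sleep) -> dict:
    """Retry transient 401/429/5xx with exponential backoff; fail fast otherwise.
    A 401 that survives max_attempts is a real credential problem, not the glitch."""
    delay = 1.0
    for attempt in range(1, max_attempts + 1):
        status, payload = send(url, headers, body)
        if status == 200:
            return payload
        if status in (401, 429) or status >= 500:
            if attempt == max_attempts:
                raise RuntimeError(f"giving up after {attempt} attempts: HTTP {status}")
            sleep(delay)
            delay *= 2
            continue
        raise RuntimeError(f"non-retryable HTTP {status}: {json.dumps(payload)[:200]}")
    raise AssertionError("unreachable")


def pull_alerts(send: Transport, org_key: str, api_id: str, api_secret: str,
                start_iso: str, end_iso: str, rows: int = 100,
                sleep: Callable[[float], None] = time.sleep) -> List[dict]:
    """Collect every alert in [start_iso, end_iso] by walking num_found."""
    url = f"{BASE_URL}/api/alerts/v7/orgs/{org_key}/alerts/_search"
    headers = auth_headers(api_id, api_secret)
    alerts: List[dict] = []
    page_start = 1
    while True:
        body = alerts_search_body(start_iso, end_iso, page_start, rows)
        payload = post_with_retry(send, url, headers, body, sleep=sleep)
        results = payload.get("results", [])
        alerts.extend(results)
        # Stop on an empty page or once num_found alerts have been collected.
        if not results or len(alerts) >= payload.get("num_found", 0):
            return alerts
        page_start += len(results)


class FakeCbc:
    """Constructed offline stand-in for the backend: the first call answers 401
    (as in the known issue), then three alerts are served across two pages."""

    def __init__(self) -> None:
        self.calls = 0
        self.alerts = [{"id": f"alert-{i}", "severity": 5 + i} for i in range(3)]

    def __call__(self, url: str, headers: Dict[str, str], body: dict) -> Tuple[int, dict]:
        self.calls += 1
        if self.calls == 1:
            return 401, {"message": "Principal is not authenticated"}
        assert headers["X-Auth-Token"].endswith("/ABCD1234")
        first = body["start"] - 1  # translate the 1-based page start
        page = self.alerts[first:first + body["rows"]]
        return 200, {"num_found": len(self.alerts), "results": page}


if __name__ == "__main__":
    fake = FakeCbc()
    got = pull_alerts(fake, "ORGKEY", "ABCD1234", "s3cret",
                      "2024-11-01T00:00:00Z", "2024-11-02T00:00:00Z",
                      rows=2, sleep=lambda _: None)
    print(len(got), "alerts after", fake.calls, "calls")  # 3 alerts after 3 calls
```

Bounding the retries matters: an unbounded loop would hide a revoked or mistyped key behind an endless stream of "recovering" log lines, while a 403 or 400 is returned immediately because retrying it only adds to the usage the vendor monitors.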

Vendor setup

To configure the Devo - VMware Carbon Black Cloud collector you need to create API credentials that the collector uses to authenticate its API requests. Treat the API ID and secret as credentials: they are sent with every request, so scope them to the permissions the service needs and rotate them if they are exposed.

Required setup actions by collector service

  • Open your API Access console: event_alerts, event_audit_logs, event_live_query

  • Create a new audit_token: event_audit_logs

  • Create a new generic_token: event_alerts

Open your API Access console

The VMware Carbon Black API Access console lets you create, edit and remove your API credentials.

Create a new audit_token

This token is required to run the event_audit_logs service and retrieve the Audit Logs data source.

Create a new generic_token

This token is required to run the event_alerts service and retrieve the Alerts data source.

Run the collector

API limitations

Rate limiting is currently not enforced, but excessive usage is monitored and can result in rate limiting being enforced temporarily.

Change log

Release: v1.5.0
Released on: Nov 28, 2024
Release type: improvements, bug fixing
Recommendation: Recommended version

Improvements

  • Updated the docker base image to 1.3.0

  • Updated DCSDK from 1.12.4 to 1.12.4:

    • Changed internal queue management to protect against the OOM killer

    • Extracted the ModuleThread structure from PullerAbstract

    • Improved controlled stop when both processes fail to instantiate

    • Improved controlled stop when InputProcess is killed

    • Fixed an error where a ValueError exception was not handled correctly

  • Refactored the livequery, alerts and audit services in accordance with template1

  • Eliminated the use of while loops in the pull logic

  • Added unit tests for the livequery, alerts and audit services

Bug fixing

  • Fixed the 400 API error received when the collector invoked the Carbon Black Live Query API

Release: v1.4.2
Released on: Aug 15, 2024
Release type: improvements, bug fixing
Recommendation: Upgrade

Improvements

  • Updated the docker base image to 1.3.0

  • Updated DCSDK from 1.11.1 to 1.12.4:

    • Added a new sender for the in-house relay with TLS

    • Added persistence for the gzip sending buffer

    • Added automatic activation of gzip sending

    • Improved behaviour when persistence fails

    • Upgraded the DevoSDK dependency

    • Fixed console log encoding

    • Restructured Python classes

    • Improved behaviour with non-UTF-8 characters

    • Decreased the default size of internal queues (Redis limitation, from 1GiB to 256MiB)

    • New persistence format/structure (compression in some cases)

    • Removed dmesg execution (it was invalid for docker execution)

    • Applied changes to make DCSDK compatible with macOS

    • Upgraded the DevoSDK dependency to version v5.4

    • Changed internal queue management to protect against the OOM killer

    • Extracted the ModuleThread structure from PullerAbstract

    • Improved controlled stop when both processes fail to instantiate

    • Improved controlled stop when InputProcess is killed

    • Fixed a bug that lost collector_name, collector_id and job_id

    • Fixed a bug related to queues and ValueError

Bug fixing

  • Fixed the duplicate-removal logic.

Release: v1.4.1
Released on: Jul 5, 2023
Release type: improvements
Recommendation: Upgrade

Improvements

  • Updated DevoCollectorSDK from v1.7.2 to v1.11.1:

    • Ensured special characters are properly sent to the platform

    • Changed the log level of some messages from info to debug

    • Corrected some wrong log messages

    • Upgraded some internal dependencies

    • Changed the queue passed to the setup instance constructor

    • Ability to validate the collector setup and exit without pulling any data

    • Ability to store in the persistence the messages that could not be sent after the collector stopped

    • Ability to send messages from the persistence when the collector starts and before the puller begins working

    • Updated DevoSDK to v5.1.9

    • Fixed some bugs related to development on macOS

    • Added an extra validation and fix for when the DCSDK receives a wrong timestamp format

    • Added an optional config property to use the Syslog timestamp format strictly

    • Updated DevoSDK to v5.1.10

    • Fix for SyslogSender related to UTF-8

    • Enhanced troubleshooting: traces were standardized and some new traces introduced

    • Introduced a mechanism to detect an "Out of Memory killer" situation

  • Upgraded dcsdk-docker-base-image to 1.2.0

  • Migrated to the alerts v7 endpoint

Release: v1.3.0
Released on: Apr 5, 2023
Release type: improvements
Recommendation: Upgrade

Improvements

  • Upgraded the SDK from version 1.1.4 to 1.7.2.

  • Changes in logging.

  • Refactored some code.

Release: v1.2.0
Released on: Aug 5, 2022
Release type: INITIAL RELEASE
Recommendation: Initial version

New features

  • CBC Live Queries. An advanced user can define a custom query, written in the SQL dialect osquery supports, to pull the performance and security data that osquery exposes on each endpoint.
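The following Python is an added example of the Live Query exchange that the event_live_query service relies on; it is not the collector's own code. A user-supplied osquery statement is checked to be a single SELECT before it is sent anywhere, a run is created with POST .../livequery/v1/orgs/{org_key}/runs, scoped to specific device IDs rather than the whole fleet, the run is polled until it finishes, and the per-device results are paged out of .../runs/{id}/results/_search. The endpoint paths and the sql, name and device_filter fields follow the CBC Live Query v1 API; the run status values polled for (ACTIVE while devices are still answering, COMPLETE, TIMED_OUT or CANCELLED when finished), the org key and credentials, and the FakeLiveQuery transport are assumptions made for this offline example.

```python
"""Added example: create a CBC Live Query run, wait for it, page its results.
Transport is injected so this runs offline against FakeLiveQuery."""
import re
import time
from typing import Callable, Dict, List, Optional, Tuple

BASE_URL = "https://defense.conferdeploy.net"  # substitute your org's CBC URL

# A transport takes (method, url, headers, json_body) and returns (status, json_body).
Transport = Callable[[str, str, Dict[str, str], dict], Tuple[int, dict]]

# One SELECT statement and nothing chained after it. A ';' inside a string
# literal is rejected as well, an acceptable false positive for a guard.
_SINGLE_SELECT = re.compile(r"^\s*SELECT\b[^;]*;?\s*$", re.IGNORECASE | re.DOTALL)


def check_query(sql: str) -> str:
    """The collector forwards a user-supplied query to every targeted device,
    so refuse anything but a single SELECT before it leaves the collector."""
    if not _SINGLE_SELECT.match(sql):
        raise ValueError("only a single SELECT statement is accepted")
    return sql.strip().rstrip(";").strip()


def auth_headers(api_id: str, api_secret: str) -> Dict[str, str]:
    """CBC custom API keys authenticate with X-Auth-Token: <secret>/<id>."""
    return {"X-Auth-Token": f"{api_secret}/{api_id}",
            "Content-Type": "application/json"}


def run_live_query(send: Transport, org_key: str, api_id: str, api_secret: str,
                   sql: str, name: str, device_ids: Optional[List[int]] = None,
                   max_polls: int = 30, poll_interval: float = 5.0,
                   sleep: Callable[[float], None] = time.sleep) -> List[dict]:
    """Create a run, wait until the backend reports it finished, then page results."""
    headers = auth_headers(api_id, api_secret)
    runs_url = f"{BASE_URL}/livequery/v1/orgs/{org_key}/runs"
    body = {"sql": check_query(sql), "name": name}
    if device_ids:  # scope the run instead of querying the whole fleet
        body["device_filter"] = {"device_id": device_ids}
    status, run = send("POST", runs_url, headers, body)
    if status != 200:
        raise RuntimeError(f"run creation failed: HTTP {status}")
    run_id = run["id"]

    # Poll the run until it reaches a terminal status (values assumed, see lead-in).
    for _ in range(max_polls):
        status, run = send("GET", f"{runs_url}/{run_id}", headers, {})
        if status == 200 and run.get("status") in ("COMPLETE", "TIMED_OUT", "CANCELLED"):
            break
        sleep(poll_interval)
    else:
        raise TimeoutError(f"run {run_id} still {run.get('status')} after {max_polls} polls")

    results: List[dict] = []
    start = 0  # results search start index is 0-based here (assumed)
    while True:
        status, page = send("POST", f"{runs_url}/{run_id}/results/_search", headers,
                            {"criteria": {}, "start": start, "rows": 100})
        if status != 200:
            raise RuntimeError(f"results search failed: HTTP {status}")
        batch = page.get("results", [])
        results.extend(batch)
        if not batch or len(results) >= page.get("num_found", 0):
            return results
        start += len(batch)


class FakeLiveQuery:
    """Constructed stand-in for the backend: the run is ACTIVE on the first
    status poll and COMPLETE on the second; two devices answered."""

    def __init__(self) -> None:
        self.polls = 0
        self.submitted: Optional[dict] = None
        self.rows = [
            {"device": {"id": 11, "name": "web-01"}, "status": "matched",
             "fields": {"name": "sshd", "pid": 812}},
            {"device": {"id": 12, "name": "web-02"}, "status": "not_matched", "fields": {}},
        ]

    def __call__(self, method: str, url: str, headers: Dict[str, str], body: dict) -> Tuple[int, dict]:
        assert headers["X-Auth-Token"].endswith("/ABCD1234")
        if method == "POST" and url.endswith("/runs"):
            self.submitted = body
            return 200, {"id": "run-1", "status": "ACTIVE"}
        if method == "GET" and url.endswith("/runs/run-1"):
            self.polls += 1
            return 200, {"id": "run-1", "status": "ACTIVE" if self.polls < 2 else "COMPLETE"}
        if method == "POST" and url.endswith("/runs/run-1/results/_search"):
            page = self.rows[body["start"]:body["start"] + body["rows"]]
            return 200, {"num_found": len(self.rows), "results": page}
        return 404, {}


if __name__ == "__main__":
    fake = FakeLiveQuery()
    rows = run_live_query(fake, "ORGKEY", "ABCD1234", "s3cret",
                          "SELECT name, pid FROM processes WHERE name = 'sshd';",
                          "sshd check", device_ids=[11, 12], sleep=lambda _: None)
    print([r["device"]["name"] for r in rows if r["status"] == "matched"])  # ['web-01']
```

Keep the device filter and the poll bound: a run against the entire fleet with no upper limit on polling is how a collector ends up generating the excessive usage the API limitations section warns about, and the not_matched and error statuses in the results are worth forwarding too, since a query that silently returns nothing from a host is itself a finding.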