This section provides instructions for configuring and using the Connector, which integrates the Carbon Black App Control Server with one or more network security devices or services.

The Carbon Black App Control Connector allows you to integrate the Carbon Black App Control Server with one or more network security devices or services, including:

  • Palo Alto Networks™ firewalls
  • Palo Alto Networks WildFire™ public and private cloud services

Note: In addition to the supported devices and services, you can integrate other services, such as Lastline, with Carbon Black App Control using the Carbon Black App Control API. These integrations are examples of API capabilities only, and are not currently supported. See App Control API for instructions on enabling API access and authentication.

When these systems are integrated with Carbon Black App Control and a connected device or service detects malware on an enterprise network, Carbon Black App Control’s real-time endpoint sensor and recorder automatically confirm the location and scope of the threat, accelerating incident response and remediation. In addition, suspicious files found by the Carbon Black App Control endpoint sensor can be uploaded to one of the connected appliances or network security analysis providers for further analysis.

The Carbon Black App Control Connector adds the following capabilities to what the Carbon Black App Control Server and network security devices or services offer individually:

External Notifications
Notifications provided by the connected sources appear as “External Notifications” in the Carbon Black App Control Console, correlated with Carbon Black App Control endpoint data to provide immediate visibility into the priority of the alert and the scope of any infection. See External Notifications for details.
 
File Banning
Malware reported by connected sources can be manually or automatically banned by Carbon Black App Control. See Banning Externally Reported Malware for details.
 
Registry Control
Suspicious file or registry activity reported by connected sources can be reported or restricted by Carbon Black App Control custom rules. See Special Rules for Reporting or Banning Malware for details.
 
Analysis of Suspicious Files
Suspicious files discovered on endpoints by Carbon Black App Control agents can be sent to connected services for analysis. See Analysis of Suspicious Files on Endpoints for details.
 
Event Logging
Events related to external notification or analysis and reported to the Carbon Black App Control Server become part of the Carbon Black App Control event log, and are also available as Syslog output. See Logging of Connector-related Events for details.
 
Event Rules
Rules can be defined that use file-related events to take actions. For example, a rule could send any newly discovered file in the Carbon Black App Control Server inventory to the Palo Alto Networks WildFire cloud for analysis. Another rule might automatically ban any file reported as malicious in an external notification. Or, if Carbon Black App Control detects repeated malware infections reported by a connected third-party tool, an Event Rule could be created to ban the parent process if it is not used for any required function. See Event Rules for details.