Enabling VMware Carbon Black Cloud Integration

If you are monitoring and managing your computers with both Carbon Black App Control and VMware Carbon Black Cloud, you can configure the Carbon Black App Control Server to connect to the Carbon Black Cloud and view information it has about activities on these jointly managed endpoints. The Carbon Black Cloud pages you can connect to from Carbon Black App Control depend upon whether your Carbon Black Cloud license includes Carbon Black Cloud Enterprise EDR.

Configuration of this integration requires entering search URLs for your Carbon Black Cloud server, with the search term replaced with the string “<search>”. This is done on the System Configuration Connectors tab.

The System Configuration connectors tab showing the Carbon Black Cloud connector page

The following table describes the configuration fields and the resulting links to the Carbon Black Cloud.

Table 1. Carbon Black Cloud Integration Configuration Fields
Field	Description
`Enable Carbon Black Cloud Integration`	Checking this box enables the integration when you save the configuration if URLs have been configured for all relevant fields. Uncheck the box and click Update to disable the connector. URLs are retained and are applied if you re-enable the connector.
`Do you have Carbon Black Cloud Enterprise EDR?`	The Yes, radio button activates URL fields appropriate for searches of Carbon Black Cloud with Enterprise EDR. The No radio button activates URL fields appropriate for searches of Carbon Black Cloud without Enterprise EDR.
`File Event URL`	Link name in App Control: Carbon Black Cloud Events. Link location: File and File Instance Details pages Shows when: Carbon Black Cloud Enterprise EDR button is Yes. Results in Carbon Black Cloud: Shows the Investigations page with the results of a search for events involving this file, including additional data on the file provided by Enterprise EDR. URL: https:// `<CarbonBlackCloudserveraddress>` /EnterpriseEDR/investigate?searchWindow=ALL&query=hash:<search>
`Automatic`	Select to populate the URL fields automatically based on your Carbon Black Cloud URL.
`Event URL`	Link name in Carbon Black App Control: Carbon Black Cloud Events Link location: File and File Instance Details pages Shows when: Carbon Black Cloud Enterprise EDR button is No. Results in Carbon Black Cloud: Shows the Investigations page with the results of a search for events involving this file. URL: https:// `<CarbonBlackCloudserveraddress>` /investigate?s[c][QUERY_STRING_TYPE][0]=<search>
`Computer/Device Event URL`	Link name in Carbon Black App Control: Carbon Black Cloud Events Link location: Computer Details page Shows when: Carbon Black Cloud Enterprise EDR button is No. Results in Carbon Black Cloud: Shows the Investigations page with the results of a search for events involving this computer, including additional file data from Enterprise EDR. URL: https:// `<` `CarbonBlackCloud` `serveraddress>` / EnterpriseEDR /investigate?searchWindow=ALL&query=device_name:<search>
`Device URL`	Link name in Carbon Black App Control: Carbon Black Cloud Device Link location: Computer Details page Shows when: Always (Carbon Black Cloud Enterprise EDR can be Yes or No) Results in Carbon Black Cloud: Shows the All Sensors page with the results of a search for this computer. URL: https:// `<CarbonBlackCloudserveraddress>` /settings/enrollment?s[c][QUERY_STRING_TYPE][0]=<search>

Note: If you use the Populate from URL button on the Carbon Black Cloud connector configuration screen, you only need to enter the Carbon Black Cloud server address in a dialog box. URLs will be created using that address and additional strings appropriate for each link.

If you do manually enter a URL, it must include “<search>” as shown in the preceding instructions.