You can use the VMware Carbon Black Cloud APIs to integrate the Carbon Black Cloud with other SIEM or downstream tools.
Tip: See Carbon Black Cloud Integrations on the Developer's Network for more information about integrations.
Listed below are the two most common integration use cases and recommendations:
- I would like to use a script to automate a series of tasks during threat hunting and incident response.
  - Recommended Integration: CBC Python SDK
  - Description: Provides an easy interface to connect with Carbon Black Cloud products. Use this SDK to query and manage your endpoints, manipulate data as Python objects, and harness the full power of the Carbon Black Cloud APIs.
- I would like to send Carbon Black Cloud data to my AWS S3 bucket to be consumed by a SIEM or another downstream tool.
  - Recommended Integration: Data Forwarder
  - Description: Built in to the Carbon Black Cloud platform, it delivers Alert, Event and Watchlist Hit data to an AWS S3 bucket, where it is ready for consumption by third-party solutions.
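The downstream side of the second use case is the part you have to build yourself: something has to read the objects the Data Forwarder drops into S3 and turn them into events a SIEM will accept. The following is an added example, not code from the page or from VMware. It assumes the forwarder writes newline-delimited JSON that is gzip-compressed (one record per line), and the record field names used in the constructed sample (`id`, `type`, `severity`, `device_id`, `device_name`, `backend_timestamp`, `reason`) are illustrative assumptions rather than the documented schema. The sample object is built in memory so the code runs offline; in production the bytes would come from an S3 GetObject call instead.

```python
"""Consume one Data Forwarder-style object (gzip-compressed JSON lines) for SIEM ingestion.

Added example; the record layout below is an assumption, not the documented schema.
"""
import gzip
import io
import json
from typing import Iterator, Tuple

# Constructed sample records. a4 is deliberately incomplete so the validation path is exercised.
SAMPLE_RECORDS = [
    {"id": "a1", "type": "CB_ANALYTICS", "severity": 3, "device_id": 100,
     "device_name": "ws-01", "backend_timestamp": "2024-01-01T10:00:00Z",
     "reason": "Suspicious process launch"},
    {"id": "a2", "type": "WATCHLIST", "severity": 8, "device_id": 101,
     "device_name": "srv-02", "backend_timestamp": "2024-01-01T10:00:05Z",
     "reason": "Watchlist hit"},
    {"id": "a3", "type": "DEVICE_CONTROL", "severity": 6, "device_id": 100,
     "device_name": "ws-01", "backend_timestamp": "2024-01-01T10:00:07Z"},
    {"id": "a4", "type": "WATCHLIST", "severity": 9},
]

# Fields a record must carry before it is worth forwarding (assumed, for the example).
REQUIRED_FIELDS = ("id", "type", "severity", "device_id", "backend_timestamp")


def build_sample_object() -> bytes:
    """Lay the constructed records out as a forwarder object: JSON lines, gzip-compressed.

    A truncated line is inserted to mimic a partially written or corrupted object.
    """
    lines = [json.dumps(r) for r in SAMPLE_RECORDS]
    lines.insert(2, '{"id": "broken", "type": ')  # constructed truncated line
    return gzip.compress(("\n".join(lines) + "\n").encode("utf-8"))


def iter_lines(blob: bytes) -> Iterator[Tuple[int, str]]:
    """Decompress in a stream and yield (line_number, non-empty line)."""
    with gzip.open(io.BytesIO(blob), "rt", encoding="utf-8") as fh:
        for lineno, line in enumerate(fh, 1):
            line = line.strip()
            if line:
                yield lineno, line


def normalize(rec: dict) -> dict:
    """Map a forwarder record onto a flat, SIEM-friendly event; reject incomplete records."""
    missing = [f for f in REQUIRED_FIELDS if f not in rec]
    if missing:
        raise ValueError(f"record {rec.get('id')!r} is missing {missing}")
    return {
        "event_id": rec["id"],
        "event_type": rec["type"],
        "severity": int(rec["severity"]),
        # Fall back to the numeric device id when the hostname is absent.
        "host": rec.get("device_name", str(rec["device_id"])),
        "timestamp": rec["backend_timestamp"],
        "message": rec.get("reason", ""),
        "source": "carbon_black_cloud",
    }


def process_object(blob: bytes, min_severity: int = 5) -> dict:
    """Parse one object; return events at or above min_severity plus counters for auditing.

    A malformed line or an incomplete record is counted and skipped rather than
    aborting the whole object, so one bad line cannot stall the pipeline.
    """
    stats = {"read": 0, "malformed": 0, "skipped": 0, "forwarded": []}
    for _lineno, line in iter_lines(blob):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            stats["malformed"] += 1
            continue
        if not isinstance(rec, dict):
            stats["malformed"] += 1
            continue
        stats["read"] += 1
        try:
            event = normalize(rec)
        except ValueError:
            stats["skipped"] += 1
            continue
        if event["severity"] >= min_severity:
            stats["forwarded"].append(event)
    return stats


if __name__ == "__main__":
    result = process_object(build_sample_object())
    print(f"read={result['read']} malformed={result['malformed']} skipped={result['skipped']}")
    for ev in result["forwarded"]:
        print(json.dumps(ev))
```

Two design points carry over to a real consumer: keep the counters, because a silent drop of malformed or incomplete records is exactly how a SIEM feed develops blind spots, and apply the severity filter after normalization so the same threshold logic works regardless of which forwarder type (Alert, Event or Watchlist Hit) produced the object.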
Integrations Reference Guide
Integration | Description |
---|---|
Binary Toolkit | Allows you to integrate Carbon Black Cloud Enterprise EDR with a binary analysis engine, such as YARA. |
CBC Python SDK | Provides an easy interface to connect with Carbon Black Cloud products. Use this SDK to query and manage your endpoints, manipulate data as Python objects, and harness the full power of Carbon Black Cloud APIs. |
Data Forwarder | Built-in to the Carbon Black Cloud platform, it delivers Alert, Event and Watchlist Hit data to an AWS S3 bucket where it is ready for consumption by third-party solutions. |
QRadar App | Configures a connection in QRadar to ingest alerts, audit logs, and events from Carbon Black Cloud into IBM QRadar using the Data Forwarder and APIs. Actions such as quarantining devices and adding IOCs to watchlists can be initiated in QRadar to take effect in Carbon Black Cloud. |
ServiceNow App | Ingests alerts and vulnerabilities from Carbon Black Cloud into ServiceNow and automatically creates ServiceNow incidents to track their resolution. A large set of actions, such as quarantining devices, can be initiated in ServiceNow and take effect in Carbon Black Cloud. |
Splunk App | Allows administrators to bring alerts, events, audit logs, or vulnerability data from Carbon Black Cloud into their Splunk dashboard. |
Splunk SOAR App | Configures a connection in Splunk SOAR to ingest alerts from Carbon Black Cloud using the REST APIs. Actions can be initiated in Splunk SOAR to take effect in Carbon Black Cloud. |
Syslog Connector | Allows administrators to forward alert notifications and audit logs from their Carbon Black Cloud instance to local, on-premise systems. |
Threat Intelligence Connector | A Python connector for ingesting and processing STIX content from third-party sources, such as TAXII servers, or directly from XML or JSON files. |
Zscaler Sandbox Connector | Scans files from Carbon Black Cloud Endpoint Standard or Enterprise EDR that come through the network before they reach the endpoint. |