Carbon Black Cloud

Carbon Black Cloud EDR FAQ

What is Carbon Black Cloud EDR?

Carbon Black Cloud EDR is a unified endpoint security platform for preventative protection, post-breach detection, automated investigation, and response.

Integration:

How does Carbon Black Cloud EDR integrate with my Vectra platform?

Integration with Carbon Black Cloud EDR adds host context to aid in host identification during a security investigation. When Detect sees a host session come online, it polls Carbon Black Cloud EDR for host information. Host information may include the following:

  • Machine ID

  • Machine name

  • Operating system

  • Isolation status

Carbon Black Cloud EDR host context is available under the Host Details tab of individual Host pages.

How do I enable the Carbon Black Cloud EDR integration in Detect?

Carbon Black Cloud EDR is configured under the EDR Integrations Tab. In your Detect UI, navigate to Settings -> EDR Integrations -> Carbon Black Cloud:

  • Select Edit on the far right-hand side within the Carbon Black Cloud row.

  • Toggle Enable integration with Carbon Black Cloud to On.

  • Enter your Carbon Black Cloud Hostname, Org Key, API Secret Key, and API ID. These credentials should belong to an API Key with the permissions defined below. If you do not have this information, see the section below on how to obtain it.

  • Click Save.

  • Once the credentials have been validated, the UI will provide confirmation that your configuration has been saved.

  • Your Carbon Black Cloud EDR setup is now complete.

Where can I find my Carbon Black Cloud Information to integrate with Vectra?

To get credentials for Carbon Black Cloud EDR for use with Vectra:

  • Log into your Carbon Black Cloud Dashboard

  • Navigate to Settings > API Access

  • Here you will see all the API Keys you have created. For the Vectra EDR integration to work, there must be an API Key with the following permissions (see https://developer.carbonblack.com/reference/carbon-black-cloud/platform/latest/devices-api/).

  • Access Level: Before you create your API Key, you need to create a custom Access Level

    • for the category Device > General Information > “device” allow permissions for “READ”

    • for the category Device > Policy assignment > “device.policy” allow permissions for “UPDATE”

    • for the category Device > Background scan > “device.bg-scan” allow permissions for “EXECUTE”

    • for the category Device > Bypass > “device.bypass” allow permissions for “EXECUTE”

    • for the category Device > Quarantine > “device.quarantine” allow permissions for “EXECUTE”

    • for the category Device > Sensor kits > “org.kits” allow permissions for “EXECUTE”

    • for the category Device > Uninstall > “device.uninstall” allow permissions for “EXECUTE”

    • for the category Device > Deregistered > “device.deregistered” allow permissions for “DELETE”

  • If you do not have such a key, follow the steps below. If you already have an API Key with this access level, use its corresponding Org Key, Hostname, API Secret Key, and API ID.

  • Navigate to the Access Levels and click on Add Access Level.

  • Provide a name and description for the access level. Make sure you remember the name you provided, as it will be used later.

  • Mark the checkboxes corresponding to the permissions mentioned above.

  • Press Save to save this custom permission.

  • Navigate back to API Keys and select Add API Key.

  • Provide the Name you want to use for the API Key. From the drop-down, choose Custom for Access Level Type and then choose your access level under Custom Access Level.

  • Press Save.

  • Once you press Save, you will be given your API Secret Key and API ID.

  • You now have all the information to set up the Carbon Black Cloud EDR integration.
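To make concrete what the host-context poll described under "How does Carbon Black Cloud EDR integrate with my Vectra platform?" looks like at the API level, and to give you a quick way to confirm that the API Key created above is accepted by your tenant, here is an added Python example. It is not Vectra's or Carbon Black's code. It assumes the Devices API search endpoint `/appservices/v6/orgs/{org_key}/devices/_search` and the `X-Auth-Token: <API Secret Key>/<API ID>` header format from the Devices API reference linked above (verify both against the current documentation), and all hostnames, keys and the sample response are constructed placeholders.

```python
import json
import urllib.error
import urllib.request

# Constructed placeholders; replace with the values from your Carbon Black Cloud console.
CBC_HOSTNAME = "cbc.example.invalid"
ORG_KEY = "ORGKEY12"
API_ID = "EXAMPLEID"
API_SECRET_KEY = "EXAMPLESECRET"

# Device fields that map onto the host context Detect displays
# (Machine ID, Machine name, Operating system, Isolation status).
REQUIRED_KEYS = ("id", "name", "os", "quarantined")


def build_device_search_request(hostname, org_key, api_id, api_secret, query, rows=1):
    """Return (url, headers, body) for a Devices API search.

    Assumed: endpoint path and X-Auth-Token format per the Devices API reference.
    `query` is free text (hostname or IP) as accepted by the search body.
    """
    url = f"https://{hostname}/appservices/v6/orgs/{org_key}/devices/_search"
    headers = {
        "X-Auth-Token": f"{api_secret}/{api_id}",
        "Content-Type": "application/json",
    }
    body = {"query": query, "rows": rows}
    return url, headers, body


def extract_host_context(search_response):
    """Map Devices API results onto the four host-context fields.

    Raises ValueError on a record that lacks a required field so that a schema
    change or unexpected response shape fails loudly instead of showing blanks.
    """
    hosts = []
    for device in search_response.get("results", []):
        missing = [key for key in REQUIRED_KEYS if key not in device]
        if missing:
            raise ValueError(f"device record missing fields: {missing}")
        hosts.append({
            "machine_id": device["id"],
            "machine_name": device["name"],
            "operating_system": device["os"],
            "isolation_status": "isolated" if device["quarantined"] else "not isolated",
        })
    return hosts


def describe_auth_failure(status_code):
    """Translate the HTTP status of a failed poll into the setting to re-check."""
    if status_code == 401:
        return "X-Auth-Token rejected: re-check the API Secret Key and API ID"
    if status_code == 403:
        return "key accepted but forbidden: the access level lacks device READ"
    return f"unexpected status {status_code}: re-check Hostname and Org Key"


def fetch_host_context(hostname, org_key, api_id, api_secret, query):
    """Perform the live poll (network access required); not exercised offline."""
    url, headers, body = build_device_search_request(hostname, org_key, api_id, api_secret, query)
    request = urllib.request.Request(
        url, data=json.dumps(body).encode(), headers=headers, method="POST"
    )
    try:
        with urllib.request.urlopen(request, timeout=15) as response:
            return extract_host_context(json.load(response))
    except urllib.error.HTTPError as err:
        raise RuntimeError(describe_auth_failure(err.code)) from err


# Constructed sample response in the shape of a Devices API search result.
SAMPLE_SEARCH_RESPONSE = {
    "num_found": 1,
    "results": [
        {
            "id": 1234567,
            "name": "CORP\\WS-FINANCE-07",
            "os": "WINDOWS",
            "quarantined": True,
            "last_internal_ip_address": "10.20.30.40",
        }
    ],
}

if __name__ == "__main__":
    # Offline walk-through using the constructed sample instead of a live call.
    print(extract_host_context(SAMPLE_SEARCH_RESPONSE))
```

Run `fetch_host_context(CBC_HOSTNAME, ORG_KEY, API_ID, API_SECRET_KEY, "<hostname or IP>")` with real values to confirm the key works before saving it in Detect; a 401 points at the API ID / Secret Key pair, a 403 at the access level. Note that this read-only poll exercises only the device READ permission; the UPDATE and EXECUTE entries in the access level above presumably back the Host Lockdown response actions mentioned later on this page.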

Why do I not see Carbon Black Cloud EDR as an External Connector?

Vectra introduced native integration support for Carbon Black Cloud EDR in release version 6.6. Please make sure you are running Detect version 6.6 or greater. You can check the current software version by navigating to Settings -> General -> Version in the Detect UI.

Can I use Advanced search to query for Carbon Black Cloud EDR hosts?

Right now, we do not have support for Advanced search for Carbon Black Cloud EDR host artifacts. We plan to release this feature in a coming release.

Can Carbon Black Cloud EDR be used for Host Lockdown?

Yes, Detect release version 6.6 introduced support for Host Lockdown using Carbon Black Cloud EDR. For more details, please check this article.
