VMware Carbon Black Cloud

Owned by Aparna Rr
Last updated: Apr 17, 2024
5 min read

About The Device

VMware Carbon Black Cloud™ is a cloud-native platform delivering best-in-class, next-generation antivirus and endpoint detection and response without compromising system performance. The platform consolidates multiple endpoint security capabilities using one agent and console, helping you operate faster and more effectively.

Device Information

 Entity

Particulars

 Entity

Particulars

Vendor Name

VMware (Previously Known as Carbon Black and before that Bit9+Carbon Black)

Product Name

Carbon Black Cloud (Previously Known as Carbon Black Predictive Security Cloud)

Type of Device

Hybrid

Collection Method

 Log Type

Ingestion label

Preferred Logging Protocol - Format

Log Collection Method

Data Source

 Log Type

Ingestion label

Preferred Logging Protocol - Format

Log Collection Method

Data Source

 Carbon Black

CB_EDR

JSON

C2C

Feed management API  |  Google Security Operations  |  Google Cloud

Device Configuration

Prerequisites

Data Forwarder Configuration
Carbon Black Cloud Data Forwarders can be used to send bulk data log types categorized as Alerts, Endpoint events and Watchlist hits to an Amazon Web Services (AWS) S3 bucket. You need to create separate Data Forwarders to send each of these three log categories to different sub-folders in the same AWS S3 bucket.

Steps to create Data forwarders

  1. Log in to the Device Console.

  2. On the left navigation pane, click Settings > Data Forwarders.

image-20220915-114217-20240216-104917.png

  1. In the Add Forwarder page,

image-20220905-132837-20240216-105213.png

Enter the Basic Info:

  • Name: Provide a unique name for the Data Forwarder.

  • Type: Select one of the following:

    • Alert

      If you select the Alert option, proceed to Step 5 after providing S3 bucket name and S3 prefix.

  • Endpoint event

If you select the Endpoint Event option, proceed to Step 4 to define the filter data after providing S3 bucket name and S3 prefix.

  • Watchlist hit

If you select the Watchlist hit option, proceed to Step 5 after providing S3 bucket name and S3 prefix.

  • S3 bucket name: Enter the S3 bucket name you created on AWS

  • S3 prefix: Enter the name of the Folder you created in the AWS S3 bucket.

  1. If you have selected Endpoint Event in the previous step, you must click to + icon to expand options under Filter Data and keep Basic filter selected. Kindly keep below values against their properties to filter events.

a. Filter Data by - Event Origin.

b. Data Must - match any of

c. Value(s) - Select EDR and NGAV

  1. Set the forwarder status to either On or Off.

  2. To apply the changes, click Save.

  • While configuring Data Forwarder for Endpoint Events, Adaptive MxDR recommends selecting Basic filter to allow all the endpoint events. Customer can use Custom filter option to filter out events as per their choice.

  • If you select On, data matching the criteria you specified will begin forwarding to the AWS S3 bucket you defined.

Test a New Data Forwarder:

You can test the Data Forwarder connection between the Carbon Black Cloud and the AWS S3 Bucket.

  • Click Settings > Data Forwarders from the left navigation pane.

  • In the right pane, click on Checkmark button to test the data forwarder. A dropdown banner displays and informs you of the test result.

    • Example Result - S3 bucket is connected.

Please refer below page to check required IAM user and KMS Key policies for S3, SQS and KMS. (IAM policies for SQS are required if you are using SQS as a source type).

IAM User and KMS Key Policies Required for AWS

Below is the URL details which we need to allow for connectivity (Please identify URLs by referring AWS document according to your services and regions):

SQS: If you are using source type as SQS, SQS URL should be allowed.

Amazon Simple Queue Service endpoints and quotas - AWS General Reference

Integration parameters

Property

Default Value

Description

Property

Default Value

Description

REGION

N/A

The region where the S3 bucket resides. For a list of regions, see Amazon S3 regions.

S3 URI

N/A

The S3 URI to ingest.

URI IS A

Directory which includes subdirectories

The type of file indicated by the URI. Valid values are:

  • FILES: The URI points to a single file which will be ingested with each execution of the feed.

  • FOLDERS: The URI points to a directory. All files contained within the directory will be ingested with each execution of the feed.

  • FOLDERS_RECURSIVE: The URI points to a directory. All files and directories contained within the indicated directory will be ingested, including all files and directories within those directories, and so on.

SOURCE DELETION OPTION

Never delete files

Whether to delete source files after they have been transferred to Chronicle. This reduces storage costs. Valid values are:

  • SOURCE_DELETION_NEVER: Never delete files from the source.

  • SOURCE_DELETION_ON_SUCCESS:Delete files and empty directories from the source after successful ingestion.

  • SOURCE_DELETION_ON_SUCCESS_FILES_ONLY:Delete files from the source after successful ingestion.

ACCESS KEY ID

N/A

This is the 20 character ID associated with your Amazon IAM account.

SECRET ACCESS KEY

N/A

This is the 40 character access key associated with your Amazon IAM account.

 

About Accenture:
Accenture is a leading global professional services company that helps the world’s leading businesses, governments and other organizations build their digital core, optimize their operations, accelerate revenue growth and enhance citizen services—creating tangible value at speed and scale. We are a talent and innovation led company with 738,000 people serving clients in more than 120 countries. Technology is at the core of change today, and we are one of the world’s leaders in helping drive that change, with strong ecosystem relationships. We combine our strength in technology with unmatched industry experience, functional expertise and global delivery capability. We are uniquely able to deliver tangible outcomes because of our broad range of services, solutions and assets across Strategy & Consulting, Technology, Operations, Industry X and Accenture Song. These capabilities, together with our culture of shared success and commitment to creating 360° value, enable us to help our clients succeed and build trusted, lasting relationships. We measure our success by the 360° value we create for our clients, each other, our shareholders, partners and communities. Visit us at www.accenture.com.

About Accenture Security
Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.

Legal notice: Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. This document is intended for general informational purposes only and does not take into account the reader’s specific circumstances, and may not reflect the most current developments. Accenture disclaims, to the fullest extent permitted by applicable law, any and all liability for the accuracy and completeness of the information in this presentation and for any acts or omissions made based on such information. Accenture does not provide legal, regulatory, audit, or tax advice. Readers are responsible for obtaining such advice from their own legal counsel or other licensed professionals.