VMWare Carbon Black EDR 1.10.2
  • 16 Apr 2023

tags: python | EDR | bit9


Description

The VMware Carbon Black EDR integration fetches the details of incidents created on the VMware Carbon Black EDR platform, along with their metadata, so that CDC users have additional information for making informed decisions during incident response.

VMware Carbon Black EDR collects and visualizes comprehensive information about endpoint events, giving security professionals unparalleled visibility into IT environments.

We provide CDC users with configuration options to:

  1. Configure alert filter criteria so that only alerts matching the set criteria are ingested. For example: {"category": ["THREAT"]}.

  2. Limit the number of alerts injected into the CDC via the UI configuration field alert_limit.

  3. Filter out alerts on the basis of tags via UI configuration. Each configured tag is compared with the alert's reason_code; if one matches, the alert is not injected into the CDC. For example: Filter_tags: ["tag_1", "tag_2"]. Alerts with an empty reason code are injected into the CDC with default tags.

  4. Filter out alerts on the basis of alert name via UI configuration. Configured alert names are matched case-insensitively.

  5. Filter out observables via the UI configuration field observable_filter_config. For example: {"filter_key": ["major_version", "platform_id"]}.
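As an added example (not the pack's own code), the following Python applies the five options above to constructed sample alerts. The alert field names (category, reason_code, alert_name, observables), the config keys and the default tag set are assumptions, since the page shows only the option names and example values:

```python
# Added illustration (not the pack's own code) of the filtering options above; the
# alert field names, config keys and DEFAULT_TAGS are assumptions for the example.
DEFAULT_TAGS = ["carbon_black"]  # assumed default tags applied when reason_code is empty

# Constructed sample alerts: a2 fails the criteria, a3's reason_code is a filtered
# tag, a4's name is filtered (case-insensitively), a6 is cut off by alert_limit.
SAMPLE_ALERTS = [
    {"id": "a1", "category": "THREAT", "reason_code": "CB_WATCHLIST", "alert_name": "Suspicious Binary",
     "observables": {"major_version": 10, "platform_id": 5, "process_name": "x.exe"}},
    {"id": "a2", "category": "MONITORED", "reason_code": "CB_WATCHLIST", "alert_name": "Low Priority"},
    {"id": "a3", "category": "THREAT", "reason_code": "tag_1", "alert_name": "Test Rule"},
    {"id": "a4", "category": "THREAT", "reason_code": "", "alert_name": "known noise"},
    {"id": "a5", "category": "THREAT", "reason_code": "", "alert_name": "Lateral Movement"},
    {"id": "a6", "category": "THREAT", "reason_code": "CB_FEED", "alert_name": "Third Alert"},
]
SAMPLE_CONFIG = {
    "cb_filter_criteria": {"category": ["THREAT"]},
    "alert_limit": 2,
    "filter_tags": ["tag_1", "tag_2"],
    "filter_names": ["KNOWN NOISE"],
    "observable_filter_config": {"filter_key": ["major_version", "platform_id"]},
}

def matches_criteria(alert, criteria):
    """Every criteria key must be present on the alert with one of the allowed values."""
    return all(alert.get(key) in allowed for key, allowed in criteria.items())

def select_alerts(alerts, config):
    """Apply criteria, tag, name, observable and limit filters; return alerts to inject."""
    criteria = config.get("cb_filter_criteria", {})
    filter_tags = set(config.get("filter_tags", []))
    blocked_names = {name.lower() for name in config.get("filter_names", [])}
    drop_keys = set(config.get("observable_filter_config", {}).get("filter_key", []))
    limit = config.get("alert_limit")
    selected = []
    for alert in alerts:
        if not matches_criteria(alert, criteria):
            continue
        if alert.get("alert_name", "").lower() in blocked_names:
            continue
        reason = alert.get("reason_code") or ""
        if reason in filter_tags:  # matching reason_code -> not injected
            continue
        tags = [reason] if reason else list(DEFAULT_TAGS)  # assumed tagging scheme
        observables = {k: v for k, v in alert.get("observables", {}).items()
                       if k not in drop_keys}  # observable_filter_config keys removed
        selected.append({**alert, "tags": tags, "observables": observables})
        if limit is not None and len(selected) >= limit:
            break
    return selected
```

Running select_alerts(SAMPLE_ALERTS, SAMPLE_CONFIG) keeps only a1 and a5, with the two observable keys stripped from a1 and the default tags attached to a5.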

When an alert is closed on the CDC with the dismiss parameter and dismissal reasons, our automation also closes the corresponding alert on VMware Carbon Black with all required metadata.

**Integration Type:** EPP / EDR
**Information Enriched:** Logs from VMware Carbon Black EDR based on defined criteria.
**API Supported:** API V6
**Input:** N/A
**Output:** Detailed logs that lead to the creation of alerts and observables in the CDC.

Customer Configuration

No configuration required at the customer end, except for the provision of credentials.


CDC Command Lines

No CDC command lines.


Workflows

* **inject_alert_to_cdc**
Injects an alert into the CDC if it is not already present.


Rules

* **close_carbon_black_alert**
Closes the corresponding alert on Carbon Black.

* **inject_carbon_black_alert**
Triggers the inject_alert_to_cdc workflow when the sensor dispatches a new alert to the CDC.


Sensors

* **CarbonBlackSensor**
Sensor to pull alerts from Carbon Black.

Poll interval - 30s


Triggers

No triggers


Known Issues

No known issues


Change Log

| Pack Version | Date of Merge | Changes |
|---|---|---|
| v1.8.2 | 2022-07-07 | Added cb_filter_criteria parameter to DataStore key. |
| v1.8.3 | 2022-09-12 | Updated pack dependencies. |
| v1.9.0 | 2022-12-06 | Added changes to filter out alerts by name. Updated Common Logic Version. |
| v1.9.1 | 2023-01-20 | Replaced sync_create_alert action with create-alert action. |
| v1.10.0-beta | 2023-02-02 | Updated isolate_by_hostname_cli. Replaced cdc_sdk post message actions with Async actions. |
