- Updated on 06 Apr 2025
VMWare Carbon Black EDR - 1.3.0-beta
tags: python | EDR | bit9
Description
The VMware Carbon Black EDR integration supports CDC users with enrichment: details of individual device IDs and of the hosts connected to Carbon Black. This enables CDC users to make informed incident-response decisions.
Carbon Black collects and visualizes comprehensive information about endpoint events, giving security professionals unparalleled visibility into IT environments.
CyberProof uses generic adaptive cards to display host-related information in a meaningful, intuitive GUI, making host data and the status of hosts in Carbon Black easy to understand.
We provide CLI commands for two primary use cases: enriching the information Carbon Black holds about a specific host, and isolating and un-isolating a specific host from the network. The integration can currently isolate an asset from the network.
Attribute | Value |
---|---|
Integration Type | Prevent |
Information Enriched | Host information and Device ID for a specific host. |
API Supported | API V6 |
Input | Device host name to enrich the host name; Device ID to isolate and un-isolate an individual host. |
Output | Detailed enrichment consisting of host information; the individual host isolated/un-isolated from the network, with confirmation of the action. |
CDC Command Lines
- isolate_by_hostname_cli
CDC CLI command that runs get-device-id-by-hostname in the CDC message thread.
Option | Type | Description | Required |
---|---|---|---|
metadata | object | Command metadata. | True |
hostname | string | Host name of the host to be isolated. | True |
- get_device_details_cli
Retrieves enrichment details for a Carbon Black device.
Option | Type | Description | Required |
---|---|---|---|
metadata | object | Command metadata. | True |
device_id | integer | device id from Carbon Black. | True |
- isolate_by_device_id_cli
Isolates a host from the network using the Carbon Black device API.
Option | Type | Description | Required |
---|---|---|---|
metadata | object | Command metadata. | True |
device_id | integer | device_id of the host to be isolated. | True |
- unquarantine_by_device_id_cli
Removes a host from network quarantine (un-isolates it), using the Carbon Black device API.
Option | Type | Description | Required |
---|---|---|---|
metadata | object | Command metadata. | True |
device_id | integer | device_id of the host to be unquarantined. | True |
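The following Python is added here as an illustration; it is not part of this integration page or of CyberProof's pack. It walks through both use cases described above (resolve a host name to a Carbon Black device_id, fetch that device's details, then isolate and un-isolate it), mirroring the isolate_by_hostname_cli, get_device_details_cli, isolate_by_device_id_cli and unquarantine_by_device_id_cli commands. The endpoint paths (/devices/_search, /devices/{id}, /device_actions with action_type QUARANTINE), the X-Auth-Token header format and the response fields are assumptions modelled on the Carbon Black Cloud Devices API v6, not taken from this page; the device inventory is constructed so the module runs offline through an injectable transport. The detail worth noting is the exact-hostname check: a name search can return partial matches, so the lookup refuses to return an ID unless exactly one device matches.

```python
"""Added example; endpoints and response shapes are ASSUMPTIONS modelled on
the Carbon Black Cloud Devices API v6, not taken from the integration page."""
import json
import urllib.request


def urllib_transport(method, url, headers, body):
    """Real transport (standard library only): returns (status, json_body)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else {})


class CarbonBlackDevices:
    """Thin client for the device lookup / quarantine use cases."""

    def __init__(self, base_url, org_key, api_id, api_secret, transport=urllib_transport):
        self.base = f"{base_url.rstrip('/')}/appservices/v6/orgs/{org_key}"  # assumed path
        self.headers = {"X-Auth-Token": f"{api_secret}/{api_id}",  # assumed header format
                        "Content-Type": "application/json"}
        self.transport = transport

    def get_device_id_by_hostname(self, hostname):
        """Exact, case-insensitive match only: the search may return partial
        matches, and isolating the wrong endpoint is worse than refusing."""
        status, body = self.transport("POST", f"{self.base}/devices/_search",
                                      self.headers, {"query": hostname, "rows": 50})
        if status != 200:
            raise RuntimeError(f"device search failed: HTTP {status}")
        matches = [d for d in body.get("results", [])
                   if d.get("name", "").lower() == hostname.lower()]
        if len(matches) != 1:
            raise LookupError(f"{len(matches)} devices named {hostname!r}; need exactly 1")
        return matches[0]["id"]

    def get_device_details(self, device_id):
        status, body = self.transport("GET", f"{self.base}/devices/{int(device_id)}",
                                      self.headers, None)
        if status != 200:
            raise RuntimeError(f"device {device_id} lookup failed: HTTP {status}")
        return body

    def _set_quarantine(self, device_id, enabled):
        # Assumed action body: QUARANTINE toggled ON (isolate) or OFF (release).
        status, _ = self.transport("POST", f"{self.base}/device_actions", self.headers,
                                   {"action_type": "QUARANTINE", "device_id": [int(device_id)],
                                    "options": {"toggle": "ON" if enabled else "OFF"}})
        if status not in (200, 204):
            raise RuntimeError(f"quarantine action failed: HTTP {status}")
        return {"device_id": int(device_id), "quarantined": enabled}

    def isolate_by_device_id(self, device_id):
        return self._set_quarantine(device_id, True)

    def unquarantine_by_device_id(self, device_id):
        return self._set_quarantine(device_id, False)

    def isolate_by_hostname(self, hostname):
        return self.isolate_by_device_id(self.get_device_id_by_hostname(hostname))


# Constructed sample inventory standing in for a tenant, so the module runs offline.
FAKE_DEVICES = [
    {"id": 101, "name": "WS-FIN-01", "os": "WINDOWS", "quarantined": False},
    {"id": 102, "name": "WS-FIN-01-old", "os": "WINDOWS", "quarantined": False},
    {"id": 103, "name": "SRV-DB-02", "os": "LINUX", "quarantined": False},
]


def fake_transport(method, url, headers, body):
    """Substring search (like a real name search would) plus quarantine state."""
    if url.endswith("/devices/_search"):
        q = body["query"].lower()
        return 200, {"results": [d for d in FAKE_DEVICES if q in d["name"].lower()]}
    if method == "GET" and "/devices/" in url:
        dev_id = int(url.rsplit("/", 1)[1])
        hits = [d for d in FAKE_DEVICES if d["id"] == dev_id]
        return (200, hits[0]) if hits else (404, {})
    if url.endswith("/device_actions"):
        for d in FAKE_DEVICES:
            if d["id"] in body["device_id"]:
                d["quarantined"] = body["options"]["toggle"] == "ON"
        return 204, {}
    return 404, {}


def demo():
    """Isolate WS-FIN-01 by name, confirm, release, confirm; returns (id, isolated, released)."""
    cb = CarbonBlackDevices("https://cbc.example", "ORGKEY", "API_ID", "API_SECRET", fake_transport)
    dev_id = cb.get_device_id_by_hostname("ws-fin-01")  # 101, not the partial match 102
    cb.isolate_by_device_id(dev_id)
    isolated = cb.get_device_details(dev_id)["quarantined"]
    cb.unquarantine_by_device_id(dev_id)
    released = cb.get_device_details(dev_id)["quarantined"]
    return dev_id, isolated, released


if __name__ == "__main__":
    print(demo())
```

Pass `urllib_transport` (the default) with your own base URL, org key and API credentials to talk to a real tenant; the fake transport exists only so the behaviour, including the refusal on ambiguous names, can be exercised without network access.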
Workflows
- automtatic_incident_creation
Carbon Black automation flow.
- inject_alert_to_cdc
Injects an alert into the CDC if the alert is not already present.
- post_get_device_id_by_hostname
Posts get-device-id-by-hostname in the CDC, by the ID of the incident/message/channel.
- post_get_device_details
Posts get-device-details in the CDC, by the ID of the incident/message/channel.
- post_isolate_by_device_id
Posts isolate-by-device-id in the CDC, by the ID of the incident/message/channel.
- post_unquarantine_by_device_id
Posts unquarantine-by-device-id in the CDC, by the ID of the incident/message/channel.
Rules
- carbon_black_incident_creation
Creates an incident for a Carbon Black alert.
- inject_carbon_black_alert
Triggers the inject-alert-to-CDC workflow when a sensor dispatches a new alert to the CDC.
Sensors
- CarbonBlackSensor
Sensor to pull alerts from Carbon Black.
Poll interval - 30s
Triggers
No triggers
Known Issues
No known issues