VMWare Carbon Black EDR 1.9.1
  • 06 Apr 2025

tags: python | EDR | bit9

Description

The VMware Carbon Black EDR integration fetches the details of incidents created on the VMware Carbon Black EDR platform, along with their metadata, so that CDC users have additional information to make informed decisions during incident response.

VMware Carbon Black EDR collects and visualizes comprehensive information about endpoint events, giving security professionals unparalleled visibility into IT environments.

The following configuration options are provided to CDC users:

  1. Configure alert filter criteria so that only alerts matching the set criteria are ingested. For example: {"category": ["THREAT"]}.

  2. Limit the number of alerts injected into CDC via the UI configuration field alert_limit.

  3. Filter out alerts on the basis of tags via UI configuration. The configured tags are compared with reason_code; if a match is found, those alerts are not injected into CDC. For example: Filter_tags : ["tag_1", "tag_2"]. Alerts with an empty reason code are injected into CDC with default tags.

  4. Filter out alerts on the basis of alert name via UI configuration. Configured alert names are matched case-insensitively.

  5. Filter out observables via the UI configuration field observable_filter_config. For example: {"filter_key":["major_version","platform_id"]}.
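
The following is an added example, not the integration's own code, showing how the five options above combine when a polled batch of alerts is selected for injection. The alert field names (category, reason_code, name, observables), the sample alerts, the default tag and the configuration key names are constructed assumptions, not the real Carbon Black API shape.

```python
# Added illustration of the alert filtering described above; not the integration's code.
# Alert shape, default tag and config key names are assumptions for this example.
DEFAULT_TAGS = ["untagged"]  # assumed tag set given to alerts with an empty reason_code

# Constructed sample alerts (not real Carbon Black output)
SAMPLE_ALERTS = [
    {"id": 1, "category": "THREAT", "reason_code": "tag_1", "name": "Ransomware",
     "observables": {"major_version": 10, "platform_id": 2, "hostname": "ws-01"}},
    {"id": 2, "category": "MONITORED", "reason_code": "", "name": "Watchlist hit",
     "observables": {"hostname": "ws-02"}},
    {"id": 3, "category": "THREAT", "reason_code": "", "name": "Suspicious PowerShell",
     "observables": {"major_version": 10, "hostname": "srv-01"}},
    {"id": 4, "category": "THREAT", "reason_code": "tag_9", "name": "LATERAL MOVEMENT",
     "observables": {"platform_id": 1, "hostname": "srv-02"}},
    {"id": 5, "category": "THREAT", "reason_code": "tag_3", "name": "Credential dump",
     "observables": {"hostname": "dc-01"}},
    {"id": 6, "category": "THREAT", "reason_code": "tag_4", "name": "Persistence",
     "observables": {"hostname": "srv-03"}},
]

CONFIG = {  # the five UI options from the description, as one assumed config object
    "alert_filter_criteria": {"category": ["THREAT"]},
    "alert_limit": 2,
    "filter_tags": ["tag_1", "tag_2"],
    "filter_alert_names": ["lateral movement"],
    "observable_filter_config": {"filter_key": ["major_version", "platform_id"]},
}

def matches_criteria(alert, criteria):
    """Option 1: every configured key must hold one of its allowed values."""
    return all(alert.get(k) in allowed for k, allowed in criteria.items())

def select_alerts_for_cdc(alerts, config):
    """Return the alerts that would be injected into CDC, in poll order."""
    selected = []
    drop_names = {n.lower() for n in config.get("filter_alert_names", [])}
    drop_keys = set(config.get("observable_filter_config", {}).get("filter_key", []))
    for alert in alerts:
        if not matches_criteria(alert, config.get("alert_filter_criteria", {})):
            continue
        if alert.get("reason_code") in config.get("filter_tags", []):
            continue  # option 3: configured tag matched reason_code, not injected
        if alert.get("name", "").lower() in drop_names:
            continue  # option 4: name filter is case-insensitive
        out = dict(alert)
        out["tags"] = [alert["reason_code"]] if alert.get("reason_code") else list(DEFAULT_TAGS)
        out["observables"] = {k: v for k, v in alert.get("observables", {}).items()
                              if k not in drop_keys}  # option 5
        selected.append(out)
        if len(selected) >= config.get("alert_limit", len(alerts)):
            break  # option 2: stop at alert_limit
    return selected
```

With the sample batch, alerts 1, 2 and 4 are dropped by the tag, criteria and name filters, alerts 3 and 5 are injected (alert 3 with the default tags and with major_version stripped from its observables), and alert 6 is left out by alert_limit.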

When an alert is closed on CDC with the dismiss parameter and dismissal reasons, the corresponding alert on VMware Carbon Black is also closed, with all required metadata, by our automation.

Integration Type: EPP / EDR
Information Enriched: Logs from VMware Carbon Black EDR based on the criteria defined
API Supported: API V6
Input: N/A
Output: Detailed logs which lead to the creation of alerts and observables on CDC.

Customer Configuration

No configuration is required at the customer end, except the provision of credentials.


CDC Command Lines

No CDC command lines


Workflows

* **inject_alert_to_cdc**
Injects an alert into the CDC if the alert is not already present.


Rules

* **inject_carbon_black_alert**
Triggers the inject_alert_to_cdc workflow when a sensor dispatches a new alert to the CDC.

* **close_carbon_black_alert**
Closes the corresponding alert on Carbon Black.


Sensors

* **CarbonBlackSensor**
Sensor to pull alerts from Carbon Black.

Poll interval - 30s


Triggers

No triggers


Known Issues

No issues
